WhatsApp vs. NSO Group Lawsuit: 8 Key Takeaways

WhatsApp's Legal Triumph Over NSO Group

A significant win for WhatsApp occurred on May 6th, as a jury mandated that NSO Group compensate the Meta-owned platform with damages exceeding $167 million.

This decision marks the end of a legal dispute lasting over five years. The initial claim, filed by WhatsApp in October 2019, alleged that NSO Group compromised the security of over 1,400 users.

Details of the Allegations

The lawsuit centered on a vulnerability within WhatsApp’s audio call feature, which NSO Group reportedly exploited to gain unauthorized access.

The case unfolded over a week-long jury trial, featuring direct testimonies from key figures. These included Yaron Shohat, the CEO of NSO Group, and personnel from WhatsApp involved in the incident response and investigation.

Revelations Prior to the Trial

Even preceding the trial’s commencement, substantial information came to light. It was revealed that NSO Group had terminated services for 10 government clients due to misuse of its Pegasus spyware.

Furthermore, the locations of 1,223 individuals targeted by the spyware campaign were identified, alongside the names of three of NSO Group’s customers: Mexico, Saudi Arabia, and Uzbekistan.

Key Findings from Court Transcripts

TechCrunch meticulously reviewed over 1,000 pages of court transcripts from the trial hearings.

• The transcripts detailed the extent of the security breach and the methods employed by NSO Group.
• Evidence presented showcased how the exploited vulnerability allowed for the installation of Pegasus on targeted devices.
• Testimonies highlighted the significant resources WhatsApp dedicated to mitigating the attack and protecting its user base.

The most compelling facts and revelations gleaned from these transcripts are summarized for clarity.

This ruling underscores the growing scrutiny surrounding the development and deployment of sophisticated spyware and its potential for abuse.

Details Emerge Regarding the WhatsApp Attack Mechanism

Recent testimony has illuminated the operational process of the attack carried out via WhatsApp. The exploit, categorized as a zero-click attack, functioned without necessitating any action on the part of the intended recipient.

As articulated by WhatsApp’s legal counsel, Antonio Perez, during the proceedings, the attack involved initiating a simulated WhatsApp phone call directed towards the target. Perez detailed that NSO Group had engineered a dedicated system, termed the “WhatsApp Installation Server.”

This specialized server was specifically constructed to transmit harmful messages through WhatsApp’s network, effectively replicating legitimate communications. The system was designed to appear as standard WhatsApp traffic.

Upon delivery, these messages prompted the user’s device to connect with an external server and download the Pegasus spyware. According to Perez, the sole prerequisite for initiating this process was the target’s phone number.

Tamir Gazneli, NSO Group’s Vice President of Research and Development, affirmed that “any zero-click solution represents a substantial advancement for Pegasus” in his own testimony.

Key Components of the Attack

• Zero-Click Nature: The attack required no user interaction.
• WhatsApp Installation Server: A dedicated server created by NSO Group for message delivery.
• Pegasus Spyware: The malicious software ultimately installed on the target device.
• Phone Number as Identifier: The only piece of information needed to initiate the attack.

The process highlights the sophistication of the attack vector and the capabilities of the Pegasus spyware. It demonstrates a method of infiltration that bypasses typical security measures.

NSO Group Continued Targeting WhatsApp Users During Legal Proceedings

A lawsuit was initiated by WhatsApp against the NSO Group in November 2019, stemming from a spyware attack. Despite this ongoing legal action, NSO Group continued to target users of the messaging application, as revealed by Tamir Gazneli, the company’s Vice President of Research and Development.

Gazneli stated that the exploit, internally designated “Erised” – a zero-click vector affecting WhatsApp – remained operational from late 2019 through May 2020. Additional versions of the exploit were known as “Eden” and “Heaven.”

Details of the WhatsApp Exploits

Collectively, the “Erised,” “Eden,” and “Heaven” exploits were grouped under the moniker “Hummingbird.” This indicates a coordinated effort in developing and deploying these spyware capabilities. The continued use of these tools during the lawsuit highlights the company’s persistence in its activities.

The fact that targeting continued throughout the legal challenge raises questions about the effectiveness of the lawsuit in immediately halting NSO Group’s operations. It demonstrates a sustained effort to exploit vulnerabilities within the WhatsApp platform.

Implications of Continued Targeting

• The ongoing attacks suggest a disregard for the legal process.
• It underscores the potential for continued exploitation of messaging apps.
• The use of multiple exploit names (“Erised,” “Eden,” “Heaven”) points to a sophisticated and evolving cybersecurity threat.

NSO Group Acknowledges Targeting a US Phone Number During FBI Evaluation

For a considerable period, NSO Group has maintained that its spyware, Pegasus, is incapable of targeting American phone numbers. This restriction specifically applies to mobile numbers beginning with the +1 country code.

Initial reports surfaced in 2022, published by The New York Times, indicating that the company had, in fact, “attacked” a U.S.-based phone. However, this action was characterized as a trial run conducted for the benefit of the FBI.

Details of the FBI Test

Joe Akrotirianakis, legal counsel for NSO Group, has officially corroborated this account. He stated that the instance where Pegasus targeted a +1 number represented a “single exception.”

This exception involved a uniquely configured iteration of Pegasus. It was designed for demonstration purposes, intended to showcase the software’s capabilities to prospective U.S. government clients.

FBI Decision and Implications

Following the evaluation process, reports indicate that the FBI ultimately decided against the deployment of Pegasus.

This decision highlights the careful consideration given to the use of such powerful surveillance technology, even when offered for testing by private companies.

The confirmation from NSO Group clarifies the circumstances surrounding the reported targeting of a U.S. phone number, emphasizing it was a controlled test and not a breach of the company’s stated policy.

The Utilization of Pegasus by Governmental Clients of NSO

According to NSO’s CEO, Shohat, the platform’s interface, as presented to governmental users, deliberately omits the selection of specific hacking methodologies or techniques for targeting individuals. This is due to the fact that clients prioritize obtaining the necessary intelligence, irrespective of the employed access vector.

Essentially, the decision regarding which exploit – a specific hacking technology – to deploy against a target is made autonomously by the Pegasus system itself.

This backend process ensures that the most effective method is utilized each time the spyware attempts to compromise a device.

Pegasus's Autonomous Operation

The system’s automated selection of exploits simplifies the process for the user. It removes the need for technical expertise in choosing the optimal hacking approach.

This approach allows governmental clients to focus solely on the intelligence gathering aspect, rather than the technical details of the intrusion.

• Efficiency: Automated exploit selection streamlines the targeting process.
• Simplicity: Users are shielded from complex technical choices.
• Effectiveness: Pegasus aims to employ the most viable hacking method.

Therefore, the core functionality of Pegasus, from the perspective of its governmental customers, centers around receiving actionable intelligence, with the underlying technical mechanisms handled automatically by the system.

NSO Group's Workforce Numbers Revealed

During a recent disclosure, Shohat revealed significant information regarding the staffing levels of NSO Group and its parent organization, Q Cyber. The combined workforce of both entities is estimated to be between 350 and 380 individuals.

Breakdown of Employee Distribution

Approximately 50 employees are directly affiliated with Q Cyber, while the remaining personnel are employed by NSO Group. This indicates a substantial concentration of staff within NSO Group itself.

The revealed figures offer a glimpse into the scale of operations for these companies. NSO Group, known for its surveillance technology, maintains a considerable team to support its activities.

Understanding the employee count provides context to the resources dedicated to the development and deployment of their technologies. The data highlights the significant investment in personnel by both Q Cyber and NSO Group.

This information was shared by Shohat, offering a rare insight into the internal structure and size of these organizations. It contributes to a more comprehensive understanding of their capabilities.

NSO Group and Apple Co-Located in Herzliya

An unusual situation exists regarding the physical locations of NSO Group and Apple. NSO Group’s primary offices are situated within the same building as Apple in Herzliya, a city near Tel Aviv, Israel.

This is particularly noteworthy as customers of Apple’s iPhone are often the targets of NSO Group’s Pegasus spyware.

According to testimony given by Shohat, NSO Group utilizes the top five floors of the 14-story building, with Apple occupying the remaining space.

“We often use the same elevator to access our respective offices,” Shohat stated during the proceedings.

Transparency in Location

The open advertising of NSO Group’s headquarters is a point of interest. Many firms involved in the development of spyware or zero-day exploits operate with greater discretion regarding their physical addresses.

For example, Variston, a Barcelona-based company that ceased operations in February, maintained a presence in a co-working facility while publicly listing a different location on its website.

This contrasts with NSO Group’s more straightforward approach to disclosing its headquarters location.

Comparison to Other Spyware Developers

The operational models of these companies differ significantly.

• Variston opted for a degree of obfuscation regarding its physical location.
• NSO Group, conversely, openly advertises its presence in the Herzliya building.

This difference in transparency highlights varying strategies employed within the spyware development industry.

The Financial Impact of Pegasus Spyware on European Clients

Recent disclosures from an NSO Group representative have illuminated the substantial costs incurred by European entities seeking access to the Pegasus spyware between 2018 and 2020.

The revealed “standard price” for the spyware was $7 million, with an additional expense of approximately $1 million allocated to “covert vectors.” This information surfaced within a legal document, providing insight into the financial scale associated with sophisticated spyware acquisition.

Understanding "Covert Vectors"

The term “covert vectors” likely encompasses the discreet methods employed to deploy Pegasus onto target devices.

These techniques could include zero-click exploits, which allow for device compromise without requiring any action from the user, such as clicking a link or opening a message.

Such exploits represent a particularly valuable and costly component of the spyware package.

Factors Influencing Spyware Pricing

The cost of Pegasus, and similar spyware, is subject to variation based on several key determinants.

• The identity of the purchasing nation, with some vendors applying premium pricing for sales to countries like Saudi Arabia and the United Arab Emirates.
• The number of simultaneous targets a client can monitor.
• The inclusion of advanced features, notably zero-click exploitation capabilities.

These variables contribute to the discrepancies observed in pricing across different clients.

For instance, a European customer may have been billed $7 million in 2019, while Saudi Arabia allegedly spent $55 million and Mexico $61 million over multiple years.

These figures demonstrate the significant financial investment governments are willing to make to acquire powerful surveillance technology like Pegasus.

NSO Group Details Precarious Financial Situation

Testimony during the legal proceedings featured Shohat addressing inquiries concerning the company's financial health, with certain information previously outlined in pre-trial depositions. These financial specifics were central to determining the appropriate damage compensation owed to WhatsApp.

As presented by Shohat and documentation from NSO Group, the developer of spyware experienced a loss of $9 million in 2023 and $12 million in 2024. The company’s financial records indicated a balance of $8.8 million held in its accounts as of 2023, decreasing to $5.1 million by 2024.

Currently, the company’s operational costs are approximately $10 million monthly, largely attributed to employee compensation.

Furthermore, it was disclosed that Q Cyber maintained a bank balance of around $3.2 million for both 2023 and 2024.

The trial also brought to light that NSO’s research and development division – the team focused on identifying and exploiting software vulnerabilities – incurred expenses of $52 million in 2023, rising to $59 million in 2024. Shohat stated that clients of NSO Group invest “somewhere in the range” of $3 million to “ten times that amount” for access to the Pegasus spyware system.

These figures were key to the company’s strategy of minimizing potential damage payments.

“Frankly, I do not believe we have the capacity to make any payment,” Shohat conveyed during his statement. “We are facing significant challenges in maintaining solvency and are focused on prioritizing expenditures to ensure we can fulfill our obligations, assessed on a weekly basis.”

Pegasus spyware access costs vary significantly for clients.

Originally published on May 10, 2025, and subsequently updated with further information.