Pegasus spyware creator ordered to pay WhatsApp $168mn for 2019 hack

WhatsApp won a $168mn jury verdict in a case against NSO Group, the Israeli maker of Pegasus spyware, for exploiting a weakness in the encrypted messaging platform and selling it to clients who used it to surveil journalists, activists and political dissidents.

The case in a California federal court is the first time that a manufacturer of spyware has been held responsible for violating the technical sanctity of the platforms that operate on modern smartphones. It threatens an emerging industry based on weaponising tiny vulnerabilities for huge profits.

“Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” WhatsApp parent company Meta said in a blog post.

NSO said it would appeal. “We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorised government agencies,” it said in a statement.

Meta-owned WhatsApp’s success in the case opens NSO up to litigation from Apple, Amazon, Android and other global companies whose platforms Pegasus either abused, or attempted to hack, in order to inject its spyware.

“After years of every trick and delay tactic it only took the jury a day’s deliberation to see right through to the heart of the matter: NSO’s business is based on hacking American companies . . . so that dictators can hack dissidents,” said John Scott-Railton at the University of Toronto’s Citizen Lab, a watchdog group, which helped WhatsApp investigate the hack and protect the civil society targets.

The world’s largest technology companies backed WhatsApp’s lawsuit, filing legal briefs in support.

Pegasus was considered a pioneer in an industry that bloomed — mostly within Israel — for nearly a decade. It commercialised weaknesses in popular software, enabling clients to penetrate the privacy of smartphones anywhere in the world — bypassing encryption and even remotely activating handheld microphones and cameras to capture private conversations.

NSO initially operated in the shadows, staffed by veterans of the Israeli military’s signals intelligence units, who were paid hundreds of thousands of dollars a year to create software that mimicked the technical capabilities of Israel’s military.

It was valued at more than $1bn in a private equity buyout in 2019, and reported $251mn in revenues in 2018.

The sale of Pegasus was considered a diplomatic calling card to prise open relations between the Jewish state and its Gulf rivals, with NSO signing blockbuster deals with countries that had a record of human rights abuses, including Saudi Arabia and the UAE, which did not recognise Israel at the time.

In 2019, the Financial Times reported that NSO was exploiting a weakness in WhatsApp that allowed its clients to make a single missed call to a target’s phone, which would then install the spyware — allowing the device to be operated remotely, deleting the phone call and exposing all its contents, from pictures to location history.

WhatsApp fixed the leak, but also studied the traces that Pegasus left, finally identifying hundreds of targets that it notified of the hack, including at least 100 people considered members of civil society — human rights lawyers, advocates for press freedom and prominent opposition politicians.

Before this database was generated by WhatsApp, which worked with Citizen Lab, NSO had argued that its software was being sold to responsible clients, who were contract-bound to use it only to prevent crime and terrorism, and that any abuse was rare.

“Then WhatsApp showed up and it was like the playground bully suddenly met their match,” said Scott-Railton. “WhatsApp stuck the fight out and carried this case across the finish line . . . a huge credit to their leadership for carrying this torch.”

But the extent of abuse unveiled in the investigation put the spotlight on NSO and its rivals, drawing the attention of media consortiums and the Biden administration, which blacklisted NSO and sought to regulate the spyware industry.

The Meta-owned company also decided to sue NSO, vowing to make public everything its lawyers discovered about the company’s inner workings, while seeking to hold it responsible for the hack.

The jury trial was focused exclusively on damages. A judge ruled in December that NSO breached hacking laws and the terms of its service agreement with WhatsApp.