Court Bans NSO Group from Targeting WhatsApp Users with Pegasus Spyware

A U.S. federal court has permanently banned Israeli spyware developer NSO Group—creator of the infamous Pegasus surveillance tool—from using its software to attack or monitor WhatsApp users.

Pegasus, sold as “lawful surveillance software,” has long been marketed to governments for counterterrorism and criminal investigations. However, the spyware has repeatedly been linked to widespread abuse. Once deployed, it can intercept calls and messages, extract passwords, track location data, and access photos and files on both iOS and Android devices.


The dispute began in 2019, when WhatsApp, owned by Meta, filed a lawsuit accusing NSO Group of helping various governments—including Mexico, the UAE, and Bahrain—conduct unauthorized cyberattacks on approximately 1,400 individuals. The victims reportedly included journalists, human rights defenders, lawyers, diplomats, and political dissidents.

Meta sought both monetary damages and an injunction to prevent further exploitation of its platform.


How Pegasus Infiltrated WhatsApp

Court filings unsealed in late 2024 revealed new technical details about the operation.
Between 2016 and 2018, NSO Group allegedly used a custom WhatsApp client known as the WhatsApp Installation Server (WIS) along with a proprietary exploit called “Heaven.”

The exploit impersonated legitimate WhatsApp traffic, allowing Pegasus to be silently installed on victims’ devices via a third-party server controlled by NSO Group.

Once WhatsApp’s engineers detected the intrusion, they rolled out patches in September and December 2018, effectively blocking the Heaven exploit. But NSO quickly adapted—creating a successor exploit dubbed “Eden” in early 2019 to bypass WhatsApp’s new defenses.


The Court’s Decision

Last week, Judge Phyllis J. Hamilton of the U.S. District Court for the Northern District of California granted Meta’s long-pending request for a permanent injunction.

The ruling prohibits NSO Group from:

  • Targeting WhatsApp users or attempting to infect their devices
  • Intercepting WhatsApp communications, which are protected by end-to-end encryption using the Signal protocol
  • Retaining or using any data previously obtained through attacks on WhatsApp

Judge Hamilton also ordered NSO Group to delete all compromised data from past operations.

In her opinion, Hamilton wrote that Pegasus inflicted measurable harm on Meta’s business interests:

“Any company that handles users’ personal information and invests in encryption suffers direct harm from unauthorized access. This is not merely reputational damage—it undermines the very product being sold: user privacy,” she stated.

Limited Scope of the Ruling

The judge rejected Meta’s attempt to extend the injunction to foreign governments, noting that sovereign states were not parties to the case.
She also declined to include other Meta platforms, such as Facebook and Instagram, since no evidence suggested they were targeted.


Damages and Reactions

While granting the injunction, Judge Hamilton reduced the punitive damages awarded by a jury in May 2025—from $167 million to $4 million USD—stating that the jury’s calculation method was flawed.

In a statement, NSO Group welcomed the reduction, calling the original sum “excessive.”

Meanwhile, WhatsApp head Will Cathcart hailed the ruling as a landmark moment for digital rights:

“Today’s ruling bans NSO Group from ever targeting WhatsApp or our users again,” Cathcart said. “After six years of litigation, this sets an important precedent—there are real consequences for attacking a U.S. company and the people who depend on it.”

Broader Implications

The ruling marks a significant legal victory in the ongoing battle between commercial spyware vendors and platform operators seeking to protect their users.
It reinforces that private companies cannot claim sovereign immunity or operate outside the reach of U.S. courts simply because their customers are governments.

For the first time, a major spyware manufacturer has been permanently barred by court order from targeting users of a global communications platform—potentially reshaping how surveillance technology firms operate worldwide.