Court bans NSO Group from targeting WhatsApp users with Pegasus spyware

A federal court has ordered the Israeli company NSO Group (developer of the commercial spyware Pegasus) to stop using the spyware to target and attack WhatsApp users.

Recall that Pegasus is a spyware platform developed by NSO Group. Pegasus is sold as legal spyware and is used for espionage and surveillance around the world. Pegasus (and, through it, NSO Group’s clients) can collect text messages and app data from iOS and Android devices, eavesdrop on calls, track location, steal passwords, and more.

Several years ago, we devoted a separate article to Pegasus and NSO Group after public attention was drawn to the operation of this commercial spyware and the abuses associated with it.

Back in 2019, WhatsApp representatives filed a lawsuit against NSO Group and accused the company of aiding cyberattacks carried out in the interests of various governments in 20 countries around the world, including Mexico, the UAE, and Bahrain. The suit sought monetary damages and a court injunction against such practices.

This legal battle continues to this day. For example, in late 2024, unredacted court documents became public. According to these papers, until about April 2018, NSO Group used a custom WhatsApp client (WhatsApp Installation Server, or WIS) and a proprietary exploit called Heaven for its attacks. WIS could masquerade as the official WhatsApp client and was used to install Pegasus on victims’ devices from a third-party server under NSO’s control.

After the WhatsApp developers discovered the issue and blocked NSO Group’s access to the infected devices and servers using patches released in September and December 2018, the Heaven exploit stopped working.

Then, in February 2019, NSO Group developed a new exploit — Eden — to bypass WhatsApp’s new security measures. In May 2019, WhatsApp representatives discovered that Eden was being used by NSO Group clients to attack approximately 1,400 user devices, many of which belonged to lawyers, journalists, human rights activists, political dissidents, diplomats, and senior foreign officials.

Last week, U.S. District Judge Phyllis J. Hamilton of the Northern District of California granted a request for a permanent injunction that WhatsApp’s owner (Meta) filed against NSO Group back in 2019.

The court’s ruling requires NSO Group to permanently cease targeting WhatsApp users, attempting to infect their devices, or intercepting WhatsApp messages, which are protected by end-to-end encryption using the open-source Signal protocol. Hamilton also ruled that NSO Group must delete all data previously obtained through the targeting of WhatsApp users.

Earlier, NSO Group representatives claimed that such a ruling would “force the company to shut down,” since Pegasus is its flagship product. However, Hamilton determined that the harm caused by Pegasus to Meta outweighs such considerations.

“According to the court, any business that handles users’ personal information and invests resources in encrypting that information suffers from unauthorized access to it—and this is not just reputational harm, it is business harm,” Hamilton said. “In essence, companies like WhatsApp are, in part, selling data privacy, and any unauthorized access undermines those sales. The defendants’ actions nullify one of the plaintiffs’ service’s key objectives, which constitutes direct harm.”

At the same time, the judge denied Meta’s request to extend the injunction to foreign governments that might use WhatsApp. She noted that sovereign states are not parties to the lawsuit. In addition, Meta’s request to extend the ban to targeting users of other Meta products (such as Facebook and Instagram) was rejected on the grounds that there was no evidence they had been targeted.

“Today’s ruling bans the spyware developer NSO Group from ever again targeting WhatsApp and our users around the world,” commented WhatsApp head Will Cathcart. “We welcome this decision, which comes after six years of litigation to hold NSO Group accountable for attacks on members of civil society. It sets an important precedent: there are serious consequences for attacks on an American company.”

Hamilton also reduced the punitive damages the jury had imposed on NSO Group in May 2025. The jury’s verdict had required NSO Group to pay WhatsApp $167 million in punitive damages, but that amount has now been reduced to $4 million. The judge noted that the criteria the jury previously used to determine the punitive damages amount were incorrect.

Representatives of NSO Group told the media that the company welcomes the court’s decision to reduce the penalties by 97%, “compared to the excessive amount” initially determined by the jury.
