
Eight Key Takeaways from WhatsApp vs. NSO Group Spyware Lawsuit
In a landmark victory for WhatsApp, a jury ordered NSO Group, the controversial spyware maker, to pay over $167 million in damages. This ruling concludes a five-year legal battle that began in October 2019 when WhatsApp accused NSO Group of exploiting a vulnerability in its audio-calling feature to hack over 1,400 users. TechCrunch meticulously reviewed over 1,000 pages of court transcripts to bring you the most critical revelations from the trial.
1. How the WhatsApp Attack Worked: The attack was zero-click, meaning it required no interaction from the user, and it worked by placing a fake WhatsApp call to the target. WhatsApp’s lawyer, Antonio Perez, explained that NSO Group created a “WhatsApp Installation Server” to send malicious messages mimicking real ones. These messages triggered the user’s phone to download the Pegasus spyware via a third server. All that was needed was the target’s phone number.
2. NSO Continued Targeting WhatsApp After Lawsuit: Despite the lawsuit filed in November 2019, NSO Group continued targeting WhatsApp users. Tamir Gazneli, NSO’s R&D VP, revealed that the “Erised” version of the zero-click vector was used from late 2019 to May 2020, alongside versions codenamed “Eden” and “Heaven,” collectively known as “Hummingbird.”
3. Targeting an American Phone Number: NSO Group admitted to targeting a U.S. phone number as a test for the FBI. This was a “specially configured version of Pegasus” demonstrated to potential U.S. government clients, according to NSO’s lawyer. The FBI ultimately chose not to deploy Pegasus.
4. How NSO’s Government Customers Use Pegasus: NSO’s CEO, Yaron Shohat, clarified that Pegasus’ user interface doesn’t allow customers to select specific hacking methods. The system automatically chooses the exploit to use, ensuring customers obtain the needed intelligence without concerning themselves with the technical details.
5. NSO’s Employee Count: NSO Group and its parent company, Q Cyber, employ between 350 and 380 individuals combined, with approximately 50 working for Q Cyber.
6. Shared Headquarters with Apple: In an ironic twist, NSO Group’s headquarters in Herzliya, Israel, is located in the same building as Apple, a frequent target of Pegasus. Shohat mentioned that NSO occupies the top five floors, while Apple occupies the rest of the 14-story building, sharing the same elevator.
7. Cost of Pegasus Spyware for European Customers: An NSO Group employee disclosed that European customers paid a “standard price” of $7 million for Pegasus between 2018 and 2020, with an additional $1 million for “covert vectors,” referring to stealthy zero-click exploits.
8. NSO’s Financial Struggles: NSO Group is facing financial difficulties, having lost $9 million in 2023 and $12 million in 2024. The company’s bank account held $8.8 million in 2023 and $5.1 million in 2024, with a monthly burn rate of around $10 million, primarily for employee salaries. Shohat admitted the company is struggling to stay afloat.