WhatsApp Spyware Case: NSO Group on the Brink as Damages Trial Begins

NSO Group Faces Potential ‘Tens of Millions’ in Damages in WhatsApp Spyware Case

Opening arguments have commenced in the five-year legal battle between NSO Group, the Israeli spyware developer, and WhatsApp. Experts predict that NSO Group could face significant penalties, potentially leading to the company’s bankruptcy, after being found liable for hacks on WhatsApp users in December. Meta, WhatsApp’s parent company, is seeking over $440,000 in compensatory damages, but punitive damages could elevate the total to tens of millions.

The lawsuit is the result of NSO’s involvement in the 2019 spyware infections of around 1,400 WhatsApp users, many of whom were journalists, diplomats, and dissidents. A Northern California federal judge previously ruled NSO liable for these intrusions. NSO Group has declined to comment on the case.

Despite the potential for hefty damages and bankruptcy, experts believe that NSO’s powerful zero-click spyware, Pegasus, may persist. Nitansha Bansal, a spyware expert, suggests NSO could restructure or sell Pegasus to another vendor to exploit vulnerabilities in different regions.

Aaron Cooper, a former NSC legal advisor, noted that private equity firms are beginning to distance themselves from investing in spyware companies. A movement is underway among these firms to avoid investments that conflict with U.S. national security or democratic values. Paladin Capital Group, along with eight other private equity firms, has organized a pledge to this effect.

NSO’s non-compliance with discovery orders, including failure to provide Pegasus’s source code or details on client motives, may lead to greater damages. Matthew Pearl, a former NSC official, stated that NSO’s secrecy regarding its clients and their actions puts them in a difficult position, as non-cooperation can be penalized by the courts.

The court has deemed inadmissible any evidence of how Pegasus is used by law enforcement and counterterrorism officials, focusing the jury’s attention solely on NSO’s hacking of WhatsApp accounts. This includes repeated attempts to breach the platform even after the lawsuit was filed.

Jim Lewis, a cyber expert, believes that while NSO may face high damages, this will not eliminate the use of similar spyware. He compares the situation to plugging one hole in a boat with many, as other countries also have companies developing such technologies.

NSO’s financial difficulties have been compounded by being placed on the U.S. Bureau of Industry and Security’s entity list in 2021, leading to reduced revenues and increased legal expenses. Bansal noted that approximately 100 NSO employees were laid off in 2022 due to the company’s precarious financial situation. NSO has spent millions lobbying the U.S. government to be removed from the entity list, but these efforts are unlikely to succeed.

Civil society groups are hopeful that the damages awarded in the WhatsApp case will significantly impact NSO and other spyware companies. Natalia Krapiva from Access Now believes a large award will encourage more lawsuits, increasing legal fees and damaging their reputation.