Case Background
WhatsApp Inc. and Meta Platforms, Inc. (formerly Facebook, Inc.) initiated a high-stakes legal battle against NSO Group Technologies Limited and Q Cyber Technologies Limited in October 2019. The tech giants alleged that the Israeli surveillance firm had exploited a vulnerability in the WhatsApp messaging service to install spyware on the devices of approximately 1,400 users worldwide. These users included human rights activists, journalists, and government officials. Before the Plaintiffs discovered the breach, NSO Group had developed a sophisticated program that bypassed WhatsApp’s end-to-end encryption.
Cause
The lawsuit originated from an unauthorized access and malware infection campaign that took place between April and May 2019. NSO Group had reverse-engineered the WhatsApp application to emulate legitimate network traffic. They used this capability to route malicious code through WhatsApp’s signaling servers. By disguising the malware as call settings, the Defendants successfully injected a remote access trojan known as "Pegasus" into the memory of target devices, often without the user even needing to answer the call.
Injury
WhatsApp and Meta suffered significant technical and reputational harm due to the breach. The unauthorized access forced the companies to dedicate massive resources to investigate the attack, develop security patches, and notify affected users. Furthermore, the Plaintiffs argued that NSO Group’s actions violated the trust of their global user base and compromised the integrity of the encrypted platform.
Damages Sought
In their initial complaint, the Plaintiffs sought several forms of relief. They demanded a permanent injunction to bar NSO Group from ever accessing WhatsApp or Facebook services and systems again. Financially, they requested compensatory damages for the costs incurred during the investigation and remediation of the breach. Additionally, the Plaintiffs asked for punitive damages, arguing that NSO Group’s conduct was malicious and fraudulent.
Key Arguments and Proceedings
The legal proceedings spanned over five years, involving intense discovery and several unsuccessful attempts by NSO Group to have the case dismissed on the grounds of sovereign immunity.
Legal Representation
Plaintiff(s): WhatsApp Inc. and Meta Platforms, Inc. (formerly Facebook, Inc.)
· Counsel for Plaintiff(s): Travis LeBlanc | Joseph D. Mornin | Daniel J. Grooms | Amelia Birnie | Antonio J. Perez-Marques | Catalina Joos Vergara | Craig Cagney | Daniel Joseph Grooms | Elizabeth B Prelogar | Gersham Johnson | Gina M Cora | Greg D Andres | Ian Shapiro | Jeffrey A. N. Kopczynski | Luca E. Marzorati | Meenu Ann Mathews | Micah Galvin Block | Muhammad Sardar | Quentin J. Ullrich | Ronald Arthur Lehmann
Defendant(s): NSO Group Technologies Limited and Q Cyber Technologies Limited
· Counsel for Defendant(s): Joseph N. Akrotirianakis | Aaron S. Craig | Derek Lawrence Shaffer | Emmett Gilles | Jonathan M. Freiman | Steve Malech | John V Coghlan | Jonathan Weinberg | Matthew Vincent Noller | Patrick F. Philbin | Roy Falik
Key Arguments or Remarks by Counsel
Counsel for WhatsApp emphasized that NSO Group had built a "nerve center" to control their spyware and intentionally violated WhatsApp's terms of service. They argued that the Defendants were not just passive software providers but active participants in the surveillance. In response, the defense argued that NSO Group simply sold technology to government clients who were responsible for its use. They maintained that the company did not operate the software itself and therefore could not be held liable for the specific targets chosen by its customers.
Claims
The Plaintiffs brought forward multiple legal claims, including:
Computer Fraud and Abuse Act (CFAA): They alleged NSO Group accessed protected computers without authorization. California Comprehensive Computer Data Access and Fraud Act: They claimed the Defendants illegally accessed data and systems under California state law. Breach of Contract: They argued NSO Group violated the specific Terms of Service every user must agree to. Trespass to Chattels: They contended that the malware interference constituted a legal trespass on their digital property.
Defense
NSO Group’s primary defense rested on the idea of limited liability and the actions of third parties. They argued that any harm was caused by the "end-users" (government agencies) rather than the developers. They also filed numerous affirmative defenses, claiming that the imposition of punitive damages for harm to non-parties would violate their due process rights under the Fifth and Fourteenth Amendments.
Jury Verdict
On May 6, 2025, the jury reached a unanimous decision in the Northern District of California. They found that NSO Group had indeed violated the California Comprehensive Computer Data Access and Fraud Act.
The jury determined that NSO Group’s violation involved malice, oppression, or fraud, which cleared the path for punitive damages. While the compensatory damages were set at $444,719 for the financial loss suffered by WhatsApp, the jury sent a much stronger message with the punitive award.
In total, the jury ordered NSO Group to pay $167,254,000 in punitive damages. This massive award aimed to punish the company for its conduct and deter similar unauthorized surveillance activities in the future. The verdict represented a significant victory for Meta and WhatsApp in their long-standing effort to hold private spyware developers accountable for exploiting global communication platforms.
Court documents are available upon request at [email protected]
