NSO Ordered to Pay $611 Million for WhatsApp Hacking

Background of the Lawsuit
In May 2025, a federal jury in the Northern District of California awarded Meta-owned WhatsApp a total of $611 million—$444 million in compensatory damages and $167 million in punitive damages—after finding Israel-based NSO Group liable for deploying its Pegasus spyware against nearly 1,400 WhatsApp users. Launched in 2019, WhatsApp’s lawsuit was one of the first major legal challenges targeting commercial sellers of zero-click exploits.
The Clickless Exploit: Technical Breakdown
At the heart of WhatsApp’s case was CVE-2019-3568, a buffer-overflow vulnerability in WhatsApp’s Voice over IP (VoIP) stack. NSO’s engineers crafted a “clickless” exploit that delivered a specially crafted, malformed Session Description Protocol (SDP) payload during a WhatsApp call. Targets never had to answer: the malformed audio metadata triggered a heap-based overflow, enabling a return-oriented programming (ROP) chain that injected the Pegasus payload directly into device RAM.
- Supported platforms: iOS 12–13 and Android 8–9
- Exploit vector: SDP packet via WhatsApp’s RTP channel
- Post-exploit comms: Encrypted C2 over TLS 1.3, certificate pinned to NSO infrastructure
Once in memory, Pegasus harvested call logs, contacts, live audio, keystrokes, GPS, and Signal-protocol messages. Citizen Lab’s forensic analysis confirmed injection through WhatsApp’s XMTP transport and mapped malicious domains that resolved to NSO-owned servers in Europe and the Middle East.
Jury Verdict and Legal Outcome
- Compensatory Damages: $444 million
- Punitive Damages: $167 million
- Total Award: $611 million
Judge Phyllis J. Hamilton presided over the trial and rejected NSO’s claim of sovereign immunity, noting that the company’s contracts expressly allowed targeting of journalists, dissidents, and lawyers. NSO argued its tools were restricted to licensed government use in counter-terrorism and child-abuse investigations, but internal logs exposed during discovery contradicted these assurances.
Implications for the Cybersecurity Industry
Security experts and privacy advocates hailed the verdict as a watershed moment. “This sends a clear message: no company is above the law when it weaponizes zero-day exploits against civilians,” said John Scott-Railton of Citizen Lab. The decision underscores growing legal risks for mercenary spyware vendors, complementing the U.S. Commerce Department’s 2024 sanctions against NSO and similar entities.
Policy and Regulatory Considerations
Calls are intensifying for an international framework to regulate offensive cyber tools. The EU’s draft Cyber Resilience Act and the proposed UN International Code of Conduct for Information Security draw momentum from this case. “Regulating exploit brokers is no longer optional—it’s essential for global human rights,” noted Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation.
Future Directions and Countermeasures
In response to the exploit, WhatsApp accelerated its security roadmap: implementing memory-safe crates in Rust for its VoIP stack, expanding fuzzing with AFL++ and LibFuzzer, and leveraging hardware enclaves (Secure Enclave on iOS, TrustZone on Android). Meta also plans real-time anomaly detection using machine learning models in its Signal-based protocol telemetry.
On the defensive front, security teams are hardening VoIP services, enforcing mandatory multi-factor authentication for admin consoles, and deploying network-level protections such as eBPF filters to detect malformed SDP packets before they reach endpoints.
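The kind of structural check a pre-endpoint SDP filter would apply, as an added example that is not WhatsApp’s, Meta’s or NSO’s code: it rejects SDP bodies whose lines break the RFC 4566 `type=value` shape or carry oversized attribute values. The length budgets and the session-header ordering rule are assumed policy values, not limits from any real VoIP stack.

```python
"""Structural validator for SDP (RFC 4566) payloads, illustrating the
network-level filtering step described in the article. Added example,
not code from WhatsApp, Meta or NSO. Limits below are assumed policy."""
import re

MAX_LINE_LEN = 512   # assumed budget for one SDP line
MAX_ATTR_LEN = 256   # assumed budget for a single a= attribute value
LINE_RE = re.compile(r"^([a-z])=(.*)$")
MEDIA_RE = re.compile(r"[a-z]+ \d{1,5}(?:/\d+)? \S+(?: \S+)+")


def validate_sdp(payload: bytes) -> list:
    """Return findings for a raw SDP body; an empty list means it looks sane."""
    findings = []
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in SDP body"]
    lines = text.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()  # a trailing CRLF is normal, not a finding
    types = []
    for n, line in enumerate(lines, 1):
        if len(line) > MAX_LINE_LEN:
            findings.append(f"line {n}: length {len(line)} exceeds {MAX_LINE_LEN}")
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"line {n}: not of the form <type>=<value>")
            continue
        kind, value = m.groups()
        types.append(kind)
        if kind == "v" and value != "0":
            findings.append(f"line {n}: unsupported SDP version {value!r}")
        if kind == "a" and len(value) > MAX_ATTR_LEN:
            findings.append(f"line {n}: attribute value length {len(value)} exceeds {MAX_ATTR_LEN}")
        if kind == "m" and not MEDIA_RE.fullmatch(value):
            findings.append(f"line {n}: malformed media description")
    # RFC 4566 ordering: v=, o=, s= open the session; t= precedes any m= section.
    if types[:3] != ["v", "o", "s"]:
        findings.append("session must begin with v=, o=, s= in that order")
    if "t" not in types or ("m" in types and types.index("t") > types.index("m")):
        findings.append("t= line missing or placed after the first m= line")
    return findings


# Constructed samples: a minimal well-formed audio offer and one oversized attribute.
GOOD = (b"v=0\r\no=- 1 1 IN IP4 192.0.2.1\r\ns=-\r\nt=0 0\r\n"
        b"m=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")
BAD = GOOD + b"a=fmtp:0 " + b"A" * 300 + b"\r\n"

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad", BAD)):
        print(name, validate_sdp(pkt) or "ok")
```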
Expert Opinions and Next Steps
- Bruce Schneier, Security Technologist: “This ruling could catalyze stronger open-source implementations and community audits.”
- Sherri Davidoff, Incident Responder: “Organizations must adopt supply-chain risk management for all third-party security tools.”
With NSO’s defense undercut and its source code partially unsealed, other spyware vendors face mounting pressure. As the industry reckons with legal and reputational fallout, the WhatsApp-NSO verdict stands as a precedent for both victims and defenders in the digital age.