A U.S. federal judge has issued a permanent injunction against the Israeli spyware vendor NSO Group, prohibiting the company from using its technology to hack WhatsApp, one of the world's most widely used encrypted messaging applications. The court found that NSO Group had illegally reverse-engineered WhatsApp using a zero-day exploit, which resulted in the compromise of approximately 1,400 user devices. This exploit allowed unauthorized access to personal information, undermining the security and privacy of WhatsApp users globally. The case was brought before the U.S. District Court for the Northern District of California, where Judge Phyllis Hamilton presided over the proceedings. A California jury previously determined that NSO Group's actions constituted a breach, and initially awarded $167 million in punitive damages to Meta, WhatsApp's parent company. NSO Group appealed the ruling, arguing that the damages were excessive and that the injunction would effectively shut down its operations. In her final order, Judge Hamilton reduced the damages to $4 million but maintained the permanent injunction, emphasizing the broader harm caused by unauthorized access to encrypted personal information. The court's decision also requires NSO Group to destroy any code used in the WhatsApp hack, further limiting the company's ability to conduct similar operations in the future. Meta representatives welcomed the verdict, describing it as a significant advancement for user privacy and security. The ruling highlighted NSO Group's alleged role in enabling governments to target dissidents, political opponents, and journalists through its spyware. The case underscores the legal and ethical challenges posed by commercial spyware vendors and their impact on global digital privacy. The court's findings reinforce the importance of robust encryption and the need for legal protections against unauthorized surveillance. The decision sets a precedent for holding spyware vendors accountable for facilitating unauthorized access to secure communications platforms. The outcome of this litigation may influence future regulatory and legal actions against similar companies. The case also demonstrates the willingness of U.S. courts to intervene in matters involving foreign technology firms and the protection of user data. The permanent injunction serves as a warning to other entities considering the development or deployment of similar surveillance tools. The legal battle between Meta and NSO Group has drawn international attention to the risks associated with commercial spyware and the necessity of safeguarding encrypted communications.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
The court reduced punitive damages to $4 million after earlier jury awards of compensatory and punitive damages, while NSO continued an appeal seeking to limit damages. This marked a further narrowing of the financial outcome after liability had been established.
Judge Phyllis J. Hamilton granted Meta a permanent injunction prohibiting NSO from targeting WhatsApp users, reverse-engineering WhatsApp, or creating new WhatsApp accounts. The order also required NSO to destroy any WhatsApp source code in its possession.
In the course of the litigation, a US court found NSO Group liable under US and California anti-hacking statutes and for breach of contract, citing evidence that it reverse-engineered WhatsApp code and used a modified client to install spyware via WhatsApp servers. The ruling established NSO's responsibility for the 2019 campaign.
Following the 2019 spyware campaign, WhatsApp and parent company Meta brought a lawsuit against NSO Group, alleging it abused WhatsApp infrastructure to target users and violated anti-hacking laws and contractual terms. The case began a legal battle that lasted roughly six years.
In 2019, NSO Group used a WhatsApp zero-day later tracked as CVE-2019-3568, a buffer overflow in RTCP handling, to deliver Pegasus spyware through targeted calls. The campaign reportedly infected about 1,400 devices.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
darkreading.com
Open sourcegovinfosecurity.com
Open sourcebankinfosecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.