I’m not usually one to cheer for Meta Platforms, a purveyor of addictive applications, but it’s difficult not to hail the seismic jolt the company just gave an even murkier world than social media: spyware.
A California jury has awarded Meta’s WhatsApp US$168-million in damages after its five-year legal battle against NSO Group, an Israeli surveillance firm. The case revolved around nations that used its Pegasus software to hack the WhatsApp accounts of 1 400 people, including journalists, activists and dissidents. Court transcripts revealed that some of those governments included Saudi Arabia, Uzbekistan and Mexico, but the full extent of NSO’s clientele remains a mystery.
NSO was already struggling financially. Having once boasted a valuation of $2-billion, it was on the brink of insolvency in 2021 after being blacklisted by the US, which means this week’s huge payout could be the final straw despite its pledge to appeal. “We will carefully examine the verdict’s details and pursue appropriate legal remedies,” a spokesman told me. He declined to comment on the company’s finances.
If NSO hits the wall, perhaps that’s for the best. On its website, the firm claims to make “ethical cyber-intelligence” software to help governments “investigate terror and crime”. But ethics took a back seat in practice, and the targets often weren’t criminals thanks to NSO’s hands-off approach to doing business. Its pitch to government clients was that there was no technical way for NSO to ascertain who was being surveilled, which made it impossible to stop the product from being misused, for instance, to spy on the wife of murdered Saudi journalist Jamal Khashoggi.
“We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorised government agencies,” NSO’s spokesman says.
Lucrative market
The surveillance trade is littered with companies like NSO, often smaller and lesser known, and prone to frequent name and jurisdiction changes to evade restrictions. It’s a lucrative market, according to Laurent Richard, a French journalist who authored a book on Pegasus in 2023. “This industry is resilient,” he told me in an interview that year. “You can be 25 years old and get paid $30 000/month in these jobs. You have dictators, tyrants and even democracies ready to pay millions to have access to this kind of surveillance solution.”
But Meta’s court win now makes the spyware business look much riskier, and its decision to pursue this case to the end (rather than settle out of court) is even more laudable. Critically, it establishes a legal precedent. Simply using American servers now creates enough jurisdiction for the courts to hear cases from US tech giants against foreign vendors. In Meta’s case, NSO was specifically found liable for breaching federal and California hacking laws, as well as WhatsApp’s terms of service.
That could open the door to similar litigation, something from which businesses can derive some comfort. Although NSO sold exclusively to governments, the spyware industry also supports corporate espionage that costs billions in stolen research and development and intellectual property. At a minimum, it will make any government think twice about spying on US companies.
Unfortunately, Meta’s legal victory is more of a bruising than a death knell for this shadowy sector. Apple last year dropped its own suit against NSO, saying that pursuing a case would mean it has to share sensitive “threat intelligence” information, which it didn’t want to do.
And there’s evidence that the spyware industry is adapting, with smaller, less visible players moving to fill the gap left by NSO. Take the Intellexa Consortium, a web of companies that make another hacking tool called Predator, which was used to monitor United Nations officials, US lawmakers and the president of the European parliament, according to a 2023 investigation by Amnesty International.
America’s sanctions on Intellexa, while a good start, don’t solve the whack-a-mole problem that such companies pose, where they can pop up in other jurisdictions under new names or simply reprogram their software to avoid detection. Predator, for instance, was recently modified to better anonymise its customers and was spotted being used in Africa a year after its blacklisting, according to a September 2024 study by Recorded Future, a cybersecurity company.
The WhatsApp verdict — decided by a jury in one day — is a victory, but it hasn’t killed the threat. Smaller operators are evolving with fresh spyware tactics and exotic corporate structures, which means Meta’s $168-million blow is probably more of a warning shot. — (c) 2025 Bloomberg LP