News · WhatsApp's jury verdict against NSO Group and what the trial record now exposes

May, 64 min to read
AI Products

WhatsApp's jury verdict against NSO Group and what the trial record now exposes

After six years, Meta's WhatsApp won a damages ruling against the maker of Pegasus — and put spyware executives, and their installation methods, on the public record.

What the 2019 detection actually caught

Meta's account starts with a concrete engineering event: six years ago, WhatsApp engineers detected and stopped an attack that exploited the app's calling system to deliver NSO's Pegasus spyware. According to the post, the campaign targeted over a thousand users, including human rights activists, journalists, diplomats and others in civil society.

Meta says it worked with Citizen Lab to investigate and to notify the people it believed were targeted, both to learn about the attack and to help those users secure their devices. That combination — internal detection, external forensic partner, direct victim notification — is the operational template that underlies the legal case that followed.

The verdict and the money that hasn't arrived yet

The news here is a jury decision forcing NSO to pay damages, which Meta frames as the first courtroom victory against illegal spyware. The company is candid that winning is not the same as collecting.

In this specific case, we know we have a long road ahead to collect awarded damages from NSO and we plan to do so. Ultimately, we would like to make a donation to digital rights organizations that are working to defend people against such attacks around the world.Montana Labs

Meta also states its next step is a court order to bar NSO from ever targeting WhatsApp again — an injunction aimed at the attacker specifically, separate from the monetary award.

What NSO was forced to admit about Pegasus

The trial pulled specifics out of a business that operated in secrecy. Meta reports that NSO conceded Pegasus can collect "every kind of user data on the phone" — financial and location data, emails, text messages — and can remotely activate the microphone and camera without the user's knowledge or authorization.

Two admissions matter beyond WhatsApp. First, that NSO spends tens of millions of dollars annually developing malware installation methods across instant messaging, browsers, and operating systems. Second, that its spyware remains capable of compromising iOS or Android devices to this day. Meta stresses that closing the 2019 calling-system vector did not close the threat; the installation surface is the whole device stack.

Publishing the depositions as a threat-research artifact

The most reusable part of this announcement is not the verdict — it's the disclosure. Meta is publishing unofficial transcripts of deposition videos shown in open court, including testimony from NSO's CEO Yaron Shohat, its R&D vice president Tamir Gazneli, and other executives, with official court transcripts to follow.

For anyone studying the surveillance-for-hire market, that turns litigation output into primary source material. Meta explicitly frames the release as being for researchers and journalists working to protect the public, and repeats its standing ask that security researchers report bugs through its Bug Bounty program.

The implication: end-to-end encryption raised the value of compromising the endpoint

The through-line in Meta's post is that as private communication moves onto end-to-end encrypted apps like WhatsApp and Signal, adversaries stop attacking the channel and start attacking the phone. If the message can't be read in transit, the economically rational target becomes the device where it's decrypted — which is exactly the capability NSO admitted to maintaining across operating systems, browsers, and messaging clients.

That reframes the win. A single jury award and injunction constrain one vendor; they don't shrink the installation surface that spans everyone's software. Meta says as much — that this is an industry-wide threat and it'll take all of us to defend against it. For teams shipping products that handle sensitive user data, the practical lesson from the trial record is that endpoint compromise is a funded, continuous investment on the other side, not a solved problem.

Find this story relevant to you?

Contact us to find a unique solution

Contact us

Need an AI engineering partner that can actually build?

We help businesses integrate AI, build AI-powered products, automate high-value workflows, and modernize the software systems behind them.

Get in touch

Related reading

More analysis around product delivery, operational AI, and the systems work that makes deployment hold up in reality.

Jul, 144 min to read
AI Products

How Google DeepMind rebuilt Pelé's unfilmed 1959 goal from archives and stunt footage

Jul, 134 min to read
AI Products

Expedia's image-selection automation is the concrete piece behind its AI marketing story

Jul, 134 min to read
AI Products

ENEOS Materials built over 1,000 custom GPTs and put ChatGPT Enterprise in front of every employee