US Court Slams $168m Fine on Spyware Giant NSO

On May 6, 2025, a U.S. court in California ordered NSO Group, an Israeli spyware company, to pay $168 million in damages. The judgment was the result of a lawsuit filed by Meta Platforms, the owner of WhatsApp. This was not merely the conclusion of a protracted corporate lawsuit; it marked a landmark moment in the global fight against the clandestine and often abusive world of digital surveillance. The verdict, a resounding victory for Meta Platforms, owner of WhatsApp, has sent shockwaves through an industry that has long thrived in the shadows, peddling powerful tools of espionage to governments worldwide.

At the heart of this legal battle is NSO Group, the developer of Pegasus, a spyware tool of notorious capability. Pegasus has been repeatedly linked to state-sponsored surveillance campaigns targeting journalists, human rights activists, political dissidents, and even heads of state across the globe, transforming smartphones into pocket-sized spies. The U.S. court’s decision to hold NSO Group liable for its actions and impose substantial damages signifies a potential turning point. The sheer size of the penalty, combined with its status as the first U.S. jury verdict against a commercial spyware company, signals a shift in the landscape of accountability. NSO Group’s defence has often leaned on the argument that it sells only to sovereign governments, thereby attempting to deflect responsibility for how its tools are used. However, this verdict pierces that veil, holding the technology provider directly accountable for facilitating illegal acts. This suggests that the creators of such potent surveillance tools may no longer be able to easily evade responsibility for the abuse their products enable.

This article will dissect the Meta vs. NSO Group judgment, explore its implications for the shadowy spyware industry, and critically examine what this U.S. legal precedent means for India. The U.S. ruling, therefore, is not just a foreign legal development but a significant event with potential repercussions for India’s ongoing struggle for digital rights and accountability.

The verdict rings out: Meta’s gruelling six-year battle and NSO’s defeat

The culmination of a nearly six-year legal confrontation saw a U.S. federal jury in the Northern District of California order NSO Group to pay Meta Platforms approximately $167.7 million. This sum comprised $444,719 in compensatory damages, covering Meta’s costs in responding to the attack, and a colossal $167,254,000 in punitive damages, designed to punish NSO Group for its conduct and deter future wrongdoing.

This damages trial followed a crucial summary judgment by U.S. District Judge Phyllis J. Hamilton on December 20, 2024. In that earlier ruling, Judge Hamilton found NSO Group liable for violating the U.S. Computer Fraud and Abuse Act (CFAA), the California Comprehensive Computer Data Access and Fraud Act (CDAFA), and for breaching WhatsApp’s terms of service. The case centred on NSO Group’s 2019 cyberattack, which exploited a vulnerability in WhatsApp’s audio calling feature. This flaw allowed NSO to covertly install its Pegasus spyware on the mobile devices of more than 1,400 WhatsApp users across the globe, including journalists, human rights activists, political dissidents, and diplomats.

Throughout the litigation, NSO Group employed a multi-pronged defence strategy, which was systematically dismantled by the U.S. courts. A cornerstone of NSO’s defence was the claim of foreign sovereign immunity, arguing that because it sells its spyware exclusively to government agencies, it should be shielded from lawsuits as an agent of those foreign states. This argument was consistently rejected by U.S. courts, culminating in the U.S. Supreme Court declining to hear NSO’s appeal on the matter. This series of rejections was pivotal, establishing that NSO Group, despite its governmental clientele, could indeed be sued in U.S. courts, particularly as evidence emerged that NSO utilized U.S.-based servers for its operations. NSO had long contended that U.S. courts lacked jurisdiction over its foreign operations targeting foreign victims, a claim significantly undermined by these rulings.

Furthermore, the NSO Group attempted to distance itself from the actual deployment of Pegasus, asserting that its government clients operate the spyware independently. However, court documents and trial testimony painted a different picture. Evidence, including sworn depositions from NSO employees, revealed the company’s direct involvement in the spyware’s installation and data extraction processes. Some employees even admitted to using WhatsApp to install spyware and continuing these activities even after Meta had filed the lawsuit. This direct operational role contradicted NSO’s narrative of being a passive technology provider.

The company also faced criticism and sanctions for its conduct during the discovery phase of the lawsuit, including its failure to produce the Pegasus source code as ordered by the court. In arguing against damages, NSO contended that Meta had suffered no actual financial loss, suggesting that employee salaries for remediation efforts would have been paid regardless of the attack and that WhatsApp’s servers were not physically damaged. The jury, however, sided with Meta, awarding the full amount of compensatory damages requested.

The crumbling of the “sovereign agent” facade is perhaps one of the most significant outcomes of this litigation. Spyware companies have historically hidden behind the argument that they merely sell tools to governments, thereby deflecting responsibility for any misuse. This verdict, by establishing NSO’s direct actions in deploying spyware and by piercing the sovereign immunity claim, creates a powerful precedent. It suggests that the creators of these potent surveillance tools can be held accountable in jurisdictions like the United States, especially if their actions involve U.S. infrastructure or violate U.S. laws. This development considerably increases the legal exposure for such companies on a global scale.

The composition of the damages award is also telling. The overwhelming proportion of punitive damages ($167.25 million) compared to compensatory damages ($444,719) indicates that the jury found NSO Group acted with “malice, oppression or fraud,” as noted in the court’s findings. Compensatory damages are intended to cover actual losses incurred by the plaintiff. Punitive damages, on the other hand, are designed to punish the defendant for egregious conduct and to deter similar behaviour in the future. The jury’s decision to award such substantial punitive damages sends an unequivocal message that NSO’s conduct was not merely illegal but profoundly reprehensible. This financial blow is aimed squarely at NSO Group and, by extension, the broader spyware industry, signalling that such activities will incur severe financial penalties that go far beyond merely covering the victim’s direct costs. This could make the business model of such companies, some of which, like NSO, are already reported to be under financial strain, far riskier and less tenable.

Pegasus unveiled: The “ghost” in the machine and its modus operandi

Pegasus is not just any spyware; it is a highly sophisticated tool engineered to infiltrate both iOS and Android devices, the dominant mobile operating systems globally. Its notoriety stems significantly from its “zero-click” exploit capabilities. This means Pegasus can be surreptitiously installed on a target’s device without requiring any action from the user – no need to click a malicious link, open an infected attachment, or even answer a call. The spyware can be delivered silently, for instance, through a missed WhatsApp call or a specially crafted message that doesn’t even need to be opened by the recipient.

Once installed, Pegasus effectively hands over complete control of the compromised device to the attacker. It can access a vast trove of personal and sensitive information, including encrypted messages (either by intercepting them before encryption on the sending device or by reading them after decryption on the receiving device), emails, photos, videos, call logs, contact lists, GPS location data, and stored passwords. Furthermore, Pegasus can remotely and covertly activate the device’s microphone and camera, turning the phone into a live surveillance device, all without the owner’s knowledge or consent. During the U.S. trial, NSO Group executives themselves conceded that Pegasus is capable of vacuuming up “every kind of user data on the phone”.

NSO Group has consistently maintained a specific narrative about its business model. The company claims that its flagship product, Pegasus, is sold exclusively to vetted government security and law enforcement agencies. The stated purpose, according to NSO, is to aid these agencies in legitimate activities such as conducting rescue operations and combating serious criminals, including terrorists, money launderers, and drug traffickers.

However, this official line stands in stark contrast to the findings of numerous independent investigations conducted by organizations like the University of Toronto’s Citizen Lab, Amnesty International, and various international media consortia, including the Pegasus Project. These investigations have meticulously documented the widespread use of Pegasus against unintended targets: journalists attempting to hold power accountable, human rights activists defending fundamental freedoms, lawyers representing sensitive clients, political opponents challenging incumbent regimes, and even heads of state. The trial also revealed that NSO Group invests heavily in its offensive capabilities, with executives admitting to spending tens of millions of dollars annually to develop sophisticated malware installation methods. The price tag for such capabilities is correspondingly high; for instance, NSO reportedly charged European government customers up to $7 million for the ability to hack just 15 devices, with additional costs for targeting devices internationally.

The glaring disparity between NSO Group’s stated purpose for Pegasus and the documented reality of its deployment against civil society effectively exposes the fallacy of the “dual-use” argument often employed for such powerful technologies. NSO’s defence consistently hinges on the supposed legitimacy of its clients and the intended use of Pegasus against “serious crime and terrorism.” However, the evidence presented during the trial, coupled with a vast body of independent research, points to a persistent pattern of abuse. This discrepancy suggests one or a combination of possibilities: NSO’s vetting processes for its government clients are woefully inadequate, its contractual controls designed to prevent misuse are ineffective or unenforced, or the company is wilfully blind to, if not complicit in, the misuse of its spyware by these clients. The argument that such tools have both legitimate and illegitimate uses – the “dual-use” defence – often crumbles when the technology in question is as inherently invasive as Pegasus and the oversight mechanisms are minimal or absent.

Moreover, the very existence, development, and marketing of a tool like Pegasus, capable of achieving total and covert compromise of a personal device, indicates a dangerous global trend towards the normalization of extreme surveillance capabilities. The fact that NSO Group could successfully develop and sell such a product to numerous governments worldwide suggests a significant global appetite for these intrusive powers. The technical sophistication of Pegasus, particularly its zero-click infection vectors, means that traditional cybersecurity defences employed by average users are often rendered useless. This creates an environment where the reasonable expectation of digital privacy is severely eroded, potentially casting a chilling effect on free speech, association, and dissent, even for individuals who are not directly targeted but fear they could be.

Turning point for spyware accountability?

The verdict against NSO Group is a landmark precedent in the fight against the unregulated proliferation of commercial spyware. It is the first U.S. jury verdict against a commercial spyware company and, significantly, the first U.S. verdict against NSO Group itself. The financial award also represents the largest reported verdict in a civil case brought under either the Computer Fraud and Abuse Act (CFAA) or the California Comprehensive Computer Data Access and Fraud Act (CDAFA).

The judgment is anticipated to have a significant impact on the broader spyware industry. Meta, in its statement following the verdict, emphasised that the ruling acts as a “critical deterrent to this malicious industry”. The success of Meta’s lawsuit may embolden other victims of spyware, whether individuals or corporations, to seek legal recourse against spyware vendors. Furthermore, the ruling could make it considerably harder for spyware companies to hide behind “plausible deniability” regarding the use of their products. This, coupled with the substantial financial penalty, is likely to lead to increased legal and financial risks for the industry, potentially affecting investment, operational strategies, and the overall viability of businesses built on selling such intrusive technologies.

This legal victory also serves to empower technology platforms in their efforts to protect their users and systems. It validates the legal strategy employed by tech companies like Meta, which utilized anti-hacking statutes such as the CFAA to hold spyware developers accountable for exploiting their platforms. Demonstrating a commitment beyond mere financial compensation, Meta has announced its intention to donate the damages recovered from NSO Group to digital rights organizations that are actively working to combat surveillance abuses and protect vulnerable users. This action is part of a growing trend where major technology companies, including Apple, which has also filed its own lawsuit against NSO Group, are taking a more proactive and aggressive stance in combating the commercial surveillance industry through both legal challenges and technical countermeasures.

The outcome of the Meta vs. NSO case signals a potential shift in the power dynamics that have characterized the surveillance technology landscape. For years, spyware firms like NSO Group operated largely in the shadows, their actions difficult to definitively prove and their legal standing often ambiguous due to claims of sovereign immunity and client confidentiality. Technology platforms, whose services were exploited as vectors for spyware delivery, were often in a reactive posture. This verdict, however, building upon the crucial judicial rejection of NSO’s sovereign immunity claims, empowers these platforms. They can now more confidently leverage their considerable legal and technical resources to proactively protect their ecosystems, thereby making it more costly and legally perilous for spyware vendors to target mainstream communication platforms.

The case also inadvertently highlights the role of the U.S. legal system as a, perhaps reluctant, enforcer of global digital rights. This is also a consequence of the geographical concentration of major technology company headquarters and critical internet infrastructure, including servers, within the United States. When global communication platforms, many of which are U.S.-based, find their terms of service violated or their U.S.-located servers accessed without authorization for the purpose of deploying spyware, it provides a jurisdictional hook for legal action within the American judicial system. While the outcome in the Meta vs. NSO case is viewed positively by digital rights advocates, it does raise broader questions about the sustainability and global desirability of relying predominantly on one nation’s courts to address what inherently international issues of spyware abuse are. This underscores the pressing need for enhanced international cooperation and the development of stronger, harmonized national laws elsewhere to combat this menace effectively.

Finally, the substantial financial penalty imposed on NSO Group, particularly the massive punitive damages award, underscores the potential of economic deterrence as a key weapon against the spyware industry. NSO Group has been reported to be facing significant financial difficulties, including being placed on a U.S. government blacklist that restricts its access to American technology and markets. A judgment of nearly $168 million could indeed be a fatal blow to an already struggling entity. This suggests that economic pressure, exerted through sanctions, large civil penalties, and divestment campaigns, might be one of the most effective tools to curb the proliferation of commercial spyware, especially since ethical appeals or reliance on the discretion of client governments have, to date, proven largely insufficient.

The Indian Connection: Pegasus shadows loom large over democracy

The NSO Group’s activities, as detailed in the U.S. court proceedings and prior investigations, have a significant and alarming Indian connection. Court documents related to the Meta lawsuit revealed that India was the second-most targeted country in the 2019 WhatsApp hacking campaign, with over 100 Indian users identified as victims. The list of those targeted in India reportedly included journalists, human rights activists, lawyers, and politicians, mirroring the global pattern of Pegasus deployment against civil society figures rather than solely against criminals and terrorists as NSO Group claims.

These findings were amplified by the Pegasus Project revelations in 2021. This collaborative investigative effort by international media organizations, based on a leaked list of potential surveillance targets, indicated that around 300 phone numbers in India were of interest to NSO’s clients. The Indian list controversially  included serving ministers, prominent opposition leaders such as Rahul Gandhi, political strategists like Prashant Kishor, numerous journalists including Siddharth Varadarajan of The Wire, activists such as Umar Khalid, a former Election Commissioner, Ashok Lavasa, who had flagged poll code violations by the Prime Minister, and even sitting Supreme Court judges.

Amnesty International’s Security Lab has conducted forensic investigations that further substantiate these concerns. Their findings confirmed repeated targeting of Indian journalists. Siddharth Varadarajan, for instance, was found to have been targeted with Pegasus in 2018 and then again in October 2023. Another journalist, Anand Mangnale, South Asia Editor at The Organised Crime and Corruption Reporting Project (OCCRP), was targeted in August 2023 with a sophisticated zero-click exploit delivered via iMessage while he was reportedly working on a story about alleged stock manipulation by a large Indian conglomerate.

In response to the widespread outcry following the Pegasus Project revelations, the Supreme Court of India intervened in October 2021. Recognising the gravity of the allegations, the Court constituted an independent technical committee, headed by retired Supreme Court Justice R.V. Raveendran, to investigate the claims of Pegasus surveillance.  This committee submitted its report in a sealed cover to the Supreme Court in August 2022. Out of the 29 phones analysed by the Technical Committee, just five showed signs of malware — and even in those cases, there was no clear evidence linking it to Pegasus, as per the three-part report presented to the Court by the Justice R.V. Raveendran committee. Crucially, the CJI NV Ramana (as he was then) also made a significant observation: the Indian government “did not cooperate” with the technical committee’s investigation.

The full contents of the technical committee’s report remain sealed and have not been made public.

The Indian government’s official stance on the Pegasus allegations has been one of consistent denial of any unauthorised interception by its agencies. Statements from the Ministry of Electronics and Information Technology (MeitY), including those made by Union Minister Ashwini Vaishnaw, have dismissed the reports as attempts to “malign Indian democracy and its well-established institutions”. The government has asserted that existing legal frameworks, such as the Indian Telegraph Act and the Information Technology Act, provide sufficient checks and balances against illegal surveillance. However, MeitY, through CERT-In (Indian Computer Emergency Response Team), was reportedly informed by WhatsApp about the Pegasus breach affecting Indian users as early as September 2019, raising questions about the timeliness and transparency of the government’s subsequent public responses.

More often than not, the government has invoked “national security” as a reason to avoid confirming or denying the procurement or use of Pegasus spyware. During Supreme Court hearings, the Solicitor General of India argued that “terrorists cannot claim privacy rights.” This sentiment was, to some extent, echoed by one of the judges who remarked, “What is wrong if the country is using spyware?… Using against whom is the question?”. These statements have fuelled concerns among civil liberties advocates that the national security argument is being used to shield potentially unlawful surveillance activities from scrutiny.

The Indian government’s persistent invocation of “national security” to sidestep transparency regarding Pegasus use, particularly its documented non-cooperation with the Supreme Court-appointed technical committee, presents a stark contrast to the detailed evidence and rigorous judicial scrutiny observed in the U.S. legal proceedings against NSO Group. While national security is undeniably a legitimate concern for any state, its deployment as a blanket justification to prevent any meaningful disclosure about the use of highly invasive spyware against a wide range of citizens—including journalists, opposition figures, and potentially even members of the judiciary—raises profound questions about democratic accountability and the potential for abuse of power. The U.S. verdict, which meticulously details the illegal hacking mechanisms employed by NSO, makes the Indian government’s opaque and defensive stance increasingly difficult to sustain, as the spyware tool itself has now been judicially recognized in a foreign court as problematic and its vendor held liable for its misuse.

The repeated and continued targeting of journalists in India, as confirmed by forensic analysis even after the initial Pegasus revelations and the Supreme Court’s intervention, suggests a brazen and deeply concerning attempt to suppress dissent and investigative journalism. When journalists investigating sensitive matters, such as allegations of financial misconduct by powerful entities, find themselves under state-sponsored surveillance, it sends a potent chilling message to the entire media community. This transcends individual privacy violations; it constitutes an assault on the freedom of the press, a cornerstone of any functioning democracy. The persistence of such targeting implies that the perpetrators feel a disturbing sense of impunity within the domestic Indian context.

The situation also presents a tale of two judiciaries and, by extension, two executive approaches. The proactive stance of the U.S. judiciary in holding NSO Group accountable, significantly aided by a well-resourced corporate plaintiff like Meta, contrasts sharply with the Indian Supreme Court’s current position. The Indian Court appears to be treading a cautious path, attempting to balance national security claims against individual queries about surveillance, a task made more challenging by the executive branch’s non-cooperation. While the U.S. case benefited from Meta’s considerable resources and clear legal standing as an aggrieved party whose platform was abused, in India, the petitioners are often individuals, under-resourced rights groups, or journalists. The Indian Supreme Court’s cautious handling of the sealed technical committee report and the government’s steadfast refusal to cooperate highlight systemic challenges in achieving accountability domestically. The fact that MeitY was reportedly informed of the WhatsApp breach affecting Indian users as far back as September 2019, yet the government’s public narrative and actions did not appear to reflect this urgency or information, further underscores this accountability deficit. The U.S. verdict might provide Indian petitioners with stronger international legal and moral backing, but overcoming domestic institutional hurdles remains a formidable challenge.

VI. Echoes in Delhi: How the US verdict resonates in India’s Pegasus saga

The U.S. District Court’s comprehensive findings against NSO Group and the subsequent multi-million dollar damages award are poised to have significant reverberations in India, where the Pegasus spyware controversy continues to simmer. The U.S. court’s meticulous detailing of NSO’s illegal activities and the intrusive nature of Pegasus spyware provide substantial evidentiary and moral support for petitioners currently before the Indian Supreme Court. Indeed, during hearings in April 2025, Senior Advocate Kapil Sibal, representing one of the petitioners, explicitly cited the U.S. judgment, highlighting the court’s observation that India was among the countries where WhatsApp users were targeted by Pegasus. The detailed revelations from the U.S. trial concerning NSO Group’s operational methods and its direct involvement in deploying the spyware can be leveraged to counter claims that the spyware’s use is solely determined by client governments without NSO’s active participation or knowledge.

This international legal precedent is likely to fuel fresh and more vociferous demands for transparency and accountability from the Indian government. Opposition parties, such as the Congress party which has already called for Supreme Court-monitored probes based on U.S. court revelations , along with civil society organizations; and various digital rights advocates, are expected to intensify their calls for the Indian government to: first, unequivocally state whether it procured and deployed Pegasus spyware; second, consent to a truly independent and transparent investigation into the allegations; and third, make the Supreme Court-appointed technical committee’s full report public, allowing for informed public debate and scrutiny.

The U.S. judgment also presents a formidable challenge to the broad “national security” argument frequently invoked by the Indian government to justify opacity surrounding the use of Pegasus. By laying bare the illicit hacking mechanisms of Pegasus and its deployment against ordinary citizens such as journalists and activists, the U.S. court’s findings weaken the credibility of using an all-encompassing national security pretext to shield such surveillance from any form of oversight in India. If the tool’s mode of operation is deemed illegal by a U.S. court when used against similar profiles of individuals, its alleged use in India under a vague and unsubstantiated national security rationale becomes increasingly questionable and harder to defend both domestically and internationally.

Ultimately, the U.S. verdict indirectly places India’s own democratic institutions—particularly its judiciary and parliamentary oversight mechanisms—under a critical test. If a foreign court, driven by a corporate plaintiff, can achieve a significant degree of accountability against the NSO Group, the question inevitably arises: why are Indian institutions apparently struggling to achieve similar accountability regarding the use of Pegasus within India’s borders? This focuses uncomfortable attention on the independence, efficacy, and resilience of these institutions when confronted with executive power and sweeping claims of national security. The Indian Supreme Court’s next steps in the Pegasus matter, with hearings scheduled for July 30, 2025, will be very closely watched in this context.

Conclusion

The broader struggle against illicit surveillance and the misuse of powerful espionage technologies is far from over. It requires sustained, multifaceted efforts from technology companies committed to protecting their users, from a vigilant and courageous civil society, from international bodies striving to establish global norms, and, most crucially, from national governments willing to uphold the rule of law and safeguard fundamental human rights in the increasingly complex digital age. The path to effectively reining in the global spyware menace is undoubtedly long and arduous, but the Meta-NSO verdict offers a crucial milestone, a tangible victory for a future where digital technologies empower rather than oppress.

The writer is part of the legal research team of Sabrang India.

Courtesy: Sabrang India