Eight things we learned from WhatsApp vs. NSO Group spyware lawsuit
On May 6, WhatsApp scored a major victory against NSO Group when a jury ordered the infamous spyware maker to pay more than $167 million in damages to the Meta-owned company.
The ruling concluded a legal battle spanning more than five years, which started in October 2019 when WhatsApp accused NSO Group of hacking more than 1,400 of its users by taking advantage of a vulnerability in the chat app's audio-calling functionality.
The verdict came after a week-long jury trial that featured several testimonies, including NSO Group's CEO Yaron Shohat and WhatsApp employees who responded and investigated the incident.
Even before the trial began, the case had unearthed several revelations, including that NSO Group had cut off 10 of its government customers for abusing its Pegasus spyware, the locations of 1,223 of the victims of the spyware campaign, and the names of three of the spyware maker's customers: Mexico, Saudi Arabia, and Uzbekistan.
TechCrunch read more than 1,000 pages of court transcripts of the trial's hearings. We have highlighted the most interesting facts and revelations below.
New testimony described how the WhatsApp attack worked
The zero-click attack, which means the spyware required no interaction from the target, 'worked by placing a fake WhatsApp phone call to the target,' as WhatsApp's lawyer Antonio Perez said during the trial. The lawyer explained that NSO Group had built what it called the 'WhatsApp Installation Server,' a special machine designed to send malicious messages across WhatsApp's infrastructure mimicking real messages.
'Once received, those messages would trigger the user's phone to reach out to a third server and download the Pegasus spyware. The only thing they needed to make this happen was the phone number,' said Perez.
NSO Group's research and development vice president Tamir Gazneli testified that 'any zero-click solution whatsoever is a significant milestone for Pegasus.'
NSO admitted that it kept targeting WhatsApp users after the lawsuit was filed
Following the spyware attack, WhatsApp filed its lawsuit against NSO Group in November 2019. Despite the active legal challenge, the spyware maker kept targeting the chat app's users, according to NSO Group's research and development vice president Tamir Gazneli.
Gazneli said that 'Erised,' the codename for one of the versions of the WhatsApp zero-click vector, was in use from late-2019 up to May 2020. The other versions were called 'Eden' and 'Heaven,' and the three were collectively known as 'Hummingbird.'
NSO confirms it targeted an American phone number as a test for the FBI
Contact Us Do you have more information about NSO Group, or other spyware companies? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or
Do you have more information about NSO Group, or other spyware companies? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email .
For years, NSO Group has claimed that its spyware cannot be used against American phone numbers, meaning any cell number that starts with the +1 country code.
In 2022, The New York Times first reported that the company did 'attack' a U.S. phone but it was part of a test for the FBI.
NSO Group's lawyer Joe Akrotirianakis confirmed this, saying the 'single exception' to Pegasus not being able to target +1 numbers 'was a specially configured version of Pegasus to be used in demonstration to potential U.S. government customers.'
The FBI reportedly chose not to deploy Pegasus following its test.
How NSO's government customers use Pegasus
NSO's CEO Shohat explained that Pegasus' user interface for its government customers does not provide an option to choose which hacking method or technique to use against the targets they are interested in, 'because customers don't care which vector they use, as long as they get the intelligence they need.'
In other words, it's the Pegasus system in the backend that picks out which hacking technology, known as an exploit, to use each time the spyware targets an individual.
NSO says it employs hundreds of people
NSO Group's CEO Yaron Shohat disclosed a small but notable detail: NSO Group and its parent company, Q Cyber, have a combined number of employees totalling between 350 and 380. Around 50 of these employees work for Q Cyber.
NSO's headquarters shares the same building as Apple
In a funny coincidence, NSO Group's headquarters in Herzliya, a suburb of Tel Aviv in Israel, is in the same building as Apple, whose iPhone customers are also frequently targeted by NSO's Pegasus spyware. Shohat said NSO occupies the top five floors and Apple occupies the remainder of the 14-floor building.
'We share the same elevator when we go up,' Shohat said during testimony.
The fact that NSO Group's headquarters are openly advertised is somewhat interesting on its own. Other companies that develop spyware or zero-days like the Barcelona-based Variston, which shuttered in February, was located in a co-working space while claiming on its official website to be located somewhere else.
Pegasus spyware cost European customers millions
During their testimony, an NSO Group employee revealed how much the company charged European customers to access its Pegasus spyware between 2018 and 2020, saying the 'standard price' is $7 million, plus an additional $1 million or so for 'covert vectors.'
These new details were included in a court document without the full context of the testimony, but offers an idea of how much advanced spyware like Pegasus can cost paying governments. While not explicitly defined, 'covert vectors' likely refer to stealthy techniques used to plant the spyware on the target phone, such as a zero-click exploit, where a Pegasus operator doesn't need the victim to interact with a message or click a link to get hacked.
The prices of spyware and zero-days can vary depending on several factors: the customer, given that some spyware makers charge more when selling to countries like Saudi Arabia or the United Arab Emirates, for example; the number of concurrent targets that the customer can spy on at any given time; and feature add-ons, such as zero-click capabilities.
All of these factors could explain why a European customer would pay $7 million in 2019, while Saudi Arabia reportedly paid $55 million and Mexico paid $61 million over the span of several years.
NSO describes a dire state of finances
During the trial, Shohat answered questions about the company's finances, some of which were disclosed in depositions ahead of the trial. These details were brought up in connection with how much in damages the spyware maker should pay to WhatsApp.
According to Shohat and documents provided by NSO Group, the spyware maker lost $9 million in 2023 and $12 million in 2024. The company also revealed it had $8.8 million in its bank account as of 2023, and $5.1 million in the bank as of 2024. Nowadays, the company burns through around $10 million each month, mostly to cover the salaries of its employees.
Also, it was revealed that Q Cyber had around $3.2 million in the bank both in 2023 and 2024.
During the trial, NSO revealed its research and development unit — responsible for finding vulnerabilities in software and figuring out how to exploit them — spent some $52 million in expenses during 2023, and $59 million in 2024. Shohat also said that NSO Group's customers pay 'somewhere in the range' between $3 million and 'ten times that' for access to its Pegasus spyware.
Factoring in these numbers, the spyware maker was hoping to get away with paying little or no damages.
'To be honest, I don't think we're able to pay anything. We are struggling to keep our head above water,' Shohat said during his testimony. 'We're committing to my [chief financial officer] just to prioritize expenses and to make sure that we have enough money to meet our commitments, and obviously on a weekly basis.'
First published on May 10, 2025 and updated with additional details.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Business Insider
an hour ago
- Business Insider
Meta's chief AI scientist says all countries should contribute data to a shared open-source AI model
AI has surged to the top of the diplomatic agenda in the past couple of years. And one of the leading topics of discussion among researchers, tech executives, and policymakers is how open-source models — which are free for anyone to use and modify — should be governed. At the AI Action Summit in Paris earlier this year, Meta's chief AI scientist, Yann LeCun, said he'd like to see a world in which "we'll train our open-source platforms in a distributed fashion with data centers spread across the world." Each will have access to its own data sources, which they may keep confidential, but "they will contribute to a common model that will essentially constitute a repository of all human knowledge," he said. This repository will be larger than what any one entity, whether a country or company, can handle. India, for example, may not give away a body of knowledge comprising all the languages and dialects spoken there to a tech company. However, "they would be happy to contribute to training a big model, if they can, that is open source," he said. To achieve that vision, though, "countries have to be really careful with regulations and legislation." He said countries shouldn't impede open-source, but favor it. Even for closed-loop systems, OpenAI CEO Sam Altman has said international regulation is critical. "I think there will come a time in the not-so-distant future, like we're not talking decades and decades from now, where frontier AI systems are capable of causing significant global harm," Altman said on the All-In podcast last year. Altman believes those systems will have a "negative impact way beyond the realm of one country" and said he wanted to see them regulated by "an international agency looking at the most powerful systems and ensuring reasonable safety testing."
Engadget
2 hours ago
- Engadget
Meta will reportedly soon use AI for most product risk assessments instead of human reviewers
According to a report from NPR , Meta plans to shift the task of assessing its products' potential harms away from human reviewers, instead leaning more heavily on AI to speed up the process. Internal documents seen by the publication note that Meta is aiming to have up to 90 percent of risk assessments fall on AI, NPR reports, and is considering using AI reviews even in areas such as youth risk and "integrity," which covers violent content, misinformation and more. Unnamed current and former Meta employees who spoke with NPR warned AI may overlook serious risks that a human team would have been able to identify. Updates and new features for Meta's platforms, including Instagram and WhatsApp, have long been subjected to human reviews before they hit the public, but Meta has reportedly doubled down on the use of AI over the last two months. Now, according to NPR, product teams have to fill out a questionnaire about their product and submit this for review by the AI system, which generally provides an "instant decision" that includes the risk areas it's identified. They'll then have to address whatever requirements it laid out to resolve the issues before the product can be released. A former Meta executive told NPR that reducing scrutiny "means you're creating higher risks. Negative externalities of product changes are less likely to be prevented before they start causing problems in the world." In a statement to NPR , Meta said it would still tap "human expertise" to evaluate "novel and complex issues," and leave the "low-risk decisions" to AI. Read the full report over at NPR . It comes a few days after Meta released its latest quarterly integrity reports — the first since changing its policies on content moderation and fact-checking earlier this year. The amount of content taken down has unsurprisingly decreased in the wake of the changes, per the report. But there was a small rise in bullying and harassment, as well as violent and graphic content.
Yahoo
3 hours ago
- Yahoo
Google says to appeal online search antitrust ruling
Google said Saturday it will appeal a ruling against it for anti-competitive practices in online search, a day after urging a US judge to reject the suggestion it spin off its Chrome browser. "We will wait for the Court's opinion. And we still strongly believe the Court's original decision was wrong, and look forward to our eventual appeal," the tech giant wrote on X. Google was found guilty in the summer of 2024 of illegal practices to establish and maintain its monopoly in online search by a federal judge in Washington. The Justice Department is now demanding remedies that could transform the digital landscape: Google's divestiture from its Chrome browser and a ban on entering exclusivity agreements with smartphone manufacturers to install the search engine by default. It is also asking that the California-based company be forced to share the data used to produce search results on Chrome. The department's proposal "reserves the right for the government to decide who gets Google users' data. Not the Court," Google said Saturday. "While we heard a lot about how the remedies would help various well-funded competitors (w/ repeated references to Bing), we heard very little about how all this helps consumers," Google added, referring to the Microsoft-owned search engine. The firm has proposed much more limited measures, including giving phone manufacturers the possibility to pre-install its Google Play app store but not Chrome or the search engine. The Friday hearing devoted to arguments marked the end of the trial to determine Google's penalty. The judge's decision is expected by August. juj/vla/bjt/mlm
