Meta Scores Major Legal Victory Against Spyware Maker NSO Group

In a landmark decision, Meta has won a decisive legal battle against NSO Group, the notorious Israeli spyware developer behind the Pegasus surveillance tool. The ruling, which has been years in the making, culminated in a U.S. jury awarding Meta nearly \$168 million in damages—a significant legal and symbolic win in the fight against commercial spyware and cyber-espionage operations.

This case has been closely watched across both the tech and cybersecurity communities. It centers around a 2019 zero-day vulnerability in WhatsApp that allowed Pegasus spyware to infiltrate around 1,400 mobile devices, including those used by journalists, human rights activists, and political dissidents. NSO Group, which markets Pegasus as a tool for counterterrorism and law enforcement, allegedly used this exploit to surveil individuals without their knowledge or consent.

The Timeline of the Meta vs. NSO Group Legal Battle

May 2019: NSO Group exploited a buffer overflow flaw in WhatsApp’s VoIP stack, identified as CVE-2019-3568. The exploit required no user interaction—spyware was silently installed after a missed WhatsApp call.
Devices affected: Android, iOS, Windows Phone, and Tizen variants of WhatsApp were all vulnerable at the time.
October 2019: Meta filed a lawsuit accusing NSO of unlawfully using its infrastructure to spread Pegasus spyware.
2020-2023: Legal arguments unfolded, with NSO claiming sovereign immunity due to its work with governments. This defense was later rejected by U.S. courts.
May 2025: A jury found NSO Group liable and ordered it to pay \$168 million in compensatory and punitive damages.

Meta emphasized that Pegasus enabled broad, invasive surveillance, collecting everything from text messages and emails to GPS data and live audio through unauthorized mic and camera access. Internal court documents also revealed that NSO used multiple zero-day exploits on WhatsApp, demonstrating a systematic effort to weaponize digital vulnerabilities for covert surveillance.

In response, NSO Group insisted that Pegasus is intended solely for legitimate use by government agencies to combat terrorism and serious crime. However, critics—including privacy advocates and independent research labs like Citizen Lab—have consistently pointed to misuse of the spyware in targeting civil society groups, including journalists and dissidents.

This lawsuit marks a pivotal shift, as it may set a precedent for holding spyware vendors legally accountable, especially when operating across international jurisdictions and targeting users of American platforms.

What Undercode Say:

Meta’s victory isn’t just a win for a tech company—it’s a landmark moment in the broader battle for digital rights and privacy in the surveillance age.

  1. Legal Accountability for Spyware Vendors: This is the first significant example of a spyware firm being held financially accountable for exploiting private infrastructure. It changes the risk-reward calculation for commercial surveillance firms.

  2. The Power of Zero-Day Exploits: The technical details in this case show how a single, obscure flaw—CVE-2019-3568—can become the root of a global surveillance operation. It highlights the value (and danger) of zero-day vulnerabilities.

  3. Commercial Spyware as a Threat Vector: Pegasus operates with nation-grade sophistication but is sold commercially. This commodification of spyware makes it accessible to regimes and organizations who may not respect democratic norms or due process.

  4. Legal Pushback May Deter Future Abuse: By targeting NSO through civil litigation rather than diplomacy, Meta has created a roadmap for other tech firms and victims to push back.

  5. Meta’s Motivations: Let’s not forget that Meta’s own business model revolves around data. But in this case, the defense of user privacy aligned with its corporate interests—creating a rare win-win in Silicon Valley.

  6. Citizen Lab’s Role: The inclusion of independent researchers was pivotal. Their forensic work identified victims and provided technical context that bolstered the lawsuit.

  7. The Pegasus Problem Persists: Despite this ruling, NSO is still operating, and similar tools exist in the shadows. The threat hasn’t vanished—it’s merely been challenged in court.

  8. Erosion of Trust in Encrypted Platforms: Attacks like this undermine user confidence in secure messaging platforms. It’s a reminder that end-to-end encryption alone isn’t enough without vigilant patching and threat monitoring.

  9. Possible Diplomatic Fallout: Israel’s export of offensive cyber tools like Pegasus has already caused international tension. This verdict could pressure governments to reconsider regulatory oversight of cyber arms exports.

  10. Investor Concerns for Surveillance Tech Startups: Legal precedent may spook investors away from spyware firms, drying up funding for similar operations.

  11. Victim Notification is Still Inadequate: Many targeted individuals never knew they were hacked. This lack of transparency highlights the need for better global protocols for digital threat disclosure.

  12. Technical Forensics Are Essential: The digital trails left by Pegasus were vital to proving NSO’s actions. It underscores the growing importance of digital forensics in law and policy enforcement.

  13. Sovereign Immunity Argument Fails: NSO’s failed claim that it was protected due to its work with governments sets a precedent: private contractors can be held accountable for illegal activities.

  14. Surveillance Tech Needs Regulation: Pegasus-type spyware exists in a legal gray zone. Countries must act quickly to regulate the global spyware market.

  15. Meta’s Legal Strategy May Be Copied: Other companies targeted by spyware might now follow Meta’s path, creating legal headaches for spyware vendors globally.

16. Cybersecurity is Now Legal Terrain

References:

Reported By: www.darkreading.com