USA: Meta pursues compensation after District Court finds NSO Group Liable for WhatsApp spyware attack
"Meta seeks damages from Israeli spyware company over WhatsApp hacks", 7 May 2025
A jury heard opening arguments... in a trial over computer fraud claims brought by WhatsApp and its parent company Meta against NSO Group Technologies, a notorious hacker-for-hire firm.
The claims relate to a 2019 security breach in which the cyber-intelligence company remotely installed surveillance software on the phones of over 1,400 WhatsApp users, including activists, journalists and diplomats.
Since U.S. District Judge Phyllis J. Hamilton already ruled in December that the company was liable for the hacks, Meta began Tuesday by reminding jurors that they aren't there to determine whether NSO and its parent company QCyber are innocent or not.
“We’re not asking you to determine whether NSO and QCyber broke the law. They did. What we’re asking you to determine is how much NSO should pay in damages for these violations and breaches of contract,” Antonio Perez of Davis Polk, who is representing Meta, told the jury.
The trial will determine how much the Israel-based firm now owes Meta for violating state and federal laws, including the U.S. Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, and for breaching WhatsApp’s terms of service.
Meta is asking the jury for over $440,000 in compensatory damages to remedy the costs of investigating malicious code on its servers as well as unspecified punitive damages to be awarded by the jury.
...
Meta is suing over an incident on May 2, 2019, when NSO used WhatsApp’s servers as a method for transferring executable files to users’ phones, which it then used to spy on them.
In the courtroom, Meta portrayed the company as a grave threat to WhatsApp’s stated missions of privacy and security.
“That’s what they were using WhatsApp servers to do — to get that program onto users’ phones and turn them into powerful spying devices,” Perez said.
Meta also claimed it was owed compensation for the long hours of work by its employees required to subvert NSO’s attacks for the 12 days it took to release a new patch and lock NSO out of its servers.
Meanwhile, NSO argued Meta was inflating its damages.
...
NSO claimed that the employees who responded to its unauthorized server use were salaried, making extra damages for overtime pay unwarranted.
The Israeli company further argued it was entitled to pay the minimum amount in damages, because WhatsApp didn’t actually suffer any harm. NSO said the program didn’t slow down WhatsApp’s servers or delete any code, and it was only on the servers for a fraction of a second.
...
NSO also claimed that Meta pushed out a patch for Pegasus within 48 hours of the initial incident, but let the malware remain on their servers for another week so they could study it and try to “steal NSO’s trade secrets.”
During opening statements, NSO showed the jury an internal communication between two software engineers at WhatsApp saying they were lucky nobody realized they were trying to “fetch the payload,” apparently referring to the Pegasus program.
...
“Facebook is going to try to scare you into thinking it was used by scammers but will show you no evidence that is the case,” Akrotirianakis said.
Finally, NSO accused Meta of an ulterior motive for coming after them for such a small amount: a major PR victory that would let Meta own the narrative if it wins this case.
“You know a company like Facebook, worth over a trillion, is not after the money,” Akrotirianakis said.
...
Meta used these witnesses to provide the jury with details of the attacks, which they said were initially discovered by an intern. It also gave Meta a chance to refute why it supposedly studied the Pegasus virus when it was on its servers.
“If you remediate immediately, you lose your opportunity to understand how the attack works,” Gheorghe said.
Attorneys were largely civil while the jury was present. However, accusations flew across the courtroom during each break as Meta accused NSO of violating court orders by addressing topics previously restricted by the court or using language like “accused,” which implies its liability hadn’t been decided yet.
“It’s just not fair that he is able to trample over the court’s orders with no consequences,” Attorney Greg Andres of Davis Polk, representing Meta, complained to the Bill Clinton-appointed judge.
NSO has previously faced sanctions for refusing to comply with court orders.
WhatsApp — an encrypted communication app owned by Facebook's parent company Meta Platforms which boasts over 2 billion users worldwide — originally brought the case in 2019 after Pegasus compromised the privacy of 1,400 WhatsApp users by covertly transferring the program to phones through the company’s servers.
Originally designed as a tool for government law enforcement and intelligence agencies, Pegasus is NSO’s flagship product and is licensed to governments around the world.
In order to embed the spyware into someone’s phone, Pegasus clients send a text message that then invades devices through malicious code lurking in these messages sent via WhatsApp, Telegram or other messaging services.
Pegasus can also infect users through missed phone calls and “zero-click” attacks, which do not require any action from the phone’s owner to succeed.
Once implanted, Pegasus can control a phone’s microphones and cameras while extracting the personal and location data of its owner — for example, by scraping browser history and contacts, grabbing screenshots, and infiltrating communications.
The company landed on the U.S. Commerce Department’s entity list in 2021 for activities counter to national security interests.
This case was filed in the Northern District of California and heard at the Ron V. Dellums Federal Courthouse in Oakland, California. A verdict is expected by May 5, 2025.