"Court document reveals locations of WhatsApp victims targeted by NSO spyware", 9 April 2025

NSO Group’s notorious spyware Pegasus was used to target 1,223 WhatsApp users in 51 different countries during a 2019 hacking campaign, according to a new court document. 

The document was published... as part of the lawsuit that Meta-owned WhatsApp filed against NSO Group in 2019, accusing the surveillance tech maker of exploiting a vulnerability in the chat app to target hundreds of users, including more than 100 human rights activists, journalists, and “other members of civil society.”

At the time, WhatsApp said around 1,400 users had been targeted. Now, an exhibit published in the court document shows exactly in what countries 1,223 specific victims were located when they were targeted with NSO Group’s Pegasus spyware. 

The country breakdown is a rare insight into which NSO Group customers may be more active, and where their victims and targets are located. 

The countries with the most victims of this campaign are Mexico, with 456 individuals; India, with 100; Bahrain with 82; Morocco, with 69; Pakistan, with 58; Indonesia, with 54; and Israel, with 51, according to a chart titled “Victim Country Count,” that WhatsApp submitted as part of the case.

There are also victims in Western countries like Spain (12 victims), the Netherlands (11), Hungary (8), France (7), United Kingdom (2), and one victim in the United States. 

The court document with the list of victims by country was first reported by Israeli news site CTech. 

“Numerous news articles have been written over the years documenting use of Pegasus to target victims around the world,” said Runa Sandvik, a cybersecurity expert who’s been tracking victims of government spyware for years.

“What’s often missing from these articles is the true scale of the targeting — the number of victims who were not notified; who did not get their devices checked; who opted not to share their story publicly. The list we see here — with 456 cases in Mexico alone, a country with documented, well-known civil society victims — speaks volumes about the true scale of the spyware problem,” Sandvik told TechCrunch.

Another piece of data that shows the scale of the government spyware problem is that the hacking campaign targeting WhatsApp users occurred over a period of only two months, “between in and around April 2019 and May 2019,” as WhatsApp wrote in its original complaint.

In other words, in just two months, NSO Group’s government customers targeted more than a thousand WhatsApp users.

It’s important to note that it is not clear if the fact that there is a victim located in a certain country means that specific country’s government was the customer using NSO Group’s spyware against those victims. It’s possible that a government customer could be using Pegasus to target someone outside of the country. 

As CTech noted, Syria appears on the victim list, but NSO Group cannot export its technology to Syria, a country that’s sanctioned by countries all over the world. 

...

Apart from this list of victims, the court case brought by WhatsApp has led to other revelations, including the fact that NSO Group disconnected 10 government customers after reports that they abused the spyware, and that the WhatsApp hacking tool produced by NSO Group cost up to $6.8 million for a one-year license, which in total netted the company “at least $31 million in revenue in 2019.”

WhatsApp spokesperson Zade Alsawah declined to comment. NSO Group did not respond to a request for comment.