Meta's $167M Win Over NSO Group Marks Turning Point in Spyware Accountability

In a landmark ruling that could reshape the global spyware industry, a U.S. federal jury has ordered Israeli surveillance vendor NSO Group to pay $167.25 million in damages to Meta for hacking into WhatsApp. The case centers on the company’s controversial Pegasus software, a powerful surveillance tool that exploited a WhatsApp vulnerability to silently infiltrate the phones of 1,400 users — including journalists, human rights defenders, and diplomats.

The verdict, handed down in California on Tuesday, comes nearly five years after Meta filed suit following an investigation by Citizen Lab that exposed Pegasus’ zero-click exploit. The spyware could activate microphones, access messages, track locations, and turn phones into surveillance devices — all without users needing to answer a call.

“This is an important step forward for privacy and security,” Meta said in a statement following the jury’s decision. “The verdict is a critical deterrent to this malicious industry.”

Meta was awarded $444,719 in compensatory damages in addition to the $167 million in punitive damages — a significant financial blow to a company already under mounting international pressure. NSO Group is also facing a parallel legal battle with Apple, which sued in 2021 over similar Pegasus-related intrusions on iPhone users.

NSO Group spokesperson Gil Lainer responded cautiously, saying the company would “carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal.”

But for many in the cybersecurity world, the message is already clear: spyware vendors can no longer expect impunity when their tools are turned on civil society.

“I see this landmark ruling as a defining moment for cybersecurity accountability,” said Carolyn Crandall, Chief Marketing Officer at AirMDR. “By holding a spyware vendor liable for how its tools were used, the court has drawn a clear line between those who knowingly enable illicit hacking and those who build dual-use defensive solutions in good faith.”

Crandall warned that this decision could ripple through the broader cybersecurity landscape, where tools originally developed for legitimate purposes — such as Mimikatz, created for red team penetration testing — are often repurposed by threat actors. “Transparency and intent will become defining factors,” she added. “The days of plausible deniability are fading.”

Meta, for its part, is already seeking a permanent injunction to bar NSO Group from using its platforms, and has published unofficial transcripts of deposition videos used in the trial. The company also plans to donate to digital rights organizations that combat spyware and protect vulnerable users.

The case sets a precedent not only for technology companies but also for the legal system, which is beginning to treat spyware not just as a tool but as a product with legal consequences for its misuse. As offensive cybersecurity capabilities increasingly fall into the hands of private companies, this decision may signal the start of a new era of accountability — one where even the most shadowy players face a courtroom reckoning.