On Tuesday, WhatsApp scored a major victory against NSO Group when a jury ordered the infamous spyware maker to pay more than $167 million in damages to the Meta-owned company.
The ruling concluded a legal battle spanning more than five years, which started in October 2019 when WhatsApp accused NSO Group of hacking more than 1,400 of its users by taking advantage of a vulnerability in the chat app’s audio-calling functionality.
The verdict came after a week-long jury trial that featured several testimonies, including NSO Group’s CEO Yaron Shohat and WhatsApp employees who responded and investigated the incident.
Even before the trial began, the case had unearthed several revelations, including that NSO Group had cut off 10 of its government customers for abusing its Pegasus spyware, the locations of 1,223 of the victims of the spyware campaign, and the names of three of the spyware maker’s customers: Mexico, Saudi Arabia, and Uzbekistan.
TechCrunch read the transcripts of the trial’s hearings and is highlighting the most interesting facts and revelations that came out. We will update this post as we learn more from the cache of more than 1,000 pages.
Testimony described how the WhatsApp attack worked
The zero-click attack, which means the spyware required no interaction from the target, “worked by placing a fake WhatsApp phone call to the target,” as WhatsApp’s lawyer Antonio Perez said during the trial. The lawyer explained that NSO Group had built what it called the “WhatsApp Installation Server,” a special machine designed to send malicious messages across WhatsApp’s infrastructure mimicking real messages.
“Once received, those messages would trigger the user’s phone to reach out to a third server and download the Pegasus spyware. The only thing they needed to make this happen was the phone number,” said Perez.
NSO Group’s research and development vice president Tamir Gazneli testified that “any zero-click solution whatsoever is a significant milestone for Pegasus.”
NSO Group confirms it targeted an American phone number as a test for the FBI
For years, NSO Group has claimed that its spyware cannot be used against American phone numbers, meaning any cell number that starts with the +1 country code.
In 2022, The New York Times first reported that the company did “attack” a U.S. phone but it was part of a test for the FBI.
NSO Group’s lawyer Joe Akrotirianakis confirmed this, saying the “single exception” to Pegasus not being able to target +1 numbers “was a specially configured version of Pegasus to be used in demonstration to potential U.S. government customers.”
The FBI reportedly chose not to deploy Pegasus following its test.
How NSO Group’s government customers use Pegasus
NSO’s CEO Shohat explained that Pegasus’ user interface for its government customers does not provide an option to choose which hacking method or technique to use against the targets they are interested in, “because customers don’t care which vector they use, as long as they get the intelligence they need.”
In other words, it’s the Pegasus system in the backend that picks out which hacking technology, known as an exploit, to use each time the spyware targets an individual.
In a funny coincidence, NSO Group’s headquarters in Herzliya, a suburb of Tel Aviv in Israel, is in the same building as Apple, whose iPhone customers are also frequently targeted by NSO’s Pegasus spyware. Shohat said NSO occupies the top five floors and Apple occupies the remainder of the 14-floor building.
“We share the same elevator when we go up,” Shohat said during testimony.
The fact that NSO Group’s headquarters are openly advertised is somewhat interesting on its own. Among other companies that develop spyware or zero-days, the Barcelona-based Variston, which shuttered in February, was located in a co-working space while claiming on its official website to be located somewhere else.
NSO Group admitted that it kept targeting WhatsApp users after the lawsuit was filed
Following the spyware attack, WhatsApp filed its lawsuit against NSO Group in November 2019. Despite the active legal challenge, the spyware maker kept targeting the chat app’s users, according to NSO Group’s research and development vice president Tamir Gazneli.
Gazneli said that “Erised,” the codename for one of the versions of the WhatsApp zero-click vector, was in use from late-2019 up to May 2020. The other versions were called “Eden” and “Heaven,” and the three were collectively known as “Hummingbird.”
NSO says it employs hundreds of people
NSO Group’s CEO Yaron Shohat disclosed a small but notable detail: NSO Group and its parent company, Q Cyber, have a combined number of employees totalling between 350 and 380. Around 50 of these employees work for Q Cyber.
NSO Group describes dire finances
During the trial, Shohat answered questions about the company’s finances, some of which were disclosed in depositions ahead of the trial. These details were brought up in connection with how much in damages the spyware maker should pay to WhatsApp.
According to Shohat and documents provided by NSO Group, the spyware maker lost $9 million in 2023 and $12 million in 2024. The company also revealed it had $8.8 million in its bank account as of 2023, and $5.1 million in the bank as of 2024. Nowadays, the company burns through around $10 million each month, mostly to cover the salaries of its employees.
Also, it was revealed that Q Cyber had around $3.2 million in the bank both in 2023 and 2024.
During the trial, NSO revealed its research and development unit — responsible for finding vulnerabilities in software and figuring out how to exploit them — spent some $52 million in expenses during 2023, and $59 million in 2024. Shohat also said that NSO Group’s customers pay “somewhere in the range” between $3 million and “ten times that” for access to its Pegasus spyware.
Factoring in these numbers, the spyware maker was hoping to get away with paying little or no damages.
“To be honest, I don’t think we’re able to pay anything. We are struggling to keep our head above water,” Shohat said during his testimony. “We’re committing to my [chief financial officer] just to prioritize expenses and to make sure that we have enough money to meet our commitments, and obviously on a weekly basis.”
First published on May 10, 2025 and updated with further details.