Spyware maker NSO Group barred from targeting WhatsApp and ordered to pay reduced damages

18 October 2025

A U.S. federal court has delivered a decisive blow to Israeli spyware firm NSO Group, issuing a permanent injunction barring it from targeting WhatsApp with its surveillance tools and drastically cutting the damages it must pay to WhatsApp’s parent company.

The ruling, issued by U.S. District Judge Phyllis Hamilton, follows years of litigation between WhatsApp, owned by Meta Platforms, and NSO Group, whose flagship spyware product Pegasus has been at the center of global human-rights and cyber-surveillance controversy. The June 2019 lawsuit alleged that NSO misused WhatsApp’s infrastructure and vulnerabilities to deploy Pegasus and monitor activists, journalists, government officials and civil society figures.

Judge Hamilton’s 25-page opinion found that NSO’s conduct caused “irreparable harm” to WhatsApp and its users by exploiting software weaknesses and repeatedly designing work-arounds to evade detection and security patches. The court therefore granted WhatsApp’s request for a sweeping injunction banning NSO from ever targeting WhatsApp users again. WhatsApp chief Will Cathcart called the ruling a “major victory for privacy and civil society.”

At the same time, the court significantly reduced the punitive damages NSO must pay. Earlier this year, a jury had awarded Meta around $167 million in damages, including punitive and compensatory awards. However Judge Hamilton ruled that the jury-calculated award was excessive under legal standards and capped the punitive ratio at 9-1, bringing the total damages to just $4 million.

NSO Group immediately criticised the injunction, warning that being prevented from targeting WhatsApp could jeopardise its entire business model one reliant on providing surveillance tools to governments and intelligence agencies. The order thus presents an existential threat to the company.

From a broader perspective this ruling marks a milestone in digital-civil-rights law and corporate accountability. Private spyware firms have long operated in a legal grey area, often producing powerful tools for law-enforcement clients but also facilitating misuse around the world. By granting the injunction and cutting the damages award, the court has signalled that surveillance software companies may be held to account when their products are used to violate privacy and human-rights norms.

Industry analysts point out that the decision will ripple through the cybersecurity sector. Software vendors that assist government espionage efforts will face increased scrutiny from platforms and regulators alike. For Meta the ruling affirms that users’ rights to privacy and encrypted communication constitute more than a service promise they may become enforceable protections.

Still, the reduced damages also reflect the court’s discomfort with ultra-large punishments in new technology cases. Judge Hamilton found that the legal precedent for spyware-based harm remains thin and therefore the punitive award must be constrained. This suggests that while platform owners may secure injunctions in future, large monetary awards may demand more detailed frameworks.

In the wake of the decision NSO’s global standing is in flux. Its reputation for enabling covert operations has already drawn sanctions such as being placed on the U.S. Commerce Department’s restricted list. With the injunction now in place, the company may pivot its products or client base, or face serious commercial decline.

For Meta and other digital platforms the message is clear: when core products are compromised by third-party tools, the platforms may pursue not only retrospective damages but ongoing prohibitions on misuse. That could shape future negotiations between tech firms and government-spyware vendors.

While the case is specific to WhatsApp, the legal principle may extend to other services. Meta asked for similar injunctions against Facebook, Instagram and Threads, but Judge Hamilton declined to extend the order without further evidence indicating similar harms on those platforms.

Ultimately the ruling illustrates the delicate balance between cybersecurity, national-security tools and civil-society safeguards. As governments increasingly rely on sophisticated surveillance tools and private firms build them, courts may become frontline venues for determining how far such tools go before crossing the line into unacceptable privacy violations.