The NSO Group, an Israeli surveillance technology firm, is facing significant legal challenges after a U.S. court filing revealed damning admissions regarding the company’s involvement in hacking WhatsApp servers.
NSO’s Pegasus spyware, which has been the subject of intense scrutiny, was admitted by the company to have been used to hack the messaging platform and bypass security measures.
NSO Group continued exploiting WhatsApp servers to install its Pegasus spyware even after the messaging platform identified and blocked a previous exploit in May 2019, according to court filings.
The surveillance firm admitted to developing another installation vector, known as “Erised,” which used WhatsApp servers to deploy Pegasus spyware. This exploit reportedly remained active and available to NSO’s clients until WhatsApp implemented further security changes sometime after May 2020.
The case, which is being heard in the U.S. District Court for the Northern District of California, revolves around allegations that NSO Group violated multiple laws, including the U.S. Computer Fraud and Abuse Act (CFAA) and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA).
The plaintiffs, WhatsApp and its parent company Meta, have accused NSO of using its Pegasus spyware to infiltrate WhatsApp’s servers and send malicious code that compromised the privacy of users worldwide.
According to recently filed court documents, NSO admitted that its Pegasus software was responsible for the attacks detailed in the lawsuit. The spyware was used to send malicious messages through WhatsApp, exploiting vulnerabilities in the platform.
NSO also acknowledged that it created WhatsApp accounts for itself and its clients to carry out these attacks, circumventing security measures put in place by the messaging service.
“One of the key revelations in the filing is that NSO continued to use WhatsApp as an attack vector even after the lawsuit was filed in 2019.
Free Webinar on How Security Leaders can Optimize Their Security Tech Stack in 2025 - Attend in LinkedIn
NSO Argument and Count Denial
The admissions have strengthened the plaintiffs’ case, with WhatsApp seeking a partial summary judgment to establish NSO’s liability. NSO’s defense has focused on challenging personal jurisdiction and attempting to invoke various defenses under the CFAA and CDAFA. However, the plaintiffs have argued that these defenses lack merit, pointing to extensive evidence gathered during the discovery process.
“Key to WhatsApp’s argument is the claim that NSO knowingly targeted servers in the United States, including in California, by hardcoding domain names into its spyware’s source code. The plaintiffs also allege that NSO leased a California-based server through an intermediary, which was used in over 700 instances during the May 2019 attacks.”
NSO has attempted to challenge the court’s jurisdiction, arguing that it should not be held accountable in California for actions that took place outside the U.S. However, the court has rejected these arguments, finding sufficient evidence that NSO purposely directed its activities toward California.
The court noted that NSO had agreed to WhatsApp’s updated Terms of Service in 2020, which included a forum selection clause specifying that any disputes would be resolved in the Northern District of California.
WhatsApp Argument
Additionally, WhatsApp’s argument that NSO used U.S.-based servers, including some in California, for the attacks has further undermined NSO’s jurisdictional defense. The court has previously ruled that it does not matter whether NSO explicitly targeted servers based on their location, only that they intentionally accessed and used those servers without authorization.
Another factor that has bolstered WhatsApp’s case is NSO’s business ties to California. The court documents reveal that NSO partnered with a California-based private equity firm to secure millions of dollars in funding for the development of its Pegasus spyware.
This partnership, according to WhatsApp, helped NSO create a market for its technology in California, further establishing the company’s connection to the state.
As the legal battle continues, the stakes are high for NSO Group. The company has already faced a wave of international criticism over the use of Pegasus by governments to spy on journalists, activists, and political opponents. A ruling in favor of WhatsApp could result in significant financial penalties and further damage to NSO’s reputation.
Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox