Jury orders NSO to pay $167M for hacking WhatsApp users
112 comments
· May 7, 2025
IG_Semmelweiss
cedws
Given that the NSO Group is supported by the Israeli government and their weapons have been used against US civilians, and US-aligned individuals, you would think there would be much heftier consequences.
rafale
They knowingly attacked and destroyed USS Liberty in 1967 and didn't face any consequences.
Sometimes I wonder what's so special about Israel that they keep getting away with everything.
gruez
>They knowingly attacked and destroyed USS Liberty in 1967
Both sides agree it was an accident.
>Israel apologized for the attack, saying that USS Liberty had been attacked in error after being mistaken for an Egyptian ship.[5] Both the Israeli and United States governments conducted inquiries and issued reports that concluded the attack was a mistake due to Israeli confusion about the ship's identity.[6]
jona-f
US's legitimization of its leading role in the world is based on the story of how they saved the world from the Nazis. This story escalated ideologically, so now any critique of Israel is indirectly questioning the USA as the world leader.
logicchains
What's so special? A good chunk of the US population believes the Israelis were literally chosen by God over 2000 years ago to occupy that piece of land, and they're obligated to do whatever they can to help them.
markus_zhang
The neo crusader kingdom?
tuyguntn
I also wonder about this. My personal conclusion is that Israelis work very hard to create dirt on politicians over the years, and politicians are just afraid of losing everything in one day vs joining the club of other blackmailed, powerful politicians. Cases: Epstein, Monica Lewinsky, AIPAC, and probably many more.
jimnotgym
Shouldn't we be seeing criminal sanctions? If I sold app exploits I would be in jail
voxic11
Selling exploits is generally legal. What law would be used to put you in jail? Using exploits can fall under the Computer Fraud and Abuse Act's criminally prohibited conduct but afaik there is no similar law that covers distributing/selling exploits. In fact selling exploits to companies via their bug bounty programs is quite common.
All that said NSO didn't just distribute/sell the exploits (that would be giving away their secret sauce). Instead they offered what was essentially a managed service for executing the exploits against user selected targets.
4oo4
Wouldn't hosting a service to facilitate others' use of the exploits fall under CFAA? Since there have been numerous arrests for those hosting Ransomware-as-a-service, DDOS-as-a-service, etc. Just curious whether there is a legal nuance that prevents them from being criminally charged instead of just politics/diplomacy.
saagarjha
Depends on who you sell them to
razakel
You're not a three-letter agency, though.
jimnotgym
NSO is not a three-letter agency, it is a private company
rabid_turtle
NSO is very cozy with Israeli intelligence. It being private gives it the legal ability to do things that a government agency could not.
razakel
One of the founders is ex-Mossad.
walterbell
Meta published deposition transcripts, http://nitter.poast.org/jsrailton/status/1919880291667292460
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-N...
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-N...
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-N...
https://about.fb.com/wp-content/uploads/2025/05/WhatsApp-v-N...
firefax
Below are the Internet Archive copies, since Facebook doesn't have the greatest track record on stable URLs.
(I reregistered recently and was banned for being "inauthentic" -- the URL they linked to which was supposed to detail what part of the policy I broke was broken.)
https://web.archive.org/web/20250506235016/https://about.fb....
https://web.archive.org/web/20250506235104/https://about.fb....
https://web.archive.org/web/20250506235302/https://about.fb....
https://web.archive.org/web/20250506235441/https://about.fb....
OsrsNeedsf2P
Not sure how I feel about this - on one hand the NSO Group happily sold this exploit to absolutely horrible clients[0], but on the other, app security shouldn't depend on legal enforcement.
[0] https://www.theguardian.com/news/2021/jul/18/revealed-murder...
JumpCrisscross
> app security shouldn't depend on legal enforcement
Why not? There are significant negative externalities to not enforcing cybercrime laws.
lazide
I think they meant solely depend on legal enforcement.
For the same reason banks should have a decent vault for cash they aren’t using at this exact moment, since they shouldn’t just depend solely on any robbers getting caught.
bloppe
It's not like hacking WhatsApp was that easy. If it were, NSO wouldn't be able to sell its exploits for so much.
walterbell
> app security shouldn't depend on legal enforcement
EU Cyber Resilience Act (CRA) will soon impose legal security requirements on a wide class of software binaries sold in the EU.
vkou
Just because locks can be defeated by five seconds and a lockpick gun doesn't mean that the housebreaker, his fence, or his getaway driver is absolved of their responsibility.
TZubiri
Of course law plays a huge part in computer security.
knorker
As is constantly being made abundantly clear from blockchain stuff, code cannot make legal systems obsolete.
No crime in the world can be made physically impossible. Why would hacking be any different?
bn-l
It’s amazing how much justice you can get when you are a billion dollar company
> The jury also awarded WhatsApp $444 million in compensatory damages.
Alex_001
This feels like one of the rare moments where there's actual financial accountability for spyware abuse — but is $167M even close to meaningful for a company like NSO, backed by deep-pocketed clients?
Glyptodon
I wonder about the other end of liability - if the app was so broken that merely calling a phone with it could lead to a hack, it seems like users might reasonably also blame its authors.
aitchnyu
I've been thinking about requiring iMessage and other codebases in memory unsafe languages to be built by WASM compiler with the objective of being memory safe and minimal performance loss.
Meekro
Unfortunately, the smartest programmers in the world (people like Linus Torvalds) sometimes screw up and create security issues. If Linus can't get it 100% right, what hope is there for the rest of us?
nashashmi
Israel defense green lights the sale and use of Pegasus software. https://www.nytimes.com/2022/01/28/magazine/nso-group-israel...
ebfe1
Ok... where is the form so, as an ex-WhatsApp user, I can get a piece of that 167M pie? Oh... there isn't one... :)
b8
They're based in Israel, so it's unlikely they'll pay. It's interesting that Zerodium has slowly stopped their gears (at least publicly) even though the USG was buying their exploits to target HVTs. It's like when the DOJ posts an arrest warrant for a Russian or a Chinese military official, it's mainly for show.
notepad0x90
I'm on NSO's side here. It's quite hypocritical of everyone involved to be against NSO but not gun makers. I don't even want to touch civilians' abuse of guns, just governments buying guns from weapons manufacturers and using them in properly sanctioned wars. People are acting like exploits are more dangerous than bullets or restricted like nuclear, biological and chemical weapons; they are not!
The demand is there and the suppliers exist. Without companies like NSO, the price of exploits goes up and it becomes more lucrative for malicious actors to sell them to even more nefarious actors. The exploit brokers become more anonymous. And when they sell to the really bad actors, it will require deanonymizing marketplaces on Tor instead of having lawsuits like this.
It is much better for everyone involved to tolerate companies like NSO and regulate them.
dqv
> It is much better for everyone involved to tolerate companies like NSO and regulate them.
That's what this is. That's what a lawsuit is. This is them being regulated. They aren't being ordered to shut down, they're being ordered to pay damages.
notepad0x90
No, there is no regulation or law for what they do. This is a civil suit between two companies, it is not a regulation. Had they actually violated the law, it would have been a criminal prosecution. Civil damages are not government regulation. If you can simply be anonymous, you won't even break the law as you sell to any party.
dqv
> no, there is no regulation or law for what they do
Yes, there is: the CFAA. Corporations and the government have even weaponized criminal complaints against individuals under the law.
> This is a civil suit between two companies, it is not a regulation
The venue in which regulation is enforced does not change its status as a regulation. The distinction between criminal and civil is irrelevant here. (Notwithstanding the possibility of a corrupt judge) Meta would not have been able to continue their suit had there not been a regulation.
> had they actually violated the law, it would have been a criminal prosecution
No, had a prosecutor wanted to pursue an indictment, it would have been a criminal prosecution. A prosecutor's willingness to enforce a law and bring trial is at their discretion. In the same way that charges don't necessarily indicate criminality, a lack thereof doesn't necessarily indicate the absence of wrongdoing.
> civil damages are not government regulation.
Civil laws are regulation. The judge is the regulating authority who enforces the penalty for being out of compliance with those laws, which comes in the form of ordering money damages in this situation.
> if you can simply be anonymous, you won't even break the law as you sell to any party
Yes, and maybe the fact that they're anonymous brings it to the level of criminality in a prosecutor's eyes. That desire to conceal their identity could turn the preponderance of the evidence (civil) into beyond a reasonable doubt (criminal).
Or it could always stay in the civil system. The criminal system is political just like anything else. See above.
sureglymop
I think your last sentence is key. The NSO, as far as I'm aware, targets people on an individual level.
It's not hard to phish and hack a single individual as a large organization. It's just a matter of resources and slipping up eventually. With that being said, the exploits they find are interesting and I wish they would publish them in a white hat manner instead.
ktallett
It isn't an either or scenario, NSO can be in the wrong and rightfully fined and weapons can also be sold by governments to the wrong parties. The latter should be regulated as well, not the former being let off as well. Demand shouldn't always equal supply.
jeisc
Spying software should be illegal to sell under any circumstance. The people who need these programs should be writing them themselves, not buying them off the shelf.
bell-cot
The same argument could be made about conventional arms.
Unfortunately, 99% of nations prioritize having quick & easy access to weapons.
And for many nations, selling weapons is also a lucrative way to exert influence.
palata
> Unfortunately, 99% of nations prioritize having quick & easy access to weapons.
What?
bell-cot
Re-read user jeisc's comment.
There are 200 or so nations on our planet.
How many of those nations have governments which believe that their own army, air force, & navy should be unable to buy (say) guns, bombs, and torpedoes? Vs. having to hire engineers to design them, then build weapon factories, then build all of their own weapons.
My assertion is that zero-ish of those governments want such legal restrictions.
(And obviously, actual legal restrictions on the sale of spyware might be similarly unpopular with the people who actually write our world's laws.)
FirmwareBurner
Your police and military where you live don't have easy access to weapons?
Not sure if this is too little, too late. The Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus employed almost 500 people as of 2017 [1]. However, the US govt included NSO Group in its Entity List for acting against U.S. national security and foreign policy interests, effectively banning U.S. companies from supplying NSO [1].
This makes me think that NSO is effectively frozen out of the US banking network, and therefore the WhatsApp judgement is ineffective to go after US assets in US jurisdictions. So, no disgorgement outside of what banks may have frozen before this lawsuit (if anything) as a result of the Entity List addition.
[1] https://en.wikipedia.org/wiki/NSO_Group