NSO Group Lost in Court. The Fight Over WhatsApp Isn't Over.

The 2019 Attack, Explained

In 2019, NSO Group did something that set it apart from the typical commercial spyware playbook. Pegasus didn't require a target to click a link, open an attachment, or do anything at all. The exploit worked by sending a specially crafted call through WhatsApp's infrastructure. The target's phone didn't even need to ring. The call was enough to silently install Pegasus, and the call log could be wiped to erase evidence it ever happened.

That category of attack is called a zero-click exploit, and it's what made the 2019 campaign so significant. Roughly 1,400 WhatsApp users were targeted in a two-week window in May 2019. The targets included journalists, human rights lawyers, and political dissidents across multiple countries. WhatsApp identified the attack, patched the vulnerability, and notified users it believed had been compromised — and then filed suit against NSO Group in U.S. federal court.

The legal argument WhatsApp made was direct: NSO didn't just build a tool and hand it to governments. NSO's own systems sent the malicious traffic through WhatsApp's servers, making NSO the active party in the intrusion, not a passive vendor. That distinction became the foundation of the entire case.

What the Courts Decided

The courts took five years to finish what WhatsApp started. And when the rulings came, they came in stages.

In December 2024, a U.S. District Court found NSO Group liable under the Computer Fraud and Abuse Act and related laws for the 2019 attacks. The liability ruling validated the core argument WhatsApp had made from the beginning: NSO was the active party, not a passive tool supplier. The court agreed.

Then, in May 2025, a jury awarded WhatsApp and Meta roughly $167 million in punitive damages on top of compensatory damages for the 2019 Pegasus attacks. By any measure, that number signaled that the jury wanted to make a statement.

The judge made a different statement five months later. On October 17-18, 2025, the court issued a permanent injunction barring NSO Group from targeting WhatsApp users or servers with Pegasus — and simultaneously reduced the punitive damages award to approximately $4 million. The gap between $167 million and $4 million is hard to miss. WhatsApp described the injunction as a ruling that "bans NSO from ever targeting WhatsApp and our global users again."

NSO Group filed an appeal in November 2025. So the damages figure may be settled, at least for now, but the legal fight is not.

Why the Injunction Is Not the End

NSO filed its appeal in November 2025, and as of June 2026, that appeal is still moving through the 9th Circuit. The permanent injunction is in effect, no new targeting attempts have been publicly documented, and the $4 million damages figure stands. On the surface, that looks like a resolved situation.

It is not.

In May 2026, the Knight Institute and others filed amicus briefs in the 9th Circuit in support of WhatsApp and Meta. Amicus filings at this stage matter because they signal that the legal community views the appeal as consequential — not a formality NSO is running out for procedural reasons, but a live dispute over questions that go beyond what happened to 1,400 users in 2019. The core issue on appeal is whether the underlying liability holding survives scrutiny. If NSO prevails, the December 2024 ruling gets unwound, and the framework WhatsApp built over five years of litigation goes with it.

The reduced damages figure is also worth noting separately. A jury said $167 million. A judge said $4 million. That reduction will almost certainly become part of the appellate argument about whether the courts applied the law correctly. Neither side got a clean result, which is exactly the kind of outcome that keeps cases in front of appeals courts longer than most observers expect.

Where the Case Stands Now

As of June 2026, the permanent injunction is in force, the appeal is live in the 9th Circuit, and the $4 million damages figure stands pending the outcome. That is the factual summary. What it does not capture is how much remains unresolved.

The 9th Circuit appeal is not a procedural afterthought. Amicus briefs filed in May 2026 — including one from the Knight Institute — treat it as a live legal dispute with implications well beyond the original 1,400 targeted users. Those briefs exist because the organizations filing them believe the appeal could undo the liability framework WhatsApp spent five years building in court. If NSO prevails, the December 2024 ruling comes apart. The precedent that treating NSO as the active party in an intrusion — not a passive vendor — disappears with it.

That question has weight outside the United States, too. Spyware accountability has no consistent legal framework across jurisdictions. A 9th Circuit ruling that holds NSO liable under U.S. law gives future plaintiffs a model. A ruling that overturns it gives commercial spyware vendors a stronger argument that operating through a government client insulates them from direct liability.

No public reporting documents new Pegasus attacks on WhatsApp users since the injunction. Whether that holds through the appeal, and what the 9th Circuit decides when it gets there, are the two questions this case still has to answer.