© All rights reserved to Barnea Jaffa Lande Law offices


NSO Ordered to Pay $168M to WhatsApp: Implications for Israeli Companies

Summary

  • Background: A Landmark Ruling and Expanded Jurisdiction – In early May 2025, a U.S. federal court ruled that NSO must pay WhatsApp $168 million in damages for intrusions carried out using the Pegasus software. The ruling raises fundamental questions regarding the extraterritorial application of U.S. jurisdiction to foreign companies, including Israeli entities, as well as the regulation of defense-related technology exports.
  • Proceedings and Decision: Discovery Failures and Liability – The claim was based on allegations that the intrusions were executed through WhatsApp servers located in the United States. The court accepted the plaintiff’s position, inter alia, due to NSO’s failure to comply with its discovery obligations, and imposed evidentiary sanctions that led to the acceptance of key allegations. As a result, U.S. jurisdiction was established and liability determined, leaving only the issue of damages to be decided by a jury.
  • The Judgment: Exceptional Punitive Damages – The jury found that WhatsApp’s direct damages were relatively limited, yet awarded substantial punitive damages exceeding $167 million. The significant disparity between the actual harm and the damages awarded reflects the weight attributed to broader considerations, particularly allegations concerning the use of the software in human rights violations.
  • Implications: Increased Legal and Regulatory Exposure – The ruling underscores the growing exposure of Israeli cyber companies to civil litigation in the United States, even where their primary operations are conducted abroad. It raises important questions regarding export control oversight and the ability of such companies to defend against similar claims. Accordingly, activities in this sector require careful legal assessment and proactive preparedness for significant regulatory and litigation risks.
  • Recent Update: In October 2025, the court reduced the punitive damages imposed on NSO from USD 168 million to USD 4 million and issued an injunction prohibiting NSO from hacking into mobile devices via WhatsApp, collecting data from its users, creating simulations of the app, opening new WhatsApp accounts for research or attack purposes, and reverse engineering its source code. The injunction applies only to WhatsApp. In addition, it does not apply to foreign governments that are clients of NSO.

Recent Update (April 2026): 

 

In October 2025, the court reduced the punitive damages imposed on NSO from USD 168 million to USD 4 million. Alongside the damages, the court issued an injunction prohibiting NSO from hacking into mobile devices via WhatsApp, collecting data from its users, creating simulations of the app, opening new WhatsApp accounts for research or attack purposes, and reverse engineering its source code. The injunction applies only to WhatsApp and not to other Meta platforms, such as Facebook and Instagram. In addition, the injunction does not apply to foreign governments that are clients of NSO, as they are not parties to the proceedings and US law does not apply to them.

 

The injunction is significant in that it delineates the boundaries of liability for companies developing offensive cyber technologies with respect to the rights of users on various digital platforms and strengthens the legal protection of privacy interests in the international arena.

 

___________________________________________________________________________

 


 

In early May, a federal court in the Northern District of California ordered the Israeli company NSO Group to pay USD 168 million to WhatsApp (owned by Meta). This precedent-setting ruling raises fundamental questions about American jurisdiction over foreign companies and about the regulation of defense tech exports.

 

Background: NSO and US Jurisdiction

 

NSO Group Technologies is an Israeli cyber-intelligence firm that gained global notoriety for its proprietary Pegasus software for remote surveillance of smartphone users, including through WhatsApp. NSO claims its clients are predominantly government law enforcement agencies combatting major crime, while human rights activists allege dictatorial regimes use the software to spy on dissidents. Against this backdrop, the US Department of Commerce added NSO to its restricted Entity List in 2021.

 

The lawsuit was filed after a string of US court rulings over the past six years dismissed claims the plaintiffs’ phones were hacked, on the grounds of a lack of personal jurisdiction and forum non conveniens. This was because the plaintiffs were not American citizens and the alleged hacks did not take place on American soil.

 

However, the American judicial system is sending a clear message with this ruling: entities operating outside of the United States will be held liable if they harm American companies using technological means.

 

The Allegations

 

About six years ago, WhatsApp filed a lawsuit against NSO alleging that Pegasus was used to hack into 1,400 cellphones through WhatsApp’s servers in California. WhatsApp accused NSO of violating federal and California anti-hacking laws and of breaching WhatsApp’s terms of service by deploying Pegasus on WhatsApp’s servers.

 

NSO presented a series of defense arguments. Inter alia, it argued the federal court had no jurisdiction since, pursuant to relevant legislation, to acquire jurisdiction, the court would have to be convinced that NSO purposefully and deliberately accessed servers located in California and obtained information from them. NSO claimed that, although its Pegasus spyware moved through WhatsApp’s servers, no information was taken from the servers and only Pegasus’ clients, and not NSO, hacked and collected information from the targeted end-users’ devices. NSO further argued that WhatsApp suffered no actual damage.

 

Partial Ruling on the Question of Liability

 

On December 20, 2024, the federal court issued a summary judgment accepting WhatsApp’s position that NSO Group was liable under California jurisdiction. It only briefly discussed the liability issues raised by the plaintiff. The court’s ruling stemmed primarily from NSO’s failure to cooperate during discovery and its noncompliance with court orders, including to disclose Pegasus’ source code to the plaintiff. NSO argued that Israeli Ministry of Defense directives prohibit it from transferring the source code outside of Israel or to anyone who is not an Israeli citizen. Instead, NSO proposed that WhatsApp’s Israeli lawyers seek to obtain access to the source code, or that WhatsApp request permission from the Ministry of Defense to transfer the source code for the purposes of the hearing. The court rejected NSO’s arguments and proposals as impractical and ruled that it violated the discovery orders issued by the court.

 

As a result, the court imposed evidentiary sanctions on NSO. It thus accepted WhatsApp’s claims that it could have proven its allegations had it been able to examine Pegasus’ source code. Accordingly, the court also accepted WhatsApp’s claims that the court had jurisdiction because Pegasus used servers and information extracted from WhatsApp’s servers in California for the purpose of hacking into other devices.

 

The court ultimately issued a summary judgment regarding NSO’s liability and ruled that a jury trial was necessary only to determine the volume of damages.

 

The Jury Verdict: Exceptional Punitive Damages

 

The jury set the damages caused to WhatsApp as a result of the hack at less than USD 0.5 million but imposed punitive damages on NSO exceeding USD 167 million. The jury’s decision to impose punitive damages apparently derived mainly from testimony it heard regarding various regimes’ use of Pegasus as a key tool for committing human rights violations.

 

NSO is likely to appeal to the US Courts of Appeals.

 

Implications for Israeli Companies: Increased Legal and Regulatory Exposure

 

If not overturned on appeal, the fee imposed on NSO is extremely significant. More than 99% of the damages are punitive, while the actual damage caused to WhatsApp is relatively negligible. In other words, a US court has ruled that it has jurisdiction to adjudicate a lawsuit against an Israeli company even for merely indirect damages caused in the United States. Moreover, upon taking jurisdiction, the court then scrutinized NSO’s overall actions, and not only any specific damage caused in the United States.

 

Cyber surveillance was one of the most dynamic segments of the Israeli high-tech sector over the past decade. However, after several reported incidents of companies committing privacy protection and other statutory violations in various countries and helping governments suppress dissent, they were hit with sanctions and other punitive measures.

 

This ruling shows that Israeli cyber companies face increased exposure to civil lawsuits in the United States, which could result in payouts of enormous sums. Even when the client is a legitimate democratic country, the very use of the software for controversial purposes may expose a company to lawsuits and cause a chilling effect in its international operations.

 

Another issue that requires addressing is the activities of high-tech companies under Israeli Ministry of Defense supervision. The Defense Export Control Division supervises exports of defense products to foreign countries, and all such exports require a license. The ruling on the NSO case now raises questions about the Ministry of Defense’s ability to control software exports, and about Israeli companies’ ability to defend themselves against such lawsuits.

 

Since exports of products that other countries use for security purposes entail material legal issues, companies should obtain legal advice before engaging in international activities.

 

***

 

Prof. Amichai Cohen is a special counsel on international law at our firm.

Dr. Ran Karmi is an associate in the competition and antitrust department.

 

The firm’s international law practice advises clients on matters involving international trade, national security, Israeli constitutional law, international criminal law, and the application of international law within the Israeli legal system.

 


FAQs

Extraterritorial enforcement of an American judgment is not automatic and requires separate “recognition and enforcement” proceedings in each country where the company has assets. Concrete measures, such as account garnishments or asset seizures, may only be taken after a country recognizes the judgment. To apply multi-jurisdictional pressure, parallel enforcement proceedings may be opened concurrently in countries where the company operates.

 

The implications for the company are highly significant. Account garnishments and asset freezes are merely initial measures followed by a more severe impact—reputational damage that destabilizes the foundation of the company’s operations and may lead to difficulties working with banks and international institutions, business partners shying away from engagements, and even contract terminations or freezes by government customers.

 

Moreover, cross-border enforcement creates a cumulative effect: even if the company succeeds in delaying or reducing enforcement in one country, it may encounter barriers in other countries. International operations thus become more complicated and expensive, and depend not only on business considerations but also on a global legal risk assessment.

Companies must change not only procedures, but also their entire compliance approach. This means switching from “formal compliance,” with a list of requirements, to a broader approach that includes ongoing risk management. To this end, companies should take the following key measures:  

  • Enhanced due diligence on customers at the customer selection stage – This includes background, interests, and potential uses of the technology, with an emphasis on risk exposure. In addition, monitor employees to ensure compliance in practice.
  • An updated compliance program as a critical component – Don’t merely update procedures, but revamp compliance systems in collaboration with lawyers with expertise in cybersecurity, privacy protection, and international law. The program should include explicit details on permitted transactions, transactions requiring special approvals, and transactions that are absolutely prohibited. Ongoing training to employees and managers should also be provided.
  • Post-sale oversight of technological tools and monitoring of actual use – For example, technological mechanisms that limit use, periodic inspections, and enabling termination of service in exceptional instances.
  • Strengthening internal mechanisms – Independent compliance teams, ethics committees, and the implementation of decision-making processes that take human rights aspects rather than just profitability into account.
  • Transparency and accountability to the public – Companies must maintain high-quality documentation, strong corporate governance mechanisms, transparency with regulatory authorities, compliance with international standards of privacy and oversight, etc.

Although not necessarily a “binding precedent” in its formal sense, this is a judgment with far-reaching and global implications, in that it influences court rulings, regulatory authorities, and technology companies. Cybersecurity companies are not only responsible for developing a tool, but also for the uses made of it. Thus, this judgment expands the limits of liability from users to manufacturers.

 

In the context of privacy protection and cybersecurity, the judgment expands liability beyond the harm itself, to those who facilitated it and to the question of whether it could have been prevented. Technology companies may be sued globally under stricter standards, even for security uses.

 

This judgment sends a clear signal to the technology industry in Israel in general and the cybersecurity industry in particular: global operations trigger global legal responsibilities. Companies now must strengthen compliance, control, and risk management to avoid legal exposure and reputational damage. On the upside, the judgment may accelerate cybersecurity regulations and turn compliance into a competitive advantage: responsible companies will gain the market’s trust, while competitors may expose themselves to substantive business risks.

The judgment emphasizes the need to manage global legal risks actively and in a balanced manner.

 

  • Companies and managers should design and implement effective compliance systems, including controls over customers and product uses, documentation of decisions, training, and periodic inspections. It is also important to work in conjunction with legal advisors on an ongoing basis and in coordination with regulatory authorities, including when obtaining export permits, and to understand that compliance with local law does not provide full protection abroad.
  • Shareholders should verify that compliance and risk management mechanisms are in place and demand inspections whenever warning signs arise.
  • Injured parties should collect and retain evidence, obtain assistance from cybersecurity experts, and seek legal advice, sometimes also to open proceedings abroad.

 

Ultimately, coordination with regulatory authorities, ongoing legal advice, and proper management of evidence are not merely technical measures but key components of broad legal protection and risk management in an era of global technological activities.

 

 
