WhatsApp Exposes NSO Spyware Secrets in Legal Victory

In March, WhatsApp achieved a significant legal victory against the Israeli company NSO Group, the developer of the Pegasus spyware. A U.S. federal court permitted the release of three documents shedding new light on Pegasus’s operations.

The disclosed documents include testimony from NSO employees, internal company records, and correspondence obtained through legal subpoenas. Among the revelations is the fact that NSO severed access to Pegasus for 10 government clients due to violations in the program’s use.

The lawsuit, filed by WhatsApp in 2019, accused NSO of orchestrating cyberattacks against journalists, human rights defenders, and activists, actions that violated U.S. cybersecurity laws and WhatsApp’s terms of service. A spokesperson for the messaging platform stated that the new evidence further demonstrates how Pegasus was employed for surveillance.

Court filings reveal that NSO developed exploits named “Eden” and “Heaven,” which infiltrated devices through WhatsApp messages. Clients merely had to provide the target’s phone number, after which Pegasus would automatically install the spyware. Licenses for the software reportedly cost up to $6.8 million annually, generating at least $31 million in revenue for NSO in 2019.

NSO has consistently claimed it does not participate in its clients’ operations, but the documents suggest otherwise. One NSO employee admitted that decisions to deploy exploits were made internally. It also emerged that fake WhatsApp accounts and servers were created to facilitate these attacks.

After security updates in 2018, WhatsApp successfully blocked the “Heaven” and “Eden” exploits. By 2020, it had also neutralized another NSO tool, “Erised,” which could infect devices without any interaction from the target.

The legal proceedings further revealed that Pegasus had been used to spy on Princess Haya of Dubai, a case previously reported by major news outlets. Simultaneously, NSO cut off 10 clients over abuses related to the spyware.

WhatsApp now awaits a final court ruling in its favor. Experts suggest the newly uncovered data could be pivotal in other lawsuits against NSO across various jurisdictions.

Access Now, a digital rights organization, noted that WhatsApp’s actions are already yielding results. Despite NSO’s refusal to provide comprehensive information, the available evidence strengthens the plaintiffs’ positions in similar cases worldwide.

In Barcelona, a lawyer recently filed a groundbreaking lawsuit against the founders and an executive of NSO Group, accusing them of espionage-related attacks. This marks the first case targeting not just the company but also its key individuals. The lawsuit was filed on behalf of Andreu Van den Eynde, a lawyer and professor specializing in cybersecurity, who became a victim of a surveillance campaign against Catalans advocating for regional independence in 2022. The Pegasus spyware was central to these activities.