# Hacking the Hackers' Vendor: WhatsApp v. NSO Group and the CFAA's Reach
*A messaging company sued the world's most notorious spyware vendor under a 1986 anti-hacking law — and won a nine-figure jury verdict. The case shows the CFAA reaching across borders to a commercial exploit developer.*
In WhatsApp v. NSO Group, a U.S. court applied the Computer Fraud and Abuse Act to the maker of Pegasus, the commercial spyware used to compromise phones around the world. The case is a milestone in holding exploit vendors civilly liable — and a useful lens on how the CFAA, supply-chain security, and mobile exploitation intersect.
## What the Case Was About
In 2019, WhatsApp (owned by Meta) discovered that NSO Group had exploited a vulnerability in WhatsApp's calling feature to deliver Pegasus spyware to roughly 1,400 targeted devices — among them journalists, activists, and officials. Delivering the exploit routed malicious traffic through WhatsApp's U.S.-based servers. WhatsApp sued under the CFAA, California's computer-crime statute (CDAFA, § 502), and for breach of WhatsApp's terms of service.
## What the Courts Held
In December 2024, Judge Phyllis Hamilton granted WhatsApp summary judgment on liability, finding NSO violated the CFAA and California law and breached the terms of service by accessing WhatsApp's systems to deliver the exploit. NSO's argument that it merely supplied a tool to sovereign clients did not defeat liability. In May 2025, a jury awarded $444,719 in compensatory damages and $167.25 million in punitive damages. The court subsequently found the punitive award constitutionally excessive and reduced it to roughly $4 million (about nine times the compensatory figure). NSO has appealed the liability and damages rulings.
## Why It Matters for Contractors
- The CFAA reaches commercial exploit developers — across borders. Building, selling, or deploying tools that access systems "without authorization" can create civil liability even when end users are foreign governments.
- Supply-chain and mobile exploitation are real threats. The case underscores why zero-click mobile exploits and third-party tooling belong in contractor threat models, not just enterprise IT.
- "We just sold the tool" is a weak defense. Liability attached to the vendor that built and operated the exploitation infrastructure, not only to the operators who pulled the trigger.
## Key Takeaways
- WhatsApp v. NSO established civil CFAA liability against a foreign spyware vendor for exploiting a U.S. platform to infect ~1,400 devices.
- A 2025 jury awarded ~$167M in punitive damages, later reduced to ~$4M as constitutionally excessive; the case is on appeal.
- The decision shows the CFAA's long reach over exploit developers and commercial surveillance vendors.
See the statute on our Computer Fraud and Abuse Act page and the access-scope framework in Van Buren.
*Source: WhatsApp Inc. v. NSO Group Techs. Ltd., No. 4:19-cv-07123 (N.D. Cal.); summary judgment Dec. 20, 2024; jury verdict May 6, 2025.*