ANALYTICAL BRIEF | REF: PGSS-0326-GE | SOURCE: OSINT / AMNESTY INTERNATIONAL / CITIZEN LAB / COURT FILINGS
UPDATED 16 MAR 2026
THE MERCENARY

THE SPYWARE INDUSTRIAL COMPLEX

NSO Group, Pegasus, and the $168 Million Verdict That Exposed How Governments Buy Zero-Days to Hack Their Own Citizens

SUBJECT: Commercial Surveillance Vendors (CSVs)
REGION: Global / Israel / European Union
PRIORITY: HIGH
ANALYST: OPEN SOURCE
STATUS: ACTIVE LITIGATION
MAY 2025 — US court orders NSO Group to pay $168M to WhatsApp for exploiting zero-day to deploy Pegasus on 1,400 devices
DEC 2024 — Judge Hamilton finds NSO liable for violating Computer Fraud and Abuse Act via WhatsApp zero-click exploit
Google GTIG 2025: commercial spyware vendors topped nation-states as primary zero-day exploit users for the first time
Pegasus provides full device access: messages, calls, camera, microphone, location — zero-click, zero-trace
2021 Pegasus Project: 50,000+ phone numbers targeted — journalists, activists, heads of state including Macron
US Commerce Dept blacklisted NSO Group Nov 2021 — same year SpaceX signed $1.8B classified NRO contract

$168 MILLION FOR A PHONE CALL

OAKLAND, CA — 6 MAY 2025 | US DISTRICT COURT

Jury Awards WhatsApp $168 Million in Damages Against NSO Group for Pegasus Spyware Campaign

On May 6, 2025, a federal jury in Oakland ordered NSO Group to pay $167.25 million in punitive damages to WhatsApp (owned by Meta) for exploiting a zero-day vulnerability in WhatsApp's voice calling feature to deploy Pegasus spyware onto approximately 1,400 devices worldwide.[1] The exploit — CVE-2019-3568, rated 9.8/10 severity — allowed Pegasus installation through a single WhatsApp call that the target didn't need to answer.[2]

In December 2024, U.S. District Judge Phyllis Hamilton had already found NSO liable, ruling that the company violated the Computer Fraud and Abuse Act and California's Comprehensive Computer Data Access and Fraud Act.[2] The May verdict added the financial penalty. NSO's defense — that it only sells to governments and bears no responsibility for how they use the tool — was rejected. The court held that building and deploying the exploit constituted the violation, regardless of who pressed the button.

DAMAGES: $168M (punitive damages awarded to WhatsApp/Meta against NSO Group)[1]
TARGETS: 1,400 (devices infected via WhatsApp zero-click exploit in 2019 campaign)[2]
CVSS SCORE: 9.8/10 (CVE-2019-3568, WhatsApp voice calling zero-day severity rating)[2]

NSO Group has been held accountable for unlawfully targeting the devices of WhatsApp users with military-grade spyware.

— WhatsApp statement following jury verdict, May 2025[1]

WHAT PEGASUS DOES

Pegasus is a fully featured intelligence collection platform disguised as a phone infection. Once deployed — typically via a zero-click exploit requiring no user interaction — the spyware provides the operator with:[3]

Complete device access: All messages (including end-to-end encrypted apps like Signal, WhatsApp, Telegram), emails, photos, contacts, calendar, browsing history, and stored files. Pegasus extracts data from encrypted apps by reading it after decryption on the device — bypassing encryption entirely.[3]

Real-time surveillance: Live activation of microphone and camera. GPS location tracking. Call interception. The device becomes a 24/7 surveillance platform that the target carries voluntarily.[3]

Stealth: Pegasus is designed to leave minimal forensic traces. It can operate entirely in memory (RAM), surviving reboots through persistence mechanisms but leaving little on-disk evidence. Amnesty International's Security Lab developed specialized forensic methodology specifically to detect Pegasus infections — indicating that standard mobile forensic tools are insufficient.[4]
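As an added example that is not Amnesty's code or Citizen Lab's tooling, the Python below sketches the indicator-matching step such a methodology relies on: records extracted from a device backup (per-process network usage and Safari history) are compared against an indicator list and a known-good process baseline, so that an implant which leaves little on disk still shows up through the traces it cannot avoid. The table schema, baseline, indicators and rows are all constructed placeholders.

```python
"""Indicator matching over iOS backup artifacts, in the spirit of Amnesty's
Pegasus forensic methodology. Added example: schema, baseline, indicators
and records are constructed placeholders, not real Pegasus IoCs."""
import sqlite3
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed placeholder indicators; a real check would load a STIX2 feed.
IOC_PROCESSES = {"placeholder_proc_a"}
IOC_DOMAINS = {"example-ioc.invalid"}
# Constructed baseline of expected process names; anything outside it is surfaced for review.
BASELINE_PROCESSES = {"mDNSResponder", "com.apple.Safari", "com.apple.mobilemail"}

@dataclass(frozen=True)
class Finding:
    source: str  # artifact store that produced the hit
    value: str   # process name or hostname that matched
    reason: str  # why it was flagged

def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a backup's network-usage and Safari history
    stores, filled with constructed rows (clean and suspicious mixed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE process_usage (procname TEXT, first_seen INTEGER);
        CREATE TABLE safari_history (url TEXT, visit_time INTEGER);
        INSERT INTO process_usage VALUES
            ('mDNSResponder', 1620000000),
            ('placeholder_proc_a', 1620003600),
            ('unknownd', 1620003700);
        INSERT INTO safari_history VALUES
            ('https://www.apple.com/', 1620001000),
            ('https://cdn.example-ioc.invalid/x', 1620003650);
    """)
    return con

def scan(con: sqlite3.Connection) -> list[Finding]:
    """Flag records that match an indicator or fall outside the baseline."""
    findings: list[Finding] = []
    for (name,) in con.execute("SELECT procname FROM process_usage"):
        if name in IOC_PROCESSES:
            findings.append(Finding("process_usage", name, "process indicator match"))
        elif name not in BASELINE_PROCESSES:
            findings.append(Finding("process_usage", name, "not in known-good baseline"))
    for (url,) in con.execute("SELECT url FROM safari_history"):
        host = (urlsplit(url).hostname or "").lower()
        # Match the indicator domain itself and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(Finding("safari_history", host, "domain indicator match"))
    return findings
```

The baseline check is what distinguishes this from a plain blocklist: a process name that matches no published indicator but is also absent from the known-good set is still raised for an analyst to look at.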

The technical sophistication places Pegasus in the same tier as nation-state tools like the Duqu dynasty or the Equation Group's exploits leaked by the Shadow Brokers. The difference: Pegasus is commercially available to any government willing to pay.

WHO GETS HACKED

In July 2021, the Pegasus Project — a collaboration of 80+ journalists coordinated by Forbidden Stories and Amnesty International — revealed a leaked list of over 50,000 phone numbers selected as potential surveillance targets by NSO customers.[5] The targets included:

Journalists: Reporters from the New York Times, Wall Street Journal, CNN, Al Jazeera, Le Monde, Financial Times, and dozens of other outlets. Investigative journalists covering corruption, human rights, and organized crime were disproportionately represented.[5]

Heads of state: French President Emmanuel Macron, Iraqi President Barham Salih, South African President Cyril Ramaphosa, and Pakistani Prime Minister Imran Khan were among the heads of state whose numbers appeared on the list.[5]

Human rights defenders: Amnesty International staff, Human Rights Watch researchers, and civil liberties lawyers across the Middle East, Africa, and Latin America. Saudi dissident and Washington Post columnist Jamal Khashoggi's inner circle was targeted before his murder in the Saudi consulate in Istanbul.[5]

NSO's stated mission — providing technology to "prevent terrorism and crime" — is belied by its customer list. The company sold Pegasus to Saudi Arabia, the UAE, Morocco, Mexico, India, Hungary, and dozens of other governments — many with documented patterns of suppressing dissent, persecuting journalists, and targeting political opposition.[5]

WHEN SPYWARE VENDORS OUTPACE NATION-STATES

In March 2026, Google's Threat Intelligence Group (GTIG) published its annual zero-day exploitation analysis revealing that for the first time, commercial surveillance vendors (CSVs) topped nation-states as the primary users of zero-day exploits.[6] The shift is structural, not incidental.

Zero-day exploits — vulnerabilities unknown to the software vendor and therefore unpatched — are the currency of offensive cyber operations. Historically, nation-state intelligence agencies (NSA, GCHQ, PLA Unit 61398) were the primary discoverers and deployers of zero-days. The Shadow Brokers leak revealed the NSA's massive zero-day arsenal.[7]

Now the market has inverted. Companies like NSO Group, Intellexa, and their competitors maintain dedicated vulnerability research teams that discover zero-days in iOS, Android, Chrome, and WhatsApp — then package them as turnkey surveillance products sold to government customers.[6] The commercial model industrializes what was once a bespoke intelligence capability.

The implications for the existing cyber weapons ecosystem are profound. The Duqu dynasty — three generations of nation-state espionage tools built on the Stuxnet codebase — represented years of development by the most sophisticated cyber teams in history. Pegasus achieves comparable access through a commercial product available to any government with $8-12 million per year.[3] The democratization of nation-state surveillance capability is the defining trend of the 2020s.

BLACKLISTED BUT NOT STOPPED

In November 2021, the U.S. Commerce Department added NSO Group and Intellexa (Predator spyware) to the Entity List — the same sanctions mechanism used against Huawei and, later, applied to Anthropic as a "supply chain risk."[8] The listing restricts U.S. companies from selling technology to NSO without special license.

The listing slowed but did not stop NSO. The company restructured, explored sale to U.S. defense contractors, and continued selling to government clients outside the U.S. sanctions reach. Pegasus infections continued to be detected by Citizen Lab and Amnesty International throughout 2022-2025.[4]

The European Union launched a parliamentary investigation (PANA Committee) but achieved no binding regulation. Hungary, a Pegasus customer, blocked meaningful EU action. Israel, where NSO is headquartered, treats Pegasus exports as defense articles requiring export licenses — licenses it has granted to authoritarian regimes.[5]

The fundamental problem: there is no international legal framework governing the sale of offensive cyber capabilities. The Wassenaar Arrangement covers some surveillance technology, but enforcement is inconsistent and the commercial spyware industry has grown faster than any regulatory response. Zero-day exploits are legal to develop, legal to sell, and legal to use — until a court rules otherwise, case by case.

THE RISE OF THE MERCENARY

2010
NSO Group founded in Herzliya, Israel by Niv Carmi, Shalev Hulio, and Omri Lavie. Initial backing from private equity. Product: Pegasus mobile surveillance platform.[3]
2016
Citizen Lab and Lookout discover Pegasus targeting Ahmed Mansoor, a UAE human rights activist. Three iOS zero-day exploits chained together. Apple patches CVE-2016-4655, -4656, -4657. First public identification of Pegasus.[4]
2018
Jamal Khashoggi's inner circle targeted with Pegasus by Saudi Arabia. Khashoggi murdered in Saudi consulate in Istanbul, October 2018. NSO denies involvement in the murder itself.[5]
2019
WhatsApp discovers CVE-2019-3568 — zero-click Pegasus deployment via voice call. 1,400 devices infected. WhatsApp/Meta files lawsuit against NSO Group.[2]
JUL 2021
Pegasus Project: 50,000+ phone numbers revealed as potential targets. Heads of state, journalists, human rights defenders. Global outcry. NSO denies wrongdoing.[5]
NOV 2021
U.S. Commerce Department adds NSO Group and Intellexa to Entity List. Same sanctions mechanism later applied to Anthropic as "supply chain risk."[8]
DEC 2024
Judge Hamilton finds NSO liable for violating Computer Fraud and Abuse Act via WhatsApp exploitation. First federal court finding of liability for a commercial spyware vendor.[2]
MAY 2025
Jury awards WhatsApp $168M in punitive damages against NSO. Largest financial penalty ever imposed on a commercial surveillance vendor.[1]
MAR 2026
Google GTIG: commercial spyware vendors surpass nation-states as primary zero-day exploit users for the first time. The mercenary model has overtaken the state model.[6]

BOTTOM LINE

Pegasus represents the industrialization of capabilities that were once the exclusive province of the most sophisticated intelligence agencies. A commercial product, sold to dozens of governments, that achieves the same level of device access as the Equation Group's bespoke tools or the Duqu dynasty's three generations of state-sponsored espionage platforms — but available for annual license fees rather than decades of development.[3]

The $168 million verdict against NSO is the first financial consequence for the commercial surveillance industry, but it addresses symptoms, not causes. Zero-day exploitation remains legal. Government customers continue to purchase Pegasus and its competitors. Google's finding that CSVs now outpace nation-states in zero-day usage confirms the structural shift: the market for offensive cyber capability has been commercialized.[6]

The Entity List designation — the same mechanism used to blacklist Huawei, and later applied as a "supply chain risk" to Anthropic — creates a direct comparison. NSO builds tools to hack phones. Anthropic builds AI with safety restrictions. Both were sanctioned. The principle at work is not ethics but alignment: entities that resist U.S. government preferences face the same regulatory instrument, regardless of whether they hack citizens or refuse to enable autonomous weapons.

The spyware industrial complex is the shadow image of the defense tech boom. Palmer Luckey builds weapons for the Pentagon with Silicon Valley speed. NSO Group builds surveillance tools for any government with Silicon Valley speed. The same talent pipeline, the same zero-day expertise, the same commercial model — pointed in different directions, with different customers, and no international framework to distinguish between them.

For the first time, commercial surveillance vendors surpassed nation-states as the primary users of zero-day exploits.

— Google Threat Intelligence Group, March 2026[6]

References & Source Material

[1] The Hacker News, "NSO Group Fined $168M for Targeting 1,400 WhatsApp Users With Pegasus Spyware," 7 May 2025. Jury verdict, damages amount, WhatsApp statement.
[2] "Pegasus (spyware)," Wikipedia. CVE-2019-3568, Judge Hamilton ruling Dec 2024, NSO lobbying, comprehensive timeline.
[3] "NSO Group," Wikipedia. Company history, Pegasus capabilities, customer list, legal proceedings, Entity List designation.
[4] Amnesty International, "Forensic Methodology Report: How to catch NSO Group's Pegasus," Jul 2021. Detection methodology, forensic indicators, infection chain analysis.
[5] The Guardian / Forbidden Stories, "Pegasus Project," Jul 2021. 50,000+ phone numbers, heads of state targets, journalist surveillance, Khashoggi connection.
[6] Security Boulevard, "Spyware Makers Topped Google's List of Zero-Day Exploits for the First Time in 2025," 6 Mar 2026. Google GTIG annual analysis, CSV zero-day dominance.
[7] Various reporting on Shadow Brokers leak and Equation Group arsenal, 2017. NSA zero-day stockpile and proliferation precedent.
[8] U.S. Commerce Department, "Addition of Certain Entities to the Entity List," Nov 2021. NSO Group and Intellexa designation.