Meta’s decisive legal victory over NSO Group, awarding the tech giant $168 million in damages, has delivered a rare but powerful rebuke to the commercial spyware industry. The California jury’s ruling, split between punitive and compensatory damages, marks one of the most significant legal setbacks for a vendor accused of enabling government-backed digital surveillance.
But as watchdogs and legal experts point out, legal wins don’t always equal systemic change, especially in a murky, borderless ecosystem where spyware thrives under legal ambiguity and jurisdictional loopholes.
The case stems from a 2019 lawsuit in which Meta (then Facebook) accused NSO Group of targeting over 1,400 WhatsApp users using Pegasus spyware. The malware exploited vulnerabilities in the WhatsApp platform to silently infiltrate phones and exfiltrate private data.
Yet despite the jury’s strong judgment, Meta faces a steep climb in collecting damages. NSO Group, headquartered in Israel, has already vowed to appeal the ruling, a move that could delay enforcement indefinitely. Jurisdictional hurdles further complicate any effort to seize assets or enforce financial penalties.
“Meta may face significant hurdles in enforcing the payout,” says Jen Roberts of the Atlantic Council. “NSO Group has already demonstrated that it will continue operating despite ongoing legal threats.” According to court documents, the company continued targeting WhatsApp using three new exploit methods—internally named Eden, Heaven, and ERISED—even while the lawsuit was active.
A Rare Glimpse Inside the Spyware Black Box
The trial’s discovery phase unearthed rare and revealing insights into NSO Group’s operations. Executives disclosed a $50 million annual R&D budget, multiple exploit delivery vectors (collectively dubbed Hummingbird), and over $7 million in payments from U.S. agencies for services rendered.
This transparency is unprecedented in the spyware world, where companies usually operate in total secrecy. The exposure is likely to unsettle other spyware vendors, many of whom are already facing legal and reputational risks. But experts warn the impact may be limited.
Governments Still Want Spyware—And They’ll Get It
Despite Meta’s win, demand for offensive surveillance capabilities remains strong, especially among authoritarian regimes and resource-constrained governments. That underlying market pressure is why the spyware hydra won’t die with NSO.
“Even if NSO goes bankrupt, their engineers and executives could simply regroup, rebrand, and launch new firms,” warns Roberts. “We’ve seen this cycle before.”
This pattern of “splintering,” where staff from sanctioned or shuttered companies spawn new ventures, has already been documented in the Atlantic Council’s Mythical Beasts spyware dataset. Roberts says this trend must be monitored closely to prevent further proliferation of digital surveillance tools.
A Human Rights Wake-Up Call
For rights groups, the case adds to the mounting evidence that commercial spyware is incompatible with democratic norms. According to Silvia Lorenzo Perez of the Center for Democracy and Technology (CDT), tools like Pegasus inherently violate international human rights standards, even when used under the guise of national security.
“Pegasus is inherently disproportionate,” she says. “Its invasive capabilities raise serious questions about whether any such tool can ever be deployed lawfully in a democracy.”
That sentiment is echoed by digital rights advocates, who argue that even targeted surveillance must meet strict tests of legality, necessity, and proportionality—conditions rarely met when spyware is deployed in the real world.
NSO Group’s downfall is not just a warning to spyware makers, but also to governments that procure their services. The lawsuit highlights that private companies enabling illegal surveillance may face civil liability, and that public sector clients are complicit in misuse.
Perez believes the case could set a deterrent precedent: “This sends a strong signal to governments: engaging in spyware deployment is no longer just ethically questionable—it can be legally actionable.”
The big question now is whether this verdict will trigger meaningful reform or simply drive the industry deeper underground. With companies like Candiru, Intellexa, and others still operating in opaque jurisdictions, the ecosystem remains dangerous and diffuse.
NSO Group’s appeal will likely drag the case out for years, and even if the company disappears, its code, talent, and tactics will live on. As long as there’s global demand for stealthy, untraceable surveillance tools, the market will find a way to fill the void.
Still, Meta’s victory is a milestone—a legal, reputational, and symbolic win for victims of digital surveillance and a warning shot across the bow of an industry that has, until now, faced few consequences.
