A U.S. federal judge issued a permanent injunction on Thursday that prevents NSO Group from using WhatsApp to target people, delivering Meta’s messaging platform a resounding courtroom victory over one of the world’s most infamous commercial spyware vendors. Though the court also cut an already huge monetary award to about $4 million, security and legal experts say the injunction is the bigger news, effectively walling off more than two billion users from a known vector of sophisticated surveillance.
Permanent Injunction Alters Platform Security
The order permanently prohibits NSO Group and its affiliates from using, developing or testing any product or software that relies on WhatsApp’s servers, accounts, infrastructure and information. In more practical terms, that means the company can’t use WhatsApp’s network to distribute or test hacks, can’t even maintain accounts for such purposes, and would face a contempt of court proceeding if it violated the ban. For a platform targeted by nation-grade tools, this is an unusual, broad remedy that goes beyond monetary damages and directly restricts future behavior.
WhatsApp leaders celebrated the ruling as a shield that will safeguard global civil society, and reiterated that the court’s order puts an end to NSO trying to hack its multitudes of users worldwide.
The case marks the intersection of platform trust and private surveillance, leaving few avenues to gain a strategic perch that might imperil journalists, dissidents or diplomats across borders.
Damages Cut, but Core Liability Left Standing
A jury had previously awarded punitive damages in the nine figures after finding that NSO used WhatsApp’s servers to send malware to more than 1,400 targets, including human rights defenders and journalists. The judge, however, trimmed the award to roughly $4 million under legal standards that limit punitive-to-compensatory ratios in the absence of especially egregious misconduct. The updated number pares back the financial sting, yet keeps the central findings intact and pairs them with a powerful behavioral remedy.
Legal observers say that injunctive relief can matter more than a headline number.
An injunction could limit what the vendor can do technically and add to customer commitments, while also serving as a legal precedent that other platforms might use as supporting evidence when they pursue similar claims under anti-hacking laws and breach-of-contract theories.
How Pegasus Made Its Way to WhatsApp Users
Court documents as well as independent research groups like Citizen Lab and Amnesty International’s Security Lab have chronicled how commercial spyware has used messaging apps in order to get to high-value phones with “zero-click” exploits, attacks that require no user input. In the case of WhatsApp, investigators traced the campaign to malicious phone calls and specially crafted network traffic that installed Pegasus on targeted devices.
Once in place, Pegasus can gain access to messages, microphones and cameras, and can potentially go undetected by using advanced persistence methods. WhatsApp patched the flaws and alerted affected users, but the sheer number of them, over 1,400 in a single campaign, underscored how messaging platforms are emerging as the prime conduit for mercenary spyware.
Wider Pressure on Commercial Spyware and Vendors
The decision adds to the growing pressure on the surveillance-for-hire market. NSO has long maintained that it sells only to vetted government agencies for lawful investigations, but watchdogs and media consortiums have traced Pegasus infections to the devices of lawyers, opposition politicians and civil society leaders in dozens of countries. The U.S. Commerce Department put NSO on its trade blacklist, while Apple filed a separate lawsuit accusing the company of using the same techniques to attack iPhone users.
Big technology companies, like Microsoft and Google, supported WhatsApp’s stance in court filings by arguing that any immunity or impunity for spyware merchants would weaken the security of global digital infrastructure. NSO, meanwhile, has said it is in the process of changing ownership among U.S.-based investors — a development that, if completed, could bring new governance claims but will not mitigate the restraints established with the injunction.
What The Decision Means For Users And Vendors
For ordinary users, one immediate takeaway is that WhatsApp has now established a court-backed fortification against one prolific attacker. This isn’t to say that the spyware threat goes away — attackers simply move on to target different apps, mobile basebands or device management interfaces — but it does take a recorded, high-impact route off the table and establish a playbook for platform enforcement.
For the spyware business, the ruling demonstrates that platform providers can win not just damages but also restrictions that will play out for years to come. Added to export controls, investor pressure, and coordinated vulnerability disclosure programmes, the ruling hardens the legal risk calculus for surveillance vendors. Look for other platforms to follow suit with lawsuits in time targeting access and tightening, while security teams speed the hardening of call stacks, media parsers, and real-time communications code, the precise areas where zero-click exploits land.
The point from the court is clear: pipeline hacks that use public networks are not merely a technological headache — they’re also a legal one. And for WhatsApp’s billions of users, a restraining order that effectively blocks NSO Group from using the network is a concrete step toward safer messaging.