Meta says NSO Group breached spyware injunction with new WhatsApp attacks

The legal dispute between spyware maker NSO Group and WhatsApp, which has been running since 2019, has entered a new phase. Ars Technica reports that Meta has filed a new submission in the United States Northern District of California federal court alleging that NSO Group has breached the limits set in a standing injunction by launching new targeted attacks against WhatsApp users in late 2024 and early 2025.

The case began with allegations that NSO Group used its Pegasus spyware to target roughly 1,400 users via WhatsApp infrastructure in 2019. In late 2024 a federal jury found NSO liable under the Computer Fraud and Abuse Act (CFAA) and issued a $167.2 million damages award along with a standing injunction against the company.

The core evidence in Meta's new filing draws on joint forensic analysis by Citizen Lab and Meta's security team. The analysis shows that the technical signatures of recently detected exploit chains map back to NSO Group's existing tooling infrastructure. Citizen Lab's director Ron Deibert told Ars Technica that the indicators were consistent and that the source technology of the attacks matched NSO's known fingerprint templates.

In response, an NSO Group spokesperson said the company serves only approved government customers and complies fully with the standing injunction. The spokesperson said any direct attack on users falls outside NSO's licensing policy. NSO also asserts that fake attack signatures may have been used.

According to the filing, targeted users include journalists, civil society activists and lawyers working in immigration law in several European Union member states. Ars Technica also reports that the supplementary evidence folder filed with the court has been requested for confidential treatment because of its size. The decision on whether to unseal the folder could come in the coming weeks.

On the WhatsApp security side, Meta deployed multi-device end-to-end encryption, Disappearing Messages and a model for early detection of suspicious calls after the previous wave of attacks. The new allegations indicate that those mechanisms need continuous renewal in order to remain sufficient against zero-day exploits.

On the regulatory side, the European Commission's revision of export controls on spyware makers, including NSO Group, is in its final stage of work that began in 2024. The draft envisages judicial oversight for spyware use against civilian targets within EU member states. The US Treasury renewed its 2021 designation of NSO on its sanctions list last year.

On the financial side, the appeal process on the $167 million damages award is ongoing. The company's financial situation has been described as weakening for some time; the new Meta filing asks the court for additional injunctive relief to extend the standing injunction. A positive ruling could create a situation in which NSO cannot update its US-linked software libraries.

On the clinical side, the past three years have seen examples of spyware reaching mobile health data; this dimension is described as one of the allegations in the confidential folder of the new filing. Legal experts say this dimension could expand the case technically and ethically.

In the broader picture, the Meta - NSO case continues to be the most tangible legal indicator of where the clash between consumer platforms and state-grade spyware will land. As Ars Technica stresses, the ruling from the next hearing will set a precedent for the sector. This is not legal advice.