Litigators of the Week: Spyware-Maker NSO Group Hit With $168M Verdict for Hacking WhatsApp
Rarely do human rights groups weigh in when Big Tech companies land nine-digit damages awards at trial. But this week, an official at Amnesty International called the $168 million verdict WhatsApp and Meta won against NSO Group “a momentous win in the fight against spyware abuse.”
Our Litigators of the Week are WhatsApp’s trial team, led by Greg Andres, Antonio Perez-Marques and Micah Block of Davis Polk & Wardwell. Late last year, U.S. District Senior Judge Phyllis Hamilton in Oakland, California, granted their motion for summary judgment against NSO Group—the Israeli company behind the Pegasus spyware used to target more than 1,000 WhatsApp users—finding the company violated the federal Computer Fraud and Abuse Act and California’s anti-hacking statute. This week, after a trial on damages, jurors found NSO Group “engaged in malice, oppression or fraud,” opening the door to a massive punitive damage award under California law.
Who is your client and what was at stake?
Greg Andres: We represented the plaintiffs WhatsApp and Meta in this litigation. At stake was their ability to protect the privacy of WhatsApp users’ communications in the first instance, and to prevent malicious actors from targeting their platform and their users. Privacy is at the core of WhatsApp’s mission and is the reason that WhatsApp provides industry-leading encryption. As WhatsApp Vice President of Global Communications Carl Woog testified at trial, “Privacy is the foundation of WhatsApp. It’s been part of our app from the beginning. And we believe that people should be able to have a private conversation online, just as you would have a private conversation in your living room.” This case was about holding NSO accountable and sending a message to NSO and others in their industry that the consequences for those who target U.S. companies for these unlawful purposes will be severe, and that WhatsApp’s world-class infrastructure is meant for connecting friends and families and is off-limits for spyware makers and other bad actors.
Lawyers at Cooley filed the complaint in this case. An appellate team at O’Melveny & Myers argued the foreign sovereign immunity issues at the Ninth Circuit. When did you and your firm get the call to handle this matter and what pieces of it have you handled?
Micah Block: We became involved in this matter in June 2020 as part of our broad portfolio of work for Meta. We have represented Meta and WhatsApp since then and led all subsequent motion practice, discovery and trial, with the able assistance of the appellate team at O’Melveny & Myers during the Ninth Circuit and Supreme Court appeals, as well as the expert team of Dr. Gil Orion, Ron Lehmann and Yael Riemer at FBC & Co., who advised us on a number of thorny Israeli law issues.
Tell me about the discovery issues that came up around the production of the Pegasus source code in this litigation. Did NSO’s failure to produce discovery and obey court orders end up helping you in any way?
Antonio Perez-Marques: Getting robust discovery from a foreign spyware company whose entire business is cloaked in secrecy and relies on the active concealment of its work was among the most challenging aspects of this case. Although NSO failed to produce certain discovery (including the code for its Pegasus spyware) in violation of the court’s orders and was sanctioned as a result, we were ultimately successful in that effort, obtaining sufficient discovery for the court to conclude as a matter of law that NSO was liable on all claims and for the jury to recognize NSO’s conduct as malicious, oppressive and fraudulent.
Following the denial of NSO’s motion to dismiss in July 2020, the district court proceedings were stayed for over two years while NSO pursued an unsuccessful appeal.
When the stay was lifted following the denial of certiorari in January 2023, the next battle was whether we would be able to get discovery from NSO: the defendants claimed that virtually all of the discovery we were seeking, including the code for Pegasus and the WhatsApp installation vectors, constituted state secrets that would be illegal for them to produce in the United States. Litigating and winning that dispute, under the Ninth Circuit’s Richmark standard, was a major milestone in the case. It opened up some degree of discovery, including key depositions of NSO executives.
During these depositions, we also learned, shockingly, that NSO had continued using WhatsApp to install Pegasus even after the lawsuit had been filed—a fact that we ultimately emphasized at trial to illustrate that conducting these kinds of attacks was inherent to NSO’s business and they would not stop absent a powerful message from the jury. Anticipating that NSO’s executives might not be willing to testify in a United States courtroom, we ensured that the depositions would be usable at trial—both as an evidentiary matter, as corporate representative depositions under Federal Rule of Civil Procedure 30(b)(6) and in the style of questioning, making sure to generate execute lines of questioning that could be played in full for the jury.
Although, in the end, we never received from NSO a full set of the Pegasus code, and NSO was sanctioned for violating the court's orders by failing to produce it in the United States, the limited discovery we received was more than sufficient to establish that NSO had broken the law and for the jury to conclude that NSO had acted with malice, oppression or fraud, warranting a substantial punitive damages award.
Who all was on your trial team and how did you divide the work?
Perez-Marques: Micah, Greg and I presented the evidence and arguments at trial, but we had a great team behind us and are well aware that litigation is a team sport. I gave the opening, Micah handled the expert witnesses and Greg presented the closing and rebuttal arguments. Greg and I divided the cross-examinations of the NSO executives at trial. Luca Marzorati played a crucial role in the development of the evidence before and at trial and Gina Cora was essential during the extensive motion practice and the jury instructions, where we prevailed on the majority of the relevant issues. And our efforts were supported, at every stage, with the teamwork and legal savvy and expertise of the Meta legal team, including Michael Chmelar, Nikki Vo, Tyler Smith, Christen Dubois, Arif Dhilla and Brady Freeman. As with every trial, preparation is the key, and many Davis Polk attorneys and staff played key roles throughout the case, including, but not limited to, counsel Craig Cagney; associates Muhammad Sardar, Gersham Johnson, Quentin Ullrich, Amelia Birnie, Kaitlin Campanini, Meenu Mathews and Cyerra Haywood; and law clerks Tyler Conroy and Thomas Floyd. Senior paralegal Felicia Yu led the Davis Polk trial operations team, and we wouldn’t have made it through trial without her and the rest of the incredible on-site team in Oakland.
How did you put on your damages cases? What did you have to prove to be eligible for punitive damages under California’s hacking statute?
Block: For compensatory damages, we relied largely on the testimony of WhatsApp and Meta engineers who responded to NSO’s May 2019 attack. NSO’s attack was a foundational moment for many of these engineers’ careers, so it was especially pleasing to give them the opportunity to tell their story to the jury. Those engineers explained how NSO’s sophisticated attack emerged as a “worst case scenario” in response to which Meta and WhatsApp quickly had to leverage a cross-border and cross-functional team of their world-class security experts to unpack and block in the space of two weeks what NSO’s R&D department had spent more than a year developing and concealing. We also relied on the testimony of our damages expert, Dana Trexler of Stout, who painstakingly investigated the work done by dozens of engineers and presented a summary of their work and time spent on the matter for the jury. Ms. Trexler’s thorough analysis and clear testimony allowed the jury to fully accept her quantification of Meta and WhatsApp’s costs.
For punitive damages, we relied almost entirely on the testimony of NSO’s executives in order to prove that NSO acted with malice, oppression or fraud when violating the California Comprehensive Fraud and Abuse Act. Despite the severity of NSO’s conduct, there were few factual disputes about what had actually happened: NSO launched repeated and sophisticated attacks on WhatsApp’s servers and deliberately concealed their attacks from WhatsApp, as well as the user victims. In our closing, we emphasized that there had to be consequences, that hacking and spying had to stop and that it did not pay.
NSO’s chief executive testified that the company lost $12 million in 2024 and $9 million in 2023. What steps will Meta be taking to try to collect on this $167 million damages award?
Perez-Marques: The evidence presented at trial, including the financial statements that NSO produced just weeks before trial began, made it clear that the company continues to earn and spend substantial sums from their spyware business—with over a hundred million dollars in revenue in 2023 and 2024, shareholders’ equity around $130 million, and annual R&D budgets that exceed $50 million—supporting an R&D department of roughly 140 employees. We suspect this evidence was key to the jury in rejecting the claim of NSO’s CEO that the company would be unable to pay a substantial award. Indeed, NSO’s decision to maintain extensive research-and-development operations signals they are poised to restart their operations as soon as this lawsuit is over. Ultimately, we believe the money is there and we will be pursuing all available paths to collect the award.
What can other companies take from what WhatsApp was able to accomplish with this litigation?
Andres: This type of litigation requires commitment and patience. Ultimately, companies willing to take a stand for their customers, like WhatsApp did here, have to be prepared for a long and contentious fight, but there is a light at the end of that tunnel: most importantly, the ability to protect the interests of customers, the company’s most important asset. Carl Woog deserves special thanks as the driving force behind upholding WhatsApp’s values since the early days of NSO’s attack. He did an incredible job describing WhatsApp’s values to the jury and sat with us at counsel table for the entirety of the trial.
What do you hope other spyware makers take from it?
Andres: Hacking and spying in violation of the law does not pay; there are consequences for attacking American companies, and courts in the United States will vindicate the rights of victims, however long that takes. Though companies like Meta and WhatsApp have a global reach, it is important to remember that they are headquartered and have significant infrastructure in California, so attacks on these systems are attacks on the United States that can be redressed in American courtrooms. We hope spyware companies learn that they are risking their business when they set out to hack U.S. companies in order to spy on people around the world.
What will you remember most about this matter?
Andres: We were inspired by the dedication of countless Meta and WhatsApp engineers, WhatsApp leadership and the Meta legal team. The engineers who work at Meta and WhatsApp—many of whom were drawn to work at the company because it helps them connect with their friends and family around the world—truly care about the work they are doing and we think the jury understood that commitment and the engineers’ deep concern for their users. WhatsApp leadership showed bravery in sticking with this case for years, despite countless hurdles along the way. And the Meta legal team deserves great credit for not flinching and seeing this litigation to the end.
Perez-Marques: The executive depositions and cross-examinations will stand out for me. Because of the excellent deposition testimony we were able to elicit from NSO’s executives, we faced a key strategic judgment at trial as to how to approach the cross-examinations of those witnesses. Although the jury had already heard nearly two hours of deposition testimony from NSO’s CEO, Yaron Shohat, and NSO’s head of R&D, Tamir Gazneli, we chose to conduct a robust cross-examination of both witnesses at trial, based on the judgment that the jury would benefit from hearing them make the same admissions live in the courtroom, confirming that the deposition video was not some sort of “gotcha” moment. For instance, on the stand, Mr. Gazneli admitted that NSO repeatedly attacked WhatsApp’s servers, that NSO deliberately concealed their activities from WhatsApp, because NSO knew WhatsApp would stop the attacks if they were detected, and that NSO repeatedly re-designed their spyware to evade WhatsApp’s controls. It was also in the course of this cross-examination that Mr. Gazneli slipped and characterized the victims of NSO’s spyware as “not people,” creating a dramatic moment that I will always remember and that I’m sure had an impact on the jury. Mr. Gazneli also acknowledged on the stand the many other applications that NSO’s 140-person R&D group studies and may target in the future, including operating systems, other messaging apps and browsers.
Block: From the trial, I will most remember our team’s jury addresses. Tony’s opening was crisp, accurate and compelling—he gave the jury a concise roadmap for what the trial evidence would show, and we were able to follow through on everything he promised to prove. Greg brought it all home in closing and tied the evidence to the jury instructions in a way that the jury found extremely persuasive. From the marathon pre-trial proceedings in this case, I’ll most remember how this case rewarded patience, focus and persistence. We faced down myriad procedural obstacles and discovery barriers to get this case to trial and hold NSO accountable. Credit for that goes first to the patient and courageous team at WhatsApp and Meta who led overall strategy and trusted us with this assignment, and next to the steadfast and extremely effective team at Davis Polk—especially the counsel and associates who lived and breathed this case for years.
