Landmark injunction curbs Pegasus‑era hacking tactics while a judge trims Meta’s payout from roughly $167 million to $4 million—an inflection point for digital rights and the business of government‑grade spyware.

OAKLAND, Calif. —

A U.S. federal judge has permanently barred Israeli spyware company NSO Group from targeting WhatsApp, issuing one of the most far‑reaching court orders yet against the commercial surveillance industry—even as the court sharply reduced the money the firm must pay to Meta, WhatsApp’s parent company.

In a 25‑page order, U.S. District Judge Phyllis Hamilton granted WhatsApp’s request for a permanent injunction that prevents NSO from attempting to compromise the messaging platform or its users. The ruling caps a six‑year legal battle that began after WhatsApp disclosed in 2019 that NSO’s Pegasus spyware exploited a flaw in the app’s calling features to silently infect targets’ phones. A California jury in May found NSO liable and initially set punitive damages at about $167 million, along with a small compensatory award for Meta.

On Friday, Hamilton pared that award to $4 million, concluding the record did not support the kind of “particularly egregious” conduct that would sustain the nine‑figure punitive calculation. The split outcome at once cements a forward‑looking restriction on NSO’s operations and tempers the financial consequences of its defeat at trial.

The injunction is unusually specific. It bars NSO from using WhatsApp or Meta infrastructure to deliver exploits, from reverse‑engineering WhatsApp to build or test payloads, and from assisting others in attempts to compromise the service. NSO must remove any WhatsApp‑related tooling from its systems and certify compliance. While the order is limited to WhatsApp, it provides a template other platforms can study as they pursue their own cases against exploit vendors.

WhatsApp head Will Cathcart welcomed the injunction as a victory for user safety and for civil society, which has borne the brunt of years of mercenary hacking. Human‑rights groups likewise applauded the decision, saying it reduces a prominent attack vector against journalists, lawyers and opposition figures who rely on encrypted messaging in hostile environments.

NSO, which has endured ownership changes and financial strain since being placed on the U.S. Commerce Department’s entity list in 2021, said it was reviewing the decision. The company argues its software is licensed only to vetted government clients for legitimate law‑enforcement and counter‑terrorism work. At the same time, it acknowledged that the court’s order could tighten constraints on its business, even as it welcomed the dramatic reduction in damages.

The legal journey to this point has been closely watched. U.S. courts previously rejected NSO’s bid for sovereign immunity, finding that a private contractor does not inherit the legal protections of its government customers simply by selling to them. That reasoning has become an important touchstone in other disputes over the privatization of state‑like cyber powers and the spread of commercial offensive tools.

The case unfolded against a drumbeat of technical revelations. Investigations by academics and media consortiums tied Pegasus infections to civil‑society targets on multiple continents. Platform makers responded with a mix of patches, threat notifications and, increasingly, lawsuits. Apple filed a separate case against NSO in 2021; Microsoft and Google have called out exploit brokers and tightened their own security pipelines. Together, the actions reflect a turn toward law as a complement to code in the defense of widely used communications tools.

Hamilton’s ruling highlights a recurring tension in cyber litigation. It can be easier to prove that a digital intrusion occurred than to establish the heightened culpability necessary for eye‑popping punitive awards. The judge’s reduction of Meta’s damages does not erase the jury’s liability finding, but it reinforces the idea that permanent, enforceable conduct remedies may matter more than headline figures, especially in areas where intrusions are technically complex and harms are diffuse.

For governments, the decision lands amid a policy debate that shows no sign of fading. Law‑enforcement and intelligence services contend that highly capable spyware is sometimes essential to preempt violent acts and dismantle criminal networks. Rights advocates counter that export controls are porous, oversight is weak and abuse is routine, particularly in countries with fragile institutions. The Biden administration has tightened procurement rules and visa restrictions aimed at mercenary‑spyware vendors, while lawmakers in Europe weigh deeper guardrails on “dual‑use” technologies.

The practical effect for users will be incremental but real. WhatsApp engineers have spent years hardening call stacks, rolling out memory‑safety improvements and raising the cost of zero‑click exploitation. Removing a top‑tier adversary from the set of actors probing the platform’s defenses narrows the threat, even as other state units and private brokers continue to hunt for new vulnerabilities. Security teams caution that vigilance remains essential: patch quickly, limit automatic media handling where possible and be mindful of unexpected calls or prompts.

NSO could appeal aspects of the order, including its scope and certain factual findings. Meta is likely to leverage the injunction in regulatory conversations and as a model for further litigation. Any dispute over compliance could return the parties to court, where judges have tools—from discovery to contempt—to enforce forward‑looking remedies.

Whatever the next chapter, Friday’s ruling is a watershed for the U.S. tech arena and for global digital rights. It affirms that private companies can use American courts not only to seek redress for past intrusions but to shut down future ones. And it sends a clear message to the commercial spyware market: target the world’s most widely used platforms, and you may find yourself barred from the field.
