NSO Pegasus (illustration).

Inside NSO’s WhatsApp hack: $40 million in profit and 1,223 global targets

Meta lawsuit sheds light on how a single vulnerability turned into a global espionage tool.

NSO customers exploited a WhatsApp vulnerability that the company itself had identified to deploy Pegasus spyware against 1,223 targets in 51 countries, according to documents filed in Meta's lawsuit against the Israeli surveillance company. Additional documents reveal how that single vulnerability generated tens of millions of dollars in revenue for NSO, detail efforts to sell Pegasus in the U.S., and expose key aspects of the company's marketing strategy.
In December, a federal court in California ruled in favor of Meta in the lawsuit it filed in 2019, after NSO allegedly used a WhatsApp vulnerability to hack into users' devices and monitor their activity, including that of roughly 100 journalists and human rights activists. The court rejected NSO's defenses, including its claim that it discovered the flaw before agreeing to WhatsApp's terms of service, and found that the company had failed to comply with its disclosure obligations during discovery. NSO has said it plans to appeal. Damages have yet to be determined.
Over the weekend, previously sealed or redacted documents related to the case were released, shedding new light on the scope and scale of NSO’s activities. One internal document listed 1,223 individuals who were targeted through the WhatsApp breach. The largest number of victims was in Mexico (423), followed by India (100), Bahrain (82), Morocco (69), and Pakistan (58).
A country's appearance on the list does not necessarily mean it was an NSO client: the list records where a targeted phone was located, not which customer targeted it. Syria, for example, is listed with 11 victims, even though NSO is barred from selling Pegasus there; those devices may have been targeted by the intelligence services of other countries. Mexico, India, Bahrain, and Morocco, however, have all previously been reported as NSO customers.
Other countries with notable victim counts include Indonesia (54), Israel (51), Uzbekistan (43), Algeria (38), and Cyprus (31). In the Middle East, the list identifies 9 victims in Lebanon, 6 in the UAE, 2 in Qatar, and 1 in Egypt.
A significant pattern in the data is the disproportionately high number of victims in countries that are not Western democracies. Spain is the highest-ranked Western democracy, with 21 victims, placing it 12th on the list. In 2022, Pegasus was reportedly used to spy on Spain's prime minister and defense minister, but the Spanish investigation was closed, citing Israel's lack of cooperation. Other Western democracies on the list include the Netherlands (11 victims), France (7), and Belgium (4).
The list also includes one victim in the United States. NSO has previously stated that Pegasus cannot be used against U.S. phone numbers by anyone other than U.S. government agencies. The document suggests that, at least once, a foreign law enforcement agency may have used Pegasus against a device on U.S. territory, likely before the company was added to the U.S. Commerce Department's Entity List in 2021.
More details emerged from a deposition by a former NSO employee who marketed Pegasus in the U.S. and Canada between 2016 and 2018. Despite efforts to engage local and federal agencies, including the police departments of Los Angeles, San Diego, and San Francisco and agencies in San Bernardino County and Idaho, he said no deals were ever closed.
An unsealed Meta filing, based in part on NSO's own data, showed that the WhatsApp exploit brought NSO $61.71 million in revenue between Q2 2018 and Q2 2020. The estimated profit was between $21.31 million and $40.24 million, depending on how R&D expenses were allocated. In 2018, NSO earned $19.44 million from the exploit, followed by $31.06 million in 2019 and $11.21 million in the first half of 2020.
NSO responded: “The list sent for our consideration is an interpretation of information taken out of context, alongside half-truths and one-sided claims by Meta—claims that have already been refuted and will continue to be refuted in the legal process. For example, the fact that the phone of a suspect in a crime or terrorist activity is identified in a certain territory does not indicate the identity of the customer.”