Court documents unsealed on Thursday disclose that NSO Group knowingly engineered exploits for its Pegasus spyware, facilitating the infection of approximately 1,400 WhatsApp users' phones in 2019.
WhatsApp has accused the operation of breaching both federal and state laws, highlighting the systemic disregard for privacy safeguards. By enabling unauthorized access to private communications, NSO Group's actions undermined the core principles of data protection and user consent, exposing sensitive personal information to potential misuse.
Unredacted depositions from multiple NSO Group employees, filed overnight by WhatsApp in its ongoing litigation, reveal that NSO Group directly operates the Pegasus spyware on behalf of its clients, contrary to prior assumptions that clients were responsible. By maintaining operational control over Pegasus, NSO Group not only facilitates but directly executes privacy violations, enabling invasive monitoring without transparency or oversight.
The chaos of the intercontinental joint operation is everywhere. Even if you are physically thousands of kilometers away, you can easily spy on people from another country.
In one deposition, an NSO employee revealed that customers simply had to provide the phone number of the individual they wished to surveil, with the system handling the rest automatically. This testimony confirms that customers were not directly involved in the operational aspects of deploying Pegasus. Instead, NSO unilaterally accessed WhatsApp’s servers, utilizing a system they designed and continuously upgraded to infiltrate targeted phones.
It seems that we are in an age where we can access a lot of data with a single click and spy on whatever we want...
This operational model represents a profound breach of privacy, as NSO effectively centralized the decision-making and execution of surveillance, bypassing any client accountability.
In its filing, WhatsApp stated: “The customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus.” This assertion underscores the direct role NSO Group plays in executing surveillance operations, effectively removing clients from the technical process.
What else could it be, right?
This setup exacerbates privacy concerns, as it not only facilitates unauthorized data access but also ensures that individuals targeted have no recourse against those directly responsible for the violation.
This mechanism of espionage and surveillance has also been used in much more dangerous waters.
According to the website Forbidden Stories, leaked documents indicate that in 2020, NSO’s legal team expressed concern that highly sensitive materials—including its complete client list (potentially identifying “US customers”), contracts, and details related to high-profile incidents such as the Jeff Bezos hack and the murder of Jamal Khashoggi—might become exposed during the discovery process.
One click is enough.
Pegasus is classified as "zero-click" spyware, meaning it infiltrates devices without any direct interaction from the user, such as clicking on a malicious link or opening a harmful attachment. This type of spyware significantly heightens privacy risks, as it allows for covert surveillance without the victim’s knowledge or consent. By bypassing traditional security measures that rely on user caution, zero-click exploits make it almost impossible for individuals to protect their personal data.
Lawyers, doctors, activists, freedom defenders, democrats or leaders of other countries... Anyone can be a target.
For NSO, it is a vector known as "Eden."
The court filing further cites the confirmation of NSO’s Head of R&D, who acknowledged that these vectors functioned exactly as alleged by the plaintiffs.
Who cares terms?
As a preliminary matter, NSO Group has acknowledged that it developed and sold the spyware detailed in the complaint, specifically its zero-click installation vector known as “Eden.” Eden was part of a broader family of WhatsApp-based vectors collectively named “Hummingbird,” which were used in the attacks outlined in the complaint. NSO's Head of R&D has confirmed that these vectors functioned exactly as described by the plaintiffs. Moreover, NSO has admitted to developing these exploits by extracting and decompiling WhatsApp’s code, reverse-engineering the platform, and creating its own “WhatsApp Installation Server” (WIS) to send malformed messages through WhatsApp's servers. These messages, which could not be generated by legitimate WhatsApp clients, were used to silently install the Pegasus spyware on target devices. This methodology clearly violated both federal and state law, as well as WhatsApp’s Terms of Service. NSO’s internal documents further indicate that the company was fully aware of WhatsApp's prohibition on reverse-engineering, yet NSO made no effort to adhere to WhatsApp’s Terms in developing and deploying these malware vectors.
In other words, a complex phishing attack is being carried out on your device, making it appear as if the message was sent from a real institution.
Yes, this is real. Apparently this has happened.
The purpose of such a planned mechanism is to obtain confidential documents and other critical information from your device.
NSO has admitted that it never sought nor obtained authorization from WhatsApp to engage in its covert activities, fully aware that WhatsApp would take action to halt its operations if detected. Furthermore, NSO acknowledged that WhatsApp’s security updates temporarily disabled its Malware Vectors, yet the company responded by modifying the exploit or developing new ones to circumvent WhatsApp’s defenses and continue its illegal use of WhatsApp servers to deploy Pegasus. Even after WhatsApp detected and blocked the exploit in May 2019, NSO proceeded to develop another installation vector, "Erised," which also leveraged WhatsApp’s servers to infect devices with Pegasus. Notably, NSO continued to offer Erised to its clients even after the lawsuit was filed, persisting in its efforts to bypass WhatsApp's security measures until further changes in May 2020 blocked its access.
For full court filing, you can check here:
https://www.documentcloud.org/documents/25292927-wa-motion-for-summary-judgment_-unsealed-1
A second unredacted document from WhatsApp reveals that NSO facilitated the use of Pegasus for its clients by setting up a virtual private server, allowing them to operate anonymously. WhatsApp details how NSO created a "fake persona" to lease the server using bitcoin, thereby further masking the identity of the individuals involved in the attacks. This deceptive setup included using a server based in California to execute the 2019 Pegasus infections.
These kids have studied well.
Official records are available at the link below:
https://www.documentcloud.org/documents/25293501-whatsapp-opposition-to-nso-motion-for-summary-judgment_-unsealed-1
This entire ugly process shows us that NSO is not only a producer but also an executive.
Now add to this scenario that this company works with government institutions.
They know more about your device than you do.
That's exactly the world we live in.
Top comments (0)