A US federal judge has ruled that NSO Group, the Israeli maker of the controversial Pegasus spyware, violated state and federal US hacking laws in a case filed by WhatsApp.

The lawsuit accused NSO Group of infecting the phones of 1,400 individuals over a two-week period in May 2019.

The ruling, made by District Judge Phyllis Hamilton, found that NSO Group’s actions were in breach of the US Computer Fraud and Abuse Act and WhatsApp’s terms of service.

As a result, WhatsApp is entitled to sanctions against NSO Group, with the penalty to be determined in future proceedings.

The case, which has been ongoing for five years, will now proceed to a trial in March 2025, where a jury will decide on the damages NSO Group should pay WhatsApp. This decision marks a significant legal victory for WhatsApp and a key moment in the ongoing global debate over the use of spyware by governments.

WhatsApp expressed satisfaction with the ruling, highlighting that the decision was a victory not just for the company but for human rights advocates and journalists who had been targeted by the spyware.

A WhatsApp spokesperson stated, “NSO can no longer avoid accountability for their unlawful attacks on WhatsApp, journalists, human rights activists and civil society. With this ruling, spyware companies should be on notice that their illegal actions will not be tolerated.”

The court also found that NSO Group had failed to comply with earlier orders to provide the source code of the Pegasus spyware, a key piece of evidence in the case. The company had only made the code available for review in Israel, which the judge described as “simply impracticable.” This non-compliance contributed to the sanctions imposed on NSO Group.

NSO Group has long maintained that it only sells its spyware to government clients and that those clients, not the company, are responsible for using it to target individuals. However, the court’s findings suggest that NSO Group itself was directly involved in the hacking, which targeted not just WhatsApp but also iPhones to extract sensitive information, including photos, emails, and texts.

Among the known victims of the hack were government officials, journalists, human rights activists, and political dissidents. The case highlights growing concerns over the abuse of surveillance technologies by authoritarian regimes.

The US government blacklisted NSO Group in 2021, prohibiting US agencies from purchasing its products. The ruling in favour of WhatsApp is seen as a significant step towards holding spyware companies accountable and deterring further misuse of surveillance technologies.