The $168 million judgment against NSO Group in the U.S. over its Pegasus spyware, used to hack WhatsApp users, has amplified concerns in India. Hundreds of Indian phone numbers were reportedly targeted, leading to accusations of government overreach and a stalled Supreme Court investigation.
BY PC Bureau
May 7, 2025 – A landmark legal victory in the United States has cast a renewed spotlight on the contentious use of Pegasus spyware in India. A U.S. federal jury in California ordered Israeli cyber-intelligence firm NSO Group to pay a staggering $168 million in damages to WhatsApp and its parent company, Meta, concluding a long-fought legal battle over the company’s controversial spyware.
This ruling, delivered on Tuesday, has significant implications not only for NSO Group but also for the ongoing debate surrounding government surveillance and privacy rights in India, where Pegasus has triggered a major political storm.
The U.S. lawsuit, initiated by WhatsApp in 2019, stemmed from the discovery that NSO Group exploited a “zero-click” vulnerability in the messaging platform’s video calling feature. This allowed the clandestine installation of Pegasus on approximately 1,400 devices globally, including around 100 in India, with a mere phone call and no user interaction. Once installed, the sophisticated spyware could pilfer a vast array of sensitive data, including messages, emails, location information, and even activate the device’s camera and microphone for covert surveillance. Victims of these attacks included journalists, human rights activists, and diplomats worldwide.
ALSO READ: Mock Drill Cover Masks ‘Operation Sindoor’ Terror Strikes
The California jury found NSO Group liable for violating U.S. federal and California anti-hacking laws, as well as for breaching WhatsApp’s terms of service. The substantial damages awarded – $167.25 million in punitive damages and approximately $444,719 in compensatory damages – underscore the severity of the court’s judgment against the spyware firm.
Will Cathcart, head of WhatsApp, hailed the decision as a pivotal moment for digital privacy, asserting that “spyware companies could not hide behind immunity or avoid accountability for their unlawful actions.” Cybersecurity experts echoed this sentiment, with Citizen Lab’s John Scott-Railton describing it as a landmark ruling with “huge implications for the spyware industry,” signaling a potential shift in holding such companies responsible for the misuse of their technologies.
ALSO READ:
Meta has won $168 million in damages from the Israeli cyber intelligence firm #NSOGroup in the WhatsApp spyware scandal.
At @amnesty, we have extensively documented the use of NSO Group’s spyware #Pegasus to illegally surveil human rights defenders, journalists, and opposition… pic.twitter.com/MsRU8Eh8Ci
— Erika Guevara Rosas (@ErikaGuevaraR) May 7, 2025
NSO Group, while indicating plans to appeal, maintains that its Pegasus software is intended for legitimate use by government law enforcement agencies to combat terrorism and serious crime. However, the U.S. court’s findings suggest a more direct role for NSO in the unauthorized surveillance activities. Meta, in a move towards greater transparency, has published transcripts of NSO executives’ court depositions and pledged to donate any recovered damages to digital rights organizations.
The Indian Epicenter of Controversy
While the U.S. court ruling marks a global milestone, the Pegasus spyware has been at the center of a significant and ongoing controversy in India. The “Pegasus Project” revelations in July 2021, a collaborative investigation involving over 17 media organizations and Amnesty International, exposed a leaked list of approximately 50,000 phone numbers believed to be potential Pegasus targets worldwide.
Alarmingly, over 300 verified Indian mobile phone numbers appeared on this list. The alleged targets represented a diverse cross-section of Indian society, including:
• Key Opposition Figures: Rahul Gandhi, a leading opposition figure, was among those allegedly targeted, along with several of his close associates and party officials.
ALSO READ:Â India Deploys SCALP Missiles, Hammer Bombs in Precision Strikes
• Critical Journalists: Prominent investigative journalists known for their scrutiny of the government, such as Siddharth Varadarajan, Swati Chaturvedi, J Gopikrishnan were identified, with forensic analysis confirming Pegasus infection on some of their devices.
• Government and Constitutional Officials: The list reportedly included individuals holding key positions, such as then Election Commissioner Ashok Lavasa and former CBI head Alok Verma.
• Human Rights Defenders and Lawyers: Activists involved in sensitive cases, like the Bhima Koregaon matter, and their legal representatives were also allegedly targeted.
• Individuals Linked to the Judiciary: Shockingly, even individuals connected to the Supreme Court, including an employee who had made serious allegations against the then Chief Justice, and her family members, were reportedly on the list.
These revelations ignited a fierce political backlash in India, with opposition parties accusing the government of deploying military-grade spyware to conduct unwarranted surveillance on its political adversaries, dissenting voices, and even members of crucial institutions. Demands for a thorough investigation and accountability reverberated through the political landscape.
Government Denial and Judicial Intervention
The Indian government, however, vehemently denied any unauthorized surveillance. In a parliamentary statement, the Minister of Electronics and Information Technology dismissed the “Pegasus Project” reports as “baseless,” asserting the existence of adequate legal and constitutional safeguards against illegal interception. The government maintained that any lawful surveillance is conducted strictly within the framework of the Telegraph Act, 1885, and the IT Act, 2000.
ALSO READ:Â Operation Sindoor Strikes Terror Hubs, Kills 80 in Pak, PoK
Faced with mounting public pressure and petitions from affected individuals and concerned citizens, the Supreme Court of India intervened in 2021. The apex court established a Technical Committee, headed by retired Supreme Court Justice R.V. Raveendran, to investigate the allegations of unauthorized Pegasus surveillance.
The Supreme Court expressed its strong disapproval of the Union government’s “limited affidavit,” which failed to provide a clear response to the allegations, citing national security concerns as the reason for its reticence.
In 2022, the Supreme Court-appointed Technical Committee submitted its findings. While the full report remains confidential, key aspects revealed by the then Chief Justice of India included:
• The presence of malware was detected on five of the 29 mobile phones examined.
• However, the committee could not definitively conclude that this malware was Pegasus.
• Significantly, the Supreme Court noted the Central government’s non-cooperation with the Technical Committee’s investigation.
The Supreme Court’s observation regarding the government’s lack of cooperation raised serious questions about the transparency and accountability of surveillance operations within the country.
The U.S. Ruling and Renewed Scrutiny in India
The recent U.S. court ruling against NSO Group, which explicitly highlighted the 2019 WhatsApp hacking campaign that impacted approximately 100 Indian users, has injected fresh urgency into the stalled Pegasus investigation in India. Opposition parties, particularly the Congress, have seized upon the U.S. verdict to demand a re-examination of the case by the Supreme Court, directly questioning the Modi government’s potential involvement in the alleged surveillance.