A U.S. federal judge has unsealed critical court documents in the ongoing legal battle between WhatsApp and the NSO Group, exposing the inner workings of the notorious Pegasus spyware. The files, released following a legal victory for WhatsApp, reveal that the Israeli surveillance firm has terminated access for 10 government clients due to confirmed misuse of its technology.
The unsealed records include employee depositions, internal company memos, and intercepted communications that challenge NSO’s long-standing claims of having no involvement in customer operations. These revelations serve as a major development in the 2019 lawsuit, in which WhatsApp accuses NSO of violating the Computer Fraud and Abuse Act by targeting journalists, activists, and dissidents.
The Anatomy of a Cyber-Attack
According to the documents, NSO developed a sophisticated hacking suite codenamed “Hummingbird,” which included specific exploits dubbed “Eden” and “Heaven.” These tools were sold to intelligence agencies and police departments for up to $6.8 million per annual license, generating at least $31 million in revenue for NSO in 2019 alone.
Tamir Gazneli, NSO’s head of research and development, admitted in a deposition that Pegasus was successfully installed on “between hundreds and tens of thousands” of devices. While NSO has consistently argued that its customers operate the system independently, WhatsApp’s filing suggests otherwise:
“The customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus.”
Exploits and the “Fake Client” Strategy
The court filings detail how NSO utilized a “WhatsApp Installation Server” (WIS)—essentially a modified, fake version of the WhatsApp application—to deliver malicious payloads directly to target devices. NSO employees admitted to creating legitimate-looking WhatsApp accounts specifically for these operations.
Technical exploits identified in the case include:
- Heaven: An exploit active before 2018 designed to force devices to communicate with NSO-controlled relay servers.
- Eden: Developed after WhatsApp patched the “Heaven” vulnerability, this exploit required routing through legitimate WhatsApp relay servers.
- Erised: A “zero-click” exploit capable of compromising devices without any user interaction, blocked by WhatsApp in May 2020.
Accountability and Future Implications
Despite the incriminating evidence, NSO spokesperson Gil Lainer maintains that the firm is not responsible for the intelligence gathered by its clients. “NSO stands behind its previous statements… neither NSO nor its employees have access to the intelligence gathered by the system,” Lainer stated.
The documents also confirm that Pegasus was used against Dubai’s Princess Haya, a case previously linked to NSO technology by The Guardian and The Washington Post. The admission that NSO cut off 10 clients for abuse underscores the ongoing tension between surveillance demand and human rights concerns.
As WhatsApp awaits a decision on its request for a summary judgment, legal experts suggest these disclosures create a significant hurdle for NSO’s defense. Natalia Krapiva, legal counsel at Access Now, noted that while NSO continues to withhold sensitive data like source code, the information already public is proving vital for global litigation efforts against the firm.