In late December the Northern District of California ruled against Israeli spyware firm NSO Group, finding the controversial firm liable for hacking and a breach of contract.

The ruling was the latest in a five year battle between NSO Group and WhatsApp over the Israeli company's Pegasus spyware infiltrating WhatsApp's servers to spy on WhatsApp users.

Overall, the ruling was a win for WhatsApp with the court finding in favor of their motions for sanctions against NSO Group. However, the court also ruled against elements of WhatsApp's sanctions request.

The court found that NSO Group is subject to evidentiary sanctions for refusing to comply with discovery requests after the court ordered the company to comply and produce various documents. The company is notorious for attempting to impede lawsuits by refusing to provide relevant information, including a now dropped lawsuit filed by Apple.

NSO Group used their malicious spyware known as Pegasus to infiltrate and monitor devices and extract information using what are known as zero-click exploits. This means that a user does not need to click on a link or download a program for a hacker to access their devices. Instead, Pegasus exploits existing software like WhatApp's servers.

In this specific case, NSO Group was found liable for hacking journalists and employees of El Faro, an independent publication which primarily serves Central America. NSO Group and clients using their spyware used the zero-click exploits to install Pegasus on iPhones of 22 employees of El Faro between June 2020 and November 2021.

The court found that NSO Group exceeded its "authorized access" to WhatsApp's servers and breached WhatsApp's terms of service by transmitting its infiltration code and learning information about target devices through WhatsApp's servers. The court found NSO Group liable under the Computer Fraud and Abuse Act ("CFAA"), California Comprehensive Computer Data Access and Fraud Act ("CDAFA"), and for breach of contract.