Published Jun 29, 2026 by Xiph
The commercial spyware industry has spent years hiding behind a single sentence: we just build the tool — what the customer does with it is on them. It is a tidy defence, and for nearly a decade it held. Then, after a six-year fight, a US jury and a federal judge took it apart. NSO Group — the Israeli maker of Pegasus, the most notorious surveillance tool on earth — was found liable for hacking roughly 1,400 WhatsApp users, and then permanently barred from ever targeting WhatsApp again. For once, the company that built the weapon was held responsible, not just the governments that pulled the trigger.
That matters, and not only to the journalists and activists Pegasus was built to track. It tells the rest of us something about where accountability for this industry is heading — and, just as usefully, about what a court case cannot fix.
What actually happened
It starts in May 2019, when NSO exploited a flaw in WhatsApp's voice-calling feature to deliver Pegasus to about 1,400 phones worldwide. The targets were not random: journalists, human rights lawyers, diplomats and officials across more than 20 countries. The attack was "zero-click" — the victim did not have to answer the call, tap a link or open anything. The spyware simply arrived.
WhatsApp's parent, Meta, sued in October 2019, and the decisive milestones came at the end. In December 2024 the court found NSO liable for breaching US and Californian anti-hacking laws and WhatsApp's terms of service. In May 2025 a jury in San Francisco put a number on it: around US$444,000 in compensatory damages and a thumping US$167 million in punitive damages. Then, in October 2025, the judge issued a permanent injunction barring NSO from ever targeting WhatsApp or its users again, and ordered it to destroy any code it held relating to Meta's platforms.
There was a sting in the tail: the same ruling cut the punitive damages from US$167 million to roughly US$4 million, the judge reasoning that the law caps such awards and that there were not yet enough cases of this kind to call NSO's conduct "particularly egregious." NSO is appealing. The headline number shrank, but the precedent and the ban stood.
The defence that finally broke
The reason researchers called the verdict a landmark was not the money. It was that the case dismantled the industry's favourite alibi.
For years, spyware vendors have positioned themselves as neutral arms suppliers: they license software to vetted agencies, and if a client points it at a journalist instead of a terrorist, that is the client's sin, not theirs. But the litigation forced NSO's own executives onto the stand and its documents into the record — and the picture that emerged was not of a passive vendor handing over a product. Court filings established that NSO itself is the entity that installs Pegasus on a target's device and extracts the data. It also conceded it spends tens of millions a year developing new ways to break into phones — through messaging apps, browsers and operating systems — and that Pegasus could still compromise an up-to-date iPhone or Android.
In other words, the maker is not standing at arm's length from the act. It is operationally in the room. Once that is on the record, "we just sell it" stops being a defence — and that is the part with consequences for every other company in this business.
Why your encryption isn't a force field
There is a comforting belief that end-to-end encryption makes you untouchable. It does not, and Pegasus is the clearest proof. Encryption protects a message while it travels between your phone and the person you are talking to — nobody in the middle can read it. But spyware does not sit in the middle. It sits on the device, underneath the app, at the level of the operating system itself. By the time you read a message it has been decrypted; by the time you write one it has not yet been encrypted. A phone with Pegasus on it sees everything you see — every chat, photo, password and location — and can switch on the microphone and camera as well. The encryption did its job perfectly. It simply was not protecting the part that got attacked.
This is why "I use WhatsApp or Signal, so I'm fine" is only half a sentence. The app can be flawless and the device still owned. As we covered in what a zero-day really is, the most dangerous flaws are the ones nobody has patched yet — exactly the ones Pegasus has always traded on.
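To make the point above concrete, here is a small model of the two vantage points. It is an added illustration, not code from Xiph or from any messaging app: the cipher is a deliberately simple encrypt-then-MAC construction built from Python's standard library (HMAC-SHA256 as a keystream plus an HMAC tag), the two handsets share a key that is assumed to have been exchanged already, and the `hook` on the recipient stands in for an implant running under the app. An observer on the network gets only ciphertext and cannot forge or decrypt it with the wrong key, while the hook on the device reads the same message in the clear, because the app hands it over after decryption.

```python
"""Toy model (added example, not a real protocol): end-to-end encryption
protects the path, a compromised endpoint sees the plaintext anyway."""
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, truncated to the requested length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Wire format: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, wire: bytes) -> bytes:
    """Check the tag before touching the body; wrong key or tampering -> ValueError."""
    nonce, body, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


class Handset:
    """One end of the chat. `hook` models spyware sitting under the app: it is
    given the plaintext before encryption on send and after decryption on receive."""

    def __init__(self, name: str, key: bytes, hook=None):
        self.name, self.key, self.hook, self.inbox = name, key, hook, []

    def send(self, text: str) -> bytes:
        plaintext = text.encode()
        if self.hook:
            self.hook(self.name, "send", plaintext)  # implant reads pre-encryption
        return encrypt(self.key, plaintext)

    def receive(self, wire: bytes) -> str:
        plaintext = decrypt(self.key, wire)
        if self.hook:
            self.hook(self.name, "receive", plaintext)  # implant reads post-decryption
        self.inbox.append(plaintext.decode())
        return self.inbox[-1]


def run_scenario(compromise_recipient: bool = False) -> dict:
    """Send one constructed message and report what each vantage point saw."""
    shared_key = secrets.token_bytes(KEY_LEN)  # assumed already exchanged out of band
    implant_log = []
    hook = None
    if compromise_recipient:
        hook = lambda who, stage, pt: implant_log.append((who, stage, pt.decode()))
    alice = Handset("alice", shared_key)
    bob = Handset("bob", shared_key, hook=hook)

    wire = alice.send("meet at 9, bring the documents")  # constructed sample message
    # Network observer: sees the bytes in transit, then tries a guessed key.
    network_saw_plaintext = b"documents" in wire
    try:
        decrypt(secrets.token_bytes(KEY_LEN), wire)
        wrong_key_worked = True
    except ValueError:
        wrong_key_worked = False
    bob.receive(wire)
    return {
        "network_saw_plaintext": network_saw_plaintext,
        "wrong_key_worked": wrong_key_worked,
        "implant_saw": [entry[2] for entry in implant_log],
        "recipient_read": bob.inbox[-1],
    }


if __name__ == "__main__":
    print("clean device:", run_scenario())
    print("compromised device:", run_scenario(compromise_recipient=True))
```

The first run shows the channel doing its job: no plaintext on the wire and a wrong key rejected by the tag check. The second run changes nothing about the cipher and still hands the implant the full message, which is the situation the paragraph describes. Swapping this toy cipher for a real protocol would not change that result.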
What the verdict changes
- The maker is a target now, not just the buyer. For the first time a commercial spyware company has been held liable in court for how its product was used — a precedent other victims and platforms can build on.
- The injunction has bite. It bans NSO from WhatsApp permanently, and the ban held even while the appeal runs. When WhatsApp detected fresh NSO-linked activity in June 2026, it went straight back to court asking for NSO to be held in contempt — turning the order into a live enforcement tool rather than a one-off scolding.
- Investors are on notice. A spyware firm that can be sued, banned and dragged back for contempt is a riskier asset — which changes the calculus for the financiers who keep this industry liquid, arguably a stronger deterrent than any single fine.
What it doesn't change
It would be easy to read the verdict as the end of Pegasus. It is not.
- NSO is still operating. The injunction covers WhatsApp, and only WhatsApp — not other Meta apps, and crucially not NSO's government customers, who keep using the tool. The reduced damages are a rounding error to an industry that deals in seven-figure exploits.
- The rivals have not gone anywhere. Even if NSO vanished tomorrow, competitors would take its place — and researchers warn the most dangerous players now are small, obscure firms almost nobody can name.
- Your everyday exposure is unchanged. Pegasus was aimed at high-value targets, and most people will never be one. But the techniques it pioneered trickle down, and the spyware that actually reaches ordinary Australians is more mundane: stalkerware, dodgy apps, and malware delivered by social engineering. A court case in California does nothing to clear that off your phone.
The Australian picture
It is tempting to file this under "overseas news." Don't. Australians run the same iPhones and Android devices as everyone else, which means the same zero-click vectors land here on the same day. And while the average person is not a Pegasus target, the people it is built for — senior executives, lawyers on sensitive matters, journalists, dissidents who have settled here, and high-net-worth individuals — are very much part of the local population.
Australia has signed up to the international push to rein the industry in — it is a backer of the UK-and-France-led Pall Mall Process on commercial cyber-intrusion tools, and joined the earlier multinational statement condemning spyware abuse. At the same time, our own Assistance and Access Act already gives agencies wide powers to compel access to encrypted data — a reminder, as we argued in The surveillance ratchet, that the machinery for getting inside devices is being built on every side. For a business, the implication is blunt: the data on your people's phones is a target, and "we use an encrypted app" is not a security strategy.
What you can do now
You cannot litigate Pegasus out of existence from your living room. You can make yourself a far harder target.
For individuals:
- Patch the moment updates land. Pegasus and its imitators live on unpatched flaws. Turn on automatic updates and install Apple's and Google's emergency security patches the day they ship.
- Restart, and use the locked-down modes. A regular reboot can disrupt non-persistent infections, and Apple's Lockdown Mode strips out the features zero-click attacks abuse.
- Harden the device, not just the apps. A hardened handset such as a GrapheneOS phone removes much of the attack surface an ordinary phone leaves exposed.
- Be ruthless with links and permissions. Most everyday spyware still arrives through a tapped link or an over-permissioned app. When in doubt, toss it out.
For businesses:
- Treat mobile as a front door. Build phones into your security program properly — see our mobile device security guide — rather than assuming the laptop is the only way in.
- Issue hardened devices and encrypted comms to high-risk roles. Executives, finance, legal and anyone handling sensitive IP warrant more than a stock handset and a consumer chat app.
- Know your exposure, then close it. A risk audit and system hardening cost far less before an incident than after one.
- Get expert eyes on it. If you are unsure where your people are exposed, our cyber security consultants — or a virtual CISO — can map the risk and build the defence around it.
A final word
The NSO verdict is a genuine milestone: a court has finally said that making the weapon, not just firing it, carries liability — and that the people who build surveillance-for-hire can be named, banned and held in contempt when they ignore the order. That is worth something. What it is not is a cure. The industry is still trading, the rivals are still selling, and the spyware most likely to end up on an Australian phone was never made by NSO at all.
The lesson, as ever, is that accountability after the fact is no substitute for being hard to hit in the first place. At Xiph Cyber we have spent years helping Australian businesses and individuals do exactly that — hardened devices, encrypted communications, and the consulting to put them to work. To find out where you are exposed and what to do about it, talk to our team about cyber security consulting, or get in touch at enquiries@xiphcyber.com.
