{
	"id": "68303cde-3001-483f-837d-4571efae2158",
	"created_at": "2026-04-06T00:06:30.613Z",
	"updated_at": "2026-04-10T03:21:07.073963Z",
	"deleted_at": null,
	"sha1_hash": "1dc73435bedb3c0c687925609f27d1eea5d51c4f",
	"title": "1,400 Pegasus spyware infections detailed in WhatsApp’s lawsuit filings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 273155,
	"plain_text": "1,400 Pegasus spyware infections detailed in WhatsApp’s lawsuit\r\nfilings\r\nBy Suzanne Smalley\r\nPublished: 2024-11-14 · Archived: 2026-04-05 22:09:10 UTC\r\nUnredacted court documents published Thursday show that spyware maker NSO Group admitted to developing\r\nexploits to allow its Pegasus product to infect the phones of some 1,400 WhatsApp users in 2019 — an operation\r\nthat allegedly violated federal and state laws, according to the messaging company.\r\nThe filings, part of a lawsuit WhatsApp filed against the NSO Group in 2019, shine a light on how Israel-based\r\nNSO Group — a notoriously secretive company — operates the powerful Pegasus spyware on behalf of\r\ngovernment customers. A California federal judge ordered the documents to be released last week.\r\nThe documents also show that despite the hundreds of infections, WhatsApp’s security team repeatedly defeated\r\nPegasus intrusions. Alleged victims included journalists, human rights activists, political dissidents, diplomats and\r\nsenior foreign government officials. Pegasus is “zero-click” spyware, meaning the devices were infected without\r\nthe users interacting directly with a malicious link or other source.\r\nAn unredacted WhatsApp motion for summary judgment asserts that NSO admits that it developed and sold the\r\nspyware used to infect the WhatsApp users’ devices and specifically relied on a zero-click installation vector\r\ncalled “Eden.”\r\n“NSO’s Head of R\u0026D has confirmed that those vectors worked precisely as alleged by Plaintiffs,” the WhatsApp\r\ncourt filing says. 
WhatsApp is owned by social media giant Meta.\r\nNSO Group admitted to developing the exploits by “extracting and decompiling WhatsApp’s code, reverse-engineering WhatsApp and designing and using their own “WhatsApp Installation Server” (or “WIS”) to send\r\nmalformed messages,” the filing said.\r\nWhatsApp further alleges that because those malformed messages were sent through WhatsApp servers, they\r\ncaused targeted devices to install Pegasus “in violation of federal and state law and the plain language of\r\nWhatsApp’s Terms of Service.”\r\nA spokesman for WhatsApp said in a statement that the newly public evidence “shows exactly how NSO’s\r\noperations violated U.S. law and launched their cyber-attacks against journalists, human rights activists and civil\r\nsociety.”\r\n“We are going to continue working to hold NSO accountable and protect our users.”\r\nEven after WhatsApp discovered and blocked a vulnerability that NSO Group exploited in May 2019,\r\nWhatsApp’s motion alleges that NSO admitted creating another vector, known as Erised, for installing Pegasus\r\nthrough a WhatsApp server.\r\nhttps://therecord.media/pegasus-spyware-infections-detailed-whatsapp-lawsuit\r\nPage 1 of 4\n\n“NSO continued to use and make Erised available to customers even after this litigation had been filed, until\r\nchanges to WhatsApp blocked its access … sometime after May 2020,” the filing says.\r\nReverse engineering\r\nWhatsApp’s filing alleges that NSO Group’s effort to allow Pegasus to hack the WhatsApp account holders’\r\nphones was long in the making and complex.\r\nPrior to April 2018, the filing said, NSO researched, developed and tested potential installation vectors using\r\nWhatsApp by “creating an internal environment replicating WhatsApp’s servers and by ‘decompiling’ the Official\r\nClient’s code to understand how to circumvent the security measures built into it,” the filing says, citing a\r\ndeposition given by NSO’s head of research and development, Tamir 
Gazneli.\r\nWhatsApp’s filing claims that the reverse engineering allowed NSO to develop an installation vector dubbed\r\n“Heaven” that relied on “NSO’s own modified client application,” the WIS. \r\n“The WIS was able to impersonate the Official Client to access WhatsApp’s servers and send messages, including\r\ncall settings, that the Official Client could not,” the WhatsApp filing says. “NSO began testing Heaven on\r\nWhatsApp servers around April 2018, and began distributing it to customers shortly afterward.”\r\nWhatsApp security updates made in September and December 2018 defeated the exploit, WhatsApp said.\r\nAccording to WhatsApp, again citing the Gazneli deposition, NSO responded in February 2019 by creating the\r\n“Eden” exploit that dodged the security updates.\r\n“The primary difference was that Eden ‘need[ed] to go through WhatsApp relay servers’ not NSO’s own relay\r\nserver,” the WhatsApp filing says. \r\n“NSO admits its Eden technology was responsible for the attacks against the approximately 1,400 devices that\r\nPlaintiffs observed in May 2019,” the filing said. \r\nNSO Group employees took to WhatsApp’s messaging platform to complain about how the company had shut\r\ndown the exploits, according to the WhatsApp filing. In December 2018, WhatsApp’s filing says an NSO Group\r\nemployee told colleagues via the WhatsApp platform that the company “had made changes in their servers that\r\ncurrently fail all installations and can cause crashes.”\r\nAgain quoting from the Gazneli deposition, WhatsApp’s filing says that NSO admitted its spyware allows users\r\naccess to the “same information [in a target device] that you could access if you had a password to the device.”\r\nTurnkey access\r\nA second unredacted WhatsApp document details how NSO made Pegasus work for customers by setting up a\r\nvirtual private server that they could use anonymously. 
According to WhatsApp, NSO created a “fake persona”\r\nwho used bitcoin to lease the server and used a California-based server to carry out the 2019 Pegasus attacks.\r\nWhatsApp’s filings portray the use of Pegasus as turnkey for NSO customers, saying that the customer “only\r\nneeded to enter the target device’s number and ‘press Install, and Pegasus will install the agent on the device\r\nremotely without any engagement,’” the WhatsApp filing says, citing a deposition from Josh Shaner, a former\r\nemployee of Westbridge, a U.S.-based affiliate of NSO. \r\n“The rest is done automatically by the system,” Shaner said in his deposition, according to the WhatsApp filing.\r\n“In other words, the customer simply places an order for a target device’s data, and NSO controls every aspect of\r\nthe data retrieval and delivery process through its design of Pegasus,” the WhatsApp filing said.\r\nCiting a deposition from NSO CEO Yaron Shohat, who was chief operating officer at the time of the WhatsApp\r\nhacks, WhatsApp asserts that NSO “admits the actual process for installing Pegasus through WhatsApp was ‘a\r\nmatter for NSO and the system to take care of, not a matter for customers to operate.’” \r\nGil Lainer, a spokesperson for the NSO Group, said via email that NSO “stands behind its previous statements in\r\nwhich we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its\r\nemployees have access to the intelligence gathered by the system.” \r\n“We are confident that these claims, like many others in the past, will be proven wrong in court, and we look\r\nforward to the opportunity to do so.\"\r\nA third WhatsApp court filing reveals that Shohat admitted in his deposition that Pegasus was used to target\r\nDubai’s Princess Haya, who fled to Britain in 2019 after discovering Sheikh Mohammed bin Rashid Al Maktoum\r\n— the ruler of Dubai 
and vice president and prime minister of the United Arab Emirates — had previously\r\nabducted two of his daughters and forced them back to the UAE as captives against their will. Pegasus was\r\nreportedly used to spy on them as well. \r\nNSO Group has not yet released its own unredacted filings, which are due to the court this week.\r\nUpdated 11/15/2024 with comments from NSO Group.\r\nSuzanne Smalley\r\nis a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was\r\npreviously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police\r\nDepartment for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington\r\nwith her husband and three children.\r\nSource: https://therecord.media/pegasus-spyware-infections-detailed-whatsapp-lawsuit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/pegasus-spyware-infections-detailed-whatsapp-lawsuit"
	],
	"report_names": [
		"pegasus-spyware-infections-detailed-whatsapp-lawsuit"
	],
	"threat_actors": [],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dc73435bedb3c0c687925609f27d1eea5d51c4f.pdf",
		"text": "https://archive.orkl.eu/1dc73435bedb3c0c687925609f27d1eea5d51c4f.txt",
		"img": "https://archive.orkl.eu/1dc73435bedb3c0c687925609f27d1eea5d51c4f.jpg"
	}
}