Judicial documents reveal the locations of WhatsApp victims affected by NSO spyware.

A recent court document revealed that the spyware Pegasus, developed by NSO Group, was used to target 1,223 WhatsApp users in 51 different countries during a hacking campaign in 2019. This information was disclosed on Friday in the context of a lawsuit filed by WhatsApp, which is owned by Meta, against NSO Group, accusing the surveillance technology manufacturer of exploiting a vulnerability in the messaging app to target hundreds of users, including over a hundred human rights activists, journalists, and other members of civil society. At the time, WhatsApp stated that around 1,400 users had been attacked.

The court document provides specific details about the countries where the 1,223 individuals were located when they were targeted by the spyware. Among the countries with the highest number of victims are Mexico, with 456 people; India, with 100; Bahrain, with 82; Morocco, with 69; Pakistan, with 58; Indonesia, with 54; and Israel, with 51. Victims were also identified in European countries and other regions, such as Spain (12), the Netherlands (11), Hungary (8), France (7), the United Kingdom (2), and one case in the United States. This breakdown of countries offers a unique insight into the activities of NSO Group’s clients and the targeting of their victims.

Runa Sandvik, a cybersecurity expert, emphasized that numerous reports have documented the use of Pegasus worldwide, but there is often a lack of clarity regarding the scope of the problem and the number of victims who were not notified or did not share their stories publicly. The revelation of 456 cases just in Mexico highlights the actual extent of the spyware problem.

Furthermore, the hacking campaign targeting WhatsApp users took place over a short period of only two months, specifically between April and May 2019. It is important to note that it has not been confirmed whether the existence of a victim in a particular country indicates that the government of that country was the client that used the spyware against those individuals. In some cases, a government client may have directed Pegasus at individuals outside their country.

The number of victims also provides clues about who the highest-paying clients of NSO Group are. It has been reported that Mexico spent over $60 million on the spyware, which could explain the number of Mexican targets on the list. In the past year, WhatsApp achieved a judicial milestone by determining that NSO Group had violated U.S. hacking laws by attacking its users, and a hearing is expected to determine the damages that NSO will have to pay.

Additionally, the case has revealed that NSO Group disconnected 10 government clients following reports of abuse of the spyware, and that the WhatsApp hacking tool produced by NSO Group cost up to $6.8 million for an annual license, generating at least $31 million in revenue for the company in 2019.