NSO Group acknowledges canceling contracts with 10 clients for the improper use of its Pegasus spyware, according to uncovered court documents.

WhatsApp achieved a legal victory by getting a U.S. federal judge to order the public disclosure of three court documents that reveal internal aspects about Pegasus, the spyware developed by NSO Group, an Israeli surveillance technology company. The declassified documents include information from testimonies of NSO employees during the legal proceedings, internal company documents, and WhatsApp messages exchanged between NSO employees, obtained by WhatsApp through subpoenas.

Among the revelations, it stands out that NSO disconnected ten government clients from access to Pegasus in recent years, citing abuses in the use of its service. This revelation is part of the lawsuit filed by WhatsApp in 2019, in which it accuses NSO of violating anti-hacking laws, specifically the Computer Fraud and Abuse Act, as well as violating WhatsApp's terms of service by accessing its servers and attacking individual users with spyware sent through the chat application. The accusations are based on cyberattacks targeting WhatsApp users, including journalists, dissidents, and human rights defenders.

According to a WhatsApp spokesperson, the revealed evidence illustrates how NSO's operations violated U.S. law and facilitated cyberattacks against journalists and activists. WhatsApp is committed to continuing its efforts to hold NSO accountable and protect its users.

The court documents also highlight that NSO had created a hacking toolkit called "Hummingbird," which allowed access to private data on the targets' phones. This toolkit could cost NSO's government clients up to $6.8 million in a year and generated at least $31 million in revenue during 2019. NSO is estimated to have installed Pegasus on “tens of thousands” of devices using these tools.

Until now, it was unclear who was actually sending the malicious messages via WhatsApp. Despite NSO claiming to have no knowledge of its clients' operations, the new court documents raise doubts about these claims. WhatsApp argued that the involvement of NSO's clients was minimal, as they only needed to enter the target phone number, and the software installation was done remotely.

An NSO employee acknowledged that the decision to use WhatsApp messages to activate the spyware rested with the clients. In response, an NSO spokesperson reiterated that the system is operated exclusively by its clients and that the company has no access to the intelligence obtained through its tools.

One of the methods used by NSO to attack WhatsApp users was creating a "WhatsApp Installation Server," a modified version of the app to send its exploits. NSO admitted to having set up real WhatsApp accounts for its clients. WhatsApp managed to neutralize the "Eden" and "Heaven" exploits with security updates. These exploits were designed to redirect WhatsApp devices to a malicious relay server controlled by NSO.

Another exploit, called "Erised," allowed compromising a phone without user interaction. WhatsApp blocked its use in May 2020, months after filing the lawsuit. Recently, it was revealed that Pegasus was used against Princess Haya of Dubai, leading NSO to disconnect access to Pegasus for ten of its clients due to abuses.

In this context, WhatsApp is seeking a summary judgment in the case while awaiting a decision from the judge. The revealed information could be valuable for other individuals who have sued NSO in different countries, as it may help strengthen their cases against the company.