Court Document Reveals Scale of NSO's WhatsApp Victims

A newly released court document from WhatsApp’s lawsuit against NSO Group has confirmed that 1,223 users across 51 countries were targeted by Pegasus spyware in a two-month attack campaign in 2019. The breakdown, based on internal WhatsApp data, provides the most detailed picture yet of how widely the surveillance tool was used by government bodies.

The data, submitted to a California court, shows the largest number of victims in Mexico (456), followed by India (100), Bahrain (82), Morocco (69), and Pakistan (58. The hacking campaign occurred “between in and around April 2019 and May 2019,” exploiting a vulnerability in WhatsApp that allowed users to be infected through a call — regardless of whether the user picked up or not.

Calcalist reported that NSO earned around $40 million from the operation, with a leaked Meta document showing the spyware enjoying a total revenue of $61.71 million over two years in relation to the WhatsApp breach. Mexico alone reportedly spent over $60 million on NSO products.

However, the presence of victims in countries like Syria, where NSO products cannot be sold due to sanctions, suggests that governments may be using the software to target people outside their territories.

A 2024 forensic analysis by Amnesty International found Pegasus traces on the phones of Indian journalists, while mobile security firm iVerify found “2.5 infected devices per 1,000 scans” in its December 2024 analysis. These findings suggest the threat remains active and underreported.

NSO Group has rejected the lawsuit’s claims and said in a statement that the data represents “information taken out of context” and that “the fact that the phone of a suspect in a crime or terrorist activity is identified in a certain territory does not indicate the identity of the customer.”