Jury smacks NSO Group with $168 million in damages over WhatsApp spying
Signal fork TeleMessage used by Trump officials stored chats in plaintext, SK Chairman publicly apologizes for breach, Journalists uncovered MrDeepFakes using open source info, NSA to axe 8% of workforce, Treasury sanctions Burmese scam operation, Turkey thwarted second pager attack, much more


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
In the latest in a series of legal victories for Meta-owned WhatsApp in its pioneering lawsuit against spyware maker NSO Group, a federal jury decided that NSO must pay WhatsApp approximately $168 million in damages after a judge ruled that it violated anti-hacking laws when 1,400 of the messaging application’s users became infected with NSO's Pegasus spyware.
The jury settled on nearly $167.3 million in punitive damages and $444,719 in compensatory damages that NSO Group must pay after the judge limited the kinds of evidence NSO Group could use in making its case before the jury.
“Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” Meta said. “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
NSO Group spokesman Gil Lanier responded to the ruling by saying, “We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies.”
Both sides said they expect additional court action before all is said and done. (Tim Starks / Cyberscoop)
Related: Meta, TechCrunch, Reuters, Courthouse News Service, CNA, Politico, Washington Post, New York Times, Security Affairs, BBC, CyberScoop, Ars Technica, Reuters, The Register, The Record, DataBreachToday.com, Axios, Access Now, CTech, Platformer, Cyber Security News, SiliconANGLE, Politico, Neowin, The Intercept, Default, Financial Times, The Guardian, Tech in Asia, israelhayom.com, Digit, Engadget, UPI, Verdict, The Verge, dailyjournal.com, Social Media Today, The Hill, r/privacy


Despite its misleading marketing, TeleMessage, the company that makes a modified version of Signal used by senior Trump officials, can access plaintext chat logs from its customers.
The admins for organizations that use TeleMessage set up archive plans and assign users to them.
Each archive plan has a source messaging app (like TM SGNL) and a destination controlled by the TeleMessage customer. Destinations can include Microsoft 365, email servers (SMTP), or file servers (SFTP). The admin assigns TeleMessage users like Mike Waltz to an archive plan, which determines where their chat logs will be archived.
Once the TM SGNL app sends chat logs to the archive server, the archive server is supposed to do something like this: it looks up the user that sent the chat log, then looks up that user's archive plan, then forwards the messages to the destination defined in the archive plan (via SMTP or SFTP), and presumably (but who knows for sure) deletes the chat logs from the archive server.
The archive server connects directly to SMTP and SFTP destinations to push chat logs. However, according to Microsoft's documentation, Microsoft 365 works the opposite way: Microsoft 365 logs into the archive server and pulls the chat logs once a day.
However, once Signal messages reach an endpoint, they are in plaintext (if they weren't, you wouldn't be able to read your texts). At this point, they're protected by various forms of disk encryption depending on the device. This is how Signal messages sometimes end up as evidence in court records: someone's phone or laptop with Signal installed was searched, after the messages were already decrypted.
TM SGNL completely breaks this security. The communication between the TM SGNL app and the final archive destination is not end-to-end encrypted.
Senator Ron Wyden published a letter to Attorney General Pam Bondi, which cites a 404 Media article discussing how TM SGNL was hacked. The letter requests that the Justice Department investigate the "serious threat to US national security posed by TeleMessage, a federal contractor that sold dangerously insecure communications software to the White House and other federal agencies." (Micah Lee / Micah Lee Blog)
Related: Wired, Washington Post, 404 Media, NBC News, Senator Ron Wyden, Hacker News (ycombinator)

SK Chairman Chey Tae-won publicly apologized for a recent large-scale data breach at SK Telecom Co., which may have leaked the sensitive information of some 25 million users.
"I apologize for the concerns and inconvenience caused by a cyberattack at SK Telecom," Chey said during a press conference.
"I also feel regretful for the lack of communication and response that followed the incident. The criticism we have received from customers, the media, the National Assembly and government agencies is well-deserved, and we humbly accept it," he added. (Yonhap News Agency)
Related: The Chosun Daily, Reuters, The Korea Times
Bellingcat, in collaboration with Danish outlets Tjekdet, Politiken, and the Canadian Broadcasting Corporation (CBC), conducted an investigation to reveal the identity of a key administrator behind MrDeepFakes, which billed itself as the “largest and most user-friendly” platform for celebrity deepfake pornography.
Based on open source information, the journalists discovered that David Do, a Canadian pharmacist who lives an unassuming and respectable life in the suburbs outside of Toronto, is Mr. DeepFakes. Photos and videos posted online show him with family, friends, and colleagues. The university graduate has a well-paying job in a public hospital and drives a new Tesla.
But Do has been living a double life: in secret, he is the most prominent figure identified to have had control over the administration of MrDeepFakes. He was also an influential member of its growing online community, producing his own deepfake porn and assisting users who wanted to make their own.
Online posts show that Do is a technically minded individual with a long-standing interest in creating and distributing adult content, and provide insight into his efforts to obfuscate his identity.
The organizations identified Do by cross-referencing data from massive credential leaks, publicly available via breach databases. A series of burner emails, IP addresses, repeated usernames, and a unique password reveal a more than decade-long digital trail that allowed researchers to link him to MrDeepFakes.
MrDeepFakes was shut down on May 4 after Do was informed that he would be identified. (Bellingcat)
Related: TjekDet, Politiken, CBC, NPR

According to three people familiar with the plan, the National Security Agency (NSA) has been directed to cut potentially thousands of civilian employees as part of the Trump administration’s push to reduce the federal government's size.
The largest electronic spy agency in the world must axe 8 percent of its civilian workforce, which covers everything from administrative staff to defensive and offensive cybersecurity operators. While the number of non-military personnel working at NSA is classified, between 1,500 and 2,000 positions are expected to be cut.
One source said the agency is expected to make the cuts by the end of the year; however, that deadline could change, according to one person, as it is tied to the Defense Department’s broader push to reduce its budget by 8 percent in each of the next five years.
This person suggested that the civilian workforce cut would ultimately apply to every “combat support agency” that provides tactical-level expertise to the Pentagon, including the NSA, the Defense Intelligence Agency, the National Reconnaissance Office, and the National Geospatial-Intelligence Agency.
The Washington Post first reported the effort to shrink the US intelligence community, including an estimated 1,200 positions from the CIA. (Martin Matishak / The Record)
Related: The Hill, r/politics
The US Treasury Department said it sanctioned the Karen National Army, which operates in Myanmar’s southeast Kayin state bordering Thailand, as well as its leader, Saw Chit Thu, and his two sons, for supporting and profiting from cyber scams “on an industrial scale” that have cost Americans billions of dollars.
According to Treasury, the group leases land to organized crime groups. It provides support for large-scale operations, including security and electricity for “scam compounds,” as well as human trafficking and smuggling.
The Treasury’s Financial Crimes Enforcement Network accused the group of laundering money for North Korean cyber heists and crypto “pig butchering scams” by transnational criminal organizations in Southeast Asia. (Ramsey Al-Rikabi / Bloomberg)
Related: Treasury Department, Radio Free Asia, Mashable
Turkey’s intelligence service thwarted a remote attack using pagers last year in Lebanon, days after similar attacks by Israel killed dozens and wounded thousands, including members of Lebanon’s Hezbollah group.
Details of the 2024 operation, reported by a newspaper one year later, show that 1,300 pager devices and 710 chargers rigged with explosives were seized in a cargo shipment at Istanbul Airport en route to Lebanon from Hong Kong.
A Turkish security official, speaking on condition of anonymity in line with regulations, confirmed the report but would not provide further details.
Hezbollah’s chief spokesman, Youssef el-Zein, said that days after the Sept. 17 pager attack in Lebanon and Syria, Hezbollah informed Turkish intelligence that a shipment of pagers was in Turkey and about to be sent to Lebanon.
El-Zein said Turkish authorities confiscated the pagers and most likely destroyed them. (Daily Sabah and Suzan Fraser and Bassem Mroue / Associated Press)
Related: The New Arab, Naharnet, Hürriyet
The UK Ministry of Justice (MoJ) said it is working with the National Crime Agency and National Cyber Security Centre to investigate a data breach reported by the Legal Aid Agency (LAA), which warned last week it had identified a "security incident."
The organisation, which provides legal aid in civil and criminal cases in England and Wales, said, "It is possible that financial information relating to legal aid providers may have been accessed by a third party."
The LAA said it could not confirm "what, if any, information was accessed", but said it was "possible that payment information may have been accessed." (Henry Vaughan / Sky News)
Related: Bleeping Computer
The US Cybersecurity & Infrastructure Security Agency (CISA) tagged a Langflow remote code execution vulnerability as actively exploited, urging organizations to apply security updates and mitigations as soon as possible.
The vulnerability is tracked as CVE-2025-3248 and is a critical unauthenticated RCE flaw that allows any attacker on the internet to take full control of vulnerable Langflow servers by exploiting an API endpoint flaw.
Langflow is an open-source visual programming tool for building LLM-powered workflows using LangChain components. It provides a drag-and-drop interface for creating, testing, and deploying AI agents or pipelines without writing full backend code.
The tool, which has nearly 60k stars and 6.3k forks on GitHub, is used by AI developers, researchers, and startups for prototyping chatbots, data pipelines, agent systems, and AI applications.
Langflow exposes an endpoint (/api/v1/validate/code) designed to validate user-submitted code. In vulnerable versions, this endpoint does not safely sandbox or sanitize the input, allowing an attacker to send malicious code to that endpoint and execute it directly on the server.
CISA has given federal agencies until May 26, 2025, to apply the security update or mitigations or stop using the software. (Bill Toulas / Bleeping Computer)
Related: CISA, GitHub, Heise Online, CSO Online, SC Media, GBHackers, Dark Reading, Security Affairs
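The item above names the endpoint at the center of CVE-2025-3248, /api/v1/validate/code, and notes that vulnerable versions run submitted code without sandboxing. A defender's first question is whether that endpoint has been reached at all, and from where. The script below is an added example, not code from the article, from CISA or from the Langflow project: it parses constructed reverse-proxy access-log lines in combined log format, flags POST requests to the endpoint, and rates each hit by whether the client address falls inside networks assumed to be the only legitimate users of the Langflow UI. The trusted ranges, the log format and the sample lines are all assumptions made for the example.

```python
"""
Added example (not from the article or the Langflow project): triage a
web-server access log for requests to Langflow's code-validation
endpoint so that out-of-policy callers stand out for investigation.
"""
import ipaddress
import re
from collections import Counter

# Endpoint named in the article as the one affected by CVE-2025-3248.
VALIDATE_CODE_PATH = "/api/v1/validate/code"

# Assumption for this example: the Langflow UI is only used from these
# internal ranges; anything else calling the endpoint is suspicious.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Combined log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_trusted(ip):
    """True if the client address lies inside an assumed-trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Return every POST to the validate endpoint, tagged with a severity."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash mid-log
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path != VALIDATE_CODE_PATH or rec["method"] != "POST":
            continue
        severity = "info" if is_trusted(rec["ip"]) else "high"
        findings.append({**rec, "severity": severity})
    return findings


def summarize(findings):
    """Count hits per (client ip, severity) so repeat callers are obvious."""
    return Counter((f["ip"], f["severity"]) for f in findings)


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [06/May/2025:10:00:01 +0000] "GET /api/v1/flows HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.2.3 - - [06/May/2025:10:00:05 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [06/May/2025:10:01:10 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 64 "-" "python-requests/2.31"
203.0.113.7 - - [06/May/2025:10:01:11 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.9 - - [06/May/2025:10:02:00 +0000] "GET /api/v1/validate/code HTTP/1.1" 405 0 "-" "curl/8.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f['severity']:5} {f['ip']:15} {f['ts']} "
              f"{f['method']} {f['path']} {f['status']}")
    print(summarize(hits))
```

Because the article describes the flaw as unauthenticated, a hit from an untrusted address is worth investigating regardless of the response code; a 200 from an unknown client after the patch deadline is the line a responder would chase first. The log review only tells you whether the endpoint was reached, not whether execution succeeded, so it complements rather than replaces applying the update or mitigations CISA calls for.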
US House appropriators challenged proposed budget cuts for the Cybersecurity and Infrastructure Security Agency (CISA), with Democrats saying the Trump administration was disturbingly moving money away from the agency and a key Republican saying he needed to see justifications for the reductions.
The Trump administration has proposed cutting CISA funding by $491 million, and some members of a House Appropriations subcommittee raised doubts about that idea during testimony from Department of Homeland Security Secretary Kristi Noem. Specific details for those budget cuts weren’t released in the so-called “skinny budget” last week.
Rep. Mark Amodei (R-NV) said at the end of the hearing, “When somebody says, ‘Hey, you guys presided over cutting half a billion dollars to do other stuff, what was that based on?’ We don’t want to be in the position of, and won’t be in the position of, ‘That’s what they said we needed.’ We need some building blocks. What’s the plan for us to be kicking China’s butt, and how we’re still OK on that civilian sector stuff?”
The top Democrat on Amodei’s panel, Rep. Lauren Underwood (D-IL), decried DHS for “moving money away from CISA,” as she said to Noem.
“Last week you said we should ‘just wait’ for the president’s grand cyber plan,” Underwood said. “But you have not waited to erode the department’s cyber defense capabilities by removing resources and personnel from CISA and other components.”
Noem said the president’s cyber plan would be “coming out shortly and that’s the president’s prerogative.” (Tim Starks / Cyberscoop)
Related: Homeland Security, The Record, Federal News Network
Donald Trump escalated the federal attempt to upend Colorado’s prosecution of former Mesa County Clerk Tina Peters.
“Tina is an innocent Political Prisoner being horribly and unjustly punished in the form of Cruel and Unusual Punishment,” he wrote.
In the post, Trump directed the US Department of Justice to “take all necessary action to help secure the release of former Mesa County clerk Tina Peters,” referring to her as a hostage that was “being held in a Colorado prison by the Democrats, for political reasons.”
Last August, Peters was found guilty by a jury of Mesa County residents on seven counts, including four felonies, after she helped facilitate unauthorized access to county voting equipment that she was supposed to safeguard in search of voter fraud. Despite years of investigation and attention from election conspiracy groups, neither her supporters nor her legal defense has ever shown that the machines were involved in any election manipulation. (Bente Birkeland and Tom Hesse / Colorado Public Radio)
Related: Cyberscoop, The Hill, Ars Technica, MSNBC, Newsweek, Democracy Docket, Colorado Politics
According to Amazon's inaugural AWS Generative AI Adoption Index, generative AI will surpass cybersecurity in many corporate tech budgets this year, with 45% of global IT leaders naming it their top spending priority for 2025.
Rahul Pathak, AWS VP of Data & AI Go-to-Market said he interpreted the finding not as a sign that organizations view AI as more important than security, but as an indication of AI’s growing impact on business. He noted that security is also a top concern within AI projects, including data protection and responsible AI use.
The study, conducted by Access Partnership, is based on a global survey of 3,739 senior IT decision-makers across nine countries, including the US, UK, Germany, Japan, and India.
The study found that 90% of organizations already use generative AI tools in some capacity, with nearly half moving beyond experimentation to full integration. (Todd Bishop / GeekWire)
Related: About Amazon, VentureBeat
CrowdStrike said it will cut about 500 jobs, or 5% of its global workforce, as part of a plan to improve business efficiencies.
The cybersecurity company said Wednesday that it intends to cut positions in some areas of the business while continuing to hire customer-facing and product-engineering roles.
“These changes position us to move faster, operate more efficiently, and continue our cybersecurity leadership,” Chief Executive George Kurtz said in a letter to employees.
CrowdStrike said it would start meeting with affected employees over the next day and that company offices would be closed on Wednesday and Thursday. Staff have been asked to work from home on those days, and anyone already in the office has been instructed to head home for the day. (Dean Seal / The Wall Street Journal)
Related: Reuters, Barron's Online
Best Thing of the Day: Diversity is Strength
At CYBERUK 2025, NCSC CEO Dr Richard Horne said that a cybersecurity workforce requires diversity, something the industry has not been a beacon of in the past.
Worst Thing of the Day: Wrecking American Jewels of Science, Part 13
Top cybersecurity staffers at the National Institute of Standards and Technology (NIST) are leaving the agency as part of the Trump administration’s downsizing operation.
Bonus Worst Thing of the Day: The 'But Her Emails' Crowd Will Surely Be P*ssed, Right?
Tulsi Gabbard, director of national intelligence, used the same easily cracked password for different online accounts over a period of years, even when she served on the Armed Services Committee, its Subcommittee on Intelligence and Special Operations, and the Foreign Affairs Committee.
Closing Thought
