At least 100 of the 1,223 persons targeted using Israeli spyware Pegasus in a 2019 WhatsApp hacking campaign were located in India, Medianama reported on Thursday, citing a new legal filing in a United States court.

The legal filing published on April 4 was part of the court exhibits in a lawsuit filed by WhatsApp against Israeli NSO Group Technologies, which makes Pegasus.

WhatsApp, owned by US-based technology company Meta, has been locked in a legal battle with the Israeli cyber intelligence company since 2019. The messaging platform has alleged that the NSO Group’s spyware had been used against 1,400 users of the application over a two-week period in April 2019 and May 2019.

On December 20, a US district court ruled that NSO Group was liable for unauthorised surveillance of the 1,400 WhatsApp accounts using its spyware Pegasus in 2019.

The damages owed by the NSO Group to WhatsApp will reportedly be determined in a separate trial.

During the hearings, WhatsApp had listed the number of persons who were targeted using Pegasus by country over the two-week period. The users were spread across 51 countries.

Mexico topped the list with 456 persons being targeted. This was followed by India (100), Bahrain (82), Morocco (69), Pakistan (58), Indonesia (54) and Israel (51).

Twenty-six persons were targeted in Turkey, 21 in Spain and seven in France, according to the list. At least one person in the US was targeted, alongside two in Canada and the United Kingdom.

The identities of persons targeted in the 2019 WhatsApp hacking campaign were unclear.

Israeli technology news website CTech quoted the NSO Group as saying that the list “is an interpretation of information taken out of context, alongside half-truths and one-sided claims by Meta — claims that have already been refuted and will continue to be refuted” in the legal process.

“For example, the fact that the phone of a suspect in a crime or terrorist activity is identified in a certain territory does not indicate the identity of the customer,” the firm said.

When added to an electronic device, the Pegasus software can generally gain access to phone calls, emails, location information, encrypted messages and photographs without the user’s knowledge.

In July 2021, an investigation by a group of 17 media organisations and human rights group Amnesty International showed that Pegasus was being used for the unauthorised surveillance of journalists, activists and politicians across the world, including in India.

The spyware is licensed to governments around the world by the NSO Group. The cyber intelligence company says it sells the Pegasus software only to “vetted governments” with good human rights records and that it is intended to target criminals.

In India, Congress leader Rahul Gandhi, former Election Commissioner Ashok Lavasa, Union ministers Ashwini Vaishnaw and Prahlad Singh Patel, industrialist Anil Ambani and former Central Bureau of Investigation Director Alok Verma were among the potential targets, The Wire had reported.

The Indian government had denied these allegations. Vaishnaw, the Union information technology minister, told Parliament in July 2021 that illegal surveillance was not possible in India.

Following the reports, the Supreme Court appointed an expert committee to look into the allegations. In August 2022, the court said that some malware was found on five of the 29 phones that the panel examined. However, it was not clear whether the malware was Pegasus.

The judges also took note of a finding by the panel that the Union government did not cooperate with the inquiry.

The US government blacklisted the NSO Group in November 2021 after it determined that the company had acted “contrary to the foreign policy and national security interests of the US”.

WhatsApp hacking case

In its December judgement, Judge Phyllis Hamilton of the US District Court for the Northern District of California said that NSO Group violated sections of the Computer Fraud and Abuse Act and the California Computer Data Access and Fraud Act.

The Computer Fraud and Abuse Act is a federal legislation that criminalises unauthorised access to computers, networks and other digital information. The California Computer Data Access and Fraud Act is the state equivalent of the same law.

Hamilton also said that the Israeli firm violated WhatsApp’s terms of service.

In March 2024, Hamilton ordered the Israeli firm to hand over the code of Pegasus and its other spyware products to WhatsApp as part of the legal proceeding.

The judge said in December that the NSO Group had dragged its feet throughout the litigation and noted that the company repeatedly failed to comply with the court’s orders, The Guardian reported.

The Israeli firm made its code for its spyware available to view only in Israel by an Israeli citizen even though the lawsuit was filed in California, Hamilton said in her ruling, adding that this was “simply impracticable”.

The Israeli firm made its code for its spyware available to view only in Israel by an Israeli citizen even though the lawsuit was filed in California, Hamilton said in her ruling, adding that this was “simply impracticable”.