The governments of Mexico, Saudi Arabia, and Uzbekistan, among others, were behind the 2019 hacking campaign that targeted more than 1,200 WhatsApp users with NSO Group’s Pegasus spyware, according to a lawyer working for the Israeli spyware maker.

During a hearing in the lawsuit between WhatsApp and NSO Group last Thursday, NSO Group’s lawyer Joe Akrotirianakis specifically named the three governments as the spyware-using customers, according to a transcript of the hearing obtained by TechCrunch this week.

This is the first time that representatives for NSO Group have publicly confirmed who the spyware maker’s customers are (or were), after years of refusing to acknowledge or discuss its clientele, arguing that it was “unable” to do so, an NSO Group spokesperson told TechCrunch in 2023, for example. 

The revelation comes as part of a lawsuit brought by Meta-owned WhatsApp in 2019, which accused NSO Group of hacking around 1,400 WhatsApp users by exploiting a vulnerability in the messaging app’s systems between around April and May that same year.

The content of last week’s hearing was first reported by Courthouse News Service.

In the lawsuit’s complaint, WhatsApp claimed that there were more than 100 targeted victims who work as human rights activists, journalists, and “other members of civil society.” Citizen Lab, a digital rights group that has investigated government spyware abuses for more than a decade, said in a report at the time that it helped WhatsApp identify those victims.  

Last week, NSO Group’s lawyer Akrotirianakis told the judge that, “there’s at least eight customers whose names are part of the discovery in this case,” but only named three during the hearing. 

At the same time, the lawyer also hinted that a list of countries included in a court document unsealed last week, which shows in what countries 1,223 victims of the 2019 spyware campaign were located, is also a list containing NSO Group customers. 

“Pegasus was licensed for territories and it can only be used in those territories,” said Akrotirianakis, referring to NSO Group’s marquee spyware. 

Apart from Mexico and Uzbekistan, the list of 51 countries includes Bahrain, India, Morocco, Spain, United Kingdom, and the United States. Saudi Arabia, which was mentioned by NSO Group’s lawyer in the hearing, however, does not appear in the list. 

This could be explained by the fact that some NSO Group’s customers can target individuals outside of their own territory. For example, in 2017, Citizen Lab reported that there was “circumstantial evidence” to suggest that one or more of NSO Group’s government customers in Mexico targeted several individuals, including the child of a well known Mexican journalist, who was inside the United States at the time he was targeted. 

Reached by TechCrunch, NSO Group spokesperson Gil Lainer declined to comment. When asked, Lainer did not dispute that Mexico, Saudi Arabia and Uzbekistan were three company customers at the time of the WhatsApp spyware campaign.

WhatsApp’s spokesperson Zade Alsaway told TechCrunch that the company is looking forward “to the upcoming trial to determine damages, and securing an injunction against NSO to protect WhatsApp and people’s private communication.”

On Tuesday, in a pre-trial order, the judge presiding over the lawsuit said that while NSO Group said that documents provided as part of the lawsuit identify “at least four countries as NSO customers,” the company has not confirmed that those countries are its customers. 

“The evidentiary record is opaque as to which of [NSO’s] clients were responsible for the attacks at issue, and thus [WhatsApp] were unable to discover evidence about whether screening procedures were followed with respect to those clients,” wrote the judge. “Moreover, to the extent that the parties discuss facts regarding clients who were found to have misused Pegasus, those facts appear to have come from media reports, rather than from defendants.”

For years, organizations like Citizen Lab and Amnesty International have documented cases where Pegasus was used to target or hack journalists, dissidents, and human rights defenders in some of the countries mentioned in the victim list, such as Mexico, Hungary, Spain, and the United Arab Emirates, among several others.

TechCrunch reached out for comment to the embassies of Mexico, Saudi Arabia, and Uzbekistan in the U.S. and will update the story if we receive a response.