Facebook is usually on the receiving end of legal complaints, but late last month the social media company changed course, filing a civil complaint against NSO Group that alleged the Israeli cyber company hacked into its WhatsApp servers and tracked specific users.

The NSO Group is one of many companies that operate in the "gray market" of developing and selling hacking technology exclusively to various governments. Lawyers say civil suits against gray market cyber companies are unusual, and Facebook may run into jurisdictional issues, court splits and a host of other challenges that make prevailing against NSO uncertain.

Facebook filed its civil complaint against NSO Group in the U.S. District Court for the Northern District of California, alleging violations of the Computer Fraud and Abuse Act (CFAA) and California Comprehensive Computer Data Access and Fraud Act, as well as breach of contract violations. 

The company alleged NSO set up WhatsApp accounts; sent malicious code to activists, journalists, lawyers and others; and hacked into WhatsApp servers to track users' communications. Facebook didn't state the exact amount it seeks, but said its damages exceed $75,000.

To be sure, Facebook and even the government don't have a blueprint for successfully winning a hacking claim, especially against a corporate entity.

"What's unusual about this NSO and the other affiliated company [Q Cyber Technologies] named as defendants in the case … [is that] most hacking is obviously done by non-incorporated companies or corporations," said Howard Fischer, a Moses & Singer partner and former senior trial counsel at the U.S. Securities and Exchange Commission.

Still, winning a hacking case is challenging and not a sure thing. Peter Toren, a solo practitioner and former prosecutor with the criminal division of the U.S. Department of Justice, said Facebook's primary hurdles include tying the use of the tools to the alleged harm, which NSO Group denied in May.

Secondly, Facebook would need to prove the defendant's actions under the CFAA, which Toren noted hasn't kept up with the evolving cyberattacks faced in the 21st century.

"It's difficult at times to fit the defendants' alleged wrongdoing into the act," Toren said. "The last substantive amendment was 15 years ago, and it didn't really cover, perhaps, cases like this."

He noted that while many have argued Congress should update the law, there is an unresolved circuit split regarding how to define "exceeding authorized access" and "unauthorized computer access." Such uncertainty makes winning these types of cases less prevalent, Toren added.

Toren also noted NSO could raise an issue over jurisdiction by arguing the alleged violations weren't committed in the U.S. However, Fischer noted Facebook's complaint highlighted a jurisdictional "hook" that requires NSO—and any other user—to submit to U.S. jurisdiction when agreeing to WhatsApp's terms of service.

The road to prevailing in this lawsuit will also be expensive, lawyers said. Facebook will need to spend heavily for counsel and digital forensics, which puts the social media giant in an opportune position to fight the alleged violations.

"Very few companies have the technical and technological advancements of Facebook. Being able to figure this [alleged hacking] out is very difficult, and I think Facebook is perhaps uniquely positioned," Fischer said.

But while Facebook may have the technical and financial wherewithal to bring the litigation, it is unlikely to stop most "gray market" companies similar to NSO from creating hacks for government agencies.

"Unless these types of lawsuits become more prevalent and successful, the impact on the industry as a whole may be negligible," said Tampa, Florida-based criminal defense lawyer Ronald Frey.