[marcan_42]

I assume they have iMessage metadata on what accounts the NSO accounts talked to. The contents are E2E encrypted, but unless they have explicitly promised not to keep logs, they probably have the metadata logged.

[gjsman-1000]

Apple claims in their lawsuit that they have over 100 false iCloud accounts that were created, and is confident in their identities to the degree they are going to use them for standing to prove that NSO signed a legal agreement in the lawsuit.

In which case, NSO f!@#ed up and left iCloud Messages Backup enabled, which stores unencrypted copies of the End-to-End messages and makes it trivial for Apple to alert any person that these accounts messaged to. That's one possibility.

[smoldesu]

Because the NSO group definitely used iMessage to communicate with one another...

[HatchedLake721]

Not with one another. With targets

[TheGeminon]

This is more likely targeting phishing messages coming from NSO Group to victims, rather than communication between NSO members.

[kristofferR]

Not even phishing, NSO had a zero-click iMessage exploit (so they could just send a message to their victims and then hack their iPhones remotely).