Paragon spyware activity found on more journalists’ devices

Two more European journalists’ mobile devices are confirmed to have been targeted — one successfully — with Paragon spyware, the latest development in a broadening scandal involving the use of the company’s powerful surveillance technology to snoop on members of civil society on the continent.

Digital forensics research institute the Citizen Lab reported Thursday morning that the journalists were part of a larger group notified in late April by Apple about possible “mercenary spyware” attacks. The researchers document what is believed to be the first known infection of an Apple device with Graphite, a Paragon product.

The latest targets are a “prominent” European journalist who wishes to stay anonymous and Ciro Pellegrino, a colleague of a previously identified Paragon spyware target, Francesco Cancellato, the Citizen Lab said. 

Both Pellegrino and Cancellato work at the Italian news outlet Fanpage, which published an investigation documenting ties between Italy’s Prime Minister Giorgia Meloni and young fascists last June.

A spokesperson for Israel-based Paragon responded to a request for comment by pointing to a previous statement revealing that it has ended its contract with Italy. Citizen Lab says it made Paragon aware of its findings Tuesday. 

Spokespersons for the Italian Parliament and the prime minister’s office did not respond to requests for comment.

Graphite games

The latest news comes after Paragon publicly cut ties with the Italian government on Monday, four days after a Parliament committee investigating the government’s alleged use of the company’s spyware said it could find no evidence that Cancellato’s phone was targeted. 

The investigating committee and the Italian government at large refused to let Paragon verify the committee’s claims, Haaretz reported Monday. A Paragon spokesperson subsequently confirmed that reporting.

The committee’s report omitted the fact that Paragon had asked to do its own investigation to determine if its product had been used to attack Cancellato’s device.

The Italian government has steadfastly denied using spyware to target Cancellato.

The scandal began in January when WhatsApp accused Paragon of targeting about 90 of its users with its Graphite spyware. The Meta-owned messaging platform said at the time that it had blocked the attack vector. Cancellato has said he was among the victims.

While the Citizen Lab has to date been unable to confirm Graphite targeted Cancellato’s phone, the unnamed prominent European journalist and Pellegrino’s devices have been confirmed “with high confidence” to have been targeted with Graphite, according to the new report. 

The unnamed journalist’s phone was actively communicating with a server that the Citizen Lab has previously attributed to Paragon, the institute’s report said. Digital forensic researchers there also found an iMessage account in the device’s logs “around the same time as the phone was communicating with the Paragon server,” the report says.

The Citizen Lab then zeroed-in on the iMessage account and determined it was the attack vector.

The same iMessage account also showed up on Pellegrino’s phone, the researchers said, leading them there to believe the same attacker targeted both journalists.

“It is standard for each customer of a mercenary spyware company to have its own dedicated infrastructure,” the report says.

The spyware deployed through the iMessage accounts was a “sophisticated” zero-click attack, Citizen Lab says. Zero-click attacks allow spyware to be embedded into mobile devices silently, with no interaction from the victims.

“Spyware like Paragon’s Graphite is hard to catch, but not impossible,” Bill Marczak, who co-authored the new report, said via text. “Claims that any spyware is ‘stealth’ or ‘untraceable’ melt away under close scrutiny.”

Apple mitigated the exploit — tracked as CVE-2025-43200 — as of iOS version 18.3.1, Citizen Lab said. 

One of the two journalist’s devices was compromised in January and early February while running iOS 18.2.1, the report said. It did not say when the other journalist’s phone was attacked or which journalist’s attack occurred in January and February.

Pellegrino revealed in April that he had received an Apple threat notification about spyware targeting but at the time had few details, including whether the spyware used to attack his phone was made by Paragon.

He published a column describing his reaction to receiving the threat notification, saying that he shushed his wife and put his phone in their microwave before telling her of it.

‘Something bigger than me’

Pellegrino is less afraid now than he was when he first received the notification, he told Recorded Future News by text on Thursday. He said that is because he has realized that “this is something much bigger than me and that it will probably concern other Italian journalists too.” 

He said he believes Fanpage as a whole has been specifically targeted.

“I don’t like conspiracies, but there are two Italian journalists from the same newspaper in the same condition,” he said. “It can’t be a coincidence."

Pellgrino said he doesn’t know if the Italian government is behind the attacks.

However, he said, he knows that “up to now the Italian government has done NOTHING to help us discover the truth.” 

The Italian Parliament’s investigation report, released June 5 by Italy’s Parliamentary Committee for the Security of the Republic (COPASIR), acknowledged that the country’s  intelligence agencies deployed Graphite on phones belonging to pro-immigration activists, claiming spying on them was lawful due to their role in fueling illegal immigration.

The government’s refusal to let Paragon verify it did not target Cancellato’s device led to the unprecedented public disclosure from a spyware company that it had decided to terminate its work with a customer.

From there the public spat between the spyware firm and its former client accelerated as Italy’s ANSA news service quoted unnamed sources saying the government’s breakup with Paragon was mutual. 

Several Italian news outlets also reported Monday that the Italian government’s Department of Information for Security (DIS), which manages Italy’s intelligence agencies, said it turned down Paragon’s offer to check Graphite system logs because they are “invasive practices, unverifiable in scope, results and method and, therefore, not compliant with national security requirements.”

Parliament then offered to release Paragon’s committee testimony, according to Citizen Lab, which cited Italian news reports.

Paragon was co-founded by former Israeli prime minister Ehud Barak alongside a former Israeli intelligence official and has sought to position itself as more responsible than peer companies like the NSO Group, the manufacturer of Pegasus, which also uses zero-click exploits.

Read more: Predator spotted in Mozambique for first time, another sign of the spyware’s availability