Two European journalists have been hacked utilizing authorities spyware and adware made by Israeli surveillance tech supplier Paragon, new analysis has confirmed.
On Thursday, digital rights group The Citizen Lab revealed a brand new report detailing the outcomes of a brand new forensic investigation into the iPhones of Italian journalist Ciro Pellegrino and an unnamed “outstanding” European journalist. The researchers mentioned each journalists have been hacked by the identical Paragon buyer, primarily based on proof discovered on the 2 journalists’ units.
Till now, there was no proof that Pellegrino, who works for on-line information web site Fanpage, had been both focused or hacked with Paragon spyware and adware. When he was alerted by Apple on the finish of April, the notification referred to a mercenary spyware and adware assault, however didn’t particularly point out Paragon, nor whether or not his telephone had been contaminated with the spyware and adware.
The affirmation of the first-ever identified Paragon infections additional deepens an ongoing spyware and adware scandal that, for now, seems to be principally centered on using spyware and adware by the Italian authorities, however might develop to incorporate different international locations in Europe.
These new revelations come months after WhatsApp first notified round 90 of its customers in over two dozen international locations in Europe and past, together with journalists, that that they had been focused with Paragon spyware and adware, referred to as Graphite. Amongst these focused have been a number of Italians, together with Pellegrino’s colleague and Fanpage director Francesco Cancellato, in addition to non-profit staff who assist to rescue migrants at sea.
Final week, Italy’s parliamentary committee referred to as COPASIR, which oversees the nation’s intelligence companies’ actions, revealed a report that mentioned it discovered no proof that Cancellato was spied on. The report, which confirmed that Italy’s inner and exterior intelligence companies AISI and AISE have been Paragon clients, made no point out of Pellegrino.
Citizen Lab’s new report places into query COPASIR’s conclusions.
“Every week in the past it appeared like Italy was placing this scandal to mattress. Now they’ll should reckon with new forensic proof,” John Scott-Railton, a senior researcher at The Citizen Lab, informed information.killnetswitch forward of the report’s publication. “Ciro’s case provides to the large and politically tough query: who has been hacking Italian journalists with Paragon spyware and adware? This thriller wants a solution.”
Scott-Railton mentioned the Citizen Lab believes that the Italian authorities is able to definitively reply questions on what was performed with their use of Paragon spyware and adware, significantly concerning Ciro’s case.
Pellegrino informed information.killnetswitch that he believes that his civil rights have been “trampled upon.”
“I perceive that Prime Minister Meloni is knowledgeable journalist like me (I’ve been a journalist since 2005, she has since 2006),” Pellegrino informed information.killnetswitch. “Does she care concerning the rights of this sort of staff? Why has she not spent a single phrase in solidarity with the journalists who’ve been spied on?”
Contact Us
Do you may have extra details about Paragon, and this spyware and adware marketing campaign? From a non-work gadget, you possibly can contact Lorenzo Franceschi-Bicchierai securely on Sign at +1 917 257 1382, or through Telegram and Keybase @lorenzofb, or e-mail. You can also contact information.killnetswitch through SecureDrop.
After Cancellato revealed he had been focused with spyware and adware, the Italian authorities revealed a press launch denying it was behind the focusing on of any journalist or human rights activists.
The truth that each Cancellato and Pellegrino work for a similar outlet suggests they might be a part of a “cluster” of targets, in accordance with the Citizen Lab report.
Pellegrino mentioned that he didn’t work on the blockbuster Fanpage investigation into the “Gioventù Meloniana,” a gaggle a part of Meloni’s Fratelli d’Italia get together, which revealed that a few of its members sympathize with fascism. Pellegrino, who’s the top of Fanpage’s Naples bureau, additionally mentioned he hasn’t labored on any investigation about immigration.
“It’s doable that somebody hoped to realize details about Fanpage by hacking my smartphone,” mentioned Pellegrino.
information.killnetswitch reached out to the press workplace of the COPASIR; the parliament press workplace of the Partito Democratico (Democratic Get together), whose member Lorenzo Guerini heads COPASIR; and the Italian authorities. None of them responded to our requests for remark.
Referring to an e-mail information.killnetswitch despatched to Paragon and its govt chairman John Fleming, Emily Horne, who works for WestExec Advisors, mentioned the spyware and adware maker “gained’t have something new on this,” aside from what the corporate mentioned earlier this week. On the time, Paragon informed Israeli newspaper Haaretz that it supplied the Italian authorities assist to research Cancellato’s alleged hack, however the authorities refused — and that’s why the corporate minimize ties with Italy.
New forensic proof emerges
On April 29, 2025, the outstanding European journalist acquired a notification from Apple, the identical notification that Pellegrino acquired and on the identical day, in accordance with Citizen Lab. The lab’s researchers analyzed the unnamed journalist’s units and located that one in every of them was contaminated with Graphite, primarily based on forensic proof exhibiting that the spyware and adware communicated with a server that the researchers had beforehand established with “excessive confidence” was a part of Paragon’s infrastructure.
Citizen Lab mentioned the journalist was hacked with “a complicated zero-click assault towards the gadget through iMessage,” primarily based on the researchers discovering a particular iMessage account “current within the gadget logs across the identical time because the telephone was speaking with the Paragon server.”
Zero-click hacks are a number of the handiest assaults on condition that, because the title suggests, they require no interplay from the goal. And on this case, Citizen Lab mentioned it believed the assault was invisible to the sufferer.
In accordance with the report, Apple informed Citizen Lab that “the assault deployed in these instances was mitigated in iOS 18.3.1,” which was launched on February 10, 2025, some two weeks after WhatsApp notified the targets of Paragon spyware and adware.
Apple didn’t reply to information.killnetswitch’s request for remark previous to publication.
Within the case of Pellegrino, Citizen Lab mentioned it discovered the identical iMessage account on his iPhone’s logs. On condition that it’s typical for every authorities buyer to have its personal spyware and adware infrastructure, Citizen Lab mentioned it believed Pellegrino and the unnamed journalist have been probably focused by the identical Paragon operator.
The unnamed journalist’s iPhone was contaminated in January and early February, mentioned Citizen Lab.
In accordance with COPASIR’s report, Paragon and its Italian intelligence clients suspended the corporate’s surveillance techniques on February 14, 2025, which signifies that the spy companies AISE and AISI have been nonetheless utilizing Paragon’s spyware and adware when the outstanding European journalist was hacked.
For now, Citizen Lab has not attributed Pellegrino’s and the opposite unnamed European journalist’s hacks to any authorities.
Citizen Lab famous within the report that it’s doable a number of the individuals who have been notified of getting been focused with Graphite by WhatsApp can also have been contaminated, however, on account of the truth that Android has restricted logs, in addition to “efforts by Paragon to delete traces of the an infection,” it could be not possible to substantiate that.
Different Graphite victims recognized
Other than Pellegrino and the unnamed journalists, two different folks have to this point been confirmed to have been focused with Paragon’s spyware and adware: Luca Casarini and Beppe Caccia, who each work for the Italian non-profit Mediterranea Saving People, which rescues immigrants who attempt to cross the Mediterranean Sea. Citizen Lab confirmed each have been contaminated after analyzing their units. In its report, COPASIR confirmed the 2 have been surveilled by Italian spy companies.
There are different individuals who have mentioned they acquired notifications of getting been focused. Their instances, nevertheless, are nonetheless considerably unclear.
David Yambio, a Sudanese citizen and president and co-founder of Refugees in Libya, a non-profit group lively in Italy that works on immigration points, acquired a notification from Apple. After analyzing his gadget, Citizen Lab mentioned it discovered traces of a spyware and adware an infection, however couldn’t hyperlink the compromise to a specific spyware and adware maker nor any authorities.
COPASIR mentioned Yambio was lawfully focused by Italian intelligence companies, however not with Graphite. COPASIR added that Yambio was beneath surveillance by the nation’s judicial authorities for a legal investigation. Yambio’s telephone was registered to Mattia Ferrari, a priest who collaborates with Mediterranea.
Ferrari additionally acquired the spyware and adware notification from WhatsApp. COPASIR, nevertheless, mentioned it discovered no proof he was focused with Graphite.
Scott-Railton mentioned that Citizen Lab forensic and technical analyses are ongoing on all instances, together with Cancellato.