Journalist Targeted with Pegasus Spyware via WhatsApp | Privacy Concerns

February 3, 2025
WhatsApp Alerts Journalist of Potential Spyware Attack

On Friday afternoon, at 2:48 p.m., Francesco Cancellato, while at his home in the Milan area, was alerted to a potential security breach via a notification on his mobile phone.

The message, originating from WhatsApp and reviewed by TechCrunch, stated: “In December, WhatsApp disrupted the operations of a spyware firm believed to have targeted your device. Investigations suggest you may have received a malicious file through WhatsApp, potentially leading to data access, including messages stored on the device.”

The notification further explained that WhatsApp had implemented measures to prevent similar attacks. However, it cautioned that the device’s operating system might still be vulnerable due to the initial spyware compromise.

First Publicly Identified Target

Cancellato is the first individual to publicly disclose receiving such a warning following revelations of a hacking campaign allegedly utilizing spyware developed by Paragon Solutions, as WhatsApp announced on Friday.

The campaign reportedly affected approximately 90 individuals globally, including journalists like Cancellato and members of civil society organizations, with a significant presence in Europe.

“I feel a sense of violation,” Cancellato shared with TechCrunch. Initially, he dismissed the message as a potential hoax or prank. “Journalists often consider the possibility of surveillance, but it’s often a personal apprehension. To be informed it’s actually happening is difficult to accept.”

He then acknowledged the message’s authenticity, prompting questions about the motive behind the targeting. “Why me? What information were they seeking?”

Concerns Over Data Compromise

“The primary concern is what data was accessed,” Cancellato continued. “My phone contains a comprehensive record of my life – vacations, relationships, family, banking details, and professional work.” He also questioned the identity of those responsible for the intrusion.

Cancellato serves as the director of Fanpage.it, an Italian news outlet recognized for its investigative reporting on sensitive topics such as corruption, organized crime, the Catholic Church, and the youth wing of Italy’s governing far-right party, led by Prime Minister Giorgia Meloni.

Undercover Investigation

Last year, Fanpage.it conducted an undercover investigation, deploying reporters to infiltrate “Gioventù Meloniana,” a group affiliated with Meloni’s Fratelli d’Italia party, which has been in power since 2022.

The investigation revealed video footage of party members expressing racist views towards Jewish and Black individuals, uttering racial slurs, and invoking fascist symbols and figures like Benito Mussolini.

Cancellato explained his decision to come forward publicly, citing his role as a journalist to report on newsworthy events. However, he refrained from speculating on the perpetrators, acknowledging the numerous unanswered questions surrounding the incident, including the success of the hacking attempt and the attackers’ objectives.

Paragon Solutions and Graphite

WhatsApp attributed the hacking campaign to Paragon Solutions, an Israeli firm specializing in government spyware. The company reportedly markets Graphite, a product designed to infiltrate encrypted messaging applications like WhatsApp and Signal, as reported by Forbes in 2021.

A WhatsApp spokesperson declined to confirm whether Cancellato was specifically targeted. However, a source familiar with the company informed The Guardian that Paragon Solutions serves 35 democratic governments.

Ynetnews, an Israeli news source, reported on Monday that Italy is among Paragon’s clientele.

Additional Target Identified

Also on Monday, The Guardian reported that Husam El Gomati, a Libyan activist based in Sweden, received a notification from WhatsApp indicating he was a target of the same hacking campaign.

El Gomati has been a vocal critic of Italy’s relationship with Libya, particularly a bilateral agreement aimed at curbing immigration across the Mediterranean Sea.

TechCrunch’s attempts to obtain a response from the Italian government’s press office and Fabrizio Alfano, Meloni’s press chief, via email and WhatsApp were unsuccessful.

Paragon’s Stance on Surveillance

Paragon Solutions positions itself as a responsible provider of surveillance technology. Its website states that the company “provides our customers with ethically based tools, teams, and insights to disrupt intractable threats.”

An anonymous source from Paragon Solutions told The New Yorker last year that a deal with U.S. Immigration and Customs Enforcement involved a vetting process ensuring the technology wouldn’t be used against American citizens, but allowed its use by the U.S. government.

In December 2024, Paragon Solutions was acquired by AE Industrial Partners, an American private equity firm.

Neither Paragon Solutions nor AE Industrial responded to requests for comment.

Seeking Expert Assistance

WhatsApp’s message to Cancellato recommended contacting Citizen Lab, a digital rights group at the University of Toronto renowned for its investigations into spyware abuse worldwide, including in Ethiopia, Mexico, Morocco, Saudi Arabia, and Spain.

Cancellato, who stated that he and Fanpage have contacted the authorities, confirmed he followed the recommendation. “It’s unusual for a journalist to be targeted in a Western democracy,” he remarked, adding that the compromised device was a company-issued phone, representing “an attack on Fanpage, not on me personally.”
