Journalists Hacked with Paragon Spyware - Research Confirms

June 12, 2025

Journalists Hacked with Israeli Spyware: New Evidence Emerges

Recent investigations have confirmed that two European journalists were compromised with government spyware developed by the Israeli surveillance technology firm Paragon.

Details of the Investigation

The Citizen Lab, a digital rights group, released a report on Thursday detailing forensic analysis of the iPhones belonging to Italian journalist Ciro Pellegrino and another unnamed journalist from Europe. The research indicates both individuals were targeted by the same client of Paragon.

Before this report, there was no indication that Pellegrino, a journalist with Fanpage, had been targeted or successfully hacked using Paragon spyware. He received a notification from Apple in late April regarding a mercenary spyware attack, but Paragon was not specifically identified, nor was infection confirmed.

Expanding Spyware Concerns

This confirmation of the first known Paragon infections significantly expands an ongoing scandal. The focus currently centers on the potential misuse of spyware by the Italian government, though the scope could broaden to encompass other European nations.

These findings follow WhatsApp’s earlier notification to approximately 90 users across more than two dozen countries, including journalists, about being targeted with Paragon’s Graphite spyware. Several Italians were among those notified, including Pellegrino’s colleague, Francesco Cancellato, and individuals involved in migrant sea rescue operations.

Contradictory Reports from Italy

Italy’s COPASIR, the parliamentary committee overseeing intelligence agencies, recently published a report stating no evidence supported claims that Cancellato was spied upon. The report acknowledged that Italy’s intelligence agencies, AISI and AISE, were Paragon customers, but made no mention of Pellegrino’s case.

The Citizen Lab’s report challenges the conclusions reached by COPASIR.

Questions for the Italian Government

“Just a week ago, it appeared Italy was resolving this issue,” stated John Scott-Railton, a senior researcher at The Citizen Lab. “Now, they must address new forensic evidence.” He emphasized the need to determine who authorized the hacking of Italian journalists with Paragon spyware.

Scott-Railton believes the Italian government possesses the information necessary to provide definitive answers regarding the use of Paragon spyware, particularly concerning Pellegrino’s situation.

Journalist's Response

Pellegrino expressed his belief that his civil rights were violated.

“As a journalist since 2005, and knowing Prime Minister Meloni also has a journalistic background (since 2006), I question her concern for the rights of professionals like myself,” Pellegrino stated. “Why has she remained silent regarding the surveillance of journalists?”

Following Cancellato’s disclosure of being targeted, the Italian government issued a statement denying involvement in the targeting of journalists or human rights activists.

Potential Targeting Cluster

The fact that both Cancellato and Pellegrino are employed by the same news organization suggests they may represent a targeted “cluster,” according to the Citizen Lab report.

Pellegrino clarified that he was not involved in Fanpage’s investigation into “Gioventù Meloniana,” a group associated with Meloni’s Fratelli d’Italia party, which uncovered fascist sympathies among some members. He also stated he has not worked on any investigations related to immigration.

“It’s conceivable that someone sought to obtain information about Fanpage by compromising my smartphone,” Pellegrino suggested.

Lack of Response and Further Investigation

The Italian government did not respond to TechCrunch’s request for comment.

A COPASIR spokesperson directed TechCrunch to their previously published report, specifically referencing a section that reserves the right to conduct further investigations, including those related to the alleged mobile intrusions disclosed by two other journalists in recent weeks.

Monica Macchioni, another Italian journalist, reported receiving a similar notification from Apple in early May, and is likely the second journalist referenced by COPASIR.

Paragon's Stance

Emily Horne, representing WestExec Advisors, stated that Paragon would have no new information beyond their previous statement to Israeli newspaper Haaretz. Paragon had offered assistance to the Italian government in investigating Cancellato’s alleged hack, but the offer was declined, leading to the company severing ties with Italy.

  • Key Players: Paragon, The Citizen Lab, Ciro Pellegrino, Francesco Cancellato, COPASIR, Italian Government
  • Spyware: Graphite

Newly Discovered Forensic Data Surfaces

A leading European journalist received an alert from Apple on April 29, 2025, the same notification Pellegrino received and on the same date, as detailed by The Citizen Lab. The lab’s researchers analyzed the journalist’s devices and found an infection with Graphite.

This determination was based on forensic evidence indicating communication between the spyware and a server previously identified with strong certainty as belonging to Paragon’s infrastructure.

Details of the Attack

Citizen Lab’s investigation concluded that the journalist was compromised through a highly sophisticated, zero-click attack delivered via iMessage. Researchers identified a specific iMessage account present in the device logs coinciding with communication to the Paragon server.

Zero-click exploits represent a particularly potent threat, as they necessitate no action on the part of the intended target. In this instance, The Citizen Lab posits that the attack remained entirely imperceptible to the victim.

Apple informed The Citizen Lab that the attack vector used in these cases was neutralized with the release of iOS 18.3.1 on February 10, 2025. That release came approximately two weeks after WhatsApp notified targets about Paragon spyware.

Apple did not respond to TechCrunch’s request for comment before publication.

Connection to Pellegrino’s Case

The same iMessage account was also detected in the iPhone logs of Pellegrino, according to The Citizen Lab. Considering the typical practice of each government client maintaining a distinct spyware infrastructure, researchers believe Pellegrino and the journalist were likely targeted by the same Paragon operative.

The journalist’s iPhone was compromised during January and early February, as reported by The Citizen Lab.

COPASIR’s report indicates that Paragon and its Italian intelligence clients deactivated the company’s surveillance systems on February 14, 2025. This means that the Italian intelligence agencies, AISE and AISI, were still actively employing Paragon’s spyware when the European journalist experienced the hack.

Currently, The Citizen Lab has not formally attributed the attacks on Pellegrino and the unnamed journalist to any specific government entity.

Challenges in Attribution

The Citizen Lab acknowledges the possibility that individuals notified by WhatsApp of potential Graphite targeting may have also been infected. However, confirming this is proving difficult.

Limited logging capabilities on Android devices, coupled with Paragon’s apparent efforts to erase infection traces, present significant obstacles to conclusive verification.

Additional Individuals Affected by Graphite Spyware

Beyond Pellegrino and the journalists previously identified, two further individuals have been verified as targets of Paragon’s spyware. These are Luca Casarini and Beppe Caccia, both associated with Mediterranea Saving Humans, an Italian nonprofit dedicated to rescuing migrants attempting the Mediterranean Sea crossing.

Device analysis conducted by the Citizen Lab substantiated these infections. The COPASIR committee’s report also affirmed that both individuals were subjected to surveillance by Italian intelligence services.

Several other individuals have reported receiving alerts indicating potential targeting. However, the details of these cases remain unclear.

David Yambio, a Sudanese national and the president and co-founder of Refugees in Libya – an Italian-based nonprofit focused on immigration – received a notification from Apple. Subsequent analysis by The Citizen Lab revealed indications of a spyware infection, though a definitive attribution to a specific spyware vendor or government agency could not be established.

COPASIR stated that Yambio was legitimately targeted by Italian intelligence, but not with Graphite. The committee clarified that surveillance of Yambio was authorized by judicial authorities in connection with a criminal inquiry.

Yambio’s phone was officially registered to Mattia Ferrari, a priest who actively collaborates with Mediterranea.

Ferrari himself also received a spyware notification via WhatsApp. However, COPASIR indicated that no evidence supports his targeting with Graphite.

Scott-Railton indicated that ongoing forensic and technical analyses by The Citizen Lab are being performed on all reported cases, including that of Cancellato.

This article was updated on Thursday to include a response from COPASIR and to provide clarification regarding the second journalist referenced by the committee.
