Paragon Spyware: Six Countries Identified as Potential Customers

Report Links Governments to Israeli Spyware Maker Paragon Solutions
A recent technical report from a leading digital security lab indicates that the governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are potential clients of Paragon Solutions, an Israeli spyware developer.
Citizen Lab Investigation Reveals Suspected Deployments
The Citizen Lab, a University of Toronto-based group specializing in spyware research, released a report on Wednesday identifying these six governments as having “suspected Paragon deployments.” The group has been investigating the global spyware industry for over a decade.
In late January, approximately 90 WhatsApp users were alerted to potential targeting by Paragon spyware, sparking a controversy, particularly in Italy where several of those affected reside.
Paragon's Claims of Responsible Practices
Paragon Solutions has consistently attempted to differentiate itself from competitors like NSO Group, whose spyware has faced accusations of misuse, by positioning itself as a more ethical vendor.
In 2021, a Paragon executive, speaking anonymously to Forbes, stated that the company would not serve authoritarian or undemocratic regimes.
Following the WhatsApp notifications, Paragon’s executive chairman, John Fleming, told TechCrunch that the company’s technology is licensed to a limited number of global democracies, primarily the United States and its allies, in an effort to reinforce its responsible vendor image.
Acquisition by AE Industrial Partners
Reports surfaced in late 2024 indicating that U.S. venture capital firm AE Industrial Partners had acquired Paragon for a minimum of $500 million.
Mapping Paragon's Infrastructure
Citizen Lab’s report details how its researchers mapped the server infrastructure that Paragon uses for its spyware, internally known as Graphite. The mapping began with information received from a confidential source.
Researchers developed several identifying characteristics to pinpoint Paragon servers and digital certificates. They discovered multiple IP addresses hosted by local telecommunications companies.
Citizen Lab believes these IP addresses belong to Paragon’s customers, based on certificate initials that correspond with the countries where the servers are located.
Operational Error Reveals Key Information
The researchers identified a digital certificate registered to Graphite, which Citizen Lab believes represents a significant oversight by the spyware vendor.
“Strong circumstantial evidence supports a link between Paragon and the infrastructure we mapped out,” the report states.
The infrastructure is connected to webpages labeled “Paragon” hosted on IP addresses in Israel, Paragon’s base of operations, and a TLS certificate listing “Graphite” as the organization name.
Potential Customers Identified
Citizen Lab identified additional codenames, suggesting further potential governmental clients of Paragon. Specifically, Canada’s Ontario Provincial Police (OPP) is strongly suspected to be a customer, as one of the IP addresses linked to the suspected Canadian deployment is directly associated with the OPP.
Government Responses
TechCrunch contacted representatives from Australia, Canada, Cyprus, Denmark, Israel, and Singapore for comment, but received no responses.
Jeffrey Del Guidice, an OPP spokesperson, did not refute Citizen Lab’s findings, stating that disclosing investigative techniques could compromise ongoing investigations and endanger public and officer safety.
Paragon's Response
Paragon’s Fleming acknowledged that Citizen Lab contacted the company with “a very limited amount of information, some of which appears to be inaccurate.”
Fleming declined to elaborate on the inaccuracies, to confirm whether the identified countries are Paragon customers, or to comment on the status of its Italian client relationships.
"BIGPRETZEL" Forensic Artifact
Citizen Lab noted that all WhatsApp-notified individuals who requested phone analysis used Android devices. This allowed researchers to identify a unique forensic marker left by Paragon’s spyware, dubbed “BIGPRETZEL.”
Meta spokesperson Zade Alsawah confirmed to TechCrunch that the company believes “BIGPRETZEL” is associated with Paragon.
“We’ve seen first-hand how commercial spyware can be weaponized to target journalists and civil society, and these companies must be held accountable,” Meta stated. “Our security team is constantly working to stay ahead of threats, and we will continue working to protect people’s ability to communicate privately.”
Limitations and Future Research
Citizen Lab acknowledged that Android devices don’t always retain device logs, suggesting that more individuals may have been targeted by Graphite than currently known.
The researchers also noted uncertainty regarding whether identified victims were targeted on previous occasions.
Targeting Specific Apps
Paragon’s Graphite spyware reportedly targets specific applications on a device, rather than compromising the entire operating system. In the case of Beppe Caccia, an Italian NGO worker, the spyware infected two other apps on his Android device.
Citizen Lab suggests that this approach may make detection more difficult for forensic investigators, but could provide app developers with greater visibility into spyware operations.
“Paragon’s spyware is trickier to spot than competitors like [NSO Group’s] Pegasus, but, at the end of the day, there is no ‘perfect’ spyware attack,” stated Bill Marczak, a senior researcher at Citizen Lab. “Maybe the clues are in different places than we’re used to, but with collaboration and information sharing, even the toughest cases unravel.”
Apple's Involvement
Citizen Lab also analyzed the iPhone of David Yambio, a colleague of Caccia, who received a notification from Apple regarding potential mercenary spyware targeting. However, no evidence of Paragon’s spyware was found on Yambio’s device.
Apple did not respond to a request for comment.
This story was updated to include OPP’s comment.
