Researchers confirm two journalists were hacked with Paragon spyware | TechCrunch


Two European journalists were hacked using government spyware made by Israeli surveillance tech provider Paragon, new research has confirmed.

On Thursday, digital rights group The Citizen Lab published a new report detailing the results of a new forensic investigation into the iPhones of Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist. The researchers said both journalists were hacked by the same Paragon customer, based on evidence found on the two journalists’ devices.

Until now, there was no evidence that Pellegrino, who works for online news website Fanpage, had been either targeted or hacked with Paragon spyware. When he was alerted by Apple at the end of April, the notification referred to a mercenary spyware attack, but didn’t specifically mention Paragon, nor whether his phone had been infected with the spyware.

The confirmation of the first-ever known Paragon infections further deepens an ongoing spyware scandal that, for now, appears to be mostly focused on the use of spyware by the Italian government, but could expand to include other countries in Europe.

These new revelations come months after WhatsApp first notified around 90 of its users in over two dozen countries in Europe and beyond, including journalists, that they had been targeted with Paragon spyware, known as Graphite. Among those targeted were several Italians, including Pellegrino’s colleague and Fanpage director Francesco Cancellato, as well as non-profit workers who help to rescue migrants at sea.

Last week, Italy’s parliamentary committee known as COPASIR, which oversees the country’s intelligence agencies’ activities, published a report that said it found no evidence that Cancellato was spied on. The report, which confirmed that Italy’s internal and external intelligence agencies AISI and AISE were Paragon customers, made no mention of Pellegrino.

Citizen Lab’s new report puts into question COPASIR’s conclusions.

“A week ago it appeared like Italy was putting this scandal to bed. Now they’ll need to reckon with new forensic evidence,” John Scott-Railton, a senior researcher at The Citizen Lab, told TechCrunch ahead of the report’s publication. “Ciro’s case adds to the big and politically difficult question: who has been hacking Italian journalists with Paragon spyware? This mystery needs an answer.”

Scott-Railton said the Citizen Lab believes that the Italian government is able to definitively answer questions about what was done with their use of Paragon spyware, notably regarding Ciro’s case.

Pellegrino told TechCrunch that he believes that his civil rights have been “trampled upon.”

“I understand that Prime Minister Meloni is a professional journalist like me (I’ve been a journalist since 2005, she has since 2006),” Pellegrino told TechCrunch. “Does she care about the rights of this kind of workers? Why has she not spent a single word in solidarity with the journalists who’ve been spied on?”

Contact Us

Do you have more information about Paragon, and this spyware campaign? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.

After Cancellato revealed he had been targeted with spyware, the Italian government published a press release denying it was behind the targeting of any journalist or human rights activists.

The fact that both Cancellato and Pellegrino work for the same outlet suggests they may be part of a “cluster” of targets, according to the Citizen Lab report.

Pellegrino said that he didn’t work on the blockbuster Fanpage investigation into the “Gioventù Meloniana,” a group that is part of Meloni’s Fratelli d’Italia party, which revealed that some of its members sympathize with fascism. Pellegrino, who’s the head of Fanpage’s Naples bureau, also said he hasn’t worked on any investigation about immigration.

“It’s possible that someone hoped to gain information about Fanpage by hacking my smartphone,” said Pellegrino.

TechCrunch reached out to the press office of the COPASIR; the parliament press office of the Partito Democratico (Democratic Party), whose member Lorenzo Guerini heads COPASIR; and the Italian government. None of them responded to our requests for comment.

Referring to an email TechCrunch sent to Paragon and its executive chairman John Fleming, Emily Horne, who works for WestExec Advisors, said the spyware maker “won’t have anything new on this,” apart from what the company said earlier this week. At the time, Paragon told Israeli newspaper Haaretz that it offered the Italian government help to investigate Cancellato’s alleged hack, but the government refused, and that’s why the company cut ties with Italy.

New forensic evidence emerges

On April 29, 2025, the prominent European journalist received a notification from Apple, the same notification that Pellegrino received and on the same day, according to Citizen Lab. The lab’s researchers analyzed the unnamed journalist’s devices and found that one of them was infected with Graphite, based on forensic evidence showing that the spyware communicated with a server that the researchers had previously established with “high confidence” was part of Paragon’s infrastructure.

Citizen Lab said the journalist was hacked with “a sophisticated zero-click attack against the device via iMessage,” based on the researchers finding a specific iMessage account “present in the device logs around the same time as the phone was communicating with the Paragon server.”

Zero-click hacks are among the most effective attacks given that, as the name suggests, they require no interaction from the target. And in this case, Citizen Lab said it believed the attack was invisible to the victim.

According to the report, Apple told Citizen Lab that “the attack deployed in these cases was mitigated in iOS 18.3.1,” which was released on February 10, 2025, some two weeks after WhatsApp notified the targets of Paragon spyware.

Apple didn’t respond to TechCrunch’s request for comment prior to publication.

In the case of Pellegrino, Citizen Lab said it found the same iMessage account on his iPhone’s logs. Given that it’s typical for each government customer to have its own spyware infrastructure, Citizen Lab said it believed Pellegrino and the unnamed journalist were likely targeted by the same Paragon operator.

The unnamed journalist’s iPhone was infected in January and early February, said Citizen Lab.

According to COPASIR’s report, Paragon and its Italian intelligence customers suspended the company’s surveillance systems on February 14, 2025, which means that the spy agencies AISE and AISI were still using Paragon’s spyware when the prominent European journalist was hacked.

For now, Citizen Lab has not attributed Pellegrino’s and the other unnamed European journalist’s hacks to any government.

Citizen Lab noted in the report that it’s possible some of the people who were notified by WhatsApp of having been targeted with Graphite may also have been infected, but, due to the fact that Android has limited logs, as well as “efforts by Paragon to delete traces of the infection,” it may be impossible to confirm that.

Other Graphite victims identified

Apart from Pellegrino and the unnamed journalists, two other people have so far been confirmed to have been targeted with Paragon’s spyware: Luca Casarini and Beppe Caccia, who both work for the Italian non-profit Mediterranea Saving Humans, which rescues immigrants who try to cross the Mediterranean Sea. Citizen Lab confirmed both were infected after analyzing their devices. In its report, COPASIR confirmed the two were surveilled by Italian spy agencies.

There are other people who have said they received notifications of having been targeted. Their cases, however, are still somewhat unclear.

David Yambio, a Sudanese citizen and president and co-founder of Refugees in Libya, a non-profit organization active in Italy that works on immigration issues, received a notification from Apple. After analyzing his device, Citizen Lab said it found traces of a spyware infection, but couldn’t link the compromise to a particular spyware maker nor any government.

COPASIR said Yambio was lawfully targeted by Italian intelligence agencies, but not with Graphite. COPASIR added that Yambio was under surveillance by the country’s judicial authorities for a criminal investigation. Yambio’s phone was registered to Mattia Ferrari, a priest who collaborates with Mediterranea.

Ferrari also received the spyware notification from WhatsApp. COPASIR, however, said it found no evidence he was targeted with Graphite.

Scott-Railton said that Citizen Lab forensic and technical analyses are ongoing on all cases, including Cancellato.
