Two European journalists were hacked using government spyware created by Israeli surveillance technology provider Paragon, a new study confirmed.
On Thursday, digital rights group The Citizen Lab released a new report detailing the results of a forensic investigation into the iPhone of Italian journalist Ciro Pellegrino and the iPhone of an unknown “prominent” European journalist. Based on evidence found on the two journalists’ devices, researchers said both were hacked by the same Paragon customer.
Until now, there was no evidence that Pellegrino, who works for the online news website FanPage, had been targeted or hacked with Paragon spyware. When he received a warning from Apple at the end of April, the notification mentioned a mercenary spyware attack but did not specifically mention Paragon.
The first-ever confirmation of known Paragon infections deepens an ongoing spyware scandal that, for now, appears to be focused primarily on the Italian government’s use of spyware but could expand to include other countries in Europe.
These new revelations come months after WhatsApp first notified around 90 users in more than 20 European countries and beyond, including journalists, that they had been targeted with Paragon spyware, known as Graphite. Among the targets were Francesco Cancellato, a colleague of Pellegrino and FanPage’s director, and a nonprofit worker who helped rescue immigrants at sea.
Last week, Copasir, the Italian parliamentary committee that oversees the activities of the country’s intelligence agencies, issued a report saying it could not find any evidence that Cancellato was spied on. The report confirmed that Italy’s internal and external intelligence agencies, AISI and AISE, are Paragon customers, but it does not mention Pellegrino.
The new report from Citizen Lab casts doubt on Copasir’s conclusions.
“A week ago, Italy seemed to have put this scandal to bed. Now they have to consider new forensic evidence,” John Scott-Railton, a senior researcher at Citizen Lab, told TechCrunch ahead of the publication of the report. “The Ciro incident adds to a big, politically tricky question: Who is hacking Italian journalists with Paragon spyware? This mystery needs an answer.”
Scott-Railton said Citizen Lab believes the Italian government is in a position to clearly answer questions about how Paragon spyware has been used, especially with regard to the case of Ciro.
Pellegrino told TechCrunch he believes his civil rights have been “trampled.”
“I understand that Prime Minister Meloni is a professional journalist like me (I have been a journalist since 2005 and she has since 2006),” Pellegrino told TechCrunch. “Does she care about the rights of this type of worker? Why didn’t she spend every word with a spied journalist?”
After Cancellato revealed that he had been targeted with spyware, the Italian government issued a press release denying it was behind the targeting of journalists or human rights activists.
The fact that both Cancellato and Pellegrino work at the same outlet suggests they may be part of a “cluster” of targets, according to the Citizen Lab report.
Pellegrino said he has not been working on FanPage’s blockbuster investigation into Gioventù Meloniana, a group of Meloni’s Fratelli d’Italia. Pellegrino, head of FanPage’s Napoli bureau, also said he was not working on an investigation into immigration.
“It’s possible that someone wanted to get information about FanPage by hacking my smartphone,” Pellegrino said.
TechCrunch contacted Copasir’s press office; the parliamentary press office of Partito Democratico, whose member Lorenzo Guerini leads Copasir; and the Italian government. None of them responded to our request for comment.
Responding to an email sent to Paragon, its executive chairman John Fleming, and Emily Horn, who works at WestExec Advisors, the spyware maker said, “There’s nothing new in this,” beyond what it said earlier this week. At the time, Paragon told the Israeli newspaper Haaretz that it offered to help the Italian government investigate the alleged hacking of Cancellato, but the government refused, which ended the company’s ties with Italy.
New forensic evidence appears
According to Citizen Lab, on April 29, 2025, a prominent European journalist received a notification from Apple. Citizen Lab researchers analyzed the unnamed journalist’s devices and found that one of them was infected with Graphite, based on forensic evidence that it had communicated with a server the researchers had previously established, with “high confidence,” to be part of Paragon’s infrastructure.
Citizen Lab said the journalist was hacked with a “sleek zero-click attack on devices via iMessage.” The researchers found a specific iMessage account that “is present on the device around the same time that the phone was communicating with the Paragon server.”
Zero-click hacks are some of the most effective attacks because, as the name suggests, they do not require any interaction from the target. In this case, Citizen Lab said it believes the attack was invisible to the victims.
According to the report, Apple told Citizen Lab, “The attacks deployed in these cases were mitigated in iOS 18.3.1.”
Apple did not respond to TechCrunch’s request for comment prior to publication.
For Pellegrino, Citizen Lab said it found the same iMessage account in his iPhone logs. Given that it is typical for each government client to have its own spyware infrastructure, Citizen Lab said it believes Pellegrino and the unknown journalist were likely targeted by the same Paragon operator.
The nameless journalist’s iPhone was infected in January and early February, Citizen Lab said.
According to Copasir’s report, Paragon and its Italian intelligence customers stopped the company’s surveillance system on February 14, 2025. That is, when the prominent European journalist was hacked, spy agencies AISE and AISI were still using Paragon spyware.
For now, Citizen Lab has not attributed the hacking of Pellegrino and the other unknown European journalist to a government.
Citizen Lab also said that some of those notified by WhatsApp of being targeted with Graphite may have been infected, but that it may be impossible to confirm this because logs are limited on Android and because of the “effort by Paragon to remove traces of infection.”
Other Graphite victims have been identified
Apart from Pellegrino and the unknown journalist, two other people have been confirmed to have been targeted with Paragon spyware so far: Luca Casarini and Beppe Caccia, who work for the Italian non-profit Mediterranea Saving Humans. Citizen Lab confirmed that both were infected after analyzing their devices. In its report, Copasir confirmed that the two were being monitored by Italian spy agencies.
There are others who said they received a notification that they were targeted. However, their cases are still somewhat unclear.
David Yambio, a Sudanese citizen and the president and co-founder of Refugees in Libya, a nonprofit in Italy that works on immigration issues, received a notification from Apple. Citizen Lab found traces of a spyware infection after analyzing his devices, but said the compromise could not be linked to a particular spyware manufacturer or government.
Copasir said Yambio is legally targeted by Italian intelligence agencies, but not with Graphite. Copasir added that Yambio is under surveillance by the national judicial authorities for criminal investigations. Yambio’s phone has been registered to Mattia Ferrari, a priest who works with Mediterranea.
Ferrari also received a spyware notification from WhatsApp. However, Copasir said it found no evidence that he was targeted with Graphite.
Scott-Railton said Citizen Lab’s forensic and technical analysis is ongoing in all cases, including Cancellato.