European Journalists Targeted by Paragon Spyware, Citizen Lab Confirms

Researchers from the Citizen Lab have revealed the first forensic evidence that the iPhones of at least two European journalists were infected with Graphite, a piece of spyware developed by the Israeli company Paragon Solutions.

In a June 12 post, Bill Marczak and John Scott-Railton, two researchers at the University of Toronto’s digital forensic research center, stated that they had found forensic evidence confirming, with high confidence, that the devices of both an anonymous European journalist and Italian journalist Ciro Pellegrino had Graphite installed.

“We identify an indicator linking both cases to the same Paragon operator,” the researchers added.

Apple had confirmed to the researchers that the zero-click attack deployed in these cases exploited a critical vulnerability (CVSSv3 score of 9.8) in iOS that could allow disabling ‘USB Restricted Mode’ on a locked device. This flaw was mitigated in the latest iOS version, 18.3.1.

Confirmed Graphite Zero-Click Infection Attempts

The Citizen Lab’s forensic analysis followed an alert from Apple on April 29, 2025, which the tech giant said it had detected a select group of iOS users had been targeted with advanced spyware.

Two journalists decided to hand over their devices to the researchers, who found that one of the anonymous European journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1.

“We attribute the compromise to Graphite with high confidence because logs on the device indicated that it made a series of requests to a server that, during the same time period, matched our published Fingerprint P1. We linked this fingerprint to Paragon’s Graphite spyware with high confidence,” the researchers say.

Pellegrino allowed the researchers to analyze his devices after receiving the Apple notification on April 29. “Our analysis of the device’s logs revealed the presence of the same iMessage account used to target the [anonymous European] journalist, which we associate with a Graphite zero-click infection attempt,” added the researchers.

A third journalist and colleague of Pellegrino, Fanpage.it editor Francesco Cancellato, was notified in January 2025 by WhatsApp that he was targeted with Paragon’s Graphite spyware.

The Citizen Lab has conducted a forensic analysis of Cancellato’s Android device but did not find any confirmation of a successful infection.

The Citizen Lab sent a summary of its findings to Paragon on June 10, 2025, and gave them the chance to respond, but had not received a reply by the time of publication.

Italy Cuts Ties with Paragon

These new findings come a few days after the Italian government’s parliamentary committee, COPASIR, published a report on June 5, 2025, confirming that the Italian government had used Paragon’s Graphite spyware against two individuals, Luca Casarini and Giuseppe “Beppe” Caccia.

According to The Citizen Lab, subsequent developments revealed that Paragon had offered to assist in investigating a third individual, Mr. Cancellato, who had been targeted with the same spyware.

However, their offer was rejected by the Italian government on June 9, 2025, as reported by Haaretz. Paragon also suggested that they had unilaterally terminated Italy’s contracts.

The Italian Department of Security Intelligence (DIS) cited national security concerns as the reason for rejecting Paragon’s offer, stating that it would compromise their reputation among international peer services, and denied that they had unilaterally terminated their contract with Paragon.

The COPASIR committee, however, clarified that it had chosen not to proceed with Paragon’s offer, opting instead to directly access Paragon’s databases and expressed its willingness to declassify Paragon’s testimony to the committee.

Read now: How to Mitigate Spyware Risks and Secure Your Business Secrets