Citizen Lab Confirms Two Journalists Hacked with Paragon Spyware in Italy

1:47 PM   |   12 June 2025

Citizen Lab Confirms Two Journalists Hacked with Paragon Spyware, Deepening Italian Scandal

In a significant development for the ongoing global debate surrounding the use of commercial government spyware, new research from digital rights group The Citizen Lab has provided the first forensic confirmation that two European journalists were successfully hacked using technology made by Israeli surveillance tech provider Paragon.

The Citizen Lab's new report, published on Thursday, details the findings of a forensic investigation into the iPhones belonging to Italian journalist Ciro Pellegrino and a “prominent” European journalist who has chosen to remain anonymous. According to the researchers, evidence found on both devices strongly suggests that the two journalists were compromised by the same customer utilizing Paragon spyware, specifically the variant known as Graphite.

This confirmation marks a critical turning point in a scandal that has been unfolding over several months, particularly in Italy. While Pellegrino, who works for the online news website Fanpage, had previously received an alert from Apple indicating he was a potential target of a mercenary spyware attack, the notification did not specify the vendor or confirm a successful infection. Citizen Lab's findings now provide that crucial forensic link, confirming that his device, along with that of the unnamed European journalist, was indeed compromised by Paragon's technology.

The confirmation of these infections further intensifies the scrutiny on the use of spyware by governments, with the current focus heavily centered on Italy, although the potential for the scandal to involve other European nations remains. The revelations from Citizen Lab arrive just weeks after Italy's parliamentary committee overseeing intelligence agencies, known as COPASIR, released a report claiming it found no evidence that Francesco Cancellato, Pellegrino's colleague and Fanpage director who was also notified by WhatsApp of being targeted, had been spied on. The COPASIR report did, however, confirm that Italy's internal and external intelligence agencies, AISI and AISE, were customers of Paragon, but made no mention of Ciro Pellegrino.

The Citizen Lab's new report directly challenges COPASIR's conclusions, at least concerning Pellegrino's case. John Scott-Railton, a senior researcher at The Citizen Lab, highlighted the significance of the findings: “A week ago it seemed like Italy was putting this scandal to bed. Now they’ll have to reckon with new forensic evidence.” He added, “Ciro’s case adds to the big and politically tricky question: who has been hacking Italian journalists with Paragon spyware? This mystery needs an answer.”

Scott-Railton expressed the Citizen Lab's belief that the Italian government possesses the necessary information to definitively address questions surrounding its use of Paragon spyware, particularly in light of Pellegrino's confirmed infection.

The Journalist's Perspective and the Call for Accountability

The human impact of such surveillance is profound. Ciro Pellegrino shared his perspective with TechCrunch, stating his belief that his civil rights have been “trampled upon.” His words underscore the chilling effect that state-sponsored surveillance can have on independent journalism and the fundamental rights of citizens.

Pellegrino also raised pointed questions regarding the response, or lack thereof, from Italian Prime Minister Meloni, herself a professional journalist. “I understand that Prime Minister Meloni is a professional journalist like me (I have been a journalist since 2005, she has since 2006),” Pellegrino told TechCrunch. “Does she care about the rights of this type of workers? Why has she not spent a single word in solidarity with the journalists who have been spied on?” This sentiment highlights the perceived silence from the highest levels of government on an issue directly impacting the press.

Following Cancellato's public disclosure of being targeted, the Italian government issued a press release denying any involvement in targeting journalists or human rights activists. However, the Citizen Lab's findings, particularly the confirmation of Pellegrino's infection by the same operator as the unnamed European journalist, suggest a potential “cluster” of targets, possibly linked by their affiliation with Fanpage or related work.

Pellegrino clarified that he had not worked on Fanpage's high-profile investigation into the “Gioventù Meloniana,” a youth group associated with Prime Minister Meloni's Fratelli d’Italia party, which exposed members sympathizing with fascism. He also stated he had not worked on any investigations related to immigration, a topic that has also been linked to spyware targeting in Italy. Despite this, he speculated, “It is possible that someone was hoping to gain information about Fanpage by hacking my smartphone.” This suggests that the motive might have been broader intelligence gathering on the news outlet itself, rather than specific investigations.

Attempts by TechCrunch to obtain comments from COPASIR, the Democratic Party's parliamentary press office (headed by COPASIR member Lorenzo Guerini), and the Italian government were unsuccessful, with none responding to requests.

Paragon's Position and the Technical Evidence

Paragon, through Emily Horne of WestExec Advisors, indicated they had nothing new to add beyond their previous statement earlier in the week. That statement, reported by Israeli newspaper Haaretz, claimed Paragon had offered the Italian government assistance in investigating Cancellato's alleged hack, but the government refused, leading Paragon to terminate its contracts with Italy. This adds another layer of complexity and conflicting accounts to the unfolding situation.

The Citizen Lab's report is grounded in concrete forensic evidence. The unnamed prominent European journalist received an Apple notification on April 29, 2025, the same day as Pellegrino. Analysis of this journalist's devices revealed infection with Graphite spyware. The key forensic finding was evidence showing the spyware communicating with a server that Citizen Lab had previously identified with “high confidence” as part of Paragon's infrastructure.

The attack vector identified was particularly concerning: a sophisticated zero-click attack delivered via iMessage. Zero-click exploits are among the most insidious forms of surveillance technology because they require no interaction from the target – simply receiving a malicious message can be enough to compromise the device. Citizen Lab believes this attack was invisible to the victim.

Apple informed Citizen Lab that the specific exploit used in these cases was mitigated in iOS version 18.3.1, which was released on February 10, 2025. This release date is approximately two weeks after WhatsApp first alerted users to potential Paragon spyware targeting, suggesting a rapid response from Apple to counter the threat.

Crucially, Citizen Lab found traces of the same iMessage account on Ciro Pellegrino's iPhone logs. Given that different government customers typically operate their own distinct spyware infrastructure, the presence of the same iMessage account on both journalists' devices led Citizen Lab to conclude they were likely targeted by the same Paragon operator. The unnamed journalist's iPhone was reportedly infected in January and early February 2025.

According to the COPASIR report, Italy's intelligence agencies (AISE and AISI) and Paragon suspended the surveillance systems on February 14, 2025. This timeline indicates that the Italian spy agencies were still utilizing Paragon's spyware during the period when the prominent European journalist's device was infected.

While the forensic evidence points to a common operator, Citizen Lab has not yet formally attributed the hacks of Pellegrino and the unnamed journalist to any specific government entity. However, the context provided by the COPASIR report and Paragon's own statements strongly implicates Italian state actors as the likely customer.

Other Confirmed and Potential Victims

The scope of the Paragon spyware scandal in Italy extends beyond journalists. Apart from Pellegrino and the unnamed European journalist, Citizen Lab has also forensically confirmed infections on the devices of two individuals associated with the Italian non-profit Mediterranea Saving Humans, which is involved in rescuing migrants in the Mediterranean Sea. These individuals are Luca Casarini and Beppe Caccia. The COPASIR report confirmed that both Casarini and Caccia were indeed surveilled by Italian spy agencies, aligning with Citizen Lab's technical findings.

Other individuals have also reported receiving notifications of potential targeting, though their cases remain less clear-cut based on publicly available information. David Yambio, a Sudanese citizen and co-founder of Refugees in Libya, an organization active in Italy focusing on immigration issues, received an Apple notification. Citizen Lab's analysis of his device found traces of a spyware infection, but the researchers could not definitively link it to a specific vendor or government.

The COPASIR report addressed Yambio's case, stating he was lawfully targeted by Italian intelligence agencies, but not with Graphite spyware. The report added that Yambio was under surveillance by judicial authorities as part of a criminal investigation. Interestingly, Yambio's phone was registered to Mattia Ferrari, a priest who collaborates with Mediterranea Saving Humans. Ferrari also received a spyware notification, this one from WhatsApp. However, the COPASIR report claimed it found no evidence that Ferrari was targeted with Graphite.

These varying outcomes highlight the complexities of investigating spyware cases, particularly when official government accounts differ from independent forensic analysis. John Scott-Railton noted that Citizen Lab's forensic and technical analyses are ongoing for all cases, including that of Francesco Cancellato, Pellegrino's colleague.

The Broader Implications for Journalism and Civil Society

The confirmed use of sophisticated mercenary spyware like Paragon's Graphite against journalists and civil society members raises serious concerns about the state of press freedom and civil liberties. Spyware, particularly zero-click variants, allows governments or other powerful actors to gain unfettered access to a target's communications, contacts, location data, and potentially even activate microphones and cameras, all without the target's knowledge or interaction.

For journalists, such surveillance is not merely a privacy violation; it is an existential threat to their ability to report freely and protect their sources. If journalists fear their devices are compromised, they may self-censor or be unable to communicate securely with whistleblowers and confidential contacts, thereby undermining the public's right to information and the role of the press as a watchdog.

Similarly, targeting individuals involved in humanitarian work, such as those assisting migrants, suggests a potential misuse of surveillance tools intended for national security or criminal investigations against those engaged in legitimate civil society activities. This raises questions about the legal frameworks governing the use of such powerful tools and the oversight mechanisms in place.

The discrepancy between Citizen Lab's forensic findings and the COPASIR report is particularly troubling. It suggests either a lack of transparency, incomplete information, or potentially conflicting objectives between different branches of government or oversight bodies. The call from Citizen Lab for the Italian government to provide definitive answers underscores the need for accountability and a thorough, independent investigation into who authorized these specific hacks and why.

The Mercenary Spyware Industry Under Scrutiny

The Paragon case is part of a larger pattern of mercenary spyware being used globally, often against journalists, human rights defenders, opposition politicians, and academics. Companies like Paragon develop and sell these powerful tools, often claiming they are sold only to legitimate government entities for lawful purposes. However, repeated investigations by organizations like Citizen Lab, coupled with notifications from technology companies like Apple and Meta (which owns WhatsApp), have revealed a pattern of misuse and abuse.

The industry operates in a largely unregulated space, making it difficult to track sales, end-users, and instances of misuse. The confirmed hacks in Italy add to the growing body of evidence highlighting the urgent need for greater transparency, stricter export controls, and robust accountability mechanisms for both the companies that produce this technology and the governments that purchase and deploy it.

The fact that Paragon reportedly cancelled contracts with Italy due to the government's alleged refusal to investigate the hack on Cancellato, while Citizen Lab's findings confirm infections linked to an Italian customer, further complicates the narrative and emphasizes the difficulty in achieving accountability within this opaque industry.

Conclusion: A Call for Transparency and Investigation

The Citizen Lab's forensic confirmation that Ciro Pellegrino and another European journalist were hacked with Paragon spyware is a critical piece of evidence in the ongoing Italian spyware scandal. It directly challenges official accounts and reinforces concerns about the potential misuse of powerful surveillance tools against members of the press and civil society.

The case highlights the vital role of independent researchers like Citizen Lab in uncovering instances of state-sponsored hacking and holding powerful actors accountable. It also underscores the vulnerability of even sophisticated devices like iPhones to advanced zero-click exploits developed by private companies.

As the investigation continues, the focus remains on the Italian government to provide clear and transparent answers regarding its use of Paragon spyware, the identities of those targeted, and the justification for such surveillance. The confirmed hacks serve as a stark reminder of the threats posed by the mercenary spyware industry to democratic values, press freedom, and fundamental human rights across Europe and beyond.

The mystery of who specifically targeted these journalists and why persists, but Citizen Lab's findings provide undeniable forensic proof that the attacks occurred and were carried out using Paragon's technology by an operator linked to Italy. The pressure is now on the relevant authorities to ensure a full and impartial investigation is conducted and that those responsible are held accountable.