Targeting of Italian Political Adviser with Paragon Graphite Spyware
Francesco Nicodemo, a prominent Italian political adviser and communications executive, was identified as the fifth Italian individual targeted with Paragon’s Graphite spyware. Nicodemo, who has managed numerous election campaigns and is known for his work with center-left political candidates, was notified by WhatsApp of evidence linking his device to the spyware. The attack was later confirmed by Citizen Lab’s John Scott-Railton, highlighting ongoing concerns about the use of invasive surveillance tools against political figures in Italy.
The Italian government has acknowledged using Paragon spyware in some cases but denies involvement in all incidents, particularly those involving journalists. The growing number of unexplained infections, now totaling at least 90 victims notified by WhatsApp, underscores the broader issue of government surveillance and the targeting of individuals involved in politics and elections. Experts have raised alarms about the human rights implications of such spyware, calling for greater transparency and potential bans on its use.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers warn unexplained Paragon cases are increasing
Digital forensic researcher John Scott-Railton said unexplained Paragon Graphite cases are growing and that political and election-related targeting remains a recurring theme. The warning underscored the broader expansion of the spyware scandal beyond the known Italian cases.
Francesco Nicodemo discloses Paragon Graphite targeting
Communications executive and political adviser Francesco Nicodemo publicly revealed that he had been targeted with Paragon's Graphite spyware, becoming the fifth Italian to report being affected in the scandal. Fanpage first reported Nicodemo's case.
Italian government acknowledges some use of Paragon spyware
The government of Prime Minister Giorgia Meloni acknowledged using Paragon spyware in attempts to spy on some of the five publicly known Italian victims. It denied involvement in the targeting of two Fanpage journalists who reported infections.
WhatsApp notifies about 90 Paragon Graphite targets
WhatsApp notified roughly 90 victims that evidence indicated they had been targeted with Paragon's Graphite spyware. According to later reporting, Francesco Nicodemo was among those notified.
Fanpage publishes exposé on Meloni's ties to young fascists
Italian outlet Fanpage published a June 2024 investigation describing ties between Prime Minister Giorgia Meloni and young fascists. The report was later cited as relevant context in the spyware scandal involving Fanpage journalists.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Paragon Graphite Spyware Scandal Deepens in Italy
Italian prosecutors are investigating a spyware scandal after **WhatsApp** and **Apple** alerted journalists, activists, and NGO workers that they had been targeted with mercenary spyware linked to **Paragon Solutions’ Graphite** platform. The campaign reportedly affected about 90 people worldwide, and public disclosures in Italy included journalist **Francesco Cancellato**, Fanpage journalist **Ciro Pellegrino**, and Mediterranea Saving Humans figures **Luca Casarini** and **Beppe Caccia**. Researchers at **Citizen Lab** later confirmed infections of Pellegrino and another European journalist, tying one case to a sophisticated zero-click **iMessage** exploit that Apple said was mitigated in `iOS 18.3.1`. The case has intensified scrutiny of Italy’s intelligence services after a parliamentary committee said agencies **AISI** and **AISE** were Paragon customers, even as the government denied targeting legally protected subjects such as journalists. Paragon said it had offered help investigating the alleged surveillance and later cut ties with Italy, but prosecutors in Rome and Naples reportedly have not received the company’s cooperation through formal channels, raising questions about accountability and Israeli assistance in spyware investigations. The dispute echoes earlier battles over Israeli spyware vendors, including **NSO Group’s Pegasus**, which was previously used in WhatsApp-based attacks and became the subject of major litigation and international scrutiny.
May 26, 2026
WhatsApp Spyware Campaign Linked to Paragon Triggers Italy Contract Fallout
WhatsApp said it disrupted a **zero-click spyware campaign** that targeted about 90 users, including journalists and civil society members across more than two dozen countries, and linked the activity to Israeli spyware maker **Paragon**. The company said attackers used malicious PDF files sent through WhatsApp groups to compromise devices, patched the attack path, notified affected users, and sent Paragon a cease-and-desist letter. Researchers at Citizen Lab said they had also observed Paragon using the same vector, marking one of the first public cases tying the company to alleged surveillance of journalists and activists. The disclosure escalated into a political dispute in Italy after journalist **Francesco Cancellato** was identified among the targets. Paragon said it terminated contracts with Italian government customers after Rome refused its help in determining whether its **Graphite** spyware had been used unlawfully, while Italian officials said broader access to spyware logs would have exposed sensitive intelligence information and described the suspension as mutual. Italy’s parliamentary committee **COPASIR** said there was no evidence that intelligence agencies targeted Cancellato, though it confirmed the agencies were Paragon customers and found that some other individuals had been lawfully surveilled in investigations, intensifying scrutiny of Paragon’s claims that it operates as a more responsible spyware vendor.
May 25, 2026
European Spyware Scandals Involving Predator and Paragon Targeting Journalists and Civil Society
A Greek court sentenced **four Intellexa executives** to **eight years in prison** for their role in the “**Predatorgate**” spyware scandal, which involved use of **Predator** spyware against **90+ public figures**. Prior investigations by **The Citizen Lab** and others documented Predator’s presence in Greece and confirmed infections on devices belonging to journalist **Thanasis Koukakis** and former Meta trust-and-safety manager **Artemis Seaford**, marking a rare case where executives at a mercenary spyware firm faced criminal conviction and prison time. In Italy, prosecutors in Rome and Naples confirmed via a technical report that journalist **Francesco Cancellato** and immigration activists **Giuseppe Caccia** and **Luca Casarini** showed traces consistent with **Paragon Solutions** spyware infections during the early hours of **2024-12-14**, suggesting a coordinated infection campaign. Italian authorities also inspected a Paragon spyware server used by the intelligence agency **AISI** and found evidence of operations against Caccia and Casarini but not against Cancellato, leaving attribution for Cancellato’s compromise unresolved; the case follows **WhatsApp** notifications to roughly **90** people warning they were targeted with Paragon spyware.
Mar 26, 2026