Paragon Graphite Spyware Scandal Deepens in Italy
Italian prosecutors are investigating a spyware scandal after WhatsApp and Apple alerted journalists, activists, and NGO workers that they had been targeted with mercenary spyware linked to Paragon Solutions’ Graphite platform. The campaign reportedly affected about 90 people worldwide, and public disclosures in Italy included journalist Francesco Cancellato, Fanpage journalist Ciro Pellegrino, and Mediterranea Saving Humans figures Luca Casarini and Beppe Caccia. Researchers at Citizen Lab later confirmed infections of Pellegrino and another European journalist, tying one case to a sophisticated zero-click iMessage exploit that Apple said was mitigated in iOS 18.3.1.
The case has intensified scrutiny of Italy’s intelligence services after a parliamentary committee said agencies AISI and AISE were Paragon customers, even as the government denied targeting legally protected subjects such as journalists. Paragon said it had offered help investigating the alleged surveillance and later cut ties with Italy, but prosecutors in Rome and Naples reportedly have not received the company’s cooperation through formal channels, raising questions about accountability and Israeli assistance in spyware investigations. The dispute echoes earlier battles over Israeli spyware vendors, including NSO Group’s Pegasus, which was previously used in WhatsApp-based attacks and became the subject of major litigation and international scrutiny.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
16 events from the most recent confirmed update back to the earliest known activity.
Report says Paragon did not answer Italian prosecutors' request
Despite previously saying it would help investigate, Paragon reportedly did not respond to a formal request for information sent by Italian prosecutors through the Israeli government. The reported lack of cooperation raised questions about Israeli assistance in the spyware inquiry.
Italian victims file complaints, prompting Rome and Naples probe
Victims in Italy filed criminal complaints over the spyware targeting, leading prosecutors in Rome and Naples to open a joint investigation. The inquiry focused on attacks linked to Paragon's Graphite platform and possible involvement of Italian intelligence services.
Italian prosecutors confirm 2024 spyware targeting of activists and journalist
Italian prosecutors confirmed that activists and a journalist in Italy had been targeted with spyware in 2024, adding official investigative validation to allegations surrounding the Paragon-linked surveillance scandal. The confirmation clarified that the attacks predated WhatsApp's January 2025 disruption and public victim notifications.
Citizen Lab publishes broader report on Paragon spyware operations
Citizen Lab published a new report examining Paragon's expanding spyware operations, marking a broader research disclosure beyond its earlier confirmation of individual Graphite infections. The publication indicated that scrutiny of Paragon had widened from the Italy-focused cases to the vendor's broader operational footprint.
Amnesty reports new Italian journalist targeted with Graphite spyware
Amnesty International disclosed a new case of an Italian journalist targeted with Paragon's Graphite spyware, adding another victim to the Italy surveillance scandal. The report indicated the spyware use was broader than previously publicly documented and reinforced concerns about unlawful surveillance in Italy.
Apple says iMessage attack vector was mitigated in iOS 18.3.1
In response to Citizen Lab's findings, Apple said the exploit path used in one Paragon-linked infection had been mitigated in iOS 18.3.1. This provided a technical update on how at least one confirmed infection route had been addressed.
Citizen Lab confirms first public Paragon Graphite infections
Citizen Lab confirmed that two European journalists, including Italian journalist Ciro Pellegrino, were hacked with Paragon's Graphite spyware, marking the first publicly confirmed infections tied to the vendor. The researchers said the attacks likely involved the same Paragon customer and linked one infection to a zero-click iMessage exploit.
COPASIR says Italian intelligence used Paragon but denies targeting Cancellato
Italy's parliamentary intelligence oversight committee, COPASIR, confirmed that intelligence agencies AISI and AISE were Paragon customers. It also said it found no evidence that journalist Francesco Cancellato had been spied on and stated that legally protected subjects such as journalists were not targeted by Italian intelligence services.
COPASIR says Italian intelligence rescinded Paragon contracts
Italy's parliamentary intelligence oversight committee reported that intelligence agencies AISE and AISI had contracts for Paragon's Graphite spyware and had since rescinded them. The committee disclosed this while reviewing agency contracts and spyware logs during its inquiry into surveillance of activists and journalist Francesco Cancellato.
Beppe Caccia publicly discloses WhatsApp spyware targeting
Mediterranea Saving Humans co-founder Beppe Caccia said he was among those notified by WhatsApp that they had been targeted with Paragon-linked spyware. His disclosure added another Italian civil society figure to the list of known targets.
Paragon ends its contract with Italy
Paragon said it offered Italy assistance in investigating the alleged hacking of journalist Francesco Cancellato, but the government refused. The company then cut ties with Italy, according to later reporting.
WhatsApp notifies Italian targets of Paragon-linked spyware attacks
Journalists and activists in Italy, including Francesco Cancellato, Luca Casarini, Husam El Gomati, and later Beppe Caccia, said they received WhatsApp notifications that they had been targeted in the campaign. These disclosures helped trigger public scrutiny and later criminal complaints in Italy.
WhatsApp disrupts Paragon-linked spyware campaign
WhatsApp disrupted a spyware campaign on January 31, 2025, after roughly 90 people worldwide were reportedly targeted. The campaign was linked to Paragon Solutions' Graphite platform, though the responsible government customer was not publicly identified.
Apple notifies David Yambio of mercenary spyware targeting
Refugees in Libya co-founder David Yambio said Apple notified him in November 2024 that he had been targeted by a mercenary spyware attack. Reporting later noted it was unclear whether his case was connected to the Paragon-linked campaign.
Father Mattia Ferrari says Meta warned him of government-linked spyware targeting
Italian priest Mattia Ferrari, affiliated with Mediterranea Saving Humans, said Meta notified him in February 2024 that he had been targeted by a sophisticated surveillance tool backed by unidentified government entities. His disclosure added another Italian civil society figure to the widening spyware scandal involving activists and journalists connected to migrant rescue work.
WhatsApp begins fixing Pegasus voice-call spyware flaw
WhatsApp disclosed a vulnerability that allowed NSO Group's Pegasus spyware to be installed via WhatsApp voice calls, including cases where targets did not answer. The company began deploying server-side mitigations on 2019-05-10 and released an updated app version on 2019-05-13, while notifying users and relevant organizations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
18 references tracked. Mallory keeps watching after this page renders.
Paragon is not collaborating with Italian authorities probing spyware attacks, report says | TechCrunch
techcrunch.com
Open sourceItalian activists and journalist targeted by spyware in 2024, prosecutors confirm | Italy | The Guardian
theguardian.com
Open sourceVirtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations - The Citizen Lab
citizenlab.ca
Open sourceVirtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations - The Citizen Lab
citizenlab.ca
Open sourceNew target of Paragon spyware comes forward | TechCrunch
techcrunch.com
Open sourceJournalist targeted on WhatsApp by Paragon spyware: 'I feel violated' | TechCrunch
techcrunch.com
Open sourceWhatsApp voice calls used to inject Israeli spyware on phones
ft.com
Open sourceUnclassified
documenti.camera.it
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
WhatsApp Spyware Campaign Linked to Paragon Triggers Italy Contract Fallout
WhatsApp said it disrupted a **zero-click spyware campaign** that targeted about 90 users, including journalists and civil society members across more than two dozen countries, and linked the activity to Israeli spyware maker **Paragon**. The company said attackers used malicious PDF files sent through WhatsApp groups to compromise devices, patched the attack path, notified affected users, and sent Paragon a cease-and-desist letter. Researchers at Citizen Lab said they had also observed Paragon using the same vector, marking one of the first public cases tying the company to alleged surveillance of journalists and activists. The disclosure escalated into a political dispute in Italy after journalist **Francesco Cancellato** was identified among the targets. Paragon said it terminated contracts with Italian government customers after Rome refused its help in determining whether its **Graphite** spyware had been used unlawfully, while Italian officials said broader access to spyware logs would have exposed sensitive intelligence information and described the suspension as mutual. Italy’s parliamentary committee **COPASIR** said there was no evidence that intelligence agencies targeted Cancellato, though it confirmed the agencies were Paragon customers and found that some other individuals had been lawfully surveilled in investigations, intensifying scrutiny of Paragon’s claims that it operates as a more responsible spyware vendor.
May 25, 2026
Targeting of Italian Political Adviser with Paragon Graphite Spyware
Francesco Nicodemo, a prominent Italian political adviser and communications executive, was identified as the fifth Italian individual targeted with Paragon’s Graphite spyware. Nicodemo, who has managed numerous election campaigns and is known for his work with center-left political candidates, was notified by WhatsApp of evidence linking his device to the spyware. The attack was later confirmed by Citizen Lab’s John Scott-Railton, highlighting ongoing concerns about the use of invasive surveillance tools against political figures in Italy. The Italian government has acknowledged using Paragon spyware in some cases but denies involvement in all incidents, particularly those involving journalists. The growing number of unexplained infections, now totaling at least 90 victims notified by WhatsApp, underscores the broader issue of government surveillance and the targeting of individuals involved in politics and elections. Experts have raised alarms about the human rights implications of such spyware, calling for greater transparency and potential bans on its use.
Mar 21, 2026
European Spyware Scandals Involving Predator and Paragon Targeting Journalists and Civil Society
A Greek court sentenced **four Intellexa executives** to **eight years in prison** for their role in the “**Predatorgate**” spyware scandal, which involved use of **Predator** spyware against **90+ public figures**. Prior investigations by **The Citizen Lab** and others documented Predator’s presence in Greece and confirmed infections on devices belonging to journalist **Thanasis Koukakis** and former Meta trust-and-safety manager **Artemis Seaford**, marking a rare case where executives at a mercenary spyware firm faced criminal conviction and prison time. In Italy, prosecutors in Rome and Naples confirmed via a technical report that journalist **Francesco Cancellato** and immigration activists **Giuseppe Caccia** and **Luca Casarini** showed traces consistent with **Paragon Solutions** spyware infections during the early hours of **2024-12-14**, suggesting a coordinated infection campaign. Italian authorities also inspected a Paragon spyware server used by the intelligence agency **AISI** and found evidence of operations against Caccia and Casarini but not against Cancellato, leaving attribution for Cancellato’s compromise unresolved; the case follows **WhatsApp** notifications to roughly **90** people warning they were targeted with Paragon spyware.
Mar 26, 2026