WhatsApp Spyware Campaign Linked to Paragon Triggers Italy Contract Fallout
WhatsApp said it disrupted a zero-click spyware campaign that targeted about 90 users, including journalists and civil society members across more than two dozen countries, and linked the activity to Israeli spyware maker Paragon. The company said attackers used malicious PDF files sent through WhatsApp groups to compromise devices, patched the attack path, notified affected users, and sent Paragon a cease-and-desist letter. Researchers at Citizen Lab said they had also observed Paragon using the same vector, marking one of the first public cases tying the company to alleged surveillance of journalists and activists.
The disclosure escalated into a political dispute in Italy after journalist Francesco Cancellato was identified among the targets. Paragon said it terminated contracts with Italian government customers after Rome refused its help in determining whether its Graphite spyware had been used unlawfully, while Italian officials said broader access to spyware logs would have exposed sensitive intelligence information and described the suspension as mutual. Italy’s parliamentary committee COPASIR said there was no evidence that intelligence agencies targeted Cancellato, though it confirmed the agencies were Paragon customers and found that some other individuals had been lawfully surveilled in investigations, intensifying scrutiny of Paragon’s claims that it operates as a more responsible spyware vendor.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
US court bars Paragon from targeting WhatsApp users
A US court ordered Israeli spyware firm Paragon not to target WhatsApp users, marking a new legal action stemming from the earlier spyware campaign linked to the platform. The ruling represents a judicial escalation beyond WhatsApp's prior cease-and-desist and technical mitigations.
EFF says ICE used Paragon spyware
The Electronic Frontier Foundation published a statement asserting that US Immigration and Customs Enforcement used Paragon Solutions malware. This introduced a new alleged government deployment of Paragon spyware beyond the previously documented Italian cases.
Paragon says it ended Italian contracts over refusal to investigate journalist attack
Paragon said it terminated contracts with Italian government customers after the government refused the company's help in determining whether its Graphite spyware had been used unlawfully against Francesco Cancellato. Italian government sources disputed Paragon's account, saying the suspension and termination were mutual and that sharing logs would have exposed sensitive intelligence data.
COPASIR says Italian intelligence bought Paragon spyware but denies targeting Cancellato
Italy's parliamentary committee COPASIR concluded there was no evidence that journalist Francesco Cancellato had been targeted by intelligence agencies AISI or AISE, while confirming both agencies were Paragon customers. COPASIR also said some other individuals were lawfully targeted in investigations tied to alleged illegal immigration and found no evidence of surveillance against priest Mattia Ferrari.
Italian spyware scandal expands after victim identification and scrutiny of Paragon
Following WhatsApp's notifications, journalist Francesco Cancellato was identified among the targets, helping trigger broader scrutiny in Italy over possible misuse of Paragon's Graphite spyware. The case drew attention because Paragon had marketed itself as a more responsible spyware vendor.
WhatsApp blocks attack path, notifies victims, and sends Paragon a cease-and-desist
After detecting the campaign, WhatsApp deployed a fix to block the PDF-based attack vector, directly notified affected users, and sent spyware maker Paragon a cease-and-desist letter. This marked the first public reporting linking Paragon to a campaign allegedly targeting journalists and civil society.
WhatsApp says Paragon spyware campaign targeted users in December
WhatsApp said a spyware campaign using Paragon infrastructure targeted about 90 users, including journalists and civil society members, during December 2024 across more than two dozen countries. The attack reportedly used malicious PDF files sent in WhatsApp groups to compromise targets in a zero-click manner.
Sources
11 references tracked. Mallory keeps watching after this page renders.
Tech giants vow to defend users in US as spyware companies make inroads with Trump administration | Apple | The Guardian
theguardian.com
Open sourceUS court bars Israeli spyware firm from targeting WhatsApp users | Cybersecurity News | Al Jazeera
aljazeera.com
Open sourceEFF Statement on ICE Use of Paragon Solutions Malware | Electronic Frontier Foundation
eff.org
Open sourceParagon says it canceled contracts with Italy over government's refusal to investigate spyware attack on journalist | TechCrunch
techcrunch.com
Open sourceWhatsApp says it disrupted spyware campaign aimed at reporters, civil society | CyberScoop
cyberscoop.com
Open sourceWhatsApp says it disrupted a hacking campaign targeting journalists with Paragon spyware | TechCrunch
techcrunch.com
Open sourceCorrection: Ecuador-Hacking The Opposition story | AP News
apnews.com
Open sourceHacking Team Promises Customers They Can Resume Surveillance Operations Soon - Business Insider
businessinsider.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Paragon Graphite Spyware Scandal Deepens in Italy
Italian prosecutors are investigating a spyware scandal after **WhatsApp** and **Apple** alerted journalists, activists, and NGO workers that they had been targeted with mercenary spyware linked to **Paragon Solutions’ Graphite** platform. The campaign reportedly affected about 90 people worldwide, and public disclosures in Italy included journalist **Francesco Cancellato**, Fanpage journalist **Ciro Pellegrino**, and Mediterranea Saving Humans figures **Luca Casarini** and **Beppe Caccia**. Researchers at **Citizen Lab** later confirmed infections of Pellegrino and another European journalist, tying one case to a sophisticated zero-click **iMessage** exploit that Apple said was mitigated in `iOS 18.3.1`. The case has intensified scrutiny of Italy’s intelligence services after a parliamentary committee said agencies **AISI** and **AISE** were Paragon customers, even as the government denied targeting legally protected subjects such as journalists. Paragon said it had offered help investigating the alleged surveillance and later cut ties with Italy, but prosecutors in Rome and Naples reportedly have not received the company’s cooperation through formal channels, raising questions about accountability and Israeli assistance in spyware investigations. The dispute echoes earlier battles over Israeli spyware vendors, including **NSO Group’s Pegasus**, which was previously used in WhatsApp-based attacks and became the subject of major litigation and international scrutiny.
May 26, 2026
Targeting of Italian Political Adviser with Paragon Graphite Spyware
Francesco Nicodemo, a prominent Italian political adviser and communications executive, was identified as the fifth Italian individual targeted with Paragon’s Graphite spyware. Nicodemo, who has managed numerous election campaigns and is known for his work with center-left political candidates, was notified by WhatsApp of evidence linking his device to the spyware. The attack was later confirmed by Citizen Lab’s John Scott-Railton, highlighting ongoing concerns about the use of invasive surveillance tools against political figures in Italy. The Italian government has acknowledged using Paragon spyware in some cases but denies involvement in all incidents, particularly those involving journalists. The growing number of unexplained infections, now totaling at least 90 victims notified by WhatsApp, underscores the broader issue of government surveillance and the targeting of individuals involved in politics and elections. Experts have raised alarms about the human rights implications of such spyware, calling for greater transparency and potential bans on its use.
Mar 21, 2026
European Spyware Scandals Involving Predator and Paragon Targeting Journalists and Civil Society
A Greek court sentenced **four Intellexa executives** to **eight years in prison** for their role in the “**Predatorgate**” spyware scandal, which involved use of **Predator** spyware against **90+ public figures**. Prior investigations by **The Citizen Lab** and others documented Predator’s presence in Greece and confirmed infections on devices belonging to journalist **Thanasis Koukakis** and former Meta trust-and-safety manager **Artemis Seaford**, marking a rare case where executives at a mercenary spyware firm faced criminal conviction and prison time. In Italy, prosecutors in Rome and Naples confirmed via a technical report that journalist **Francesco Cancellato** and immigration activists **Giuseppe Caccia** and **Luca Casarini** showed traces consistent with **Paragon Solutions** spyware infections during the early hours of **2024-12-14**, suggesting a coordinated infection campaign. Italian authorities also inspected a Paragon spyware server used by the intelligence agency **AISI** and found evidence of operations against Caccia and Casarini but not against Cancellato, leaving attribution for Cancellato’s compromise unresolved; the case follows **WhatsApp** notifications to roughly **90** people warning they were targeted with Paragon spyware.
Mar 26, 2026