Two European journalists were hacked using government spyware made by Israeli surveillance tech provider Paragon, new research has confirmed.
On Thursday, digital rights group The Citizen Lab published a new report detailing the results of a new forensic investigation into the iPhones of Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist. The researchers said both journalists were hacked by the same Paragon customer, based on evidence found on the two journalists’ devices.
Until now, there was no evidence that Pellegrino, who works for online news website Fanpage, had been either targeted or hacked with Paragon spyware. When he was alerted by Apple at the end of April, the notification referred to a mercenary spyware attack, but did not specifically mention Paragon, nor whether his phone had been infected with the spyware.
The confirmation of the first-ever known Paragon infections further deepens an ongoing spyware scandal that, for now, appears to be mostly focused on the use of spyware by the Italian government, but could expand to include other countries in Europe.
These new revelations come months after WhatsApp first notified around 90 of its users in over two dozen countries in Europe and beyond, including journalists, that they had been targeted with Paragon spyware, known as Graphite. Among those targeted were several Italians, including Pellegrino’s colleague and Fanpage director Francesco Cancellato, as well as nonprofit workers who help rescue migrants at sea.
Last week, Italy’s parliamentary committee known as COPASIR, which oversees the country’s intelligence agencies’ activities, published a report that said it found no evidence that Cancellato was spied on. The report, which confirmed that Italy’s internal and external intelligence agencies AISI and AISE were Paragon customers, made no mention of Pellegrino.
The Citizen Lab’s new report puts into question COPASIR’s conclusions.
“A week ago it seemed like Italy was putting this scandal to bed. Now they’ll have to reckon with new forensic evidence,” John Scott-Railton, a senior researcher at The Citizen Lab, told TechCrunch ahead of the report’s publication. “Ciro’s case adds to the big and politically tricky question: Who has been hacking Italian journalists with Paragon spyware? This mystery needs an answer.”
Scott-Railton said The Citizen Lab believes that the Italian government is in a position to definitively answer questions about what was done with their use of Paragon spyware, particularly regarding Ciro’s case.
Pellegrino told TechCrunch that he believes that his civil rights have been “trampled upon.”
“I understand that Prime Minister Meloni is a professional journalist like me (I have been a journalist since 2005, she has since 2006),” Pellegrino told TechCrunch. “Does she care about the rights of this type of workers? Why has she not spent a single word in solidarity with the journalists who have been spied on?”
Contact Us
Do you have more information about Paragon, and this spyware campaign? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
After Cancellato revealed he had been targeted with spyware, the Italian government published a press release denying it was behind the targeting of any journalist or human rights activists.
The fact that both Cancellato and Pellegrino work for the same outlet suggests they may be part of a “cluster” of targets, according to the Citizen Lab report.
Pellegrino said that he did not work on the blockbuster Fanpage investigation into the “Gioventù Meloniana,” a group part of Meloni’s Fratelli d’Italia party, which revealed that some of its members sympathize with fascism. Pellegrino, who is the head of Fanpage’s Naples bureau, also said he hasn’t worked on any investigation about immigration.
“It is possible that someone was hoping to gain information about Fanpage by hacking my smartphone,” said Pellegrino.
The Italian government did not respond to TechCrunch’s request for comment.
A spokesperson for COPASIR referred TechCrunch to the report it published last week and in particular to a section of it that said that the committee “reserves the right to conduct further investigations including after the publication of this report,” including “the alleged mobile device intrusions disclosed by two other journalists in recent weeks.”
Apart from Pellegrino, another journalist in Italy, Monica Macchioni, said in early May that she had received a notification from Apple. It’s likely that COPASIR is referring to her as the second journalist.
Referring to an email TechCrunch sent to Paragon and its executive chairman John Fleming, Emily Horne, who works for WestExec Advisors, said the spyware maker “won’t have anything new on this,” apart from what the company said earlier this week. At the time, Paragon told Israeli newspaper Haaretz that it offered the Italian government help to investigate Cancellato’s alleged hack, but the government refused — and that’s why the company cut ties with Italy.
New forensic evidence emerges
On April 29, 2025, the prominent European journalist received a notification from Apple, the same notification that Pellegrino received and on the same day, according to The Citizen Lab. The lab’s researchers analyzed the unnamed journalist’s devices and found that one of them was infected with Graphite, based on forensic evidence showing that the spyware communicated with a server that the researchers had previously established with “high confidence” was part of Paragon’s infrastructure.
Citizen Lab said the journalist was hacked with “a sophisticated zero-click attack against the device via iMessage,” based on the researchers finding a specific iMessage account “present in the device logs around the same time as the phone was communicating with the Paragon server.”
Zero-click hacks are some of the most effective attacks, given that, as the name suggests, they require no interaction from the target. And in this case, The Citizen Lab said it believed the attack was invisible to the victim.
According to the report, Apple told The Citizen Lab that “the attack deployed in these cases was mitigated in iOS 18.3.1,” which was released on February 10, 2025, some two weeks after WhatsApp notified the targets of Paragon spyware.
Apple did not respond to TechCrunch’s request for comment prior to publication.
In the case of Pellegrino, The Citizen Lab said it found the same iMessage account on his iPhone’s logs. Given that it’s typical for each government customer to have its own spyware infrastructure, The Citizen Lab said it believed Pellegrino and the unnamed journalist were likely targeted by the same Paragon operator.
The unnamed journalist’s iPhone was infected in January and early February, said The Citizen Lab.
According to COPASIR’s report, Paragon and its Italian intelligence customers suspended the company’s surveillance systems on February 14, 2025, which means that the spy agencies AISE and AISI were still using Paragon’s spyware when the prominent European journalist was hacked.
For now, The Citizen Lab has not attributed Pellegrino’s and the other unnamed European journalist’s hacks to any government.
The Citizen Lab noted in the report that it’s possible some of the people who were notified of having been targeted with Graphite by WhatsApp may also have been infected, but, due to the fact that Android has limited logs, as well as “efforts by Paragon to delete traces of the infection,” it may be impossible to confirm that.
Other Graphite victims identified
Apart from Pellegrino and the unnamed journalists, two other people have so far been confirmed to have been targeted with Paragon’s spyware: Luca Casarini and Beppe Caccia, who both work for the Italian nonprofit Mediterranea Saving Humans, which rescues immigrants who try to cross the Mediterranean Sea. The Citizen Lab confirmed both were infected after analyzing their devices. In its report, COPASIR confirmed the two were surveilled by Italian spy agencies.
There are other people who have said they received notifications of having been targeted. Their cases, however, are still somewhat unclear.
David Yambio, a Sudanese citizen and president and co-founder of Refugees in Libya, a nonprofit organization active in Italy that works on immigration issues, received a notification from Apple. After analyzing his device, The Citizen Lab said it found traces of a spyware infection, but could not link the compromise to a particular spyware maker nor any government.
COPASIR said Yambio was lawfully targeted by Italian intelligence agencies, but not with Graphite. COPASIR added that Yambio was under surveillance by the country’s judicial authorities for a criminal investigation. Yambio’s phone was registered to Mattia Ferrari, a priest who collaborates with Mediterranea.
Ferrari also received the spyware notification from WhatsApp. COPASIR, however, said it found no evidence he was targeted with Graphite.
Scott-Railton said that The Citizen Lab forensic and technical analyses are ongoing on all cases, including Cancellato.
Updated on Thursday with a response from COPASIR, and to clarify the second journalist the committee was likely referring to.
