Pegasus

Spyware produced by the Israeli company Paragon, which is financially backed by the United States, has been used to target at least three journalists in Europe, including two senior figures at the Italian investigative platform Fanpage.

The findings, made public by the Canadian research organisation Citizen Lab, point to the ongoing misuse of advanced surveillance technology within democratic countries.

The investigation reveals that Ciro Pellegrino, head of Fanpage’s Naples newsroom, was targeted via a zero-click exploit on his iPhone. He received an alert from Apple on 29 April indicating an attempted intrusion. Subsequent forensic analysis identified the presence of Graphite, a spyware tool developed by Paragon.

Fanpage’s editor-in-chief, Francesco Cancellato, had already disclosed earlier this year that his Android phone was targeted. He was among approximately 90 individuals who received WhatsApp alerts in January, warning them of potential surveillance using Paragon’s software. However, no forensic evidence has yet confirmed whether his device was successfully infected.

A third case involves a European journalist who has not been publicly identified. Citizen Lab stated that this individual was targeted through Apple’s iMessage system using the same Graphite software, which enables remote and surreptitious access to a device. The attack relied on a vulnerability that Apple has since patched.

Citizen Lab, operating from the University of Toronto’s Munk School, described the spyware’s functionality as comparable to NSO Group’s Pegasus tool. Graphite can be deployed without any user interaction and can extract content from applications including Signal and WhatsApp. “There’s no link to click, attachment to download, file to open or mistake to make,” said senior researcher John Scott-Railton. “One moment the phone is yours, and the next minute its data is streaming to an attacker.”

The spyware’s presence on Italian journalists’ devices has intensified scrutiny of Prime Minister Giorgia Meloni’s administration, which previously faced criticism following a Fanpage exposé linking members of the Fratelli d’Italiayouth wing to fascist rhetoric and imagery. Both journalists targeted have contributed to critical reporting on Meloni’s government.

COPASIR, the parliamentary body overseeing Italy’s intelligence services, issued a report last week asserting that Paragon’s tools were not used against Cancellato. The panel confirmed that spyware had been used against civil society actors involved in migrant rescue activities, but claimed these operations were lawful and authorised.

The new forensic findings contradict that conclusion. Natalia Krapiva, legal counsel with Access Now, said the evidence undermines the credibility of the parliamentary investigation. “It casts serious doubt on the adequacy of the oversight mechanisms in place,” she stated.

Calls for a renewed inquiry have come from opposition figures and press freedom advocates. “It is unacceptable in a democratic country that journalists are spied on without knowing the reason,” said Vittorio di Trapani, president of Italy’s national journalists’ union FNSI. “The EU should intervene. The democratic integrity of a founding member state is at risk.”

The European Commission, responding to questions from Members of the European Parliament, said on Wednesday: “Any attempts to illegally access data of citizens, including journalists and political opponents, is unacceptable, if confirmed.” It added that it would use “all tools at its disposal” to ensure EU law is upheld.

Both the Italian government and Paragon have stated that their cooperation has ended, although each offered a different explanation. Paragon claimed it had offered technical assistance to investigate the Cancellato case but that Italian officials declined. Italian authorities, by contrast, said the relationship was terminated due to national security concerns and public pressure.

Paragon has attempted to position itself as a responsible actor within the surveillance industry. The company is backed by former Israeli Prime Minister Ehud Barak and was acquired in late 2024 by the Florida-based firm AE Industrial Partners, in a transaction reportedly valued at over €460 million, pending regulatory approval.

Public records show that Paragon holds contracts with U.S. government agencies, including a €1.85 million agreement signed in September 2024 with the Department of Homeland Security for support services linked to U.S. Immigration and Customs Enforcement. Reports also suggest that the U.S. Drug Enforcement Administration has used Graphite in previous operations.

In 2023, an executive order was issued by the U.S. government prohibiting federal agencies from procuring spyware that had been abused by foreign states to suppress dissent or violate fundamental rights. Although still in effect under President Donald Trump, critics argue that loopholes remain.

Meta, which owns WhatsApp, has taken legal and technical steps against spyware providers. The company said the vulnerability used to deliver Graphite was patched and that it had issued cease-and-desist letters. “We’ve seen first-hand how commercial spyware can be weaponised to target journalists and civil society,” a WhatsApp spokesperson stated. “Companies that facilitate such abuse must be held accountable.”

Citizen Lab maintains that it operates independently and receives no funding from governments or commercial entities. Its findings, now implicating Paragon in successful iPhone infections, raise broader concerns about the surveillance industry’s unchecked influence.

As the European Union faces continued challenges related to spyware abuse, this latest case reinforces the urgency for comprehensive regulation and enforcement mechanisms to safeguard civil liberties within member states.