European Journalists Targeted by Paragon Spyware, Citizen Lab Confirms

Researchers have uncovered the first forensic evidence indicating that the iPhones of at least two European journalists were compromised by Graphite, spyware developed by Paragon Solutions. In a report dated June 12, experts from the University of Toronto’s Citizen Lab confirmed, with high confidence, that the devices belonging to an anonymous European journalist and Italian journalist Ciro Pellegrino were infected with this malicious software.

The researchers noted, “We identify an indicator linking both cases to the same Paragon operator.” Apple confirmed to the researchers that the zero-click attack utilized in these incidents exploited a significant vulnerability (CVSSv3 score of 9.8) in iOS. This flaw, designated as CVE-2025-43200, is linked to a logic error when handling maliciously crafted images or videos shared via iCloud Links and has been resolved in the latest version of iOS (18.3.1).

The forensic analysis conducted by Citizen Lab was prompted by an alert from Apple on April 29, 2025, which indicated that a specific group of iOS users had become targets of sophisticated spyware. Following this, two journalists submitted their devices for investigation, leading to the discovery that one journalist’s device had been compromised with Graphite spyware in January and early February 2025 while operating on iOS version 18.2.1.

The researchers expressed high confidence in attributing the breach to Graphite due to logs indicating that the device had made requests to a server, which corresponded with a fingerprint linked to Paragon’s spyware. Pellegrino’s willingness to allow analysis of his devices revealed that the same iMessage account used to target the unnamed journalist was involved in a Graphite zero-click infection attempt.

Furthermore, another journalist, Francesco Cancellato, editor of Fanpage.it, was warned via WhatsApp in January 2025 of attempts to infect his device with Paragon’s Graphite spyware. Forensic analysis of Cancellato’s Android device did not confirm a successful infection.

These revelations follow a report from the Italian government’s parliamentary committee, COPASIR, indicating that the government had previously employed Paragon’s Graphite spyware against individuals Luca Casarini and Giuseppe “Beppe” Caccia. Reports suggest that Paragon had offered to assist in investigating Cancellato, the targeted journalist, but the Italian government declined this offer citing national security concerns. They maintained that cooperation with Paragon could jeopardize their reputation with international peer services and refuted claims that they had mutually dissolved their contract with Paragon, despite the company asserting that their agreements had been unilaterally terminated.

COPASIR clarified its decision to bypass Paragon’s cooperation, opting instead for direct access to Paragon’s databases and expressing intentions to declassify their testimonies to the committee.