Two European journalists had been curious using the government’s spyware conducted by the Israeli Paragon surveillance technology provider, the new research confirmed.
On Thursday, the Digital Rights Group, the Citizen Laboratory, published a new report describing the results of a new forensic investigation into Italian journalist Ciro Pellegrino’s iPhones and an anonymous “prominent” European journalist. The researchers said that both journalists were lost by the same Paragon customer, based on the data found on the devices of the two journalists.
Until now, there were no evidence that Pellegrino, who works for Online news fanpage websitehad either targeted or tired with Paragon spyware. When he was alerted by Apple in late April, the notice referred to a Spyware mercenary attack, but did not specifically mention Paragon, not even if his phone was infected with Spyware.
Confirmation of the first known Paragon infections further deepens an ongoing spyware scandal that now seems to focus on the use of Spyware by the Italian government, but could be expanded to include other European countries.
These new revelations come months after the first notification of WhatsApp about 90 of its users to over two dozen countries in Europe and beyond, including journalists, that they had targeted with Paragon Spyware, known as graphite. Among those targeted were many Italians, including his colleague Pellegrino and director Fanpage Francesco Cancellato, as well as non -profit workers who help rescue immigrants at sea.
Last week, Italy’s Parliamentary Committee, known as Copasir, which oversees the country’s intelligence services, published a report that reported no evidence that Cancellato was spying on. The report, which confirmed that the internal and external intelligence services of Italy and AISE were Paragon customers, did not mention any reference to Pellegrino.
Citizen Lab’s new report calls on Copasir’s conclusions.
“A week ago it seemed that Italy had put this in bed scandal. Now they should calculate with new forensic data,” said John Scott-Railton, a labe researcher at TechCrunch in front of the report. “Ciro’s case adds to the big and politically difficult question: Who has been teased Italian journalists with Paragon Spyware? This mystery needs an answer.”
Scott-Rilton said the citizen workshop believes that the Italian government is able to answer questions about what happened with the use of Paragon Spyware, especially in the case of Ciro.
Pellegrino told TechCrunch that he believes that his political rights have been “violated”.
“I understand that Prime Minister Meloni is a professional journalist like me (I am a journalist since 2005, he has been in 2006),” Pellegrino told TechCrunch. “Does he take care of the rights of this kind of workers? Why hasn’t he spent a single word in solidarity with the journalists who have spying on?”
Contact us
Do you have more information about Paragon and this spyware campaign? From a non-work device, you can contact Lorenzo Franceschi-bicchierai safely on the signal on +1 917 257 1382, or via the telegraph and keybase @lorenzofb or email. You can also contact TechCrunch via securedrop.
After Cancellato revealed that it was targeted with Spyware, the Italian government published a press release that was behind the targeting of any journalist or human rights activists.
The fact that both Cancellato and Pellegrino work for the same exit indicate that it can be part of a “cluster” of targets, according to the Lab Citizen report.
Pellegrino said he did not work for the fanpage research on “Gioventù Meloniana”, a part of Meloni’s Fratelli D’Italia party, which revealed that some of its members were sympathizing with fascism. Pellegrino, who is the head of the Fanpage Naples office, also said he has not worked in any research on migration.
“It is likely that someone was hoping to get information about fanpage with my smartphone piracy,” Pellegrino said.
The Italian government did not respond to TechCrunch’s request for comments.
A Copasir spokesman reported TechCrunch in the report she published last week, and in particular in a part of it, which said the Commission “reserves the right to conduct further investigations, including the publication of this report”, including the “alleged mobile mobile device”.
In addition to Pellegrino, another journalist in Italy, Monica Macchioni, he said in early May that Had received notice from Apple. It is likely that Copasir is referred to as the second journalist.
Referring to an e -mail TechCrunch sent to Paragon and its executive President John Fleming, Emily Horne, who works for Westexec Advisors, said the manufacturer Spyware “will have nothing new to it” except what the company said earlier this week. At that time, Paragon said Israeli newspaper Haaretz That he offered the Italian government to help investigate Cancellato’s supposed hack, but the government refused – and so the company cut ties with Italy.
New forensic items appear
On April 29, 2025, the prominent European journalist received a notice from Apple, the same notice that Pellegrino received and the same day, according to Lab Lab. The researchers at the laboratory analyzed the appliances of the anonymous journalist and found that one of them was infected with graphite, based on forensic evidence showing that Spyware was communicating with a server that the researchers had previously created with “high confidence” was part of the Paragon infrastructure.
The Lab Citizen Lab said the journalist had been tired of “a refined attack with zero -click on the device through the IMESSAGE”, based on researchers finding a specific IMESSAGE account “in the device files around the same time as the phone communicated to the Paragon server”.
Zero -click hacks are some of the most effective attacks, since, as the name suggests, they do not require the interaction from the target. In this case too, Lab Citizen said that it believed that the attack was invisible to the victim.
According to the report, Apple told Lab Citizen Lab that “the attack developed in these cases was tempered on iOS 18.3.1”, which was Released on February 10th 2025About two weeks after Whatsapp has been updated on Paragon Spyware’s goals.
Apple did not respond to TechCrunch’s request for comments before posting.
In the case of Pellegrino, Lab Citizen said it found the same IMESSAGE account in its iPhone logs. Since it is characteristic for each government client to have his own Spyware infrastructure, the Lab Citizen Lab said he believed that Pellegrino and the anonymous journalist were probably targeted at the same Paragon operator.
The anonymous journalist’s iphone was infected in January and early February, Citizen Lab said.
According to Copasir’s report, Paragon and Italian Intelligence clients suspended the company’s surveillance systems on February 14, 2025, which means that espionage organizations and Aisi continued to use Paragon’s spyware when the prominent European journalist had been tired.
For the time being, Lab Citizen has not attributed Pellegrino and the other anonymous European journalist to any government.
The Lab Citizen Lab noted in the report that some of the people who were informed are likely to be targeted by whatsapp may also have been infected, but due to the fact that Android has limited logs, as well as “Paragon’s efforts to delete traces of infection”, it may be impossible to confirm.
Other graphite victims were identified
In addition to Pellegrino and anonymous journalists, two other people have so far been confirmed that they have targeted with Paragon’s Spyware: Luca Casarini and Beppe Caccia, who both work for Italian non -profit Mediterranean saving peoplewhich rescues immigrants trying to cross the Mediterranean Sea. Citizen Lab confirmed that both were infected after analyzing their devices. In his report, Copasir confirmed that the two had undergone Italian espionage agencies.
There are other people who have said that they have received alerts that they have targeted. Their cases, however, are still somewhat unclear.
David Yambio, a Sudanese citizen and president and co -founder of Refugees in LibyaA non -profit organization operating in Italy working on immigration issues has received a notice from Apple. After analyzing his device, Citizen Lab said he found traces of spyware infection, but could not link the compromise to a specific spyware manufacturer or any government.
Copasir said Yambio was legally targeted by Italian intelligence organizations, but not with toner. Copasir added that Yambio was under surveillance by the country’s judicial authorities for criminal investigation. Yambio’s phone was registered with Mattia Ferrari, a priest working with Mediterranea.
Ferrari also received the spyware alert from WhatsApp. Copasir, however, said he had no evidence to target graphite.
Scott-Rilton said Citizen Lab forensics and technical analyzes are ongoing in all cases, including Cancellato.
He was informed on Thursday with a response from Copasir and to clarify the second journalist that the committee may be reported.
