
Paragon Spyware Found on European Journalists' Apple Devices

By Tech Icons
3:01 pm

Israeli Surveillance Tech Compromises iPhones of European Reporters Through Zero-Click Attacks

Three Key Facts

  • First confirmed Paragon spyware infections discovered on Apple devices belonging to at least three European journalists, with over 100 European citizens reportedly under surveillance across multiple EU states
  • Italian government’s contract with Israeli company Paragon concluded this week amid scandal, with intelligence oversight committee acknowledging spyware use while denying knowledge of investigation assistance offers
  • WhatsApp notified approximately 90 users across more than two dozen countries in Europe and beyond of Paragon spyware targeting in recent months

Introduction

Researchers have confirmed the first-ever detection of Paragon spyware on Apple devices, marking a significant escalation in Europe’s growing surveillance crisis. The University of Toronto’s Citizen Lab discovered the Israeli company’s Graphite spyware on phones belonging to European journalists, including Italian reporters from the investigative outlet Fanpage.

The findings expose a sophisticated zero-click attack campaign that requires no user interaction, making detection extremely difficult. This revelation places Paragon alongside notorious surveillance firms like NSO Group in a widening scandal that has engulfed multiple European governments and raised urgent questions about digital rights violations.

Key Developments

Citizen Lab’s forensic analysis identified Paragon’s Graphite spyware on Italian journalist Ciro Pellegrino’s phone, following earlier alerts regarding colleague Francesco Cancellato’s device. Both reporters work for Fanpage, an Italian investigative publication that has faced apparent targeting for its critical coverage.

The investigation revealed that an unnamed European journalist also fell victim to the same surveillance campaign. Forensic evidence indicates, with high confidence, that a single Paragon operator conducted these attacks using a common iMessage account, identified as ATTACKER1, suggesting coordinated targeting across borders.

Apple has since patched the vulnerability exploited in these attacks, designated CVE-2025-43200, in iOS version 18.3.1. The company had previously notified affected users of mercenary spyware attacks through its standard security alert system.

Market Impact

The Paragon revelations highlight the commercial spyware industry’s shift toward zero-click exploits, which represent the most sophisticated and valuable attack methods available. These techniques require no victim interaction, making them highly effective for intelligence operations while remaining virtually undetectable during deployment.

Paragon operates in the “mercenary spyware” sector, selling surveillance capabilities to government clients seeking to monitor specific high-value targets. This business model mirrors that of established players like NSO Group, focusing on targeted operations rather than mass surveillance tools.

The Italian government’s recent contract termination with Paragon signals potential market disruption as regulatory scrutiny intensifies across Europe. Multiple EU member states now face mounting pressure to disclose their surveillance procurement practices and operational frameworks.

Strategic Insights

The targeting pattern reveals strategic focus on journalists and civil society organizations engaged in sensitive reporting or advocacy work. Beyond media professionals, Citizen Lab identified infections on devices belonging to Mediterranea Saving Humans founders Luca Casarini and Giuseppe Caccia, who coordinate Mediterranean sea rescue operations.

According to CyberScoop, this targeting suggests efforts to suppress investigative reporting and monitor humanitarian activities that may conflict with government policies. The surveillance extends to refugee advocacy, with Refugees in Libya co-founder David Yambio receiving spyware notifications, though definitive attribution to Paragon remains under investigation.

Italy’s intelligence oversight committee COPASIR acknowledged using Paragon’s technology while simultaneously expressing concerns about reputational damage from the scandal. This contradiction highlights the political sensitivity surrounding commercial spyware deployment, even when conducted through official channels.

Expert Opinions and Data

John Scott-Railton, senior researcher at Citizen Lab, emphasized Paragon’s failed attempts to maintain a clean reputation. “Paragon is a relatively young company that has tried to present itself as clean and undetectable,” he stated. “Instead, they’ve repeatedly gotten caught and they’re now mired in exactly the kind of scandal that NSO has faced for years.”

The surveillance industry faces increasing criticism from digital rights advocates who warn of systemic abuse. “If you sell mercenary spyware to governments, they are going to use it and potentially abuse it,” Scott-Railton added, highlighting recurring industry-wide problems with accountability and oversight.

Natalia Krapiva from Access Now noted the persistent nature of the crisis. “These new revelations show us that the spyware scandal is not going away, neither for Italy nor for Paragon,” she remarked, pointing to consistent targeting of journalists critical of government actions.

Amnesty International’s Security Lab Head Donncha Ó Cearbhaill described the situation as part of a “worsening digital surveillance crisis across Europe.” His organization’s independent investigation uncovered additional targeting cases involving sea rescue activists, suggesting the scope extends far beyond currently confirmed victims.

The European Parliament has demanded concrete action from the European Commission, citing fundamental rights violations and the need for industry transparency. Despite over a year of recommendations from the PEGA committee investigation, implementation remains stalled while surveillance operations continue expanding across member states.

Conclusion

The confirmation of Paragon spyware on Apple devices represents a watershed moment in Europe’s surveillance accountability crisis. Multiple journalists, human rights defenders, and civil society organizations have faced sophisticated digital intrusion campaigns that bypass traditional security measures through zero-click exploitation techniques.

The Italian intelligence oversight committee’s acknowledgment of Paragon usage, combined with contract termination amid public scandal, demonstrates the political costs of commercial spyware deployment. The targeting of investigative journalists and humanitarian organizations raises serious questions about press freedom and civil liberties protection across European democracies.

The technical sophistication of these attacks, coupled with cross-border coordination and systematic targeting of critical voices, underscores the urgent need for comprehensive regulatory frameworks and industry accountability measures that current European responses have failed to deliver.
