Two European journalists were hacked using spyware developed by Israeli surveillance company Paragon, according to new research by digital rights group Citizen Lab.
The investigation revealed that Italian journalist Ciro Pellegrino and another unnamed European journalist were both targeted by the same Paragon customer.
Pellegrino, who works for the online news outlet Fanpage, was alerted by Apple in April 2025 about a mercenary spyware attack, though the notification did not name Paragon specifically. Citizen Lab later confirmed that Pellegrino’s device had been infected with Paragon’s spyware, known as Graphite.
The unnamed journalist also received a similar alert from Apple on the same day as Pellegrino. Forensic analysis showed that this journalist’s device communicated with a server previously linked to Paragon. The spyware used a zero-click exploit via iMessage, meaning no user interaction was needed for the infection to occur.
Citizen Lab found the same iMessage account on both journalists’ devices, suggesting that the same operator targeted them. The infections occurred in January and February 2025. Italy’s intelligence agencies AISI and AISE were confirmed Paragon customers, and COPASIR, the country’s intelligence oversight committee, stated that surveillance systems using Paragon were suspended on February 14, 2025.
COPASIR had earlier denied that Pellegrino’s colleague, Fanpage director Francesco Cancellato, was spied on. However, Citizen Lab’s findings now question COPASIR’s conclusions.
The journalists’ targeting follows earlier incidents where WhatsApp notified 90 users, including journalists and human rights workers, of attempted hacks using Graphite. This included individuals involved in rescue operations for migrants in the Mediterranean.
Citizen Lab also confirmed that Luca Casarini and Beppe Caccia from Mediterranea Saving Humans were infected with Graphite. In another case, David Yambio, president of Refugees in Libya, received an alert from Apple, and traces of spyware were found on his phone. However, the spyware could not be linked to a specific company.
Mattia Ferrari, a priest collaborating with Mediterranea, also received a spyware alert but was not confirmed to be infected. COPASIR said Yambio was under lawful surveillance but not with Graphite.
Citizen Lab continues to investigate other reported cases, including Cancellato’s, to determine the full scope of the spyware campaign.
