The issue of spyware compromising the devices of journalists is back in the news headlines, after a warning from Canadian security researchers.

Researchers at the University of Toronto’s Citizen Lab revealed that Graphite, advanced iOS spyware from Paragon, had targeted at least three prominent journalists in Europe, two of whom are editors at an investigative news site in Italy called Fanpage.it.

It comes after WhatsApp warned in February 2025 that dozens of WhatsApp users, including journalists and other members of civil society, had been targeted by hacking activity from spyware maker Paragon Solutions.

Journalist devices

WhatsApp at the time had said it had “high confidence” that some 90 users had been targeted and may have been compromised, but it could not identify the Paragon clients that had launched the attacks (Paragon says it only sells to governments).

Now, three months after the WhatsApp warning, Citizen Lab has warned that more journalists have been targeted.

“On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware,” it wrote. “Among the group were two journalists that consented for the technical analysis of their cases.”

Citizen Lab said its analysis found forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.

Citizen Lab said it had identified an indicator linking both cases to the same Paragon operator, and that Apple confirmed the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200.

Citizen Lab then detailed the cases, including that of Ciro Pellegrino – a journalist and head of the Naples newsroom at Fanpage.it. On 29 April 2025, Pellegrino received an Apple notification and sought the technical assistance of Citizen Lab.

“We analysed artifacts from Mr. Pellegrino’s iPhone and determined with high confidence that it was targeted with Paragon’s Graphite spyware,” it said. “Our analysis of the device’s logs revealed the presence of the same ATTACKER1 iMessage account used to target the journalist from Case 1, which we associate with a Graphite zero-click infection attempt.”

Meanwhile Pellegrino’s close colleague and Fanpage.it editor, Francesco Cancellato, had been notified in January 2025 by WhatsApp that he was targeted with Paragon’s Graphite spyware.

Whodunit?

Paragon says it sells only to government customers, prompting questions about the government of Italian Prime Minister Giorgia Meloni.

“Any attempts to illegally access data of citizens, including journalists and political opponents, is unacceptable, if confirmed,” the European Commission said in a statement Wednesday in response to questions from members of parliament, the Associated Press reported. “The Commission will use all the tools at its disposal to ensure the effective application of EU law.”

Meloni’s office declined to comment Thursday, but a prominent member of her Cabinet reportedly said that Italy “rigorously respected” the law and that the government hadn’t illegally spied on journalists.

Reuters meanwhile noted that the Fanpage.it investigative news site has previously published critical coverage of Meloni’s government, notably an exposé tying her party’s youth wing to neo-Nazi activity.

But Reuters also noted that on Monday, the Italian government and Paragon had announced that they were no longer working together, both offering conflicting explanations about who fired whom.

NSO scandal

Spyware companies such as Paragon and NSO Group say their software is for use in fighting crime and protecting national security, but such tools have been repeatedly found to have compromised the devices of journalists, activists and politicians, raising questions around their proliferation.

NSO Group and its Pegasus spyware, for example, became notorious within cybersecurity circles a few years back.

The legal trouble for NSO began in October 2019, when Meta’s WhatsApp sued the Israeli firm and alleged that NSO was behind the cyberattack that had infected 1,400 WhatsApp users with advanced surveillance hacks in May 2019.

Matters became even more serious in December 2020, after a report by Citizen Lab alleged that dozens of Al Jazeera journalists had been hacked with the help of Pegasus, by exploiting a vulnerability in the iPhone operating system.

Worse was to come in July 2021, when the Pegasus Project (a collaboration of more than 80 journalists and media organisations) alleged that NSO’s Pegasus had been used “to facilitate human rights violations around the world on a massive scale.”

It allegedly uncovered evidence that the phone numbers for 14 heads of state, including French President Emmanuel Macron, Pakistan’s Imran Khan and South Africa’s Cyril Ramaphosa, as well as 600 government officials and politicians from 34 countries, had appeared in a leaked database at the heart of the investigative project.

In December 2024 WhatsApp won a significant legal ruling against NSO Group, with a US federal judge in California ruling the Israeli firm illegally hacked into WhatsApp’s systems to plant spyware on the phones of some 1,400 targeted people.