
TL;DR:
- Citizen Lab confirms that Italian journalist Ciro Pellegrino and another unnamed European journalist were hacked using Paragon’s Graphite spyware.
- New forensic evidence links the attacks to a single Paragon customer, most likely a European government entity.
- The Italian parliamentary committee COPASIR previously denied involvement, but Citizen Lab’s findings cast doubt on that conclusion.
- Apple patched the exploit in iOS 18.3.1, but attacks occurred before that update.
New Spyware Scandal Hits Italian Journalism
Two European journalists have been confirmed as hacked with the controversial Paragon Graphite spyware, escalating an already politically sensitive surveillance scandal. In a new forensic investigation released by Citizen Lab, researchers found definitive traces of spyware infections on the iPhones of Ciro Pellegrino, a journalist with Fanpage, and an unnamed high-profile journalist based in Europe.
Until now, there was no public evidence that Pellegrino had been infected. He had received an Apple alert in April warning of a mercenary spyware attack but without naming the spyware or its vendor.
Citizen Lab’s findings mark the first confirmed infections with Paragon spyware, potentially implicating a European government client.
Background: Who Was Targeted and Why?
Citizen Lab determined that both attacks originated from the same Paragon operator, suggesting state-level coordination. Pellegrino’s colleague, Francesco Cancellato, who leads Fanpage, had also received spyware warnings, implying a targeted campaign against the outlet.
“A week ago it seemed like Italy was putting this scandal to bed. Now they’ll have to reckon with new forensic evidence,” said John Scott-Railton, senior researcher at Citizen Lab.
Pellegrino, who did not work on any high-profile immigration or political investigations, questioned why he was targeted at all. His concern underscores a chilling broader issue: the opaque use of spyware against journalists with no formal legal justification.
Confirmed Graphite Spyware Victims
| Name | Affiliation | Confirmation Method | Linked Source |
| --- | --- | --- | --- |
| Ciro Pellegrino | Fanpage | Forensic Evidence | Citizen Lab |
| Unnamed Journalist | Undisclosed | Forensic Evidence | Citizen Lab |
| Luca Casarini | Mediterranea | Device Analysis | TechCrunch |
| Beppe Caccia | Mediterranea | Device Analysis | TechCrunch |
COPASIR’s Position and Citizen Lab’s Pushback
Italy’s parliamentary intelligence committee COPASIR recently published a report claiming no evidence of unauthorized surveillance on Cancellato. The same report confirmed that Italy’s AISI and AISE spy agencies had been customers of Paragon but did not acknowledge Pellegrino’s case.
Citizen Lab’s report directly challenges COPASIR’s conclusions, suggesting that government transparency remains elusive, and oversight may be insufficient.
“This mystery needs an answer,” said Scott-Railton, emphasizing the Italian government’s responsibility in clarifying the extent of the spyware’s use.
Attack Methodology: Zero-Click iMessage Exploit
The infections leveraged a zero-click iMessage vulnerability, a technique requiring no user interaction and often invisible to the victim. According to Citizen Lab, logs show that both devices communicated with a known Paragon server, confirming the infection vector.
Apple reportedly patched this exploit in iOS 18.3.1, released on February 10, 2025. However, both hacks occurred prior to this date—between January and early February.
Apple did not comment on the report but shared details privately with Citizen Lab.
Growing List of Victims and Government Denials
While Pellegrino and the unnamed journalist are the most recent confirmed cases, at least four other individuals have either confirmed infections or received warning alerts. These include:
- Luca Casarini and Beppe Caccia, both working with Mediterranea Saving Humans.
- David Yambio, linked to immigration activism, was targeted, but the spyware used has not been confirmed.
- Mattia Ferrari, a priest working with Mediterranea, received alerts but was not conclusively targeted.
COPASIR claimed that Yambio was lawfully surveilled under a judicial investigation but not with Graphite. Ferrari’s device, while flagged by WhatsApp, showed no infection signs according to government findings.
What Paragon and the Government Are Saying
Paragon, the Israeli firm behind Graphite, has remained largely silent. Through WestExec Advisors, the company reiterated earlier statements denying any involvement and noting that it cut ties with Italy after the government refused its help in investigating the Cancellato hack.
The Italian government has not issued new statements in light of the Citizen Lab report. A COPASIR spokesperson only pointed to the committee’s earlier findings and reserved the right to reopen investigations.
Implications: Journalist Rights and Accountability
Pellegrino criticized Italian Prime Minister Giorgia Meloni, herself a former journalist, for staying silent and failing to acknowledge or defend press freedoms in light of the revelations.
“My civil rights have been trampled upon,” Pellegrino stated in his interview with TechCrunch.
With trust in government surveillance oversight already fragile, these revelations increase pressure on Italy—and potentially other European states—to disclose spyware use and ensure legal accountability.
Outlook: Further Investigations Incoming
Citizen Lab continues its forensic work, including on the device of Francesco Cancellato, whose case sparked early scrutiny. However, technical challenges—such as Paragon’s self-deleting infection traces and Android’s limited logging—may prevent further confirmations.
What remains clear is this: the abuse of surveillance tools is not confined to authoritarian regimes. European democracies are now being forced to reckon with their own spyware scandals.