Paragon Graphite Spyware: The Spy in Your Pocket

Paragon Graphite Spyware: Journalism · Intelligence · Power

The Paragon Graphite spyware case is not only about compromised phones. It exposes a more subtle fracture: surveillance tools sold to states, journalists and activists exposed, foreign private vendors, incomplete logs, and responsibilities that are difficult to reconstruct. The phone becomes the point where national security, press freedom, and democratic oversight enter the same device.


A desk, the low light of a room, a phone left beside a computer. On the screen: a chat, the name of a source, a few unread notifications. Nothing seems out of place.

That ordinary appearance is precisely what makes the case harder to look at. Contemporary spyware does not need a spectacular scene. It does not always ask for a click, does not necessarily leave a visible mark, does not interrupt the day of the person it targets. It can enter while the device continues to look exactly the same.

In the Paragon case, that device is not an isolated object. It is a personal and professional archive: messages, sources, drafts, contacts, encrypted conversations, traces of journalistic work, civic networks. That is why infecting a smartphone does not only concern the privacy of its owner. It also concerns the people who wrote to that person, spoke with them, sent documents, or entrusted them with information.

Paragon Graphite spyware · The smartphone as a vulnerable archive of sources, contacts, and journalistic communications.

Paragon Graphite Spyware: Italy’s Spyware Crisis

The case erupted between 2025 and 2026, after WhatsApp notified around 90 users worldwide that they had been targeted by spyware linked to Paragon. Journalists, activists, and members of civil society were among the profiles involved. In Italy, the government acknowledged that some Italian users were involved, while denying that it had illegally spied on journalists or protected subjects.

The names that entered the public reconstruction are politically sensitive: Francesco Cancellato, editor-in-chief of Fanpage.it; Ciro Pellegrino, a journalist at the same outlet; Luca Casarini and Giuseppe Caccia, linked to Mediterranea Saving Humans; and Roberto D’Agostino, founder of Dagospia, listed by European press freedom organizations among the unresolved cases.

Graphite, developed by Paragon Solutions, belongs to the market of government spyware. It is different from traditional wiretapping. It does not merely follow a phone call or a specific conversation. It can turn a phone into an access surface: chats, archives, contacts, metadata, notifications, encrypted apps, past and future communications.

The issue, then, is not only who was targeted. It is whether the democratic system has enough tools to reconstruct the use of technologies designed to remain invisible.

When the target is a journalist, spyware does not read only one person. It also crosses through their sources.

Paragon Graphite Spyware: Android and iOS

The strongest public reconstruction distinguishes between two technical tracks. The first concerns the Android devices of Francesco Cancellato, Luca Casarini, and Giuseppe Caccia. In March 2026, technical consultants in the Italian investigations identified traces of malware on three Android devices, with anomalies in WhatsApp databases compatible with Graphite’s operation.

The second track concerns iOS and the case of Ciro Pellegrino. Citizen Lab assessed with high confidence that the Fanpage.it journalist was targeted with Paragon’s iOS spyware. The logs included an iMessage account identified as ATTACKER1, also observed in another European case.

This distinction matters. Cancellato should not be placed in the iMessage/ATTACKER1 track. In the more cautious version, his case belongs to the Android/WhatsApp track that emerged from the Italian technical findings in 2026. Pellegrino, by contrast, is the case linked to the iOS/iMessage vector documented by Citizen Lab.

The shared pattern remains: journalists and activists, zero-click tools, opaque infrastructures, and responsibilities that are still not fully clarified.

The Night of December 14, 2024

The most delicate timeline detail comes from the 2026 technical findings. According to public reconstructions, the compromises of the Android devices belonging to Cancellato, Casarini, and Caccia reportedly occurred in the early hours of December 14, 2024. The temporal proximity of the attacks suggests a possible coordinated campaign, although who carried out the attacks is still under investigation.

The sequence touches, within the same time window, the editor of a news outlet and two activists connected to sea rescue operations. An investigative newsroom, an NGO, a politically sensitive issue. It is not enough to prove a single motive, but it defines a perimeter that prosecutors must reconstruct.

Access to the Graphite servers used by AISI adds the most controversial passage. Journalistic reconstructions indicate that the analysis reportedly confirmed operations on the devices of Casarini and Caccia, but did not detect traces referring to Cancellato. Based on public information, the attack against Fanpage’s editor-in-chief has not been attributed to AISI.

This absence does not close the case. If the device shows traces compatible with Graphite, but the inspected servers do not return a corresponding operation, several hypotheses remain open: another operator, a different infrastructure, incomplete logs, missing records, or technical chains that cannot be fully verified.

The problem is not only abuse. It is verifiability.

Paragon Graphite Spyware: The Surveillance Chain

The Paragon case cannot be understood by looking only at the infected phone. The phone is the last visible point in a longer chain: contract, license, authorization, vulnerability, technical infrastructure, vendor, server, logs, device, sources.

Contemporary surveillance does not work as a single action. It works as a chain. When one link remains opaque, responsibility disperses.

Follow The Algorithm · Surveillance Chain

From Contract to Silence

01. State: Invokes national security, crime, terrorism, or emergency.

02. Contract: Buys offensive capabilities from a foreign private vendor.

03. Exploit: Uses vulnerabilities invisible to the user, often zero-click.

04. Server: Routes data and commands through infrastructures that are difficult to attribute.

05. Phone: Becomes an open archive: chats, sources, contacts, notifications, memory.

06. Sources: Surveillance also reaches those who communicate with the target.

07. Silence: Perceived risk reduces trust, testimony, and freedom of speech.

The surveillance chain · State, vendor, exploit, server, logs, and personal device inside the same technical chain.

ATTACKER1 and CVE-2025-43200

The iOS track introduces a decisive technical detail: the CVE-2025-43200 vulnerability. Apple confirmed to Citizen Lab that the observed zero-click attack had been mitigated with iOS 18.3.1 and associated with this vulnerability. The vector exploited Messages and content shared through iCloud Link.

Zero-click means the victim does not have to touch anything. There is no need to open an attachment, follow a link, or reply to a message. The device can be reached through an apparently ordinary channel and compromised without any visible action by the user.

Citizen Lab links Ciro Pellegrino’s case to the iMessage account ATTACKER1. The same indicator appears in another European case. Because each spyware customer usually has dedicated operational infrastructure, the recurrence of the same account suggests a connection between the operations.

Not every responsibility has been defined in judicial terms. But the technical layer indicates a structure, not a random incident. When that structure touches journalists, sources, and newsrooms, the matter stops being only technical.

Paragon Graphite Spyware: The Invisible Newsroom Companion

A smartphone is not a private object in the traditional sense. A journalist’s phone contains contacts, sources, drafts, unpublished messages, communications with lawyers, editors, whistleblowers, intermediaries. An activist’s phone contains operational maps, coordination chats, documents, photographs, movements.

By breaching the device, spyware does not enter a conversation. It enters an organized life. Classic wiretapping follows a stream. Modern spyware can move through the archive, read what has already been written, and prepare to read what will be written next.

For this reason, Graphite cannot be treated as a simple technical evolution of wiretapping. It is a remote, invisible, potentially continuous search. Access to the digital body of the person.

When the target is a journalist, the damage does not concern individual privacy alone. It concerns freedom of information, because every potential source learns a practical lesson: the channel may not be protected.

Censorship does not always need to close a newspaper. Sometimes it is enough to make the channel between a source and a newsroom unsafe.

Fanpage.it and the Effect on Sources

Fanpage.it occupies a central place in the affair. The outlet has published politically sensitive investigations, including investigations into the youth wing of Brothers of Italy. European press freedom organizations have recalled this context when discussing the attack on Francesco Cancellato, while not publicly assigning a definite motive to the targeting.

Caution is necessary. It cannot be claimed that the attack occurred because of those investigations if public evidence does not prove it. The political effect, however, does not depend only on motive.

An editor-in-chief surveilled with spyware changes the behavior of both newsroom and sources. Anyone who has spoken with him may wonder whether their name, number, message, or document ended up in unknown hands. Anyone who was about to do so may stop.

This is the chilling effect: not declared censorship, but induced silence. No formal ban. No newsroom closure. Only the suspicion that the channel is no longer safe.

Mediterranea and the Expansion of National Security

The Italian government acknowledged the use of spyware against Luca Casarini and Giuseppe Caccia, framing it within national security and irregular migration. According to parliamentary documentation reported by Reuters, the surveillance of the two Mediterranea activists was reportedly authorized within the security framework.

The issue does not end with the presence of an authorization. Proportionality remains central. Casarini and Caccia are linked to Mediterranea Saving Humans, an NGO active in sea rescue. Using military-grade spyware against humanitarian activists shifts the boundary between security and dissent.

The category of irregular migration can become an elastic container: crime, logistical networks, political activity, solidarity, and international relations can all be placed inside it. Technology, however, does not change nature depending on the legal label. It remains a tool capable of opening the entire device.

The risk is the normalization of the exceptional instrument. First terrorism, then organized crime, then migration, then activism. Each step can seem justified in the specific case. Over time, however, the perimeter widens.

The Broken Relationship Between Italy and Paragon Graphite Spyware

The relationship between Italy and Paragon Solutions breaks down amid conflicting versions. Some reconstructions indicated that Paragon had ended its contract with Italy after allegations that the spyware had been used against journalists, activists, and members of civil society, in possible violation of contractual terms.

Reuters documented a more complex sequence. Copasir maintained that Italy had first suspended and then terminated the contracts with Paragon after the media outcry. Paragon, by contrast, said it had stopped providing the service and had proposed a technical mechanism to clarify whether the system had been used against Cancellato.

This fracture reveals the paradox of digital sovereignty. The state purchases from a foreign vendor a tool for highly sensitive operations. When suspicion of abuse arises, the vendor defends its reputation, the state invokes national security and secrecy, Parliament receives a filtered version, and prosecutors search for technical evidence in an infrastructure they do not fully control.

Sovereignty becomes operational dependence. Possessing the license is not enough. The technical chain, logs, maintenance, access, and evidence must also be controlled.

Copasir, Secrecy, and Partial Oversight

Copasir is one of the political junctions of the case. On one side, the Parliamentary Committee for the Security of the Republic is the body responsible for overseeing intelligence services. On the other, secrecy limits what can be publicly communicated.

Parliamentary documentation and later reconstructions indicate that Copasir considered the use of Graphite against Casarini and Caccia legitimate, while excluding the involvement of Italian intelligence services in the Cancellato case. This institutional reconstruction still leaves a gap: if Cancellato was targeted, but not through the AISI servers inspected, who did it?

The question does not automatically accuse a specific actor. It exposes a systemic problem. A democracy can tolerate invasive tools only if the chain of authorization, use, audit, and responsibility remains verifiable.

If the investigation stops before missing logs, uncooperative vendors, or separate infrastructures, parliamentary oversight risks becoming partial. And partial oversight is not enough when facing total spyware.

Privacy, the Constitution, and Media Freedom

The Italian Data Protection Authority intervened in February 2025 with an explicit warning: using Graphite or similar systems outside the uses permitted by law violates the Privacy Code and can result in heavy sanctions. This step removes the case from the grammar of intelligence alone.

Spyware is also a personal data processing system. It collects, transfers, organizes, consults, and potentially stores extremely sensitive information. When its use is unlawful, the damage concerns identity, relationships, political orientations, professional communications, legal strategies, and journalistic sources.

The case arrives as the European Union is trying to strengthen media protection through the European Media Freedom Act. The EMFA introduces standards for the protection of editorial independence and journalistic sources, including against intrusive surveillance software.

The problem is operational. It is not enough to have a European rule limiting the use of spyware against journalists. A structure is needed that can establish the abuse, attribute it, document it, and sanction it. Otherwise, the law arrives after the infection, after the compromise of sources, after the loss of trust.

The End of “Ethical” Spyware

Paragon presented itself as a more controlled alternative to the toxic market made infamous by Pegasus and NSO Group. The idea was simple: invasive tools, but sold only to democratic governments; offensive capabilities, but governed by clauses; dangerous technologies, but guided by commercial ethics.

The Italian case wears that promise out. Not because every responsibility has already been definitively established, but because it shows the insufficiency of the model. Spyware can be sold with ethical clauses and still end up at the center of a scandal involving journalists, activists, intelligence services, prosecutors, Parliament, foreign vendors, and European institutions.

Contractual ethics are not enough when the technology enables an invisible search of an entire digital life. Non-alterable logs, independent audits, strengthened authorizations for cases involving journalists, spyware license registries, and clear limits on use against civil society and newsrooms are needed.

Above all, spyware must be recognized as something other than ordinary wiretapping. It is total access.

A democracy can use invasive tools only if it can reconstruct their use. If it cannot, it is not governing surveillance. It is buying it.
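
The "non-alterable logs" and independent audits called for in this section can be made concrete with a hash-chained operation log whose latest hash is deposited with an outside auditor. The sketch below is an added illustration, not code from Paragon, any agency, or this article's sources; the record fields, the placeholder names, and the function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed start of the chain


def entry_hash(prev_hash, record):
    """Bind a record to the hash of the entry before it."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    """Append a record and return the new head hash, which the operator
    deposits with an independent auditor after every write."""
    prev = log[-1]["hash"] if log else GENESIS
    rec = dict(record, seq=len(log))
    log.append({"record": rec, "prev": prev, "hash": entry_hash(prev, rec)})
    return log[-1]["hash"]


def audit(log, anchored_head):
    """Return findings; an empty list means the log matches the anchor."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(log):
        rec = entry["record"]
        if rec.get("seq") != i:
            findings.append(f"position {i}: sequence gap (seq {rec.get('seq')})")
        if entry["prev"] != prev:
            findings.append(f"position {i}: broken link to previous entry")
        if entry_hash(entry["prev"], rec) != entry["hash"]:
            findings.append(f"position {i}: record content altered")
        prev = entry["hash"]
    if prev != anchored_head:
        findings.append("head mismatch: log differs from the anchored state")
    return findings


def sample_log():
    """Constructed sample data: four operations under placeholder names."""
    log, head = [], GENESIS
    for auth, target in [("AUTH-1", "subject-A"), ("AUTH-1", "subject-B"),
                         ("AUTH-2", "subject-C"), ("AUTH-2", "subject-A")]:
        head = append(log, {"authorization": auth, "target": target,
                            "action": "session-start"})
    return log, head


def rewritten_without(log, index):
    """Worst case: drop one entry, then recompute every hash and seq so the
    chain is internally consistent again."""
    forged = []
    for entry in log[:index] + log[index + 1:]:
        rec = {k: v for k, v in entry["record"].items() if k != "seq"}
        append(forged, rec)
    return forged


if __name__ == "__main__":
    log, head = sample_log()
    print("intact:", audit(log, head))
    print("entry deleted:", audit(log[:1] + log[2:], head))
    print("deleted and rewritten:", audit(rewritten_without(log, 1), head))
```

A log that has been rewritten end to end is internally consistent and is caught only because the head hash is held outside the operator's control, which is the independent-audit requirement in technical form.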

The Paragon Graphite spyware case remains open because none of the elements that have emerged is enough, on its own, to close the chain of responsibility.

There are traces compatible with Graphite on devices belonging to journalists and activists. There are operations recognized as legitimate against Casarini and Caccia. There is the Cancellato case, technically confirmed but not attributed to the AISI servers inspected by investigators. There is the iOS track involving Ciro Pellegrino, documented by Citizen Lab. There is a broken relationship between Italy and Paragon, with divergent versions. There is a foreign vendor that does not appear to have delivered all the answers requested by Italian investigators.

The picture does not produce a simple conclusion. It produces a structural problem.

Spyware of this category does not follow only one conversation. It enters a device containing work, sources, memory, relationships, archives, past and future communications. For this reason, when the target is a journalist, the potential damage does not concern individual privacy alone. It concerns the infrastructure of information itself.

The democratic response cannot be limited to determining whether a single use was authorized. It must determine whether the system is controllable. Without registries, audits, verifiable logs, and clear limits, surveillance remains more advanced than the oversight meant to contain it.


Essential timeline

From the First Attack to the 2026 Investigations

December 14, 2024

According to the 2026 technical reconstructions, the Android devices of Francesco Cancellato, Luca Casarini, and Giuseppe Caccia showed compromises compatible with Graphite in the same time window.

January-February 2025

WhatsApp notified around 90 users worldwide that they had been targeted by spyware linked to Paragon. Journalists and members of civil society were among the profiles involved.

February 14, 2025

The Italian Data Protection Authority warned that the use of Graphite or similar systems outside the limits of the law violates the Privacy Code and can lead to heavy sanctions.

June 2025

Citizen Lab confirmed the iOS case of Ciro Pellegrino and linked the attack to Graphite, the ATTACKER1 indicator, and the CVE-2025-43200 vulnerability.

June 2025

Reuters reported the end of the relationship between Italy and Paragon, with divergent versions from Italian institutions and the company about how the break occurred.

March 5, 2026

The technical consultancy in the Italian investigations identified traces compatible with Graphite on three Android devices. Access to AISI servers confirmed operations on Casarini and Caccia, but not on Cancellato.

March 2026

MFRR/ECPMF flagged Italy as a critical European case for spyware surveillance against journalists.

Glossary

Key Terms in the Case

Graphite

Spyware produced by Paragon Solutions and associated with the compromise of mobile devices.

Paragon

Israeli company active in the government spyware market.

Zero-click

An attack that requires no interaction from the victim.

ATTACKER1

iMessage account identified by Citizen Lab in the iOS track linked to Ciro Pellegrino.

CVE-2025-43200

Apple vulnerability associated with the iOS attack and mitigated with iOS 18.3.1.

BIGPRETZEL

Technical indicator associated by Citizen Lab with Android cases attributed to Graphite.

AISI

Italy’s domestic intelligence agency.

Copasir

Parliamentary Committee for the Security of the Republic.

EMFA

European Media Freedom Act, the EU regulation on media freedom and protection of sources.


Quick Answers

What is the Paragon Graphite spyware case in Italy?

It is the case involving the use of Graphite spyware, produced by Paragon Solutions, against journalists and activists in Italy. Investigations found traces compatible with Graphite on Android devices belonging to Francesco Cancellato, Luca Casarini, and Giuseppe Caccia; Citizen Lab separately documented the iOS case of journalist Ciro Pellegrino.

Why does the case concern press freedom?

Because spyware on a journalist’s phone can expose sources, messages, drafts, contacts, and confidential communications. Surveillance does not affect only the infected person, but the entire information network around them.

Did AISI spy on Francesco Cancellato?

According to public information, access to the Graphite servers used by AISI confirmed operations on the devices of Casarini and Caccia, but did not detect traces referring to Cancellato. Prosecutors continue to investigate unknown persons to clarify who carried out the attack.

Why is Graphite different from ordinary wiretapping?

Ordinary wiretapping follows a communication stream. Spyware like Graphite can instead turn the phone into an accessible archive, including messages, encrypted apps, past data, and future communications.
