European journalists hacked with Israeli spyware, new investigation finds

Two European journalists, including Italian reporter Ciro Pellegrino, have been confirmed as victims of sophisticated spyware attacks using surveillance technology developed by Israeli firm Paragon Solutions. This is according to a new investigation by digital rights watchdog The Citizen Lab.

Published Thursday, the report details a forensic analysis of the journalists’ iPhones and confirms the use of Paragon’s spyware, known as Graphite, in the hacks. The findings mark the first publicly confirmed infections involving Paragon's tools, which had previously only been linked to attempted attacks via WhatsApp and Apple threat notifications.

The report identifies Pellegrino, who heads the Naples bureau of Fanpage, an Italian investigative news site, and an unnamed “prominent” European journalist as having been targeted by the same Paragon customer, suggesting a coordinated surveillance effort. The Citizen Lab linked the spyware to an infrastructure previously attributed to Paragon with “high confidence.”

Zero-click exploits and iMessage intrusions

According to the report, the journalists were infected through a zero-click exploit, an advanced technique that allows spyware to be installed without any action from the target. In both cases, forensic traces showed a malicious iMessage account was used to deliver the attack. Apple confirmed the underlying vulnerability was patched in iOS 18.3.1, released in February 2025.

Pellegrino had received a generic spyware alert from Apple in late April but had no prior confirmation that his phone was actually compromised, or that Paragon was involved, until Citizen Lab's findings.

The same day Pellegrino received the Apple alert, the second journalist was also notified. Forensic evidence confirmed their device had communicated with Paragon-linked servers in January and February of this year, a period during which Italy’s spy agencies were still using the spyware, according to a recent Italian parliamentary report.

Italy’s role under scrutiny

The revelations have reignited scrutiny of Italy’s intelligence services and their relationship with Paragon. The country’s parliamentary oversight committee, COPASIR, confirmed last week that Italy’s internal and external intelligence agencies — AISI and AISE — were Paragon clients. However, it denied any involvement in spying on Fanpage director Francesco Cancellato, another journalist who had previously received spyware alerts.

Broader pattern of targeting

The case is part of a broader pattern. WhatsApp previously notified around 90 users globally, including journalists and human rights defenders, that they were targeted with Paragon’s spyware. Among them were other Italians, including Cancellato and members of Mediterranea Saving Humans, a nonprofit that rescues migrants in the Mediterranean.

Citizen Lab confirmed that Mediterranea’s Luca Casarini and Beppe Caccia were both infected. COPASIR admitted those surveillances were carried out by Italian intelligence but insists they were lawful.

Meanwhile, other individuals, such as Sudanese activist David Yambio and Italian priest Mattia Ferrari, also received spyware alerts. Though forensic analysis revealed signs of intrusion on Yambio’s device, the Citizen Lab could not conclusively link it to Paragon. COPASIR claims that surveillance on Yambio was conducted legally by judicial authorities and involved different spyware.

Unanswered questions

Despite mounting evidence, the Italian government has yet to respond to the latest findings. Paragon Solutions, through a spokesperson, declined to comment beyond a previous statement to Israeli media that it had offered to assist the Italian government in investigating the hacks but cut ties when the offer was refused.