Paragon Graphite
Paragon Solutions · Israel / US
Confidence 5/5
Technical capabilities
Graphite is mercenary spyware focused on accessing instant messaging applications rather than taking complete control of the device, distinguishing it from Pegasus. Per Citizen Lab and Forbes reporting, Paragon publicly framed Graphite as compliant with international human rights norms and only sold to Western government clients.
Per Citizen Lab “Virtue or Vice?” report (March 2025), Paragon used a WhatsApp zero-click exploit chain. Per Citizen Lab “Graphite Caught” report (June 2025), Paragon also deployed an iMessage zero-click attack targeting iOS devices, mitigated by Apple in iOS 18.3.1 and assigned CVE-2025-43200.
Documented victims
WhatsApp notified approximately 90 Paragon spyware targets on January 2025, with Apple following with iOS notifications on April 2025. Forensically confirmed victims include:
- Francesco Cancellato, director of Italian news website Fanpage.it. Italian prosecutors confirmed forensic infection on December 2024.
- Ciro Pellegrino, head of Fanpage.it Naples newsroom. Citizen Lab forensic confirmation June 2025.
- Giuseppe Caccia and Luca Casarini, Italian immigration activists with Mediterranea Saving Humans.
- Husam El Gomati, Italy critic regarding Italy-Libya relations.
- Father Mattia Ferrari, Italian priest with close ties to Pope Francis.
- An anonymous prominent European journalist, forensically confirmed by Citizen Lab June 2025 (running iOS 18.2.1 at time of infection).
Customer states
- Italy: AISE (external intelligence) and AISI (internal intelligence). Government confirmed contract on February 2025. Paragon terminated the contract in February 2025, citing breach of terms of service.
- United States: ICE (Immigration and Customs Enforcement) initial $2M contract paused October 2024, reactivated September 2025. DEA (Drug Enforcement Administration) authorized for use under Biden administration per New York Times.
- Citizen Lab identified suspected government customers in six additional countries not previously publicly named.
Legal and sanctions status
- Not on US Entity List.
- Not subject to OFAC sanctions.
- March 2026: Italian Rome and Naples public prosecutors confirmed in a joint technical report that the phones of Cancellato, Caccia, and Casarini were infected with Paragon spyware in December 2024.
- April 2026: Paragon has not responded to formal information requests from Italian prosecutors despite earlier promises of cooperation.
- Italian Parliamentary Committee for the Security of the Republic (COPASIR) concluded June 2025 that targeting of Caccia and Casarini was lawful, but found no evidence of a hack against Cancellato.
- October 2025: ICE notified members of US Congress that it has used Paragon spyware in drug trafficking cases.
Technical countermeasures
- Update iOS to 18.3.1 or later: mitigates the documented iMessage zero-click exploit (CVE-2025-43200).
- WhatsApp targeting: WhatsApp patched the underlying zero-day vulnerability in early 2025. Keep messaging apps updated.
- Apple Threat Notifications: as with Pegasus and Predator, victims may receive Apple notifications.
- Lockdown Mode recommended for high-risk profiles, especially journalists and human rights defenders.
Sources
- Citizen Lab, Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations (March 2025)
- Citizen Lab, Graphite Caught: First Forensic Confirmation (June 2025)
- Amnesty International, Europe spyware crisis (March 2025)
- TechCrunch, Italian prosecutors confirm Cancellato hack (March 2026)
- Access Now, US ICE Paragon contract reactivation
Update log
March 7, 2026: Entry created. Initial sourcing through Citizen Lab, Amnesty Security Lab, Microsoft Threat Intelligence, Google TAG, Lookout, Kaspersky GReAT, US Treasury OFAC, court documents and investigative press.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
