{
	"id": "2b5121f5-5165-40ba-a618-bf7d66cc2bbf",
	"created_at": "2026-04-06T00:20:21.36302Z",
	"updated_at": "2026-04-10T13:12:25.401398Z",
	"deleted_at": null,
	"sha1_hash": "58e3d0ee843ce4355edf4ad424db575558e2bbc7",
	"title": "Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 608289,
	"plain_text": "Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab\r\nArchived: 2026-04-05 16:28:03 UTC\r\nIntroduction\r\nOn April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of their cases. The key findings from our forensic analysis of their devices are summarized below:\r\nOur analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon’s Graphite mercenary spyware.\r\nWe identify an indicator linking both cases to the same Paragon operator.\r\nApple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200.\r\nOur analysis is ongoing.\r\nCase 1: Prominent European Journalist\r\nWe analyzed Apple devices belonging to a prominent European journalist who has requested to remain anonymous. On April 29, 2025, this journalist received an Apple notification and sought technical assistance.\r\nOur forensic analysis concluded that one of the journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1. We attribute the compromise to Graphite with high confidence because logs on the device indicated that it made a series of requests to a server that, during the same time period, matched our published Fingerprint P1. We linked this fingerprint to Paragon’s Graphite spyware with high confidence.\r\nGraphite spyware server contacted by the journalist’s device:\r\nhttps://46.183.184[.]91/\r\nThe server appears to have been rented from VPS provider EDIS Global. The server remained online and continued to match Fingerprint P1 until at least April 12, 2025.\r\nhttps://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/\r\nPage 1 of 8\r\nFigure 1. Censys result for the IP address contacted by the journalist’s phone during the infection period.\r\nWe identified an iMessage account present in the device logs around the same time as the phone was communicating with the Paragon server 46.183.184[.]91. We redact the account and refer to it as ATTACKER1. Based on our forensic analysis, we conclude that this account was used to deploy Paragon’s Graphite spyware using a sophisticated iMessage zero-click attack. We believe that this infection would not have been visible to the target. Apple confirms to us that the zero-click attack deployed here was mitigated as of iOS 18.3.1 and has assigned CVE-2025-43200 to this zero-day vulnerability.\r\nCase 2: Ciro Pellegrino\r\nCiro Pellegrino is a journalist and head of the Naples newsroom at Fanpage.it, where he has reported on numerous high-profile cases. On April 29, 2025, Mr. Pellegrino received an Apple notification and sought our technical assistance.\r\nWe analyzed artifacts from Mr. Pellegrino’s iPhone and determined with high confidence that it was targeted with Paragon’s Graphite spyware. Our analysis of the device’s logs revealed the presence of the same ATTACKER1 iMessage account used to target the journalist from Case 1, which we associate with a Graphite zero-click infection attempt.\r\nFigure 2. Attribution to Paragon’s Graphite spyware via artifacts found on the devices of Ciro Pellegrino and the unnamed prominent European journalist.\r\nIt is standard for each customer of a mercenary spyware company to have its own dedicated infrastructure. Thus, we believe that the ATTACKER1 account would be used exclusively by a single Graphite customer / operator, and we conclude that this customer targeted both individuals.\r\nOur forensic analyses of these attacks, and Paragon’s iOS capabilities, are ongoing.\r\nThe Fanpage.it Paragon Cluster\r\nMr. Pellegrino’s close colleague and Fanpage.it editor, Francesco Cancellato, was notified in January 2025 by WhatsApp that he was targeted with Paragon’s Graphite spyware.\r\nThe Citizen Lab has been conducting forensic analysis of Mr. Cancellato’s Android device. However, as of our initial report, we were unable to obtain forensic confirmation of a successful infection of Mr. Cancellato’s Android. As we explained at the time: “Given the sporadic nature of Android logs, the absence of a finding of BIGPRETZEL on a particular device does not mean that the phone wasn’t successfully hacked, simply that relevant logs may not have been captured or may have been overwritten.”\r\nFollowing Mr. Cancellato’s case, the identification of a second journalist at Fanpage.it targeted with Paragon suggests an effort to target this news organization. This appears to be a distinct cluster of cases that warrants further scrutiny.\r\nStatements by Paragon and the Italian Government\r\nOn June 5, 2025, the Italian government’s parliamentary committee overseeing Italy’s intelligence services (COPASIR: Comitato Parlamentare per la Sicurezza della Repubblica) published the report of their inquiry into the Paragon affair in Italy.\r\nThe report acknowledged that the Italian government had used Paragon’s Graphite spyware against Luca Casarini and Dr. Giuseppe “Beppe” Caccia, the two individuals where we found forensic evidence of Graphite present (via the BIGPRETZEL Android indicator). However, the report stated that they were unable to determine who might have targeted Mr. Cancellato with Graphite.\r\nOn June 9, 2025, Haaretz reported that Paragon had offered to assist the Italian government in investigating the case of Mr. Cancellato, an offer that they say was rejected by the Italian government. Paragon also suggested that they had unilaterally terminated Italy’s contracts.\r\nIn response later that day, the Italian Department of Security Intelligence (DIS: Dipartimento delle Informazioni per la Sicurezza), which coordinates Italy’s intelligence services, stated that it had rejected Paragon’s offer because of national security concerns with exposing their activities to Paragon. They stated that providing Paragon such access would impact the reputation of Italy’s security services among peer services around the world. They denied that the contract termination was unilateral. Later the same day, the COPASIR committee stated that they had chosen not to proceed with Paragon’s offer, but instead elected to directly query the Paragon databases, having deemed the approaches to be equivalent.[1] The committee also stated a willingness to declassify Paragon’s testimony to the committee.\r\nResponse from Paragon Solutions\r\nOn June 10, 2025, we sent a summary of our latest findings to Paragon Solutions and offered them the opportunity to reply, which we undertook to publish in full. As of the time of publication we have not received a response.\r\nEurope’s Continuing Spyware Crisis: Journalists at Risk\r\nAt the time of publishing, three European journalists have been confirmed as targets of Paragon’s Graphite mercenary spyware. Two of these confirmations are now forensically based, and the third follows from a notification by Meta. Yet to date, there has been no explanation as to who is responsible for spying on these journalists.\r\nFurthermore, the confirmation of a second case linked to a specific Italian news outlet (Fanpage.it) adds urgency to the question of which Paragon customer is responsible for this targeting, and pursuant to what legal authority (if any) this targeting took place.\r\nThe lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat, and underlines the dangers of spyware proliferation and abuse.\r\nOur analysis of Paragon targeting on iOS and Android is ongoing. We thank Access Now for their support.\r\nHave You Received a Warning?\r\nIf you are a journalist, human rights defender, or other member of civil society and received a spyware warning from Apple, Meta, WhatsApp, Google or others, take it seriously and seek expert assistance.\r\nHere is an example of one such notification:\r\nFigure 3. An excerpt of the Apple threat notification received by Ciro Pellegrino that triggered our investigation.\r\nOrganizations like Access Now and their Digital Security Helpline can assist you in understanding the attack, and quickly taking the next steps to increase your device security. We work with Access Now to ensure that cases get expert support. Similarly, the Security Lab at Amnesty International also maintains a resource and investigative contact point for notification recipients.\r\nAppendix: Confirmed Paragon Targeting in Italy, Current Knowledge\r\nAs there are now multiple cases and reports of Paragon targeting and infection, we are providing a table with an overview of each case, along with the associated evidentiary basis. Importantly, we use the term “Targeted” to describe an individual being selected for infection by a Paragon operator and reserve “Infected” to describe a forensic confirmation of a successful infection. In many cases, full forensic findings may not be available even in cases where an infection has likely happened, due to limitations in logs and efforts by Paragon to delete traces of the infection.\r\nFor example, Mr. Caccia is doubly confirmed as a Paragon target from both WhatsApp’s notification and Citizen Lab’s previously published forensic analysis. Additionally, we were able to identify specific dates that BIGPRETZEL was on his device, helping to illuminate the timeframe of the Paragon infection.\r\nMeanwhile, Mr. Cancellato is confirmed as a Paragon target via a notification from WhatsApp, but our Citizen Lab analysis has yet to identify forensic evidence on the device providing additional information about Paragon targeting or infection. This is not necessarily surprising given forensic limitations when conducting research on Android devices.\r\nThe following table summarizes these cases:\r\nName | Type of notification received \u0026 notification type | Device forensic analysis confirms Paragon targeting | Additional forensic findings concerning Paragon infection(s)\r\nCiro Pellegrino | Notification from Apple: Targeted with unspecified advanced spyware | Yes. Citizen Lab found artifacts on the Apple device that we attribute with high confidence to Paragon spyware targeting. | Presence of ATTACKER1 iMessage account that we link to a customer of Paragon’s spyware.\r\n“Prominent European Journalist” | Notification from Apple: Targeted with unspecified advanced spyware | Yes. Citizen Lab found artifacts on the Apple device that we attribute with high confidence to Paragon spyware targeting. | Graphite infection present in January and early February 2025 (exact dates redacted). Communication with https://46.183.184[.]91, a server that we attribute to a Paragon customer. Presence of ATTACKER1, an iMessage account we attribute to a Paragon customer.\r\nLuca Casarini | Notification from WhatsApp: Targeted with Paragon’s Spyware | Yes. Citizen Lab found artifacts on the Android device that we attribute with high confidence to Paragon spyware targeting. | Graphite infection present on seven dates between 2024-12-22 – 2025-01-31 (BIGPRETZEL present)\r\nGiuseppe Caccia | Notification from WhatsApp: Targeted with Paragon’s Spyware | Yes. Citizen Lab found artifacts on the Android device that we attribute with high confidence to Paragon spyware targeting. | Graphite infection present on 2024-12-23 (BIGPRETZEL present)\r\nFrancesco Cancellato | Notification from WhatsApp: Targeted with Paragon’s Spyware | Not at this time, analysis ongoing. | \r\nIn addition to the cases listed above, two individuals have been described in our prior reporting: David Yambio and Father Mattia Ferrari. At the time of writing this report neither individual has been confirmed as a Paragon mercenary spyware target, although both are connected to the cases listed above.\r\nName | Type of notification received \u0026 notification type | Device forensic finding\r\nDavid Yambio | Notification from Apple: Targeted with unspecified advanced spyware | Citizen Lab confirmed that the device was targeted with spyware, and affirms the presence of the SMALLPRETZEL forensic indicator. Compromise was not attributed to a specific actor, but the report notes proximity to multiple Paragon targets.\r\nFather Mattia Ferrari | Notification from Meta: targeted by a “sophisticated attacker” | Not at this time, analysis ongoing.\r\nNote on Research Ethics\r\nAll research involving human subjects conducted at the Citizen Lab is governed under research ethics protocols reviewed and approved by the University of Toronto’s Research Ethics Board.\r\nThe Citizen Lab does not take general or unsolicited inquiries related to individual concerns regarding information security and cannot provide individual assistance with security concerns.\r\nAcknowledgements\r\nWe wish to acknowledge the victims that chose to work with us and graciously consented to have their cases discussed. Without them, such research would not be possible. Their participation contributes to our collective digital security.\r\nWe thank our Citizen Lab colleagues, especially Bahr AbdulRazzak for technical investigative support, and Siena Anstis, Rebekah Brown, M. Scott and Adam Senft for review, editing and feedback, and Alyson Bruce for editing and communications support.\r\nResearch for this project was supervised by Professor Ronald J. Deibert.\r\nSpecial thanks to TNG.\r\nWe thank Access Now for their support.\r\nSource: https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/"
	],
	"report_names": [
		"first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted"
	],
	"threat_actors": [
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434821,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58e3d0ee843ce4355edf4ad424db575558e2bbc7.pdf",
		"text": "https://archive.orkl.eu/58e3d0ee843ce4355edf4ad424db575558e2bbc7.txt",
		"img": "https://archive.orkl.eu/58e3d0ee843ce4355edf4ad424db575558e2bbc7.jpg"
	}
}