{
	"id": "b47ee4c3-2dc5-49ae-9cb1-7d9322995de0",
	"created_at": "2026-04-06T01:32:20.922554Z",
	"updated_at": "2026-04-10T03:36:44.752486Z",
	"deleted_at": null,
	"sha1_hash": "e6d3454247a42ef39f4ce2d1879b95b899f9ce0d",
	"title": "Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 461642,
	"plain_text": "Virtue or Vice? A First Look at Paragon’s Proliferating Spyware\r\nOperations - The Citizen Lab\r\nArchived: 2026-04-06 00:50:17 UTC\r\nKey Findings\r\nIntroducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called\r\nGraphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware\r\nabuses that NSO Group and other vendors are notorious for.\r\nInfrastructure Analysis of Paragon Spyware. Based on a tip from a collaborator, we mapped out server\r\ninfrastructure that we attribute to Paragon’s Graphite spyware tool. We identified a subset of suspected\r\nParagon deployments, including in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. \r\nIdentifying a Possible Canadian Paragon Customer. Our investigation surfaced potential links between\r\nParagon Solutions and the Canadian Ontario Provincial Police, and found evidence of a growing ecosystem\r\nof spyware capability among Ontario-based police services.\r\nHelping WhatsApp Catch a Zero-Click. We shared our analysis of Paragon’s infrastructure with Meta,\r\nwho told us that the details were pivotal to their ongoing investigation into Paragon. WhatsApp discovered\r\nand mitigated an active Paragon zero-click exploit, and later notified over 90 individuals who it believed\r\nwere targeted, including civil society members in Italy.\r\nAndroid Forensic Analysis: Italian Cluster. We forensically analyzed multiple Android phones belonging\r\nto Paragon targets in Italy (an acknowledged Paragon user) who were notified by WhatsApp. We found\r\nclear indications that spyware had been loaded into WhatsApp, as well as other apps on their devices. \r\nA Related Case of iPhone Spyware in Italy. We analyzed the iPhone of an individual who worked closely\r\nwith confirmed Android Paragon targets. This person received an Apple threat notification in November\r\n2024, but no WhatsApp notification. 
Our analysis showed an attempt to infect the device with novel\r\nspyware in June 2024. We shared details with Apple, who confirmed they had patched the attack in iOS 18.\r\nOther Surveillance Tech Deployed Against The Same Italian Cluster. We also note 2024 warnings sent\r\nby Meta to several individuals in the same organizational cluster, including a Paragon victim, suggesting\r\nthe need for further scrutiny into other surveillance technology deployed against these individuals.\r\n1. Background: Paragon Solutions\r\nThis section provides a brief background on Paragon’s corporate structure.\r\nParagon Solutions Ltd.\r\nParagon Solutions Ltd. was established in Israel in 2019. The founders of Paragon include Ehud Barak, the former\r\nIsraeli Prime Minister, and Ehud Schneorson, the former commander of Israel’s Unit 8200. Paragon sells a\r\nspyware product called Graphite, which reportedly provides “access to the instant messaging applications on a\r\ndevice, rather than taking complete control of everything on a phone,” like NSO Group’s Pegasus spyware.\r\nhttps://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/\r\nPage 1 of 18\n\nAccording to a Forbes report from 2021, a senior executive at Paragon said the company would only sell to\r\ngovernment customers who “abide by international norms and respect fundamental rights and freedoms” and that\r\n“authoritarian or non-democratic regimes would never be customers.”\r\nParagon Solutions (US) Inc.\r\nParagon Solutions (US) Inc. was established as a Delaware corporation in March 2021. 
In October 2022, Paragon\r\nUS obtained a certificate to conduct business in Virginia.\r\nParagon US’s senior leadership is composed of American personnel with links to the US government, including a\r\nCIA veteran, a former service member and Navy program director who also worked at Twitter, and a former\r\ndirector of contracts at the defense contractor L3Harris.\r\nParagon Parent Inc.\r\nAccording to corporate records, on December 13, 2024, all shares in Paragon Israel were transferred to a US\r\ncompany, Paragon Parent Inc. This deal was reportedly worth $500 million upfront, with an additional $400\r\nmillion payable if Paragon Israel reached set performance targets.\r\nParagon Parent Inc. was registered in Delaware on October 7, 2024. Shareholder information for Paragon Parent is\r\nnot publicly available, though reporting suggests that US private equity firm AE Industrial Partners (AEI)\r\nacquired Paragon Israel with the intention of merging it with US cybersecurity company REDLattice Inc.1 The\r\nreported merger further bolsters Paragon’s high-ranking intelligence and military connections. According to recent\r\nSEC filings, board members of the REDLattice company, REDL Ultimate Holdings (a company linked to\r\nRedLattice according to corporate records), include Andrew Boyd, a former senior executive at the CIA and US\r\nAir Force, and James McConville, the former Chief of Staff of the US Army.\r\nParagon’s US Business\r\nWhile the specific nature of the relationship between Paragon Solutions (US) Ltd. and Paragon Parent Inc. is\r\nhard to discern, the presence of Paragon Solutions in the US marketplace is noteworthy. In 2022, the New York\r\nTimes reported that the Drug Enforcement Administration (DEA) had used Paragon’s Graphite spyware. 
On the\r\nother hand, recent contracting between Immigration and Customs Enforcement (ICE) and Paragon Solutions was\r\nreportedly paused under White House review at the end of 2024. Notably, at least 36 civil society organizations\r\nexpressed concern and called for transparency after this contract was first reported by Wired. The status of that\r\ncontract is currently unknown.\r\n2. Mapping Paragon’s Infrastructure\r\nOur initial investigation into Paragon began with mapping infrastructure that we believe Paragon and its\r\ngovernment customers use to carry out or support spyware attacks. We found that this infrastructure included cloud-based servers likely rented by Paragon and/or its customers, as well as servers likely hosted on the premises of\r\nParagon and its government customers.\r\nTier 1: Victim-Facing Servers\r\nIn 2024, we received a tip from a collaborator about a single piece of infrastructure: a domain name pointing to a\r\nserver that also returned several distinctive self-signed TLS certificates. The certificates had multiple curious\r\nelements, including various pieces of missing information and a distinctive naming scheme. 
We developed\r\nFingerprint P1 for these certificates:\r\nFingerprint P1:\r\nparsed.validity_period.length_seconds=31536000 and\r\nparsed.extensions.subject_alt_name.dns_names=/.+/ and not\r\nparsed.extensions.subject_alt_name.uniform_resource_identifiers=/.+/ and not\r\nparsed.extensions.key_usage.value=[0 to 255] and not\r\nparsed.extensions.extended_key_usage.server_auth=`true` and\r\nparsed.subject_dn=/O=[a-z0-9-.]+, CN=[a-z0-9-.]+/ and\r\n(parsed.issuer_dn=/O=[a-z0-9-.]+, CN=[a-z0-9-.]+/ or not\r\nparsed.issuer_dn=/.+/) and ((parsed.extensions.subject_key_id=/.+/ and parsed.extensions.authority_key_id=/.+/) or\r\n(not parsed.extensions.subject_key_id=/.+/ and not parsed.extensions.authority_key_id=/.+/)) and not\r\nparsed.extensions.basic_constraints.is_ca=true and not\r\nparsed.extensions.basic_constraints.is_ca=false and labels=`unexpired`\r\nUsing this fingerprint, we found 150 related certificates on Censys2 with approximately half of the certificates\r\nactively served on IP addresses. The IP addresses appear to be primarily sourced from cloud-based server rental\r\ncompanies. The infrastructure appears to be consistent with a dedicated command and control infrastructure\r\n(“Tier 1”). We would expect victim devices to communicate with this infrastructure under certain conditions.\r\nPivoting to Tier 2: Paragon and Customer Endpoints\r\nWhile conducting our investigation, we observed two Tier 1 IPs (matching Fingerprint P1) that also returned a\r\ndifferent type of certificate:\r\nIP | Other Certificate | Nature of Overlap\r\n84.110.122[.]27 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=forti.external-Staging-02.com | Certificate observed contemporaneously with Tier 1 certificates between July and September 2023. Afterwards, only Tier 2 certificates observed.\r\n178.237.39[.]204 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=awake-wood.io | Certificate observed approximately two months after Tier 1 certificate was observed on the IP.\r\nTable 1: Fingerprint P1 results that return a different certificate\r\nThe first IP, 84.110.122[.]27, appears to be a static IP address geolocated to Israel. The IP address returned the\r\nforti.external-Staging-02[.]com certificate until January 2024. Between July 2023 and September 2023, it\r\nreturned both the aforementioned forti.external-Staging-02[.]com certificate as well as several Tier 1\r\ncertificates. We developed the P2 fingerprint for this certificate:\r\nFingerprint P2:\r\nparsed.issuer.organization=\"Internet Widgits Pty Ltd\" and\r\nparsed.extensions.subject_alt_name.dns_names=/.+/ and\r\nparsed.extensions.key_usage.value=96\r\nWhen we checked, Censys recorded 47 certificates3 matching Fingerprint P2. The results included a certificate\r\nwith the exact same subject and issuer DN as the certificate returned by the second IP, 178.237.39[.]204. However,\r\nthe certificate returned by 178.237.39[.]204 had a different hash. We further noted that in fact, all 47 certificates\r\nmatching Fingerprint P2 had a “twin” certificate not matching Fingerprint P2, but with identical issuer DN, and\r\neither identical subject DN, or a subject DN identical except with the addition of a subdomain “forti” to the\r\ncommon name. We define certificates matching Fingerprint P2, as well as their twins, to be Tier 2 certificates.\r\nThe IPs that returned these certificates were often not cloud-based servers (as with Tier 1 infrastructure), but were\r\ninstead IPs procured from local wireline telecommunications operators. Thus, we suspected that they might be run\r\ndirectly from Paragon and customer premises. 
\r\nTier 2 Nodes in Israel Have Links to “Paragon”\r\nExamining Censys records shows that at various times, a range of static IPs in Israel (84.110.47.82 –\r\n84.110.47.86) returned Tier 2 certificates:\r\nIP | Subject Common Name | Dates\r\n84.110.47.82 | forti.paraccess[.]com | 2021-02-10 – 2025-01-01\r\n84.110.47.83 | forti.paraccess[.]com | 2021-01-21 – 2024-12-31\r\n84.110.47.84 | – | –\r\n84.110.47.85 | modern-money[.]org | 2024-09-10 – Present\r\n84.110.47.86 | ancient-thing[.]it | 2022-03-09 – 2024-01-29; 2024-05-10 – Present\r\nTable 2: Static IPs in Israel returning Tier 2 certificates\r\nIPs in the same range also returned self-signed certificates matching Fingerprint P3:\r\nFingerprint P3:\r\nparsed.issuer_dn=\"C=US, ST=CA, CN=Root CA\"\r\nCensys’ Certificates dataset records a total of eight certificates matching Fingerprint P3 (though the Hosts\r\ndataset records additional ones that are missing from the Certificates dataset, perhaps due to Censys data loss\r\naround this time).\r\nIP | Subject Common Name (and Port) | Dates\r\n84.110.47.82 | firewall (4443/TCP) | 2021-02-09 – 2021-02-18\r\n84.110.47.83 | – | –\r\n84.110.47.84 | milka (443/TCP); Gateway (443/TCP); installerserver (4443/TCP); dashboard (1443/TCP) | 2020-11-10 (or earlier) – 2021-01-09\r\n84.110.47.85 | dashboard (1443/TCP); installerserver (4443/TCP) | 2020-11-24 (or earlier) – 2021-01-09\r\n84.110.47.86 | rproxyworkers (4432/TCP); firewall (4443/TCP); dashboard (2443/TCP) | 2020-11-10 (or earlier) – 2021-01-08\r\nTable 3: The same range of static IPs in Israel returned certificates matching Fingerprint P3\r\nIn all cases we identified, after the “dashboard” certificate was returned, a page with the title “Paragon” was\r\nreturned.\r\nA Link to “Graphite”\r\nWe looked for related certificates with the same “installerserver” name using Fingerprint P4:\r\nFingerprint P4:\r\nparsed.subject.common_name=\"installerserver\" and\r\nparsed.issuer.common_name=\"Root CA\"\r\nThis yielded only one certificate not included in the results of Fingerprint P3: a certificate apparently created in\r\nNovember 2019 with the organization name “Graphite”.\r\nIt is not clear which IP address returned this certificate, as historical Censys data for that time period appears to be\r\nincomplete.\r\nAttribution of Infrastructure to Paragon\r\nIn summary, strong circumstantial evidence supports a link between Paragon and the infrastructure we mapped\r\nout. The infrastructure we found is linked to webpages entitled “Paragon” returned by IP addresses in Israel\r\n(where Paragon is based), as well as a TLS certificate containing the organization name “Graphite”, which is the\r\nname of Paragon’s spyware, and the common name “installerserver” (Pegasus, a competitor spyware product, uses\r\nthe term “Installation Server” to refer to a server designed to infect a device with spyware).\r\nTier 2 Nodes Highlight Several Potential Paragon Customers\r\nWe identified other interesting IPs apparently procured from local telecom companies that returned Tier 2\r\ncertificates. Because the IPs appear to belong to local telecom companies rather than cloud-based server rental\r\ncompanies, we suspect these IPs belong to Paragon’s customer deployments. 
We also note that the first letter of\r\neach customer’s apparent “codename” matches the first letter of the country associated with the customer’s IP\r\naddress (except in the case of Israel).\r\nSubject Common Name | IP Returning Certificate | IP in Country\r\nexternal-astra[.]com | 120.150.253.xxx | Australia\r\ninternal-Abba[.]com | 150.207.167.xxx | Australia\r\nexternal-cap[.]com | 67.69.21.xxx | Canada\r\nexternal-drt[.]com | 195.249.167.xxx | Denmark\r\nforti.external-muki[.]com | 31.168.219.xxx | Israel\r\nexternal-cag[.]com | 217.27.58.xxx | Cyprus\r\nforti.external-sht-prd-4[.]com; forti.external-shotgun3[.]com; forti.external-sht[.]com; forti.external-Sht_prd_2[.]com | 58.185.8.xxx | Singapore\r\nforti.internal-stg[.]com | 61.16.116.xxx | Singapore\r\nTable 4: Some suspected Paragon customer deployments\r\nIn addition, we noted that Tier 2 certificates were returned by at least eleven IPs that geolocate to a German\r\ndatacenter of Digital Realty, a datacenter holding company. The IPs were all registered to a single “Digital Realty\r\nDE IP Customer” ID, and certificates returned included various codenames, like “nelly”, “soundgarden”, “slash”,\r\n“galaxy”, and “chance”. Additionally, the use of names such as “p-internal”, “p-external”, and “access” and\r\n“management” leads us to believe that Digital Realty’s customer may be Paragon. More recently, Paragon\r\ndeployments appear to use more ambiguous codenames in the form of fictitious domains such as “anxious-poet”\r\nor “sincere-cookie”.\r\nNote that this methodology cannot enumerate all customers, as no Internet scanning service (e.g., Censys) has a\r\ncomplete historical view of the Internet at all times. Furthermore, some customers likely took measures to prevent\r\ntheir infrastructure from being exposed in Internet scans. 
For example, Italy is an admitted Paragon customer (see:\r\nSection 4).\r\n“Cap”: Registration Information Raises Canadian Questions\r\nThe IP address for the Canadian customer Cap was delegated to ARIN customer C06874702, named “Integrated\r\nCommunications.” We searched ARIN’s WHOIS data and found five additional “Integrated Communications”\r\ncustomers in Canada, all in Ontario (C02423261, C07940612, C09095096, C10862989, C10948330). Each\r\ncustomer controls a single range of 8 or 16 IP addresses.\r\nThe address of one of the customers, C10862989, matches that of the “Ontario Provincial Police – General\r\nHeadquarters.” The other customer addresses include what appear to be a shared warehouse, a strip mall, a\r\nbrewery, and an apartment. The small number of customers named “Integrated Communications”, the fact that all\r\nsuch customers in Canada are in Ontario, and the use of the Ontario Provincial Police (OPP) address for one of\r\nthem, suggest the OPP as a potential Paragon Solutions customer.\r\nCanadian Law Enforcement’s History with Surveillance\r\nThe OPP has previously been linked to other instances involving the procurement or use of controversial\r\nsurveillance technologies. In 2019, the Toronto Star reported that for several years the OPP was the only police\r\nservice in Canada to procure cell site simulator technology (i.e., “Stingray” equipment), which can be used to\r\nintercept private communications. In 2020, The Citizen Lab reported that the OPP developed and deployed\r\ntechnology to scrape communications from private, password-protected online chatrooms without obtaining\r\njudicial authorization for the mass interceptions.\r\nIn 2022, the Royal Canadian Mounted Police (RCMP), Canada’s national police force, disclosed that the RCMP\r\nhad been using spyware from an unnamed vendor. 
The RCMP referred to the spyware as an “On-Device\r\nInvestigative Tool” (ODIT)4, and said it had used ODITs in 32 investigations between 2017 and 2022. The RCMP\r\ndid not consult with the public, or the Privacy Commissioner of Canada on its use of ODITs. Canada’s Public\r\nSafety Minister refused to disclose which vendors supplied RCMP with ODITs, and did not deny that other\r\ngovernment agencies might also use ODITs.\r\nPublic records obtained and reviewed by The Citizen Lab suggest there is a growing ecosystem of spyware\r\ncapability among Ontario-based police services. According to public court records obtained by The Citizen Lab,\r\nthe OPP used the RCMP’s ODITs in the course of a 2019 investigation to infect a mobile phone for remote\r\ninterception of private communications. A 2023 judgment from the Superior Court of Justice in Toronto describes\r\na joint investigation between the Toronto Police Service and the York Regional Police Service where investigators\r\nhad considered the use of an ODIT. The Citizen Lab also obtained an additional public court record (a 2023 search\r\nwarrant application) prepared by the Toronto Police Service (TPS), which reveals that the TPS has independently\r\nobtained ODIT software from an unknown source. The application sought authorization to use ODIT software to\r\nremotely intercept cellular communications sent through encrypted instant messaging applications.\r\nIn the course of the preparation of this report, we have also learned through informal consultations of other cases\r\nthat have been–or currently are–before the courts in Ontario involving other police services that now also possess\r\nor have sought authorization to deploy ODITs, including the OPP, York Regional Police Service, Hamilton Police\r\nService, and Peel Regional Police Service. 
The apparent expansion of spyware capabilities to potentially multiple\r\npolice services across Ontario reflects a widening gap in public awareness surrounding the extent to which\r\nmercenary spyware is being deployed in Canada.\r\n3. WhatsApp’s Paragon Investigation\r\nWe shared details about our mapping of Paragon’s infrastructure (Section 2) with Meta, because we believed that\r\nWhatsApp might be used as an infection vector. Meta told us that these details were pivotal to their ongoing\r\ninvestigation into Paragon. Meta shared information with WhatsApp that led them to identify, mitigate, and\r\nattribute a Paragon zero-click exploit. On January 31, 2025, WhatsApp sent notifications to approximately 90\r\nWhatsApp accounts they believed were targeted with Paragon’s spyware, including journalists and members of\r\ncivil society.\r\nThe Citizen Lab coordinated with WhatsApp to ensure that targets in civil society were offered additional support\r\nand optional forensic analysis. In Italy, several individuals that chose to participate in forensic analysis with the\r\nCitizen Lab spoke out publicly about receiving notifications from WhatsApp (Section 4). They include a\r\njournalist and multiple members of civil society that work in organizations involved in the rescue of refugees and\r\nmigrants at sea.\r\n4. Paragon Targets: The Italian Connection\r\nThis section describes our forensic analysis of the devices of targets who received Paragon notifications from\r\nWhatsApp, as well as our analysis of a potentially related iPhone case.\r\nMultiple WhatsApp notification recipients in Italy elected to participate in The Citizen Lab’s research program\r\nand have The Citizen Lab forensically analyze their devices. 
They are identified below, with their consent:\r\nFrancesco Cancellato is the Editor in Chief of Fanpage.it, an Italian online news outlet known for\r\ninvestigative journalism and reporting on political topics. The outlet has reported on connections between\r\nextremist elements and Italian Prime Minister Meloni’s party.\r\nLuca Casarini is the founder of Mediterranea Saving Humans, an organization known for rescuing\r\nmigrants from the Mediterranean Sea. Mr. Casarini is well-known for his criticism of the Meloni\r\ngovernment’s treatment of migrants. Mr. Casarini is also a personal friend of Pope Francis.\r\nDr. Giuseppe “Beppe” Caccia is an Italian scholar and co-founder of Mediterranea Saving Humans. Dr.\r\nCaccia works closely with Mr. Casarini.\r\nForensically Confirming Android Paragon Infections\r\nIn the course of our investigation into Paragon we obtained BIGPRETZEL, an Android forensic artifact that we\r\nbelieve uniquely identifies infections with Paragon’s Graphite spyware. We analyzed the Android devices of the\r\nthree individuals identified above. Based on their receipt of the WhatsApp notification, we believe all were\r\ntargeted with Paragon spyware. We found traces of BIGPRETZEL on two devices. WhatsApp has also confirmed\r\nto The Citizen Lab that they believe that BIGPRETZEL is attributable to a Paragon spyware infection, and\r\nprovided us with the following statement:\r\nWhatsApp’s Statement\r\nWe can confirm that we believe that the indicator Citizen Lab refers to as BIGPRETZEL is associated with\r\nParagon. We’ve seen first-hand how commercial spyware can be weaponized to target journalists and civil society,\r\nand these companies must be held accountable. 
Our security team is constantly working to stay ahead of threats,\r\nand we will continue working to protect people’s ability to communicate privately.\r\nGiven the sporadic nature of Android logs, the absence of a finding of BIGPRETZEL on a particular device does\r\nnot mean that the phone wasn’t successfully hacked, simply that relevant logs may not have been captured or may\r\nhave been overwritten. We also believe that the forensic indicators we have surfaced during this analysis may not\r\nfully capture the complete retrospective timeframe of infections for the same reasons. There may have been\r\ninfections prior to the period observed, but not captured in the logs. Our forensic analysis is ongoing.\r\nDr. Caccia’s phone showed traces of BIGPRETZEL at several times, indicating that Paragon’s spyware was\r\nrunning on or around these times:\r\n2024-12-22 – BIGPRETZEL present.\r\n2024-12-26 – BIGPRETZEL present.\r\n2025-01-03 – BIGPRETZEL present.\r\n2025-01-13 – BIGPRETZEL present.\r\n2025-01-23 – BIGPRETZEL present.\r\n2025-01-28 – BIGPRETZEL present.\r\n2025-01-31 – BIGPRETZEL present.\r\nAdditionally, analysis of Dr. Caccia’s phone showed evidence that the spyware had also infected two other apps\r\non the device, including a popular messaging app. We have shared forensic indicators with the developers of that\r\napp, who confirm that their investigation is ongoing.\r\nMr. Casarini’s phone showed traces of BIGPRETZEL on at least one date:\r\n2024-12-23 – BIGPRETZEL present.\r\nGiven limited available indicators, we were unable to determine if the spyware had loaded itself into other apps on\r\nMr. Casarini’s device, but cannot exclude the possibility.\r\nA Related iPhone Spyware Victim: Is it Paragon?\r\nOn November 13, 2024 (approximately two-and-a-half months before the WhatsApp notifications), David\r\nYambio–a close associate of Mr. Casarini and Dr. 
Caccia–was notified by Apple that his iPhone had been targeted\r\nwith mercenary spyware.\r\nMr. Yambio is an Italy-based founder of the organization Refugees in Libya. Mr. Yambio’s work focuses on\r\nadvocating for lifesaving efforts for migrants that cross the Mediterranean, and on helping victims seek justice and\r\naccountability for abuses committed in Libya. He is a former child soldier kidnapped by the Lord’s Resistance\r\nArmy who eventually escaped and was able to reach Europe where he claimed asylum. During this journey, he\r\nwas tortured while in detention in Libya.\r\nAfter he received the Apple notification, Mr. Yambio contacted digital security expert Artur Papyan of Cyber\r\nHUB-AM for assistance. Mr. Papyan performed an initial screening of the device supported by The Citizen Lab\r\nwhich identified potential anomalies. We immediately began an investigation into Mr. Yambio’s case, and Mr.\r\nPapyan provided extensive support in collecting forensic artifacts from the device.\r\nWhile our investigation was ongoing, multiple close associates of Mr. Yambio also received notifications from\r\nWhatsApp concerning Paragon targeting of their Android devices, including Mr. Casarini and Dr. Caccia.\r\nAnalysis of Mr. Yambio’s Device\r\nWe found that Mr. Yambio’s device showed clear signs of implausible CloudKit activity relating to the\r\nappleaccountd process on 13 June 2024. We call this activity SMALLPRETZEL. The device did not test positive\r\nfor any indicators we link to other spyware types, including NSO Group’s Pegasus, Intellexa’s Predator,\r\nQuaDream’s Reign, Triangulation, and others.\r\nWith Mr. Yambio’s consent, we shared forensic details with Apple, including SMALLPRETZEL. 
Apple confirmed\r\nto us that our forensic findings matched an attack that they had identified, investigated, and mitigated in iOS 18.\r\nApple provided us with the following statement:\r\nApple’s Statement\r\n“Mercenary spyware attacks like this one are extremely sophisticated, cost millions of dollars to develop, often\r\nhave a short shelf life, and are used to target specific individuals because of who they are or what they do. After\r\ndetecting the attacks in question, our security teams rapidly developed and deployed a fix in the initial release of\r\niOS 18 to protect iPhone users, and sent Apple threat notifications to inform and assist users who may have been\r\nindividually targeted. While the vast majority of users will never be the victims of such attacks, we sympathize\r\ndeeply with the small number of users who are, and we continue to work tirelessly to protect them.”\r\nLinks to Paragon?\r\nWhile it is clear that an attempt was made to infect Mr. Yambio’s device with spyware, we cannot yet establish a\r\nconclusive technical link between SMALLPRETZEL and any particular type of spyware. That said, we note there\r\nare some contextual factors that suggest the spyware used against Mr. Yambio may have also been Paragon’s\r\nGraphite. In particular, Mr. Yambio works closely with the cluster of forensically confirmed Paragon targets and\r\nWhatsApp-notified individuals. While we are not attributing this attack to Paragon at this time, we continue to\r\ninvestigate this case.\r\nAdditional Prior Targeting\r\nMr. Casarini also received a notification on February 8, 2024, from Meta concerning government-backed\r\ntargeting. Father (Don) Mattia Ferrari, an Italian priest and the chaplain of Mediterranea Saving Humans, also\r\nreceived a Meta notification on the same day as Mr. Casarini. Mr. Ferrari, like Mr. 
Casarini, is a personal friend of\r\nPope Francis and manages the group’s relationship with the Bishops’ Conference of Italy.\r\nThe English translation of the above message (Figure 7):\r\n“Take a moment to strengthen your privacy settings. Luca, it is possible that a sophisticated hacker is\r\ninterested in your Facebook account.\r\nWhat it means: We do not believe that your account was compromised, but someone could try to extract\r\ninformation based on the contents that you share publicly.\r\nWhat you can do: Visit our Help Center to find out what you can do to protect your account.”\r\nMeta published a wide-ranging report entitled “Countering the Surveillance-for-Hire Industry” at the same time\r\nas the notifications. The report named several vendors whose technology, including spyware, was used against\r\ntargets in Italy.\r\nThe notifications are interesting because they expand the time window of potential targeting with spyware, and\r\nsuggest that multiple types of spyware may be used as part of interrelated surveillance operations.\r\nTargeting Civil Society Sea Rescue Operations: Notes on A Possible Cluster\r\nLike elsewhere, migration and refugee issues are a contentious topic in Italy. Italy’s geographic location makes it a\r\nnatural first landing point for people fleeing from conflicts and poverty in the Sahel and Sub-Saharan regions.\r\nMigrants and refugees typically use improvised or precarious boats to make this journey, which has led to\r\nnumerous tragic shipwrecks. Over the past decade, more than 30,000 migrants and refugees have died trying to\r\ncross the Mediterranean Sea. 
Civil society organizations conduct humanitarian search and rescue (SAR)\r\noperations with the goal of reducing the number of fatalities and bringing migrants and refugees to safety at the\r\nclosest landing port, which is often in Italy.\r\nOver the past two years, humanitarian organizations operating in the area have faced increasing pressure from the\r\nItalian authorities. For example, in early 2023, the Italian Parliament passed a law put forward by the government\r\nincreasing the restrictions on SAR operations. The law was denounced by the UN High Commissioner for Human\r\nRights as “effectively punish[ing] both migrants and those who seek to help them”.\r\nPotential Relationship Between the Various Paragon Targets\r\nIt is clear that Mr. Casarini, Dr. Caccia, and Mr. Yambio all work closely together. They have told The Citizen Lab\r\nthat they believe that they have been targeted based on this association, and their collective work and criticism of\r\nthe Italian government’s handling of specific issues concerning migration. Italian media has also speculated about\r\nthe specific implications of the timing of the targeting and its relationship to their advocacy work.\r\nWhile our forensic findings include dates of infection for each individual, as we note above (see: Forensically\r\nConfirming Android Paragon Infections), targeting may in fact have extended prior to the dates we have found.\r\nWe note, for example, the notification sent to Mr. Casarini and Mr. Ferrari by Meta in February 2024 regarding\r\ntargeting with what is likely a different surveillance technology (see above: Additional Prior Targeting).\r\nItaly’s Conflicting Response to the Paragon Revelations\r\nThe response from the Italian government to the Paragon situation has evolved over time. 
In a familiar pattern that\r\nbegan with denials, the Italian government has been forced to acknowledge contracts with Paragon Solutions.\r\nHowever, the government’s response was marked by a lack of clarity, transparency and specificity about the cases\r\nreported thus far.\r\nOn February 6, 2025, the Italian government issued a statement denying knowledge of the affair.\r\nLater that night, The Guardian published a report stating that Paragon had cancelled their contract with two\r\nItalian customers. The report indicated that Paragon had received unsatisfactory answers to their questions\r\nabout the Italian cases.\r\nA second report from Haaretz indicated two Italian Paragon customers: a law enforcement entity and an\r\nintelligence entity. \r\nOn February 12, 2025, the Italian Minister for Relations with Parliament publicly confirmed that the\r\ngovernment was a Paragon customer, claiming that all the related systems were still active, while still\r\ndenying that the national intelligence services had spied on the known targets.\r\nOn the same day, the director of the external intelligence service (AISE) confirmed that Paragon’s Graphite\r\nspyware had been deployed by his agency on multiple occasions, and listed them to the parliamentary\r\ncommittee overseeing the intelligence services in a classified hearing. 
He denied the agency having spied\r\non journalists and activists.\r\nOn February 14, 2025, the Italian government stated that, together with Paragon, they had jointly agreed to\r\nsuspend the deployment pending an investigation.\r\nOn February 19, 2025, the government issued a letter to Parliament stating that it could not respond to\r\nparliamentary inquiries on the Paragon affair, as any information not yet disclosed should have been\r\nconsidered classified.\r\nIn the parliamentary session that ensued, however, the Minister of Justice contradicted that statement,\r\nresponding to the inquiries put forth by opposition parties and stating that no agency reporting into his\r\nMinistry had stipulated a contract with Paragon.\r\nA History of Mercenary Spyware in Italy\r\nItaly is perhaps best known as a producer of, rather than a customer of, mercenary spyware. A March 2023 report\r\nnoted several mercenary spyware firms operating from Italy at the time, including AREA, RCS, SIO, INNOVA,\r\nMemento Labs (formerly known as Hacking Team), Raxir, Negg, and Cy4gate.\r\nThe recent Venice Commission report on the regulation of spyware in the European Union notes that the use of\r\nspyware is regulated in Italian law. Its framework for criminal proceedings limits its use to “particularly serious\r\noffences (such as, for example, mafia-type criminal association),” or in limited circumstances, “for offences\r\ncommitted by public officials against the public administration” that carry a maximum penalty of at least five\r\nyears’ imprisonment. The report notes that, among other constraints, authorization for targeted surveillance\r\nmeasures must be obtained from the judiciary under domestic law in Italy.\r\nConclusion: You Can’t Abuse-Proof Mercenary Spyware\r\nParagon Solutions is a relatively new entrant in the mercenary spyware ecosystem. 
Like many other mercenary\r\nspyware companies, Paragon appears to have aggressively sought access to the US market. There are many\r\nreasons for this emphasis on access to the US market: it is large, lucrative, and spyware companies have a track\r\nrecord of considering having US customers as a kind of protection.\r\nIn the wake of action from the White House and Congress to pump the brakes on mercenary spyware\r\nproliferation, the incentives likely grew for commercial spyware companies to seek the government’s ‘good side.’\r\nThis has clearly included insider lobbying and public messaging that seeks to portray these companies as aligned\r\nwith US priorities. \r\nParagon’s communications strategy focuses on framing itself as taking a different approach than NSO Group with\r\nrespect to its client base, technology, and safeguards. Much of this marketing seems focused on seeking to\r\npersuade the US that the company aligns with US interests. \r\nParagon specifically courts media attention with claims that by only selling to a select group of governments, they\r\ncan avoid the abuse scandals plaguing their peers. The implicit message: if you do not sell to autocrats, your\r\nproduct will not be used recklessly and in anti-democratic ways. History, however, shows us that this is not always\r\nthe case. Many democratic states have histories of using secret surveillance powers and technologies against\r\njournalists and members of civil society. \r\nMercenary spyware is no exception, with multiple democracies deploying spyware against journalists, human\r\nrights defenders, and other members of civil society. Indeed, organizations working against the proliferation and\r\nabuse of spyware, including the Citizen Lab, have warned that the temptation to use this technology in a rights-abusing way is so great that, even in democracies, it will be abused. 
\r\nOverall, the cases described in this report suggest that Paragon’s claims of having found an abuse-proof business\r\nmodel may not hold up to scrutiny. We acknowledge that this report does not seek to cover the totality of Paragon\r\ncases, but rather a set of cases where targets have chosen to come forward at this time and in our report. However,\r\nthe pattern in these cases challenges Paragon’s marketing approach which has claimed that the company would\r\nonly sell to clients that “abide by international norms and respect fundamental rights and freedoms.”\r\nThis report is a first step towards understanding the scope and scale of potential Paragon spyware abuses. The 90-some targets notified by WhatsApp likely represent a fraction of the total number of Paragon cases. Yet, in the\r\ncases already investigated, there is a troubling and familiar pattern of targeting human rights groups, government\r\ncritics, and journalists.\r\nThe Twilight of Forensics?\r\nIn traditional cases of mobile compromise, an attacker exploits vulnerabilities on a device and activates the\r\nfunctionality of their spyware by invoking their own app or process. This app or process must then perform certain\r\nprivileged actions on the device, which may leave side effects that a forensic analyst can later observe.\r\nParagon takes a different approach: in a technique reminiscent of Android spyware deployed by the Poison Carp\r\nthreat actor, Paragon appears to silently load their spyware into the device’s existing legitimate apps and\r\nprocesses, which serve as the spyware’s unwitting hosts. 
This approach is ultimately less likely to leave obvious\r\nforensic evidence that an analyst with device-in-hand can easily find; an analyst would probably need a detailed\r\nunderstanding of the workings of each host app in order to reach a conclusion that the device was compromised.\r\nParagon’s approach has been likened to “hypersonic weapons, in cybersecurity terms”, but it is better understood\r\nas a tradeoff. Their focus on targeting legitimate apps is certainly a difficulty multiplier for forensic analysis, but it\r\nis also likely to multiply the number of entities that have visibility into Paragon’s activities, given that app\r\ndevelopers collect diagnostic data, crash reports, and other telemetry from their apps. This speaks to the value of\r\ncollaboration between civil society, forensic experts, and tech platforms’ threat intelligence teams.\r\nNotifications and the Spyware Accountability Ecosystem: Critical Ingredients\r\nWhen WhatsApp chose to notify Paragon targets and be explicit with their attribution, they performed an\r\nimportant service, as warnings to users about mercenary spyware targeting are a critical component of the growing\r\naccountability ecosystem around mercenary spyware abuses. \r\nToday, several of the largest companies have increasingly mature notification procedures and language. These\r\nnotifications often lead to cases flowing to civil society organizations and helplines organically. This assistance is\r\nespecially important as companies like Paragon shift tactics in ways that may be more visible to app developers,\r\nand perhaps less so to forensic analysts. \r\nThe cases described in this report would have largely remained undiscovered without WhatsApp and Apple\r\nnotifying users. The case of Mr. Yambio came to our attention thanks to Cyber Hub-AM, who he contacted after\r\nreceiving a notification from Apple. 
This case also points to the importance of the ecosystem of organizations\r\nworking on mercenary spyware.\r\nTime for Questions\r\nWe note media reports that Paragon’s Graphite spyware maintains “detailed logs” on the premises of government\r\ncustomers. Given the concerns about the publicly-known targets in Italy, these logs should be a natural target of\r\nany official investigation into reports of misuse. They might also provide a better understanding of the scope and\r\nscale of use in Italy.\r\nEven if mercenary spyware has been acquired for a primary purpose, such as investigating organized criminal\r\ngroups, experience shows that, over time, the temptation to use these powerful technologies for political purposes\r\nis substantial. Mexico’s case is a strong illustration of this phenomenon, with Pegasus spyware abuses linked to\r\ntwo successive governments.\r\nWhile investigations such as this one can painstakingly assemble cases and suspected deployments, there is\r\nanother place where signals about spyware use (and abuse) exist: with the spyware companies’ government\r\ncustomers. Our infrastructure analysis uncovered evidence of multiple suspected Paragon customers, and we\r\nbelieve there are more. If a country has been identified as a customer, lawmakers and oversight institutions should\r\nnot wait until reports of abuse surface to start to ask questions about its use. \r\nParagon’s Response\r\nPrior to publication, the Citizen Lab sent Paragon Solutions a letter summarizing key findings from our\r\ninvestigation and offered to publish any response they might have in full. 
Paragon Solutions Executive Chairman\r\nJohn Fleming responded with the following message:\r\nParagon Solutions:\r\n“[Salutation], The brief summary of the report you sent includes several inaccuracies, but without additional\r\ndetails we cannot be more specific or provide comment for the record. We would also like to note that, as part of\r\nour commitment to our customers and their national security missions, we are dedicated to maintaining the\r\nconfidentiality of their operations while ensuring they are properly vetted agencies. Furthermore, legal restrictions\r\nrelated to national security and foreign relations may limit our ability to comment.”\r\nWe replied to Mr. Fleming requesting further details on the claimed inaccuracies, and received the following\r\nresponse:\r\nCitizen Lab:\r\n“[Salutation] As noted in the initial response, without additional details on your findings, we are not able to\r\naddress the inaccuracies.”\r\nWe recognize that Paragon Solutions may have undertaken to protect the identity of their customers, but we also\r\nnote the long history of mercenary spyware companies like NSO Group asserting similar opacity combined with\r\nclaims of unspecified inaccuracies to frustrate accountability, deny victims access to justice, and attempt to\r\ninsulate themselves from harms committed with their technology.\r\nThe Citizen Lab welcomes any clarifications Paragon Solutions wishes to provide about the inaccuracies that they\r\nhave declined to specify, upon reading the full report. \r\n…And Canadian Questions\r\nThe Citizen Lab has previously reported on the need for comprehensive reforms to address the growing array of\r\nadvanced surveillance technologies that are in use in Canada. 
In November 2022, Canada’s Standing Committee\r\non Access to Information, Privacy, and Ethics released a report concerning the RCMP’s use of ODITs, which\r\ncontained numerous recommendations to address a “legislative gap regarding the use of new technological\r\ninvestigative tools.” To date, none of the committee’s law reform recommendations have been implemented by the\r\nfederal government. The Canadian government is also a signatory to the US-led 2023 Joint Statement on Efforts to\r\nCounter the Proliferation and Misuse of Commercial Spyware. However, it has not yet put forward any concrete\r\nregulations to prohibit procurement of spyware from firms whose technology presents a risk to national security or\r\nis involved in human rights abuses abroad, as the US did in Executive Order 14093. In light of the apparent use of\r\nspyware by law enforcement in Ontario, it is essential the Canadian government implement regulations before it\r\nbecomes yet another democracy with a spyware abuse problem.\r\nAcknowledgements\r\nWe acknowledge and thank the victims that chose to work with us in this investigation and come forward. 
Without\r\ntheir participation and engagement this research, like so much accountability work around spyware, simply would\r\nnot be possible.\r\nSpecial thanks to Artur Papyan of Cyber HUB-AM for his assistance in this investigation, and Access Now,\r\nespecially their helpline team, for their exceptional assistance in this case.\r\nSpecial thanks to our Citizen Lab colleagues Cooper Quintin and Jeffrey Knockel for providing internal peer\r\nreview and feedback on the report, Adam Senft for writing and editorial assistance, and Alyson Bruce for\r\ncommunications assistance and report editing.\r\nSpecial thanks to Censys.\r\nSpecial thanks to Arl3cchino and TNG.\r\nNote: Research Ethics\r\nAll research involving human subjects conducted at the Citizen Lab is governed under research ethics protocols\r\nreviewed and approved by the University of Toronto’s Research Ethics Board. The Citizen Lab does not take\r\ngeneral or unsolicited inquiries related to individual concerns regarding information security and cannot provide\r\nindividual assistance with security concerns.\r\nSource: https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/\n\nFingerprint P1 results that return a different certificate\nThe first IP, 84.110.122[.]27, appears to be a static IP address geolocated to Israel. The IP address returned the\nforti.external-Staging-02[.]com certificate until January 2024. Between July 2023 and September 2023, it\nreturned both the aforementioned forti.external-Staging-02[.]com certificate as well as several Tier 1\ncertificates. We developed the P2 fingerprint for this certificate:",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/"
	],
	"report_names": [
		"a-first-look-at-paragons-proliferating-spyware-operations"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fea75bf4-c510-4146-bbac-0802351f4eb0",
			"created_at": "2023-01-06T13:46:38.714847Z",
			"updated_at": "2026-04-10T02:00:03.076837Z",
			"deleted_at": null,
			"main_name": "Unit 8200",
			"aliases": [
				"Duqu Group"
			],
			"source_name": "MISPGALAXY:Unit 8200",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b8c7c542-43ed-498c-af6b-b4b5f0c75724",
			"created_at": "2024-02-02T02:00:04.026045Z",
			"updated_at": "2026-04-10T02:00:03.529714Z",
			"deleted_at": null,
			"main_name": "Carmine Tsunami",
			"aliases": [
				"DEV-0196",
				"QuaDream"
			],
			"source_name": "MISPGALAXY:Carmine Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439140,
	"ts_updated_at": 1775792204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6d3454247a42ef39f4ce2d1879b95b899f9ce0d.pdf",
		"text": "https://archive.orkl.eu/e6d3454247a42ef39f4ce2d1879b95b899f9ce0d.txt",
		"img": "https://archive.orkl.eu/e6d3454247a42ef39f4ce2d1879b95b899f9ce0d.jpg"
	}
}