Italian Journalists Targeted with Sophisticated Zero-Click Attacks

Researchers at The Citizen Lab have published a new report detailing the results of a forensic investigation into the iPhones of two European journalists who were hacked using government spyware made by Israeli surveillance tech provider Paragon. The report confirms that Italian journalist Ciro Pellegrino and a prominent European journalist were targeted with Paragon’s Graphite spyware, and that the attacks were carried out with a sophisticated zero-click vulnerability that was exploited through iMessage.
According to the report, Pellegrino received a notification from Apple in April, alerting him that his phone had been targeted with mercenary spyware. However, the notification did not specifically mention Paragon or the Graphite spyware. The Citizen Lab’s researchers analyzed Pellegrino’s devices and found that one of them was infected with Graphite, based on forensic evidence showing that the spyware communicated with a server that the researchers had previously established with “high confidence” was part of Paragon’s infrastructure.
The report also reveals that the prominent European journalist was hacked with a similar zero-click attack, and that the attack was invisible to the victim. Apple had told The Citizen Lab that the attack deployed in these cases was mitigated in iOS 18.3.1, which was released on February 10, 2025. However, it is unclear why Apple did not disclose the existence of this patched flaw until four months after the release of the iOS update.
The Citizen Lab’s researchers believe that the Italian government is in a position to definitively answer questions about what was done with its Paragon spyware, particularly in Pellegrino’s case. Pellegrino himself has expressed concern about the targeting of journalists and the potential impact on his civil rights.
“I understand that Prime Minister Meloni is a professional journalist like me,” Pellegrino told TechCrunch. “Does she care about the rights of this type of worker? Why has she not spent a single word in solidarity with the journalists who have been spied on?”
The Paragon spyware scandal began in January, when WhatsApp notified around 90 of its users that they had been targeted with Paragon’s Graphite spyware. The targets included several Italians, among them Pellegrino’s colleague and Fanpage director Francesco Cancellato, as well as nonprofit workers who help rescue migrants at sea. The Italian government has denied any involvement in the targeting of journalists and human rights activists, but The Citizen Lab’s report raises questions about the government’s role in the scandal.
The report also highlights the possibility that other people whom WhatsApp notified of having been targeted with Graphite were also infected. However, due to the limited logs on Android devices and efforts by Paragon to delete traces of the infection, it may be impossible to confirm this.
The Citizen Lab’s research is ongoing, and the organization is working to analyze all cases, including Cancellato’s. The Italian government has not responded to requests for comment, but The Citizen Lab’s findings are likely to raise further questions about the use of spyware by the government and the potential impact on civil rights.
“It’s unclear why Apple did not disclose the existence of this patched flaw until four months after the release of the iOS update,” said John Scott-Railton, a senior researcher at The Citizen Lab. “This raises questions about the transparency and accountability of tech companies in responding to security threats.”
The Paragon spyware scandal has significant implications for the use of surveillance technology by governments and the potential impact on civil rights. As The Citizen Lab’s research continues, it is likely to shed further light on the extent of the scandal and the role of governments and tech companies in responding to security threats.



