The Citizen Lab published the first reports on the abuse of numerous mercenary spyware firms’ products, including Gamma Group (2012), Hacking Team (2012), Dark Matter (Stealth Falcon) (2016), NSO Group (2016), Cyberbit (2017), Circles (2020), Candiru (2021), Cytrox’s Predator (2021), and Quadream (2023).
And now here we are with yet another first: a report on Paragon Solutions.
Founded in Israel in 2019, Paragon sells a spyware product called Graphite, which reportedly provides “access to the instant messaging applications on a device, rather than taking complete control of everything on a phone.”
Paragon has attempted to distinguish itself from other notorious mercenary spyware firms, like NSO Group, by claiming it has safeguards to prevent the kinds of spyware abuses the Citizen Lab and others have identified in the mercenary spyware marketplace.
(You can read more about those claims in this excellent profile of the firm by Forbes‘ Thomas Brewster).
But just like every other spyware firm we have analyzed who have made similar claims, our latest report presents evidence that calls those safeguards into question.
Mapping > Disclosure > Victim Notifications > Forensics
Our technical investigation into Paragon, led by senior researcher Bill Marczak, began with a tip from a colleague. Based on this tip, Marczak was then able to develop various fingerprints, which in turn allowed us to map some of the firms’ infrastructure.
This analysis also led us to believe the firm was targeting WhatsApp as a vector to infect victim’s devices.
We shared our analysis of Paragon’s infrastructure with Meta (WhatsApp’s parent company), who told us that the details were pivotal to their ongoing investigation into Paragon.
WhatsApp fixed the issue, and then issued notifications to 90 individuals whose phones were infected with Paragon spyware. We then forensically analyzed multiple Android phones of Italians who received those notifications and found clear indications that spyware had been loaded into WhatsApp, as well as other apps on their devices.
Those individuals include:
Francesco Cancellato who is the Editor in Chief of Fanpage.it, an Italian online news outlet known for investigative journalism and reporting on political topics;
Luca Casarini who is the founder of Mediterranea Saving Humans, an organization known for rescuing migrants from the Mediterranean sea. Mr. Casarini is also well-known for his criticism of the Meloni government’s treatment of migrants. Mr. Casarini is a personal friend of Pope Francis;
Dr. Giuseppe “Beppe” Caccia, who is an Italian scholar and co-founder of Mediterranea Saving Humans. Dr. Caccia works closely with Mr. Casarini.
Our analysis found traces of Paragon infections on their devices, which we refer to as “BIGPRETZEL.” WhatsApp confirmed they also believe the indicator we call BIGPRETZEL is associated with Paragon spyware.
We also analyzed the device of David Yambio, who is an Italy-based founder of the organization Refugees in Libya. Mr. Yambio received a notification from Apple about two-and-a-half months before the WhatsApp notifications. We analyzed his device and discovered clear indications of infections, although we could not conclusively attribute those infections to Paragon’s Graphite spyware. Mr. Yambio’s work focuses on advocating for lifesaving efforts for migrants that cross the Mediterranean, and on helping victims seek justice and accountability for abuses committed in Libya.
The hacking of Yambio’s device coincides with the time he was providing information to the International Criminal Court.
Our analysis into infections of other victim’s devices is ongoing.
Mapping Paragon’s Government Client Base
With his fingerprints as a starting point, Marczak mapped out Paragon’s command and control infrastructure — the system of computers that are used to send and receive data from infected devices around the world. Based on that mapping, we were able to identify a subset of potential government clients in several countries because their firewalls were improperly implemented, including Australia, Canada, Cyprus, Denmark, Israel, and Singapore.
Importantly, this is not an exhaustive list of customers.
Paragon in Ontario
A significant finding related to this mapping is the surfacing of potential links between Paragon Solutions and the Canadian Ontario Provincial Police. Led by Citizen Lab senior research associate Kate Robertson, we also found evidence of a growing ecosystem of spyware capability among Ontario-based police services.
The Citizen Lab has previously reported on the need for comprehensive reforms to address the growing array of advanced surveillance technologies that are in use in Canada. None of our recommendations, nor those of Canada’s Standing Committee on Access to Information, Privacy, and Ethics which held hearings on spyware in Canada, have been implemented by the federal government.
These findings are troubling, especially in light of the increased funding for and capabilities being directed towards Canadian security agencies in recent months and the numerous democracies that have been documented abusing mercenary spyware.
It is essential the Canadian government implement these recommendations and put in place regulations before it becomes yet another democracy with a spyware abuse problem.
Correspondence with Paragon’s principals
Prior to publication, we sent a letter with a summary of our key findings to Paragon’s principals inviting comments about our upcoming report.
John Fleming, the Executive Chairman of Paragon US, replied saying that “the brief summary of the report you sent includes several inaccuracies, but without additional details we cannot be more specific or provide comment for the record.”
I replied asking for more detail on what he claims are “several inaccuracies.” Mr. Fleming replied saying ” without additional details on your findings, we are not able to address the inaccuracies” — which does not make sense.
You can find the record of these correspondences in the report.
Read the full report here: https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/
Authors: Bill Marczak, John Scott-Railton, Kate Robertson, Astrid Perry, Rebekah Brown, Bahr Abdul Razzak, Siena Anstis, and Ron Deibert