Getting your Trinity Audio player ready...
Since its establishment, the Israeli offensive cyber firm Paragon has operated under a central guiding principle: not to be like NSO Group. It sought to distinguish itself from its competitor, which had tarnished the reputation of Israel’s cyber industry. But in the past several weeks, Paragon has found itself at the center of the very kind of trouble it sought to avoid.
Paragon, co-founded by former IDF military intelligence Unit 8200 commander Ehud Schneerson, who serves as its chairman, along with former Israeli Prime Minister Ehud Barak, is now embroiled in allegations of espionage, surveillance and smartphone hacking. The firm is accused of targeting dozens of individuals across Western countries, including Italy, Germany, Spain and Sweden, through their WhatsApp accounts.
Last month, 90 people across 20 countries received a mysterious message from WhatsApp’s support saying that WhatsApp was able to identify and block spyware that targeted their phones and recommending they contact Citizen Lab for assistance. Citizen Lab is a Canadian organization specializing in detecting digital espionage that has previously been involved in investigating NSO Group’s embarrassing affairs.
Three victims of the spyware were quickly identified, causing significant embarrassment for the Italian government, which has been accused of orchestrating the surveillance - an allegation it has so far denied. The individuals targeted include journalist Francesco Cancellato, the head of the migrant rescue group Luca Casarini, and social activist Husam El Gomati, figures whom a democratic state would not typically be expected to spy on.
Since then, Italy has been in turmoil over the affair, which reminds the NSO scandal that nearly led to the establishment of a state commission of inquiry in Israel. And it's not just in Italy, concern is mounting across Europe. This week, both the Italian Parliament and the European Parliament in Strasbourg held discussions on the matter. Victims of the alleged espionage have filed police complaints, opposition parties are demanding an investigation, and Prime Minister Giorgia Meloni’s government denies any involvement. However, even her supporters remain skeptical.
Get the Ynetnews app on your smartphone: Google Play: https://bit.ly/4eJ37pE | Apple App Store: https://bit.ly/3ZL7iNv
The similarity to the NSO scandal is striking. In both cases, citizens were shocked to discover that spyware had targeted their cellphones. In both cases, the entities responsible for deploying the surveillance tools remain in the shadows, leaving politicians to scramble for explanations and the media to deliver harsh criticism.
NSO sold its spyware indiscriminately, from paranoid autocrats in unstable regimes to African dictators. Its technology has been linked – not always justifiably - to espionage and suppression of journalists, human rights activists and dissidents; and even assassinations allegedly carried out with its tools. The company’s actions gave offensive cyber technology such a bad name that the U.S. government ultimately blacklisted it.
Since its inception, Paragon has positioned itself as NSO’s opposite. It claims to sell its spyware, called “Graphite,” exclusively to democratic governments with security service oversight, with the condition that it be used only against criminals and terrorists.
While NSO Group’s scandals often attracted new customers, particularly authoritarian regimes, Paragon is facing a different reality. The company has severed ties with the Italian security agency responsible for spying on the journalist and is now attempting to shift blame onto governments that may have misused its spyware.
The coming days will be a critical test for Paragon. Each day that passes without the exposure of additional surveillance victims strengthens its defense. WhatsApp has reported identifying at least 90 compromised users, yet only four have been publicly named so far. If the remaining 86 are indeed criminals, terrorists or suspects in illegal activity, Paragon may yet salvage its reputation.
Citizen Lab, meanwhile, is conducting what is called a “forensic investigation” – a rigorous examination of the hacked devices. If its findings are damning, Paragon could face severe repercussions. If not, the crisis could turn into the company's finest hour.
The method and the lawsuit
Paragon was founded in 2019 by Schneerson and Barak, along with CEO Idan Nurick and former Unit 8200 members Igor Bogudlov, Liad Avraham and Liran Elkayam. The company has consistently stated that it sells its spyware tools solely to 37 democratic countries.
In the current affair, it is alleged that cellphones in 20 countries were hacked using Paragon’s spyware, with 14 of them being European democracies, including Italy, Austria, Belgium, Cyprus, the Czech Republic, Denmark, Germany, Greece, Latvia, Lithuania, the Netherlands, Portugal, Spain and Sweden.
Media reports have previously detailed how Paragon’s spyware, Graphite, operates. It uses a "zero-click" method, meaning it does not require any action from the target to install itself on a device. According to some reports, it attacks WhatsApp’s security through a malicious PDF file. Once inside, it extracts stored files and photos and monitors the users' communications on platforms such as WhatsApp, Messenger, Telegram, Signal and the like. Graphite then uploads the data to a cloud, leaving no traces on the device itself. Unlike Pegasus, Graphite does not take control of a phone’s camera or microphone.
However, this description seems to be only a partial depiction of the technology’s capabilities. Paragon’s tools, which were acquired with great enthusiasm by intelligence agencies in various democratic countries, including the U.S. Drug Enforcement Administration (DEA), suggest they may have even broader functionalities. Given the expertise of Israeli military intelligence’s Unit 8200, it is very likely that additional backup technologies are also in play.
Another important element that should be of great interest to the members of the Italian or European investigation committees, should they be established, is that the system keeps detailed logs of all recorded activity. These records are accessible to authorities in the country where the data was collected. If an inquiry takes place in Italy, for example, Italian investigators could review the files to determine exactly what was monitored and whether any laws were violated, potentially creating a political embarrassment for the Italian government.
Graphite uses a "zero-click" method. It attacks WhatsApp’s through a malicious PDF file. Once inside, it extracts stored files and photos and monitors the users' communications on various platforms. Graphite then uploads the data to a cloud, leaving no traces on the device itself. Unlike Pegasus, Graphite does not take control of a phone’s camera or microphone.
The current revelations have placed Paragon in a difficult position with its clients. According to information obtained by Ynet and its sister publication Yedioth Ahronoth, a recent move by WhatsApp to block Graphite on 90 devices disrupted dozens of law enforcement operations against criminals, putting Paragon’s professional reputation at risk. At the same time, Meta, WhatsApp’s parent company, may also face tough questions, especially if it turns out that some of the halted investigations were in the United States. If Meta fails to provide evidence that the affected users were journalists or human rights activists, its professional reputation could also be compromised.
Last month, Meta sent Paragon a “cease and desist” letter, stating it was exploring its legal options. Meta demanded Paragon to cease targeting WhatsApp users. Yedioth Ahronoth and Ynet have learned that Paragon has no intention of stopping its activities and is preparing for a legal battle against Meta. For now, however, the situation remains at a standstill.
'The Paragon scandal cannot simply be erased'
In Europe, however, the turmoil is escalating. Francesco Cancellato, the Italian journalist targeted by the spyware, is the editor-in-chief of the investigative news site Fanpage.it, known for its critical coverage of the Italian government. Last October, he exposed a neo-Nazi-linked antisemitism scandal among young members of Prime Minister Giorgia Meloni’s ruling party. It is safe to assume he is not well-liked in government circles.
In an exclusive interview with Yedioth Ahronoth and Ynet, Cancellato expressed deep concern. "I was really worried. They spied on me just because I'm a journalist." He added that there is a serious problem when a government agency monitors a Western journalist in a democratic country. His phone is currently undergoing forensic analysis by Citizen Lab, and the findings will be published by his news outlet.
Cancellato discovered he had been targeted when he received a message from WhatsApp’s support team. “My first thought was that it was a scam or some kind of joke,” he recalled. “But then Citizen Lab contacted me, explaining that it wasn’t a joke, that my phone had been hacked using Paragon’s spyware, and that I was one of 90 journalists and political activists who had been targeted. I was very concerned; it’s a strange feeling.”
7 View gallery
Francesco Cancellato, the Italian journalist targeted by the spyware
(Photo: Ciaopeople)
Why out of 90 individuals, only your name and two others were made public?
“I know why my name was published – I’m known as a reporting journalist. Even if the report is about me, I can’t just keep it to myself. I don’t know why others weren’t identified. Maybe they’re afraid, or maybe their cases are still being investigated.”
Did you notice anything unusual with your cellphone before the discovery? Was there a sign of someone spying on you?
“Now that I think about it, in recent months, my WhatsApp crashed for no apparent reason. At first, I thought it was my fault, because I’m really bad with smartphones, so I didn’t give it much thought. I never suspected those crashes were connected to spyware. Even now, I’m not sure if there’s a connection."
Are you concerned about the files and data taken from your device? Was there anything of great importance?
“As the editor of an investigative news site, I see this as an intrusion into my newsroom, not just my cellphone, and that worries me. I was told this spyware isn’t like Pegasus [the Israeli spyware by NSO, which records and captures what the target does], but they could have taken any data they wanted from my device."
Do you have any idea why you were targeted?
“I don’t know who spied on me or why. But I doubt they were interested in where I vacation or who I have dinner with. They probably wanted to know about my work, about our investigations. That’s the only thing I’m sure of."
Could your exposé on Meloni’s party be the reason?
"Indeed, we conducted investigative reports on Meloni's party, and they received wide coverage. It was a scandal because it is a pro-Israel party, and we exposed young fascists within it who were singing and joking about antisemitism. That investigation had a major impact on the government, so maybe there’s a connection."
You may have angered someone in the government or the police.
“I don’t know, that’s speculation. But I want to know that I live in a democracy where no one spies on journalists, and I want to be sure this won’t happen again in my country."
Do you think spyware should be banned in democratic nations?
“I think that in some cases when it comes to law enforcement operations against criminals, terrorists, drug traffickers and smugglers, these tools can be useful. After all, criminals also have access to such technologies as well as the ability to hack computers,” he said. "But for governments, it’s like in Spider-Man: with great power comes great responsibility. If you use these tools, you must do so responsibly and uphold the principles of democracy."
Francesco Cancellato: "I want to know that I live in a democracy where no one spies on journalists"
One of the three publicly identified surveillance targets, Husam El Gomati, is known for his criticism of government actions against migrants. This week, TechCrunch revealed another name - Beppe Caccia, who is also an activist in an organization assisting migrants.
The common thread appears to be immigration enforcement by Italian intelligence agencies AISE (External Intelligence and Security Agency Intelligence) or AISI, Italy’s domestic intelligence and security service, and an attempt to locate information that would lead to the capture of immigrants and those who help them. Both agencies are Paragon clients, though according to Israeli sources, AISI has since been cut off from its services.
The Italian government initially tried to distance itself from the affair. Later, government spokespeople acknowledged that seven Italian citizens had been monitored using the spyware, but insisted it was "not by the Italian government."
That same evening, John Fleming, the executive chairman of Paragon's U.S. subsidiary, announced that the company suspended services in Italy. "Paragon requires that all users agree to terms and conditions that explicitly prohibit the illicit targeting of journalists and other civil society figures," he told The Guardian. "We have a zero-tolerance policy against such targeting and will terminate our relationship with any customer that violates our terms of service.”
The farce continued this week when Luca Ciriani, Italy’s minister for Relations with Parliament, claimed in a parliamentary discussion that Paragon had not cut off Italian intelligence from its services. On the same day, AISE chief Giovanni Caravelli appeared before the Italian parliament’s intelligence oversight committee to provide a briefing on the case. According to reports in Italian media, he denied that AISE had spied on Cancellato.
This is likely true, but an Israeli source said that other evidence was presented to the committee by another organization, suggesting that the journalist had engaged in activities beyond his reporting and that some of the human rights activists whose phones were hacked had previous criminal convictions.
Italy’s political system bears a strong resemblance to Israel’s. Since the scandal broke, opposition parties have seized on it. In a rare show of unity, they held a press conference at the European Parliament, joined by three surveillance targets, demanding an EU-led investigation into spyware abuse in 13 countries, saying it is a serious breach of journalistic rights and freedoms.
Former Italian Prime Minister Matteo Renzi summed up that “the Paragon scandal cannot simply be brushed aside. Those who are responsible must be held accountable."
The unusual Israeli move and the concerns in the U.S.
It is still too early to determine the full impact of the scandal on Paragon. Last year, the Israeli cyber firm was acquired by the American private equity fund Aero-Equity (AE) for $500 million, with the deal set to increase to $900 million if the company meets certain business targets. Paragon now operates as an American subsidiary of AE, headquartered in Virginia and led by John Fleming, a former senior CIA official.
Two days after the sale was announced, an unusual event occurred: Israel’s Defense Ministry issued an official statement declaring that the sale had not been approved and that it was examining the sale procedure and its implications." This was an extraordinary move. Normally, companies do not go public with such deals without obtaining all necessary approvals from Defense Ministry, and the Defense Ministry rarely "airs its dirty laundry" in an official statement. The announcement led to speculation that political considerations played a role, with some suggesting that Ehud Barak’s involvement in Paragon may not have been to certain officials' liking.
Perhaps anticipating such uncertainties, the Defense Ministry clarified that all decisions by the Ministry of Defense are based solely on professional considerations. The Ministry has not received inquiries regarding the sale from any political or private entity.
7 View gallery
Paragon is not legally required to obtain prior Defense Ministry approval
(Photo: PR)
Ultimately, the sale went through. Paragon, as it turned out, was not legally required to obtain prior approval from the Defense Ministry, so the ministry's announcement that it did not approve the deal was correct but misleading. The law mandates that companies notify the ministry within 30 days of a sale, after which the ministry has the authority to retroactively object.
Paragon remains an Israeli company subject to oversight by the Defense Export Control Agency (DECA), which must approve all transactions involving its technology. In fact, it was DECA that ultimately severed Paragon’s ties with the Italian intelligence agency after the company reported suspicions that its spyware had been misused in violation of licensing terms.
American media outlets are now raising their own questions about the Paragon affair and its potential impact on U.S. politics. One key issue is whether the Trump administration will continue using Israeli spyware. During Trump’s first term, the FBI reportedly obtained a limited license to evaluate NSO’s Pegasus spyware, though officials claim it was never used in investigations within the United States.
In recent years, U.S. authorities have taken enforcement actions against Israeli offensive cyber firms, including NSO, Candiru and Intellexa (founded by former Israeli intelligence officer Tal Dilian). These companies develop spyware capable of hacking into virtually any phone, accessing all its documents, photos and recordings, and even remotely activating the device’s camera and microphone. They have been accused of selling their technology to repressive regimes, which allegedly used it to track, persecute, and even eliminate political dissidents.
In 2021, the Biden administration blacklisted NSO and Candiru, stating that their technologies enabled foreign governments to engage in "transnational repression," posing a national security threat to the United States.
Paragon’s legal battle with Meta is also raising eyebrows within the U.S. cyber industry, as it appears to contradict Meta CEO Mark Zuckerberg’s strategy of maintaining good relations with the Trump administration. Meta’s public confrontation with Paragon could disrupt the operations of American security agencies that are Paragon's customers, such as Homeland Security Investigations (HSI), a division of U.S. Immigration and Customs Enforcement (ICE) and the Department of Homeland Security (DHS), both of which Trump has championed.
The American media is now asking a troubling question: Could the new administration, which has openly stated its intention to use government power against its political opponents, whom Trump has called "the enemy within," utilize Paragon’s spyware as part of that effort?
Should Americans affiliated with the Democratic Party, military personnel, members of Congress, intelligence agents and former government officials be concerned about surveillance on their phones or even legal action against them?
A source in the cyber industry told us that Paragon retains the authority to decide who its clients are and can terminate contracts with customers it does not trust. Could that principle ever extend to the U.S. government? “That’s hard to imagine,” the source admitted.