Introduction

In early 2025 [6], a significant cybersecurity incident involving the infection of European journalists’ iPhones with Graphite spyware, developed by Israeli firm Paragon Solutions [7], was uncovered. This incident highlights the growing threat of sophisticated spyware targeting journalists and raises concerns about governmental involvement and press freedom.

Description

Researchers from the Citizen Lab have uncovered forensic evidence indicating that the iPhones of at least four European journalists [2], including prominent Italian journalist Ciro Pellegrino [2], bureau chief at Fanpage.it [1], were infected with Graphite spyware [2] [4] [7], developed by the Israeli surveillance tech provider Paragon Solutions [3]. The investigation revealed that Pellegrino and another unnamed journalist were targeted by the same Paragon customer, suggesting a coordinated effort against their media outlet [4].

Forensic analysis confirmed that Pellegrino was one of two journalists infected through a sophisticated zero-click attack via iMessage, which required no interaction from the targets and left minimal traces. This attack exploited a critical zero-day vulnerability in the iOS operating system, tracked as CVE-2025-43200 [2] [4] [6] [7], arising from a logic issue when processing maliciously crafted photos or videos shared via iCloud Links [2] [6]. The devices were running iOS 18.2.1 during the attack in January and early February 2025. Logs indicated requests to a server associated with Paragon’s Graphite spyware [8], along with traffic from an attacker-operated iMessage account identified as ATTACKER1 [1]. Pellegrino’s iPhone also exhibited evidence of targeting by the same iMessage account used in the first case [8].

In late April 2025 [5], both Pellegrino and the unnamed journalist received notifications from Apple regarding their targeting with advanced spyware, prompting them to seek assistance from Citizen Lab [5]. Apple acknowledged the vulnerability [2] [6], which has a CVSSv3 score of 9.8 [2], and confirmed that a fix was implemented in the latest iOS version, 18.3.1, released on February 10, 2025 [6]. The investigation raised concerns about the Italian government’s involvement [3], as it has been linked to the use of Paragon spyware against journalists and human rights activists [3].

In addition to Pellegrino and the unnamed journalist [3], two other individuals [3], Luca Casarini and Dr. Beppe Caccia [3] [4], were confirmed to have been infected with Paragon’s spyware [3]. Although Francesco Cancellato [4] [5], another journalist from the same newsroom [4], was notified of a potential spyware attack via WhatsApp, forensic analysis of his Android device found no definitive proof of infection [4]. A report from Italy’s Parliamentary Committee for the Security of the Republic (COPASIR) acknowledged the use of Graphite spyware by intelligence services against activists but denied targeting Cancellato [5].

Ongoing analysis of Paragon’s targeting on iOS and Android devices continues [8], with further forensic investigations being conducted on all related cases [3], including those involving nonprofit workers engaged in migrant rescue operations. The report emphasizes the ongoing threat to journalists in Europe from spyware and highlights the lack of accountability for such invasive digital attacks [6].

Following the scrutiny, Paragon publicly terminated its contracts in Italy [4], marking a significant shift in the relationship between spyware firms and government clients [4]. The growing market for mercenary spyware [1], including tools like NSO Group’s Pegasus and Cytrox’s Predator [1], raises serious concerns about press freedom [1], as such technologies can compromise journalists’ ability to protect their sources by accessing sensitive information without their knowledge [1].

In response to these threats [1], European Parliament members are investigating spyware abuses [1], and Italy’s intelligence oversight committee has initiated hearings into Paragon Solutions following reports of Graphite’s use against activists [1]. To mitigate the risk of such spyware [7], it is recommended that users keep their iPhones updated and enable Lockdown Mode for enhanced protection [7]. This mode reduces functionality but increases security against targeted attacks [7]. Users in sensitive roles should also consider turning their devices off and on again as a temporary measure against spyware [7]. For those who suspect their devices may be infected [7], contacting organizations like Amnesty or Access Now for assistance is advised [7]. Regular updates to the latest software [7], currently iOS 18.5 [7], are crucial for protecting against vulnerabilities that could compromise device security [7].

Conclusion

The exposure of Graphite spyware’s use against European journalists underscores the urgent need for robust cybersecurity measures and accountability in the deployment of surveillance technologies. The incident has prompted significant scrutiny of spyware firms and their government clients, leading to contract terminations and investigations. As the market for mercenary spyware grows, it is imperative to safeguard press freedom and protect sensitive information. Users are advised to maintain updated software and employ security measures like Lockdown Mode to mitigate risks. Ongoing investigations and legislative actions are crucial in addressing the challenges posed by advanced spyware and ensuring the protection of journalists and activists.

References

[1] https://www.macobserver.com/news/zero-tap-imessage-hack-let-hackers-slip-into-iphones-undetected/
[2] https://www.infosecurity-magazine.com/news/european-journalists-paragon/
[3] https://techcrunch.com/2025/06/12/researchers-confirm-two-journalists-were-hacked-with-paragon-spyware/
[4] https://securityaffairs.com/178940/mobile-2/paragon-graphite-spyware-used-a-zero-day-exploit.html
[5] https://www.helpnetsecurity.com/2025/06/13/ios-zero-click-attacks-used-to-deliver-graphite-spyware-cve-2025-43200/
[6] https://www.techworm.net/2025/06/apples-imessage-flaw-exploited-to-target-journalists.html
[7] https://www.forbes.com/sites/kateoflahertyuk/2025/06/13/new-iphone-spyware-warning—act-now-to-prevent-attacks/
[8] https://citizenlab.ca/2025/06/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/