Security researchers have obtained the first forensic confirmation that Paragon Solutions' Graphite spyware successfully infiltrated iOS devices belonging to European journalists, marking a significant escalation in the ongoing mercenary spyware crisis targeting media professionals across the continent.
The Citizen Lab at the University of Toronto announced that their analysis of devices belonging to two journalists—including Italian reporter Ciro Pellegrino from Fanpage.it and an unnamed prominent European journalist—revealed clear evidence of sophisticated zero-click attacks using Paragon's Graphite spyware platform.
The attacks occurred between January and February 2025, exploiting a critical vulnerability that Apple has since patched in iOS 18.3.1.
The attacks demonstrated remarkable technical sophistication, utilizing what researchers describe as "zero-click" exploits that required no user interaction to compromise devices.
The spyware leveraged a vulnerability in iMessage processing (now designated CVE-2025-43200) that allowed attackers to deploy malicious code simply by sending specially crafted messages to target devices.
"Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1," researchers noted in their report. The vulnerability affected devices running iOS 18.2.1, highlighting how even recent iOS versions remained susceptible to state-sponsored spyware techniques.
Forensic analysis revealed that compromised devices communicated with Paragon's command-and-control infrastructure, specifically a server at IP address 46.183.184.91 hosted by VPS provider EDIS Global. The server remained active and matched known Paragon fingerprints until at least April 12, 2025, suggesting ongoing operational capabilities.
Pattern of Coordinated Targeting
Perhaps most concerning is the discovery that both journalist cases involved the same iMessage account (dubbed "ATTACKER1" by researchers), indicating a coordinated campaign by a single Paragon customer. This finding suggests that the attacks weren't random but represented a systematic effort to surveil specific media targets.
[Figure: Attribution to Paragon's Graphite spyware]
The targeting appears particularly focused on Italian media outlet Fanpage.it, where both Pellegrino and his colleague Francesco Cancellato received spyware warnings. Cancellato had previously been notified by WhatsApp in January 2025 that he was targeted with Paragon's spyware, though the effort to forensically confirm this on his Android device remains ongoing.
Broader European Implications
The confirmed attacks add to a growing pattern of mercenary spyware deployment against European journalists. According to the researchers, three European journalists have now been confirmed as Paragon targets, with two confirmations based on forensic evidence and one through Meta notifications.
The Italian government's parliamentary intelligence committee (COPASIR) has acknowledged using Paragon's spyware in some cases but stated they couldn't determine who targeted the Fanpage.it journalists.
This gap in accountability highlights what researchers describe as a critical weakness in the oversight of commercial spyware operations.
Protection and Response Measures
Apple's iOS 18.3.1 update, released February 10, 2025, addresses both the Messages vulnerability and a separate Accessibility issue that could disable USB Restricted Mode on locked devices. The company noted in its security advisory that both vulnerabilities "may have been exploited in extremely sophisticated attacks against specific targeted individuals."
For journalists and civil society members who receive spyware warnings from Apple, Meta, WhatsApp, or Google, researchers emphasize the importance of taking such notifications seriously and seeking expert technical assistance immediately.