On April 29, 2025, Apple issued alerts: select iOS users were being targeted with advanced spyware. Among those notified were two journalistsβone of them prominent in Europe and the other, Ciro Pellegrino, head of the Naples newsroom at Fanpage.it. Both turned to Citizen Lab for technical assistance. What followed was a forensic investigation that confirmed the use of Graphite, a mercenary spyware tool developed by Paragon Solutions.
βOur analysis finds forensic evidence confirming with high confidence that both a prominent European journalistβ¦ and Italian journalist Ciro Pellegrino, were targeted with Paragonβs Graphite mercenary spyware,β Citizen Lab reported.
Graphite is part of a new breed of military-grade surveillance tools developed by private contractors and sold to government clients. It operates via zero-click attacks, capable of silently compromising devices through apps like iMessage, without requiring user interaction.
Citizen Lab confirmed that Pellegrinoβs and the unnamed European journalistβs iPhones were compromised through zero-click iMessage attacks, attributed to an iMessage account dubbed ATTACKER1.
βWe conclude that this account was used to deploy Paragonβs Graphite spyware using a sophisticated iMessage zero-click attackβ¦ this infection would not have been visible to the target,β the report noted.
βA logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link,β the company revealed in an advisory.
βApple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.β
Apple has fixed CVE-2024-23222 with improved check in
Apple iOS 15.8.4/16.7.11/18.3.1iPadOS 15.8.4/16.7.11/17.7.5/18.3.1macOS 13.7.4/14.7.4/15.3.1The scope of the targeting extended beyond one journalist. Another Fanpage.it editor, Francesco Cancellato, had received a spyware notification from WhatsApp earlier this year. Although forensic analysis of his Android phone did not yield conclusive infection evidence, Citizen Lab emphasizes that absence of forensic proof does not mean an attack did not occur.
βGiven the sporadic nature of Android logsβ¦ relevant logs may not have been captured or may have been overwritten,β Citizen Lab explains.
This pattern of multiple targets from one media outlet suggests a dedicated espionage campaign, potentially by a single Paragon client with specific interest in Fanpage.it.
The revelations have ignited controversy in Italy. On June 5, 2025, the Italian Parliamentary Committee for Intelligence Oversight (COPASIR) acknowledged the use of Graphite against two individualsβLuca Casarini and Dr. Giuseppe βBeppeβ Caccia. However, they stated they could not confirm who targeted Cancellato.
Meanwhile, Paragon offered assistance in the Cancellato case but was rebuffed by the Italian Department of Security Intelligence (DIS), citing national security concerns.
βThey stated that providing Paragon such access would impact the reputation of Italyβs security services among peer services around the world,β the report noted.
To date, Citizen Lab has identified three journalists targeted by Graphite in Europeβtwo via Apple notifications and forensic confirmation, and a third via Meta. The organization warns that the lack of accountability raises serious questions about the unchecked proliferation of commercial spyware.
βThe lack of accountability available to these spyware targets highlights the extent to which journalists in Europe continue to be subjected to this highly invasive digital threat,β Citizen Lab concludes.