Prosecutors Confirm Journalist Hacked With Paragon Spyware

Gregory Zuckerman
By Gregory Zuckerman
Technology
7 Min Read

Italian prosecutors have confirmed that a prominent journalist’s phone was compromised by commercial spyware tied to Paragon Solutions, deepening a political and legal storm over the use of hacking tools against civil society figures. A technical analysis ordered by prosecutors in Rome and Naples found forensic traces of infection on devices belonging to journalist Francesco Cancellato and two migration activists, offering the clearest independent validation to date of a suspected campaign.

What Prosecutors Confirmed About the Infections

In a statement to reporters, the prosecutors’ offices said a forensic report identified indicators of compromise on the phones of Cancellato and activists Giuseppe Caccia and Luca Casarini. The infections occurred in the early hours of December 14, 2024. Investigators said three back-to-back attempts were recorded that night, a pattern consistent with a coordinated, single operation trying multiple delivery vectors or redundancy steps.

Table of Contents
The Paragon logo, featuring a stylized black and grey upward-pointing arrow design above the word PARAGON in black capital letters, presented on a professional light grey background with subtle geometric patterns.

The full forensic report remains under seal, but authorities characterized its findings as conclusive for those three devices. Notably, the analysis did not confirm infections on several other alleged victims whose cases have been publicly discussed over the past year.

Who Was Targeted And When the Attacks Occurred

The confirmation follows a wave of threat notifications in early 2025, when WhatsApp warned Cancellato and roughly 90 other people in Italy that they had likely been targeted by a mercenary spyware vendor. Separate alerts from Apple flagged attempts against additional journalists, including reporter Ciro Pellegrino. Subsequent research by the Citizen Lab linked some of these cases to Paragon’s product, known as Graphite, though prosecutors say the latest technical review did not find infection traces on Pellegrino’s phone.

Cancellato is the director of the investigative outlet Fanpage, and the two activists have long been associated with high-profile migration rescue efforts. Together, the targets reflect a cross-section of watchdog voices frequently of interest to powerful institutions—one reason the findings are resonating far beyond Italy’s media community.

Questions Around Attribution And Responsibility

Despite the forensic confirmation, attribution remains murky. Prosecutors said they examined a Paragon server reportedly used by Italy’s domestic intelligence agency AISI. Operational evidence on that system aligned with targeting of Caccia and Casarini, but investigators did not find records indicating an operation against Cancellato. The Parliamentary Committee for the Security of the Republic (COPASIR) previously concluded that the activists had been lawfully targeted by intelligence services, while it found no proof of a hack on Cancellato at the time.

The result is a paradox: a journalist’s phone shows signs of Paragon spyware, yet the government server thought to host such operations appears clean of his case. Prosecutors say they are continuing to investigate who carried out the intrusion on Cancellato’s device.

A diagram titled ATTRIBUTING APPLE iOS PARAGON INFECTIONS showing a flow of connections. It illustrates ATTACKER1 (represented by an Apple Messages icon) found on phones belonging to Ciro Pellegrino and a European Journalist. Both phones show Traffic to an IP address 46.183.184.91, which is linked by Temporal Correlation to ATTACKER1. A Fingerprint P1 is connected to the IP address and points to Paragon Solutions (represented by the Paragon logo). The image is presented in a 16:9 aspect ratio.

Government Response And Press Freedom Stakes

Prime Minister Giorgia Meloni’s government has denied any role in the journalist’s hack, saying it is providing assistance to clarify what happened. Cancellato has publicly criticized the lack of answers, arguing that prolonged silence erodes trust and chills reporting. Press freedom advocates warn that even a single confirmed spyware infection targeting a journalist risks deterring sources, undermining accountability reporting, and normalizing extraordinary surveillance powers outside of rigorous oversight.

Paragon Under Scrutiny Amid Italian Spyware Furor

Paragon Solutions, an Israel-based maker of the Graphite spyware platform, has come under mounting pressure amid the Italian revelations. The company, now owned by U.S. private equity firm AE Industrial Partners, merged with REDLattice following the acquisition and has previously held a contract with U.S. Immigration and Customs Enforcement. In the wake of the scandal, Paragon canceled contracts with Italian government customers, a rare public rupture for a sector that typically operates in near-total secrecy.

How Investigators Trace Spyware on Compromised Phones

Mobile spyware detection is notoriously difficult. Advanced tools often rely on zero-click exploits delivered via messaging apps or network injection, leaving only faint forensic breadcrumbs—unusual processes, rare configuration files, or traces in crash logs. Independent teams like the Citizen Lab and Amnesty International’s Security Lab have refined methods to spot these artifacts, but server-side records can be incomplete or intentionally purged. That helps explain why a device may show signs of compromise even when operational logs on a suspected control server do not.

Tech firms now routinely warn users of suspected government-backed attacks. Those alerts are not courtroom proof, but they have proven to be early indicators in many confirmed cases, prompting victims to preserve evidence and seek independent analysis before traces vanish in normal phone maintenance cycles.

Italy joins a growing list of European countries grappling with domestic scandals tied to commercial spyware. Greece has already seen courtroom consequences: a Greek court recently sentenced Intellexa co-founder Tal Dilian and three other executives to prison over illegal wiretapping and privacy offenses linked to the Predator spyware saga. Lawmakers across the EU have pressed for stricter procurement rules, tighter judicial oversight, and clearer red lines for domestic agencies.

What to Watch Next in Italy’s Spyware Investigation

Prosecutors say they are pursuing attribution in Cancellato’s case, a step that could determine whether Italy faces allegations of unauthorized domestic spying, the involvement of a rogue operator, or a foreign service acting on Italian soil. Expect renewed calls from civil society for stronger transparency around spyware purchasing, mandatory reporting to independent watchdogs, and sharper sanctions on vendors that enable abuses. For journalists and activists, the immediate priority is pragmatic: device hygiene, rapid forensic triage after platform alerts, and legal support to ensure that validated abuses do not fade without consequences.

Gregory Zuckerman
ByGregory Zuckerman
Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.
Latest News