"Owner of spyware used in alleged WhatsApp breach ends contract with Italy", 6 February 2025

Like Pegasus, the hacking software made by the rival NSO Group, Paragon’s hacking spyware, called Graphite, can infect a mobile phone without a user’s knowledge. It then gives the operator of the spyware full control and access to messages and encrypted chats sent over apps such as WhatsApp and Signal.

The news has sent shockwaves across the Italian parliament, with one MP saying that, if confirmed, the story represented an “unacceptable violation of fundamental rights and an attack on democracy itself”.

Paragon’s decision to terminate the contract, which was first reported by the Guardian, comes less than a week after WhatsApp announced that Paragon’s spyware had been used to target dozens of people. Like other spyware vendors, Paragon sells its cyberweapon to government clients who are supposed to use it to prevent crime. It remains unclear who all the specific government clients were behind the alleged attacks.

Responding to the allegations of involvement..., Meloni’s office denied that domestic intelligence services or the government were behind the alleged breaches against the journalist and activists.

The person familiar with the matter, who spoke to the Guardian on condition of anonymity, said Paragon had “out of an abundance of caution” initially suspended the Italy contract when the first allegation of potential abuse of the spyware emerged... The decision to fully terminate the contract, the person said, was made.... after Paragon determined that Italy had broken the terms of service and ethical framework it had agreed under its Paragon contract.

The Guardian has contacted an Italian government spokesperson for comment.

Italian opposition parties on Thursday called on Meloni to urgently address parliament amid scepticism over the government’s statement, which also revealed that it had been told by WhatsApp that the number of affected Italians “appeared to be seven”. It is unclear who the other alleged victims are.

...

Barbara Floridia, an M5S senator and president of the supervisory committee for the state broadcaster, Rai, said the case “raises disturbing questions about the protection of privacy and freedom of the press in our country”.

...

Sandro Ruotolo, an MEP with the Democratic party, said: “In the statement excluding its involvement in espionage, the Italian government did not answer the most important question, namely whether or not Italy purchased services from Paragon Solutions. If so, what type [of service] and for what?”

Asked for comment, a Paragon representative declined to confirm or deny the development, and said it was the company’s policy to not discuss potential client matters.

...

WhatsApp said the 90 people who were likely to have been compromised had been added to WhatsApp group chats and been sent malicious PDFs, which then probably infected their phones. The users would not have had to click or download the pdf to be infected.

WhatsApp said all of the hacking attempts had been discovered in December, in part through the help of the Citizen Lab at the University of Toronto, which tracks digital threats against civil society. It is not clear for how long the individuals could have been surveilled or the government clients involved in each case.

While it is not entirely clear why Cancellato may have been targeted, his publication last year published a high-profile investigation that exposed young fascists in Meloni’s party. The two other people who were targeted, Husam El Gomati, a Libyan activist living in Sweden, and Luca Casarini, the founder of NGO Mediterranea Saving Humans, have both been vocal critics of Italy’s alleged complicity in abuses suffered by migrants in Libya.

While Paragon’s move is likely to assuage some concerns, there are still outstanding questions about dozens of other cases that WhatsApp discovered. Italy said earlier on Wednesday that it had been told by WhatsApp that those targets live in countries across Europe – and possibly other countries – including Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, the Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain and Sweden.

Paragon was reportedly recently acquired by a US firm called AE Industrial Partners... The company has not responded to requests for comment.

Paragon agreed a $2m contract last year with Ice, the US immigration and customs enforcement agency. The contract, agreed under the Biden administration, was reportedly suspended while the administration sought to determine whether it complied with an executive order that restricted the use of spyware by the federal government. The current status of the contract is not known. Neither Ice nor Paragon has responded to the Guardian’s questions about the contract.