
Mar 06, 2026 · 6 min read

Italy Confirmed a Journalist Was Hacked With Paragon Spyware—But Can't Figure Out Who Did It

Prosecutors proved Francesco Cancellato's phone was infected. Then they checked the intelligence agency's server and found nothing. The mystery is now deeper than ever.


The Hack Is Confirmed

On March 5, 2026, Italian prosecutors confirmed what Francesco Cancellato had feared for over a year: his phone was hacked with military-grade spyware made by Israeli firm Paragon Solutions.

A forensic analysis showed that Cancellato's device was infected with Paragon's Graphite spyware in the early hours of December 14, 2024. Graphite is a zero-click tool, meaning the target does not need to open a link or download a file. The spyware simply arrives and takes over.

Cancellato is the editor-in-chief of Fanpage, one of Italy's most widely read digital news outlets. He was among roughly 90 people, including journalists and civil society members across 20 countries, who were alerted by WhatsApp in January 2025 that their accounts had been targeted.

The Intelligence Agency Says It Wasn't Them

Here is where the story takes a strange turn. Italian judicial authorities inspected the Paragon spyware server operated by AISI, Italy's domestic intelligence agency. The server contained evidence that AISI had used Graphite to surveil humanitarian activists Luca Casarini, Giuseppe Caccia, and Father Mattia Ferrari, all of whom were involved in refugee rescue operations and had been critical of Prime Minister Giorgia Meloni's government.

But there was no trace of an operation against Cancellato on that server. Someone hacked the journalist. The Italian government says it was not them. And no one knows who it was.

A Second Journalist, the Same Spyware

Cancellato is not alone. Ciro Pellegrino, head of Fanpage's Naples newsroom, was also confirmed as a Graphite target. Citizen Lab, the University of Toronto research group that has become the de facto forensic authority on commercial spyware, verified both cases along with a third unnamed prominent European journalist.

Cancellato has publicly stated he believes he was targeted for Fanpage's investigative reporting, including stories that exposed neo-fascist and antisemitic connections within Italian political circles. He confronted Prime Minister Meloni directly during a press conference at Italy's Chamber of Deputies, demanding answers about the wiretapping.

The Paragon Machine

Paragon Solutions was co-founded by former Israeli Prime Minister Ehud Barak and markets itself as an ethical alternative to NSO Group, the company behind the Pegasus spyware. Graphite is designed to exploit vulnerabilities in encrypted messaging apps like WhatsApp and Signal, extracting data from the device without detection.

Meta's security team discovered approximately 100 WhatsApp account breaches across 20 countries linked to Paragon's tools. Citizen Lab identified that Graphite systems may have been operated from servers located in Germany.

After the scandal broke, Paragon terminated its contracts with Italy, citing licensing violations. The contracts were reportedly worth tens of millions of euros. Italy subsequently replaced Paragon with NEGG, an Italian firm, for its offensive cyber operations.

Cover-Up Allegations

The Italian parliamentary investigation has drawn criticism for what journalists' unions describe as deliberate obfuscation. Sources indicated that the government rejected Paragon's own verification method, which could have identified who authorized the surveillance, to avoid political embarrassment for Meloni's administration.

Vittorio di Trapani, president of the Italian journalists' federation FNSI, said it plainly: "It is unacceptable that after months we still do not know who spied on these journalists and why." The European Federation of Journalists joined the call for accountability, with its president Maja Sever condemning what she described as the inaction of Italian authorities.

Italian journalists' unions have filed criminal complaints with the Rome Public Prosecutor's Office, and both the International and European Federations of Journalists have called for a European Parliament Commission of Inquiry into the Paragon scandal.

Why This Pattern Keeps Repeating

Italy's Paragon scandal follows a familiar script. A government acquires commercial spyware ostensibly for national security purposes. The tools end up on the phones of journalists and activists. An investigation produces partial answers and bureaucratic deflection. The spyware company severs ties and moves on to the next client.

Greece convicted four individuals linked to Intellexa's Predator spyware in a landmark ruling in February 2026. Poland charged its own spy chiefs for using Pegasus against 600 political targets. Spain dropped its Pegasus investigation entirely after Israel refused to cooperate. Saudi Arabia was ordered by a UK court to pay damages for a Pegasus attack on a satirist.

The commercial spyware industry continues to operate across borders, selling tools that can turn any smartphone into a surveillance device. The targets are almost always the same: the people whose job it is to hold power accountable.

What You Can Do

Zero-click spyware like Graphite is designed to be undetectable by its targets. But there are steps that reduce your exposure:

  • Keep your devices updated. Spyware exploits known vulnerabilities. Every OS update closes potential entry points.
  • Enable Lockdown Mode on iOS if you have reason to believe you may be a target. It restricts several features but significantly narrows the attack surface.
  • Use disappearing messages in encrypted apps. Even if a device is compromised, auto-deleting messages limits what an attacker can extract.
  • Reboot regularly. Some spyware does not survive a device restart. iOS 26's reboot behavior clears certain types of infections automatically.

The Italian investigation has proven that Cancellato's phone was hacked. What it has not proven is who gave the order. Until the commercial spyware market faces real regulation, that question will keep going unanswered.