Apr 29, 2026
Paragon Sold Spyware to Italy, Then Refused to Help Investigate When Journalists' Phones Got Hacked—A Year Later It Still Has Not Replied
Italian prosecutors filed a formal request through the Israeli government one year ago. Paragon, the company whose Graphite spyware ended up on two reporters' iPhones, has yet to respond. The investigation into who pushed the button is functionally stalled.
A Year of Silence
According to a TechCrunch report published April 28, 2026, Paragon Solutions has not responded to a formal information request that Italian prosecutors filed through diplomatic channels in early 2025. The request asked the spyware maker to explain how its product, Graphite, was used to hack at least two journalists and several activists in Italy. A year on, the file is open and Paragon's mailbox is closed.
The dynamic mirrors what happened with NSO Group when Mexican prosecutors tried to get answers about Pegasus targeting in 2024. The Israeli government, which regulates spyware exports under defense ministry rules, has historically intervened to prevent its national champions from cooperating with foreign investigators. Paragon was acquired by AE Industrial Partners and reincorporated as a Delaware company, but the products and the people are still subject to Israeli export controls.
Who Was Targeted
The Citizen Lab confirmed that Francesco Cancellato and Ciro Pellegrino, both reporters for the Italian news site Fanpage, had their iPhones infected with Paragon's Graphite spyware. Italian prosecutors later confirmed Cancellato's compromise; the technical findings on Pellegrino remained inconclusive. Several activists working with Mediterranea Saving Humans, an NGO that conducts migrant rescue operations in the Mediterranean, were also targeted.
Prime Minister Giorgia Meloni's government denied hacking the journalists. It did, however, acknowledge that targeting Mediterranea Saving Humans activists was lawful—an admission that someone in the Italian state was running Graphite against civil society at the same time it was running it against organized crime suspects.
Paragon's Public Position vs. Its Silence to Investigators
Paragon has cultivated a public image as the "ethical" spyware vendor. When the Fanpage scandal broke, the company publicly criticized the Italian government for refusing its offer to assist with an investigation. Paragon then cancelled its contracts with Italy's two main intelligence agencies, AISE (foreign intelligence) and AISI (domestic intelligence).
The cancellation made for good headlines. The follow-through has been less convincing. Italian prosecutors are not the Italian government. They are an independent judicial branch trying to determine whether journalists were unlawfully hacked, by whom, and under what authority. Paragon's offer to "help investigate" has not extended to actually answering them.
Why This Matters Beyond Italy
Paragon's Graphite is the same product that ICE recently admitted using under a multi-year contract. ICE described the use as targeting transnational criminal organizations and drug trafficking. The same spyware family, sold by the same company, is now operating against US persons and persons in the US. The Italian precedent matters because it shows what happens when a government wants to know who pulled the trigger and the vendor refuses to say.
The Citizen Lab has documented dozens of similar cases involving NSO Group's Pegasus, Intellexa's Predator, and now Paragon's Graphite. The pattern is consistent: spyware lands on a journalist's phone, victims and researchers attribute it to a specific tool, and the manufacturer either declines to comment or insists that customers misused the product. Investigations stall because the technical evidence sits with the company, not the prosecutor.
The Zero-Click Problem
Graphite is what researchers call a zero-click product. It does not need a victim to tap a malicious link or open a document. The infection occurs through a vulnerability in a messaging app, an iMessage attachment, or a web rendering engine, and the user sees nothing. By the time the phone shows any sign of compromise, the operator has already accessed messages, contacts, microphone, and camera.
For journalists, the implication is severe. Standard hygiene—do not click suspicious links, do not open unknown attachments, use end-to-end encrypted messengers—does not prevent zero-click attacks. The only reliable mitigation is reducing the attack surface itself: Apple's Lockdown Mode, which has yet to record a confirmed spyware infection, GrapheneOS for Android users, and minimizing the apps that have parsing access to incoming content.
What This Means for Source Protection
A reporter targeted with Graphite has lost not only their own privacy but the privacy of everyone they communicated with. Sources, editors, family members, and confidential contacts are all exposed retroactively. For investigative journalists in Italy and the US, the message from the Fanpage case is straightforward: assume the phone in your pocket is a hostile environment, and design your source workflow accordingly.
Concretely, that means using burner devices for sensitive contacts, using SecureDrop for whistleblower intake, never discussing identifying details over messaging apps, and storing sensitive notes in air-gapped or end-to-end encrypted environments. The Committee to Protect Journalists has published detailed guidance on digital safety for reporters that is now table stakes in any investigative newsroom.
The Regulatory Vacuum
The European Union spent years debating whether commercial spyware should be regulated like a weapon. The Pegasus inquiry committee in the European Parliament concluded that abuse was widespread and recommended sanctions, export controls, and victim notification requirements. None of those recommendations have been implemented. Paragon's contracts with Italian intelligence were entirely lawful under current rules, even after the journalist targeting became public.
Until the regulatory environment changes, the only enforcement mechanism is the criminal investigation Paragon is currently ignoring. A spyware company that can simply not respond to a prosecutor for a year, with no consequences, has very little reason to behave differently next time.
What Comes Next
The Italian prosecutors have indicated they will continue pursuing the case, but their leverage is limited. Without Paragon's cooperation, attribution of who specifically authorized the targeting of Cancellato becomes nearly impossible to prove in court. The political question—whether the Meloni government illegally targeted journalists or whether someone within the security services acted outside of authority—will probably remain unanswered.
For everyone watching from outside Italy, the case is a preview. The same playbook will run wherever a government buys commercial spyware and the deployment touches a journalist, an activist, or a political opponent. Paragon's silence is not a bug. It is the business model.