In December 2024, Meta analysts detect abnormal surveillance activity conducted through Graphite, an advanced spyware software developed by the Israeli company Paragon Solutions, used to infiltrate the devices of WhatsApp users. The attack is detected and blocked, but in the meantime around 90 people in more than 14 European countries areaffected, includingactivists, journalists and members of civil society.

Following the discovery, Meta launched a notification campaign, directly alerting victims of the malicious activity against them.
In Italy, the first to make public the receipt of the notification is Francesco Cancellato, editor-in-chief of Fanpage.it, a magazine that is particularly critical of the Italian government, who, on 31 January 2025 , claims to have received a warning from WhatsApp, informing him of espionage activity suffered in the previous months, until December 2024.

According to available information, among the approximately 90 people affected, at least seven are in Italy, while the other victims are in several European countries. They include Luca Casarini, founder of the NGO Mediterranea Saving Humans, and exiled Libyan activist Husam El Gomati.

Graphite, the spearhead of digital surveillance

The spyware used, called Graphite, was developed by Paragon Solutions, an Israeli company now owned by a US-based fund. Graphite is said to be able to access all the information on a smartphone, compromise messaging apps such as Signal and WhatsApp, and infect devices without the need to click on links or attachments by using vulnerabilities that have not yet been detected, so-called 0-dayvulnerabilities, i.e.vulnerabilities for which no countermeasures have yet been developed.

Meta reported that affected users were added to compromised WhatsApp groups and received infected PDFs, which triggered the infection automatically, without the need for interaction.

Paragon’s restrictions and the revocation of Italy’s licence

Paragon Solutions has always adopted a much more restrictive policy than other companies operating in the digital surveillance sector, such as NSO Group, producer of the spyware Pegasus. The terms of service of Graphite, the software provided by Paragon, clearly adhered to the company’s policy, which limited its use exclusively to the surveillance of suspected criminals of a certain severity, such as members of terrorist organisations or organised crime.

Unlike other companies in the sector, Paragon does not offer its services to private customers, but only to state bodies, subject to verification of adherence to the requirements imposed by the company. Failure to comply with these conditions has already led Paragon in the past to revoke licences from governments that had made improper use of them, and it is precisely in this direction that the decision to discontinue collaboration with the Italian authorities would have moved.

It emerged that the licence granted to Italy for the use of Graphite had been revoked by Paragon itself, following internal audits that allegedly revealed a use that did not comply with the established purposes, opening questions about the real purpose of the surveillance conducted.

The Italian government denies any involvement and launches an investigation

After the first reports were published, Prime Minister Giorgia Meloni ‘s office denied any involvement of the government or the Italian secret services, while describing the allegations as ‘particularly serious’.

The government instructed the National Cybersecurity Agency (NCA) to investigate the matter. The ACN consulted the law firm Advant, which represents WhatsApp Ireland, and confirmed that the number of Italian users affected ‘would appear to be seven‘. However, no list of names was provided.

According to the available data, those affected have numbers with international dialling codes from Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain and Sweden.

Citizen Lab: “Who was the customer?”

The case also caught the attention of the Citizen Lab, a research centre at the University of Toronto that specialises in monitoring digital surveillance and the use of spyware by governments around the world. Researcher John Scott Railton

Researcher John Scott Railton, interviewed by The Guardian, said:

‘It is now clear: Italy has a problem with Paragon. Given the number of cases that have already emerged, it is time to ask: who was the client? And how far does this affair extend?”

A person close to Paragon Solutions, contacted by The Guardian, declined to comment on the identity of the clients, but stated that they ‘do not deny that Italy is a client’.

Digital surveillance and civil liberties: an increasingly fragile balance

WhatsApp did not disclose how long the targets were under surveillance, but confirmed that monitoring was detected in December 2024 and subsequently stopped.

The ACN investigation is still ongoing, while pressure is mounting on Paragon Solutions to clarify who commissioned the use of the spyware and for what purpose. The Paragon case, however, goes beyond the single surveillance incident and raises broader questions about the risk that such invasive tools could be used against journalists and activists disliked by incumbent governments in Europe and around the world.

The possibility of advanced intrusion technologies being used to spy on those who criticise power represents a direct threat to press freedom and civil rights. Activists and independent journalists, often engaged in exposing violations and abuses, risk becoming targets of an increasingly pervasive system of control that undermines transparency and the right to information.