
Zero-Click WhatsApp Exploit Used in Paragon Spyware Attacks


In a groundbreaking investigation, Citizen Lab has uncovered a sophisticated spyware operation leveraging a zero-click exploit in WhatsApp to target journalists, activists, and civil society members.

The spyware, developed by Paragon Solutions, an Israeli firm, has been linked to surveillance operations in multiple countries, including Italy, Canada, and Australia. This revelation raises significant concerns about the misuse of commercial spyware and the growing threat to digital privacy.

Paragon Solutions, founded in 2019, markets its spyware product, Graphite, as a tool with built-in safeguards to prevent abuse. Unlike NSO Group’s Pegasus, which takes complete control of a device, Graphite reportedly focuses on accessing instant messaging applications. However, Citizen Lab’s findings suggest that Paragon’s claims of ethical use may not hold up under scrutiny.

The investigation began with a tip about a suspicious domain name linked to Paragon’s infrastructure. Citizen Lab identified a network of servers, some hosted on cloud platforms and others on government premises, that were used to deploy Graphite.

The spyware’s infrastructure was traced to several countries, including Australia, Canada, Cyprus, Denmark, Israel, and Singapore.

The WhatsApp Zero-Click Exploit

One of the most alarming aspects of the investigation is the discovery of a zero-click exploit in WhatsApp. 

Zero-click attacks require no interaction from the victim, making them particularly dangerous. In this case, the attacker adds the victim to a WhatsApp group and sends a specially crafted PDF file. When the victim’s device automatically parses the PDF, it triggers the exploit, allowing the spyware to infiltrate the device.

Meta, the parent company of WhatsApp, confirmed that Citizen Lab’s findings were pivotal in identifying and mitigating the exploit. On January 31, 2025, Meta notified over 90 individuals believed to have been targeted, including members of civil society in Italy.

Citizen Lab conducted forensic analyses on several Android devices belonging to Italian targets who received WhatsApp notifications. The analysis revealed traces of a unique forensic artifact, dubbed BIGPRETZEL, which is linked to Paragon’s Graphite spyware. The spyware not only infiltrated WhatsApp but also propagated to other apps on the devices, demonstrating its advanced capabilities.

One of the targets, Dr. Giuseppe “Beppe” Caccia, a co-founder of the humanitarian organization Mediterranean Saving Humans and quoted in Citizen Lab’s report, had multiple instances of BIGPRETZEL on his device. Another target, Luca Casarini, also had traces of the spyware, though the extent of the infection remains unclear due to limited forensic data.

In a related case, an iPhone belonging to David Yambio, a close associate of Casarini and Caccia, was targeted with spyware in June 2024. While the forensic evidence, referred to as SMALLPRETZEL, does not conclusively link the attack to Paragon, the contextual factors suggest a possible connection. Apple confirmed that the attack was mitigated in iOS 18, highlighting the ongoing cat-and-mouse game between spyware developers and tech companies.

The investigation also uncovered a troubling trend: the proliferation of spyware capabilities among law enforcement agencies. In Canada, the Ontario Provincial Police (OPP) has been linked to using Paragon’s spyware. Public records suggest that the OPP used spyware in at least one investigation, raising concerns about the lack of oversight and transparency in using such powerful tools.

Citizen Lab’s findings underscore the need for comprehensive reforms to regulate the use of commercial spyware. 

As Bill Marczak, a senior researcher at Citizen Lab, noted, “Even if mercenary spyware has been acquired for a primary purpose, such as investigating organized criminal groups, experience shows that, over time, the temptation to use these powerful technologies for political purposes is substantial.”
