Associated Incidents
The Israeli spyware maker Paragon has terminated its dealings with Italy, including disconnecting its access to Graphite, a military-grade surveillance technology capable of hacking into encrypted smartphones.
The decision follows allegations by WhatsApp on Friday that the software was used to breach the accounts of nearly 100 journalists and civil society activists, with three potential victims actively critical of the current Italian regime of far-right Prime Minister Giorgia Meloni.
Paragon works exclusively with state entities, including the Israeli security establishment and the FBI and others in the U.S., providing them with hacking capabilities in the form of spyware called Graphite. It also has a number of clients in Europe, specifically in the EU -- among them Italy, where it works with two different bodies, a law enforcement agency and an intelligence organization.
This is the first time the company, which was recently sold to an American defense contractor, has been linked to cases where the technology may have been abused.
Sources with knowledge of the incident told Haaretz that following the revelations, Paragon demanded Italy respond to the allegations and provide them with details about the alleged hacking. At the start of this week, the two Italian clients were disconnected from Graphite and lost access to the spyware.
On Wednesday, the Italian government responded to the claims of the alleged breach, denying them to Paragon and later to the public in a statement from the Prime Minister's Office.
The statement denied targeting journalists and even seemed to shift the blame to other European nations: "The users involved so far belong to numbers with telephone prefixes attributable, in addition to Italy, to the following countries: Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, Netherlands, Portugal, Spain and Sweden," Italy said, de facto providing a list of Paragon clients in the EU, except Latvia and Greece, with which the firm is not known to work. Greece's privacy authority confirmed that a number of Greek citizens received notifications that they too may have been hacked.
Paragon, it seems, did not accept the Italian explanation. On Thursday morning, news broke -- initially in The Guardian and later confirmed by Haaretz -- that Paragon's U.S. owners and Israeli management had decided not to reinstate the Italian clients' access and to terminate all ties with the country effective immediately.
One possible explanation is that Paragon believes the Italians are lying, as the company can review client usage of its system when there are credible concerns of misuse or violations of its so-called "end user agreement," as was allegedly the case here.
Graphite and Pegasus, made by Paragon's more famous competitor NSO, were developed for counterterrorism and serious crime prevention -- offenses that, under Israeli defense export laws, carry a minimum sentence of six years. Sources familiar with offensive cyber exports say that if one of Paragon's two Italian clients indeed used the spyware to hack the devices of a journalist and a political activist, it would have violated both Israeli export regulations and the company's contractual terms.
As a result, Paragon was expected to demand an explanation from the client, who would then have to justify the breaches or risk losing its license and being cut off from the system.
NSO has blocked previously blocked its clients in Poland, Hungary and Saudi Arabia after public revelations that Pegasus had been misused by them, including by targeting journalists and political dissidents.
The latest news challenges the image Paragon has long worked to cultivate as a "clean" and "responsible" company. The Italian case is the first real test for the company, which has long presented itself as committed to human rights and pledged to sever ties with clients who use its spyware against journalists.
If either of Paragon's Italian clients deployed Graphite against civil society targets -- especially journalists -- Paragon would be obligated to terminate the contract and disconnect them from its system. In previous cases of Pegasus abuse, clients in Poland, Hungary and Saudi Arabia were cut off, though this was done at NSO's initiative. Paragon has previously said it rejected offers from these countries and others that NSO continued working with, such as Mexico.
A particularly contentious case is the so-called CatalanGate scandal, involving Spain's use of NSO's Pegasus. As exposed by The New Yorker, the Spanish government -- ironically, itself a target of Moroccan cyberespionage -- used Pegasus to spy on Catalan leaders. The case was considered borderline because, while Catalonia's nationalist movement is nonviolent and advocates for independence through democratic means, Spanish security authorities may have deemed such surveillance justified. As a result, Spain was not cut off.
More broadly, Israel has never forced a cyber company to sever ties with any client. In Saudi Arabia's case, after NSO cut the kingdom off from Pegasus, Israeli officials even pressured the company to reinstate it -- a request that NSO refused.
In August 2022, Haaretz revealed that despite heavy criticism from European countries against Israel's cyber industry, they remain its biggest customers. Representatives of the European Parliament's investigative committee on Pegasus spyware visited Israel, where NSO officials disclosed that the company had active contracts with 12 out of the EU's 27 member states. Internal company responses to the committee's questions obtained by Haaretz at the time showed that NSO was working with 22 European security and law enforcement agencies.
The committee's delegation arrived in Israel during the summer of 2022 to study the country's offensive cyber industry and held discussions with NSO representatives, Israeli Defense Ministry officials, and local experts. Among the committee members was a Catalan lawmaker whose phone had been hacked by an NSO client.
The committee was established in response to the Pegasus Project investigation in 2021, with the goal of drafting EU-wide regulations on the purchase, import and use of offensive cyber tools like Pegasus. However, while committee members were in Israel -- and even more so after returning to Brussels -- it became evident that Europe, too, has a well-developed offensive cyber industry, with many of its clients being European governments.
Now, with the rise of governments like Meloni's in Italy and the return of Donald Trump to the White House, a renewed debate is unfolding in both Europe and the U.S. over surveillance technology and the assumption that Western democracies are less likely to abuse it. This latest revelation is likely to renew demands to ban the sale of such technologies everywhere.
Citizen Lab researcher John Scott-Railton told Haaretz on Wednesday that the discovery of Paragon spyware targeting WhatsApp users "is a reminder that mercenary spyware continues to proliferate, and as it does, so we continue to see familiar patterns of problematic use."
Scott-Railton added, "Italy has a Paragon problem, and now Paragon has an Italy problem. The mercenary spyware business model is flawed and no amount of fine marketing is going to survive confrontation with actual cases. Democracies have surveillance abuses, too, and ignoring that basic historical fact is a cop-out. It's 2025, and a spyware company that isn't constantly skeptical of all of its customers is being willfully blind."