Paragon’s ‘clean’ spyware image shattered by WhatsApp hacking allegations
Paragon’s ‘clean’ spyware image shattered by WhatsApp hacking allegations
Israeli firm once seen as a responsible player accused of targeting journalists and activists.
Spyware developed by Israeli company Paragon was used to attack the smartphones of 90 journalists and civil society activists through their WhatsApp accounts, according to Meta-owned WhatsApp. While WhatsApp did not reveal the identities of the victims, The Guardian identified one as the editor of an Italian investigative website known for its critical coverage of far-right Prime Minister Giorgia Meloni and her party.
“Commercial spyware makers will inevitably face abuse of their products once they start selling to a broader customer base,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto, who specializes in the study of commercial spyware. “It’s not just dictatorships that abuse spyware—it happens in democracies too.”
Paragon was founded in 2019 by a group of Unit 8200 veterans led by Ehud Schneerson, the unit’s former commander and current chairman of the company. Another prominent shareholder is former Israeli Prime Minister and IDF Chief of Staff Ehud Barak. Other major investors include Battery Ventures and Yoram Oron’s Red Dot Capital Partners.
In December, it was reported that the American private equity firm AE Industrial Partners intended to acquire Paragon for $500 million in cash, with an option to increase the value to $900 million if certain targets were met. However, three days after the deal was revealed, Israel’s Ministry of Defense announced that a request to approve the sale had never been submitted and that the deal had not been approved, as required by the Israeli Defense Export Controls Agency (DECA).
Paragon’s Graphite spyware has capabilities similar to NSO Group’s notorious Pegasus. Like Pegasus, Graphite can give attackers near-complete control over infected smartphones, including access to all stored information, even encrypted messages on apps like WhatsApp and Signal.
Paragon has tried to position itself as an "ethical" company, claiming to sell its products only to democratic countries. (In contrast, NSO has reportedly sold its spyware to countries such as Saudi Arabia and the United Arab Emirates.) Paragon also claims to be on the U.S. government’s approved vendor list because it operates exclusively in democratic nations. This has been part of its strategy to differentiate itself from competitors like NSO, Candiru, and Tal Dilian’s Intellexa, which have been blacklisted by the U.S. Department of Commerce in recent years.
However, Paragon’s reputation is now under scrutiny following WhatsApp’s revelations. According to WhatsApp, it can say with "high confidence" that 90 journalists and civil society activists were targeted and potentially harmed using Graphite.
The attack exploited a zero-click vulnerability in WhatsApp, meaning the spyware could infect devices without any action from the victims. WhatsApp has sent Paragon a cease-and-desist letter, ordering the company to stop using the app to infiltrate devices, and is reportedly considering further legal action.
WhatsApp is already pursuing a long-running legal case against NSO Group following a 2019 hack that compromised 1,400 users. In December, a court ruled in WhatsApp’s favor, finding NSO responsible for the attacks, in violation of both the law and WhatsApp’s terms of service. NSO is expected to appeal.
“WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users including journalists and members of civil society. We’ve reached out directly to people who we believe were affected. This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately,” a company spokesperson told the Guardian.
While WhatsApp did not disclose further details about the identities of Paragon’s victims, The Guardian identified one as Italian investigative journalist Francesco Cancellato. Cancellato, the editor-in-chief of Fanpage, is known for exposing ties between fascist groups and Prime Minister Meloni’s party. Last year, he revealed that young party activists were using anti-Semitic language, performing fascist salutes, and singing fascist chants.
In an interview with The Guardian, Cancellato said he had no reason to suspect that his device had been compromised or that he was under government surveillance.
“We just began the technical analysis on the device in order to evaluate the actual extent of this attack, what was actually taken or spied on, and for how long. Obviously, it is also in our interest to know, if it’s possible to do so, who ordered this espionage activity,” Cancellato said.
Researchers note that the Paragon revelations highlight the challenge of preventing commercial spyware misuse, even when it’s sold exclusively to democratic governments.
“Paragon has spent a lot of time claiming, ‘We are the anti-NSO,’” Scott-Railton told Calcalist. “What we’re seeing now, based on WhatsApp’s findings, is that commercial spyware vendors will inevitably face product misuse once they expand their customer base.”
“This is a fact of the industry,” he added. “It’s not limited to one or two companies. The targeting of civil society members and journalists goes hand in hand with the growth of commercial spyware. If I were a senior U.S. government official or one of its allies, I’d be asking myself: Are any of my people—or our allies—being targeted by this spyware? Paragon may not be as well-known as others, but it seems that no matter how small your customer base is, it can always be too broad.”
“For some time Paragon has had the reputation of a ‘better’ spyware company not implicated in obvious abuses, but WhatsApp’s recent revelations suggest otherwise. This is not just a question of some bad apples – these types of abuses are a feature of the commercial spyware industry,” Natalia Krapiva, senior tech legal counsel at Access Now, told the Guardian.
Indeed, the exposure of Paragon’s alleged abuses—about which more details are expected in the coming days—underscores the difficulties in regulating commercial spyware to prevent misuse. Even when spyware is sold to democratic governments, companies have little control over how their products are used once in the hands of clients.
Even government agencies in democratic countries can abuse powerful spyware tools, especially when operations are conducted in secret, despite legal oversight. This was evident in the Israeli police’s use of NSO’s Pegasus spyware, and now, seemingly, with Paragon.
Paragon did not respond to Calcalist’s request for comment. Ehud Barak also did not respond.
