Wednesday, March 19, 2025

Researchers name several countries as potential Paragon spyware customers

The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of Israeli spyware maker Paragon Solutions, according to a new technical report by a renowned digital security lab.

On Wednesday, The Citizen Lab, a group of academics and security researchers housed at the University of Toronto that has investigated the spyware industry for more than a decade, published a report about the Israeli-founded surveillance startup, identifying the six governments as “suspected Paragon deployments.”

At the end of January, WhatsApp notified around 90 users that the company believed were targeted with Paragon spyware, prompting a scandal in Italy, where some of the targets live.

Paragon has long tried to distinguish itself from competitors, such as NSO Group — whose spyware has been abused in several countries — by claiming to be a more responsible spyware vendor. In 2021, an unnamed senior Paragon executive told Forbes that authoritarian or non-democratic regimes would never be its customers. 

In response to the scandal prompted by the WhatsApp notifications in January, and in what was perhaps an attempt to bolster its claims about being a responsible spyware vendor, Paragon’s executive chairman John Fleming told TechCrunch that the company “licenses its technology to a select group of global democracies — principally, the United States and its allies.”

Israeli news outlets reported in late 2024 that U.S. venture capital firm AE Industrial Partners had acquired Paragon for at least $500 million upfront.

[Image: an example of the attack flow for the Paragon-made Graphite spyware. The attacker adds the target to a WhatsApp group; the victim's device then automatically parses a PDF, triggering the exploit. Image credit: Citizen Lab]

In the report out Wednesday, Citizen Lab said it was able to map the server infrastructure used by Paragon for its spyware tool, which the vendor codenamed Graphite, based on “a tip from a collaborator.”

Starting from that tip, and after developing several fingerprints capable of identifying associated Paragon servers and digital certificates, Citizen Lab’s researchers found several IP addresses hosted at local telecom companies. Citizen Lab said it believes these are servers belonging to Paragon customers, in part based on the initials of the certificates, which seem to match the names of the countries the servers are located in. 

According to Citizen Lab, one of the fingerprints developed by its researchers led to a digital certificate registered to Graphite, in what appears to be a significant operational mistake by the spyware maker.

“Strong circumstantial evidence supports a link between Paragon and the infrastructure we mapped out,” Citizen Lab wrote in the report. 

“The infrastructure we found is linked to webpages entitled ‘Paragon’ returned by IP addresses in Israel (where Paragon is based), as well as a TLS certificate containing the organization name ‘Graphite’,” the report said.

Citizen Lab noted that its researchers identified several other codenames, indicating other potential governmental customers of Paragon. Among the suspected customer countries, Citizen Lab singled out Canada’s Ontario Provincial Police (OPP), which specifically appears to be a Paragon customer given that one of the IP addresses for the suspected Canadian customer is linked directly to the OPP.


TechCrunch reached out to spokespeople for the following governments: Australia, Canada, Cyprus, Denmark, Israel, and Singapore. TechCrunch also contacted the Ontario Provincial Police. None of the representatives responded to our requests for comment. 

When reached by TechCrunch, Paragon’s Fleming said that Citizen Lab reached out to the company and provided “a very limited amount of information, some of which appears to be inaccurate.” 

Fleming added: “Given the limited nature of the information provided, we are unable to offer a comment at this time.” Fleming did not respond when TechCrunch asked what was inaccurate about Citizen Lab’s report, nor did he respond to questions about whether the countries identified by Citizen Lab are Paragon customers, or about the status of the company’s relationship with its Italian customers.

Citizen Lab noted that all the people who were notified by WhatsApp, and who then reached out to the organization to have their phones analyzed, used an Android phone. This allowed the researchers to identify a “forensic artifact” left by Paragon’s spyware, which the researchers called “BIGPRETZEL.”

Meta spokesperson Zade Alsawah told TechCrunch in a statement that the company “can confirm that we believe that the indicator Citizen Lab refers to as BIGPRETZEL is associated with Paragon.” 

“We’ve seen first-hand how commercial spyware can be weaponized to target journalists and civil society, and these companies must be held accountable,” read Meta’s statement. “Our security team is constantly working to stay ahead of threats, and we will continue working to protect peoples’ ability to communicate privately.”

Given that Android phones do not always preserve certain device logs, Citizen Lab noted that it’s likely more people were targeted by the Graphite spyware, even if there was no evidence of Paragon’s spyware on their phones. And for the people who were identified as victims, it’s not clear if they were targeted on previous occasions.

Citizen Lab also noted that Paragon’s Graphite spyware targets and compromises specific apps on the phone — without needing any interaction from the target — rather than compromising the wider operating system and the device’s data. In the case of Beppe Caccia, one of the victims in Italy, who works for an NGO that helps migrants, Citizen Lab found evidence that the spyware infected two other apps on his Android device, without naming the apps.

Targeting specific apps as opposed to the device’s operating system, Citizen Lab noted, may make it harder for forensic investigators to find evidence of a hack, but may give the app makers more visibility into spyware operations. 

“Paragon’s spyware is trickier to spot than competitors like [NSO Group’s] Pegasus, but, at the end of the day, there is no ‘perfect’ spyware attack,” Bill Marczak, a senior researcher at Citizen Lab, told TechCrunch. “Maybe the clues are in different places than we’re used to, but with collaboration and information sharing, even the toughest cases unravel.”

Citizen Lab also said it analyzed the iPhone of David Yambio, who works closely with Caccia and others at his NGO. Yambio received a notification from Apple about his phone being targeted by mercenary spyware, but the researchers couldn’t find evidence that he was targeted with Paragon’s spyware. 

Apple did not respond to a request for comment.
