Italian hacking scandal exposes the myth of ‘ethical spyware’

Image: FlyD @flyd2069 via Unsplash

The results of an investigation by Italian prosecutors into a domestic spying scandal have brought into sharp relief the gap between spin and reality when tech companies make claims about legitimate and ethical uses for their intrusive spyware.

Earlier this month, prosecutors in Naples and Rome announced the results of a joint investigation co-ordinated by the National Anti-Mafia and Anti-Terrorism Prosecutor’s Office. It confirmed that journalist Francesco Cancellato, editor-in-chief of the digital newspaper Fanpage.it, had been hacked using Paragon’s Graphite software.

Graphite is military-grade spyware that can infect devices without any user action (a so-called zero-click attack), read messages from encrypted messaging apps (it does so on the compromised device, where the messages are already decrypted, rather than by breaking the encryption), and access emails, cameras, microphones and location data.

This is the first official confirmation that Cancellato was hacked. He was the first person in Italy to come forward publicly when WhatsApp revealed last year that 90 users in dozens of countries, including journalists and activists, had been targeted with Paragon spyware. Cancellato had previously reported on links between Italian prime minister Giorgia Meloni’s party and neo-fascist groups.

The Citizen Lab, a research unit at the University of Toronto that tracks digital threats and provided the information to Meta that led WhatsApp to discover its users had been targeted, confirmed that a colleague of Cancellato’s at Fanpage.it, Ciro Pellegrino, had also been targeted with Graphite, along with another journalist who chose to remain anonymous.

The issue has produced something of a PR crisis for Paragon. The company markets itself as an ethical spyware vendor, distinct from rivals such as NSO, Cellebrite and Intellexa. These companies routinely sell spyware to authoritarian or repressive regimes that use it to target government critics, including journalists. Paragon says it only sells to security agencies in democratic countries to combat organised crime and terrorism. Its customers are contractually bound not to use Graphite to spy on journalists or political activists, and it only deals with governments, not private clients. 

A separate investigation last year by Italy’s Parliamentary Committee for the Security of the Republic confirmed that both the domestic and foreign intelligence services in Italy had deployed the spyware, and that the police may have used it too. The committee reviewed official interception requests and internal audit logs from Italy’s intelligence agencies. It concluded that immigration activists Giuseppe Caccia and Luca Casarini had been lawfully intercepted with prior approval, but could find no evidence that Cancellato had been hacked.

This investigation was clearly flawed. In a statement issued to Haaretz, Paragon said it had offered to help the Italian government and parliament to clear up whether its systems had been used to target Cancellato. When this was declined, Paragon terminated its contract with Italy. Meloni has vehemently denied her government was responsible for spying on Cancellato, and hinted that another European customer of Paragon’s could have been behind the attack. 

Canning the Italian contract is not enough to deflect growing scepticism over Paragon’s claims to occupy the moral high ground among cyber spies. In 2024, US Immigration and Customs Enforcement (ICE) signed a US$2 million contract with Paragon’s American subsidiary. That order was frozen by the Biden administration pending a review, but last year Donald Trump reversed the freeze, sparking fears that ICE will use the software to trample on human rights and target critics of the administration.

This month’s joint press statement by the Italian prosecutors, which references a technical report that has not yet been made public, casts further doubt on the robustness of the parliamentary probe and the soundness of its conclusions. Although the prosecutors found no evidence linking Cancellato’s hacking to Italy’s domestic intelligence agency, they pointed out that all three attacks took place in the early hours of 14 December 2024, which suggested they “may have been part of the same infection campaign”.

This raises uncomfortable questions about who illegally hacked Cancellato’s phone – notably, whether they are linked to Italy’s intelligence agencies, or perhaps even serving members. The prosecutors say there’s an ongoing investigation to identify the perpetrators.


https://www.theguardian.com/world/2026/mar/06/italy-activists-and-journalist-targeted-by-spyware-in-2024-prosecutors-confirm
