Ninety journalists, activists and civilians across Europe have been illegally spied with an Israeli spyware called Graphite.

Three of the ninety people have come forward: Francesco Cancellato, Luca Casarini, and Husam El Gomanti. They have one thing in common: they have all been critical of the conduct of the Italian government led by Giorgia Meloni.

Graphite, the most powerful spyware in trade

Graphite is spyware, a “computer program that is secretly installed on a person’s computer, [tablet] or mobile device to obtain the owner’s private information, such as lists of websites visited, passwords and credit card numbers.” It turns the phone into a listening device, giving access to data, photos, videos, contacts, encrypted messages, files, and calls. It can also activate the microphone and camera to record audio and video.

Graphite uses the so-called zero-click or exploit zero-click attack. This means that users don’t have to click on a malicious file or link for the device to be infected; the infection is completely remote. These exploits are usually the most sought after (especially on the underground exploit market), as the target usually has no way of knowing they have been compromised during exploitation. Zero-click attacks are so dangerous because they are difficult to detect, selective in their targets, highly technical and difficult to prevent. They often leave no obvious traces, making infection difficult to detect. These attacks are often used against journalists, activists, politicians or high-profile individuals to obtain sensitive information. They are developed by companies specialising in cyber intelligence and require advanced resources, making them accessible only to governments or entities with strong financial capabilities. Even with regular software updates, there is no such thing as zero risk, as the vulnerabilities exploited are often unknown to the public. Zero-click attacks are one of the most insidious threats in the cybersecurity landscape and will continue to be a critical issue, especially for those handling sensitive information.

WhatsApp said the vector (how the infection was delivered to individuals) was a malicious PDF file sent to users in group chats to which they were temporarily added. Meta’s app claims that all the hacking attempts were discovered in December 2024, but Meta couldn’t understand when the hacking started or who the instigators were.

Graphite is tens of thousands of dollars worth of military surveillance technology produced by Paragon Solution. According to its ethical terms, it can only spy on terrorists and criminals.

Paragon Solutions, the Israeli firm sold to Americans

Paragon Solutions is an agency that creates advanced cybersecurity solutions. It was founded in 2019 by Ehud Barak and Ehud Schneorson. The former is the ex-prime minister of Israel and ex-chief of Israel’s national security, and the latter is the former commander of Israel’s intelligence unit 8200, which specialises in offensive and defensive cyber operations and eavesdropping. 

Paragon’s clients are public bodies such as the FBI. The Israeli Ministry of Defence decides who to sell to, and 37 democracies have been selected. According to Ha’aretz, Paragon had two clients in Italy, a police force and an intelligence agency, with which it cut off all contact after the Italian government failed to address claims that it had spied on journalists and activists critical of the far-right prime minister, Meloni.

According to The Guardian, the group was sold in 2024 to US private equity firm AE Industrial Partners, based in Boca Raton, Florida, for $900 million. However, reports suggest that the Israeli government has not yet approved the deal. Also, Paragon is not yet listed among its investments on the company’s website. AE Industrial Partners is a private aerospace investment firm focused on defence, government services and high-tech target markets.

Paragon also has an office in Chantilly, Virginia, whose executive chairman is John Fleming, a former CIA veteran. Again according to The Guardian, Paragon had a $2 million contract with the Homeland Security Investigations division of the US Immigration and Customs Enforcement agency during the Biden administration. However, the deal was put on hold after questions were raised about the agreement’s compliance with an executive order restricting the use of spyware by the federal government.

Francesco Cancellato, Luca Casarini and Husam El Gomanti: the critics of Meloni

Cancellato is the editor-in-chief of Fanpage, an Italian investigative news agency. In 2024, Fanpage published an undercover investigation into the youth organisation (National Youth – Gioventù Nazionale) of Brothers of Italy (Fratelli d’Italia), the far-right party led by Meloni. The investigation revealed the party’s roots in fascism. The youth chant fascist slogans such as “Duce” (a reference to Mussolini) and Nazi salutes such as “Seig Heil”, and boast of their familiarity with historical figures linked to neo-fascist terrorism.

On 31 January 2024, Cancellato received a WhatsApp text saying that his work phone had been hacked and that he should contact Citizen Lab. 

Citizen Lab is an independent research centre at the University of Toronto that tracks and identifies cases where technology is used to violate human rights. Citizen Lab helped Meta, the owner of WhatsApp, understand that some of its users were being targeted.

Casarini is the founder and director of Mediterranea Saving Humans, a migrant search and rescue NGO. He has been very critical of the Italian government’s alleged complicity with the Libyan coastguard and its human rights abuses. 

Italy supports and coordinates the Libyans. In 2019, the Libyan fleet had (at least) six vessels provided by Italy, twelve Corrubia-class patrol boats and four 500-class boats. Internazionale states, “None of them is ‘just’ a coastguard, each has links, often of a tribal nature, with local militias”. According to Amnesty International, militias, armed groups and security forces have intensified their repression of dissent and attacks on civil society throughout the country. Refugees and migrants have been subjected to widespread and systematic human rights violations and abuses by security forces, armed groups and militias, who have acted with impunity. “To reduce the number of refugees and migrants crossing the Mediterranean to reach Europe, Italy continues to have no qualms about condemning these people to die at sea – as confirmed by the progressive increase in the mortality rate – or to suffer inhuman treatment on land once they are transferred to Libyan detention centres,” Amnesty International said.

According to Il Corriere, at least three, if not four, of the people intercepted belong to Mediterranea.

Similarly, El Gomanti – a Libyan activist and entrepreneur living in Sweden – has been critical of Italy’s alleged complicity in the abuses suffered by migrants in Libya. Interviewed by Fanpage, El Gomati explains that Italy has a vested interest in Libya. “Regarding the migration policy that the Italians have tried to implement in Libya, it is as if they have tried to deal directly with the militias, not with the government.” El Gomati contributes to a Telegram page where Libyan activists and officials post news about corruption in Libya. They have published pictures from police sources of crimes committed by the militias, and they are crude pictures of massacres that are not investigated because the people who committed them are the militia leaders and control bodies. One of the stories he published concerns the cold-blooded murder of seventeen people. The person responsible for this crime has visited Italy several times. There are hundreds of photographs of him in Italy.

Because of his contributions to exposing the political situation in Libya, El Gomati has been banned from returning to his country.

The reaction of the Italian government

At first, the Chigi Palace – the seat of the Council of Ministers and the official residence of the Italian Prime Minister – denied any involvement in the above-mentioned intelligence cases. After Ha’aretz proved them wrong, instead of clarifying, they threatened to sue those who accused them of spying on journalists.

Of the ninety people spied on, seven users have the international code +39 (Italy). According to the Chigi Palace, the other codes come from Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, the Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain and Sweden.

The Media Freedom Act (MFA), developed by the EU to protect the independence of the publishing world, makes it illegal to use spyware on journalists. Spying on journalists is not only unlawful under EU law but also in Italian law.