Prosecutors Confirm an Italian Journalist Was Hacked with Paragon Spyware

Governments worldwide have spent years insisting spyware is a precision tool, reserved for terrorists and organized criminals, never turned on their own citizens. Yet, somehow, the targets keep turning out to be journalists, sea rescue volunteers, and people who write things that embarrass whoever is currently in power. At some point, the gap between the official story and the actual target list stops being a coincidence.

Yesterday, prosecutors in Rome and Naples confirmed that the phone of Francesco Cancellato, director of Italian investigative outlet Fanpage, was infected with Paragon's Graphite spyware in the early hours of December 14, 2024.

Two immigration activists, Giuseppe Caccia and Luca Casarini of the nonprofit Mediterranea Saving Humans, were compromised the same night. Prosecutors described the three consecutive attacks as likely part of a single coordinated infection campaign.

Three Phones, One Night, Zero Answers

The prosecutors' technical report found evidence that Italian intelligence agency AISI ran operations against Caccia and Casarini. For Cancellato, there was nothing. No trail, no confirmed operator, no explanation.

The Italian government, led by far-right Prime Minister Giorgia Meloni, has denied involvement. Meloni's response to a direct question from Cancellato at a press conference was that her government is "offering all its assistance." Cancellato's characterization of that assistance, published on Fanpage, was blunter: a year of silence, and lies when the silence broke.

The story started in January 2025, when WhatsApp notified roughly 90 people across multiple countries that their devices had been targeted with Paragon's spyware. Journalists and civil society members dominated the list. Paragon subsequently canceled its contracts with Italian government customers.

The Citizen Lab adds an unresolved contradiction. Researchers confirmed that Ciro Pellegrino, a Fanpage colleague of Cancellato, was hacked with Graphite after receiving an Apple threat notification in April 2025. The prosecutors' report found no evidence on his device.

Pellegrino told TechCrunch he was "pretty disconcerted," asking how Citizen Lab, Apple, and the prosecutors' experts could reach opposite conclusions about the same phone. Nobody has answered that.

Europe Is Just the Part That's Making the News

Italy is not an outlier. Governments in Ethiopia, India, Mexico, Saudi Arabia, and the UAE have all used sophisticated spyware against journalists and activists. The difference in Europe right now is that some of those governments are getting caught and, occasionally, prosecuted.

Just last month, Intellexa founder Tal Dilian and three other executives were found guilty of using Predator spyware against at least 87 confirmed victims, including journalists, politicians, military officials, and business leaders. They were sentenced to more than 126 years each across all charges, though under Greek law, the maximum time any of them will actually serve is capped at eight years. The case, known as the "Greek Watergate," had been grinding through the courts for years while the people responsible kept operating.

Serbia didn't bother with subtlety. Amnesty documented how Serbian police used Pegasus alongside a homegrown spyware called NoviSpy to hack journalists and activists, in at least one case infecting a phone during a routine traffic stop detention. By March 2025, that was the third time in two years Amnesty had documented Serbia targeting its own press. Hungary, Poland, and Spain have their own documented records, too.

Amnesty International's Security Lab called the situation a worsening digital surveillance crisis across Europe, with authorities at the national and EU levels still failing to act. The European Commission has had its own Parliament's spyware recommendations sitting unimplemented for over a year. And that's just the cases we know about.

Spyware Today, "Child Safety" Tomorrow

Governments that face zero meaningful consequences for planting surveillance software on journalists' phones do not develop a sudden conscience when the method changes. The instinct is identical, and it’s only the branding that shifts.

Covert device compromise becomes "lawful interception," while mass identity collection becomes "protecting children online." Age verification systems that harvest government IDs, facial scans, and biometric data are not a departure from the logic of Graphite or Predator. They are the retail version of it, sold to a public primed to accept surveillance as a safety feature.

Deploying Paragon against a journalist carries political risk, even if the legal cost has so far been close to zero. Requiring everyone to upload their ID to access the internet carries, apparently, almost none. That asymmetry is exactly why governments are moving in that direction.

The Italy case is confirmation of what has already been documented for years: surveilling journalists and activists is not a bug in how these governments operate – it literally is how they operate. And expecting that same political class to draw a principled line at age verification is just pure naivety.