Journalists Targeted in Silent Spyware Attacks via iMessage

In a disturbing development for mobile security, forensic investigations have confirmed that powerful spyware known as Graphite was used to hack the iPhones of at least two European journalists, according to a report by Citizen Lab. The spyware, developed by Israeli firm Paragon, was delivered using a “zero-click” attack, a method that required no interaction from the victims.
The attacks took place in early 2025 and exploited a previously unknown vulnerability in iOS, labeled CVE-2025-43200. This flaw involved how Apple devices handled media shared through iCloud links. Victims’ phones could be silently infected just by receiving a malicious message via iMessage, without opening it or clicking anything.
Apple patched the flaw on February 10 with the release of iOS 18.3.1, but only disclosed the vulnerability publicly in June. The company had notified the affected users back in April, warning that they had been targeted with advanced spyware.
Fig 1: A diagram attributing the attack to Paragon’s Graphite spyware. Source: Citizen Lab
Two Journalists Confirmed as Victims
One of the confirmed victims was Ciro Pellegrino, a journalist at the Italian outlet Fanpage.it. The other was a prominent European journalist who has chosen to remain anonymous. Both had forensic traces on their devices that linked back to the same spyware operator. Investigators identified the same attacker-controlled iMessage account—nicknamed “ATTACKER1”—in both cases.
Once installed, the Graphite spyware allowed the attacker to communicate with the infected phones remotely, issuing commands through a command-and-control server. In these cases, the devices connected to an IP address associated with Paragon’s infrastructure, which remained active into April.
Fig 2: The threat notification received by Ciro Pellegrino. Source: Citizen Lab
Fanpage.it Under the Microscope
This is not the first time Paragon’s spyware has been implicated in surveillance of Italian citizens. Other victims include activists and journalists notified by Meta and WhatsApp earlier this year. While some infections were confirmed on Android phones using forensic indicators like “BIGPRETZEL,” others are still under investigation due to the difficulty of retrieving data from Android devices.
The targeting of two journalists from the same newsroom has raised serious concerns that Fanpage.it was deliberately singled out. Italian parliamentary oversight bodies have acknowledged the use of Graphite spyware by state entities but have not clarified who authorized these attacks on the press.
Spyware Warnings: What You Should Do
So far, Paragon has not publicly commented on these latest findings, despite being offered the chance to respond. Meanwhile, watchdog groups such as Citizen Lab and Access Now continue to call for accountability and offer support to those who receive spyware warnings.
For consumers and journalists alike, this case highlights the ongoing threat posed by commercial spyware and the need for robust device security. If you receive a warning from Apple, Meta, or another tech company about being targeted, it’s essential to seek help immediately.