The Citizen Lab Report on Paragon Spyware
- April 15, 2025
- Clayton Rice, K.C.
Spyware is installed on an electronic device remotely without the knowledge of the user. It functions as a silent intruder that covertly collects information and sends it to a third party without the consent of the user. Passwords, web browsing history and banking information are common targets. Spyware on mobile devices may activate the microphone, surreptitiously take photos and collect location data. A new report by Citizen Lab has recently examined the military-grade spyware developed by Paragon Solutions, a company that claims to be a responsible vendor to government clients but continues to operate in the shadows.
1. Introduction
On February 6, 2025, Cyber Security News reported that Israeli spyware company Paragon Solutions terminated its contract with Italy following allegations that its surveillance software, Graphite, had been used to target journalists and civil society members. The decision came less than a week after the messaging app WhatsApp revealed that the spyware had been deployed in a zero-click attack campaign targeting 90 individuals in two dozen countries. According to WhatsApp, all hacking attempts were detected in December 2024 with assistance from Citizen Lab. (here) On March 19, 2025, Citizen Lab published a report titled Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations that identified the governments of Australia, Canada, Cyprus, Denmark, Israel and Singapore as “suspected Paragon deployments”. (here) Reporting on the Citizen Lab findings for TechCrunch, Lorenzo Franceschi-Bicchierai said “Paragon has long tried to distinguish itself from competitors such as NSO Group […] by claiming to be a more responsible spyware vendor.” (here)
2. What is Paragon Solutions?
Paragon Solutions Ltd. is an Israeli company, headquartered in Tel Aviv, founded in 2019 by Ehud Barak and Ehud Schneorson. Mr. Barak is a former general in the Israel Defense Forces who served as the tenth Prime Minister of Israel from 1999 to 2001. Mr. Schneorson is a former commander of Unit 8200, an intelligence corps of the IDF responsible for clandestine operations. In 2023, then United States President Joe Biden signed Executive Order 14093 which was “seen by experts as targeting NSO, while carving out a space for companies like Paragon to continue selling similar spyware, but only to the closest of US allies.” (here and here) Paragon has been secretive from the beginning and continues to operate in obscurity, and there is very little information about it online. In 2021, an unidentified senior executive told Forbes that “Paragon would only sell to countries that abide by international norms and respect fundamental rights and freedoms” which excludes “[a]uthoritarian or non-democratic regimes”. (here and here)
3. The Citizen Lab Report
Paragon has claimed, according to Forbes, that Graphite provides “access to the instant messaging applications on a device, rather than taking complete control of everything on a phone,” like NSO Group’s Pegasus spyware that I have discussed in previous posts to On The Wire. (here and here) I will give you four of the key findings in the new report.
- Identifying a Possible Canadian Paragon Customer. Our investigation surfaced potential links between Paragon Solutions and the Canadian Ontario Provincial Police, and found evidence of a growing ecosystem of spyware capability among Ontario-based police services.
- Helping WhatsApp Catch a Zero-Click. We shared our analysis of Paragon’s infrastructure with Meta, who told us that the details were pivotal to their ongoing investigation into Paragon. WhatsApp discovered and mitigated an active Paragon zero-click exploit, and later notified over 90 individuals […] who it believed were targeted, including civil society members in Italy.
- Android Forensic Analysis: Italian Cluster. We forensically analyzed multiple Android phones belonging to Paragon targets in Italy (an acknowledged Paragon user) who were notified by WhatsApp. We found clear indications that spyware had been loaded into WhatsApp, as well as other apps on their devices.
- A Related Case of iPhone Spyware in Italy. We analyzed the iPhone of an individual who worked closely with confirmed Android Paragon targets. This person received an Apple threat notification in November 2024, but no WhatsApp notification. Our analysis showed an attempt to infect the device with novel spyware in June 2024. We shared details with Apple, who confirmed they had patched the attack in iOS 18.
Reporting for CBC News, Canada’s national broadcaster, Edmonton-based journalist Kevin Maimann said the OPP would neither confirm nor deny the use of Paragon’s Graphite. Acting Staff Sgt. Jeffrey Del Guidice said in an email that the “interception of private communications” requires judicial authorization and is only used in serious criminal investigations. (here) Staff Sgt. Del Guidice assumed the usual posture of law enforcement that “[r]eleasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety.” But Kate Robertson, a senior researcher at Citizen Lab, countered that the findings underscore the need for privacy regulators to address the use of spyware against citizens and for law enforcement to be transparent about the tools they’re using. “When governments themselves become buyers in this proliferating hack-for-hire industry, they’re actually investing in the insecurity and vulnerability of our everyday devices that we depend heavily on to be safe for all of our daily needs,” she added.
The report highlighted concerns similar to those raised by Ms. Robertson. “Even if mercenary spyware has been acquired for a primary purpose, such as investigating organized criminal groups, experience shows that, over time, the temptation to use these powerful technologies for political purposes is substantial,” the report states. While investigations such as this one can expose suspected deployments, “there is another place where signals about spyware use (and abuse) exist: with spyware companies’ government customers.” The report urged that, if a country has been identified as a spyware customer, lawmakers and oversight institutions should not wait for abuses to emerge before asking questions. In 2022, Canada’s House of Commons Standing Committee on Access to Information, Privacy and Ethics released a report on the RCMP’s use of on-device investigative tools (ODITs) that contained recommendations to address a “legislative gap” in the use of new technological tools. (here) None of the recommendations have been implemented by the Canadian government.
4. Conclusion
Prior to publication, Citizen Lab sent a letter to Paragon Solutions offering to publish its response to the key findings. Paragon’s Executive Chairman John Fleming replied that “[t]he brief summary of the report you sent includes several inaccuracies, but without additional details we cannot be more specific or provide comment for the record.” Citizen Lab requested “further details on the claimed inaccuracies” from Mr. Fleming but he ducked the invitation. Although Paragon Solutions may have given undertakings to protect the identity of its customers, Citizen Lab noted “the long history of mercenary spyware companies like NSO Group asserting similar opacity combined with claims of unspecified inaccuracies to frustrate accountability, deny victims access to justice, and attempt to insulate themselves from harms committed with their technology.”