Cybersecurity · April 29, 2026

Paragon Is Stonewalling Italian Prosecutors Investigating Graphite Spyware Attacks on Journalists

More than a year after Italian prosecutors opened criminal investigations into Graphite spyware attacks on journalists, Israeli-American vendor Paragon Solutions has not responded to formal legal assistance requests routed through the Israeli government — raising questions about accountability for commercial spyware firms.

Paragon Solutions, the Israeli-American maker of the Graphite spyware platform, has not cooperated with Italian prosecutors investigating attacks on journalists — despite formal legal assistance requests sent through the Israeli government more than a year ago, according to a Wired Italy report published April 28.

The victims are documented. Citizen Lab independently confirmed that Francesco Cancellato and Ciro Pellegrino, journalists at the Italian online outlet Fanpage, had their phones compromised with Graphite. Both filed criminal complaints with Italian authorities. Other victims include WhatsApp users in Italy who received Graphite infections through a zero-click vulnerability WhatsApp disclosed in early 2025 — the same disclosure that initially exposed Paragon’s operations.

Italian prosecutors sent a formal rogatory letter to Israel — the standard mechanism for international judicial cooperation — requesting technical documentation and cooperation from Paragon regarding the attacks. Paragon has not responded. The company’s silence is notable given that it previously presented itself as a responsible, government-only spyware vendor that subjects clients to ethical vetting. In 2025, Paragon cancelled its own contracts with Italian intelligence agencies AISE and AISI, claiming the Italian government refused to cooperate with an internal investigation Paragon offered to conduct.

Now the sequence has flipped: Paragon itself is the uncooperative party, ignoring formal legal process from the jurisdiction whose journalists were targeted.

The case illustrates the structural accountability gap in commercial spyware. Vendors like Paragon, NSO Group, and Intellexa operate in a legal grey zone: they sell to governments, claim those governments are solely responsible for how the tools are used, and then invoke that same structure to deflect legal inquiries when abuses surface. When a government client (Italy) is itself the suspected abuser, and the spyware vendor cancels the contract, the chain of accountability dissolves entirely.

Graphite is technically distinct from NSO’s Pegasus. It can compromise both Android and iOS devices, primarily targets messaging app data and call logs, and reportedly uses zero-click delivery vectors. Citizen Lab’s analysis found no persistence mechanism — the infection requires periodic redelivery — but the intelligence gathered in a single session window is substantial.

The Italian investigation is ongoing. If Paragon continues to stonewall, prosecutors have limited practical options: international warrants are slow, and Paragon operates from Israel, which has no extradition treaty with Italy for corporate liability cases. The most realistic pressure point is the U.S.: Paragon is backed by American investors and has U.S.-based operations, which means the State Department’s export control framework and potential secondary sanctions are more actionable levers than Italian criminal law alone.

European regulators are watching. The European Data Protection Board has signaled that commercial spyware used against EU citizens may trigger GDPR enforcement actions against the member states that deployed it — a mechanism that targets the governments, not the vendors, but one that has been gathering momentum since the Pegasus scandal in 2021.
