Italian investigative journalist Ciro Pellegrino displays his phone screen, showing a threat notification from Apple warning of a mercenary spyware attack, in Naples, Italy, on June 11, 2025. REUTERS/Matteo Ciambelli
Two Italian journalists’ phones were infiltrated with spyware. Nobody seems to know why
“I’ve been spied on.” This is the message Italian journalist Ciro Pellegrino shared with his readers on April 30. Pellegrino leads the Naples coverage for the news site Fanpage.
Fanpage has more online reach than any other Italian outlet, according to our own Digital News Report. It has published investigations that have been embarrassing to Italian Prime Minister Giorgia Meloni, particularly one in 2024 that saw a journalist go undercover in the youth organisation of Meloni’s party, Fratelli d’Italia, and record fascist songs, slogans and salutes performed by its members.
Pellegrino was not the first journalist from Fanpage to receive a message telling him he’d been surveilled. In January, the outlet’s editor-in-chief, Francesco Cancellato, revealed he was one of 61 European journalists and civil society members notified by WhatsApp that they had been targeted by a spyware product called Graphite, made by the Israeli company Paragon Solutions. Seven of them had been in Italy. As well as Cancellato, they included two co-founders of Mediterranea Saving Humans, a union of organisations and activists coordinating search and rescue operations for migrants in the Mediterranean.
On 12 June, Citizen Lab, a digital research centre at the University of Toronto in Canada, confirmed ‘with high confidence’ that Pellegrino was spied on with Paragon. There’s also a third reporter targeted by the same Paragon operator, identified only as ‘a prominent European journalist’, having requested to remain anonymous. Before the lab’s report, which follows forensic investigation of the journalists' phones, Apple had only described ‘advanced mercenary spyware’ in communications to Pellegrino.
A few days before, on 3 June, a security committee at the Italian parliament concluded a four-month inquiry into the Paragon hacks. Its findings confirmed that the Italian security services spied on the Mediterranea activists, apparently legally, starting under populist Prime Minister Giuseppe Conte, and continuing under his successors Mario Draghi and Giorgia Meloni.
However, the report concluded that the security services did not spy on Fanpage’s editor-in-chief, Cancellato. It also suggested there wasn’t evidence to confirm Cancellato’s phone was infected with Paragon at all. Pellegrino’s case wasn’t investigated by the committee.
Who targeted journalists?
Paragon claims it only signs contracts with government actors. Reports by the Guardian and Israeli newspaper Haaretz said the company ended its contracts with Italy after the first seven Italian spyware cases were made public. Days after these reports, the Italian government said no contract with Paragon had been withdrawn. According to the committee’s report, two contracts were subsequently paused and then ended by Italy.
These contracts, one with Italy’s internal and the second with its external intelligence agency, did not allow for journalists or ‘human rights activists’ to be targeted, and the agencies did not violate the terms in their use, the report says.
Following the release of the Copasir report, Paragon released a statement to Haaretz saying it had offered the Italian government help to determine if its system had been used against journalists in the country, but Italy had refused. In response, the Italian security services said they denied Paragon’s proposal because the method it suggested was too invasive and did not conform to national security requirements.
Targeting journalists with spyware is illegal in Italy, and cannot be excused even if carried out by security services, provided the journalist is listed as a professional in Italy’s official register of journalists. Pellegrino’s name has been in that register for 20 years.
The Italian government has provided little clarity on the issue. After Cancellato went public with his story, the government issued a statement denying illegal surveillance had been carried out by the security services.
According to Cancellato, neither the government nor the parliamentary committee invited the individuals targeted to share their own experiences. In a response to the report, Cancellato pointed to WhatsApp’s over two billion users as evidence of the unlikelihood of Meta having made a mistake in telling him he’d been spied on, in addition to the chances that another journalist from the same outlet would receive a similar communication from a different tech company.
Citizen Lab said it had been ‘unable to obtain forensic confirmation of a successful infection of Mr. Cancellato’s Android’, but that doesn't mean he wasn’t spied on. The absence of the indicator the researchers look for could be due to ‘the sporadic nature of Android logs’, they said.
Paragon’s website consists of a single page, mostly taken up by the words ‘Empowering Ethical Cyber Defense’ superimposed on a nondescript image of a lighthouse.
A different spyware tool by another Israeli company, Pegasus, became infamous after the Pegasus Project, an investigative journalism collaboration, revealed the extent to which governments had used it to spy on journalists and civil society leaders around the world.
Ciro Pellegrino’s story
I recently spoke to Pellegrino, who discussed what he had been through in the past month. “Your phone is the black box of your life. You do everything with your phone,” he said.
When he found out his iPhone had been infected with malware, Pellegrino started to consider all the sensitive information his device contained. This included details about his work as a journalist, but also his health data and his conversations with his family and friends.
Before receiving any messages from Apple, Pellegrino hadn’t considered himself at risk despite working as an editor in a “complicated city” like Naples, and being active on social media, where some of his posts are critical of Meloni’s government.
Pellegrino’s day-to-day work centres around stories about Naples, from reporting on local controversies to running point on stories of national significance that take place in and around the city, such as the recent tragic murder of a 14-year-old girl. He also authors a personal Substack-based newsletter about Naples, and recently published a book about the city.
In a country like Italy, organised crime poses a threat, and there’ve been recent concerns about the attitude of the Meloni government towards press freedom, but most Italian journalists don’t live in fear.
“On 29 April, around 5:00 pm, there was this email from Apple in English in my computer feed. I'm not a native speaker, so it took me a little longer to understand the words,” Pellegrino said.
He thought the email could be a scam, but the sender was verified by Google, and it didn’t contain any links. He received the same communication via iMessage and through his Apple account. The messages stressed he should take the information seriously.
As Francesco Cancellato was in the Naples newsroom, Pellegrino showed him the email, and Cancellato told him, “So it happened to you, too.” With Cancellato’s help, Pellegrino put his phone in ‘lockdown mode’, a feature especially designed to protect from sophisticated cyber attacks. Then, he got in touch with Citizen Lab.
Citizen Lab supported the journalists working on the Pegasus Project. Its researchers are “the most advanced and knowledgeable people in this area,” according to Philip Di Salvo, an academic researching internet surveillance based at the University of St. Gallen in Switzerland.
“That's where it all started, because then you realise that you have to warn the people close to you. And then, little by little, it starts to sink in. The first evening was very emotional,” Pellegrino said.
He went home, put his phone on flight mode as well as lockdown mode, wrapped it in tin foil and put it in the microwave. Then, he told his wife.
One of the most difficult things for Pellegrino is not knowing who spied on him, or why. Was it related to one of his articles? Were they gathering his personal information to weaponise it against him at a later date?
“As a journalist, the fact that your phone, with your contacts, sources, photos and videos, is in someone else's hands, is something that makes you very angry,” he said. “I don’t recognise this kind of stuff. It doesn't seem like Italy to me. I'm talking about it with you right now, and I say, ‘Is it possible that I'm talking about this?’ It seems like a joke.”
As well as the many emotions related to the discovery of having been surveilled, Pellegrino also expressed disappointment at how the authorities have handled his case.
“I’m shocked and disturbed by the silence that until now, the Italian government has kept on the whole matter,” he said. He perceives the conclusions of the Copasir report as an attempt to downplay the seriousness of the situation.
The context
The Paragon case is new ground for Italy, but not for Europe. Spyware has been deployed against journalists, members of civil society and even politicians in other European countries in the past.
In Spain, Pegasus was used to spy on Prime Minister Pedro Sánchez and prominent Catalan politicians. Greece also had a surveillance scandal in 2022, sometimes referred to as ‘Greek Watergate’, when it came to light that a large group of politicians, activists and journalists were being spied on by the national intelligence services.
“The thing with spyware and digital surveillance is that we don't know what is happening until it's found out, as it was for Paragon in Italy. There was no prior indication that this was happening to journalists,” Di Salvo explained.
Obscurity is not a bug but a feature of the system, he said: “Everything about spyware is a black box. The technology itself, the market, is a black box. The companies have structures that make them quite opaque, and the use law enforcement and intelligence agencies make of these tools is a black box as well.”
So far, there is no evidence of companies or other non-state actors using this kind of spyware, Di Salvo said, but journalists fear this to be the case, according to research he published in 2024.
What we do know is that spyware like the one made by Paragon is very expensive, at the high end of cyberattack tools. This makes it relatively rare and only used against high-level targets.
Even within spyware, though, there is a range in price and sophistication. “Pegasus is the Lamborghini of spyware. It's the most powerful, expensive and prestigious, and it's also the most dangerous,” Di Salvo said.
Paragon, he explained, is in a similar league, as they are both ‘zero-click’ spyware tools. This means they can be installed without the target clicking on a link or downloading a file, for example. Instead, they exploit technological vulnerabilities in software that the developers themselves don’t know about.
So far, Big Tech has been on the side of individual security in this issue, Di Salvo said. Cancellato was notified by Meta, and Pellegrino by Apple. If these companies hadn’t said anything, we might never have known about these cases at all. However, Di Salvo also suggested this has the potential to change under Donald Trump.
What can journalists do (if anything)?
Stories like Pellegrino’s often elicit two different reactions.
The first is denying that anything of this magnitude could happen to us. Unfortunately, that’s also what Pellegrino thought before realising he had been the target of one of these tools.
The second reaction is a fatalist attitude: a feeling that, in the face of such a powerful attack, we have no way of protecting ourselves, so we shouldn’t even try. While it’s true that zero-click spyware attacks are almost impossible to identify while ongoing, never mind to prevent, and also that most journalists are unlikely to be targeted, newsrooms should have a serious conversation about digital safety, Di Salvo said.
Firstly, spyware is only the most sophisticated weapon in a very large digital arsenal. There is lower-hanging fruit for potential hackers to use, including techniques that have been around for years, such as phishing, when the target is prompted to reveal information or grant access through an email in which the hacker impersonates a trusted actor.
Secondly, it’s dangerous to assume you won’t be a target because you cover a beat traditionally seen as ‘soft’, like music or sports.
“Although not all of us are a potential target, we all carry a responsibility towards making sure the digital ecosystem we live in is as safe as possible, so we should all play a part in this. Journalists who work in a newsroom are part of an ecosystem,” Di Salvo said. “The weak node in the network is not the advanced investigative journalist, but the colleague they go for lunch with.” The investigative journalist might already know more about digital security and employ tools and techniques to protect themselves, but that might not be true for everyone they come into close contact with at work.
Di Salvo recommends basic digital hygiene as a starting point: promptly installing updates, being aware of phishing emails and using alternative communication platforms such as Signal.
For higher-risk journalists, such as those conducting sensitive interviews, another measure is to compartmentalise devices, meaning using different phones and laptops for work and private life. Ultimately, Di Salvo said, no single measure is 100% foolproof.
What's next?
“They took everything, and the damage is done,” said Pellegrino. He’s upset about what happened to him, but also recognises it pales in comparison to the risks faced by other journalists around the world.
“I don't even want to compare myself to colleagues who go to work in the morning and find themselves in a war zone. It would seem indecent and inappropriate to me. I have a lot of respect for my colleagues who are really at risk,” said Pellegrino. Nonetheless, he will keep trying to learn the truth.
“Journalists are protected from this kind of surveillance, and the fact that it can happen with impunity, in total lack of accountability, is deeply concerning,” Di Salvo said.
On 30 May, a delegation of members of the European Parliament arrived in Italy to delve into the spyware case. They belong to the Committee on Civil Liberties, Justice and Home Affairs and spoke to Cancellato and Pellegrino, as well as to other parties, including opposition politicians and the public official who oversees the activities of the Italian security services.
Speaking to Fanpage, Italian MEP Sandro Ruotolo stressed that targets beyond Italy had also been spied on with Paragon, and that their identities remain unknown. “This is a European scandal, not an Italian one,” he said.
Meanwhile, Pellegrino has kept working as normally as possible. “Newspapers can never, must never stop,” he said. “If there are colleagues in other parts of the world who risk their lives to write 10 lines, or to take a photo or a video, or to send a news item, if they don't stop, why should I?”