WhatsApp says it disrupted a hacking campaign targeting journalists with Paragon spyware | TechCrunch

Another year…another targeted spyware campaign aimed at journalists and civil society members. This time, the company of concern is technically owned by an American private equity firm 🙃

WhatsApp said on Friday that it had disrupted a hacking campaign that targeted around 90 users, including journalists and members of civil society.

A WhatsApp spokesperson told TechCrunch that the campaign was linked to Paragon, an Israeli spyware maker that was acquired in December of last year by American private equity giant AE Industrial.

Paragon’s attack vector is also quite interesting.

WhatsApp said that the hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets and said it had pushed a fix to prevent this mechanism.

Did the victims have their phone numbers leaked or publicized? I am not sure if this is exactly what happened, but they could have been added to these group chats without consent.

1 Like

One victim (an Italian investigative journalist) has now come forward and identified themselves. This is extremely concerning for freedom of the press in the EU given it seems possible, if not likely, that the Italian government may be behind this.

3 Likes

Very brave. It is not uncommon for activist/investigative journalists to end up behind bars (as happened in Jordan).

I personally know of an entire newsroom targeted by mercenary spyware (presumably planted by the State). Some of its main Journos moved to the UK / Canada fearing for their lives.

2 Likes

Read the linked article. I get infuriated that human rights activists and journalists are targeted for trying to make the world a better place. I wish journalists had more protections and that freedom of the press were better honored.

2 Likes

Seems like a weird attack vector to my uneducated eye. Zero click by sending malicious PDFs in group chats? You can block people from directly adding you to group chats, so there must be some reason group chats were used even with this additional obstacle. Also can’t find if it compromised the whole device or just WhatsApp. Hopefully Citizen Lab’s future report will give some clarity.

1 Like

It does seem weird from my end too. Unless of course, the victims did not disable that feature in their WhatsApp settings…but that seems unlikely

1 Like

The work of the three alleged targets to have come forward so far – Casarini, the journalist Francesco Cancellato, and the Sweden-based Libyan activist Husam El Gomati – has one thing in common: each has been critical of the prime minister, Giorgia Meloni. The Italian government has not responded to a request for comment on whether it is a client of Paragon.

Italian involvement is starting to look less and less like speculation.

2 Likes

Whoops, it made it a reply to you! Anyway, lots of text upcoming…

Fanpage (the Italian investigative news outlet) wrote an article about the hack, including the message received from WhatsApp. It is also on TechCrunch in English, with more of the message:

“This is a message from WhatsApp,” read the message in Italian, which was obtained by TechCrunch. “In December, WhatsApp interrupted the activities of a spyware company which we believe attacked your device. Our investigations indicate that you may have received a harmful file via WhatsApp and that the spyware may have resulted in accessing your data, including messages saved on the device.”
“We have made changes to prevent this specific attack from happening again. However, your device’s operating system may remain compromised due to the spyware,” continued the message.

It appears it isn’t the entire message, however, as this is stated later:

WhatsApp’s message to Cancellato suggested he could contact Citizen Lab …


Spyware maker Paragon confirms US government is a customer:

Paragon’s executive chairman John Fleming said in a statement to TechCrunch on Tuesday that “Paragon licenses its technology to a select group of global democracies — principally, the United States and its allies.”
Fleming also said that Paragon “requires that all users agree to terms and conditions that explicitly prohibit the illicit targeting of journalists and other civil society figures. We have a zero-tolerance policy against such targeting and will terminate our relationship with any customer that violates our terms of service.”

Ynetnews reported on Monday that Italy is a Paragon customer.


Italy says seven people targeted by spyware on WhatsApp
https://www.reuters.com/world/italian-sea-rescue-activist-targeted-with-spyware-according-meta-alert-2025-02-05/

In a statement, Meloni’s office said the cybersecurity agency was informed by WhatsApp, via a law firm, about seven confirmed cases in Italy, but was not told the names of the people affected, “to protect their privacy.”
ACN was also told that spyware was found among WhatsApp users in other European Union nations, namely Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, Netherlands, Portugal, Spain and Sweden.

Prime Minister Giorgia Meloni’s office said it asked the National Cybersecurity Agency to look into the affair, while denying any involvement, after …

Agenzia per la Cybersicurezza Nazionale (ACN; Italian: National Cybersecurity Agency) is an Italian government agency.

The countries listed are based on the phone numbers’ country codes.

Reminder: “targeted around 90 users … [WhatsApp] said that the targets were in over two dozen countries, including several in Europe.” Separately: “a person close to [Paragon] said it had about 35 government clients, which the person described as democratic governments.” More than 24 countries, and now here are 13 European countries listed… I think that a country does not necessarily respond to a client. E.g. one of the public targets was a Swedish-based critic of Italy-Libya migration pact. But at the same time, in 2022 Pegasus Spyware Maker NSO had active contracts with 12 of the 27 European Union members.


Paragon Solutions … has terminated its client relationship with Italy, according to a person familiar with the matter.
The person familiar with the matter, who spoke to the Guardian on the condition of anonymity, said Paragon had “out of an abundance of caution” initially suspended the Italy contract when the first allegation of potential abuse of the spyware emerged last Friday. The decision to fully terminate the contract, the person said, was made on Wednesday after Paragon determined that Italy had broken the terms of service and ethical framework it had agreed under its Paragon contract.

No longer speculation that Italy is a customer; it seems to be confirmed.


Paragon demands that Italy respond to the allegation, hinting that Paragon may believe Italy has lied. Paragon has two Italian clients (law enforcement and intelligence). (The linked article requires registration to read. Also, this is the relevant Citizen Lab researcher, and they have been consistently posting about this story on their Twitter.)

2 Likes

A lot of finger-pointing so far. Sad that nobody’s taking responsibility.

I don’t understand how app attacks like this get out of the app sandboxing. The articles seem to suggest that the spyware can target the whole device, not just the WhatsApp chats. By accessing the PDF reader, do they use an OS vulnerability? Meta again seems to be ignoring their responsibility to release info for researchers.

The fundamental reason this happens is that, in the von Neumann architecture (all modern computers), data is indistinguishable from code.

This means that when you’ve got unsafe code parsing / reading malicious data, funny things happen. The key, then, is to write safe code, not to rely solely on sandboxing.

I highly recommend reading this blog post on how media files (a common way to get code to parse data) pwned Android, back in the day. These bugs led to dramatic changes in the Android Framework’s design with respect to security (work that’s still ongoing).

I’m sure they’re learning, but you’ve a point (which I don’t agree with) that something as ubiquitous as WhatsApp ought to have its infrastructure / code more permissively accessible to researchers. It doesn’t help that Meta’s CISO (Chief Information Security Officer) is a former Unit 8200 lead, from whence spyware companies like NSO & Paragon have propped up.

2 Likes
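To illustrate the “unsafe code parsing malicious data” point from the post above, here is an added example written for this thread; it is not code from WhatsApp, Paragon, Android, or the linked blog post. It uses a made-up chunked media container (1-byte type, 2-byte big-endian length, payload) and a hypothetical 64-byte work buffer. The unsafe decoder trusts the length field, so a crafted file can overrun the buffer or read past the end of the input; the checked decoder validates every length against both the remaining input and the destination before copying, and rejects the malformed inputs constructed below.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical chunked media container (constructed for this example):
 *   chunk := type (1 byte) | length (2 bytes, big-endian) | payload[length]
 * A decoder copies each payload into a fixed-size work buffer. */
#define WORK_BUF 64

/* Vulnerable decoder: trusts the attacker-controlled length field.
 * A length larger than WORK_BUF overflows the stack buffer, and a length
 * larger than the remaining input reads past the end of the file.
 * Shown for contrast only; nothing below calls it. */
int decode_chunks_unsafe(const uint8_t *data, size_t len)
{
    uint8_t work[WORK_BUF];
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint16_t clen = (uint16_t)((data[off + 1] << 8) | data[off + 2]);
        memcpy(work, data + off + 3, clen);   /* no bounds check: overflow */
        off += 3 + clen;
        count++;
    }
    (void)work;
    return count;
}

/* Hardened decoder: every length is validated against both the remaining
 * input and the destination buffer before any copy. Returns the number of
 * chunks decoded, or -1 if the input is malformed. */
int decode_chunks_checked(const uint8_t *data, size_t len)
{
    uint8_t work[WORK_BUF];
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 3)               /* truncated chunk header */
            return -1;
        uint16_t clen = (uint16_t)((data[off + 1] << 8) | data[off + 2]);
        if (clen > len - off - 3)        /* payload runs past end of input */
            return -1;
        if (clen > WORK_BUF)             /* payload would overflow work buffer */
            return -1;
        memcpy(work, data + off + 3, clen);
        off += 3 + clen;
        count++;
    }
    (void)work;
    return count;
}

/* Constructed sample inputs. */
/* Well-formed file: two chunks with 3 and 2 payload bytes. */
static const uint8_t GOOD[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c',
                                0x02, 0x00, 0x02, 'd', 'e' };
/* Length field claims 0xFFFF bytes but only 2 follow. */
static const uint8_t OVERSIZED[] = { 0x01, 0xFF, 0xFF, 'x', 'y' };
/* Header cut off in the middle of the length field. */
static const uint8_t TRUNCATED[] = { 0x01, 0x00 };

int demo_good(void)      { return decode_chunks_checked(GOOD, sizeof GOOD); }
int demo_oversized(void) { return decode_chunks_checked(OVERSIZED, sizeof OVERSIZED); }
int demo_truncated(void) { return decode_chunks_checked(TRUNCATED, sizeof TRUNCATED); }

/* Payload fits inside the input but is one byte larger than WORK_BUF. */
int demo_too_big_for_buffer(void)
{
    uint8_t buf[3 + WORK_BUF + 1];
    buf[0] = 0x03;
    buf[1] = 0x00;
    buf[2] = WORK_BUF + 1;              /* declared length 65 */
    memset(buf + 3, 'z', WORK_BUF + 1);
    return decode_chunks_checked(buf, sizeof buf);
}

int main(void)
{
    printf("good=%d oversized=%d truncated=%d toobig=%d\n",
           demo_good(), demo_oversized(), demo_truncated(),
           demo_too_big_for_buffer());
    return 0;
}
```

The three rejected inputs are the same shapes that turn a media parser into a sandbox escape in the post’s framing: a length field is just data, but the unsafe decoder lets it decide how much memory gets written, which is exactly the data/code blur being described.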