IrpiMedia

Independent investigative journalism periodical


Prominent Italian businessman also among the targets of Paragon spyware

Francesco Gaetano Caltagirone received a WhatsApp message on January 31, along with 90 other users around the world. Since the end of 2024, he has been at the center of a major banking operation involving the government. He is the first name involved outside the circle of activists and journalists.

09.10.25

Raffaele Angius

After activists and journalists, the world of finance has now entered the chat. It’s the latest twist in the saga of Graphite, the spyware developed by Israeli firm Paragon Solutions and used by governments and law enforcement agencies in several countries, including Italy. According to information obtained by IrpiMedia and La Stampa, a new name has joined the list of people who, last January, received a message from WhatsApp informing them they had been targeted by the spyware.

That person is Francesco Gaetano Caltagirone — entrepreneur, publisher, and one of Italy’s richest men. It’s unclear who attempted to spy on him, but the notification that appeared on his phone, along with those of at least seven other people in the country, was unambiguous.

On the same day, WhatsApp also notified Fanpage editor-in-chief Francesco Cancellato and the two founders of the NGO Mediterranea, Luca Casarini and Giuseppe “Beppe” Caccia. We know this because they went public with the information themselves, revealing a network of surveillance activities that stretched far beyond the initial alert.

The investigation in a nutshell

  • On January 31, WhatsApp sent a message to inform 90 users worldwide that they had been targeted by spyware. Among at least seven Italian users identified so far were the phone numbers of activists such as Luca Casarini and Beppe Caccia of the NGO Mediterranea, and journalists including Fanpage’s editor-in-chief Francesco Cancellato. IrpiMedia and La Stampa have verified that businessman Francesco Gaetano Caltagirone also received the same notification.
  • Citizen Lab, the research group at the University of Toronto that investigates spyware, determined that the malware used in these attacks is Graphite, developed by the Israeli company Paragon Solutions.
  • Caltagirone, one of the richest men in Italy, has been at the center – since the end of 2024 – of a banking operation involving the government, aimed at creating the country’s third-largest banking group, based in Rome.
  • The spyware was delivered through a vulnerability in WhatsApp. Caltagirone was reportedly added, without his knowledge, to a chat in which a PDF file containing the spyware was shared. IrpiMedia and La Stampa asked the businessman’s press office whether his phone had subsequently been analyzed, but received no response.
  • Several experts familiar with the issue agree that targeting a specific individual in such an attack costs around half a million euros. These operations are always highly targeted.
  • The Graphite case came to light after Francesco Cancellato revealed that he had been alerted to the attack by Meta, WhatsApp’s parent company. The government has consistently denied any involvement in the operation against Cancellato, while admitting to conducting intelligence activities targeting Mediterranea activists.

From Father Mattia Ferrari, Mediterranea’s onboard chaplain, to Fanpage managing editor Ciro Pellegrino, the scope of the spying operation widened rapidly in the months that followed. But this is the first known case in which a businessman — far removed from the worlds of journalism or activism — has been among the targets.

Caltagirone is one of the key players in the series of operations that are reshaping Italy’s financial structure. He is a shareholder in several banks – Generali, MPS, and Mediobanca – the latter of which was acquired by MPS (where the state is also a shareholder). At this point, only the authorities will be able to ascertain whether it was a foreign government that targeted Caltagirone’s smartphone, a hypothesis already aired in relation to Cancellato, or whether there is an Italian hand behind the operation. But let’s take it one step at a time.

An exclusive circle

According to sources familiar with the matter who spoke to IrpiMedia, in December 2024 the phone number used by Caltagirone was added to a WhatsApp chat made up of contacts he knew personally. Inside the chat, a PDF file had been shared. Shortly afterwards, the chat disappeared — and the PDF along with it.

A month later, WhatsApp informed the affected users that it had identified and fixed a vulnerability that had allowed an attacker to install spyware on a target’s device without their knowledge — and without the need to click on any link or attachment.

These are known as “zero-click attacks”: they exploit a flaw in a system or app — WhatsApp in this case — to silently install malicious software, leaving no trace and requiring no interaction from the target, unlike more common phishing or malware attempts. Caltagirone’s smartphone was among those that received this warning.

According to the accounts of other victims and Citizen Lab itself, this is precisely the method by which Graphite was spread among its targets. The system does not strike at random: it is programmed to install itself exclusively on the target’s phone, leaving unscathed the other people in the group, whose role is merely to act as extras that make the trap more credible.

Following WhatsApp’s security alert, the phone was reset to factory settings — a move that removed the spyware but also erased any digital evidence that could have helped trace it. Contacted by IrpiMedia and La Stampa, Caltagirone’s press office did not respond to a request for comment and did not clarify whether any forensic checks had been carried out on the device.

A wave of notifications

Casarini, Caccia and Cancellato were the first to speak out about being targeted, in the wake of the WhatsApp alerts sent on 31 January. According to WhatsApp and Citizen Lab — the University of Toronto research centre that helped uncover the threat — ninety such notifications were sent simultaneously across several countries, seven of them in Italy. What was not known at the time, and would only emerge in the following days, was that Mediterranea had already been flagged in earlier incidents of this kind.

The first dated back a full year, to February 2024, when Meta — the parent company of Facebook and WhatsApp — sent a similar warning. That alert went to Casarini once again, as well as to Father Mattia Ferrari, Mediterranea’s onboard chaplain.

Ferrari also holds the phone contract used by David Yambio, a Sudanese citizen and spokesperson for the ngo Refugees in Libya, who in turn received a notification from Apple in November 2024 warning of a possible compromise of his device. That made three.

The picture was later reconstructed by an inquiry carried out by Copasir — the Parliamentary Committee for the Security of the Republic, which oversees Italy’s intelligence agencies — in the spring of this year.

The committee’s report, unusually made public, confirmed that Caccia and Casarini had indeed been the subjects of surveillance by the Italian secret services, in operations «aimed at preventing threats to national security by individuals suspected of facilitating the entry of foreign nationals into the country.»

What happened in Cancellato’s case, however, has never been established. The government has consistently denied any role in the affair and has even suggested the involvement of a foreign intelligence service.

To explore the range of possibilities, Copasir carried out inspections at the headquarters of AISE and AISI (the foreign and domestic secret services, respectively), requesting to see the respective servers from which they interact with Paragon. By entering the phone numbers of the targets, confirmation was found for both Caccia and Casarini. When queried with Cancellato’s number, the system responded: «Number not found.»

Things got complicated in April, when another notification—this time sent by Apple—warned a second batch of targets about the potential compromise of their devices. Among them was Ciro Pellegrino, managing editor of Fanpage. Although nothing was found on Cancellato’s device, it cannot be a coincidence that a second Graphite infection was recorded in the same publication.

Fanpage is known for its undercover investigations, including Gioventù meloniana (Melonian Youth), which, thanks to the work of a journalist who infiltrated Gioventù Nazionale (National Youth), exposed the far-right leanings and fascist nostalgia of the youth wing of the party led by Prime Minister Giorgia Meloni. Subsequent analyses of Pellegrino’s phone, carried out in the Citizen Lab laboratories in Toronto, confirmed the presence of Paragon on his device.

It was only in June that prosecutors in Rome and Naples ordered forensic examinations of the phones belonging to individuals under surveillance, authorising non-repeatable analyses of the devices. Following that move, more victims of Paragon spyware came to light: among them were Roberto D’Agostino, founder of the gossip site Dagospia, and Eva Vlaardingerbroek, a Dutch far-right influencer based in Rome.

«Governments have so many different tools to monitor a target that it’s simply unthinkable they’d all work the same way or be easy to detect,» a source who analysed several of the devices told IrpiMedia. «There are far more spyware products than those made by Paragon or NSO, and there’s also a web of quid pro quos between countries — if I can’t intercept a specific citizen, I’ll ask a neighbouring state to do it for me,» the expert said, unable to discuss concrete examples for confidentiality reasons.

Contacted by IrpiMedia, Paragon did not respond to a request for comment.

Who are Paragon’s clients

Among those in the surveillance industry, Graphite is a well-known name. Paragon Solutions, the company behind it, is an Israeli firm that develops and researches cutting-edge surveillance technologies. Its flagship product has become one of the most sought-after tools on the market — especially since rival company NSO was forced to scale back operations following a series of scandals over the misuse of its technology by numerous governments, as documented by IrpiMedia in investigations spanning from Morocco to Mexico.

In the surveillance business, the value of a product lies not only in the quality of its software but in the company’s ability to bypass the security systems of smartphones, computers, and both Android and Apple devices, allowing it to operate on virtually any target or platform. That is precisely the service Paragon offers — and one that has even attracted investment from the European Union over time.

  • USD 900,000,000: the amount paid by US-based AE Industrial Partners to acquire Paragon Solutions in December 2024
  • USD 2,000,000: the value of Paragon Solutions’ most recent contract, signed with ICE, the US agency for border control and immigration
  • EUR 30,000,000: the estimated value of the contract signed between Paragon Solutions and the Italian government

In December 2024, about a month before the WhatsApp notifications exposed one of Paragon’s infection methods, the US investment fund AE Industrial Partners — focused on the aerospace, defence, and cyber-surveillance sectors — acquired the company for $900 million, according to industry reports. Public sources indicate that Paragon continues to sign contracts with US government agencies.

The most recent, worth $2 million, was with ICE, the federal agency responsible for border and immigration enforcement. Sources familiar with the contract between Paragon and Italy told IrpiMedia that the deal was «in the order of tens of millions of euros — around thirty.»

Over the years, Paragon has managed to brand itself as the “ethical” alternative to NSO: no scandals, only legitimate state clients, and only “democratic countries that have successfully passed its rigorous due diligence and vetting process,” as the company stated in a press release last June. Although Paragon’s contracts are not public, the company has claimed they explicitly prohibit the use of Graphite against journalists or activists.

Officially, this is the reason why, in early February — shortly after the wave of notifications — Paragon announced it would unilaterally terminate its contract with Italy. A softer version of events later appeared in Copasir’s report, which referred instead to a “mutually agreed termination” between the parties. In either case, the logic behind such a move remains unclear — particularly if Paragon itself believes it was not the Italian government that spied on journalists, but another of its clients.

After initially denying any wrongdoing, the Italian government eventually admitted to having used Graphite against Luca Casarini and Beppe Caccia — not as human rights activists, it claimed, but «in relation to their activities potentially linked to irregular immigration.» Excluding Yambio, who as noted was not targeted through Graphite, that leaves the unexplained notification received by Cancellato. 

A murky world

The cyber-surveillance market is populated by researchers who hunt for vulnerabilities in every system so those flaws can be weaponised to spy on targets. One such flaw — the WhatsApp vulnerability analysed with the help of Citizen Lab at the University of Toronto — allowed Graphite to be installed remotely without any interaction from the target. Another was an Apple vulnerability that led to alerts to Ciro Pellegrino and other journalists known to IrpiMedia who have chosen to remain anonymous.

In every case the reporters turned to Citizen Lab to have their devices examined. As the organisation itself has reported, each forensic analysis uncovered signs of compromise consistent with the Israeli spyware.

According to what has been reconstructed by technicians and confirmed to IrpiMedia by independent sources, the vulnerability found on the affected iPhones is linked to iMessage, Cupertino’s instant messaging app, which handles both messages exchanged between iPhones and text messages. Again, this is a zero-click attack: Paragon found a way to break the iPhone’s security mechanisms by sending a message containing an image file.

IrpiMedia was able to view one such file in another case related to the story: it was a trivial image of a profile-photo silhouette, the kind social networks display by default until you upload your own.

«They are extremely expensive, technically sophisticated attacks, and there is a whole market worth billions,» a sector source who asked to remain anonymous told IrpiMedia. According to four experts consulted for this article, attacks against Android or Apple devices cost «around half a million euros per target, because the more they are used the higher the risk the vulnerable vendor will discover them,» one source explained.

The experts themselves are groping in the dark as they try to analyze the devices involved. There are numerous technical reasons why an analysis may not produce results. Time is a key factor: the longer the analysis of the device is delayed, the more difficult it will be to identify compromising elements.

This stems primarily from the way smartphones manage logs, which record some, but not all, of the activities that take place within the phone. Then there are anomalies, such as the fact that Caltagirone’s smartphone is also the first known case of an iPhone receiving a notification from WhatsApp, whose vulnerability was believed to be effective only on Android devices.

However, there are several plausible explanations: experts explain that one may be the presence in the past of a backup traceable to an Android device. «Attackers always work with incomplete information,» says one source, «and this means that they may make mistakes in choosing which weapon to use.»

Credits

Authors: Raffaele Angius
Editing: Lorenzo Bagnoli
Fact-checking: Lorenzo Bagnoli
Contributor: Antonella Napolitano
In partnership with: La Stampa
Cover photo: © Brett Jordan/Unsplash

IrpiMedia is a publication registered with the Court of Milan, no. 13/2020.
IRPI | Investigative Reporting Project Italy | Social promotion association | Tax code 94219220483
The contents of this site are distributed under a Creative Commons Attribution-NonCommercial 4.0 International licence.
