Security researchers at Citizen Lab have obtained clear forensic evidence that the commercial spyware vendor Paragon was recently able to compromise fully updated iPhones. The group confirmed infections on devices belonging to two journalists, both of whom had received quiet warnings from Apple earlier this year.
In a report released on Thursday, Citizen Lab detailed how Paragon’s mobile surveillance platform, known as Graphite, was used to target the journalists. Device logs from both individuals showed communication with the same Graphite command-and-control server.
The server also interacted with an iMessage account identified by researchers as ‘ATTACKER1.’ Citizen Lab says this is strong evidence linking the attacks to a single Paragon customer.
Apple addressed the zero-click exploit by releasing a fix in February, listed as CVE-2025-43200 in the iOS 18.3.1 update. However, Citizen Lab emphasized that the breaches occurred during January and early February, when both phones were already running the latest software.
“Our forensic analysis found that one of the journalist’s phones was infected with Paragon’s Graphite spyware during January and early February 2025 while using iOS 18.2.1,” the researchers reported.
The investigation also revealed a shift in tactics, with operators reusing infrastructure across multiple platforms. This reuse makes it easier for researchers to link various attacks back to a common source. In this case, the shared ATTACKER1 account and a separately fingerprinted server in an Austrian data center pointed to a Paragon customer active as recently as mid-April. This customer was targeting both iOS and Android devices.
Paragon, based in Israel and recently acquired by a U.S. private equity firm, promotes Graphite as a lawful surveillance solution for law enforcement. It is designed to extract data from mobile devices and encrypted messaging apps. The company has previously been tied to zero-day exploits affecting Meta’s WhatsApp and has faced scrutiny in Italy for allegedly targeting journalists. Paragon has since ended its contract with the Italian government.
Citizen Lab stated that it shared a summary of its findings with Paragon and offered to publish the company’s response in full.