Researchers Identify Multiple Countries as Possible Paragon Spyware Clients

Mar 19, 2025 - 23:10
Image Credits: Bryce Durbin

New Report Links Paragon Spyware to Multiple Governments

A new investigation by Citizen Lab has identified six countries—Australia, Canada, Cyprus, Denmark, Israel, and Singapore—as suspected users of Paragon Solutions' Graphite spyware, raising fresh concerns about government surveillance and digital privacy.

The report, published on Wednesday, comes after WhatsApp notified around 90 users earlier this year that they were targeted with Paragon spyware, leading to an outcry in Italy. Paragon, an Israel-based spyware vendor, has long positioned itself as a "responsible" alternative to NSO Group, whose Pegasus spyware has been linked to multiple cases of human rights violations. However, Citizen Lab’s findings challenge this claim.

[Figure: An example of the attack flow for the Graphite spyware. The steps include an attacker adding a person to a WhatsApp group, then the victim's device automatically parsing a PDF, exploiting the vulnerability. Image Credits: Citizen Lab]

Tracking Paragon’s Operations

Citizen Lab, a cybersecurity research group from the University of Toronto, traced server infrastructure linked to Paragon’s spyware. Using a tip from a collaborator, researchers identified IP addresses hosted at telecom providers in the six countries, which they believe are linked to government clients. Additionally, digital certificates associated with these servers featured country initials that matched their locations.

One of the biggest revelations in the report was the discovery of a certificate registered to Graphite, suggesting an operational error by Paragon. Citizen Lab described this as “strong circumstantial evidence” confirming the spyware’s presence in these countries.

Among the suspected government clients, the Ontario Provincial Police (OPP) in Canada was specifically identified, as one of the tracked IP addresses was linked directly to the agency.

Paragon’s Response

Paragon Solutions has repeatedly claimed that it only sells spyware to "global democracies" and allied nations. In response to Citizen Lab’s findings, Paragon's executive chairman John Fleming stated that the researchers provided only “limited and potentially inaccurate” information. However, he refused to clarify what was incorrect or comment on the countries named in the report.

When asked whether Paragon still has Italian clients following the WhatsApp scandal, Fleming did not respond.

WhatsApp and Meta Confirm Spyware Presence

WhatsApp's January warnings to targeted users played a key role in bringing attention to Paragon’s spyware operations. According to Meta, the parent company of WhatsApp, the forensic indicator identified as “BIGPRETZEL” is associated with Paragon spyware.

Meta emphasized the dangers of commercial spyware, stating:

"We've seen firsthand how spyware can be weaponized against journalists and civil society. These companies must be held accountable."

Stealthy Yet Detectable

Citizen Lab highlighted how Graphite operates differently from Pegasus. Instead of taking over an entire device, it targets specific apps, making it harder to detect through standard forensic analysis. However, this method gives tech companies more visibility into spyware operations, which could eventually lead to better countermeasures.

While analyzing devices of victims in Italy, Citizen Lab found that Paragon’s spyware infected certain apps on Android phones without user interaction. They suspect that iPhones may also be vulnerable, though evidence was inconclusive in one examined case.

Ongoing Investigations

Despite Paragon’s attempts to distance itself from the controversies surrounding NSO Group, its spyware is now under increasing scrutiny. With companies like Meta and Apple actively monitoring spyware threats, and cybersecurity experts uncovering traces of Graphite in multiple countries, the full extent of Paragon’s operations remains an ongoing investigation.

TechCrunch reached out to government representatives from Australia, Canada, Cyprus, Denmark, Israel, and Singapore for comment, but none responded. Apple also declined to comment on Citizen Lab’s findings.

As spyware usage continues to raise privacy and human rights concerns, experts warn that even the most advanced spyware leaves digital footprints—and it’s only a matter of time before more evidence surfaces.



News Source: TechCrunch

Angelo Male

Dedicated to delivering accurate, well-researched, and timely news. Every article is carefully verified and sourced from credible channels, ensuring reliability and trust. Covering a wide range of topics, from current events and business to technology and more, the focus is on truth, integrity, and clarity. Stay informed with news that matters.