The University of Toronto’s Citizen Lab has produced forensic proof that Paragon Solutions’ “Graphite” iOS spyware was used to hack European journalists’ phones, deepening concern over the booming mercenary-spyware industry.
In a report published 12 June, researchers Bill Marczak and John Scott-Railton detail how a prominent European reporter, who requested anonymity, and an Italian journalist named Ciro Pellegrino, of Fanpage.it, were both compromised.
Apple had warned the pair on April 29 that they were “targeted with state-sponsored spyware.”
Analysis showed their iPhones were hit in January and early February through a zero-click iMessage exploit that Apple later patched in iOS 18.3.1.
Device logs revealed that both phones secretly contacted the same Paragon-controlled server (46.183.184[.]91) and received commands from an iMessage account the researchers call “ATTACKER1,” linking the intrusions to a single, still-unknown Paragon customer.
Graphite, marketed as a lawful-intercept tool able to siphon messages from apps such as Signal and WhatsApp, left few traces. Only Apple’s notification and deep forensic work exposed the breach.
The vulnerability exploited in this case, tracked as CVE-2025-43200, is described in the iOS 18.3.1 security advisory as a logic issue in the stock Messages app “when processing a maliciously crafted photo or video shared via an iCloud Link.”
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the Cupertino tech giant notes.
The issue is addressed on devices updated to iOS 18.3.1 and newer versions.
The findings come as Italy grapples with earlier disclosures that government agencies bought Graphite to spy on high-profile individuals.
On 5 June, a report by parliament’s intelligence-oversight committee, COPASIR, acknowledged that the government used the product against two activists but said it could not determine who targeted Fanpage.it staff.
Paragon, an Israeli firm now majority-owned by US investors, claimed it cut ties with Rome and offered investigative assistance — an overture the Italian security service rejected as a “national-security risk.”
Citizen Lab says three European journalists have now been confirmed targets of Graphite and warns the episode underscores “Europe’s continuing spyware crisis.”
The lab urges anyone who receives threat notifications from tech giants Apple, Google, and Meta to seek expert help.
Spyware operators – often working for an authoritarian regime – have become notorious for targeting activists, dissidents, political rivals, human rights advocates, investigative journalists and other high-profile people.
Apple, Google, and Meta, Facebook’s parent company, have been fighting the threat for years.
Even if you’re not a high-risk person, you never know when you might accidentally trip a wire and become a target. So it’s always a good idea to stay up to date with the latest security patches.
For peace of mind, run a dedicated security solution on all your personal devices. On iOS and macOS, keep the trusty Lockdown Mode toggle handy if you have reason to believe hackers might be targeting you.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.