Security researchers at Citizen Lab say they have hard forensic proof that commercial spyware maker Paragon could until recently compromise up-to-date iPhones, confirming infections on two journalists who were quietly warned by Apple earlier this spring.
In a new report published Thursday, Citizen Lab documented the use of Paragon’s ‘Graphite’ mobile hacking platform against two journalists whose mobile device logs show both phones communicating with the same Graphite command-and-control server.
The server was observed interacting with an iMessage account the researchers dub ‘ATTACKER1’, evidence Citizen Lab says ties the operations to a single Paragon customer.
Apple patched the underlying zero-click exploit in February in iOS 18.3.1 and catalogued it as CVE-2025-43200, but Citizen Lab notes that the compromise periods (January through early February) make clear that the phones were fully up to date when they were breached.
“Our forensic analysis concluded that one of the journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1,” the researchers said.
The Citizen Lab report also underscores a tactical evolution where operators appear to reuse infrastructure across multiple platforms, making it easier for researchers to pivot from a single IP address to an entire customer cluster.
In this case, Citizen Lab said the shared ATTACKER1 account and a different fingerprinted server hosted at an Austrian data centre point to a customer who targeted both iOS and Android devices and was still active as of mid-April.
Paragon, which has roots in Israel and was recently acquired by a US private equity firm, markets Graphite as a lawful intercept tool for law enforcement capable of capturing data from mobile devices and encrypted messaging apps.
The company has been linked to zero-day attacks against Meta’s popular WhatsApp messenger and has been embroiled in a scandal in Italy over the targeting of journalists. Paragon recently announced the severing of its contract with the Italian government.
Citizen Lab said it sent a summary of its latest findings to Paragon and offered to publish a response in full.
“As of the time of publication we have not received a response,” the research outfit said.
