Digital Conflicts is a bi-weekly briefing on the intersections of digital culture, AI, cybersecurity, digital rights, data privacy, and tech policy with a European focus.

Brought to you with journalistic integrity by Guerre di Rete, and authored by Carola Frediani and Andrea Signorelli.

New to Digital Conflicts? Subscribe for free to receive it by email every two weeks.

N.21 - 13 February 2025

A sensational exit. That's how the sale of a young Israeli offensive cyber company to the American private equity fund AE Industrial Partners for half a billion dollars was described in December. An exit that could reach 900 million, depending on the achievement of growth and profitability targets. Almost unicorn status for Paragon, a company founded in 2019 by a group of former members of 8200, one of the three units of the Military Intelligence Directorate of the Israeli Defence Forces (IDF), responsible for collecting intelligence and signals intelligence (SIGINT) and developing ad hoc tools.

Paragon, which now employs some 450 people, is a company that immediately set out to achieve very high standards. Its founders include Idan Norik, who is CEO, Lior Avraham, Liran Alkobi and Igor Bogdanov. Its president is Ehud Schneerson, a former commander of the same military intelligence unit. And its shareholder and board member is none other than former Labour Prime Minister and former Chief of Staff Ehud Barak.

The Graphite Software and The Context of the Spyware Market

Paragon's flagship product is the Graphite software, a spyware from which very little has been technically leaked. It seems to have the characteristics of other spyware or trojans that have been seen in the past, taking control of the mobile phone and intercepting communications in applications such as Whatsapp, Signal, Telegram, Gmail. This is the only function that is repeated in the media and at different times. Some write of persistence capabilities (a spyware that resists a reboot of the device), but also of a type of software that is more limited in its access to the device than others. But the technical part is still too vague at the moment.

What there is more information about is how Paragon is positioned. The context is that of companies selling spyware to governments for investigative purposes of a judicial or intelligence nature. A business that has grown in recent years, but which has generated many controversies (and inquiry committees, such as the European PEGA) for the use of these tools against journalists and political opponents. Controversies that have materialised in media and political attention, judicial investigations, lawsuits (WhatsApp against NSO, for example), as well as cyber attacks and information leaks. So much so that its direct competitor, the Israeli company NSO, which produces the Pegasus spyware, was placed on the Entity List, a kind of blacklist of the Department of Commerce, by the Biden administration, along with two other spyware companies founded by Israelis, Candiru and Intellexa.

Paragon and the Etical Marketing

It is easy to see why, until recently, Paragon emphasised how it had managed to get on the US government-approved list of suppliers, even for the more "ethical" choice of selling only to democratic countries, excluding regimes or states accused of violating human rights. Paragon, the ethical spyware company. A difficult statement to digest for any digital rights activist, but one that had a very clear business rationale and a certain political positioning. Also in Israel and in relations with the US. In short: political opposition to Netanyahu, closeness to the Democratic administration in the US. Thus, while NSO, a key company in Netanyahu's cyber-diplomacy, was the target of journalistic investigations such as the Pegasus Project into the alleged misuse of its Pegasus spyware, and was blacklisted by the Biden administration, Paragon was weaving its commercial and diplomatic web in Washington (here a view from the Israeli right).

This is to outline the - much more complex - political plan. On the economic front, the Israeli cyber startup sector welcomed Paragon's exit with enthusiasm, despite the apparent reluctance of the Ministry of Defence to grant the authorization, and perhaps also despite the discontent of some sectors of the intelligence community. "To date," wrote Calcalist, "Paragon has only raised about $30 million, so this is a high return on investment, even though not all of the deal was in cash and some will be in shares of the company created by the merger."

The AE fund plans to merge Paragon with another company in its portfolio, RED LATTICE, which operates in the defence sector. "The agreement," writes Globes, "will allow Paragon to expand its market presence in countries such as the United Kingdom and Ireland, Australia, New Zealand, Canada and the United States.All this to arrive at the announcement of Meta/WhatsApp on the 31st of January, which comes as a bombshell for the company, which until now has not been affected by any investigations or controversies, and which has a very private profile. WhatsApp informed some media that it had sent a cease and desist letter to Paragon, ordering it to stop hacking some of its users. An attempted breach of about 90 users in more than 24 countries, including people in Europe, via malicious electronic documents [PDFs distributed in group chats, according to the Guardian. Ed]. The malicious document was sent to the targets in December and did not require any user interaction to be compromised, a zero-click attack. The 90 include members of civil society and journalists, WhatsApp spokespeople told the media, although it is not clear whether they are all or just some of the 90”.

The Italian angle

But some of them are certainly in Italy. WhatsApp sent a message to all the victims. Among them is the director of the news site Fanpage, Francesco Cancellato, as reported by the Italian media on 31 January; then the activist Luca Casarini, head of the mission and one of the founders of the NGO Mediterranea, which rescues migrants in the Mediterranean; and then the Libyan activist Husman El Gomati, critical of the policy on migrants between Italy and Libya. In the days that followed, other names linked to the same Mediterranea were involved, such as the shipowner Beppe Caccia. Meanwhile, some international newspapers wrote that Paragon had two clients in Italy, a police force and an intelligence agency.

This is where the all-Italian ballet begins. The requests for clarification to the government, which denies involvement, and in a note "rules out the possibility that [Italian users, ed] were under the control of the intelligence services and therefore the government". It added that it had asked the National Agency for Cyber Security (ACN), which is under the control of the government, to speak with the law firm Advant, which represents WhatsApp. From this conversation, the government said that the Italian users targeted were 7. And they also revealed who the other Paragon customers in Europe might be, to the delight of the other governments (it must be said that a user in a certain country does not necessarily mean that country has the spyware, a person could be a target of foreign intelligence services. But in general the chances are high, especially if there are many users): "From the same conversation it is clear that the users involved so far belong to numbers with telephone prefixes attributable to the following countries, in addition to Italy Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, the Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain and Sweden", said the government note.

Who Used Paragon?

But if, according to official statements, it is not the secret service, could it still be someone operating without the government's knowledge? And if it really is not the secret service, could it instead be the judicial authority—such as a public prosecutor’s office—given that this type of tool, similar to Paragon's Graphite, has been used in investigations for years?

In fact, the government itself has alluded to public prosecutors. Although, according to the Italian newspaper Il Messaggero, "none of the largest and most important prosecutor's offices in Italy uses the Israeli spying system, which can exfiltrate data, intercept conversations and locate people. Graphite is not used for wiretapping in Rome, Milan, Naples, Palermo or Genoa", but in the past there have been investigations by prosecutors and the National Anti-Mafia Directorate (DNAA) against NGOs involved in the rescue of migrants. And more than one in seven Italian users belongs to this world.

Meanwhile, Paragon has announced that it has first asked for clarifications and then cancelled the contracts in Italy for violating the terms of the contracts themselves, which do not allow journalists or members of civil society to be targeted with the spy software, the foreign press writes. However, sources in the executive continue to say that the spyware is still in use.

Perhaps the most disturbing aspect of the whole affair is this institutional stalling on a crucial issue. Among the victims is at least one journalist who has co-ordinated critical and embarrassing investigations for the government. And activists who, if they were to be intercepted in this way as part of an investigation, would have to be accused of very serious crimes.