Paragon Scandal: Denmark And Cyprus Potential Spyware Customers Alongside Italy
By EurActiv
By Vas Panagiotopoulos
(EurActiv) — Paragon Solutions, the Israeli company behind Graphite spyware, appears to be active in more EU countries than it has been previously known, according to a new report published today.
Revelations confirmed by WhatsApp in January that the spyware had been used in Italy and elsewhere to target at least 90 individuals, including journalists and activists, sparked a scandal that has shaken the country.
The report by the Canada-based human rights group Citizen Lab, an organisation that has investigated spyware abuses since 2012, highlights several potential Paragon customers in Denmark and Cyprus, alongside Italy, as well as in non-European countries like Australia, Canada, Singapore and Israel. Citizen Lab’s investigation also surfaced potential links between Paragon Solutions and the Canadian Ontario Provincial Police.
The report marks the first time that it has been forensically confirmed – independently of WhatsApp – that there are Paragon infections among the spyware’s Italian targets.
“Paragon’s spyware is trickier to spot than competitors like Pegasus, but, at the end of the day, there is no ‘perfect’ spyware attack,” Bill Marczak, a senior researcher at Citizen Lab, told Euractiv.
“Maybe the clues are in different places than we’re used to, but with collaboration and information sharing, even the toughest cases unravel,” he said.
Citizen Lab researchers highlighted that there is a steep learning curve in detecting novel attacks, and investigations like this show the need to shift focus to where subtle signs of exploitation may be.
“When forensics experts and app creators are able to pinpoint these signs, the trade-offs that spyware companies made become a liability,” said Rebekah Brown, a senior researcher at Citizen Lab.
The German connection
The report maps out the server infrastructure that Citizen Lab attributes to Paragon’s Graphite spyware tool. Among other findings, the report points toward the involvement in a German data centre in the attacks.
“We don’t know for sure that the German data centre was used in infections,” explained Marczak. “We can see is that there’s a chunk of Paragon infrastructure being run by a single customer of the German data centre. The purpose of the infrastructure isn’t fully clear, but it looks similar to the infrastructure used by Paragon customers.”
“This raises important questions around who is operating the infrastructure, who is maintaining the infrastructure, how much visibility both [the spyware’s] developer and the operator might have and again suggests that there is multiple overlapping European nexuses in spyware cases,” said John Scott-Railton, a senior researcher at Citizen Lab.
Recently, Euractiv exclusively reported that Paragon has set up shop in Germany, potentially allowing the company to exploit the advantages of the single market to trade their tools within the EU with minimal oversight.
Paragon’s customers and victims across the EU
However, it still remains unclear where exactly Paragon’s EU customers or victims are based. In response to press inquiries and requests for clarification, the Italian government issued a statement on 5 February claiming that WhatsApp said that the users in question were based in no less than 13 EU member states – Austria, Belgium, Cyprus, Czech Republic, Denmark, Germany, Greece, Latvia, Lithuania, the Netherlands, Portugal, Spain, and Sweden – according to their country phone codes.
“It is Groundhog Day for spyware abuse. And the problem extends beyond Italy: recent reports indicate that Germany has also been a customer of Paragon spyware. And so have Denmark and Cyprus,” said Hannah Neumann, a Green MEP from Germany who is a former member of the Parliament’s PEGA inquiry committee into spyware.
“It is crucial to check now how Paragon has been used there and on whom. We have already sent a series of questions to the German government demanding transparency,” Neumann added.
According to WhatsApp’s revelations in January, Paragon’s victims in Italy included Francesco Cancellato, editor-in-chief of Fanpage.it, and David Yambio, a campaigner for migrants in Libya. Both spoke at an event in the European Parliament in Strasbourg recently that highlighted the European Commission’s lack of legislative follow-up on spyware, despite a resolution adopted by the European Parliament and the findings of its PEGA inquiry committee.
“The Commission remains silent. No action, no urgency – despite repeated warnings. If we do not close the regulatory loopholes, enforce strict bans, and protect the victims, spyware abuse will continue unchecked. The EU must act now – we need binding rules, real oversight, and accountability to end this cycle once and for all,” said Neumann.“The European Commission’s continued inaction is no longer acceptable. We urge the Commission to immediately publish its long-overdue communication on spyware, expected in late 2023. We also call on the Polish Presidency to make the fight against spyware abuse a top priority within the Council of the EU. If we do not respect the standards we claim to uphold, we risk setting a dangerous precedent, one that could allow spyware to be misused with harmful consequences,” said Silvia Lorenzo Perez, Director of the Security, Surveillance and Human Rights Programme at CDT Europe, which is leading a civil society coalition to combat spyware abuse across the EU.
