Overview
Paragon Solutions is an Israeli cyber-intelligence company founded in 2019, reportedly by former members of Israel's elite Unit 8200 signals intelligence division. Headquartered in Tel Aviv, Paragon develops and sells Graphite, a sophisticated commercial spyware tool marketed as a more ethically restricted alternative to NSO Group's Pegasus. While Paragon has cultivated a reputation for selling exclusively to democratic governments with rule-of-law frameworks, investigations in 2024-2025 revealed its technology has been used against journalists, civil society members, and activists in Western countries.
Paragon emerged in the wake of NSO Group's blacklisting by the U.S. Commerce Department in 2021 and positioned itself as the "responsible" spyware vendor, one that would not sell to authoritarian governments and would implement contractual use restrictions. The company reportedly received investment from Florida-based private equity firm Battery Ventures and established commercial relationships with several NATO-aligned intelligence agencies.
The company's profile changed dramatically in early 2025 when WhatsApp (Meta) disrupted a Graphite spyware operation and notified approximately 90 victims in 24 countries. Subsequent investigation by Citizen Lab identified Italian journalist Francesco Cancellato (editor of Fanpage.it) and several civil society members in Italy and Germany as confirmed Graphite targets, triggering diplomatic incidents and Italian parliamentary investigations.
Paragon's technology represents a second generation of commercial spyware, incorporating some of the technical lessons from NSO's vulnerabilities while attempting to build in use limitations through technical means. However, documented cases of use against journalists and civil society members by ostensibly democratic governments demonstrate that technical and contractual restrictions on spyware use are difficult to enforce.
Data Collection Practices
Paragon's Graphite spyware provides comprehensive device access through capabilities comparable to NSO's Pegasus:
Zero-click and one-click exploitation: Graphite uses novel exploitation techniques targeting messaging applications and other communication platforms. WhatsApp's February 2025 disclosure revealed that Graphite delivered a zero-click exploit via a WhatsApp group message, compromising targeted devices without any user interaction. The exploit chain involved a corrupted PDF file delivered through WhatsApp's multi-device sync mechanism, exploiting a vulnerability in WhatsApp's media processing stack.
Full device compromise: Once installed, Graphite provides operators with:
- Access to encrypted messaging applications by extracting messages from device memory rather than intercepting encrypted communications in transit (bypassing end-to-end encryption)
- Microphone and camera activation for real-time audio and visual surveillance
- Location tracking (GPS and network-based)
- Access to all files, photos, and documents stored on the device
- Keylogging of typed input
- Access to email, contacts, and calendar data
- Screen capture capability
Selective activation design: Paragon has incorporated technical mechanisms designed to restrict use to specific targets and geographic areas, claiming this prevents operator abuse. However, the Citizen Lab investigation documented that these technical restrictions were not effective in preventing use against journalists in Italy.
Cross-device surveillance: Graphite can extract authentication tokens from the infected device to access the target's cloud accounts and synchronized data, extending surveillance beyond the physical device.
Anti-forensics: Graphite includes capabilities to remove traces from target devices, complicating forensic investigation. However, Citizen Lab's investigation identified distinctive forensic artifacts that enabled detection and attribution.
Known Clients & Government Contracts
Paragon sells exclusively to government intelligence and law enforcement agencies, marketing its product specifically to democratic governments:
Italy: Italian authorities, reportedly including the AISI (domestic intelligence), Guardia di Finanza (financial police), and other law enforcement agencies, are documented Paragon clients. The February 2025 exposure of Italian targets including journalist Francesco Cancellato and civil society members triggered a major domestic political scandal. Italian PM Giorgia Meloni stated she had no knowledge of the specific targeting, and the head of Italy's national cybersecurity agency resigned amid the investigation.
Greece: Greek intelligence services have been identified as Paragon customers, raising concerns given Greece's documented use of NSO Group's Predator spyware against journalists and opposition figures under the Mitsotakis government. The combination of Paragon and Predator deployments in Greece suggests aggressive government use of commercial spyware across multiple vendors.
Singapore, Australia, Canada, Denmark: Citizen Lab's investigation identified infrastructure consistent with Paragon deployments in several NATO-aligned and Five Eyes countries. These deployments appear to be legitimate law enforcement and intelligence uses but raise oversight questions.
German BKA (Federal Criminal Police): German authorities have been reported as Paragon customers, using Graphite for lawful interception of organized crime targets. Germany's use of commercial spyware has been subject to parliamentary scrutiny given GDPR and constitutional privacy protections.
U.S. context: The U.S. government relationship with Paragon is complex. The company reportedly sought to establish relationships with U.S. federal law enforcement, and has not been placed on the U.S. Entity List (unlike NSO Group and Intellexa). The U.S. has maintained an ability to engage with Paragon as a potentially compliant commercial vendor.
Privacy Incidents & Litigation
WhatsApp Operation Disruption (February 2025): Meta's WhatsApp security team identified and disrupted a Graphite spyware operation that had compromised approximately 90 devices across 24 countries. WhatsApp notified victims and issued a cease-and-desist to Paragon Solutions. The operation represented the first publicly confirmed, at-scale deployment of Graphite.
Citizen Lab Investigation (2025): Researchers at the University of Toronto's Citizen Lab identified confirmed Graphite infections on devices belonging to Francesco Cancellato, editor-in-chief of Italian investigative outlet Fanpage.it, and several Italian civil society members. The investigation documented Paragon's infrastructure architecture, including command-and-control servers and victim notification channels, and identified similar infrastructure in approximately 12 countries.
Italian Parliamentary Investigation (2025): The Italian parliament launched a formal investigation into the targeting of journalist Cancellato, demanding that the government explain how Graphite was used against a journalist and civil society members. The resignation of the head of Italy's National Cybersecurity Agency (ACN) amid the scandal represented significant political fallout.
EU Parliament Resolution (2025): The European Parliament adopted resolutions questioning the use of Paragon spyware by EU member states against journalists and civil society members, noting that Paragon's marketing as "democracies only" did not prevent abuse in member states.
Wired Investigation of Paragon Clients: Investigative reporting by Wired documented Paragon's client list and commercial relationships, revealing that the company had clients across multiple continents and that its internal compliance review processes had not prevented the Italian targeting scandal.
Threat Score Analysis
Paragon Solutions receives a composite threat score of 85/100, reflecting its development and deployment of zero-click spyware that compromises devices without user interaction, even though its client restriction policies are more rigorous than NSO Group's:
- Data Collection (95/100): Graphite provides total device access: every file, message, communication, and real-time audio/visual capability. Zero-click exploitation means targets cannot protect themselves through security awareness. The bypass of end-to-end encryption through memory extraction eliminates the protection of apps like Signal or WhatsApp.
- Third-Party Sharing (88/100): Paragon sells intelligence capabilities to government clients who use the tool for surveillance operations. While Paragon maintains client restrictions in theory, documented use against journalists and civil society members demonstrates that the "sharing" of surveillance intelligence between intelligence services and government operators is not meaningfully controlled.
- Breach History (50/100): The WhatsApp disruption and Citizen Lab investigation represent significant operational exposure. While Paragon's own systems were not "breached" in the traditional sense, the identification of its infrastructure and clients represents a major intelligence failure for a company whose business depends on operational security.
- Government Contracts (92/100): Paragon's business is exclusively government contracts with intelligence and law enforcement agencies. Documented clients include multiple European intelligence services, and the company's technology has been used in surveillance operations in at least 24 countries.
- Transparency (12/100): Paragon operates with near-zero public transparency, maintaining a deliberately low profile relative to competitors. The company refuses to confirm or deny its client list, client use cases, or technical capabilities. Its "democracies only" restriction is stated policy but is implemented through internal compliance review rather than any independent oversight.
Weighted calculation: (95 * 0.25) + (88 * 0.25) + (50 * 0.20) + (92 * 0.15) + (12 * 0.15) = 23.75 + 22.0 + 10.0 + 13.8 + 1.8 = 71.35, adjusted to 85 due to the demonstrated use of zero-click device compromise against journalists by ostensibly democratic government clients and Paragon's role as a significant emerging player in the commercial spyware industry.
Transparency & Accountability
Paragon's transparency strategy is defined by strategic ambiguity: the company acknowledges its existence as a cybersecurity company while refusing to confirm any operational details.
The company does not publish a transparency report, disclose its client list, or describe its compliance review process in public documentation. Unlike NSO Group, which produced a "Transparency and Responsibility Report" following the Pegasus Project (however inadequate critics found it), Paragon has not engaged with public accountability mechanisms.
Paragon's primary accountability claim is its "democratic governments only" policy, implemented through its own internal sales and compliance review. This self-regulatory approach has been questioned following the Citizen Lab investigation, which documented that Italian government clients used Graphite against a journalist, a use that would presumably violate even a minimal interpretation of a responsible use policy.
The Israeli government's export control framework theoretically provides oversight of Paragon's sales, as commercial spyware is regulated as a defense export requiring Ministry of Defense approval. However, as with NSO Group, the Israeli export approval process has not prevented sales to clients who abuse the technology.
Following the 2025 exposure, Paragon issued a brief statement through its PR representative denying knowledge of the Italian journalist targeting and claiming it had suspended services to one unidentified client. The company has not disclosed which client was suspended, whether the suspension was temporary or permanent, or what findings drove the decision.
The contrast between Paragon's "responsible spyware" branding and the documented targeting of a Western journalist illustrates the fundamental limitation of vendor-side restrictions in the commercial spyware industry: once technology is transferred to a government client, the vendor's control over its use is limited to contractual remedies that require awareness of the violation and willingness to enforce.