International Investigation Reveals Expansion of Paragon’s “Graphite” Spyware

Cyber Hunter Team
February 16, 2026

Citizen Lab report details global infrastructure, zero-click exploitation, and forensic artifacts linked to mercenary spyware

An in-depth investigation by Citizen Lab has brought renewed scrutiny to Paragon Solutions, an Israeli spyware vendor, following new findings related to its surveillance platform known as “Graphite.”

Graphite is classified as mercenary spyware — software developed and sold to government clients for intelligence and investigative purposes. Unlike Pegasus, which is widely known for full device compromise, Graphite is reported to focus on accessing messaging applications such as WhatsApp. However, operationally, the outcome remains similar: monitoring communications and extracting sensitive data.

Company Background

Paragon Solutions was founded in Israel in 2019. Public records and reporting indicate that several founders have prior experience in Israeli intelligence and military units. The company has positioned itself as a more regulated and standards-compliant alternative within the commercial spyware market.

Infrastructure Findings

Infrastructure analysis conducted by Citizen Lab identified server links associated with Graphite activity in multiple jurisdictions, including:

  • Australia
  • Canada
  • Cyprus
  • Denmark
  • Israel
  • Singapore

In Italy, WhatsApp confirmed detection of a zero-click exploit attributed to Paragon. Approximately 90 individuals — including journalists and civil society members — were reportedly notified of potential targeting.

Forensic Evidence

On Android devices, investigators identified a forensic artifact labeled “BIGPRETZEL,” linked to Graphite infections.

In a separate case involving an iPhone, Apple confirmed patching a vulnerability in iOS 18 following the detection of an attempted compromise.

One of the more concerning operational characteristics of Graphite is its deployment method. Rather than operating as a standalone visible application, the spyware is reportedly injected into existing legitimate apps, making forensic detection significantly more complex.

Government Links and Oversight Questions

The report also raised questions regarding potential usage by law enforcement entities in Canada. Meanwhile, the Italian government acknowledged contractual relations but denied targeting journalists.

The broader issue extends beyond a single company or product. Commercial spyware vendors often claim strict safeguards against misuse.

However, historical patterns across the surveillance industry demonstrate that advanced monitoring tools — regardless of jurisdiction — carry inherent risks of abuse.

Graphite represents another chapter in what is increasingly described as the “surveillance-for-hire” industry.

The critical question is no longer who develops or sells these tools.

The more pressing question is:

Who monitors the monitors?
