An in-depth Paragon spyware investigation has uncovered new evidence suggesting that governments from Australia, Canada, Cyprus, Denmark, Israel, and Singapore are using surveillance tools developed by Israeli firm Paragon Solutions.
Citizen Lab, a digital security research group at the University of Toronto, published the findings this week after analyzing technical infrastructure linked to Paragon’s spyware tool, codenamed Graphite. The report offers a rare glimpse into how this lesser-known surveillance startup operates and identifies suspected global customers — including Canada’s Ontario Provincial Police (OPP).
Citizen Lab’s investigation comes on the heels of recent alerts sent by WhatsApp to nearly 90 users believed to have been targeted by Paragon spyware — sparking a political uproar in Italy, where some of the targeted individuals live.
Paragon, which has long marketed itself as a more “responsible” alternative to controversial players like NSO Group, claims it works only with democratic governments. Still, the new report raises serious questions about those assurances and the company’s transparency.
The researchers say they identified Paragon’s server infrastructure from unique digital fingerprints and TLS certificates, one of which openly referenced Graphite. The servers were traced to telecom operators in each of the suspected countries, and initials in the digital certificates matched the country names, strengthening the link.
One of the most direct connections was found in Canada, where an IP address linked back to the Ontario Provincial Police. In response, an OPP spokesperson declined to confirm or deny their involvement, citing risks to ongoing investigations and officer safety.
Paragon executives, when contacted, claimed that Citizen Lab’s findings were based on limited and partly inaccurate information. However, they declined to elaborate or answer direct questions about whether the listed countries are indeed clients.
Earlier reports indicated that U.S. venture capital firm AE Industrial Partners acquired Paragon for at least $500 million in late 2024, suggesting strong investor confidence in the surveillance company’s global reach.
Citizen Lab’s research also uncovered a forensic trail left by the spyware on infected Android phones — a marker they labeled BIGPRETZEL. Meta, the parent company of WhatsApp, later confirmed that BIGPRETZEL was linked to Paragon’s tool.
One of the Italian targets, Beppe Caccia, who works for a nonprofit supporting migrants, was infected by Graphite, which stealthily compromised two specific apps on his Android device. Researchers did not publicly name the apps but noted this method of targeting apps — rather than taking full control of the operating system — makes the spyware harder to detect while still harvesting sensitive data.
This approach, experts noted, creates challenges for forensic investigators but potentially increases the chance for app developers themselves to detect abnormal activity. “Paragon’s spyware is trickier to spot than competitors like Pegasus,” Citizen Lab’s senior researcher Bill Marczak explained. “But with collaboration and information sharing, even the toughest cases unravel.”
While Citizen Lab analyzed other cases, including that of David Yambio — another NGO worker who received Apple’s mercenary spyware warning — they found no evidence of Paragon’s spyware on his device.
According to the report, many victims used Android phones, where certain logs often disappear over time, meaning more people were likely targeted without any visible traces being left.
Citizen Lab’s findings further underscore growing concerns over commercial spyware’s global reach — even from companies claiming to operate responsibly. As spyware companies evolve, their tools grow harder to detect, but researchers warn that the risks to journalists, activists, and civil society remain dangerously high.