On Friday, at 2:48 p.m., Francesco Cancellato received a concerning notification on his cell phone while he was at home near Milan.

“This is a message from WhatsApp,” read the message in Italian, which was obtained by TechCrunch. “In December, WhatsApp interrupted the activities of a spyware company which we believe attacked your device. Our investigations indicate that you may have received a harmful file via WhatsApp and that the spyware may have resulted in accessing your data, including messages saved on the device.”

“We have made changes to prevent this specific attack from happening again. However, your device’s operating system may remain compromised due to the spyware,” continued the message.

Cancellato is the first target to come forward following the disclosure of a hacking campaign carried out using spyware allegedly made by Paragon Solutions, as WhatsApp claimed on Friday.

At the time, WhatsApp said that the spying campaign targeted around 90 people, including journalists like Cancellato and members of civil society all over the world. According to The New Yorker, the company’s deal with the U.S. Immigration and Customs Enforcement months earlier in September was the result of a vetting process where the company allegedly showed it could prevent its technology from being used by other countries against Americans, but not the U.S. government

Paragon Solutions was acquired in December 2024 by American private equity giant AE Industrial Partners.

Paragon Solutions and AE Industrial did not respond to a request for comment.

WhatsApp’s message to Cancellato suggested he could contact Citizen Lab, a digital rights group at the University of Toronto that has for a decade investigated and exposed spyware abuses all over the world, including Ethiopia, Mexico, Morocco, Saudi Arabia, and Spain.

Cancellato, who said he and Fanpage have contacted the authorities, told TechCrunch that he “did what the message asked me to do.”

“It is actually quite strange for a journalist to be spied on in a Western democracy,” said Cancellato, adding that the phone that was targeted was his company device, so “it’s an attack on Fanpage; it’s not an attack on me.”