Introduction
According to a recent technical report by The Citizen Lab, a prominent digital security research group, the governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are potential customers of Paragon Solutions, an Israeli spyware manufacturer.
Background
On Wednesday, The Citizen Lab, a team of academics and security researchers at the University of Toronto, released a report about Paragon, a surveillance startup founded in Israel, revealing that these six governments are suspected of deploying Paragon’s spyware.
WhatsApp Notifications and Scandal
In late January, WhatsApp informed around 90 users that they were targeted with Paragon spyware, prompting a scandal in Italy, where some of the targets reside. This incident led to a public outcry and raised concerns about the use of spyware by governments.
Paragon’s Claims of Responsibility
Paragon has attempted to differentiate itself from competitors like NSO Group by claiming to be a more responsible spyware vendor. In 2021, a senior Paragon executive stated that the company would never sell its products to authoritarian or non-democratic regimes.
Response to Scandal
In response to the scandal, Paragon’s executive chairman, John Fleming, told TechCrunch that the company only licenses its technology to a select group of global democracies, primarily the United States and its allies.
Acquisition by US Venture Capital
In late 2024, Israeli news outlets reported that US venture capital firm AE Industrial Partners had acquired Paragon for at least $500 million upfront.
Citizen Lab’s Investigation

Mapping Paragon’s Server Infrastructure
The Citizen Lab report reveals that the researchers were able to map Paragon’s server infrastructure used for its Graphite spyware tool, based on a tip from a collaborator.
Evidence and Fingerprints
By developing fingerprints to identify Paragon servers and digital certificates, Citizen Lab found several IP addresses hosted at local telecom companies, which they believe belong to Paragon customers.
Response from Governments and Paragon
TechCrunch reached out to the governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore, as well as the Ontario Provincial Police, but none responded to requests for comment.
Paragon’s executive chairman, John Fleming, stated that Citizen Lab provided limited information, some of which appears to be inaccurate, and therefore, the company cannot offer a comment at this time.
Collaboration and Information Sharing
Citizen Lab noted that all the individuals notified by WhatsApp who reached out for phone analysis used Android phones, allowing researchers to identify a forensic artifact left by Paragon’s spyware, codenamed “BIGPRETZEL”.
Meta’s Statement
Meta spokesperson Zade Alsawah confirmed that the company believes the indicator Citizen Lab refers to as BIGPRETZEL is associated with Paragon, emphasizing the need for commercial spyware companies to be held accountable.
Ongoing Investigation
Because Android phones may not always preserve certain device logs, Citizen Lab suggests that more people may have been targeted by the Graphite spyware even though their phones show no evidence of it.
Targeting Specific Apps
Citizen Lab found that Paragon’s Graphite spyware targets and compromises specific apps on the phone without needing any interaction from the target, rather than compromising the wider operating system and device data.
Conclusion
Bill Marczak, a senior researcher at Citizen Lab, stated that while Paragon’s spyware may be trickier to spot than competitors’, collaboration and information sharing can help unravel even the toughest cases.
Contact Us
Do you have more information about Paragon and this spyware campaign? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.