Targeting of Italian Political Adviser with Paragon Graphite Spyware
Francesco Nicodemo, a prominent Italian political adviser and communications executive, was identified as the fifth Italian individual targeted with Paragon’s Graphite spyware. Nicodemo, who has managed numerous election campaigns and is known for his work with center-left political candidates, was notified by WhatsApp of evidence linking his device to the spyware. The attack was later confirmed by Citizen Lab’s John Scott-Railton, highlighting ongoing concerns about the use of invasive surveillance tools against political figures in Italy.
The Italian government has acknowledged using Paragon spyware in some cases but denies involvement in all incidents, particularly those involving journalists. The growing number of unexplained infections, now totaling at least 90 victims notified by WhatsApp, underscores the broader issue of government surveillance and the targeting of individuals involved in politics and elections. Experts have raised alarms about the human rights implications of such spyware, calling for greater transparency and potential bans on its use.
Timeline
Nov 6, 2025
Researchers warn unexplained Paragon cases are increasing
Digital forensic researcher John Scott-Railton said unexplained Paragon Graphite cases are growing and that political and election-related targeting remains a recurring theme. The warning underscored the broader expansion of the spyware scandal beyond the known Italian cases.
Nov 6, 2025
Francesco Nicodemo discloses Paragon Graphite targeting
Communications executive and political adviser Francesco Nicodemo publicly revealed that he had been targeted with Paragon's Graphite spyware, becoming the fifth Italian to report being affected in the scandal. Fanpage first reported Nicodemo's case.
Nov 6, 2025
Italian government acknowledges some use of Paragon spyware
The government of Prime Minister Giorgia Meloni acknowledged using Paragon spyware in attempts to spy on some of the five publicly known Italian victims. It denied involvement in the targeting of two Fanpage journalists who reported infections.
Nov 6, 2025
WhatsApp notifies about 90 Paragon Graphite targets
WhatsApp notified roughly 90 victims that evidence indicated they had been targeted with Paragon's Graphite spyware. According to later reporting, Francesco Nicodemo was among those notified.
Jun 1, 2024
Fanpage publishes exposé on Meloni's ties to young fascists
Italian outlet Fanpage published a June 2024 investigation describing ties between Prime Minister Giorgia Meloni and young fascists. The report was later cited as relevant context in the spyware scandal involving Fanpage journalists.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Malware
Affected Products
Sources
Related Stories
European Spyware Scandals Involving Predator and Paragon Targeting Journalists and Civil Society
A Greek court sentenced **four Intellexa executives** to **eight years in prison** for their role in the “**Predatorgate**” spyware scandal, which involved use of **Predator** spyware against **90+ public figures**. Prior investigations by **The Citizen Lab** and others documented Predator’s presence in Greece and confirmed infections on devices belonging to journalist **Thanasis Koukakis** and former Meta trust-and-safety manager **Artemis Seaford**, marking a rare case where executives at a mercenary spyware firm faced criminal conviction and prison time. In Italy, prosecutors in Rome and Naples confirmed via a technical report that journalist **Francesco Cancellato** and immigration activists **Giuseppe Caccia** and **Luca Casarini** showed traces consistent with **Paragon Solutions** spyware infections during the early hours of **2024-12-14**, suggesting a coordinated infection campaign. Italian authorities also inspected a Paragon spyware server used by the intelligence agency **AISI** and found evidence of operations against Caccia and Casarini but not against Cancellato, leaving attribution for Cancellato’s compromise unresolved; the case follows **WhatsApp** notifications to roughly **90** people warning they were targeted with Paragon spyware.
1 months ago
Fake iPhone WhatsApp App Delivered Italian Government Spyware to Users
WhatsApp said it notified about 200 users, mostly in Italy, after they were tricked into installing an unofficial iPhone version of WhatsApp embedded with spyware. The company said the incident did not stem from a vulnerability in WhatsApp itself, but from highly targeted social engineering that led victims to download the malicious client. WhatsApp logged affected users out, warned them of the privacy and security risks, and urged them to delete the fake app and reinstall the official version. The company attributed the operation to **ASIGINT**, a subsidiary of Italian spyware maker **SIO**, and said it plans to send SIO a formal legal demand to halt the activity. The campaign adds to scrutiny of Italian surveillance vendors, following earlier reporting on SIO-linked Android spyware, including fake WhatsApp apps associated with **Spyrtacus**, and a separate WhatsApp notification campaign tied to **Paragon Solutions** and its **Graphite** spyware that reportedly targeted journalists and pro-immigration activists in Italy.
1 months ago
Predator Spyware Infection of Angolan Journalist via WhatsApp Links
Amnesty International reported that the iPhone of Angolan journalist and press freedom advocate **Teixeira Cândido** was infected with **Intellexa’s Predator spyware** after he received multiple **malicious links via WhatsApp** in 2024. According to the investigation, Cândido was messaged from an unknown Angolan number over several weeks; he clicked one link on **May 4, 2024**, after which Predator was installed, and the spyware was later removed the same day when the device was restarted. Amnesty described this as the **first documented Predator case in Angola**, and said attribution remains unclear, though the activity is consistent with use by a government customer. The reporting underscores continued alleged abuse of commercial spyware against civil society despite international pressure on Intellexa. Intellexa and associated individuals have faced U.S. actions including placement on the **Entity List** and subsequent **sanctions** (with later changes to some designations noted in coverage), yet Predator has been repeatedly linked to targeting of journalists and officials in multiple countries. Amnesty’s findings add to prior public reporting on Predator’s use in places such as **Greece, Egypt, and Vietnam**, reinforcing the ongoing risk posed by link-based mobile spyware delivery through common messaging platforms like WhatsApp.
1 months ago