🚨NEW REPORT: first forensic confirmation of #Paragon mercenary spyware infections in #Italy...

Known targets: Activists & journalists.

We also found deployments around the world. Including ...Canada?

So #Paragon makes zero-click spyware marketed as better than NSO's Pegasus...

Harder to find...

...And more ethical too!

This caught our attention at #Citizenlab. And we were skeptical.

So.. it was time to start digging.

We got a tip about a single bit of #Paragon infrastructure & my brilliant colleague Bill Marczak developed a technique to fingerprint some of the mercenary spyware infrastructure (both victim-facing & customer side) globally.

So much for invisibility.

What we found startled us.

We found a bunch of apparent deployments of Paragon's mercenary spyware in places like #Australia, #Denmark, #Israel, #Cyprus #Singapore and... #Canada.

Fun.

We also found interesting stuff at a datacenter in #Germany

Caveats: the methodology we use only surfaces a subset of customers at a particular time.

So ...about #Canada.

My colleagues on the legal side began digging. The more they pulled, the more questions surfaced about whether the Ontario Provincial Police is rolling mercenary spyware.

While investigating, we found signs #WhatsApp was being used as a vector for infections.

We shared our analysis with Meta which had an ongoing investigation into Paragon.

They shared findings with WhatsApp which discovered & mitigated a zero-click attack.

They went public, and notified ~90 users that they believed were targeted.

WhatsApp's notifications to targets turbocharged what we all knew about #Paragon.

Cases began coming out: an investigative journalist in #Italy and sea rescue activists were among the first. Francesco Cancellato. Editor in Chief of Fanpage.it, & Luca Casarini and Dr. Giuseppe “Beppe” Caccia of Mediterranea Saving Humans

They consented to us doing a forensic analysis...

Sure enough, we found traces of infection on several Androids.

We call the indicator #BIGPRETZEL & #WhatsApp confirms that they believe BIGPRETZEL is associated with #Paragon's spyware.

In the weeds a bit: Android log forensics are tricky. Logs get overwritten fast, are captured sporadically & may not go back very far. So, not finding BIGPRETZEL on a targeted phone wouldn't be enough to say it wasn't infected. In such a case, the only safe course of action for a notified Paragon target would be to presume they had been infected.

Our analysis is ongoing.

.... but There's more!

There's more! We'd been analyzing the iPhone of human rights activist David Yambio, who is focused on abuses against migrants in Libya (they are often victims of torture, trafficking, and killings) who works closely with the other targets.

Last year he got notified by Apple that he was targeted with sophisticated spyware.

We've forensically confirmed the infection & shared details with Apple.

Apple confirms they fixed the vectors used to target him as of iOS 18.

We're not doing a full technical attribution of this novel spyware to a particular company yet. But it's not like anything we've seen.

Troublingly, timeline of David's spyware targeting lines up with when he was providing information to the International Criminal Court about torture by human traffickers in #Libya.

But there's even more spying afoot against this cluster of activists!

Luca also got a notification last February about targeting with a different kind of surveillance tech.

He wasn't alone. Father Mattia Ferrari, chaplain of Luca's lifesaving organization' also got a notification.

#Italy's response to the unfolding #Paragon scandal has been exceptionally chaotic. So we included a little timeline.

Denials, then admissions, then refusals to say more citing secrecy.

Honestly, deja vu of how Pegasus-abusing governments have handled PR...

TAKEAWAYS:

TAKEAWAY 1: you can't abuse-proof mercenary spyware. Selling just democracies won't prevent abuses. Most democracies have plenty of historic examples of surveillance abuses. Why should spyware be different?

TAKEAWAY 2: #Paragon's technical tradeoffs to be less detectable didn't prevent them getting discovered.

Just made it harder.

TAKEAWAY 3: I think we're only looking at the tip the #Paragon hackberg

For example, the ~90 notification number from #WhatsApp

only represents 1 infection vector that got caught & notified.

There may be non-notified spyware victims walking around right now who were infected via a different mechanism.

In #Italy, too we also need to better understand the other surveillance technologies pointed at this cluster of people.

Finally, we gave #Paragon room to respond to a summary of our key findings.

Their US Executive Chairman, a 30+ year #CIA veteran, responded in a way that sounded very familiar to how NSO Group did PR.

1 - Say there are inaccuracies..

2- ..But refuse to specify them

3-Cite customer confidentiality as a reason to not say more.

We welcome any clarifications they have now that they've read our full report.

FINAL NOTES: our #citizenlab investigations are usually big, collaborative team productions. Smart co-authors, awesome collaborators.

The key to nearly all our research into spyware is targets' brave choice to speak out.

And work with us to forensically analyze their devices... We are very grateful to them.

This is how we collectively get a better understanding of mercenary spyware abuses.

And journey towards accountability.

Thanks for reading! Drop questions in the replies!

Kavkazskaya oil pumping station in Kuban, Russia. This facility transfers oil by rail into pipelines for export.

Lots of other Russian infrastructure was hit in the past few days too. But this is the best video to come out recently.

GM 🦆