Researchers name several countries as potential customers of Paragon spyware
The governments of Australia, Canada, Cyprus, Denmark, Israel and Singapore are probably customers of Israeli spyware maker Paragon Solutions, according to a new technical report by a well-known digital security laboratory.
On Wednesday, Citizen Lab, a group of academics and security researchers housed at the University of Toronto that has been investigating the spyware industry for more than a decade, published a report on the Israeli surveillance startup, identifying the six governments as “suspected deployment of Paragon.”
At the end of January, WhatsApp notified about 90 users that the company believed they had been targeted with Paragon spyware, prompting a scandal in Italy, where some of the targets live.
Paragon has long tried to distinguish itself from competitors such as NSO Group, whose spyware has been abused in several countries, by claiming to be a more responsible spyware vendor. In 2021, an unnamed senior Paragon executive told Forbes that authoritarian or undemocratic regimes would never be its customers.
In response to the scandal prompted by the WhatsApp notifications in January, and in what was perhaps an attempt to bolster its claims of being a responsible spyware vendor, Paragon's executive chairman John Fleming told TechCrunch that the company “licenses its technology to a selected group of global democracies – mainly the United States and its allies.”
Israeli news outlets reported at the end of 2024 that American venture capital firm AE Industrial Partners had acquired Paragon for at least $500 million up front.

In Wednesday's report, Citizen Lab said that, based on “advice from an associate,” it was able to map the server infrastructure used by Paragon for its spyware tool, which the vendor named Graphite.
Starting from that lead, and after developing several fingerprints capable of identifying associated Paragon servers and digital certificates, Citizen Lab researchers found several IP addresses hosted at local telecommunications companies. Citizen Lab said it believes these servers belong to Paragon customers, in part because the initials in the certificates appear to match the names of the countries in which the servers are located.
According to Citizen Lab, one of the fingerprints developed by its researchers led to a digital certificate registered to Graphite, in what appears to be a significant operational mistake by the spyware maker.
“Strong circumstantial evidence supports a link between Paragon and the infrastructure we have outlined,” Citizen Lab wrote in the report.
“The infrastructure we found is related to web pages entitled ‘Paragon’, returned from IP addresses in Israel (where Paragon is based), as well as the TLS certificate containing the name of the Graphite organization,” the report said.
Citizen Lab noted that its researchers identified several other code names, pointing to other government customers of Paragon. Among the suspected customers, Citizen Lab singled out Canada's Ontario Provincial Police (OPP), which specifically appears to be a Paragon customer, given that one of the IP addresses for the suspected Canadian customer is linked directly to the OPP.
TechCrunch reached out to the following governments: Australia, Canada, Cyprus, Denmark, Israel and Singapore. TechCrunch also contacted the Ontario Provincial Police. None of the representatives responded to our requests for comment.
When reached by TechCrunch, Paragon’s Fleming said Citizen Lab had contacted the company and provided “very limited amounts of information, some of which seem inaccurate.”
Fleming added: “Given the limited nature of the information provided, we cannot currently offer a comment.” Fleming did not respond when TechCrunch asked what was inaccurate about the Citizen Lab report, nor did he answer questions about whether the countries identified by Citizen Lab are Paragon customers, or about the status of the company's relationship with its Italian customers.
Citizen Lab noted that all the people who were notified by WhatsApp, and who then turned to the organization to have their phones analyzed, used an Android phone. This allowed the researchers to identify a “forensic artifact” left by Paragon's spyware, which the researchers called “Bigpretzel”.
Meta spokesman Alsawa told TechCrunch in a statement that the company “can confirm that we believe that what Citizen Lab refers to as Bigpretzel is related to Paragon.”
“We saw first-hand how commercial spy software can be armed to target journalists and civil society, and these companies must be held accountable,” Meta’s statement read. “Our security team is constantly working to stay with the threats and we will continue to work to protect people’s ability to communicate alone.”
Given that Android phones do not always retain certain logs on the device, Citizen Lab noted that more people were probably targeted by the Graphite spyware, even if there is no evidence of Paragon’s spyware on their phones. And for the people who have been identified as victims, it is unclear whether they had been targeted on previous occasions.
Citizen Lab also noted that Paragon’s Graphite spyware targets and compromises specific applications on the phone, without the need for any interaction from the target, instead of compromising the wider operating system and the device's data. In the case of Beppe Caccia, one of the victims in Italy, who works for a non-governmental organization that helps migrants, Citizen Lab found evidence that the spyware infected two other applications on his Android device, without naming the applications.
Targeting specific applications, as opposed to the device’s operating system, Citizen Lab noted, can make it more difficult for forensic investigators to find evidence of a hack, but can give the makers of the applications more visibility into spyware operations.
“Paragon’s spyware is more complicated to notice than competitors such as (NSO Group’s) Pegasus, but at the end of the day there is no ‘perfect’ spyware attack,” Bill, a senior researcher at Citizen Lab, told TechCrunch.
“The clue may be in different places than we are used to, but with cooperation and sharing of information, even the most difficult cases are untangled.”
Citizen Lab also said it analyzed the iPhone of David Yambio, who works closely with Caccia and others at his NGO. Yambio received a notification from Apple that his phone had been targeted by mercenary spyware, but the researchers could not find evidence that he was targeted with Paragon's spyware.
Apple did not respond to a request for comment.