Date: 2025-06-13

Researchers from the Citizen Lab have revealed the first forensic evidence that the iPhones of at least two European journalists were infected with Graphite, a piece of spyware developed by the Israeli company Paragon Solutions.

In a June 12 post, Bill Marczak and John Scott-Railton, two researchers at the University of Toronto’s digital forensic research center, stated that they had found forensic evidence confirming, with high confidence, that the devices of both an anonymous European journalist and Italian journalist Ciro Pellegrino had Graphite installed.

“We identify an indicator linking both cases to the same Paragon operator,” the researchers added.

Apple had confirmed to the researchers that the zero-click attack deployed in these cases exploited a critical vulnerability (CVSSv3 score of 9.8) in iOS. The flaw, tracked as CVE-2025-43200, stems from a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. It was mitigated in the latest iOS version, 18.3.1.

Confirmed Graphite Zero-Click Infection Attempts

The Citizen Lab’s forensic analysis followed an alert from Apple on April 29, 2025, in which the tech giant said it had detected that a select group of iOS users had been targeted with advanced spyware.

Two journalists decided to hand over their devices to the researchers, who found that one of the anonymous European journalist’s devices was compromised with Paragon’s Graphite spyware in January and early February 2025 while running iOS 18.2.1.

“We attribute the compromise to Graphite with high confidence because logs on the device indicated that it made a series of requests to a server that, during the same time period, matched our published Fingerprint P1. We linked this fingerprint to Paragon’s Graphite spyware with high confidence,” the researchers say.

Pellegrino allowed the researchers to analyze his devices after receiving the Apple notification on April 29. “Our analysis of the device’s logs revealed the presence of the same iMessage account used to target the [anonymous European] journalist, which we associate with a Graphite zero-click infection attempt,” added the researchers.