A Canadian law enforcement agency is suspected to have used spyware designed to hack into mobile phones and eavesdrop on messages, according to cybersecurity researchers from the University of Toronto.
Tel Aviv-based Paragon sells the spyware to governments and law enforcement agencies for the purposes of fighting serious crime. However, Meta Platforms Inc.’s WhatsApp said in February it had identified Paragon’s technology being used against activists and journalists in Europe.
Researchers at the watchdog group Citizen Lab in a report published Wednesday said they found evidence linking Paragon’s spyware to countries including Australia, Canada, Cyprus, Denmark, Israel, and Singapore.
Paragon’s spyware, known as “Graphite,” breaks into a device and covertly records messages sent using WhatsApp and other encrypted chat apps, such as Signal. Citizen Lab found that spyware victims, who were using Android phones, had been added to a WhatsApp group and then sent a malicious PDF file, which silently compromised the devices without them clicking on the PDF or otherwise engaging in the group.
Citing a detailed analysis of digital records, the research organization said it suspected that computers under the control of Ontario Provincial Police had deployed the spyware.
John Fleming, executive chairman of Paragon’s US division and a former assistant director of the Central Intelligence Agency, said in a statement that some of Citizen Lab’s research “appears to be inaccurate,” but declined to offer specifics. He said Paragon’s technology was designed to support counterterrorism, counter-narcotics, and counterintelligence.
“We require all users of our technology to adhere to terms and conditions that preclude the illicit targeting of journalists and other civil society leaders,” Fleming said. “While we are not able to discuss individual customers, we have a zero-tolerance policy for violations of our terms of service.”
Ontario Provincial Police didn’t immediately respond to a request for comment.
Paragon’s spyware enables what are known as “zero click” intrusions, because they require no user interaction for the phone to be compromised. Once it had gained a foothold on the device, the spyware appeared to hide itself within other legitimate apps on the phone, making it difficult to discover, according to Citizen Lab’s report.
John Scott-Railton, senior researcher at Citizen Lab, said the findings amounted to the first-ever public forensic analysis of Paragon’s spyware. He called on governments to be more transparent about how they are using the technology.
“We just know, even in democracies, states have an appetite for abusing secret surveillance powers, and the more secret this stuff is, the more likely it is to be abused,” said Scott-Railton.
Paragon has previously said it would only sell its technology to democratic governments, positioning itself as an alternative to Israel’s notorious spyware seller NSO Group, which was persistently dogged by allegations of helping autocratic governments target journalists and activists.
WhatsApp announced in February that it discovered Paragon’s spyware had been used in a hacking campaign that had targeted nearly 100 people across Europe, including activists and journalists. A WhatsApp spokesperson said commercial spyware had been “weaponized” to target civil society and added companies selling it “must be held accountable.” Paragon didn’t respond to requests for comment on WhatsApp’s allegations.
In December, Paragon was acquired by US private equity firm AE Industrial Partners in a deal worth up to US$900 million. A representative for AE declined to comment.
---
Ryan Gallagher, Bloomberg News
©2025 Bloomberg L.P.
