WhatsApp, the messaging platform owned by Meta, has reported that nearly 100 journalists and civil society members were targeted by spyware allegedly linked to Paragon Solutions, an Israeli company specialising in hacking software.
The spyware attack reportedly exploited a “zero-click” method, requiring no interaction from victims to compromise their devices.
According to The Guardian, WhatsApp informed affected users of the potential breaches and said it had “high confidence” that these devices were “possibly compromised.”
Paragon’s hacking tool, known as Graphite, is comparable to NSO Group’s Pegasus spyware and allows total access to infected phones, including encrypted communications.
It remains unclear which government clients ordered the alleged attacks. Paragon Solutions provides spyware services to 35 government clients, including Singapore, according to sources close to the company.
A WhatsApp spokesperson confirmed that a “cease and desist” letter had been sent to Paragon and that legal options were being explored. The spyware campaign was reportedly disrupted in December 2024, though the duration of the threat remains uncertain.
Paragon Solutions, founded by former Israeli Prime Minister Ehud Barak, has gained attention due to its spyware capabilities and recent business developments.
Reports have linked the company to a US$900 million sale to AE Industrial Partners, a US-based private equity firm, though the deal awaits regulatory approval from Israel’s Ministry of Defence. Cyberweapons like Graphite and Pegasus are tightly regulated by Israel due to their potential misuse.
The spyware attack primarily targeted individuals through malicious PDF files sent in group chats, according to WhatsApp, which confirmed that Paragon’s software was directly involved.
John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto, revealed that Citizen Lab had assisted WhatsApp by providing data to identify the vector used in the attacks.
Paragon declined to comment on the matter. However, a source within the company indicated that Paragon refrains from working with governments accused of past spyware abuses, naming countries such as Greece, Poland, Hungary, Mexico, and India as clients they do not serve.
The recent revelations mark another controversy involving spyware companies, with legal scrutiny intensifying after WhatsApp’s victory in a lawsuit against NSO Group. A California judge ruled in favour of WhatsApp, finding NSO liable for infecting 1,400 users with its spyware. NSO remains on the US Commerce Department’s blacklist due to activities deemed harmful to US national security.
While Paragon had previously been considered a “less controversial” player in the commercial spyware industry, Natalia Krapiva, senior tech legal counsel at Access Now, expressed concerns. “WhatsApp’s recent revelations suggest otherwise. This is not just a question of some bad apples—these types of abuses are a feature of the commercial spyware industry,” she said.
WhatsApp is currently notifying those targeted by Paragon’s spyware and said it remains committed to ensuring the security of private communications. Citizen Lab is expected to publish a report offering further details on the nature of the targeting.
Singapore silent on use of spyware
In 2014, WikiLeaks revealed that Singapore-based PCS Security Pte Ltd had purchased spyware from German firm FinFisher, including the powerful surveillance tool FinSpy, for €3.17 million (approximately S$5.1 million). PCS Security, linked to government-related entities such as Phoenix Co-operative Society, reportedly used the spyware for undisclosed purposes.
An investigative report by Canada’s Citizen Lab in 2023 identified at least five individuals targeted by QuaDream’s spyware and traced suspected servers to 10 countries, including Singapore.
In addition, a March 2023 report by Intelligence Online named Singapore as a client of Paragon Solutions, with a contract worth tens of millions of dollars.
Questions about the country’s use of surveillance technologies, including spyware, have been raised multiple times in Parliament by Members of Parliament (MPs).
However, these questions have repeatedly been met with refusals to provide details. Government responses have consistently stated that the government “cannot and should not discuss specifics on any operational aspects or capabilities regarding Singapore’s national security.”