Six Nations Linked to Paragon Spyware Operations – Ankor Tech

A new technical investigation by The Citizen Lab has identified Australia, Canada, Cyprus, Denmark, Israel, and Singapore as likely customers of the Israeli-founded spyware manufacturer Paragon Solutions. The report, published this Wednesday, exposes the infrastructure behind the company’s “Graphite” surveillance tool, mapping its deployment across these six nations.

Figure: An example of the attack flow for the Graphite spyware. An attacker adds a person to a WhatsApp group; the victim's device then automatically parses a PDF, exploiting the vulnerability.

Unmasking the Graphite Infrastructure

Researchers at The Citizen Lab, based at the University of Toronto, utilized a tip from a collaborator to track server infrastructure linked to Paragon. By developing unique digital fingerprints and identifying associated TLS certificates, the team pinpointed IP addresses hosted at local telecommunications providers. Several certificates featured initials that correspond directly to the nations where the servers are physically located, providing strong circumstantial evidence of government deployment.

In one notable operational failure, the spyware maker left a digital certificate explicitly registered to “Graphite.” Furthermore, researchers discovered IP addresses in Israel—Paragon’s home base—returning webpages titled “Paragon,” reinforcing the link between the vendor and the monitored infrastructure.

The Ontario Provincial Police Connection

Among the suspected clients, the report highlights the Ontario Provincial Police (OPP) in Canada. Researchers traced one of the Canadian IP addresses directly to the agency. When questioned regarding these findings, an OPP spokesperson declined to deny the report, stating that disclosing details about investigative technologies could jeopardize active operations and public safety.

WhatsApp Alerts and Forensic Artifacts

The investigation follows a late January scandal triggered when WhatsApp notified approximately 90 users that they had been targeted by Paragon spyware. Analysis of Android devices belonging to victims revealed a distinct forensic artifact labeled “BIGPRETZEL.” Meta confirmed that this indicator is indeed associated with Paragon’s operations.

“We’ve seen first-hand how commercial spyware can be weaponized to target journalists and civil society, and these companies must be held accountable,” a Meta spokesperson stated.

Technical Evasion Tactics

Unlike competitors such as NSO Group, whose Pegasus software often compromises an entire operating system, Paragon’s Graphite focuses on compromising specific applications. By avoiding a full-system breach, the spyware leaves fewer traces for traditional forensic tools to detect. However, the researchers noted that this strategy provides app developers with greater visibility into the malicious operations.

“Paragon’s spyware is trickier to spot than competitors like Pegasus, but there is no ‘perfect’ spyware attack,” said Bill Marczak, a senior researcher at The Citizen Lab. “Maybe the clues are in different places than we’re used to, but with collaboration and information sharing, even the toughest cases unravel.”

Paragon’s Response

Paragon has historically attempted to position itself as a “responsible” vendor, with executive chairman John Fleming previously claiming the firm only licenses technology to a “select group of global democracies.” In response to the latest report, Fleming stated that Citizen Lab provided limited information, some of which he characterized as inaccurate, though he failed to specify which parts were disputed or clarify the status of the company’s relationships with the identified governments.

Governments from Australia, Canada, Cyprus, Denmark, Israel, and Singapore did not respond to requests for comment regarding their alleged use of the technology.