Report

The control and strategic manipulation of information has long played a role in the geopolitical and ideological competition between the Islamic Republic of Iran and its political adversaries, including Israel. Prior Citizen Lab research has uncovered Iranian disinformation efforts, however, in this investigation we focus on the “other side” of the geopolitical competition. We analyzed an influence operation we assess as most likely undertaken by an entity of the Israeli government or a private subcontractor working closely with it.

In May 2025, Keir Giles, a well-known expert on Russian military operations, was targeted with a highly sophisticated and personalized phishing attack. Using a method not previously observed by the Citizen Lab, the attacker posed as a U.S. State Department employee to convince Mr. Giles to create and send app-specific passwords for his email accounts, bypassing multi-factor authentication. Google spotted and blocked the attack, attributing it to a Russian state-backed operator.

Our preliminary analysis of Bill C-2 situates the legislation within the context of existing research by the Citizen Lab about two potential data-sharing treaties that are most relevant to the new proposed powers being introduced in Bill C-2: the Second Additional Protocol to the Budapest Convention (2AP) and the CLOUD Act. Both of which carry significant constitutional and human rights risks.

Our investigation of a spearphishing campaign that targeted senior members of the World Uyghur Congress in March 2025 reveals a highly-customized attack delivery method. The ruse used by attackers replicates a pattern in which threat actors weaponize software and websites aimed at preserving and supporting marginalized and repressed cultures to target those same communities.

A sustained, coordinated social media harassment and doxxing campaign – which we codenamed JUICYJAM – targeting the pro-democracy movement in Thailand has run uninterrupted, and unchallenged, since at least August 2020. Through our analysis of public social media posts we determined that the campaign was not only inauthentic, but the information revealed could not have been reasonably sourced from a private individual.

In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon’s mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.

Legal researchers Cynthia Khoo and Kate Robertson warn that a Canada-U.S. CLOUD agreement would extend the reach of U.S. law enforcement into Canada’s digital terrain to an unprecedented extent, and that if signed, this agreement would effectively allow U.S. police to demand personal data directly from any provider of an “electronic communication service” or “remote computing service” in Canada, so long as it had some ties to the U.S.

Our network security analysis of the popular social media app, RedNote, revealed a number of issues with both the Android and iOS versions of the app.

Our analysis of spyware covertly implanted on a phone returned to a Russian programmer after he was released from custody, finds that the spyware placed on his device allows the operator to track a target device’s location, record phone calls, keystrokes, and read messages from encrypted messaging apps, among other capabilities.

Drawing on the lived experiences of 85 women human rights defenders originating from 24 countries of origin and residing in 23 host countries, we examine how gender and sexuality play a central role in digital transnational repression.