Publications
In May 2025, Keir Giles, a well-known expert on Russian military operations, was targeted with a highly sophisticated and personalized phishing attack. Using a method not previously observed by the Citizen Lab, the attacker posed as a U.S. State Department employee to convince Mr. Giles to create and send app-specific passwords for his email accounts, bypassing multi-factor authentication. Google spotted and blocked the attack, attributing it to a Russian state-backed operator.
On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists who consented to the technical analysis of their cases. In this report, we discuss key findings from our forensic analyses of their devices.
In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon’s mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.
In a joint investigation with Access Now, we found that seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted and/or infected with NSO Group’s Pegasus mercenary spyware.
We confirm that two members of Serbian civil society were targeted with spyware earlier this year. Both have publicly criticized the Serbian government. We are not naming the individuals at this time by their request. The Citizen Lab’s technical analysis of forensic artifacts was conducted in support of an investigation led by Access Now in collaboration with the SHARE Foundation. Researchers from Amnesty International independently analyzed the cases and their conclusions match our findings.
