At least one use of GhostChat
February 2, 2026
•[ spyware, phishing, mobile malware ]
A fake Android dating app (GhostChat) identified by researchers as spyware. The app lures victims with locked profiles and fake access codes, then redirects them to WhatsApp and abuses permissions to extract data from victims phones.
Francesco Gaetano Caltagirone
October 9, 2025
•[ spyware, espionage, government ]
Report that Graphite spyware was used to spy on the businessman; tool sold to governments.
Colombian Justice Minister Andres Idarraga
August 1, 2025
•[ spyware, Pegasus, surveillance ]
Colombias justice minister stated that forensic evidence indicates his phone was hacked using Israeli Pegasus spyware during the second half of 2025 while he was investigating alleged corruption in the military. He alleged the operation was ordered through the Defense Ministry using state counterintelligence structures and confidential funds. According to his statement, investigators found his phone was taken over more than 8,700 times and that 2.3 GB of data were downloaded, including sensitive corruption complaints, and that the camera/microphone were illicitly activated on numerous occasions. The incident is characterized as a targeted spyware intrusion against a senior government official with alleged state involvement.
Boniface Mwangi (Kenyan activist)
July 1, 2025
•[ spyware, surveillance, data extraction ]
An AFP/Digital Journal report said Kenyan activist Boniface Mwangi feared for his life after learning spyware was installed on his phone while it was in police custody following his July 2025 arrest. The article cited Citizen Lab findings that a surveillance tool linked to Cellebrite technology enabled Kenyan police to access extensive content on the device, including messages, private files, financial information, passwords, and other sensitive data. The report describes state-enabled device compromise/data extraction rather than an enterprise network breach.
Beppe Caccia
March 11, 2025
•[ spyware, targeted attack ]
Italian report described alleged surveillance using commercial spyware against a public figure.
Balkan Investigative Reporting Network Journalists
February 26, 2025
•[ spyware, phishing, targeted attack ]
Amnesty reported two Serbian journalists targeted with Pegasus spyware via one-click links.
Fanpage.it / Francesco Cancellato
January 31, 2025
•[ spyware, espionage, zero-click ]
Francesco Cancellato, editor-in-chief of Fanpage.it, was targeted with the Israeli-made Graphite spyware developed by Paragon Solutions, delivered via WhatsApp zero-click exploit. Citizen Lab and CPJ linked the campaign to a likely state client of Paragon, with political-espionage motives tied to Fanpages undercover investigation exposing neo-fascist youth elements within Italys ruling party. No confirmed infection or data exfiltration publicly reported.
At least one Russian industrial company
January 1, 2025
•[ phishing, spyware, data leak ]
Kaspersky-reported campaign uses phishing and a new spyware ('Batavia') to exfiltrate sensitive documents and system info from Russian industrial firms.
Italian Political Consultant, Francesco Nicodemo
January 1, 2025
•[ spyware, government surveillance, targeted attack ]
Italian political consultant Francesco Nicodemo, who has worked with centre-left politicians, revealed in November 2025 that he was notified by WhatsApp in January that his phone had been targeted with Paragon spyware. His case broadens an existing spyware scandal in Italy that has already affected journalists, activists and business leaders. Parliamentary committee COPASIR has acknowledged that Italian intelligence agencies used Paragon in some cases, but it is unclear who ordered surveillance on Nicodemo or whether his device was successfully infected, prompting calls from experts for greater transparency from both the government and the spyware vendor.
Teixeira Cândido (Angolan journalist) / Syndicate of Angolan Journalists context
May 3, 2024
•[ spyware, Predator, mobile infection ]
Amnesty Internationals Security Lab reported forensic confirmation that Intellexas Predator spyware successfully infected the iPhone of Angolan journalist and press freedom activist Teixeira Cndido on May 4, 2024 after he opened a malicious link sent via WhatsApp. Amnesty said the attacker could have gained wide access to device data (including messages and files) and that the infection appears to have been removed after the phone was restarted later that day. The investigation described multiple additional infection links sent afterward that did not appear to succeed. Attribution to a specific government customer was not made in the public report.
Loïc Lawson and Anani Sossou
January 16, 2024
•[ spyware, surveillance, Pegasus ]
Reporters Without Borders (RSF) announces to have found traces of spyware resembling NSO groups Pegasus surveillance tool on the phones of two journalists in Togo (Loc Lawson and Anani Sossou).
