Francesco Nicodemo, a prominent political communications strategist who previously served as the Democratic Party’s communications director, has been identified as a new target in the expanding Paragon spyware surveillance campaign. This revelation underscores a concerning escalation in the scope of highly sophisticated digital espionage operations targeting political figures and their associated networks in Italy. Nicodemo, who currently leads the communications agency Lievito, first discovered the security breach on January 31, 2025, after receiving a suspicious WhatsApp message while traveling abroad in Vienna.
The scope of the potential data exposure is significant, as Nicodemo’s agency was instrumental in managing thirteen election campaigns throughout 2024, including key successful center-left victories in the regions of Perugia, Liguria, and Umbria. Furthermore, the compromised device potentially exposed sensitive communications with Democratic Party parliamentarians, election candidates, and senior party officials. The spyware infection proved highly persistent, remaining active on Nicodemo’s Android device even after he had switched to an iPhone, with the compromised hardware sitting unused at his residence.
Fanpage security researchers were able to identify the specific attack pattern only after cross-referencing it with similar incidents involving other high-value targets, including journalists and activists. The timing of the surveillance, coinciding directly with several high-profile regional elections, has raised serious questions about the possibility of espionage intentionally targeting opposition political strategies and critical internal communications. This deliberate targeting suggests an interest in disrupting or preempting political activities at a crucial time in the electoral cycle.
The confirmation of the breach was solidified after John Scott Railton from Citizen Lab, a globally recognized cybersecurity watchdog organization, contacted Nicodemo multiple times via international calls. Railton emphasized the extreme severity and precision of the attack, noting that only a small, highly select number of Italian targets were chosen for this specific, advanced espionage operation. This selection criterion highlights the perceived strategic value of Nicodemo’s communications network and his agency’s political role.
The Paragon Graphite spyware utilizes a highly sophisticated, multi-stage infection process that is typically initiated through a deceptive WhatsApp message seemingly originating from legitimate WhatsApp Support infrastructure. Crucially, unlike traditional phishing attacks that require a user to interact with a malicious link, this advanced variant can establish persistence through “zero-click” exploitation techniques, meaning the user does not need to take any action. The malware is designed to leverage vulnerabilities in messaging protocols to covertly deploy surveillance modules capable of extracting critical data, including messages, call logs, and precise location data, from both active and inactive devices. Security experts have additionally noted that the spyware maintains operational capability even when the target device is powered down, suggesting the employment of advanced firmware-level compromise techniques that are able to effectively bypass standard operating system security controls.
Reference:
