Paragon Spyware Targets Italian Political Strategist Francesco Nicodemo

A new wave of advanced spyware surveillance has struck Italy’s political landscape. Francesco Nicodemo, a prominent political communications strategist and former communications director for the Democratic Party, has been identified as a key target in the expanding Paragon spyware campaign.

This discovery highlights a growing trend of state-level digital espionage operations aimed at political figures, strategists, and journalists across Europe.


Breach Discovery and Political Context

Nicodemo, currently heading the communications agency Lievito, uncovered the breach on January 31, 2025, after receiving a suspicious WhatsApp message while traveling in Vienna.

His agency managed thirteen election campaigns during 2024 — including successful center-left victories in Perugia, Liguria, and Umbria. The timing of the infection coincided with several regional elections, raising serious concerns that political communications and campaign strategies were being actively monitored.

Although Nicodemo switched to an iPhone soon after, the Paragon spyware infection persisted on his Android device, which remained powered off at his residence — a strong indicator of deep-level persistence capabilities.

Security researchers from Fanpage uncovered patterns consistent with other spyware attacks targeting journalists and activists, suggesting a coordinated surveillance operation rather than an isolated breach.


Citizen Lab Confirms the Breach

Cybersecurity researcher John Scott-Railton of Citizen Lab contacted Nicodemo multiple times before confirming that his device had been compromised. Scott-Railton noted that only a small number of Italian individuals were selected for this operation, underscoring the targeted and highly strategic nature of the espionage.

The infected device may have exposed confidential communications involving Democratic Party officials, election candidates, and senior strategists — data that could significantly influence political outcomes if exploited.


Infection Vector and Delivery Mechanism

Researchers attribute the breach to the Paragon Graphite spyware, a highly sophisticated surveillance tool capable of compromising mobile devices through zero-click exploits — attacks that require no interaction from the victim.

Unlike traditional phishing-based malware, the Paragon Graphite variant spoofs legitimate WhatsApp Support infrastructure to deliver its payload. Once triggered, it installs multi-stage infection modules capable of:

  • Extracting messages, call logs, and location data from both active and idle devices.
  • Gaining firmware-level access, allowing persistence even after reboot or OS reinstallation.
  • Maintaining stealth operations by bypassing Android and iOS security controls.
  • Operating silently even when the device is powered off, suggesting deep firmware compromise.

This level of access implies nation-state-level capabilities, likely employed for political intelligence gathering or targeted surveillance.


Implications for Political and Digital Security

The Nicodemo case underscores the increasing overlap between cybersecurity threats and democratic processes. Political strategists, campaign managers, and journalists have become high-value espionage targets, especially in the run-up to elections.

As spyware vendors like Paragon, NSO Group, and Cytrox continue to evolve their attack vectors, governments and political organizations must adopt comprehensive mobile security strategies to defend against zero-click exploits.

Recommended Defensive Actions

  1. Implement mobile threat defense (MTD) tools capable of detecting firmware-level anomalies.
  2. Restrict communication channels for sensitive political discussions to vetted, encrypted platforms.
  3. Regularly update devices and apply all security patches for messaging apps.
  4. Use device isolation protocols — keep high-risk communications off mobile devices.
  5. Conduct threat intelligence sharing across political and cybersecurity communities.

Broader Trend: Espionage in European Politics

Nicodemo’s targeting follows a growing list of European political figures reportedly surveilled via commercial spyware. In recent years, similar campaigns have surfaced in Spain, Greece, and Hungary, signaling an escalation in cyber-enabled political interference.

Security analysts warn that the continued development of zero-click exploit chains by private spyware vendors poses an existential threat to democratic transparency, requiring stronger international regulations and accountability mechanisms.


Summary

  • Francesco Nicodemo, a leading Italian political strategist, was targeted by Paragon Graphite spyware via a zero-click WhatsApp exploit.
  • The attack coincided with major regional elections, potentially compromising sensitive communications.
  • The spyware demonstrates firmware-level persistence, enabling operation even when the device is powered off.
  • Experts urge heightened mobile security for political, media, and civil society figures in Europe.
