A prominent activist in Italy has warned the international criminal court that his mobile phone was under surveillance when he was providing the ICC with confidential information about victims of torture in Libya.

A report released on Wednesday by the Citizen Lab at the University of Toronto, which tracks digital surveillance of members of civil society, has confirmed that David Yambio, the founder of an organisation called Refugees in Libya, was targeted by mercenary spyware. The attack occurred at a time when he was in communication with The Hague, he said. At least one attack took place around June 2024, researchers said.

In a statement to the Guardian, Yambio said he alerted the ICC to the attack after it had been confirmed and urged members of the court to have their phones checked for spyware. The ICC’s office of the prosecutor said it would not comment on matters related to “ongoing investigations”.

The revelation raises questions about whether a government agency with access to military-grade spyware may have been seeking to interfere with ICC proceedings by keeping tabs on individuals who have access to and advocate on behalf of victims of torture. It will probably put pressure on Giorgia Meloni, who has faced questions about the use of spyware in her government since revelations emerged in January that a handful of Italian activists and journalists had received warnings from WhatsApp, the messaging app owned by Meta, that their phones had been targeted by spyware.

Meloni’s government has been heavily criticised after authorities in Italy released a Libyan citizen wanted by the ICC for war crimes who had been arrested in Rome. Osama Najim, who is known as Almasri, is the director of a detention centre in Mitiga in Tripoli, which has been condemned by human rights organisations for its arbitrary detention, torture and abuse of political dissidents, migrants and refugees.

The Citizen Lab report has confirmed that several activists and associates of Yambio, including two personal friends of Pope Francis, were targeted by hacking software that is supposed to be used against targets in terrorism investigations and other serious crime.

Researchers have not yet been able to determine the exact kind of spyware used against Yambio, but are continuing their investigation. They were able to confirm that the hacking software used against other activists was made by Paragon Solutions, an Israeli surveillance technology company that is now owned by a US financial investor. The researchers included Luca Casarini and Giuseppe Caccia, the two founders of an NGO that tries to protect migrants and refugees who are crossing the Mediterranean.

The researchers said: “We forensically analysed multiple Android phones belonging to Paragon targets in Italy [an acknowledged Paragon user] who were notified by WhatsApp. We found clear indications that spyware had been loaded into WhatsApp, as well as other apps on their devices.”

The Italian government has acknowledged it was a client of Paragon but has denied it was behind a spate of surveillance attacks against a journalist and several activists. Paragon has since suspended its contract with Italy because, according to a a person close to the matter, of a failure to abide by Paragon’s rules that forbid spyware to be used against journalists or other members of civil society.

WhatsApp first revealed in January that 90 of its users, including civil society members and journalists, had been the target of government clients of Paragon. When it is successfully deployed, Paragon’s spyware, which is called Graphite, can hack into any phone and access a user’s messages and listen to mobile phone conversations, including those held over encrypted apps such as WhatsApp or Signal.

Yambio was first notified by Apple of a possible attack in November and his mobile phone was subsequently examined by experts at Cyber Hub-AM and the Citizen Lab.

Forensic details of the researchers’ investigation was then shared for further analysis with Apple, which said in a statement that attacks like the one used against Yambio were “extremely sophisticated, cost millions of dollars to develop … and are used to target specific individuals because of who they are or what they do”. Apple confirmed it had developed and deployed “a fix” to the security flaw that had been exploited to attack Yambio, and that the fix was released in its iOS 18 to protect iPhone users.

The Citizen Lab researchers said its investigation found a number of other countries appeared to be clients of Paragon, including: Australia, Canada, Denmark, Cyprus, Singapore and Israel. No other details about the alleged relationship of those countries with Paragon were revealed in the report.

John Scott-Railton, a senior Citzen Lab researcher, said the emergence of fresh information about Paragon clients ought to raise questions about who was running the deployment of spyware, what was being done with information gathered, and whether the use of the spyware was aligned with domestic laws.

John Fleming, the executive chair of Paragon US, said in a statement: “Paragon has been contacted by Citizen Lab and provided with a very limited amount of information, some of which appears to be inaccurate. Given the limited nature of the information provided, we are unable to offer a comment at this time.”

The company, which has previously agreed a contract with US immigration authorities, said it required all users to adhere to terms and conditions that “preclude the illicit targeting of journalists and other civil society leaders”.

Fleming said: “While we are not able to discuss individual customers, we have a zero-tolerance policy for violations of our terms of service.”

Hannah Neumann, an MEP who investigated the abuse of spyware inside the EU, said in a statement that spyware abuse continued in Europe, and followed a similar pattern.

She said: “We have seen this pattern before – denial, deflection, and ultimately, no justice for the victims. It is Groundhog Day for spyware abuse, and unless we fix the loopholes in regulation and strengthen victim protection, these violations will continue unchecked. We need strong European rules and accountability measures to stop this cycle once and for all.”