According to the investigation, Ehud #Barak and former 8200 commander Ehud Schneerson allegedly endangered the security of the state when they sold the cyberattack company ‘Paragon’ (‘Python’) to an American company, without approval from the Ministry of Defense, in a way that could expose important security loopholes that Unit 8200 uses. (Read the analysis below)
about 11
The Paragon company responded:
We are sorry that a serious investigative program like yours, which we appreciate, is trailing behind false information from sources that have a financial and political interest.
The Israeli high-tech industry as a whole is mostly based on graduates of the IDF’s technology units, chief among them Unit 8200. Brigadier General Schneerson imposed a two-year cooling-off period on himself, without being required to do so, until the day Paragon was established and established it according to strict ethical standards regarding the selection of customers and sales to democratic regimes only. From the day of its foundation, Paragon gave up in advance most of the world’s countries.
Naturally, the company’s business is secret and its activity is subject to strict regulatory rules that prohibit it from dealing with customers publicly.
However, the company will not hesitate to immediately disconnect a customer from the ability to use the system and will accordingly disconnect any commercial relationship, if there are indications that he acted not in accordance with the instructions and conditions. There is no dispute that an incident of attacking human rights activists or journalists is against the company’s code of ethics and the customer’s obligation according to the agreement.
Recent allegations have raised concern that former Israeli Prime Minister Ehud Barak and ex-Unit 8200 commander Brig. Gen. (res.) Ehud Schneorson endangered Israel’s security by selling the offensive cyber company Paragon Solutions – referred to as “Python” in some accounts – to an American firm without proper Defense Ministry approval. A video posted on the “Predatory Sparrow IL” Telegram channel details these claims, accusing the two of illicitly transferring sensitive cyber capabilities abroad for personal profit. The report translates and analyzes the video’s content and investigates the veracity of its allegations using open sources in English, Hebrew, and other languages. We examine Paragon’s ownership, its spyware tool capabilities, links to the IDF’s elite Unit 8200, and the identity of the U.S. acquiring company. We then assess how the sale, if confirmed, might expose Unit 8200’s methods or create vulnerabilities, and we review the timeline of events and official responses. Throughout, credible sources are cited to verify each key point.
Allegations in the Predatory Sparrow IL Video (Translated)
The Predatory Sparrow IL video (post #109) makes several explosive claims about Paragon’s sale and its fallout. The key allegations (translated from Hebrew) are as follows–
Unauthorized Sale Abroad– Ehud Barak and Ehud Schneorson allegedly “went rogue” by selling Paragon (code-named Python) to a U.S. company without approval from Israel’s Defense Ministry, effectively exporting Israeli cyber-intelligence know-how illicitly. This is said to have been done clandestinely, bypassing required oversight, and thus *“harming Israel’s national security”*.
Theft of Unit 8200 Know-How– The video claims Paragon’s core surveillance technology was built on knowledge “stolen” from Unit 8200 (Israel’s SIGINT unit). In other words, proprietary cyber techniques developed within Unit 8200 were allegedly taken into the private sector without authorization.
Poaching of Personnel– It is alleged that Paragon recruited key Unit 8200 personnel with high salaries, causing a “brain drain” that led to the collapse of at least one sensitive department within the unit. Barak and Schneerson are accused of undermining the IDF’s intelligence capabilities by luring away top cyber talent,
Exposure of Tools– The video highlights that WhatsApp (Meta) discovered and blocked Paragon’s spyware tool, exposing its methods. It alleges that The exposure of “Python” by WhatsApp compromised Israeli intelligence operations since the spyware’s techniques (reportedly similar to those used by Israeli intelligence) were revealed and neutralized. Indeed, WhatsApp identified and notified 90 users targeted by Paragon’s spyware, disrupting numerous operations. The video suggests that the public outing of Paragon’s tool put Israel’s cyber capabilities at risk.
Profiteering and U.S. Connections– Barak and Schneorson are portrayed as putting profit above country. The clip insinuates they used political ties – allegedly including connections to U.S. Secretary of State Antony Blinken – to facilitate the lucrative sale to American investors. The timing of the deal is cast as suspicious, coming amid global scrutiny of Israeli spyware. The accusation is that personal gain and U.S. patronage facilitated a deal that should have undergone Israeli defense vetting.
It must be noted that Barak and Schneorson strenuously deny these accusations. They have filed a defamation suit in Israeli court against venture capitalist Michael Eisenberg, who had amplified an anonymous whistleblower’s claims (originating from a user “Alon”) that mirror the video’s content. Their attorneys insist the claims are “blatantly false” and part of a smear campaign, possibly driven by rivals in the cyber industry. With these allegations laid out, we turn to open-source evidence to verify what actually happened in the Paragon saga.
Background– Paragon (aka “Python”) and Its Ownership
Paragon Solutions is an Israeli offensive cyber startup founded in 2019 with deep roots in the country’s military intelligence sector. Its founding team included former Unit 8200 commander Ehud Schneorson (who serves as Paragon’s chairman) and several Unit 8200 veterans, alongside CEO Idan Nurick, CTO Igor Bogudlov, and others. Former PM Ehud Barak joined as a founding investor and board member, though his equity stake was relatively small (reported at roughly 3–3.5%). Unit 8200, often likened to Israel’s NSA, is responsible for signals intelligence and cyber operations, so Paragon emerged with a strong Unit 8200 pedigree and know-how. The company quickly grew to ~400–450 employees by 2024.
Business Model and Ethos– From inception, Paragon sought to distinguish itself from NSO Group, the embattled maker of Pegasus spyware. Paragon pledged to work only with vetted democratic governments (about 34 countries at first, later reportedly ~10 active clients) and to target only criminals or terrorists. The self-imposed restriction was intended to avoid the abuses and reputational damage that NSO suffered. Indeed, Paragon positioned itself as an “ethical” spyware provider, marketing tools for lawful intercept under strict oversight. The strategy paid off in some respects– Paragon did not get blacklisted by the U.S. (unlike NSO and others) and even secured U.S. government customers in law enforcement.
Notable Investors– Paragon was venture-funded by both Israeli and U.S. firms. Major investors included Battery Ventures (USA) and Red Dot Capital (Israel), among others. Despite raising only about $30 million in venture funding over five years, Paragon became profitable with estimated annual revenues above $100 million by 2024. The financial success set the stage for a high-value exit.
The “Python” Moniker– (Note– The question refers to Paragon as “Python.” To clarify, Paragon’s product is a spyware platform named Graphite, but some sources or discussions may have informally nicknamed it after the python snake, akin to NSO’s “Pegasus.” In The report, we treat Paragon and “Python” as the same entity for consistency, referring to the company and its tool.)
Sale to AE Industrial Partners and Defense Ministry Concerns
In December 2024, news broke that AE Industrial Partners (AE) – a Florida-based private equity firm specializing in defense, aerospace, and national security assets – had agreed to acquire Paragon Solutions. According to reports in Israeli media (later confirmed by sources to Reuters), AE would pay $500 million upfront (potentially up to $900 million) for Paragon. The sale was described as a “sensational exit” for such a young cyber firm. Following the sale, Paragon would continue operating in Israel but under U.S. ownership and eventually merge into an AE-owned U.S. cybersecurity company called Red Lattice. AE Industrial Partners had recently acquired Red Lattice, a Virginia-based cyber contractor with ties to U.S. agencies (FBI, NSA). By folding Paragon into Red Lattice, AE signaled plans to build a larger U.S.-Israeli cyber defense enterprise, potentially to later sell to a major U.S. defense contractor (e.g., Lockheed Martin or General Dynamics).
Identity of the Buyer– AE Industrial Partners is an American investment group focused on government-linked technology and defense businesses. It often invests in firms that serve U.S. military and intelligence needs. AE’s installation of John (Finbarr) Fleming, a former senior CIA official, as executive chairman of Paragon’s U.S. arm illustrates the close interface with the American security establishment. Under AE, Paragon’s headquarters for international business shifted to the U.S. (Virginia), with ex-CIA and defense personnel at the helm. In essence, Paragon transformed from an Israeli startup into a U.S.-controlled subsidiary—a fact central to the security concerns discussed later.
Defense Ministry Approval – Or Lack Thereof– Normally, Israeli companies selling sensitive dual-use or military technology require authorization under defense export laws. However, in Paragon’s case, the Ministry of Defense (MoD) publicly announced that it had “not approved” the sale at the time of its disclosure. In a highly unusual move, two days after the sale was reported, Israel’s MoD issued a statement emphasizing that no formal request to approve Paragon’s acquisition had been submitted, and officials were examining the deal’s “implications.” The MoD clarified that only general discussions with Paragon had occurred and that **“contrary to reports, the Ministry of Defense did not approve the sale”**. Such public airing of an approval dispute is rare, indicating the sensitivity of The transaction.
Legal Nuances– Despite initial headlines suggesting Paragon violated the law, the situation is a gray area. Under Israel’s Defense Export Control Law, a company must notify the MoD’s Defense Export Controls Agency (DECA) within 30 days of a change in controlling ownership, after which the ministry can retroactively object if it finds a security issue. Paragon’s team asserts they believed they had tacit approval after waiting six months for any MoD response before signing the deal. Indeed, as Paragon insiders noted, prior pre-approval is not explicitly required – only prompt reporting is. The MoD’s statement was, therefore, technically correct but somewhat misleading, creating the impression of a veto it did not formally exercise. In the end, the sale did go through, as Paragon was not legally obligated to obtain advance permission (it complied by notifying authorities post-factum).
That said, MoD and DECA officials emphasized that any transfer of sensitive security knowledge to foreign entities – including new foreign owners – requires export licenses and adherence to strict conditions. In its statement, the ministry warned that Paragon’s new American ownership “may affect [its] continued registration as a defense exporter” and that every technology transfer must be licensed. DECA has tightened its supervision of offensive cyber exports in recent years, subjecting each deal to rigorous review. These remarks imply that if Barak and Schneorson sold Israeli-developed cyber capabilities without securing export licenses, they could indeed have skirted the law. The MoD notably emphasized that no political influence was involved in its scrutiny – perhaps responding to speculation that Barak’s prominent role made regulators especially wary.
Open sources confirm that Paragon’s sale was genuine and that it caught the Israeli defense authorities off guard. While Barak and Schneorson insist they followed the law, the MoD’s public intervention shows institutional alarm. The alarm lends partial credence to the video’s claim that the deal was done without the standard approval process – even if it ultimately was not blocked. We next examine Paragon’s product and how its exposure supports (or does not) the allegations of security harm.
Paragon’s Spyware Capabilities and Links to Unit 8200
Paragon’s flagship spyware platform, Graphite, is at the center of both its success and controversy. Understanding Graphite’s capabilities is key to evaluating the security implications of the sale.
Graphite’s Known Capabilities– Graphite is a state-of-the-art mobile phone hacking tool in the vein of NSO’s Pegasus but with some differences in technique. Notably, Graphite employs “zero-click” exploits – meaning it can penetrate a target device without any action by the victim. According to reports, Graphite specifically targeted WhatsApp’s infrastructure via a malicious PDF file sent to the victim. Once the spyware gains a foothold (likely by exploiting a vulnerability in WhatsApp or the device OS), it **extracts data stored on the phone – files, photos, messages – and monitors the user’s communications across apps (WhatsApp, Telegram, Signal, Messenger, etc.)**. A key feature is that Graphite then uploads the harvested data to a remote cloud server, leaving minimal traces on the device itself. The stealthy exfiltration means the victim might never notice anything amiss (no obvious battery drain or phone disruptions, aside from rare hints like a WhatsApp crash).
Importantly, Graphite appears designed to focus on data capture rather than device takeover. Unlike Pegasus, it does not hijack the phone’s microphone or camera to live-spy on conversations. Instead, its value is in quietly copying the contents of encrypted messaging apps and phone backups. In fact, Paragon advertised Graphite as able to collect even data that’s backed up to cloud services from a phone, showing the spyware may obtain cloud authentication tokens or leverage platform-specific backup flaws to retrieve information from services like iCloud, Google Drive, WhatsApp backup, etc., even when it cannot crack end-to-end encryption directly. Table 1 compares Graphite’s features with known aspects of Israeli cyber doctrine and Unit 8200 methods, illustrating their alignment–
|
Paragon’s Graphite Spyware |
Unit 8200 Cyber Methods & Israeli Doctrine |
|
Developed by ex-8200 specialists, employs zero-click exploits (e.g., a malicious WhatsApp PDF) to penetrate targets remotely. |
Unit 8200 is known for its highly sophisticated cyber-offensive operations, often leveraging zero-day exploits and tailored malware. As an IDF SIGINT unit, 8200 “develops ad hoc tools” for intelligence collection. Graphite’s silent, remote infection approach aligns with the kind of capabilities one would expect 8200 to pioneer. |
|
Extracts data from encrypted apps and cloud backups (WhatsApp, Signal, Telegram, etc.), focusing on content collection rather than device disruption. |
Israeli cyber doctrine emphasizes intelligence gain – accessing adversaries’ communications and data. Unit 8200’s mission is to collect and analyze digital data from target systems. A tool that pulls chat logs, files, and backups fits squarely into The ethos of comprehensive SIGINT gathering. |
|
Does not activate a microphone or camera; instead operates stealthily to exfiltrate stored information. |
Tradecraft and stealth– Unit 8200 operations are highly covert. In some cases (as with NSO’s Pegasus used by government clients), full device takeover, including mic and cam, was possible; however, Paragon’s quieter approach reduces the risk of detection. This indicates an evolution in tactics – obtaining valuable intel (texts, records) while minimizing forensic footprint, a priority in professional intelligence operations. |
|
Markets itself as an “ethical” spyware vendor, selling only to approved democratic governments with oversight. Paragon even maintains detailed logs of tool usage, which are accessible to authorities for auditing any potential misuse. |
Export Controls & Oversight– Post-NSO, Israel pledged to restrict offensive cyber exports to responsible regimes. Paragon’s client policy mirrored Israeli government preferences (i.e., working with allies, not sanctioned autocracies). Unit 8200 itself operates under Israel’s legal and ethical directives; its targets are supposed to be security threats (terrorists, enemy states) rather than dissidents. Paragon’s built-in logging and compliance checks echo the IDF’s internal oversight (though in 8200’s case, logs remain classified). Both aim to prevent abuse, at least in principle. |
|
Derived from top Israeli cyber talent (multiple 8200 alumni on staff) and reportedly built on techniques honed within 8200. Graphite’s sophistication suggests access to zero-day vulnerabilities and expertise typically found in military cyber units. |
Human capital and knowledge transfer– It is common for Unit 8200 veterans to apply their military-acquired skills in startups. However, the allegation here is that Paragon may have used actual classified knowledge from 8200 without authorization. While direct evidence is scarce, the overlap in capability implies that Israeli intelligence tools at least inspire Paragon’s toolset. The concern for security officials is that what was once exclusively in 8200’s domain is now in private (and now foreign) hands. |
Table 1– Comparison of Paragon’s Graphite spyware features with Unit 8200’s known cyber operations doctrine. Sources– Ynetnews; Digital Conflicts/Predatory Sparrow IL.
Paragon’s technology is cutting-edge and very much in line with the capabilities one would expect from Israel’s top cyber warfare unit. This lends credibility to the idea that Unit 8200 expertise heavily influenced Graphite’s development. It also explains why Israeli officials might worry that the sale of Paragon equates to handing over some of Israel’s cyber “family jewels” (advanced exploits and methods) to a foreign entity. We will explore these security implications in the next section.
Before that, it is important to note how Paragon’s tool came under global scrutiny, as referenced in the allegations. Despite Paragon’s attempts to operate “under the radar” and only for legitimate uses, Graphite was exposed in late 2024 —Meta (WhatsApp’s parent) detected the spyware’s activity and took action. In November 2024, WhatsApp identified and remotely blocked Graphite infections on 90 users’ devices across 20 countries, sending warning messages to those targets and referring them to Citizen Lab (a digital espionage watchdog). The unprecedented move effectively burned Graphite’s zero-click exploit – a devastating blow to Paragon’s secrecy and any agencies using the tool. Meta followed up by sending Paragon a cease-and-desist letter in December 2024, accusing it of violating WhatsApp’s terms of service by targeting its users.
Paragon’s leadership has insisted that the vast majority of those 90 targets were legitimate criminals or terrorists (e.g., members of organized crime, trafficking rings, etc.), and only a handful were journalists/activists (notably in Italy). They have portrayed Meta’s blanket blocking of the spyware as an overreach that “disrupted dozens of law enforcement operations” globally. Nonetheless, from Israel’s perspective, WhatsApp’s intervention meant that a highly valued cyber tool – possibly analogous to techniques used by Israeli intel – was exposed to the public and security researchers. Indeed, Citizen Lab and European investigators are now dissecting Graphite’s remains, which could reveal its inner workings. The development directly supports the video’s point that WhatsApp’s actions *“put Israeli intelligence capabilities at risk”* by neutralizing a tool and informing adversaries of its existence.
Implications for Unit 8200 and Israeli Security
If the allegations around Paragon’s sale are true, the implications for Unit 8200 and Israel’s cyber security are significant. Based on verified information, we can assess several dimensions of potential impact–
Loss of Exclusive Tech Advantage– Unit 8200 is often at the forefront of cyber-espionage capabilities. By having its alumni create Graphite and then selling it off, Israel may have forfeited the exclusivity of some cutting-edge methods. Once Paragon is owned by a U.S. firm (and, by extension, possibly accessible to U.S. agencies and partners), Israeli intelligence will no longer hold a monopoly on that tool. American experts can study the spyware, replicate it, or even use it in ways that Israel cannot fully control. In essence, a piece of Israel’s cyber toolkit is now shared. While Israel and the U.S. are allies, intelligence cooperation has limits – Israel might not be comfortable with even allies knowing the full extent of its cyber tradecraft. The Israeli MoD’s statement underscored that any transfer of security know-how to foreigners **“requires an appropriate license”** – a nod to precisely The concern. If Barak and Schneorson proceeded without such licensing initially, they risked unauthorized knowledge transfer. Even if they later obtain export licenses retroactively, the proverbial cat is out of the bag– vulnerabilities that 8200 discovered and quietly exploited may now be known to more parties, accelerating their patching or countermeasure development. Citizen Lab’s forensic analysis and WhatsApp’s disclosures mean that any overlap between Graphite’s exploits and Unit 8200’s tools could blow back on Israeli intel operations, forcing them to abandon those methods.
Burning of Exploits and Techniques– The exposure of Graphite by WhatsApp did not just affect Paragon’s clients – it also potentially affected Unit 8200 (if similar zero-click exploits were in use by Israeli government hackers). Once Meta’s security team detected the mode of attack (the malicious PDF vector) and notified platform engineers, that vulnerability was likely fixed or mitigated. In practical terms, any zero-day exploit used by Graphite ceased to be effective after late 2024. If Unit 8200 had been leveraging the same vulnerability (a reasonable possibility, given that top exploits are often discovered within the Israeli cyber community and sometimes shared), then Israeli intelligence operations using that vector would have been simultaneously compromised. There is historical precedent for this worry —when NSO’s Pegasus was uncovered in 2021, Apple and others patched the exploits, blocking not just Pegasus but also any other actor (state or private) using the same bugs. Thus, by allowing Graphite to be in multiple hands, Israel ran the risk that detection in one context (WhatsApp) would nullify its utility in all others. The video’s claim that Israeli capabilities were put at risk is borne out by The dynamic – Paragon’s commercial use of a sophisticated exploit led to its global exposure and neutralization.
Unit 8200 Talent Drain– The allegation that Paragon’s recruiting caused a Unit 8200 department to “collapse” may be hyperbolic, but it points to a real challenge. Israel’s tech sector aggressively courts 8200 alumni with lucrative salaries, and Paragon was co-founded by some of the unit’s brightest officers. Open sources do not confirm an entire division shut down, but the MoD’s unusual alarm and industry chatter hint that there was indeed discontent within the IDF. An in-depth Globes report noted that Paragon’s rise “created a crisis in 8200” and drew criticism regarding the ethical framework of its work. It likely refers to the drain of experts who left government service for Paragon’s high-paying roles, possibly hampering ongoing military SIGINT projects. Such brain drain can weaken Unit 8200’s capacity in certain domains (e.g., if the team specializing in messaging-app exploits lost too many people, their projects might stall). Over time, repeated loss of top talent to startups could erode the unit’s institutional knowledge base. The Paragon case, given its high profile, may prompt the IDF to implement retention incentives or post-service non-compete periods for cyber officers to prevent the abrupt transfer of knowledge to the private sector.
Operational Security and Intelligence Exposure —Unit 8200’s operations are inherently covert. However, Paragon’s sale and the ensuing international scrutiny have shone a light on offensive cyber activities that Israel normally never acknowledges. For instance, the Italian Parliament and European Parliament launched probes after journalists and activists were revealed among Graphite’s targets. This has significant political implications —it drags Israel (and, by extension, Unit 8200) into a continent-wide spyware scandal akin to the Pegasus affair. While the Israeli government can distance itself by saying Paragon was a private company, the fact that a celebrated IDF intel commander founded it blurs that line. There is a risk of blowback on Unit 8200’s reputation – painting it as a training ground for mercenary tech that ends up spying on dissidents. Indeed, Italian opposition figures, including former Prime Minister Matteo Renzi, have underscored the gravity of the “Paragon scandal” and demanded accountability. Such rhetoric, if it spreads, could complicate Israel’s intelligence partnerships in Europe. At a minimum, it has already caused Israel’s defense export regulators (DECA) to step in and cut off at least one client– when evidence emerged that an Italian agency misused Graphite to surveil an anti-government journalist, Paragon (under DECA’s guidance) suspended Italy’s access to the spyware. The responsive measure shows Israel trying to contain damage, but it also validates the concern that misuse abroad can expose the methods and put allied governments in political hot water – none of which serves Israel’s strategic interests.
U.S.-Israel Dynamics —Interestingly, the United States’ role in the saga is double-edged. On one hand, the U.S. is now effectively in control of Paragon’s technology via AE’s acquisition. They might assure Israel that the tool is in friendly hands rather than, say, a rival nation. On the other hand, the U.S. could become a major user of these Israeli-developed tools, raising questions– Would Israel be comfortable if the U.S. employs Paragon’s spyware in ways Israel cannot oversee? (For example, hypothetically surveilling Israeli officials or businesspeople – a far-fetched but not impossible scenario in the realm of espionage). Moreover, if the U.S. government, particularly under a future administration, chose to use Paragon’s capabilities for domestic political purposes, it could drag Israel’s name into controversy. A Ynet analysis noted that American media observers are already asking whether a returned Trump administration might weaponize Paragon’s spyware against domestic “enemies within,” given Trump’s past championing of agencies like DHS/ICE that have contracted Paragon. Such speculation shows how an Israeli tool, once sold, can take on a life of its own in another country’s political context – potentially coming back to haunt Israel diplomatically. For now, the White House under Biden has treated the Paragon sale cautiously– a senior official emphasized **“the U.S. government never ‘approved’ The sale…there was not some sort of green light”**, and in fact, a $2 million pilot contract that ICE signed with Paragon was put on pause pending review. This indicates that the U.S. is aware of the sensitivities and is treading carefully to avoid the perception of endorsing Israeli spyware without due diligence. The longer-term concern for Unit 8200 is that if U.S. agencies become dependent on Israeli-origin tools, Israel might be pressured to share more code or exploits. Conversely, if the U.S. develops its versions, Israel could lose its cybersecurity export edge.
In light of these points, the core of the “endangering state security” allegation holds weight– the Paragon case has arguably exposed Israeli cyber operations to unprecedented scrutiny and risk. Barak and Schneorson’s detractors argue that their actions prioritized profit over protecting the secrecy of Israel’s cyber arsenal. While the founders counter that they followed all laws and that Paragon boosts security by helping fight crime, the incident shows a tension between Israel’s startup culture and its security establishment. The tension came to a head publicly when the MoD had to clarify its stance, something it typically avoids. The episode may lead to policy reforms, such as more stringent vetting of ex-officers ventures or closer monitoring of tech transfer in the cyber realm.
Before concluding, we compile a brief timeline of the key events to put the pieces in a chronological context.
Timeline of Key Events and Responses
2019 – Paragon Founded– Paragon Solutions was established in Tel Aviv by Ehud Schneorson (just retired as Unit 8200 commander), Idan Nurick, Igor Bogudlov, Liad Avraham, Liran Elkayam, and others, with Ehud Barak as founding board member. From the start, it focuses on offensive cyber tools for democratic governments, positioning itself as a “clean” alternative to NSO.
Dec 2021 – U.S. Blacklists Competitors– The U.S. Commerce Dept. blacklists Israel’s NSO Group and Candiru over human rights abuse concerns. Paragon, having avoided selling to repressive regimes, is not banned – a factor that later enables it to court U.S. customers.
Late 2022 – U.S. Agencies Begin Using Graphite– Reports emerge (via NY Times, December 2022) that the U.S. Drug Enforcement Administration (DEA) quietly obtained Paragon’s Graphite spyware for investigations. This reveals that despite official policy against Pegasus, U.S. law enforcement found Paragon’s product acceptable, likely due to its “democracies-only” usage policy.
Sept 2023 – First U.S. Contract– The U.S. Department of Homeland Security’s ICE (Homeland Security Investigations) signs a 1-year, $2 million contract with Paragon’s U.S. subsidiary for a “fully configured proprietary solution” – essentially licensing Graphite. However, news of The only becomes public later, and the contract is soon paused amid higher-level U.S. review. Around the same period, Paragon also secures a $2M contract with an Israeli government body for a project, illustrating that it was selling domestically as well (this detail from the Hebrew press shows that Paragon even did business with Israel’s agencies, raising questions about competition with 8200).
December 16, 2024 – Sale to AE Announced– Israeli media (e.g., Globes, Geektime) report that AE Industrial Partners will acquire Paragon for ~$500M cash, potentially $900M with milestones. Founders and investors stand to gain massively; Ehud Barak’s share could net him a few million dollars. Paragon’s merger with AE’s Red Lattice is noted, and it is highlighted that Paragon had operated in only 34 democracies, helping it avoid U.S. blacklisting. The news is framed as a major success and excitement for an Israeli cyber startup.
December 19, 2024 – Israeli MoD Issues Statement– In response to the media reports, Israel’s Ministry of Defense publicly denies approving the Paragon sale. The statement explains that no formal request was made and that DECA is examining the change of ownership. It reminds us that any transfer of technology to foreign owners requires a license. The unusual announcement sparks domestic debate, with some speculating it is driven by the high-profile names involved (Barak) or concerns within Unit 8200. Paragon sources express puzzlement, saying MoD approval was not actually required by law and that they will duly report the sale as needed.
Nov–Dec 2024 – WhatsApp Exposes Spyware– Around the same time, WhatsApp’s security team identifies Paragon’s spyware activity. In late November, WhatsApp messages about 90 targeted users (across 20 countries) are sent, and the malicious infrastructure is blocked. By December 2024, Meta’s legal department sends Paragon a cease and desist letter, accusing it of abusing WhatsApp and “exploring legal options.” The event quickly gained public attention (Reuters and The Guardian reported it in early 2025), putting Paragon in the spotlight and prompting calls in Europe for investigations. Paragon, for its part, gears up to fight back legally against Meta, denying wrongdoing and refusing to cease operations.
Jan 2025 – Italy Spyware Scandal Breaks– In the wake of WhatsApp’s disclosures, Italy’s government is rocked by revelations that its intelligence agencies (AISE/AISI) possibly misused Paragon’s spyware to surveil journalists and migrant-rights activists. An Italian journalist, Francesco Cancellato, is identified as a target and speaks out in the press. The Meloni government denies involvement, but the Italian Parliament launched inquiries. Under pressure, Paragon (via its U.S. chairman John Fleming) announces suspension of service to Italy and reiterates a “zero tolerance” policy for targeting civil society. European Parliament members also raise the issue as part of a broader push to regulate spyware in the EU.
Feb 2025 – Whistleblower Allegations and Social Media Storm– An anonymous Twitter (X) user known as “Alon” posts a detailed thread in Hebrew accusing Paragon’s founders (Barak, Schneorson) of betraying the state – essentially the same points covered by the Predatory Sparrow IL video. Michael Eisenberg, a well-known Israeli tech investor, translated and amplified The thread in English on February 8, 2025, stating that Paragon *“seem to have gone rogue and even harmed the security of the State of Israel.”* He suggests the sale to the U.S. (and Barak’s ties to Blinken) looks suspicious. Eisenberg, who has a stake in competitor ventures, calls on journalists to investigate. His posts gain significant attention and spark debate in Israel’s tech community.
Mar–Apr 2025 – Lawsuit and Official Reactions– Ehud Barak and Ehud Schneorson respond forcefully to Eisenberg’s campaign. They file a defamation lawsuit in Israel against Eisenberg, seeking a public apology and NIS 10 million in damages (to be donated to charity). Court filings reveal they accuse Eisenberg of spreading false claims motivated by business rivalry (Eisenberg is alleged to have a conflict of interest through ties to NSO Group). They identify “Alon” as an anonymous smear agent, possibly using bots. By mid-2025, the case will proceed in court after mediation fails. The Defense Ministry, for its part, stays relatively quiet after its December statement, likely handling the matter behind closed doors. No public indication has emerged that the MoD ultimately blocked or reversed the sale – to the contrary, Ynet reports that Paragon’s sale went through, and it was not actually subject to prior approval by law. DECA’s involvement is noted mainly in enforcing the suspension of rogue clients (like the Italian case). Meanwhile, U.S. officials (White House, State Dept.) continue to distance the government from approving the deal, emphasizing it was a private transaction and that any U.S. usage of Paragon’s tech is under review.
This timeline highlights how quickly Paragon went from a relatively obscure startup to the nexus of international controversy. In the span of a few months, its prized tool was exposed, and its ownership changed hands, prompting responses from Tel Aviv to Washington to Rome.
Government and Policy Responses
The Paragon affair has prompted responses on multiple levels – regulatory, legal, and diplomatic–
Israeli Regulatory Response– The Israeli Ministry of Defense’s public intervention in December 2024 was a clear signal of concern. While Paragon was ultimately not stopped from selling, the MoD made it known that it was scrutinizing the deal under export control laws. Ministry sources suggested that despite the alarm, they did not necessarily intend to block the acquisition, but they might tighten Paragon’s export license or impose new conditions* during the review. Indeed, Israeli defense officials have an array of tools– they can revoke or amend Paragon’s registration as a defense exporter if they deem the new ownership a risk. Thus far, there is no public evidence that Israel cancelled Paragon’s export license; instead, DECA has acted in specific instances (cutting off Italy for misuse) to demonstrate vigilance. The lesson for Israel’s defense establishment is apparent – future sales of offensive cyber companies will likely face earlier and closer oversight. The MoD’s statement was unprecedented, and it may deter other founders from bypassing early consultation. We may also see moves to formalize requirements (e.g., mandating pre-approval for critical cyber IP sales, not just notification). Politically, some have insinuated that the current Israeli government (which is at odds with Ehud Barak politically) had an interest in complicating his lucrative deal. The MoD denied any political motivation. Nonetheless, Barak’s involvement undoubtedly made the issue high-profile.
Legal (Defamation) Battle in Israel– Barak and Schneorson’s lawsuit against Michael Eisenberg is an attempt to push back against what they call baseless smears. The outcome of the case could set a precedent regarding the discussion of sensitive defense deals in public. If the court finds that Eisenberg’s repetition of “Alon’s” claims was libelous, it might discourage whistleblowers or critics from airing security allegations on social media without solid evidence. On the other hand, if Eisenberg successfully defends his comments as reasonable in light of the public interest, it could lead to more scrutiny of the shadowy offensive cyber sector. Notably, Yedioth Ahronoth (Ynet’s Hebrew sister publication) has been investigating the Paragon story in depth, indicating that Israeli media see The as a matter of national importance, not just a business story. The fact that Barak – a former IDF Chief of Staff and Prime Minister – is entangled in this makes it political dynamite. Barak has hinted that the outcry is overblown and possibly orchestrated by competitors (recall NSO’s founders have been trying to rehabilitate their company’s reputation, and seeing a rival stumble could be in their interest). The Israeli government itself has not taken any legal action against Barak or Paragon’s team. If the MoD truly believed laws were broken, we might expect an official probe, but so far, none is public. This suggests that at least legally, Barak and Schneorson operated within the letter of the law, even if pushing its limits.
Israeli Policy on Cyber Exports– Israel’s policy on offensive cyber exports has been evolving. Following the Pegasus backlash, Israel restricted the number of countries eligible to purchase such tools in late 2021, aiming to allow sales only to democratic, human rights-respecting governments. Paragon was often cited as faithfully following that policy, yet its case shows that even sales to friendly democracies (Italy is a democracy) can backfire if oversight fails. It will not be surprising if DECA further tightens the leash — possibly through more frequent audits of companies like Paragon, more stringent vetting of foreign clients, and perhaps requiring notification before any major ownership or strategic changes. The incident also highlights the need for clarity– Paragon’s folks thought no pre-approval was needed; MoD thought otherwise. The ambiguity will likely be addressed through clearer regulations or, at the very least, informal protocols (e.g., expecting a quiet heads-up from companies well before any sale announcement in the future).
International/Diplomatic Responses–
United States —U.S. officials have been cautious yet engaged. The White House distancing itself from “approving” the sale was one response. Concurrently, the U.S. halted the ICE contract and is reviewing it, indicating an internal debate on the use of Israeli spyware. Interestingly, the U.S. did not blacklist Paragon even after the WhatsApp revelations – a contrast to NSO’s treatment. This could indicate that Washington views Paragon as salvageable, perhaps because it is now American-owned and can be guided to comply with U.S. standards. U.S. Secretary of State Blinken’s name came up in allegations, but no concrete evidence ties him directly to the deal aside from the fact that Barak knows many U.S. officials. On a higher level, the Paragon case will test the recently discussed “Spyware guidelines” between the U.S. and its allies. The Biden administration has pushed for democratic governments to commit not to misuse such tools. Since Paragon’s tool reportedly ended up in the hands of American agencies, the U.S. must ensure it is used lawfully – otherwise, it undermines their stance against abuse. If a new administration in 2025 had a different view (as hinted with Trump’s possible return), policies could shift to be more permissive, which in turn would reflect on Israel’s calculus of to whom it sells its cyber tech. So far, the U.S. response can be summarized as– keep it quiet, keep it legal, and keep it under American supervision – hence, absorbing Paragon into a U.S. company might ironically be seen by some in D.C. as a way to control it better (as opposed to NSO which was foreign and uncontrolled).
Europe —The European Union has been grappling with spyware regulation in the wake of Pegasus and the Paragon revelations, which add fuel to the fire. The European Parliament’s committee on Pegasus has already extended its scope to include newer cases like Paragon/Graphite. There are calls for an EU-wide ban or strict oversight on spyware used against EU citizens. Italy’s government, embarrassed by the incident, has had to deny wrongdoing and clarify its position. As of mid-2025, at least four victims of Paragon’s spyware in Europe (three in Italy, one in Spain) have been publicly identified, which is fewer than the 90 WhatsApp-notified targets but enough to cause scandal. If investigations reveal that Italian agencies or other European security services have breached laws by using Paragon on journalists, there could be legal consequences for those agencies and stricter controls on the purchase of such tools. For Israel, This means its cyber exports might face more buyer-side regulation. Paragon’s new owners in the U.S. will also have to navigate European privacy laws if they want to sell to Europe again. In short, Paragon inadvertently became a case study that prompted stronger governance of spyware in democracies, which, in the long run, aligns with what Israel claims it wants (ethical use), but in the short run, it tarnishes the country’s cyber industry image.
Unit 8200/Internal IDF– While no public statements have come from the IDF on The (and likely never will, given the secrecy around Unit 8200), one can infer some internal repercussions. The IDF may review its policies on the timing of retirement for officers to engage in related private ventures. They might also bolster counterintelligence to ensure that no classified tools or code were improperly transferred. Unit 8200 prides itself on innovation, but cases like The show the fine line officers walk when transitioning to civilian startups. The ethos of service versus profit is being debated– some commentators in Israel argue that cyber veterans should remember their commitment to the state and not sell critical secrets for personal gain. Others say Israel benefits from these companies as a form of “tech diplomacy” and economic strength. It is a nuanced debate, and Paragon sits at its heart.
Wrap Up
The case of Paragon (alias “Python”) encapsulates the promises and perils of Israel’s powerhouse offensive cyber industry. On the one hand, an Israeli startup founded by decorated Unit 8200 alumni has created a cutting-edge spyware tool, Graphite, which has attracted legitimate law enforcement use across democracies and even sparked interest from the U.S. government – a testament to Israel’s innovation and its close security ties with allies. On the other hand, the swift sale of that company to American investors, allegedly without initial sign-off from the Defense Ministry, and the concurrent revelations of misuse against civil society exposed a seam where national security, ethics, and commerce painfully intersect.
From the evidence gathered, many of the allegations in the Predatory Sparrow IL video hold some truth, albeit with important context. Barak and Schneorson indeed sold Paragon to a U.S. firm – and the MoD was not fully in the loop at first, prompting an exceptional public rebuke. It is also evident that Paragon’s technology draws from the expertise of Unit 8200 and that several 8200 veterans have left to join the company. The harm to state security, while difficult to quantify, can be argued in terms of lost exclusive capabilities and increased exposure to Israeli methods, as detailed above. However, intent matters —there is no clear proof that Barak or Schneerson acted maliciously or for pure personal gain at the expense of the country. Indeed, they maintain that arming Western allies with Israeli cyber tools strengthens collective security (e.g., helping to fight terrorism). Their decision to limit clients to democracies was supposed to protect Israel’s reputation, and for a while, it did. The scandal arose not from selling to dictators but from the inherent invasive power of the tool, even in democracies, and the lack of transparency around its transfer.
Moving forward, The episode is likely to influence policy and practice. Israel will have to strike a balance between encouraging its “cyber champions” and safeguarding its national security secrets. Companies like Paragon will face more scrutiny at home and abroad. For Unit 8200, the situation serves as a reminder that its dominance in cyber warfare can be a double-edged sword if not carefully managed – the world is eager to buy what its veterans are selling, but with that comes a loss of control and new accountability. As the Paragon saga continues to unfold (in courtrooms and government halls), it serves as a case study of the importance of oversight in the high-stakes realm of cyber intelligence. The genie of offensive cyber capability, once out of the bottle, is hard to put back in – even for a nation that helped create it.
Sources–
- Ynet News – _“Ehud Barak, ex-cyber chief, sue VC Michael Eisenberg for defamation Over Paragon posts”_
- Ynet News – “Espionage, targets and a scandal– How a former Israeli prime minister’s cyber firm got into trouble” (Tal Shahaf)
- Reuters – _“US, Israeli officials deny approving sale of Israeli spyware firm to US investors”_
- Times of Israel – _“US private equity firm said to bid for Israeli spyware maker Paragon.”_
- Calcalist (CTech) – _“Paragon’s $900M sale in limbo as Defense Ministry steps in”_
- Al Jazeera / Reuters – _“WhatsApp says its users targeted by Israeli spyware company Paragon”_
- Guardian / Reuters – “WhatsApp warns 2023– Israeli firm’s spyware targeted journalists (Paragon)” (referenced in Ynet and Al Jazeera)
- Geektime (Hebrew) – _“Hundreds of millions exit for startup of ex-8200 commander and Ehud Barak”_ (translated)
- Globes (Hebrew) – _“Ehud Barak’s profit and the storm in 8200– behind the huge exit”_ (translated excerpt)
- Yedioth Ahronoth – investigative reporting on Paragon (as cited by Ynet)
- Digital Conflicts – _“Paragon set out for America, and got stuck in Italy”_ (context on Unit 8200 and Paragon’s sale)
You must be logged in to post a comment.