Apple initiated a significant round of threat notifications this week, reaching iPhone owners across 100 distinct countries. The alerts caution users about targeted intrusion attempts using sophisticated “mercenary spyware attacks.”
According to the company’s message, these campaigns likely single out individuals “specifically because of who you are or what you do,” a pattern often seen with attacks aimed at journalists, activists, and political figures.
The geographical scope of this alert wave, spanning 100 nations, marks an increase from a similar warning issued last spring that affected users in 92 countries. Apple’s communication, parts of which were shared by recipients, noted that “Today’s notification is being sent to affected users in 100 countries,” adding that historically, the company has alerted users in over 150 countries in total regarding such threats.
Understanding the “Mercenary” Threat
The term “mercenary spyware” typically describes advanced surveillance tools developed by private companies for sale to government agencies. These tools, sometimes compared in sophistication to NSO Group’s infamous Pegasus spyware, can provide attackers with deep access to a device’s data and functions.
Apple’s notification emphasized the severity, stating, “Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.”
The company also highlighted that the high cost, sophistication, and global nature of these attacks make them some of the most advanced digital threats, distinct from common malware and described as exceptionally rare.
Targets Come Forward
While the exact number of individuals alerted remains undisclosed, a few have publicly acknowledged receiving the notification. Ciro Pellegrino, a journalist for the Italian news outlet Fanpage.it, documented his experience after receiving the alert via email and SMS past Tuesday. He described the notification as creating an “horrible sensation” and reflected on the potential scope of compromise: audio, financial data, messages, location, and even real-time monitoring. “Did this really happen? Yes, it is not a joke,” he wrote.
Dutch activist Eva Vlaardingerbroek also confirmed receiving the alert, posting on X that she viewed it as an “attempt to intimidate me, an attempt to silence me, obviously.”
Yesterday I got a verified threat notification from Apple stating they detected a mercenary spyware attack against my iPhone.
— Eva Vlaardingerbroek (@EvaVlaar) April 30, 2025
We’re talking spyware like Pegasus.
All I know for sure right now is that someone is trying to intimidate me.
I have a message for them: It won’t work. pic.twitter.com/mLPVyttFwm
Potential Links to Previous Incidents
Pellegrino’s targeting is particularly notable as he is the second journalist at Fanpage.it to receive such a warning this year. In January 2025, his director, Francesco Cancellato, was informed by Meta via WhatsApp that he was targeted by spyware linked to the Israeli firm Paragon Solutions.
WhatsApp confirmed disrupting a campaign using Paragon spyware at that time. Subsequently, two other Italians working with the migrant rescue NGO Mediterranea Saving Humans also reported being targeted in the same campaign.
These prior events involving Paragon raise questions about potential connections to the current Apple alerts, though the specific spyware and actors in this latest wave have not been identified. According to TechCrunch reporting, Paragon was said to have cut ties with an Italian government customer following the January revelations.
The Italian government has previously denied involvement. Pellegrino questioned the implications and referenced Italian Law 124 of 2007, which aims to protect journalists from surveillance by national intelligence agencies. He called for accountability to understand “who, in this Country, has made shreds of the clear border between security and surveillance, between legality and abuse.”
Apple’s Guidance for Users
Apple reassures the general user population that these attacks are highly targeted and most users are unlikely to be affected unless they receive a specific notification.
The company recommends standard security practices, primarily keeping iOS updated by installing new versions promptly, as these updates often contain patches for the vulnerabilities exploited by spyware. For individuals who might be specific targets due to their profile or work, Apple offers Lockdown Mode. This optional security setting significantly restricts certain iPhone functionalities, thereby reducing the device’s vulnerability to highly sophisticated cyberattacks.
