ICE Confirms Domestic Use of Paragon Graphite Spyware, Raising Constitutional Alarms
ICE's acting director confirmed in an April letter that the agency deploys Paragon's zero-click Graphite spyware against fentanyl suspects, months after the same tool was linked to attacks on European journalists and civil society members.
Overview
U.S. Immigration and Customs Enforcement has confirmed that it actively deploys Graphite, a powerful commercial spyware tool developed by Israeli firm Paragon Solutions, in domestic criminal investigations. The admission, contained in an April 1 letter from ICE acting director Todd Lyons to members of Congress, marks the first time the agency has explicitly acknowledged using the surveillance tool — and arrives just months after the same spyware was forensically linked to attacks on journalists and civil society workers across Europe.
What Happened
Lyons’ letter, reviewed by NPR, was written in response to an October inquiry from three Democratic members of the House Committee on Oversight and Government Reform who had pressed the agency about potential Graphite use. Lyons stated the approval came “in response to the unprecedented lethality of fentanyl” and described the tool as helping address criminal exploitation of “encrypted communication platforms.”
According to NPR, ICE first signed a $2 million contract with Paragon Solutions at the end of the Biden administration. That contract was subsequently paused for review, then reinstated by the Trump administration in fall 2025. ICE’s Homeland Security Investigations unit — rather than its immigration enforcement arm — reportedly handles deployments, and Lyons framed the usage as narrowly focused on fentanyl trafficking.
Graphite employs “zero-click” technology, meaning it can silently compromise a smartphone and access encrypted messages, call logs, photos, and other data without the target ever interacting with a malicious link, as Gizmodo reported. Once installed, the spyware can record activity within encrypted messaging apps and, according to published technical analyses, delete itself to cover its tracks.
Background: A Tool with a Troubling Record
Paragon Solutions was founded by former members of Israeli intelligence and was acquired in late 2024 by U.S. private equity firm AE Industrial Partners. Its Graphite spyware gained international attention in January 2025 when WhatsApp disclosed that approximately 90 journalists and civil society members had been targeted using the tool through a zero-click exploit involving malicious PDF files delivered via group chats.
In a cease-and-desist letter to Paragon that month, WhatsApp stated: “This is the latest example of why spyware companies must be held accountable for their unlawful actions,” as Gizmodo noted.
A subsequent investigation by Amnesty International’s Security Lab identified further victims. According to Amnesty International, forensic analysis confirmed Graphite was used to target Italian journalist Francesco Cancellato, as well as Luca Casarini and Dr Giuseppe Caccia, founders of Mediterranea Saving Humans — a sea rescue charity operating in the Mediterranean. Amnesty characterized its findings as “the tip of the iceberg” and called for a complete ban on tools “that can never be human rights compliant.”
The infections spread across multiple European democracies. As Amnesty International documented, spyware scandals involving law enforcement misuse have been recorded in Serbia, Spain, Greece, Poland, and Hungary — with European authorities failing to implement adequate regulatory responses in any of these cases.
Civil Liberties Concerns
Civil liberties advocates reacted sharply to Lyons’ letter. Cooper Quintin of the Electronic Frontier Foundation told NPR that the agency’s response fails to rule out a particularly alarming scenario: “The biggest concern now is that Lyons’ response doesn’t rule out ICE using an administrative subpoena to deploy this malware against people living in the United States as part of their ideological battle against constitutionally protected protest.”
Rep. Summer Lee, one of the lawmakers who sent the original October inquiry, noted that Lyons provided insufficient answers about the criteria used to identify targets and the legal authorization governing domestic deployment.
Lyons’ letter asserts that Graphite poses no significant security risks and that the agency intends to comply with constitutional requirements and former President Biden’s 2023 executive order on commercial spyware — an order that was never codified into law and remains subject to revision by subsequent administrations.
The Broader Commercial Spyware Landscape
Paragon’s growing footprint in the United States sits alongside a broader push by commercial spyware vendors to win American contracts. NSO Group, maker of the rival Pegasus spyware, is also seeking removal from the U.S. Entity List after new American ownership took control, as TechCrunch reported in January. Critics described NSO’s new transparency report as “window dressing” offering no verifiable accountability data.
The pattern reflects a widening gap between U.S. policy rhetoric on commercial surveillance and operational procurement decisions. While the Biden administration sought to constrain commercial spyware use through executive action and export controls, the tools themselves — and the vendors who build them — are finding renewed government interest under the Trump administration.
What Remains Unknown
Key questions remain unanswered. ICE has not disclosed how many individuals have been targeted with Graphite on U.S. soil, what judicial or administrative process authorizes each deployment, whether targets are exclusively non-citizens or also include U.S. persons, and whether any oversight mechanism independent of the executive branch reviews its use. Members of Congress who requested the original briefing say Lyons’ letter does not constitute an adequate response to those questions.