TL;DR: ICE reactivated a $2 million contract with Israeli company Paragon Solutions for spyware called Graphite. This isn't ordinary surveillance software. Graphite uses "zero-click" exploits to silently infiltrate your phone and extract messages from Signal, WhatsApp, and other encrypted apps, without you clicking anything. The Biden administration suspended this contract over human rights concerns. The current administration brought it back. Paragon's spyware has already been used to target journalists and refugee rescue workers in Europe. Now ICE has it.

What Is Graphite?

Graphite is Paragon Solutions' flagship spyware product. It's designed to do one thing extremely well: bypass encryption.

When you use Signal or WhatsApp, your messages are end-to-end encrypted. In theory, only you and the recipient can read them. Graphite doesn't break the encryption. It doesn't have to. Instead, it compromises the device itself.

According to Citizen Lab's technical analysis, Graphite "silently loads spyware into the device's existing legitimate apps and processes" [1]. It hides inside apps you trust, reading your messages after they're decrypted on your screen.

Zero-Click: No Action Required

Most malware requires you to do something: click a link, download an attachment, install an app. Graphite doesn't.

Paragon's spyware uses "zero-click" exploits: attacks that require no action from the target [2]. WhatsApp discovered and patched "an active Paragon zero-click exploit" that allowed infection through the messaging platform itself [1].

You could be targeted while your phone sits in your pocket. No suspicious link. No warning. The spyware just appears.

Once installed, Graphite extracts:

  • Text messages from Signal, WhatsApp, Telegram, and other encrypted apps
  • Call logs
  • Photos and videos
  • Microphone recordings
  • Location data

Who Has Paragon Targeted?

Paragon markets itself as the "ethical" alternative to NSO Group (makers of the notorious Pegasus spyware). The evidence suggests otherwise.

Italian Journalists and Rescue Workers

In January 2025, WhatsApp revealed that around 90 of its users (including journalists and human rights workers) had been targeted with Graphite [3].

Citizen Lab's forensic analysis identified specific victims [1]:

  • Francesco Cancellato: Journalist and editor
  • Luca Casarini: Founder of a humanitarian sea rescue organization
  • Giuseppe Caccia: Scholar and co-founder of rescue organization
  • David Yambio: Founder of a refugee advocacy organization (received Apple threat notification)

Their crime? Documenting refugee rescues in the Mediterranean and criticizing Italian immigration policy.

After the revelations, Paragon claimed it had stopped working with Italian government agencies [3]. The damage was done.

A Pattern of Abuse

Access Now documented that Italian authorities used Graphite to target "at least three journalists and two individuals working in organizations involved in rescuing refugees at sea," plus "a campaigner for migrants in Libya" [2].

This is the company ICE is now paying.

The ICE Contract

ICE signed a $2 million contract with Paragon Solutions on September 30, 2024 [4].

When news broke, the Biden administration put the contract under review. A "stop work order" was issued to determine whether it complied with a 2023 executive order prohibiting the purchase of spyware that could violate human rights or target Americans abroad [3].

The current administration lifted that order. A federal procurement form showed instructions to "lift the stop work order" [4].

ICE now has access to spyware capable of reading encrypted messages from any target.

Constitutional Questions

Congressional representatives have warned that deploying Graphite domestically could violate [2]:

  • First Amendment: Spying on communications chills free speech and assembly
  • Fourth Amendment: Warrantless extraction of private messages violates protections against unreasonable searches

ICE doesn't need a warrant to surveil non-citizens. But Graphite doesn't check citizenship status. Once deployed, it captures messages from everyone in a target's contacts: citizens and non-citizens alike.

404 Media has sued ICE demanding they publish the full Paragon contract. The agency has refused to release details about how they intend to use the technology [5].

Who Is Paragon Solutions?

Paragon Solutions is an Israeli surveillance company founded in 2019. The company's leadership includes former Israeli intelligence officials [1].

Paragon has tried to position itself as more ethical than NSO Group, claiming it only sells to democratic governments and doesn't target journalists or dissidents. The evidence from Italy contradicts this [2].

After WhatsApp's revelations, Meta sent Paragon a cease-and-desist letter. The company's reputation as "ethical spyware" is increasingly difficult to maintain [3].

Part of the Surveillance Ecosystem

Paragon isn't ICE's only tool for accessing private communications:

  • Cellebrite ($11M contract): Physically cracks locked phones and extracts all data
  • Mobile Fortify: Street-level facial recognition
  • Palantir ImmigrationOS ($30M): Integrates all surveillance data into targeting profiles

Graphite fills a specific gap: remote, silent access to encrypted messages without physical access to the device. Where Cellebrite requires seizing your phone, Graphite works from a distance.

Protecting Yourself

Zero-click exploits are difficult to defend against, but not impossible:

Keep Software Updated

Zero-click exploits rely on unpatched vulnerabilities. Install iOS and Android updates immediately. WhatsApp patched the Paragon exploit, but only for users who updated.

Use Lockdown Mode (iPhone)

Apple's Lockdown Mode significantly restricts attack surface. It disables many features spyware exploits. Enable it in Settings > Privacy & Security if you're at high risk.

Reboot Daily

Many spyware variants don't survive device reboots. Restarting your phone daily can clear non-persistent infections. It's not a guarantee, but it helps.

Assume Compromise

If you're in sensitive communications (immigration legal work, journalism, activism), assume your phone could be compromised. Use in-person meetings for the most sensitive conversations.

For Journalists and Advocates

If you work with immigrant communities, cover immigration enforcement, or communicate with people who might be ICE targets:

  • Compartmentalize: Use a separate device for sensitive communications. Don't mix personal and professional.
  • Watch for Apple/Google warnings: Both companies notify users when they detect state-sponsored attacks. Take these seriously.
  • Contact Citizen Lab: If you suspect targeting, Citizen Lab offers forensic analysis for journalists and human rights workers.
  • Document everything: Note unusual phone behavior, battery drain, or overheating. These can indicate infection.

References

  1. Citizen Lab. Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations (March 2025)
  2. Access Now. The U.S. has reactivated its Paragon contract, and it should alarm everyone
  3. TechCrunch. ICE reactivates contract with spyware maker Paragon (September 2025)
  4. Immigration Policy Tracking Project. ICE contracts with Paragon to gain access to sophisticated spyware
  5. 404 Media. We're Suing ICE for Its $2 Million Spyware Contract