TL;DR: On February 11, 2026, Israeli spyware company Paragon Solutions accidentally published screenshots of their Graphite surveillance platform on LinkedIn. The images showed active interception logs, a Czech phone number labeled "Valentina," and WhatsApp monitoring interfaces. Citizen Lab researcher John Scott-Railton called it an "epic OPSEC fail." This is the same company with a $2 million ICE contract (quietly reactivated in September 2025) that gives federal agents zero-click access to encrypted phones. Congress has demanded answers from DHS about the contract. The agency's response was due March 5, 2026. We're still waiting.
What Got Posted
Paragon Solutions' general counsel made the kind of mistake that gets security professionals fired. On February 11, 2026, they uploaded screenshots to LinkedIn that showed Graphite's control panel in action [1].
Here's what was visible:
- A Czech phone number labeled "Valentina": an apparent surveillance target
- Interception logs marked "Completed" from February 10, 2026
- Interfaces for monitoring WhatsApp and other encrypted applications
- Application-level data targeting across various platforms
Cybersecurity researcher Jurre van Bergen spotted the images and alerted the security community. The posts were deleted within hours, but not before researchers archived everything [2].
John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab, summarized it bluntly: "Epic OPSEC fail by Paragon exposing Graphite spyware capabilities" [1].
An Israeli spyware firm that sells secrecy just demonstrated it can't manage its own LinkedIn account.
What Graphite Does to Your Phone
Graphite isn't like the phone-cracking tools you've heard about. Cellebrite and Graykey require physical access to a device. Graphite works over the air [3].
It's a "zero-click" exploit. No phishing link. No fake app. Nothing for the target to click. Graphite finds vulnerabilities in encrypted messaging apps and uses them to install itself silently.
Once installed, Graphite gives the operator access to:
- Encrypted messages: accessed before encryption or after decryption
- Stored photos and files
- The phone's microphone: turning the device into a listening device
- The camera
- Real-time location
Paragon positions itself as the "ethical" alternative to NSO Group's Pegasus. The company claims it only works with democratic governments and doesn't sell to authoritarian regimes [4].
That distinction matters less when you realize ICE is using it to read Signal and WhatsApp messages.
ICE's $2 Million Graphite Contract
ICE signed a $2 million contract with Paragon Solutions on September 27, 2024. The one-year agreement covers "a fully configured proprietary solution that includes license, hardware, warranty, maintenance, and training" [5].
The contract was paused pending compliance review. The Biden administration's executive order restricted government use of commercial spyware. But in September 2025, the Trump administration lifted the stop-work order [6].
A government procurement notice updated the status: "This modification is to lift the stop work order."
ICE can now deploy Graphite. The contract runs through Paragon's U.S. subsidiary in Chantilly, Virginia. What ICE is doing with it remains unclear, which is exactly the point.
The Track Record
Paragon's "ethical spyware" branding hasn't held up well under scrutiny.
In January 2025, WhatsApp notified approximately 90 users (including journalists and civil society members) that their devices had been targeted with Paragon-linked spyware [7].
Citizen Lab's investigation found that Italian authorities used Graphite to target at least three journalists and two individuals working with organizations that rescue refugees at sea in Europe [8].
On April 29, 2025, Apple notified users that they'd been targeted with "advanced spyware." Citizen Lab confirmed with high confidence that Italian journalist Ciro Pellegrino was among the targets [9]. His colleague Francesco Cancellato, an editor at Fanpage.it, had already been notified by WhatsApp in January.
The targets weren't criminals. They weren't terrorists. They were journalists doing journalism.
Congress Wants Answers
On February 28, 2026, twelve members of Congress sent a letter to DHS Secretary Kristi Noem demanding information about ICE's surveillance technology acquisitions, including the Paragon contract [10].
The letter was led by Rep. Shontel Brown (OH-11), ranking member on the Cybersecurity, Information Technology, and Government Innovation Subcommittee. Co-signers included Representatives Ro Khanna, Rashida Tlaib, and nine others.
Their concerns:
- ICE's acquisition of tools enabling collection and analysis of cellphone location data "across entire neighborhoods"
- Identification and tracking of "individuals observing ICE actions"
- The Paragon contract enabling access to encrypted applications "without the device owner's knowledge or consent"
Congress requested a briefing by March 5, 2026. That deadline passed yesterday. We haven't heard of any response.
Part of Something Bigger
Paragon isn't ICE's only phone-hacking contract. It's part of a $85 billion surveillance arsenal that includes [11]:
- Cellebrite and Graykey: for cracking seized phones
- Palantir ELITE: for identifying deportation targets using Medicaid data
- Mobile Fortify: facial recognition against 1.2 billion photos
- Clearview AI: 60 billion images scraped from the internet
- Zignal Labs: monitoring 8 billion social media posts daily
Graphite's zero-click capability fills a specific gap: targets who are tech-savvy enough to avoid phishing links and secure enough to not leave their phones lying around. Against Graphite, none of that matters.
What This Leak Actually Reveals
Forget the OPSEC failure for a second. Focus on what the screenshots showed:
"Valentina" is a real person. Someone with a Czech phone number was under active surveillance as recently as February 10, 2026. We don't know who they are. We don't know why. We just know Paragon was watching.
Interception logs marked "Completed." This wasn't a demo. This was operational. The dashboard showed active monitoring of a real target.
WhatsApp monitoring interfaces. Despite WhatsApp's end-to-end encryption, Graphite can read your messages. The zero-click exploit means you don't have to click anything suspicious. You can do everything right and still get owned.
Paragon markets itself as serving democracies. ICE is a customer. Whether mass deportation operations in America qualify as democratic governance is a question Congress hasn't answered.
What You Can Do
Keep Your Phone Updated
Apple patched the iMessage zero-click attack used by Graphite in iOS 18.3.1 (CVE-2025-43200). Update immediately. Zero-click exploits target known vulnerabilities, and patches close them.
Enable Lockdown Mode (iOS)
Apple's Lockdown Mode blocks most zero-click attack surfaces. It limits iMessage functionality and other features spyware exploits. It's not perfect, but it significantly raises the bar for attackers.
Use Signal with Disappearing Messages
While Graphite can read messages before encryption, disappearing messages mean less data to extract. Set your default timer to 24 hours or less. It won't stop surveillance, but it limits what gets captured.
Know You May Be a Target
Journalists, activists, immigration attorneys, and anyone working with immigrant communities are at elevated risk. If you receive a notification from Apple or WhatsApp about spyware, contact Citizen Lab or EFF immediately.
References
- Ahmed Eldin: The Israeli Spyware Firm That Accidentally Just Exposed Itself (February 2026)
- CyberWebSpider: Paragon Spyware Blunder: LinkedIn Post Reveals Control Panel (February 2026)
- TechCrunch: ICE Reactivates Contract with Spyware Maker Paragon (September 2025)
- Access Now: The U.S. Has Reactivated Its Paragon Contract, And It Should Alarm Everyone (September 2025)
- IT Magazine: ICE Awards $2 Million Contract to Paragon Solutions for Surveillance Technology (October 2024)
- Jack Poulson: Exclusive: ICE Reactivated Its $2 Million Contract with Israeli Spyware Firm Paragon (September 2025)
- Al Jazeera: WhatsApp Says Its Users Targeted by Israeli Spyware Company Paragon (January 2025)
- Citizen Lab: Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations
- Citizen Lab: Graphite Caught: First Forensic Confirmation of Paragon's iOS Mercenary Spyware Finds Journalists Targeted (April 2025)
- Rep. Shontel Brown: Brown Leads Oversight Letter to DHS on ICE's Troubling Mass Surveillance Tech (February 2026)
- State of Surveillance: Inside ICE's $85 Billion Arsenal: Every Surveillance Tool and How They Work Together