ICE Confirms Paragon Spyware Use as U.S. Commercial Spyware Policy Faces Scrutiny
U.S. Immigration and Customs Enforcement confirmed to lawmakers that it bought and used Paragon Solutions spyware, including Graphite, in investigations tied to drug trafficking, fentanyl networks, and other organizations using encrypted communications. Acting ICE Director Todd Lyons said the deployment complied with constitutional requirements and the 2023 executive order restricting government use of commercial spyware, but House Democrats including Rep. Summer Lee said ICE had not provided enough documentation, safeguards, or oversight to justify such invasive surveillance. The disclosure followed the reactivation of ICE’s Paragon contract after an earlier suspension for review, and came amid wider controversy over reports linking Paragon spyware to targeting of journalists and activists.
The admission intensified concerns that U.S. policy may be softening toward the commercial spyware industry even as evidence mounts that these vendors are driving serious cyber abuse. Reporting and research cited growing alarm over the lifting of sanctions on Intellexa executives, new U.S.-linked ownership of NSO Group and Paragon, and the expanding role of brokers, resellers, and other intermediaries that help spyware vendors evade export controls and obscure supply chains. Analysts also noted that Google attributed more zero-day exploitation to commercial surveillance vendors than to traditional state-backed groups in 2025, while lawmakers pressed for briefings on federal spyware use and U.S. investment in firms long associated with abuses involving Pegasus, Predator, and related surveillance tools.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Rep. Summer Lee seeks Commerce briefing on spyware use
Rep. Summer Lee asked the Commerce Department to brief Congress on federal use of commercial spyware and on U.S. investment in spyware vendors, citing concerns about the administration's posture toward the industry.
House Democrats criticize ICE spyware deployment
Three House Democrats—Summer Lee, Shontel Brown, and Yassamin Ansari—publicly criticized ICE's confirmed use of Paragon spyware, arguing the agency had not provided sufficient documentation, safeguards, or meaningful oversight.
ICE confirms use of Paragon spyware
ICE confirmed to lawmakers that it bought and used Paragon Solutions spyware in investigations involving drug trafficking and other targets using encrypted communications, saying the use complied with constitutional requirements and applicable policy restrictions.
Atlantic Council publishes spyware intermediaries report
The Atlantic Council published an issue brief examining how brokers, resellers, infrastructure providers, and other intermediaries enable proliferation in the offensive cyber capabilities and spyware market while obscuring accountability.
OMB rescinds federal software supply chain guidance
A recent OMB memo rescinded earlier Biden administration federal software supply chain guidance, making mechanisms such as secure software development attestations and SBOM requests optional rather than durable requirements.
Executive order targets cyber-enabled fraud
On March 6, the U.S. government issued an executive order aimed at raising costs for cybercriminals through coordination, disruption, prosecutions, intelligence sharing, resilience measures, and diplomatic pressure on states that shelter such operations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
One House Democrat is pressing Commerce on the government’s spyware use | CyberScoop
cyberscoop.com
Open sourceICE Uses Graphite Spyware - Schneier on Security
schneier.com
Open sourceHouse Dems decry confirmed ICE usage of Paragon spyware | CyberScoop
cyberscoop.com
Open sourceICE says it bought Paragon's spyware to use in drug trafficking cases | TechCrunch
techcrunch.com
Open sourceIntermediaries Driving Global Spyware Market Expansion
darkreading.com
Open sourceMythical Beasts: Investigating the role of intermediaries in the proliferation of offensive cyber capabilities - Atlantic Council
atlanticcouncil.org
Open sourceCommercial Spyware Opponents Fear US Policy Shifting
darkreading.com
Open sourceIf consequences matter, they should apply to vendors, too | CyberScoop
cyberscoop.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ICE Expands Use of Commercial and Technical Surveillance Data for Immigration Enforcement
U.S. Immigration and Customs Enforcement (**ICE**) is exploring expanded access to commercially available data from online advertising and technology brokers to support investigations, issuing a **Request for Information (RFI)** to understand the availability of personal, financial, location, and health data and how it could be provided to federal investigative entities. The effort is framed as market research rather than a direct procurement, and follows an earlier RFI seeking open-source intelligence and social media data to improve targeting for ICE’s Enforcement and Removal Operations. Privacy and civil liberties advocates warn that purchasing brokered data can function as a workaround to traditional warrant requirements, and point to proposed legislation such as the **Fourth Amendment Is Not For Sale Act** as a potential constraint on government acquisition of data that would otherwise require judicial authorization. Reporting on ICE’s broader deportation and enforcement posture describes the agency’s reliance on multiple surveillance technologies to identify and track individuals, including **cell-site simulators** (also known as *stingrays* / **IMSI catchers**) that impersonate cellular towers to locate and potentially identify nearby phones. The coverage also highlights legal controversy around enforcement tactics, including allegations of warrantless home entry that legal experts argue conflicts with **Fourth Amendment** protections. Separately, European policymakers are described as reassessing dependence on U.S. technology amid geopolitical tensions and sanctions risk, but that discussion is not specific to ICE’s surveillance or data-broker acquisition activity.
Mar 21, 2026
Predator Spyware Campaigns Spur Sanctions and Convictions Tied to Intellexa
Investigations by Amnesty International, media partners, and other researchers linked the **Predator** mercenary spyware ecosystem to campaigns targeting politicians, journalists, civil society figures, and officials across multiple countries. One probe found suspected Vietnamese government-linked operators used malicious X posts and fake news links in an attempt to infect the phones of U.S. lawmakers and journalists, including members of Congress and reporters covering national security and Taiwan. Separate reporting tied Predator to earlier abuses in Greece and elsewhere, while technical analysis showed the malware could exploit multiple zero-days, pair with the **Alien** component for persistence, and steal messages, record calls, and activate device microphones. The widening scandal triggered government action and court cases against the spyware network behind Predator. The United States blacklisted Intellexa and Cytrox and later imposed additional sanctions on Intellexa, citing national security risks from the commercial surveillance trade. In Greece, courts convicted executives in the Predator wiretapping case, including an Israeli spyware maker who received an eight-year sentence, while Amnesty continued to document new alleged targeting, including a journalist in Angola and further evidence from the **"Intellexa Leaks"** that the spyware industry remained active despite mounting scrutiny.
May 26, 2026
Paragon Graphite Spyware Scandal Deepens in Italy
Italian prosecutors are investigating a spyware scandal after **WhatsApp** and **Apple** alerted journalists, activists, and NGO workers that they had been targeted with mercenary spyware linked to **Paragon Solutions’ Graphite** platform. The campaign reportedly affected about 90 people worldwide, and public disclosures in Italy included journalist **Francesco Cancellato**, Fanpage journalist **Ciro Pellegrino**, and Mediterranea Saving Humans figures **Luca Casarini** and **Beppe Caccia**. Researchers at **Citizen Lab** later confirmed infections of Pellegrino and another European journalist, tying one case to a sophisticated zero-click **iMessage** exploit that Apple said was mitigated in `iOS 18.3.1`. The case has intensified scrutiny of Italy’s intelligence services after a parliamentary committee said agencies **AISI** and **AISE** were Paragon customers, even as the government denied targeting legally protected subjects such as journalists. Paragon said it had offered help investigating the alleged surveillance and later cut ties with Italy, but prosecutors in Rome and Naples reportedly have not received the company’s cooperation through formal channels, raising questions about accountability and Israeli assistance in spyware investigations. The dispute echoes earlier battles over Israeli spyware vendors, including **NSO Group’s Pegasus**, which was previously used in WhatsApp-based attacks and became the subject of major litigation and international scrutiny.
May 26, 2026