ICE confirms Paragon spyware purchase

ICE has confirmed it bought and used commercial spyware from Paragon Solutions for drug trafficking investigations, according to a letter reviewed by TechCrunch and first reported by Bloomberg. In the letter, ICE Acting Director Todd Lyons told three members of Congress that he approved Homeland Security Investigations (HSI) to deploy the tool, describing it as a response to “foreign terrorist organizations’” use of encrypted communications.

The disclosure matters less for the vendor’s name than for what it reveals about how surveillance capabilities spread inside large agencies. Spyware is sold as an exceptional measure for exceptional threats: terrorism, cartel violence, high-end organized crime. But once the contract is signed and staff are trained, the decision to use it becomes operational routine. The marginal cost of a new target falls toward zero, while the internal cost of not using an available tool rises—especially when investigators can argue that encryption has “gone dark.” The letter offers a familiar set of assurances—compliance with “constitutional requirements,” and a certification that use of the “specific tool” does not pose “significant security or counterintelligence risks”—without spelling out the practical constraints that determine how often device compromise is attempted, how targets are selected, or how long extracted data is retained.

Paragon’s Graphite has already been tied to political scandal abroad. Italian journalists and pro-migration activists were revealed last year to have been targeted with Paragon spyware, prompting the company to cut off Italy’s intelligence services, TechCrunch reports. In the US, the procurement history reads like a compliance obstacle course rather than a policy decision: ICE signed the contract in 2024, the Biden administration suspended it to assess whether it complied with an executive order limiting US use of spyware implicated in human-rights abuses, and ICE reactivated the deal in September 2025. The pause did not kill the capability; it delayed it.

The remaining question is not whether warrants exist in theory, but which legal authorities are actually being used in practice, and who gets notified after the fact—if anyone. Device-level spyware is not a wiretap in the traditional sense. It can capture messages before encryption, pull files, access photos, and potentially activate microphones and cameras depending on the implant. That changes evidentiary handling, third-party exposure, and the blast radius for data sharing inside DHS and across federal partners. It also creates a perverse security loop: the same “cutting-edge” access depends on stockpiled vulnerabilities and clandestine techniques that, if leaked or reused, become risks to everyone using the affected devices.

Lyons’ letter is an answer to lawmakers’ questions, but it leaves the operational details where agencies prefer them: in classified annexes, internal policy memos, and vendor nondisclosure agreements. The public now knows that a domestic law-enforcement unit inside DHS bought spyware built for covert device compromise.

ICE lifted its own block on the Paragon contract in September 2025. The first confirmed use case is drug trafficking.