
DHS Says ICE Has No Relationship With Spyware Maker Paragon Solutions
Key Takeaways
- DHS states ICE has no relationship with Paragon Solutions.
- ICE reactivated a paused Paragon Solutions contract last year.
- Paragon's Graphite spyware has targeted journalists and human rights defenders in Europe.
ICE ends Paragon ties
The U.S. Department of Homeland Security told NPR that ICE has "no relationship" with spyware maker Paragon Solutions, after ICE reactivated a previously paused contract with the Israeli-founded company last year.
NPR reported that DHS said "ICE has no relationship with Paragon Solutions, Inc. or with the company that acquired them," while noting that ICE first entered into a contract with the U.S. subsidiary of Paragon Solutions in 2024 for an unspecified product.

NPR also said the Biden administration put that contract on hold to decide whether it complied with a 2023 executive order barring federal agencies from purchasing commercial spyware that poses a significant security risk to the U.S. or risk of misuse by foreign governments.
In a separate thread of the same controversy, NPR described how ICE’s departing acting Director Todd Lyons acknowledged in an April 1 letter that he had approved the use of a commercial spyware tool by ICE’s Homeland Security Investigations team to disrupt foreign terrorist organizations and fentanyl traffickers, and that he certified compliance with the 2023 executive order.
NPR added that when it asked DHS whether ICE agents still had access to Paragon-developed tools, DHS replied, "DHS is not going to confirm or deny law enforcement capabilities or methods."
WhatsApp zero-click warning
Alianza de Medios MX reported that WhatsApp warned about a targeted attack aimed at around 100 journalists and civil society members using Graphite software developed by Paragon Solutions.
The outlet said WhatsApp described the compromise as a "zero-click" attack, in which devices were compromised without the victims having to click on malicious links.

Alianza de Medios MX also reported that WhatsApp said it had interrupted a Paragon espionage campaign and that it sent a cease-and-desist letter to Paragon while exploring legal options to curb such activities.
The same article stated that Paragon Solutions declined to comment and that WhatsApp said the attacks were halted in December 2024, though it had not determined how long the affected devices remained exposed.
In parallel, Bitdefender reported that the Citizen Lab at the University of Toronto provided scientific evidence that Paragon Solutions’ iOS spyware Graphite was used to hack the phones of European journalists, including an Italian journalist named Ciro Pellegrino of Fanpage.it.
Scientific evidence and defenses
Bitdefender said Citizen Lab researchers Bill Marczak and John Scott-Railton detailed how a prominent European reporter who requested anonymity and Ciro Pellegrino were compromised, with Apple warning the two journalists on April 29 that they were "targeted by state-sponsored spyware."
The report added that the analysis showed their iPhones were targeted in January and early February by a zero-click iMessage exploit that Apple later patched in iOS 18.3.1, and that device logs revealed the phones secretly contacted the same server controlled by Paragon (46.183.184.91).
Bitdefender further stated that the vulnerability exploited in this case was listed as CVE-2025-43200 in the iOS 18.3.1 security advisory as a logic flaw in the Messages app "when processing a malicious photo or video shared via an iCloud link."
TechCrunch, meanwhile, framed the response as practical user defenses, saying Apple, Google, and Meta offer opt-in features designed to counter targeted spyware attacks and quoting Runa Sandvik that "These features are free, easy to enable, and the best defense we have today against sophisticated spyware."
TechCrunch also quoted Apple’s description of Lockdown Mode, which says that when it is enabled, "your device won’t function like it typically does," and listed, among its effects, that incoming FaceTime calls are blocked if you haven’t contacted that person before or in the last 30 days.