ICE Is Using Zero-Click Spyware That Reads Your Encrypted Messages — Here's What You Need to Know
Last updated: May 22, 2026
I was texting a friend on WhatsApp when I saw the headline.
Put my phone down. Picked it up again. Read it twice.
ICE is using spyware that can read your encrypted messages without you ever clicking anything. You don't open a link. You don't download a file. You don't do anything wrong. And yet your phone is already compromised.
That's not hypothetical. That's what dropped in early April 2026 when the U.S. Immigration and Customs Enforcement agency officially confirmed for the first time that it is deploying a powerful commercial spyware called Paragon Graphite. I spent the better part of a week reading through the research on this. What I found was more unsettling than the headline.
What Is the ICE Graphite Spyware Story?
In April 2026, acting ICE Director Todd Lyons sent a letter to members of Congress confirming what privacy advocates had long feared.
ICE is actively deploying Graphite, a sophisticated spyware tool developed by the Israeli company Paragon Solutions.
The letter was a belated response. Lawmakers had asked about this back in October 2025. It took six months and significant public pressure to get an answer. And the answer was essentially: yes, we're using it, it's legal, and we're using it to catch fentanyl traffickers and members of foreign terrorist organizations.
The justification sounds reasonable on the surface. Nobody wants fentanyl traffickers running free. But the tool ICE is using has been documented targeting journalists and humanitarian aid workers who had done nothing wrong. That's the part that kept me reading.
📎 Source Link: Citizen Lab — Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations
So What Exactly Is "Zero-Click" Spyware?
This is the part I want you to really understand. Because "zero-click" sounds technical but the implications are massive.
Most of us imagine getting hacked the same way: someone sends you a sketchy link, you click it, you're compromised. Zero-click attacks are completely different.
Zero-click spyware requires zero action from the target.
No clicking. No downloading. No interaction of any kind. The spyware finds a vulnerability in your phone's operating system or in an app like WhatsApp, and exploits it automatically just by being delivered to your device. You can receive a message, never open it, and still be fully compromised.
In documented cases involving Graphite:
Targets were added to a WhatsApp group. A PDF was sent. The phone automatically processed it, exploiting a vulnerability to install the Graphite implant before the person even looked at their screen.
From that point on, Graphite operates at the deepest level of the device. It can extract messages from encrypted apps like WhatsApp and Signal, access stored data, and activate the microphone and camera.
And here's the detail that makes end-to-end encryption effectively irrelevant against this kind of tool: Graphite reads your messages after they've been decrypted on your device itself. It doesn't crack encryption in transit. It just reads what's already on your screen. By the time you see your friend's message, Graphite has already seen it too.
Who Is Paragon Solutions, and Why Does That Matter?
Paragon Solutions was founded in 2019 by former Israeli Prime Minister Ehud Barak and Ehud Schneorson, the former commander of Israel's elite signals intelligence unit, Unit 8200. The company marketed itself as a more responsible alternative to NSO Group, the maker of the infamous Pegasus spyware, and claimed to sell only to democratic governments.
That framing took a significant hit in early 2025.
WhatsApp disclosed that roughly 90 journalists and members of civil society in various countries had been targeted with Graphite. Independent researchers at the Citizen Lab later confirmed that journalists and humanitarian aid workers in Italy had their devices infected specifically through WhatsApp messages. Paragon subsequently ended its contract with Italian government agencies.
One more detail worth noting: Paragon is now owned by a U.S. private equity firm, AE Industrial Partners. ICE signed an initial $2 million contract with the company at the end of the Biden administration. The contract was paused for human rights compliance review, then revived by the Trump administration in fall 2025.
📎 Source Link: Electronic Frontier Foundation — Surveillance Issues and Analysis
Is WhatsApp Safe From Government Spyware in 2026?
Honest answer: it depends on how you define safe.
End-to-end encryption still works as intended. Your messages are scrambled during transit so that anyone intercepting them between your phone and the recipient's phone cannot read them. That part hasn't changed.
What Graphite targets is something entirely different: the device itself, after decryption has already happened. Once a message arrives on your phone and your app decrypts it so you can read it, a spyware implant installed on your device can read it too. It's the equivalent of locking your front door perfectly but having a hidden camera already installed inside your house.
For most ordinary people, the realistic threat is low but not zero. Deploying zero-click spyware is expensive, technically complex, and typically reserved for specific high-value targets. The documented use of Graphite has been against drug cartel members, suspected terrorists, and unfortunately, journalists and activists.
But three things still matter to everyone.
First, the legal framework governing who can be targeted is opaque. ICE's confirmation letter didn't answer basic questions about targeting criteria, legal authorization, or whether Graphite has been used against people inside the United States. Without judicial oversight requirements, the line between "fentanyl trafficker" and "someone ICE decides to investigate" is uncomfortably blurry.
Second, collateral data collection is real. When spyware compromises a phone, it doesn't just see the target's messages. It sees every conversation the target has had with other people, including people completely uninvolved in any investigation.
Third, the precedent matters enormously. Once a government agency normalizes the domestic use of commercial zero-click spyware, future administrations inherit that infrastructure. The norms established now shape how this technology will be used for decades.
I'm not sure what to do with that last one. Still thinking about it.
What Did Congress Say About This?
To give credit where it's due, several lawmakers on both sides pushed back hard.
Representative Summer Lee of Pennsylvania called ICE's response deeply inadequate. She said the agency failed to answer substantive questions about targeting criteria and the legal basis for deploying the tool inside the United States. Her statement explicitly named the communities she believes are most at risk: immigrants, Black and brown communities, journalists, organizers, and people who have publicly criticized government actions.
The revelation also landed at a sensitive moment. Congress was actively preparing to debate whether to reauthorize a key surveillance law, and whether to close a legal loophole that allows the federal government to purchase bulk data about millions of Americans from commercial data brokers without a warrant.
Privacy advocates raised a specific legal concern worth understanding: unlike a traditional wiretap warrant, which requires a judge's approval, some forms of surveillance can be authorized through administrative subpoenas with no judicial oversight required. ICE has not clarified whether its use of Graphite falls within the warrant framework or relies on these lower-bar administrative tools.
📎 Source Link: ACLU — Surveillance Technologies and Your Rights
How Paragon Graphite Works: A Plain-English Technical Breakdown
For those who want to understand the actual mechanics, here is a breakdown based on documented cases and analysis by organizations like Citizen Lab.
Step 1: Delivery
The spyware operator adds the target to a WhatsApp group or sends a file, often a PDF. The phone's apps automatically process incoming files even before the user opens them, triggering the exploit.
Step 2: Exploitation
The delivered file exploits a "zero-day" vulnerability: a flaw in the app's code that the developer hasn't yet discovered or patched. This is what makes zero-click attacks so powerful: they target vulnerabilities that don't yet have defenses.
Step 3: Sandbox Escape
Modern phones are designed so that each app operates in an isolated "sandbox": it shouldn't be able to touch data from other apps. Graphite escapes this containment, gaining access to the broader operating system.
Step 4: Implantation
Once the sandbox is breached, Graphite installs itself at the device level. From here it can read decrypted messages from Signal, WhatsApp, Telegram, and other apps; access the camera and microphone; extract stored photos and contacts; and transmit data back to an operator.
Step 5: Persistence
Advanced implants like Graphite are designed to survive phone restarts and, in some configurations, even factory resets, though the latter has not been definitively confirmed for Graphite specifically.
📎 Source Link: Citizen Lab — University of Toronto's Munk School, Interdisciplinary Research on Spyware
What Can You Actually Do to Protect Yourself?
I want to be honest here. If you are specifically targeted by a nation-state using Graphite, there is no consumer-grade solution that provides complete protection.
Zero-click attacks that exploit unknown vulnerabilities are, by definition, attacks for which defenses haven't been built yet.
That said, there are steps that meaningfully reduce your exposure. These are the ones I've actually taken.
Keep everything updated, always. When security vulnerabilities are discovered, developers release patches. Keeping your iOS or Android operating system and all apps current is the single most impactful thing you can do. It closes the known exploits that spyware depends on.
Enable Lockdown Mode if you're on iPhone. Apple introduced Lockdown Mode specifically for people at elevated risk of sophisticated attacks. It dramatically restricts certain phone functions to minimize the attack surface. It does limit functionality, but it's worth knowing it exists.
Regularly restart your phone. Some spyware implants don't fully survive restarts. A restart doesn't guarantee removal, but it can disrupt in-memory implants.
Disable auto-download of media in WhatsApp. In WhatsApp settings, you can turn off automatic downloads of photos, videos, and documents. This adds a small barrier, though zero-click attacks can sometimes work before downloads complete.
Use Signal as your primary messaging app. Signal is not immune to device-level spyware. But it collects and stores the least metadata of any major messaging platform, minimizing what an attacker could harvest even if they got in.
I went through my own settings after reading the research. Turned off auto-download. Updated everything. Turned on Lockdown Mode and turned it back off about an hour later because it made too many things difficult. Still thinking about the right tradeoffs.
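For the "keep everything updated" step on Android, here is an added example (not code from the reporting or from any organization named above) that reads the security patch level out of `adb shell getprop` output and flags a device that has fallen behind. The sample outputs, the device names, and the 60-day threshold are assumptions made for illustration.

```python
import re
from datetime import date

# Line format printed by `adb shell getprop`: [key]: [value]
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
PATCH_KEY = "ro.build.version.security_patch"  # Android security patch level


def parse_getprop(text):
    """Parse `adb shell getprop` output into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_status(getprop_text, today, max_age_days=60):
    """Return (status, age_days); status is 'ok', 'stale' or 'unknown'.

    max_age_days=60 is an assumed policy threshold, not an official figure.
    """
    value = parse_getprop(getprop_text).get(PATCH_KEY, "")
    try:
        patched = date.fromisoformat(value)
    except ValueError:
        return ("unknown", None)  # property missing or malformed
    age = (today - patched).days
    if age < 0:
        return ("unknown", age)   # patch date in the future: bad clock or bad data
    return ("stale" if age > max_age_days else "ok", age)


# Constructed sample output for two hypothetical devices (not real captures).
SAMPLE_CURRENT = """[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2026-05-05]
[ro.product.model]: [ExamplePhone A]"""
SAMPLE_OLD = """[ro.build.version.release]: [12]
[ro.build.version.security_patch]: [2024-11-01]
[ro.product.model]: [ExamplePhone B]"""

if __name__ == "__main__":
    today = date(2026, 5, 22)  # fixed date so the result is repeatable
    for name, text in (("A", SAMPLE_CURRENT), ("B", SAMPLE_OLD)):
        print(name, patch_status(text, today))
```

A "stale" result means the phone is missing published fixes. An "ok" result says nothing about vulnerabilities that have not been patched yet.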
The Bigger Picture: Why This Is About More Than ICE
It would be easy to frame this as a story about one agency and one tool.
But the reason the ICE-Graphite disclosure has generated such intense reaction from privacy advocates isn't really about ICE specifically. It's about the normalization of a category of technology that fundamentally undermines the digital privacy architecture that hundreds of millions of people depend on every day.
When governments deploy zero-click spyware domestically, several things happen that are hard to walk back.
The commercial market for these tools grows and becomes more sustainable. More actors, including authoritarian regimes and criminal organizations, gain access to similar technology. Companies that build secure messaging apps face pressure to weaken protections. And the legal framework for regulating this kind of surveillance lags years behind the technology itself.
There's also a documented pattern with surveillance technology labeled as being for one specific purpose: scope creep. Tools deployed to target cartel leaders have a history of eventually being used against protesters, journalists, and political opponents. ICE's own history with surveillance technology, including license plate readers, facial recognition, and commercial data brokers, provides context for why civil liberties advocates aren't simply taking the agency's word on how narrowly Graphite will be applied.
None of this means the technology shouldn't exist. There are real, serious criminals who communicate over encrypted platforms. Law enforcement has a legitimate interest in lawful surveillance. The question isn't whether this capability should exist. It's whether it should be deployed domestically without clear judicial oversight, without transparency to the public, and without meaningful accountability for how it's used.
I don't have a clean answer to that. I'm not sure anyone does right now.
Frequently Asked Questions
Q1: Does ICE currently have the ability to read my WhatsApp messages?
If you are not a target of a specific ICE investigation, the practical answer is almost certainly no. Deploying Graphite is resource-intensive and reserved for specific high-value targets. That said, ICE has not disclosed the full criteria for who can be targeted, which is one of the core concerns lawmakers have raised.
Q2: Is Signal safer than WhatsApp against spyware like Graphite?
Signal is generally considered stronger on privacy due to its open-source code, minimal metadata collection, and disappearing message options. However, no messaging app can protect you if the spyware is installed directly on your device. Graphite and tools like it operate below the app layer, reading messages after they've been decrypted. Both apps have similar vulnerabilities to device-level compromise.
Q3: How is Graphite different from Pegasus, the NSO Group spyware?
Both are Israeli-developed, zero-click commercial spyware tools. Paragon positioned Graphite as a more restricted, more accountable alternative to Pegasus, claiming to sell exclusively to vetted democratic governments. However, the documented use of Graphite against journalists in Italy has significantly undermined that self-characterization. The core technical functionality, silent device compromise, is similar in nature.
Q4: What legal protections do US citizens have against being targeted by tools like Graphite?
This is genuinely murky territory. The Fourth Amendment protects against unreasonable searches and seizures, and courts have generally held that accessing digital content requires a warrant. However, the specific legal requirements for deploying commercial spyware domestically are not clearly established, and ICE has declined to clarify whether it seeks judicial approval before using Graphite. This is one of the central questions lawmakers are now pushing the agency to answer.
Q5: Can I tell if my phone has been infected with Graphite?
In most cases, no. Zero-click spyware is specifically designed to be undetectable by the user. Unusual battery drain, unexpected data usage spikes, or your phone heating up when idle can sometimes be indicators of hidden processes, but these symptoms have many benign explanations and are not reliable detection methods. Citizen Lab and other security research organizations have developed forensic tools to detect some spyware infections, but these require technical expertise to run and aren't available as consumer apps.
Still have WhatsApp open right now. Still not sure exactly how to think about that.
Going to keep watching how Congress handles this one.
Sophia
Asset management consultant and economic columnist with 10 years of experience. Specializes in translating complex global financial market trends into practical wealth-building strategies for individuals. Helps readers move closer to financial freedom through data-driven analysis and realistic household economic solutions.



