ICE’s Zero-Click "Graphite" Spyware: How Your Encrypted WhatsApp Messages Are Read in 2026

ICE Is Using Zero-Click Spyware That Reads Your Encrypted Messages — Here's What You Need to Know

Okay, I need you to sit with this for a second.

You open WhatsApp to text your friend. You don't click any links. You don't download any suspicious files. You don't do anything wrong. And yet — without you ever knowing — a government agency could potentially be reading every word you type.

That's not a dystopian thriller. That's the reality that quietly dropped in early April 2026, when the U.S. Immigration and Customs Enforcement agency — better known as ICE — officially confirmed for the first time that it is using a powerful commercial spyware called Paragon Graphite. And the way this tool works? It doesn't need you to do anything at all.

If you care about your digital privacy — and honestly, who doesn't these days — this is the story you need to understand. Let me break it all down in plain English.


What Is the ICE Graphite Spyware Story?

In April 2026, acting ICE Director Todd Lyons sent a letter to members of Congress confirming what many privacy advocates had long feared: ICE is actively deploying Graphite, a sophisticated spyware tool developed by the Israeli company Paragon Solutions.

The letter was actually a belated response — lawmakers had asked about ICE's potential use of this technology back in October 2025. It took six months and significant public pressure to finally get an answer. And the answer was essentially: yes, we're using it, it's legal, and we're using it to catch fentanyl traffickers and members of foreign terrorist organizations.

Here's where it gets complicated. The justification sounds reasonable on the surface. Nobody wants fentanyl traffickers running free. But the tool ICE is using? It's the kind of surveillance technology that human rights organizations and privacy researchers have been sounding alarms about for years — because of how invasively it works, and because of its documented history of being used against people who had done absolutely nothing wrong.

📎 Source Link: Citizen Lab — Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations

So What Exactly Is "Zero-Click" Spyware?

This is the part I want you to really understand, because "zero-click" sounds technical but the implications are massive.

Most of the time when we talk about getting hacked, we imagine the classic scenario: someone sends you a sketchy link, you click it, and boom — you're compromised. That's the model most of us have in our heads for how digital attacks work. Zero-click attacks are completely different, and far more alarming.

As the name suggests, zero-click spyware requires zero action from the target. No clicking, no downloading, no interaction of any kind. The spyware finds a vulnerability in your phone's operating system or in an app — like WhatsApp — and exploits it automatically just by being delivered to your device. You can receive a message, never open it, and still be fully compromised.

In the case of Graphite, researchers documented attacks where the spyware was delivered via WhatsApp. Targets were added to a WhatsApp group, a PDF was sent, and the phone automatically processed it — exploiting a vulnerability to install the Graphite implant before the person even looked at their screen. From that point on, Graphite operates at the deepest level of the device. It can extract messages from encrypted apps like WhatsApp and Signal, access stored data, and even activate the microphone and camera.

Here's the detail that makes end-to-end encryption effectively irrelevant against this kind of tool: Graphite reads your messages after they've been decrypted on your device itself. It doesn't crack the encryption in transit. It just reads what's already on your screen. By the time you see your friend's message, Graphite has already seen it too.


Who Is Paragon Solutions, and Why Should That Matter to You?

Paragon Solutions was founded in 2019 by former Israeli Prime Minister Ehud Barak and Ehud Schneorson, the former commander of Israel's elite signals intelligence unit, Unit 8200. The company has marketed itself as a more responsible alternative to companies like NSO Group — the maker of the infamous Pegasus spyware — and has claimed to sell only to democratic governments.

That framing took a significant hit in early 2025, when WhatsApp disclosed that it had discovered roughly 90 journalists and members of civil society in various countries had been targeted with Graphite. Independent researchers at the Citizen Lab later confirmed that journalists and humanitarian aid workers in Italy had their devices infected specifically through WhatsApp messages. Paragon subsequently ended its contract with Italian government agencies.

And here's an interesting ownership detail that adds another layer: Paragon is now owned by a U.S. private equity firm, AE Industrial Partners. ICE signed an initial $2 million contract with the company at the end of the Biden administration. The contract was quickly paused for human rights compliance review, then revived by the Trump administration in fall 2025.

📎 Source Link: Electronic Frontier Foundation — Surveillance Issues and Analysis

Is WhatsApp Safe From Government Spyware in 2026?

This is the question most people have the moment they hear about Graphite, and the honest answer is: it depends on how you define "safe."

End-to-end encryption — the technology that WhatsApp, Signal, and iMessage use to protect your conversations — still works as intended. Your messages are scrambled during transit so that anyone intercepting them between your phone and the recipient's phone cannot read them. That part of the picture hasn't changed.

What Graphite (and tools like it) targets is something entirely different: the device itself, after decryption has already happened. Once a message arrives on your phone and your app decrypts it so you can read it, a spyware implant installed on your device can read it too. It's the equivalent of locking your front door perfectly but having a hidden camera already installed inside your house.

This means the realistic risk for most ordinary people is low but not zero. Deploying zero-click spyware is expensive, technically complex, and typically reserved for specific, high-value targets. The documented use of Graphite has been against people like drug cartel members, suspected terrorists, and unfortunately, journalists and activists. If you're none of those things, the odds that your phone specifically is being targeted by this type of surveillance are extremely low.

That said, there are three important reasons why this still matters to everyone:

First, the legal framework governing who can be targeted is opaque. ICE's confirmation letter to Congress didn't answer fundamental questions about targeting criteria, legal authorization, or whether Graphite has been used against people physically located inside the United States. Without judicial oversight requirements, the line between "fentanyl trafficker" and "someone ICE decides to investigate" is uncomfortably blurry.

Second, collateral data collection is a real concern. When spyware compromises a phone, it doesn't just see the target's messages. It sees every conversation the target has had with other people — including people who are completely uninvolved in any investigation.

Third, the precedent matters enormously. Once a government agency normalizes the domestic use of commercial zero-click spyware, future administrations inherit that infrastructure. The norms established now shape how this technology will be used for decades.


What Did Congress Say About This?

To give credit where it's due: several lawmakers on both sides of the aisle have pushed back on this hard.

Representative Summer Lee of Pennsylvania, one of the original authors of the October 2025 inquiry letter, called ICE's response deeply inadequate. She said the agency failed to answer substantive questions about targeting criteria and the legal basis for deploying the tool inside the United States. Her statement explicitly named the communities she believes are most at risk: immigrants, Black and brown communities, journalists, organizers, and people who have publicly criticized government actions.

The revelation also landed at a sensitive moment: Congress was actively preparing to debate whether to reauthorize a key surveillance law, and whether to close a legal loophole that currently allows the federal government to purchase bulk data about millions of Americans from commercial data brokers without a warrant.

Privacy advocates have raised a specific legal concern that deserves attention: unlike a traditional wiretap warrant, which requires a judge's approval, some forms of surveillance can be authorized through administrative subpoenas — no judicial oversight required. ICE has not clarified whether its use of Graphite falls within the warrant framework or relies on these lower-bar administrative tools.

📎 Source Link: ACLU — Surveillance Technologies and Your Rights

How Paragon Graphite Works: A Plain-English Technical Breakdown

For those who want to understand the actual mechanics, here's how researchers believe Graphite operates, based on documented cases and analysis by organizations like Citizen Lab.

Step 1: Delivery

The spyware operator adds the target to a WhatsApp group or sends a file — often a PDF. The phone's apps automatically process incoming files even before the user opens them, triggering the exploit.

Step 2: Exploitation

The delivered file exploits a "zero-day" vulnerability — a flaw in the app's code that the app developer hasn't yet discovered or patched. This is what makes zero-click attacks so powerful: they target vulnerabilities that don't yet have defenses.

Step 3: Sandbox Escape

Modern phones are designed so that each app operates in an isolated "sandbox" — it shouldn't be able to touch data from other apps. Graphite escapes this containment, gaining access to the broader operating system.

Step 4: Implantation

Once the sandbox is breached, Graphite installs itself at the device level. From here it can read decrypted messages from Signal, WhatsApp, Telegram, and other apps; access the camera and microphone; extract stored photos and contacts; and transmit data back to an operator.

Step 5: Persistence

Advanced implants like Graphite are designed to survive phone restarts and, in some configurations, even factory resets — though the latter has not been definitively confirmed for Graphite specifically.

📎 Source Link: Citizen Lab — University of Toronto's Munk School, Interdisciplinary Research on Spyware

What Can You Actually Do to Protect Yourself?

I want to be honest here: if you are specifically targeted by a nation-state using Graphite, there is no consumer-grade solution that provides complete protection. Zero-click attacks that exploit unknown vulnerabilities target, by definition, flaws for which defenses haven't been built yet.

That said, there are steps that meaningfully reduce your overall exposure and shrink your attack surface:

Keep everything updated, always. When security vulnerabilities are discovered, developers release patches. Keeping your iOS or Android operating system and all apps current is the single most impactful thing you can do — it closes the known exploits that spyware depends on.

Enable Lockdown Mode if you're on iPhone. Apple introduced Lockdown Mode specifically for people at elevated risk of sophisticated attacks. It dramatically restricts certain phone functions to minimize the attack surface. It's not for everyday users — it does limit functionality — but it's worth knowing it exists.

Regularly restart your phone. Some spyware implants don't fully survive restarts. This doesn't guarantee removal but can disrupt in-memory implants.

Be selective about which apps can process incoming media automatically. In WhatsApp settings, you can disable auto-download of photos, videos, and documents. This adds a small barrier — though zero-click attacks can sometimes work even before downloads complete.

Use Signal as your primary messaging app. While Signal is not immune to device-level spyware, it collects and stores the least metadata of any major messaging platform, minimizing what an attacker could harvest.

The Bigger Picture: Why This Is About More Than ICE

It would be easy to frame this as a story about one agency and one tool. But the reason the ICE-Graphite disclosure has generated such intense reaction from privacy advocates isn't really about ICE specifically.

It's about the normalization of a category of technology that fundamentally undermines the architecture of digital privacy that hundreds of millions of people depend on every single day. When governments — even democratic ones with the best intentions — deploy zero-click spyware domestically, several things happen that are hard to walk back.

The commercial market for such tools grows and becomes more sustainable. More actors — including authoritarian regimes and criminal organizations — gain access to similar technology. The companies that build secure messaging apps face pressure to weaken protections. And the legal framework for regulating this kind of surveillance lags years behind the technology itself.

There's also a documented pattern with surveillance technology that's been labeled as being for one specific purpose: scope creep. Tools deployed to target cartel leaders have a history of eventually being used against protesters, journalists, and political opponents. ICE's own history with surveillance technology — including the use of license plate readers, facial recognition, and commercial data brokers — provides context for why civil liberties advocates aren't simply taking the agency's word on how narrowly Graphite will be applied.

None of this means the technology shouldn't exist at all. There are real, serious criminals who communicate over encrypted platforms, and law enforcement has a legitimate interest in lawful surveillance. The question isn't whether this capability should exist — it's whether it should be deployed domestically without clear judicial oversight, without transparency to the public, and without meaningful accountability for how it's used.


Frequently Asked Questions (FAQ)

Q1: Does ICE currently have the ability to read my WhatsApp messages?

If you are not a target of a specific ICE investigation, the practical answer is almost certainly no. Deploying Graphite is resource-intensive and reserved for specific, high-value targets. That said, ICE has not disclosed the full criteria for who can be targeted, which is one of the core concerns lawmakers have raised.

Q2: Is Signal safer than WhatsApp against spyware like Graphite?

Signal is generally considered stronger on privacy due to its open-source code, minimal metadata collection, and disappearing message options. However, no messaging app can protect you if the spyware is installed directly on your device. Graphite and tools like it operate below the app layer, reading messages after they've been decrypted. Both apps are similarly vulnerable to device-level compromise.

Q3: How is Graphite different from Pegasus, the NSO Group spyware?

Both are Israeli-developed, zero-click commercial spyware tools. Paragon has positioned Graphite as a more restricted, more accountable alternative to Pegasus, claiming to sell exclusively to vetted democratic governments. However, the documented use of Graphite against journalists in Italy has significantly undermined that self-characterization. The core technical functionality — silent, warrantless device compromise — is similar in nature.

Q4: What legal protections do US citizens have against being targeted by tools like Graphite?

This is genuinely murky territory. The Fourth Amendment protects against unreasonable searches and seizures, and courts have generally held that accessing digital content requires a warrant. However, the specific legal requirements for deploying commercial spyware domestically are not clearly established, and ICE has declined to clarify whether it seeks judicial approval before using Graphite. This is one of the central questions lawmakers are now pushing the agency to answer.

Q5: Can I tell if my phone has been infected with Graphite?

In most cases, no. Zero-click spyware is specifically designed to be undetectable by the user. Unusual battery drain, unexpected data usage spikes, or your phone heating up when idle can sometimes be indicators of hidden processes — but these symptoms have many benign explanations and are not reliable detection methods. Citizen Lab and other security research organizations have developed forensic tools to detect some spyware infections, but these require technical expertise to run and aren't available as consumer apps.

Final Thoughts

I'll be honest with you: when I first started reading about this story, my immediate instinct was to check my own phone settings. That's a completely normal reaction. And the answer I came to — the answer I'd encourage you to come to as well — is that the individual actions matter, but they're not the whole story.

The most important thing happening here isn't just a technical question about whether WhatsApp is safe. It's a political and legal question about what oversight should exist when the government deploys the most invasive surveillance technology ever created, domestically, against its own residents.

That's a question that deserves a real, public debate — not a six-month wait for a vague letter to Congress that doesn't answer the basic questions about who's being watched, under what legal authority, and who's checking the work.

In the meantime: update your apps, restart your phone occasionally, and pay attention to what your representatives are doing with this issue. The people who have asked the right questions — and the people who have dodged them — are both on the record. That matters.
