Hims & Hers Confirms Third-Party Customer Support System Breach

The digital healthcare landscape faces another security challenge. Hims & Hers, a prominent telehealth provider, has officially confirmed a data breach impacting its external customer service platform. This incident highlights the persistent vulnerabilities within third-party systems that handle sensitive user information.

According to a filing with the California attorney general’s office, unauthorized actors infiltrated the company’s third-party ticketing system over a four-day period in early February. Consequently, they exfiltrated a significant volume of support tickets submitted by customers. While the company states medical records were not accessed, the nature of support communications often contains a wealth of personal and account-specific details.

Scope and Nature of the Hims & Hers Data Breach

The precise number of affected individuals remains undisclosed. California law mandates public disclosure for breaches involving 500 or more state residents, so the existence of the filing indicates the scale is likely substantial. The company’s notice confirms that stolen data included customer names and contact information. However, other categories of personal data were redacted in the public filing, leaving questions about the full extent of the exposure.

A company spokesperson attributed the incident to a social engineering attack. In such schemes, hackers manipulate employees into granting system access, bypassing technical safeguards. This method underscores that human factors remain a critical weak link in cybersecurity defenses, even for established companies.

What Information Was Compromised?

While Hims & Hers emphasizes that the data “primarily” included names and email addresses, the context is crucial. Support tickets for a telehealth service can contain sensitive inquiries related to medications, treatments, and personal health circumstances. Therefore, even without formal medical records, the breached data could paint a detailed and private picture of an individual’s health journey.

The Rising Threat to Customer Support Platforms

This incident is not isolated. In recent months, customer support and ticketing systems have become prime targets for financially motivated cybercriminals. These platforms are treasure troves of personal data, which can be used for identity theft, phishing campaigns, or extortion. For instance, a similar breach at Discord last year led to the exposure of government-issued IDs for tens of thousands of users.

The pattern is clear: attackers are shifting focus to the soft underbelly of corporate operations—the vendors and platforms managing customer interactions. This trend demands a reevaluation of how companies secure their entire digital ecosystem, not just their core applications.

Response and Ongoing Implications

As a result of the breach, affected customers should be on high alert for phishing attempts. Fraudsters often use stolen names and email addresses to craft convincing, targeted messages. Hims & Hers has not disclosed whether the hackers made any ransom demands, a common tactic following such intrusions.

For consumers, this event serves as a stark reminder. When sharing information with any service, it’s vital to consider where that data flows and who else might have access. The security of a company is only as strong as its weakest vendor. For more insights on protecting your digital health information, explore our guide on healthcare data privacy.

Ultimately, the Hims & Hers data breach exposes a critical vulnerability in modern business infrastructure. It reinforces the need for robust vendor risk management and continuous employee security training. As the telehealth sector grows, so too must its commitment to safeguarding the trust placed in it by patients. Companies must implement stringent access controls and multi-factor authentication, especially for systems handling sensitive data. Learn more about effective security protocols in our article on preventing social engineering attacks.

ICE Confirms Purchase and Use of Paragon Spyware in Drug Trafficking Investigations

In a significant disclosure, the acting director of U.S. Immigration and Customs Enforcement has confirmed the agency acquired and deployed spyware from Paragon Solutions for use in drug trafficking cases. This revelation, detailed in a letter to lawmakers, spotlights the ongoing tension between national security imperatives and the protection of civil liberties in the digital age.

Official Justification for Spyware Deployment

Acting Director Todd Lyons outlined the rationale in his correspondence. He stated he approved the use of “cutting-edge technological tools” by the Homeland Security Investigations (HSI) unit. The stated goal is to counter the exploitation of encrypted communication platforms by foreign terrorist organizations and criminal networks. Consequently, this official acknowledgment provides a rare window into the operational tactics employed by domestic law enforcement agencies.

Navigating the Encryption Dilemma

For years, law enforcement has argued that strong encryption creates insurmountable barriers to criminal investigations. Tools like those from Paragon Solutions offer a potential workaround by extracting data directly from a target’s device. However, this capability sits at the heart of a fierce debate. Critics consistently warn that such powerful surveillance technology, once acquired, is prone to misuse and threatens the privacy of journalists, activists, and political dissidents.

Constitutional Assurances and Mounting Skepticism

In his letter, Director Lyons sought to preempt concerns by asserting that ICE’s use of the spyware would “comply with constitutional requirements.” He further certified that the tool did not pose significant security risks or risks of improper use by foreign entities. In effect, the agency appears to be framing the technology as a necessary and controlled instrument for high-stakes investigations.

Nevertheless, these assurances have failed to satisfy key lawmakers. Representative Summer Lee, who was among those requesting information from ICE, expressed deep skepticism. “Instead of answering the serious constitutional and civil rights concerns that we raised, DHS is asking the public to accept vague assurances and fear-based justifications,” Lee stated. This response indicates a clear disconnect between the agency’s internal risk assessment and the external scrutiny from legislative overseers.

A Contract Mired in Controversy and Scandal

The path to this deployment was neither straightforward nor without controversy. ICE initially signed a contract with the U.S.-Israeli spyware maker in 2024. Almost immediately, the Biden administration suspended the deal. This pause was to determine if it complied with an executive order restricting U.S. agencies from using spyware that could target Americans abroad or facilitate human rights abuses.

By September 2025, ICE had lifted the block and reactivated the contract. Until now, however, it was unclear whether the agency had moved beyond procurement to actual operational use. This confirmation from the acting director settles that question definitively. For more context on government surveillance tools, you can read our analysis on evolving surveillance trends.

Paragon’s Troubled International Profile

The decision to proceed with Paragon is notable given the company’s recent history. Paragon has been entangled in a major scandal in Italy, where its Graphite spyware was allegedly used to target journalists and pro-immigration activists. In reaction to the fallout, Paragon severed its ties with Italian intelligence agencies. This international context raises pertinent questions about vendor selection and the lifecycle accountability of surveillance technologies purchased by the U.S. government.

Civil Rights and Community Impact Concerns

The implications of domestic spyware use extend far beyond the specific drug cases cited by ICE. Representative Lee emphasized the broader threat, noting that the agency is moving forward “with invasive spyware technology inside the United States.” She highlighted the populations most vulnerable to potential overreach, including immigrants, Black and brown communities, journalists, and organizers.

“The people most at risk… deserve more than secrecy and deflection from an agency with a long record of overreach and abuse,” Lee argued. This perspective underscores a fundamental fear: that tools justified for targeting foreign terrorists and drug traffickers will inevitably be turned inward, chilling dissent and undermining trust. Our previous report on digital privacy rights explores these themes in greater depth.

Ultimately, the ICE letter does more than confirm a procurement detail; it reignites a critical conversation about the boundaries of state power in a digitally connected world. While the fight against transnational crime demands effective tools, the precedent set by deploying commercial spyware domestically carries profound and lasting consequences for civil liberties.

Venom PhaaS: The New Phishing-as-a-Service Platform Behind Sophisticated Executive Credential Theft

Security researchers have exposed a highly targeted credential theft campaign that operated for months, focusing on top-tier executives at major global corporations. This operation, analyzed by experts at Abnormal Security, was powered by a previously unseen and sophisticated phishing platform known as Venom.

This discovery signals a dangerous evolution in the cyber threat landscape. The campaign’s success was not due to a single breakthrough but to the meticulous integration of multiple evasion and deception techniques.

The Anatomy of a Deceptive Phishing Campaign

The attackers employed a multi-layered approach to lure their high-value targets. Instead of generic spam, they crafted emails that appeared to be SharePoint document-sharing notifications. These messages were sent to a curated list of CEOs, CFOs, and other senior leaders across more than twenty different industries.

Personalized Lures and Evasion Tactics

To appear legitimate, the emails used financial report themes and contained a QR code directly in the body, urging the recipient to scan it. However, the deception went much deeper. Each email was uniquely structured with randomized HTML elements to avoid signature-based detection systems.

Furthermore, the phishing template automatically generated a fake, multi-message email thread. This thread was personalized with the target’s own email prefix and display name, complete with a fabricated signature containing their real details. A second, randomly generated persona was added as a correspondent, and the message bodies used multilingual text from fixed templates to mimic authentic corporate chatter.

Bypassing Human and Automated Defenses

Once a target scanned the QR code, they were taken to a landing page designed as a verification checkpoint. This page’s primary function was to filter out non-human visitors, such as security scanners, sandboxes, or automated analysis tools.

As a result, only visitors who passed these checks were directed to the actual credential-harvesting page. Everyone else was sent to a dead end, leaving no trace of malicious activity for security teams to find. This step was crucial for isolating real human targets from automated defenses.

How This Phishing Platform Neutralizes Multi-Factor Authentication

The campaign’s most alarming feature was its ability to render multifactor authentication (MFA) ineffective. Victims faced one of two sophisticated harvesting methods.

In the first, an adversary-in-the-middle (AiTM) setup perfectly cloned the victim’s real corporate login portal. It included company branding, a pre-filled email field, and even mimicked the organization’s actual identity provider. While the victim entered their credentials and MFA code, the platform silently relayed this information to the legitimate Microsoft servers, simultaneously giving the attacker access.

Alternatively, the second method avoided login forms altogether. It tricked the user into approving a device sign-in via Microsoft’s legitimate device code flow, which then handed access tokens directly to the attacker. This meant the attacker never needed to see the password at all.

Ensuring Persistent Access

In the AiTM mode, the attacker would quietly register a secondary MFA device on the compromised account, leaving the victim’s original authenticator untouched. In the device code mode, the stolen refresh token remained valid even after a password reset, unless an administrator manually revoked all active sessions—a step not commonly taken by default.

Therefore, the attack blended seamlessly into normal authentication flows, evaded detection, and maintained long-term access.
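A defender-side illustration of the two persistence paths described above, added here as an example and not taken from the Abnormal Security report: it flags successful device code flow sign-ins by watch-listed executives, and new security-info (authenticator) registrations that follow a sign-in from an IP already implicated by a device code alert. The log records are constructed, and the field names (`authenticationProtocol`, `activityDisplayName`, `targetResources`) are an assumption modelled on Entra ID sign-in and audit log exports.

```python
from datetime import datetime

# Constructed sample records (not real tenant data), shaped like Entra ID sign-in
# and audit log exports. The field names are an assumption based on the Graph
# signIn / directoryAudit schema; verify them against your own export.
SIGNIN_LOG = [
    {"userPrincipalName": "cfo@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "createdDateTime": "2025-02-03T09:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "cfo@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.4", "createdDateTime": "2025-02-03T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dev@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "createdDateTime": "2025-02-03T10:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "ceo@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.7", "createdDateTime": "2025-02-03T11:30:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "ceo@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.8", "createdDateTime": "2025-02-03T12:00:00Z", "status": {"errorCode": 50126}},
]
AUDIT_LOG = [
    {"activityDisplayName": "User registered security info", "createdDateTime": "2025-02-03T11:41:00Z",
     "targetResources": [{"userPrincipalName": "ceo@example.com"}]},
    {"activityDisplayName": "User registered security info", "createdDateTime": "2025-01-20T11:41:00Z",
     "targetResources": [{"userPrincipalName": "dev@example.com"}]},
]
# The campaign targeted senior leadership, so the watchlist is that group, not the whole directory.
EXECUTIVES = {"ceo@example.com", "cfo@example.com"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def device_code_alerts(signins, watchlist):
    """Successful device code flow sign-ins by watch-listed accounts. Executives rarely
    authenticate this way, so each hit is worth a look even without other evidence."""
    return [r for r in signins
            if r["authenticationProtocol"] == "deviceCode"
            and r["status"]["errorCode"] == 0
            and r["userPrincipalName"] in watchlist]

def mfa_registration_alerts(signins, audits, watchlist, window_hours=24):
    """New security-info registration on a watch-listed account shortly after a
    successful sign-in from an IP already implicated by a device code alert.
    This is the AiTM persistence step: a second authenticator added to the account."""
    bad_ips = {r["ipAddress"] for r in device_code_alerts(signins, watchlist)}
    alerts = []
    for a in audits:
        if a["activityDisplayName"] != "User registered security info":
            continue
        user = a["targetResources"][0]["userPrincipalName"]
        if user not in watchlist:
            continue
        reg_time = _ts(a["createdDateTime"])
        for s in signins:
            age = (reg_time - _ts(s["createdDateTime"])).total_seconds()
            if (s["userPrincipalName"] == user and s["status"]["errorCode"] == 0
                    and s["ipAddress"] in bad_ips and 0 <= age <= window_hours * 3600):
                alerts.append({"user": user, "ip": s["ipAddress"],
                               "registered_at": a["createdDateTime"]})
                break
    return alerts

if __name__ == "__main__":
    for r in device_code_alerts(SIGNIN_LOG, EXECUTIVES):
        print("device code sign-in:", r["userPrincipalName"], r["ipAddress"], r["createdDateTime"])
    for a in mfa_registration_alerts(SIGNIN_LOG, AUDIT_LOG, EXECUTIVES):
        print("authenticator added after suspicious sign-in:", a)
```

The second check is the one that matters after a password reset: revoking sessions removes the stolen refresh token, but an extra authenticator registered on the account survives until someone removes it.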

Venom PhaaS: A Force Multiplier for Cybercrime

The engine behind this operation was the Venom Phishing-as-a-Service platform. This platform featured a professional licensing model, structured token storage, and a full campaign management interface, indicating a high level of commercial development.

Critically, at the time of discovery, Venom had not appeared in any public threat intelligence feeds or open marketplaces, suggesting it is a closed-access, private service. This makes the phishing platform particularly dangerous, as its capabilities are not limited to a single operator but can be rented by others.

Researchers warn that the discovery of Venom acts as a force multiplier. The techniques documented are engineered to work together in an end-to-end pipeline where each stage actively protects the next. Consequently, defensive strategies that rely on MFA as an impenetrable final barrier require immediate reassessment. For more on evolving authentication threats, see our analysis on advanced MFA bypass techniques.

In summary, the Venom platform represents a significant shift towards industrialized, service-based cybercrime. Its focus on high-value targets, sophisticated evasion, and MFA circumvention means organizations must adopt more proactive, behavior-based security measures to defend their most critical accounts.

Duc Money Transfer App Exposes Thousands of Driver’s Licenses and Passports in Major Security Failure

A significant security failure at a Canadian fintech company has put the personal data of potentially hundreds of thousands of people at risk. The Duc App, a money-transfer service, left a cloud storage server containing sensitive user documents openly accessible to anyone on the internet without a password. This incident highlights a persistent and dangerous trend in digital finance.

How the Duc App Data Breach Happened

Security researcher Anurag Sen discovered the exposed server earlier this week. The server, hosted on Amazon Web Services, was configured to publicly list its contents. Consequently, anyone with a web browser could view and download the files simply by knowing its web address. The data was stored without encryption, removing any final barrier to accessing the full contents of the files.

According to Sen’s analysis, the server contained over 360,000 files. These were not just random documents; they were the core identity verification materials submitted by users. This means the breach involved driver’s licenses, passports, and user-uploaded selfies—the very documents used to prove “who you are” in the digital world.

The Scope of the Exposed Information

The exposure was not limited to static images. The server also held spreadsheets with detailed customer records. These files listed names, home addresses, and the specific dates, times, and details of financial transactions. The files dated back to September 2020 and were being updated daily, indicating a live, ongoing leak of personal and financial data.

Company Response and Lingering Questions

When contacted by TechCrunch, Duales CEO Henry Martinez González stated the data was on a “staging site” used for testing. However, he did not explain why real, sensitive customer information was present on a test server or why that server was publicly accessible. His claim that “all protections are in place” stands in stark contrast to the reality of the open server.

After the notification, the company made the files inaccessible. Nevertheless, a critical question remains unanswered: Martinez González would not confirm if the company has logs to determine who accessed the data or how many times it was downloaded. This lack of visibility means affected users may never know if their data was copied by malicious actors.

A Recurring Problem in Digital Verification

This Duc App data breach is not an isolated event. It fits a worrying pattern where companies aggressively collect sensitive identity documents but fail to implement corresponding security measures. Apps and websites increasingly demand passports and driver’s licenses for “Know Your Customer” (KYC) checks, yet the custodianship of this data is often shockingly weak.

For instance, last year, the social app TeaOnHer exposed thousands of similar documents required for user verification. In another case, Discord confirmed a breach affecting about 70,000 government IDs uploaded for age verification. Each incident erodes user trust and demonstrates a systemic failure to prioritize data security from the outset.

Therefore, the core issue extends beyond a single misconfigured server. It points to a flawed approach where data collection is prioritized over data protection. Companies treat sensitive ID documents as just another file type, storing them in standard cloud buckets without the stringent, additional safeguards they inherently require.

Regulatory Scrutiny and User Fallout

In response to this incident, the Office of the Privacy Commissioner of Canada has initiated contact with Duales. The regulator is seeking more information to determine its next steps, which could include an investigation and potential penalties. This regulatory attention is becoming more common as the frequency and severity of such breaches increase.

For users of the Duc App, the implications are severe. Exposure of a driver’s license or passport number creates a high risk of identity theft and fraud. These documents are difficult to change and are master keys to a person’s identity. Combined with exposed home addresses and transaction histories, the potential for targeted phishing attacks or financial fraud is significantly heightened.

As a result, affected individuals must remain vigilant. They should monitor their financial accounts for unusual activity, be wary of sophisticated phishing attempts referencing their Duc App transactions, and consider placing fraud alerts with credit bureaus. For more guidance on protecting yourself after a data breach, read our guide on post-breach security steps.

Preventing the Next Cloud Storage Catastrophe

So, what can be done to stop this cycle? First, companies must adopt a “security by design” philosophy. Sensitive data like government IDs should be encrypted at rest and in transit by default. Access should be governed by strict, role-based permissions, not left open to the public internet. Regular security audits and penetration testing are non-negotiable for any service handling financial or identity data.
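An added offline check in the spirit of the steps above (my own example, not code from Duc or Duales): it evaluates a bucket policy, its public access block settings and its default encryption as they would be returned by the S3 API, reporting the weak configuration that reproduces the failure mode beside a corrected one. The bucket name, account id and role ARN are constructed placeholders.

```python
import json

# Constructed policies (placeholder bucket name, account id and role ARN).
# WEAK reproduces the failure mode: anonymous listing and reads of the whole bucket.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": ["s3:ListBucket", "s3:GetObject"],
                 "Resource": ["arn:aws:s3:::kyc-docs-staging",
                              "arn:aws:s3:::kyc-docs-staging/*"]}]}""")
# HARDENED: one named role may read objects, nothing is granted to "*",
# and any request over plain HTTP is explicitly denied.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-verifier"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-docs-staging/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::kyc-docs-staging", "arn:aws:s3:::kyc-docs-staging/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

# Constructed dicts in the shape of GetPublicAccessBlock / GetBucketEncryption results.
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {k: True for k in WEAK_PAB}
NO_SSE, KMS_SSE = None, {"SSEAlgorithm": "aws:kms"}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Actions that let an anonymous caller enumerate or fetch objects (matched case-insensitively).
EXPOSING = {"s3:*", "s3:get*", "s3:list*", "s3:listbucket", "s3:getobject"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_anyone(p):
    # Both the bare "*" and the {"AWS": "*"} form mean any principal, anonymous included.
    return p == "*" or (isinstance(p, dict) and any("*" in _as_list(v) for v in p.values()))

def public_findings(policy):
    """(action, resource, conditioned) for every Allow an anonymous caller could use.
    Deny statements are ignored because they only narrow access; a conditioned Allow
    is still reported, flagged so a human can judge whether the condition helps."""
    out = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        for act in _as_list(st.get("Action", [])):
            if act.lower() in EXPOSING:
                for res in _as_list(st.get("Resource", [])):
                    out.append((act, res, bool(st.get("Condition"))))
    return out

def bucket_risks(policy, public_access_block, default_encryption):
    """Plain-language list of what is wrong; an empty list means all three checks passed."""
    issues = [f"anonymous {a} on {r}" + (" (conditioned, review)" if c else "")
              for a, r, c in public_findings(policy)]
    issues += [f"{k} is off" for k in PAB_KEYS if not public_access_block.get(k)]
    if not default_encryption:
        issues.append("no default encryption at rest")
    return issues

if __name__ == "__main__":
    print("weak:", bucket_risks(WEAK_POLICY, WEAK_PAB, NO_SSE))
    print("hardened:", bucket_risks(HARDENED_POLICY, HARDENED_PAB, KMS_SSE))
```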

Furthermore, the use of production data on staging or test servers should be strictly prohibited. These environments are inherently less secure and are frequent targets for attacks. Instead, anonymized or synthetic data should be used for all testing and development purposes. Learn more about secure development practices in our article on building secure fintech applications.

Ultimately, the Duc App data breach serves as another stark reminder. In the rush to build and launch digital services, fundamental security practices are too often an afterthought. Until companies are held fully accountable for the data they collect—both legally and in the court of public opinion—these preventable exposures will continue to put millions of people at risk.
