ICE, IRS Explored Using Hacking Tools, New Documents Show

A cache of documents shared with Motherboard show much broader interest from the U.S. government in using malware in criminal investigations.
Image: Smith Collection/Gado/Getty Images

Federal agencies including Immigration and Customs Enforcement (ICE) and the Internal Revenue Service (IRS) are at least exploring the use of, if not actively deploying, hacking tools in criminal investigations, according to a newly released cache of documents shared with Motherboard.

The documents, which stem from a Freedom of Information Act lawsuit brought by activist group Privacy International, the ACLU and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law against various government agencies, are heavily redacted, but draw the contours of how other federal law enforcement agencies beyond the FBI and DEA are interested in hacking criminal suspects.


"The documents show a growing perception among agencies that government hacking is not just acceptable, but an efficient and desirable solution for law enforcement activities. The fact that we’ve seen interest in acquiring hacking capabilities by organisations such as the U.S. Secret Service, the Drug Enforcement Agency, and even the Internal Revenue Service, reveals that there is a broader range of circumstances for which hacking is likely to be used," Laura Lazaro Cabrera, a legal officer from Privacy International, told Motherboard in an emailed statement.

Do you produce NITs for the government? Do you deploy NITs or know anything else about them? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on, or email

Some parts of the Department of Justice, including the FBI, use the term network investigative techniques (NITs) to broadly refer to hacking tools that agencies may use in cases. The FBI has deployed NITs against child abusers, people making bomb threats, and cybercriminals. Often they consist of Word documents or other files that are designed to communicate to an FBI controlled server once opened by a target, revealing their real IP address, particularly if they are using the Tor anonymity network to hide their location. Motherboard previously reported how other NITs deployed by the FBI include exploits targeting the Tails operating system and Tor Browser.


As Motherboard recently revealed, the U.S. Secret Service has also used NITs. The DEA has held discussions with controversial malware vendor NSO Group, and has purchased and used products from Italian surveillance vendor Hacking Team.

But the new documents show that more government agencies are exploring how to use hacking in their own investigations too.

Some of the documents concern ICE, and even some reasons for redactions in the files point to ICE's potential deployment of a remote access tool.

"The HSI Special Agents are seeking legal advice from the OPLA attorneys who provide legal advice back to the HSI Special Agents regarding the possible use of an investigative technique to remotely access an electronic device as part of a criminal investigation/case," one file reads while explaining why some sections have been withheld by the government. The file adds that the HSI Special Agents sought a warrant for the case.

Stephen Smith, a retired federal judge and now the director of the Fourth Amendment and Open Courts at Stanford's Center for Internet and Society, told Motherboard in a phone call that if he was approving a warrant for a network investigative technique, he would want to know the specific information the agency wants to gather, how that information is related to the crime at hand, and how long this surveillance is going to take place for, among other criteria.


"We don't have a lot of information about how often these techniques are being used or which agencies are making use of these techniques," he said. In 2013, Smith denied an FBI application to deploy a NIT that would have infected a target computer with malware and remotely turned on its webcam to try and identify an unknown suspect.

Several ICE emails discuss the case of Operation Pacifier, in which the FBI took over a dark web child abuse site, and deployed malware against the site's visitors in order to obtain their real IP addresses.

"Thought this might be of interest to everyone," the Deputy Chief of the Criminal Law Section at HSI Law Division wrote in one email sharing a legal ruling related to the operation.

One email from an attorney advisor at the U.S. Secret Service to the DHS reads "Have you ever addressed a similar issue at HSI, and if so would you be free for a quick phone call to discuss? We're still at a very conceptual level." The subject of the email reads "Government Use of Malware."

Included in the document disclosure from the IRS is a contract for two products from software manufacturer Adobe: Adobe Experience Manager Forms and Adobe Experience Manager Document Security. It is unclear why an IRS purchase of Adobe software is connected to the use of network investigative techniques. One IRS email describes the purchase as "the Adobe DRM project."


But one reason for the IRS' withholding of records was that a memorandum between a Supervisory Special Agent and a Special Agent in Charge from 2017 would reveal "specific techniques to be utilized and specific procedures and guidelines to be followed, with respect to an undercover operation that IRS CI [Criminal Investigation] sought to deploy to combat certain illegal activity," according to a redaction log. CI is tasked with investigating a wide range of financial and fraud-related crimes, and makes use of other technological investigative tools, including location data harvested from smartphone apps.

ICE and the IRS did not respond to a request for comment or questions on whether they have deployed such techniques, and, if so, to combat what sort of crimes.

Clarification: This piece has been updated to mention other parties that also worked on the lawsuit.