'It's a free-for-all': how hi-tech spyware ends up in the hands of Mexico's cartels

Photograph: Francisco Robles/AFP/Getty Images

Corrupt Mexican officials have helped drug cartels in the country obtain state-of-the-art spyware which can be used to hack mobile phones, according to a senior DEA official.

As many as 25 private companies – including the Israeli company NSO Group and the Italian firm Hacking Team – have sold surveillance software to Mexican federal and state police forces, but there is little or no regulation of the sector – and no way to control where the spyware ends up, said the official.

“It’s a free-for-all,” the official told the Cartel Project, an initiative coordinated by Forbidden Stories, a global network of investigative journalists whose mission is to continue the work of reporters who are threatened, censored or killed. “The police who have the technology would just sell it to the cartels.”

Over the past decade, Mexico has become a major importer of spyware, as officials insist they need to equip themselves against the powerful organised crime groups that have helped drive the country’s murder rate to record levels.

But the surveillance kit has also been used to target individuals not accused of any wrongdoing, including the widow of a murdered journalist, activists campaigning for a sugar tax on sodas and lawyers investigating human rights abuses.

“We found extensive evidence of targeting,” said John Scott-Railton of Citizen Lab at the University of Toronto, which researches spyware. “And that targeting touched all parts of Mexico’s civil society, as well as its political culture.”

An investigation by the Cartel Project can reveal that a 10th Mexican journalist – editor of the country’s foremost investigative magazine – was targeted with the “Pegasus” spyware sold by the Israeli company NSO Group, according to technical analysis by Amnesty International.

Since 2000, 119 journalists have been killed in Mexico, according to the Committee to Protect Journalists, making it the most dangerous country in the world for members of the press, outside a warzone.

Now, 25 international media outlets have come together to pursue the stories of their murdered Mexican colleagues.

Working together across 18 different countries over the course of 10 months, the consortium investigated the global networks of Mexican drug cartels and their political connections around the world.

The collaboration was coordinated by Forbidden Stories, a global network of investigative journalists whose mission is to continue the work of reporters who are threatened, censored or killed.

By simultaneously publishing their stories, the members of The Cartel Project mean to send a powerful message to enemies of the free press: “Killing the journalist won’t kill the story.”

Mexico was one of NSO’s biggest clients for much of the last decade. After an initial contract signed with the secretary of national defense, the Israeli company cemented its place in the market in 2014 by signing a $32m contract with the attorney general’s office.

But more than 20 other companies offering spyware are active in the country, according to the DEA official.

“It seems that almost every tech out there at some point has either been pitched to Mexico, demoed there or perhaps used there,” said Scott-Railton.

The UK has also recently got in on the act. Since 2018, the UK has sold Mexico spyware – telecommunications-jamming equipment and interception technology – worth $300,000, which analysts say can be used in conjunction to listen to targets’ conversations, according to government data published by Campaign Against the Arms Trade.

“We are observing a series of explosions in growth of the industry, some of them driven by demand, especially as the demand evolves just from national security services down to more regional and local police services,” added Scott-Railton.

Many of those regional and state forces are accused of colluding with the crime organisations they are supposed to be confronting, so the spyware can easily pass into the hands of the mafia or corrupt politicians.

In the US trial of drug capo Joaquín “El Chapo” Guzmán Loera, one engineer testified that he bought “interception equipment that allows access to phone calls, the internet, text messages” for the Sinaloa cartel. But crime factions who do not have their own engineers can easily corrupt officials who, according to the DEA, agree to hack targets in exchange for bribes.

The nexus between state and criminal forces has fuelled a wave of targeted violence which has made Mexico the most dangerous country for journalists in the world, outside a war zone. At least 119 media workers have been killed in Mexico since 2000, according to the Committee to Protect Journalists, and the inevitable fear for reporters is that surveillance could lead to more tangible dangers.

In 2016, Jorge Carrasco, editor-in-chief of the Mexican news weekly Proceso, received a text message from an unknown number: “Hello Jorge. I am sharing this memo that Animal Politico published today. I think it’s important to reshare.”

The message came with a link. “Who is this?” Carrasco texted back. The sender never responded.

Analysis by Amnesty International revealed that the mysterious message was an attempt to gain access to Carrasco’s phone using NSO Group’s Pegasus spyware. When clicked, the link installs invisible software that extracts all the phone’s data, including text messages. It also enables the microphone and camera to be activated remotely.

“This is part of many attempts to know that we journalists are investigating … it’s an act of intimidation,” said Carrasco, who at the time was delving into the huge cache of leaked offshore financial documents known as the Panama Papers.

According to Amnesty, the phone number that targeted Carrasco was the same number used to send multiple text messages containing malicious links to Carmen Aristegui – one of the country’s best-known investigative journalists who was responsible for a string of embarrassing revelations about then-president Enrique Peña Nieto. The same domain name was also used in 2017 with the same software to target supporters of a soda tax.

“We have seen a narrative that uses security issues in Mexico and the violence related to organised crime as an excuse, as a selling point to spend large sums of money in acquiring technology allegedly to be used under this context,” said Luis Fernando García, director of RD3, a digital rights organisation. “Even though, as we know in Mexico, the line between organised crime and the government is nonexistent or frequently very blurry.”

According to statistics from the Mexican government, more than a third of attacks on journalists were committed by public officials.

Gérard Araud, the former French ambassador to Washington who worked as NSO Group’s external adviser on human rights issues from 2019 to 2020, admitted to the Cartel Project that he did not know “everything that was implemented or what was not”.

“Secrecy is an integral part of the business, which puts my contribution into perspective,” he said. “My job was more to have discussions with the investors, rather than with the company itself.”

NSO Group has praised Araud’s “important role” in advising the company.

In a written statement to the Cartel Project, the company said it had investigated all alleged misuses of its technology, adding that “in multiple instances, NSO [had] terminated contracts and severed relationships with customers after misuses were identified,” without naming any specific client.

Israeli authorities have not sanctioned NSO Group despite evidence of Pegasus being used against civilians, and continue to renew its export license.

“The fact that there were journalists and activists targeted with Pegasus, for the Israeli government that’s just a basic fact of life,” said Eitay Mack, an Israeli human rights lawyer.

A spokesperson from the Israel ministry of defense told Forbidden Stories: “Human rights, policy and security issues are all taken into consideration.”

Spy state

Political spying is not new to Mexico. In the state of Veracruz, where 19 journalists have been killed since 2012, a sophisticated espionage unit run by the public security ministry has been in place since the 1990s, according to well-placed government sources.

The unit kept detailed files on journalists, activists and political opponents detailing their professional relationships, political affiliations, and sexual orientation, the sources said. Intelligence officers maintained a network of paid informants – including waiters, shoeshiners, street vendors, small scale drug dealers, as well as bogus activists and journalists – who were paid in cash, gifts and political favours.

The state’s surveillance technology was upgraded between 2016 and 2018, when the unit acquired high tech spyware from Europe, sources confirmed.

But leaked emails from Hacking Team revealed that by 2012, Veracruz already had access to a trial version of the company’s Remote Control System (RCS), which infects computers through malicious files.

“Veracruz has very sophisticated spy technology. It’s not Pegasus, but it’s just as good,” reported a well-placed source. “Intelligence analysts are very experienced and have the skill and technology to hack into phones and computers.”

Ironically, Hacking Team’s emails were hacked and published online in 2015.

In 2018, the current governor of Veracruz announced an end to such activities, but it’s unclear if the spying was suspended or dismantled permanently. The state’s public security department did not respond to multiple emails from the Cartel Project.

Javier Duarte, the former governor of Veracruz, with police in Guatemala in 2017. Photograph: STRINGER/Reuters

For journalists, the situation is particularly dangerous. In 2012, journalist Regina Martínez was murdered while investigating allegations of corruption and organised crime during the administration of two state governors, Fidel Herrera and Javier Duarte. Sixteen journalists were murdered during Duarte’s six-year term, when reporters and photographers said surveillance intensified.

Andrés Timoteo, a friend and colleague of Martínez, said that she always felt watched. “She heard noises from her phone, echoes. But we were all spied on. It was part of daily life.” Timoteo fled Mexico after Regina Martínez was murdered, fearing for his safety.

Duarte is currently serving nine years after admitting some corruption charges and admitting to working with criminal elements.

Mexico’s opaque and lucrative system of cyber-surveillance contracts is ripe for corruption, according to García, director of RD3. “Companies and intermediaries fight for becoming friends with the official that makes the decision of who to allocate the contract to.”

Hacking Team appeared to find a friend in Tomás Zerón, former chief director of the Criminal Investigation Agency (AIC) at the attorney general’s office. “His idea is, step by step and if is getting success, install an RCS on each [local prosecutor] of the country,” wrote a Hacking Team employee in an email in 2014 which was subsequently leaked.

Zerón is currently a fugitive from justice and believed to be in Israel, according to the Mexican president, Andrés Manuel López Obrador. He is charged with embezzlement related to three contracts to acquire espionage equipment between 2013 and 2014, among other crimes. He is also wanted for falsifying elements of an investigation into the forced disappearance of 43 trainee teachers from Guerrero in 2014. Citizen Lab was able to prove that a group of international experts investigating this case were also targeted by Pegasus software.

Israel’s foreign ministry said: “Israel has received a request [from the Mexican authorities] about this and we are looking into the matter.”

The former director of Hacking Team, David Vincenzetti, declined to respond to questions from the Cartel Project. The company was sold in 2019.

Amid growing criticism of the misuse of spyware, the newly elected President López Obrador said that the government would stop using Pegasus software, but has not commented on the topic since.

Neither the president nor the attorney general’s office responded to questions from the Cartel Project on this subject.

David Kaye, the UN special rapporteur on freedom of expression until July 2020, said: “We’re in a situation where we need to assume that these tools are still available to be used, and it’s up to the government to demonstrate that they’ve put them under significant rule of law constraint.”

Reporting by Cecile Schilis-Gallego (Forbidden Stories) and Nina Lakhani (the Guardian). Additional reporting by Paloma Dupont de Dinechin (Forbidden Stories), Amitai Ziv (Haaretz) and Mathieu Tourlière (Proceso)