Journalists and human rights defenders in Mexico were hacked using spyware made by Israel’s NSO Group as recently as 2021, even after the country’s current government swore it was no longer going to use the hacking software, new research has found.
The alleged victims of the spyware include two journalists who report on issues related to official corruption and a prominent human rights defenders, according to digital rights researchers at R3D (Red en Defensa de los Derechos Digitales) and The Citizen Lab at the University of Toronto, which tracks such infections.
The news was considered especially shocking in light of political promises by Mexico’s current president, Andrés Manuel López Obrador, that the country would no longer use spyware.
His statement followed revelations by the Guardian and more than a dozen other media organizations who reported last year that the phone numbers of at least 50 people linked to the Mexican president, popularly known as Amlo – including his wife, children, aides and doctor – were included in a leaked database at the heart of the Pegasus Project, an investigation into NSO.
The database contained tens of thousands of phone numbers of people who are believed to have been selected as people of interest by government clients of NSO.
The news created a storm in Mexico in part because the extraordinary number of Mexican numbers in the leaked data – about 15,000 individuals including priests, victims of state-sponsored crimes and the children of high-profile figures – appeared to undermine NSO’s claims that its hacking software should only be used by its government clients to fight serious crime and terrorism.
Mexico was the first country in the world to buy Pegasus, and the software was purchased or operated by various state organs including the defense ministry, the attorney general’s office, the national security intelligence service (Cisen).
R3D, who received technical support from Citizen Lab, said their new research shows abuses involving Pegasus continued in Mexico.
R3D said its research had led it to conclude with high confidence that the human rights defender Raymundo Ramos was hacked using Pegasus at least three times between August and September 2020. In one case Ramos was found to have been digitally infected with Pegasus after the publication of a video that showed extrajudicial killings of civilians by the Mexican army, which was a case Ramos had discussed in the media.
It also found that journalist Ricardo Raphael, who was reportedly previously targeted and hacked in 2016 and 2017 by a government client of NSO, was hacked using Pegasus again at least three times in 2019 and once in 2020.
Raphael is known for taking on corruption and the nexus between the Mexican government and cartels. When he was first reportedly hacked in 2016, he was reporting on investigations into the forced disappearance of 43 student teachers.
In 2020, the research showed, he was infected with spyware after writing about extrajudicial detentions and impunity, including in an editorial for the Washington Post. In December that year he was infected shortly after accusing Mexico’s attorney general of misconduct in connection to the student disappearances.
R3D noted that each of the hacked individuals would be of “intense interest” to entities within the Mexican government and, in some cases, cartels.
Citizen Lab said: “These latest cases, which come years after the first revelations of problematic Pegasus targeting in Mexico, illustrate the abuse potential of mercenary spyware in a context of flawed public accountability and transparency. Even in the face of global scrutiny, domestic outcry, and a new administration that pledged to never use spyware, the targeting of journalists and human rights defenders with Pegasus spyware continued in Mexico.”
Responding to the latest report, Amlo denied that his administration spied on reporters or political opponents. “It’s not true that journalists or opponents are spied on,” López Obrador told reporters on Tuesday.
NSO has said the database at the heart of the Pegasus Project had no connection to the Israeli company. It has also said it has no knowledge of how its spyware is used – or against whom – and that it investigates all credible allegations of abuse.
In response to questions about the new Mexico findings, an NSO spokesperson said the only way the new data could be verified is if it was reviewed by NSO, but that it had not been given access to the data by Citizen Lab.
NSO also accused Citizen Lab of not being able to differentiate between its spyware tools and those of other cyber intelligence companies.
The NSO spokesperson said: “NSO does not operate Pegasus, has no visibility into its usage, and does not collect information about customers or who they monitor. NSO licenses Pegasus solely to law enforcement and intelligence agencies of sovereign states and government agencies following approval by the Israeli government. When we determine wrongdoing, we terminate contracts.”
Citizen Lab’s senior researcher John Scott-Railton responded to the criticism. He told the Guardian: “When NSO can’t deny the abuses, they try to discredit the research. Our research into NSO’s spyware has been independently validated, and has resulted in patches to billions of devices.”
Scott-Railton added: “NSO’s claims to be the only party that can ‘truly’ verify infections is like a robber claiming to be the only one who can truly confirm whether he committed a crime.”