New Pegasus spyware exploits identified in Mexico | Catch My Job


Key Takeaways

  • The Mexican digital rights organization R3D (Red en Defensa de los Derechos Digitales) has identified Pegasus infections of journalists and human rights defenders that occurred between 2019 and 2021.
  • Citizen Lab provided technical support for the R3D analysis and confirmed the infections.
  • Among the victims are two journalists who report on issues related to official corruption and a prominent human rights defender.
  • Opposition politician Agustin Basave Alanis was also infected with Pegasus spyware in 2021.
  • The infections occurred years after the first revelations about Pegasus abuse in Mexico.
  • They also came after Mexico’s current president, Andrés Manuel López Obrador, assured the public that the government was no longer using spyware and that there would be no further abuses.

Click here to read the full R3D report.

Note: The report was updated on October 19, 2022 to add the additional case of Mexican opposition politician Agustin Basave Alanis (see: “October 19, 2022 Update: Agustin Basave Alanis” below).


In 2017, Citizen Lab, together with partners R3D, SocialTic and Article19, published a series of eight reports on widespread targeting with Pegasus in Mexico. Many sectors of Mexican civil society were targeted, including investigative journalists, lawyers for the families of cartel victims, anti-corruption groups, prominent lawmakers, international investigators looking into enforced disappearances, and even the wife of a journalist murdered by a cartel.

A public scandal ensued when the Pegasus targeting was first revealed, resulting in extensive scrutiny of the surveillance practices of Mexican authorities, and of prosecutors in particular. A criminal investigation was also opened in Mexico and remains ongoing.

In 2021, as part of the Pegasus Project revelations (a collaboration between Forbidden Stories, Amnesty International’s Security Lab and a coalition of media organizations), it was reported that at least 50 people in the circle of Andrés Manuel López Obrador, the current president of Mexico, were among the individuals potentially selected for surveillance with Pegasus between 2016 and 2017. The children and wife of the current president were among those targeted. The same reporting indicated that at least 45 Mexican governors and former governors may have been similarly selected for surveillance.

Project Pegasus also revealed that a wide range of Mexican civil society, from teachers to journalists, lawyers and international investigators looking into enforced disappearances, may have been singled out for surveillance.

In 2019, after taking power, López Obrador assured Mexicans in a televised press conference that there would be no more Pegasus abuses in Mexico:

“We are not involved in that. We have decided here that there will be no persecution against anyone. When we were in the opposition we were spied on (…) now it is forbidden. We didn’t acquire interception systems, among other things, because of the corruption that was involved in the acquisition of all this equipment at very high prices, foreign companies, spy systems, a lot of money was spent, there was unused equipment bought by the previous government. We don’t do that. And we don’t do that because it’s a matter of principle.” [informal translation]

In 2021, the Mexican president reiterated his claim that the Mexican government did not spy with Pegasus, saying in response to a question: “This is not happening. The government is not spying on anyone.” [informal translation]

R3D’s latest revelations indicate that the abuse of Pegasus has continued in Mexico. Their report also highlights evidence of recent contracts between Mexico’s Secretariat of National Defense (SEDENA) and companies associated with the earlier sale of Pegasus to the Mexican government.

New findings

R3D, with technical support from Citizen Lab, determined that Mexican journalists and a human rights defender were infected by Pegasus between 2019 and 2021.

These cases differ from previous findings in two important ways:

  • We confirm the 2019-2021 Pegasus infections using forensic analysis of artifacts collected from the devices. Previous Citizen Lab findings in Mexico confirmed only Pegasus targeting (evidenced by a malicious message sent to the device), not infection.
  • The 2019-2021 infections used zero-click exploits: no deception was required to trick victims into clicking a link. Citizen Lab’s previous reports on cases in Mexico described malicious text messages designed to trick targets into clicking on a link that would trigger an infection.

Our technical validation of the forensic artifacts collected from the devices of these individuals with their consent leads us to conclude with high confidence that:

  • Human rights defender Raymundo Ramos was hacked with Pegasus at least three times between August and September 2020.
  • Journalist and writer Ricardo Raphael was hacked with Pegasus at least three times in October and December 2019 and again in December 2020. He was also targeted and infected in 2016 and targeted again in 2017.
  • An anonymous journalist from the respected online media outlet Animal Politico was hacked in June 2021.

Further details for each case are given in Appendix A.

We conclude with high confidence that these individuals were hacked with Pegasus spyware. The technical data available for these recent cases (2019-2021) does not allow us to attribute the hacking to a specific NSO Group customer (operator) at this time. However, each of the victims would be of great interest to entities within the Mexican government and, in some cases and worryingly, to the cartels.

Context for the hacking

The report published by R3D provides useful context for understanding the potential drivers for Pegasus targeting and infections, which we summarize here:

Raymundo Ramos Vásquez

Ramos has spent years documenting human rights abuses committed by the Mexican army and navy in the state of Tamaulipas:

  • Ramos was infected with Pegasus in August and September 2020. R3D found that the infections occurred after the release of a video showing the extrajudicial killing of civilians by the Mexican military in Tamaulipas. Ramos spoke to the media about the case.
  • During the period of the infections, Ramos met with representatives of the Office of the United Nations High Commissioner for Human Rights (OHCHR), the Mexican National Human Rights Commission (CNDH), officials from the Mexican Navy and the Secretariat of Defense, and members of the media.

Ricardo Raphael

Raphael, a prominent journalist and author who focuses on topics including official corruption and the relationship between the Mexican government and cartels, was repeatedly targeted and infected with Pegasus spyware:

  • Raphael was first targeted and infected in 2016, and targeted again in 2017 during a period of critical coverage of the investigations into the Iguala mass disappearances (the 2014 disappearance of 43 Ayotzinapa students).
    • We attribute the 2017 targeting to the operator we call RUDE-1, which also targeted the spouse and colleagues of a slain Mexican journalist, as well as Mexican public health researchers. Circumstantial evidence links RUDE-1 to the Mexican government, since the operator spied exclusively in Mexico.
  • In 2019, he was repeatedly infected with Pegasus while on tour for a book that gives a fictional account of the Los Zetas cartel and its origins in the Mexican military.
  • In 2020, he was infected after writing about extrajudicial detentions and official impunity, for example in an op-ed in The Washington Post. Shortly before he was infected in December 2020, he accused the Mexican Attorney General’s office of serious misconduct in its investigation of the Iguala mass disappearances. This criticism was quoted by the respected news outlet Aristegui Noticias the day before the hack.

According to the R3D report, Raphael stated that in 2022, portions of his private communications were taken out of context and shared with his contacts in an apparent attempt to discredit him.

Anonymous Animal Politico reporter

Animal Politico is a prominent online news site reporting on topics such as official corruption, extrajudicial killings and accountability:

  • A journalist from that outlet was infected on the same day they published a report on human rights violations by the Mexican armed forces.

October 19, 2022 Update: Agustin Basave Alanis

On October 18, 2022, we publicly confirmed that analysis of forensic indicators from the device of Mexican opposition legislator Agustin Basave Alanis identified a Pegasus spyware infection that occurred sometime between 2021-09-05 and 2021-09-11. Basave, a member of the Chamber of Deputies, is the secretary of the Civil Security Commission and belongs to the Movimiento Ciudadano (“Citizens’ Movement”) party. Reporting by Reuters notes that Basave is close to Luis Donaldo Colosio Riojas, who is considered a potential presidential candidate in 2024. The R3D report indicates that the timing of the infection coincides with Colosio Riojas’ visit to the Chamber of Deputies.

The need for an independent investigation

These latest cases, which come years after the first revelations of problematic Pegasus targeting in Mexico, illustrate the potential for mercenary spyware abuse where public accountability and transparency have failed. Even in the face of global scrutiny, domestic outrage, and a new administration that pledged never to use spyware, Pegasus has continued to be used against journalists and human rights defenders in Mexico.

Appendix A: Victim details

Pegasus victim: Raymundo Ramos

Analysis of forensic indicators collected from the device of human rights defender Raymundo Ramos shows that it was infected with the KISMET zero-click exploit on or about:

  • 2020-08-28
  • 2020-09-02
  • 2020-09-03

Pegasus victim: Ricardo Raphael

Analysis of forensic indicators from journalist Ricardo Raphael’s phone shows that it was hacked three times in 2019 with what we call the HOMAGE zero-click exploit, on or around:

  • 2019-10-30
  • 2019-11-07
  • 2019-11-16

Raphael was then hacked with another zero-click exploit on or about:

Analysis of Raphael’s device also found evidence of earlier Pegasus targeting and infection as far back as 2016.

Raphael was first targeted on May 26, 2016 via a Pegasus SMS:

Date: May 26, 2016
From: +525572778337
Message: Tomar justicia k propia mano es prueba del Edo. fallido i la crisis institutional, este video es prueba ello hkkp://bit[.]li/1sB5kiPT
Translation: Taking justice into one’s own hands is proof of a failed state and institutional crisis; this video is proof of that [malicious link]

The shortened URL redirects to the Pegasus infection domain hkkps://netvork190[.]com/5557819s/.

This targeting resulted in a Pegasus infection.

Raphael was targeted twice more via SMS in 2017. We found no evidence that this targeting resulted in successful infections.

Date: February 22, 2017
From: +523338200726
Message: Mi estimado Ricardo hoi publikue mi columna en 24 horas, esperando tu mejor opinion saludos: hkkp://bit[.]li/2lM9jkp
Translation: Dear Ricardo, today I published my column in 24 Horas, awaiting your opinion, greetings: [malicious link]

The URL redirects to hkkps://notisms[.]net/bNBzPerL. The domain notisms[.]net was part of NSO Group’s Pegasus infection infrastructure at the time the message was sent. We link the notisms[.]net domain to the operator we call RUDE-1, which we associate with the Mexican government.

Date: February 24, 2017
From: +522222607851
Message: Has realizado un Retiro/Compra Tarjeta **** Amount $23,500.00 MN Verifikacie detalles de operación: hkkps://banca-movil[.]net/Fi9iZJURT
Translation: You have made a card withdrawal/purchase **** amount $23,500.00 MN. Verify transaction details: [malicious link]

The domain banca-movil[.]net was also part of NSO Group’s Pegasus infection infrastructure at the time the message was sent. We link the banca-movil[.]net domain to the operator we call RUDE-1, which we associate with the Mexican government.
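The three SMS lures above share a pattern that a defender can screen for: a link whose host is either a known infection domain or a public shortener that hides the real destination. The script below is an added example (not Citizen Lab’s, R3D’s or NSO Group’s code) that refangs report-style indicators (`hkkp://`, `[.]`), extracts the hosts from SMS bodies and matches them against the three infection domains named in this appendix. The sample messages are constructed from the lure texts quoted above; the shortener list and the `scan_messages` verdict labels are assumptions for illustration. A shortener hit only means the redirect still has to be expanded before a judgement is possible, which the script does not do because it runs offline.

```python
import re
from urllib.parse import urlparse

# Pegasus infection domains named in the report, kept defanged as the report writes them.
REPORT_DOMAINS = ["netvork190[.]com", "notisms[.]net", "banca-movil[.]net"]

# Assumed shortener list. A hit here cannot be judged without expanding the redirect
# (the 2016 lure used a shortened link that redirected to netvork190[.]com); bit[.]li is
# the shortener host exactly as this report's defanged messages spell it.
SHORTENERS = ["bit.ly", "bit[.]li"]

# Matches real schemes (http, https) and defanged ones (hxxp, hkkp, ...).
URL_RE = re.compile(r"h\w\wps?://[^\s<>\"']+", re.IGNORECASE)
SCHEME_RE = re.compile(r"^h\w\wp(s?)://", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo defanging so the value parses as a normal URL or hostname."""
    text = text.replace("[.]", ".")
    return SCHEME_RE.sub(lambda m: "http" + m.group(1).lower() + "://", text)


def extract_hosts(message: str) -> list[str]:
    """Return the lowercase hostname of every URL found in an SMS body."""
    hosts = []
    for url in URL_RE.findall(message):
        host = urlparse(refang(url)).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def in_watchlist(host: str, watchlist: list[str]) -> bool:
    """Exact or subdomain match against refanged watchlist entries."""
    for entry in (refang(d).lower() for d in watchlist):
        if host == entry or host.endswith("." + entry):
            return True
    return False


def scan_messages(messages: list[dict]) -> list[dict]:
    """Flag messages whose links point at known infrastructure or at a shortener.

    Verdicts (assumed labels): "infrastructure" for a report domain,
    "shortener" for a link that needs expansion before it can be judged.
    """
    findings = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            if in_watchlist(host, REPORT_DOMAINS):
                verdict = "infrastructure"
            elif in_watchlist(host, SHORTENERS):
                verdict = "shortener"
            else:
                continue
            findings.append({"date": msg["date"], "sender": msg["sender"],
                             "host": host, "verdict": verdict})
    return findings


# Constructed sample: the three lures quoted in the report plus one benign message.
SAMPLE_MESSAGES = [
    {"date": "2016-05-26", "sender": "+525572778337",
     "text": "Tomar justicia k propia mano es prueba del Edo. fallido i la crisis "
             "institutional, este video es prueba ello hkkp://bit[.]li/1sB5kiPT"},
    {"date": "2017-02-22", "sender": "+523338200726",
     "text": "Mi estimado Ricardo hoi publikue mi columna en 24 horas, esperando tu "
             "mejor opinion saludos: hkkps://notisms[.]net/bNBzPerL"},
    {"date": "2017-02-24", "sender": "+522222607851",
     "text": "Has realizado un Retiro/Compra Tarjeta **** Amount $23,500.00 MN "
             "Verifikacie detalles de operación: hkkps://banca-movil[.]net/Fi9iZJURT"},
    {"date": "2017-03-01", "sender": "+520000000000",  # constructed benign message
     "text": "Nos vemos mañana, agenda: https://example.com/reunion"},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f['date']} from {f['sender']}: {f['host']} -> {f['verdict']}")
```

Matching on the parsed hostname rather than on the raw string is what makes the subdomain check and the shortener check reliable; a lure that hides an infection domain behind a path or query string still resolves to the same host.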

Pegasus victim: An anonymous Animal Politico reporter

Analysis of forensic indicators collected from the device of the journalist, who wishes to remain anonymous, shows that it was infected once with the FORCEDENTRY zero-click exploit on or around:

