{
	"id": "4155d4a1-14eb-4cf0-9669-438e8c7d81dd",
	"created_at": "2026-04-06T00:06:39.541983Z",
	"updated_at": "2026-04-10T03:21:28.149934Z",
	"deleted_at": null,
	"sha1_hash": "82c93ca17410a863c8667ae76443d2705a389dcd",
	"title": "New Pegasus Spyware Abuses Identified in Mexico - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93063,
	"plain_text": "New Pegasus Spyware Abuses Identified in Mexico - The Citizen\r\nLab\r\nArchived: 2026-04-02 12:34:54 UTC\r\nKey Findings\r\nThe Citizen Lab provided technical support for R3D’s analysis and validated the infections.\r\nVictims include two journalists that report on issues related to official corruption and a prominent human\r\nrights defender.\r\nOpposition politician Agustín Basave Alanís was also infected with Pegasus spyware in 2021.\r\nThe infections occurred years after the first revelations of Pegasus abuses in Mexico.\r\nMexican digital rights organization R3D (Red en los Defensa de los Derechos Digitales) has identified\r\nPegasus infections against journalists and a human rights defender taking place between 2019-2021.\r\nThey also occurred after Mexico’s current President, Andrés Manuel López Obrador, assured the public\r\nthat the government no longer used the spyware and that there would be no further abuses.\r\nNote: Report updated on October 19, 2022 to add the additional case of Mexican opposition politician Agustín\r\nBasave Alanís (see: “October 19, 2022 Update: Agustín Basave Alanís,” below).\r\nClick here to read the full R3D report.\r\nBackground\r\nIn 2017, the Citizen Lab, along with partners R3D, SocialTic and Article19, released a series of eight reports on\r\nwidespread Pegasus targeting in Mexico. Many sectors of Mexican civil society were targeted, including\r\ninvestigative journalists and lawyers for cartel victims’ families, anti-corruption groups, prominent lawmakers,\r\ninternational investigators examining enforced disappearances, and even the spouse of a journalist killed in a\r\ncartel slaying.\r\nA public scandal ensued when the Pegasus targeting was first revealed, resulting in extensive scrutiny into the\r\nsurveillance practices of Mexican authorities, and especially prosecutors. A still-ongoing criminal investigation\r\nwas also opened in Mexico.\r\nIn 2021, as part of the Pegasus Project revelations (a collaboration between Forbidden Stories, Amnesty\r\nInternational’s Security Lab, and a coalition of media organizations), it was reported that at least 50 people in the\r\ncircle of Andrés Manuel López Obrador, Mexico’s current president, were among individuals potentially selected\r\nfor surveillance with Pegasus between 2016-2017. The targets included the now-President’s children and spouse.\r\nThe same report indicated that at least 45 Mexican governors and former governors may have been similarly\r\nselected for surveillance.\r\nhttps://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/\r\nPage 1 of 5\n\nThe Pegasus Project also found that a wide swath of Mexican civil society, from teachers to journalists, lawyers\r\nand international investigators examining enforced disappearances, may have been selected for surveillance.\r\nIn 2019, after taking power, López Obrador assured Mexicans in a televised press conference that there would be\r\nno more Pegasus abuses in Mexico:\r\n“We are not involved with that. Here we decided that there would not be any persecution against anyone. When we\r\nwere in the opposition we were spied on (…) now that is prohibited. We have not purchased systems for\r\ninterceptions, among other things because of the corruption that was involved in the purchase of all of this\r\nequipment at very elevated prices, to foreign companies, spy systems, a lot of money was spent, there is still\r\nunused equipment purchased in the previous government. We don’t do that. And we don’t do it because it is a\r\nmatter of principle”. [informal translation]\r\nIn 2021, Mexico’s president reiterated his claim that the Mexican government was not spying with Pegasus,\r\nsaying in response to a question: “This does not happen. The government does not spy on anyone.” [informal\r\ntranslation]\r\nThe latest findings by R3D indicate that Pegasus abuses continued in Mexico. Their report also highlights\r\nevidence of recent contracts between Mexico’s Secretary of National Defense (SEDENA), and companies linked\r\nto prior sales of Pegasus to the Mexican government.\r\nNew Findings\r\nR3D, with technical support from the Citizen Lab, has determined that Mexican journalists and a human rights\r\ndefender were infected with Pegasus between 2019 and 2021.\r\nThese cases differ from previous findings in two important ways:\r\nWe validate the 2019-2021 Pegasus infections using forensic analysis of artifacts collected from devices.\r\nPrior Citizen Lab findings in Mexico only confirmed Pegasus targeting (as evidenced by a malicious\r\nmessage sent to a device).\r\nThe 2019-2021 infections leveraged zero-click attacks: no deception was required to trick victims into\r\nclicking. The Citizen Lab’s previous reports on Mexican cases found malicious text messages designed to\r\ntrick targets into clicking on a link that would trigger an infection.\r\nOur technical validation of forensic artifacts collected from the devices of these individuals with their consent\r\nleads us to conclude with high confidence that:\r\nHuman rights defender Raymundo Ramos was hacked with Pegasus at least three times between August\r\nand September 2020.\r\nJournalist and author Ricardo Raphael was hacked with Pegasus at least three times in October and\r\nDecember 2019, and again in December 2020. He was also previously targeted and infected in 2016, and\r\ntargeted in 2017.\r\nAn anonymous journalist from prominent online media outlet Animal Politico was hacked in June 2021.\r\nFurther details for each case are provided in Appendix A.\r\nhttps://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/\r\nPage 2 of 5\n\nWe assess with high confidence that these individuals were hacked with Pegasus spyware. The technical data\r\navailable for these recent cases (2019-2021) does not enable us to attribute the hacking to a particular NSO Group\r\ncustomer at this time. However, each of the victims would be of intense interest to entities within the Mexican\r\ngovernment and in some cases, troublingly, to cartels.\r\nHacking Timeframe\r\nThe report published by R3D provides helpful context for understanding the potential triggers for Pegasus\r\ntargeting and infections, which we summarize here:\r\nRaymundo Ramos Vázquez\r\nRamos has spent years documenting human rights violations committed by the Mexican Army and Navy in the\r\nstate of Tamaulipas:\r\nRamos was infected with Pegasus in August and September 2020. R3D found that the infections occurred\r\nafter the publication of a video showing the extrajudicial killing of civilians by the Mexican army in\r\nTamaulipas. Ramos had spoken to the media about the case.\r\nDuring the timeframe of the targeting, Ramos was meeting with representatives of the Office of the United\r\nNations High Commissioner for Human Rights (OHCHR), Mexico’s National Human Rights Commission\r\n(CNDH), officials from Mexico’s Navy and Secretary of Defense, and members of the media.\r\nRicardo Raphael\r\nRaphael, a prominent journalist and author who focuses on themes including official corruption and the nexus\r\nbetween the Mexican government and cartels, was extensively targeted and infected with Pegasus spyware:\r\nRaphael was first targeted and infected 2016, and again targeted in 2017 during a period of critical\r\nreporting on investigations into the Iguala Mass Disappearances (the 43 students disappeared in Ayotzinapa\r\nin 2014).\r\nWe attribute the 2017 targeting to an operator that we call RECKLESS-1, which also targeted the\r\nspouse and colleagues of an assassinated Mexican journalist, as well as Mexican public health\r\nresearchers.  Circumstantial evidence connects RECKLESS-1 to the Mexican Government, as the\r\noperator was spying exclusively in Mexico.\r\nIn 2019, he was repeatedly infected with Pegasus while on tour for a book that provides a fictionalized\r\naccount of Los Zetas Cartel and its origins in the Mexican Army.\r\nIn 2020, he was infected after writing on extrajudicial detentions and official impunity, such as this\r\nWashington Post editorial. Not long before he was infected in December 2020, he had accused Mexico’s\r\nAttorney General of serious misconduct in their investigation of the Iguala Mass Disappearances case. This\r\ncritique was cited by prominent news outlet Aristegui Noticias the day prior to the hacking.\r\nAccording to the R3D report, Raphael stated that, in 2022, snippets of a private communication were taken out of\r\ncontext and shared with his contacts in an apparent effort to discredit him.\r\nAnonymous Journalist at Animal Politico\r\nhttps://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/\r\nPage 3 of 5\n\nAnimal Politico is a prominent online news website that reports on themes such as official corruption,\r\nextrajudicial killings, and accountability:\r\nA journalist at the outlet was infected on the same day they published a report on human rights violations\r\nby the Mexican Armed Forces.\r\nOctober 19, 2022 Update: Agustín Basave Alanís \r\nOn October 18, 2022, we publicly confirmed that an analysis of forensic indicators from the device of Mexican\r\nopposition lawmaker Agustín Basave Alanís identified a Pegasus spyware infection occurring sometime between\r\n2021-09-05 and 2021-09-11. Basave, a member of the Chamber of Deputies, is secretary of the Citizen Security\r\nCommission, and belongs to the Movimiento Ciudadano party (“Citizens’ Movement”). Reporting by\r\nReuters notes that Basave is close to Luis Donaldo Colosio Riojas, who is viewed as a potential presidential\r\ncandidate for 2024. A report by R3D indicates that the infection timeframe coincides with a visit by Colosio\r\nRiojas to the Chamber of Deputies.\r\nNeed for an Independent Investigation\r\nThese latest cases, which come years after the first revelations of problematic Pegasus targeting in Mexico,\r\nillustrate the abuse potential of mercenary spyware in a context of flawed public accountability and transparency.\r\nEven in the face of global scrutiny, domestic outcry, and a new administration that pledged to never use spyware,\r\nthe targeting of journalists and human rights defenders with Pegasus spyware continued in Mexico.\r\nAppendix: Victim Details\r\nPegasus Victim: Raymundo Ramos\r\nAnalysis of forensic indicators collected from the device of human rights defender Raymundo Ramos shows that\r\nit was infected with the KISMET zero-click exploit on or around:\r\n2020-08-28\r\n2020-09-02\r\n2020-09-03\r\nPegasus Victim: Ricardo Raphael\r\nAn analysis of forensic indicators from journalist Ricardo Raphael’s phone indicates that he was hacked three\r\ntimes with what we refer to as the HOMAGE zero-click exploit in 2019, on or around:\r\n2019-10-30\r\n2019-11-07\r\n2019-11-16\r\nRaphael was then hacked with a different zero-click exploit on or around:\r\n2020-12-27\r\nhttps://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/\r\nPage 4 of 5\n\nAnalysis of Raphael’s device also found evidence of prior Pegasus hacking and targeting as far back as 2016.\r\nRaphael was first targeted on May 26, 2016 via a Pegasus SMS:\r\nDate: 26 May 2016\r\nFrom: +525572778337Tomar justicia x propia mano es prueba del Edo. fallido y la crisis institucional, este video\r\nes prueba ello hxxp://bit[.]ly/1sB5xiP (Translation:\r\nTaking justice by one’s own hand is proof of a failed state and an institutional crisis, this video is proof of that\r\n[malicious link])\r\nThe URL, which is shortened with bit.ly, redirects to the Pegasus infection domain\r\nhxxps://network190[.]com/5557819s/.\r\nThis targeting resulted in a persistent Pegasus infection.\r\nRaphael was again, twice, targeted via SMS in 2017. We found no evidence that this targeting resulted in\r\nsuccessful infections.\r\nDate: 22 February 2017\r\nFrom: +523338200726Mi estimado Ricardo hoy publique mi columna en 24 horas, esperando tu mejor opinion\r\nsaludos: hxxp://bit[.]ly/2lM9jqp (Translation:\r\nDear Ricardo, my column was published today in 24 Horas, I’d love your opinion, greetings: [malicious link])\r\nThe URL redirects to hxxps://notisms[.]net/bNBzPerL. The domain notisms[.]net was part of NSO Group’s\r\nPegasus infection infrastructure when the message was sent.  We link the domain notisms[.]net to the operator we\r\ncall RECKLESS-1, which we link to the Mexican Government.\r\nDate: 24 February 2017\r\nFrom: +522222607851Has realizado un Retiro/Compra Tarjeta **** monto $23,500.00 M.N. Verifica detalles de\r\noperacion: hxxps://banca-movil[.]net/Fy9yZJUR (Translation:\r\nYou have made a withdrawal /purchase Card **** amount $23,500.00 M.N. Verify transaction details: [malicious\r\nlink])\r\nThe domain banca-movil[.]net was also part of NSO Group’s Pegasus infection infrastructure when the message\r\nwas sent.  We link the domain banca-movil[.]net to the operator we call RECKLESS-1, which we link to the\r\nMexican Government.\r\nPegasus Victim: Anonymous Journalist from Animal Politico\r\nAnalysis of forensic indicators collected from the device of a journalist who prefers to remain anonymous shows\r\nthat it was infected once with the FORCEDENTRY zero-click on or around:\r\n2021-06-10\r\nSource: https://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/\r\nhttps://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/"
	],
	"report_names": [
		"new-pegasus-spyware-abuses-identified-in-mexico"
	],
	"threat_actors": [],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82c93ca17410a863c8667ae76443d2705a389dcd.pdf",
		"text": "https://archive.orkl.eu/82c93ca17410a863c8667ae76443d2705a389dcd.txt",
		"img": "https://archive.orkl.eu/82c93ca17410a863c8667ae76443d2705a389dcd.jpg"
	}
}