{
	"id": "07eb2baf-079d-4554-9e46-35e8db6820b2",
	"created_at": "2026-04-06T00:22:11.042186Z",
	"updated_at": "2026-04-10T03:24:18.686373Z",
	"deleted_at": null,
	"sha1_hash": "f44b2ca07040405764f37df524a658bf29e16a01",
	"title": "Internal documents show Mexican army used spyware against civilians, set up secret military intelligence unit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3769621,
	"plain_text": "Internal documents show Mexican army used spyware against\r\ncivilians, set up secret military intelligence unit\r\nBy Dina Temple-Raston\r\nPublished: 2023-03-07 · Archived: 2026-04-02 11:28:33 UTC\r\nTwo digital rights groups, Mexico's R3D and the University of Toronto’s Citizen Lab, have just released an update\r\nto their “Ejército Espía” (“Spying Government”) report from late last year. In October 2022, they revealed that\r\nthe Mexican army bought spyware and deployed it against at least two Mexican journalists and a human rights\r\nadvocate between 2019 and 2021. While they had compelling circumstantial evidence, there was no smoking gun.\r\nThe newly-released internal classified documents appear to prove it.\r\nLuis Fernando Garcia, a lawyer and executive director of R3D, told Click Here in an interview that a roster of\r\nfreedom of information requests and internal Ministry of Defense documents – released as part of last year’s\r\nmassive hack-and-leak operation by the hacktivist group Guacamaya – connect officials at the highest levels of\r\nthe Mexican army to the purchase of Pegasus spyware. R3D found a 2019 acceptance letter that links the military\r\nto a company with the exclusive right to sell licenses for the NSO Group’s Pegasus spyware in Mexico.\r\nNSO Group created Pegasus in 2011 and it has been linked to everything from the capture of the drug lord El\r\nChapo to the murder of journalist Jamal Khashoggi. Pegasus’ super power is its ability to infect smartphones\r\nwithout a user knowing — the phone becomes a spy in their pocket, capturing their location, their\r\ncommunications, and information on their friends.\r\nAmong the new revelations are documents from the Mexican Secretariat of National Defense , or SEDENA, that\r\ndiscuss a previously unknown military intelligence agency in charge of the nation’s surveillance programs. The\r\nleaked files show the agency, referred to as CMI or the Military Intelligence Center, spied on a human rights\r\nadvocate named Raymundo Ramos who has been investigating a suspected extrajudicial killing by the Army that\r\noccurred in July 2020 in a border town called Nuevo Laredo.\r\nThe interview has been edited for space and clarity. A fuller version of the story can be heard on the Click Here\r\npodcast.\r\nCLICK HERE: For people who don’t know, can you explain the mission of R3D (The Digital Rights\r\nDefense Network)?\r\nLUIS FERNANDO GARCIA: The Digital Rights Defense Network is a NGO that works on issues related to\r\nhuman rights and technology. Since the beginning we've been working to uncover and to investigate and pushback\r\nagainst the surveillance apparatus in Mexico.\r\nCH: You started your latest investigation into government surveillance in collaboration with the University\r\nof Toronto’s Citizen Lab in early 2022. What did the initial investigation [published last October] reveal?\r\nhttps://therecord.media/mexican-army-spyware\r\nPage 1 of 8\n\nLG: We started checking phones of human rights defenders, journalists, trying to see if we could find forensic\r\nevidence of Pegasus in Mexico. We started to document cases of people who were infected in 2019, 2020, and\r\n2021, which means [it was deployed] during the current government, not the previous government.\r\nA week or maybe less from our publication date, something really important happened. The army's email system\r\nwas hacked and an activist group called Guacamaya was offering access to those emails to media organizations\r\nand to human rights organizations. And this gave us like the missing key that we needed to actually point the\r\nfinger at the army and say we found these Pegasus cases [and connected them to the military].\r\nCH: Can you talk about some of the specific things you discovered in the Guacamaya documents?\r\nLG: We were able to find a kind of acceptance letter from the army, directed to the secretary, which is the head of\r\nthe army — the General Secretary of National Defense in Mexico. And here it talks about a contract with\r\nComercializadora Antsua, the same company that we already had a strong suspicion was the intermediary\r\ncompany that was being used by NSO Group to commercialize Pegasus in Mexico. This was proof that the\r\ncontract existed and the head of the army knew about it because this was a document created for the head of the\r\narmy.\r\nhttps://therecord.media/mexican-army-spyware\r\nPage 2 of 8\n\nAn internal military\r\ndocument lays out details of a contract with Comercializadora Antsua, a company that sells licenses to Pegasus\r\nspyware in Mexico. (Image: R3D).\r\nCH: And did you ever have any concerns that this might be a set-up or that the documents might be fake?\r\nLG: Not at all. The president himself [Andrés Manuel López Obrador] has said that the hack happened, that the\r\ndocuments are real, and we have verified some of the documents ourselves. We found an email directed to the\r\nSecretary of the Army and we asked about that email through legal means, through an access information request,\r\nand they gave us the same email. And it hasn’t been disputed by the government or the Army that the documents\r\n[in the hack] are fake.\r\nCH: You’d been working on surveillance issues in Mexico for years, so how did this new information help\r\nwith your research?\r\nhttps://therecord.media/mexican-army-spyware\r\nPage 3 of 8\n\nLG: Now we have the number of the contract, the date of the contract, the amount paid for the contract — around\r\n140 million pesos – so that solidifies our belief that the army was actively trying to hide the information related to\r\nthis and lying to different authorities. [R3D had been requesting this document and they were told it didn’t exist.]\r\nCH: Did you find anything in the documents that was surprising or presented new information entirely?\r\nLG: Yes. We didn't know about [a military intelligence unit called] CMI. If you Google CMI, you are not going to\r\nfind much of anything. The objective of the CMI, the document says, is to give to the intelligence arm of the chief\r\nof staff intelligence products generated from information obtained through closed systems. In other words, it is not\r\nopen source intelligence – they are talking about communications intercepts. Legally they don't have any powers\r\nto do interception of communications of civilians at any point.\r\n One of the Guacamaya\r\nleak documents shows the logo of a previously undisclosed military intelligence unit doing illegal surveillance.\r\n(Image: R3D)\r\nWhat’s more, I looked and I couldn’t find any formal, legal establishment of this institution. We did find a\r\ndocument that lays out an analysis of CMI’s strengths, opportunities, weaknesses, and threats. One of the threats\r\nthat they specifically identify is that the activities of this [CMI] center are made public. That’s one of the main\r\nthreats that they identify — that the people know that CMI exists and what it does.\r\nCH: Meaning they don't want people to know they exist or what they do…\r\nLG: Exactly.\r\nCH: You found specific surveillance information on a human rights advocate named Raymundo Ramos, tell\r\nus about that?\r\nhttps://therecord.media/mexican-army-spyware\r\nPage 4 of 8\n\nLG: [One of the documents talks] about communications between Raymundo Ramos and journalists around the\r\ntime a controversial video was released that seemed to capture an extrajudicial killing by the military in [the\r\nborder town] of Nuevo Laredo.\r\nRamos was investigating the shooting. All his conversations with journalists at that time were on encrypted apps,\r\nso the only way they could have captured the conversations was with something like Pegasus. Espionage carried\r\nout by the Military Intelligence Center is absolutely illegal since the Army lacks the legal authority to intervene in\r\nthe private communications of civilians.\r\nThe document also suggests that the military has secret information that shows Ramos had a relationship with the\r\ncartel in Nuevo Laredo. They have never proved anything, and they have never charged him of being involved\r\nwith the cartels at any point.\r\n An internal military\r\ndocument details the activities of Raymundo Ramos around the time he was found to have been infected with\r\nhttps://therecord.media/mexican-army-spyware\r\nPage 5 of 8\n\nPegasus spyware.\r\nBut they repeat this accusation and in the document it says that this intelligence product is being given in a\r\nconfidential manner to the military prosecutor police. So it's considered as an element of judgment in this\r\ninvestigation.\r\n**CH: So connect the dots for us, why is it so important to see Ramos mentioned here? **\r\nLG: So we determined last year [with the technical help of Citizen Lab] that Ramos’ phone was infected with\r\nPegasus. This document proves that it was the army who was spying on him because they wanted to find out his\r\nconnection or alleged involvement in the publication of the Nuevo Laredo shooting video that was creating such a\r\nheadache for the army.\r\nCH: Some people say the Guacamaya leaks were huge but haven't had the impact that some people had\r\nhoped for. Does today’s news change that?\r\nLG: I think those assessments are premature. I think the volume of information is so great, it has posed\r\ntechnological challenges to those who might try to sort through the documents. It's not easy to find this\r\ninformation. It's not just control-f search, and you get all these results. You need to do a lot of methodic work and\r\nbe strategic about what you look for and how.\r\nAnd it's not only about information that comes from Guacamaya. You need to complement it with your own\r\ninvestigations. And here we have documents that we have obtained through freedom of information requests,\r\nforensic analysis that's been done with the help of Citizen Lab. There’s a lot of legwork above and beyond the\r\nGuacamaya leaks that are part of this story. I don't think I'm the only one. I think there's a lot of people who are\r\ntaking their time.\r\nhttps://therecord.media/mexican-army-spyware\r\nPage 6 of 8\n\nDina Temple-Raston\r\nis the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future\r\nNews. She previously served on NPR’s Investigations team focusing on breaking news stories and national\r\nsecurity, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were\r\nYou Thinking.”\r\nhttps://therecord.media/mexican-army-spyware\r\nPage 7 of 8\n\nWill Jarvis\r\nis a podcast producer for the Click Here podcast. Before joining Recorded Future News, he produced podcasts and\r\nworked on national news magazines at National Public Radio, including Weekend Edition, All Things Considered,\r\nThe National Conversation and Pop Culture Happy Hour. His work has also been published in The Chronicle of\r\nHigher Education, Ad Age and ESPN.\r\nSource: https://therecord.media/mexican-army-spyware\r\nhttps://therecord.media/mexican-army-spyware\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://therecord.media/mexican-army-spyware"
	],
	"report_names": [
		"mexican-army-spyware"
	],
	"threat_actors": [
		{
			"id": "ae7c5e09-a79b-4dae-8ed3-f288b8d99810",
			"created_at": "2023-11-08T02:00:07.110982Z",
			"updated_at": "2026-04-10T02:00:03.416181Z",
			"deleted_at": null,
			"main_name": "Guacamaya",
			"aliases": [],
			"source_name": "MISPGALAXY:Guacamaya",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f44b2ca07040405764f37df524a658bf29e16a01.pdf",
		"text": "https://archive.orkl.eu/f44b2ca07040405764f37df524a658bf29e16a01.txt",
		"img": "https://archive.orkl.eu/f44b2ca07040405764f37df524a658bf29e16a01.jpg"
	}
}