Jorge Santiago Aguirre is a lawyer at the Centro de Derechos Humanos Miguel Agustin Pro Juarez, a major human rights group in Mexico City, so he was curious when he got this text message in April 2016:
“Mr. Jorge this is Juan Magarino,” it read in Spanish. “Please help with my brother Heriberto a teacher who has been kidnapped by police it’s a crime.”
Then, there was a hyperlink.
He says the text didn’t feel like random spamming.
“It was related to information that was personal to us,” he says.
Aguirre is one of the lawyers representing the parents of 43 students who had been kidnapped by police in 2014.
Eager to help, Aguirre clicked on the link. But nothing happened — at least, not right away.
Days later, audio was leaked by alleged drug traffickers of a call between Aguirre and one of his clients, the father of a student who had disappeared. The call had been heavily edited and painted them as criminals.
Aguirre had been hacked.
“Like any good attack, this one begins with deception,” says John Scott-Railton of the University of Toronto’s Citizen Lab, which investigates cyber surveillance. “And the deception is designed to trick the target into clicking a link.”
Scott-Railton and the Citizen Lab had investigated similar hacks before, so two Mexican digital rights nonprofits, R3D and Social TIC, asked in late 2016 for their help in tracking down the source of dozens of suspicious texts received by journalists, activists and lawyers.
Scott-Railton recognized the texts as having the hallmarks of advanced spyware called Pegasus.
Once a link is clicked and “the phone is infected, it becomes a mobile spy in the pocket of the victim,” he says. “It becomes a bug, an audio bug, a video bug. But also, all of the personal and work activities that happen on the phone – text messages, Skype chats, WhatsApps, photographs – can all be pulled from the phone.”
Aguirre was far from the only person targeted. A report issued Monday by Citizen Lab, R3D and Social TIC identified 11 others, including journalists, activists and lawyers. Among them was an American citizen representing victims of sexual abuse and torture in Mexico.
The report says that “infection attempts often coincided with work on specific high-profile investigations and sensitive issues between January 2015 and August 2016.” People were systematically targeted while investigating or pressuring the government on cases of human rights abuses and corruption.
“Surveillance in Mexico has become an effective tool for intimidation,” the report says. “It is a form of controlling the flow of information and is an abuse of power.”
In a criminal complaint filed with the attorney general’s office on Monday, the researchers from all three organizations point the finger straight at the Mexican government, which the complaint says had the help of an Israeli firm called the NSO Group. It developed the Pegasus spyware and sells this sophisticated surveillance software exclusively to governments.
Mexico’s attorney general’s office and defense ministry are believed to be among its clients. Citizen Lab says Mexico accounts for 45 percent of NSO Group’s sales.
And this kind of spying is not cheap. According to a New York Times investigation from last September, a government would pay a $500,000 setup fee and then $650,000 for every 10 iPhones hacked.
A story published in the paper on Monday says, “Since 2011, at least three Mexican federal agencies have purchased about $80 million worth” of Pegasus spyware.
The NSO Group has said user agreements require governments to use the software only for criminal investigations. However, none of the targets identified in the Citizen Lab report meets that standard.
Scott-Railton tells NPR the revelations in Mexico are unprecedented.
“This is the most reckless case of the use of this kind of expensive software that we’re aware of,” he says.
The phishing text messages were manipulative and malicious. One pleaded with a target to help with an AMBER Alert for a missing child. And when phishing attempts failed to dupe Carmen Aristegui, a defiant Mexican journalist responsible for various investigations into government corruption, the next target was her son — a minor. He received a text that appeared to come from the U.S. embassy in Mexico City, telling him he had a problem with his American visa while he was on U.S. soil.
“What’s next if you are capable of getting to the point of spying on an adolescent?” Aristegui asked in a press conference on Monday. “Does that not seem sinister to you, Mr. President?”
When asked for comment, the American embassy referred NPR to the Mexican government, which has so far responded to the claims of hacking in a statement.
“There is no evidence that agencies of the Mexican government are responsible for the alleged surveillance,” the statement from President Enrique Pena Nieto’s spokesman said Monday. “We condemn any attempt to violate any person’s right to privacy.”
The researchers admit they can’t prove with 100 percent certainty the government was behind the spying. But they say the circumstantial evidence leaves no other explanation.
The revelations come at a time when journalists already are under attack in Mexico. So far this year, four journalists have been murdered.
“A government that acts as if critical journalists and human rights defenders are the enemy,” says Aguirre, “is a government that simply cannot be understood as a democratic government.” He’s signed onto the criminal complaint, but he’s not confident that the government is willing to investigate itself.