How Mexico Became the Biggest User of the Pegasus Spyware

Mexico has been using the Pegasus software to spy on its citizens, despite promising to stop.

The Israelis were in Mexico to make a big sale. The Mexican military would be the first to purchase their most advanced spyware.

Before they could seal the deal, a dispute erupted about price and the speed of delivery. According to two witnesses and a third person with knowledge of the negotiations, the Mexican general who was overseeing the negotiation called for a break until later in the evening.

They recalled him saying: "We will pick you up from your hotel, and we'll make sure that we create a better atmosphere."

That night, a convoy took the Israeli executives to a strip club in Mexico City.

Three people claimed that the general's security force ordered the other clients to leave the club. Then, the conversation resumed.

It was in that cabaret, in March 2011, with women dancing and the audience sipping tequila shots, that the world's most powerful cyberweapon got its start.

Pegasus is spyware that has become synonymous with the terrifying reach of state surveillance. Governments from Europe to the Middle East use it to hack into thousands and thousands of mobile phones.

Mexico is the first country to have experienced the dangers and promises of this technology.

The New York Times conducted an investigation using interviews, documents, and forensic testing of hacked phones to reveal the secret deals that led Mexico, the company's first client, to become the most prolific user of Pegasus spyware in the world.

Pegasus has the ability to infiltrate digital life. It can steal everything from your phone -- including every text message, email, calendar event, and photo -- without leaving any trace.

Even if the phone is off, it can still record your keystrokes, watch your camera, or listen to its microphone.

The technology has been used in the fight against crime. It helped to bust up child abuse rings and arrest notorious figures such as El Chapo, Joaquin Guzman Loera.

Pegasus has been used illegally by governments to spy and silence human rights activists, democracy advocates and journalists, as well as other citizens who are against corruption and abuse.

The Biden administration, alarmed by the use of Pegasus to "maliciously" target dissidents around the world, blacklisted NSO Group in 2021, the Israeli firm that manufactured the spyware.

Israel's Defense Ministry, which must approve exports of Pegasus to other countries, announced that it would prohibit sales to nations where there is a risk of violations of human rights.

Four people familiar with the contracts for this technology say that despite the ample evidence of Pegasus abuses, the Israeli government still hasn't ordered a stop to the use of the technology in Mexico.

The four individuals say that Mexico's army is not only Pegasus's longest-running customer, but has also targeted more phones with the spyware than any other government in the world.

The spy tool is still being used in the country, and not only to fight crime.

After revelations that Pegasus was used to spy on government critics, Andres Manuel Lopez Obrador, who took office in 2018, promised to end what he termed the "illegal" spying of the past.

According to previously undisclosed testing, Pegasus infiltrated two of Mexico's most prominent human rights advocates, who represent the victims of the largest mass disappearances ever in Mexican history, in the second half of 2022.

For years, the military's role in the mass disappearances has been the focus of investigation. The military is known for its human rights violations. Pegasus targeted the two advocates repeatedly as new allegations were made against the military in the case, according to forensic testing by Citizen Lab, which is based at the University of Toronto.

Four people who are familiar with the contract said that the Mexican military is currently the only entity operating Pegasus in the country.

The Israeli Defense Ministry declined to comment. The Mexican Defense Ministry refused to discuss the recent hack, but stated that it was following the government's position which states that intelligence gathering "in no way" is intended to invade the privacy of media, political and civic figures.

Santiago Aguirre is a human rights activist. This was his second round of phone attacks. Citizen Lab discovered that he had also been targeted by Pegasus under the previous administration.

Aguirre stated that the government had made many promises about how things would change. "Our initial reaction was that this could not be happening again."

A spokesperson for the Mexican President declined to comment. NSO Group issued a statement saying it adheres to strict regulations and can't disclose the identities of its clients. Citizen Lab, however, said that it has no doubts regarding its findings.

NSO Group stated that it needed "access to the data" to verify if Pegasus had hacked two Mexican human-rights advocates in the past months. But the advocates refused to provide any additional information to the spying partner of the Mexican government.

Pegasus's beginnings in Mexico were long shrouded in secrecy. The Israeli executives from NSO Group, a fledgling startup, returned to Tel Aviv after the night in the strip club with the outline of their first sale. Next, a contract was signed.

A few months later, NSO representatives went back to Mexico to demonstrate the spyware to the country's most powerful individuals.

In an email sent on May 25, 2011, Eran Reshef (an Israeli defense industry executive who assisted in brokering the deal) informed NSO's chairman and the two founders of the company that the "demo to Secretary of Defense and the President" would take place the following Friday. He was referring to Felipe Calderon, the president at the time, and Guillermo Galvan Galvan, his secretary of defense. A copy of this email was revealed in an Israeli lawsuit concerning commissions on the sale of Pegasus in Mexico.

Two people who were at the demonstration claimed that it was held on a vast military base outside of Mexico City where the first Pegasus would be installed.

The Mexican Army feared leaks and made the Israeli executives sit in a small room with cleaning supplies so that no one could see them until they gave their presentation. A soldier with a gun was posted outside the door.

The attendees reported that when Mr. Calderon and Mr. Galvan Galvan arrived, they sat before large screens mounted on the wall and watched as a phone was hacked.

Udi Doenyas is the chief technology officer at NSO Group, who invented the Pegasus architecture and led the team responsible for writing the code behind the first version of the spyware. He confirmed that he connected the Pegasus system to a screen and gave a BlackBerry to high-ranking Mexican officials. He told them to use it.

The phone was still intact, and the Pegasus system began to extract every bit of information, beaming it onto the screen.

The sneak attack was the spyware's superpower.

Miguel Angel Sosa is a spokesperson for Mr. Calderon. He acknowledged that former President Calderon had visited a military installation, where "he was given various presentations" about the tasks being performed, "including gathering information and intelligence."

He said that Mr. Calderon never knew if the spyware had been purchased and the former president never asked what tools were used for capturing criminals.

Mexico was desperate to find a reliable way to crack BlackBerry phones. These were the devices of choice for the country's feared drug cartels. Calderon, who began his presidency in 2006, had been pushing a strategy to combat organized crime that focused on the top leaders of the criminal groups.

To pinpoint the drug lords, spies needed technology that would allow them to track their location continuously. Former law enforcement officials claimed that criminals would move around and turn off their phones in order to avoid being caught.

"It did not give you enough time for an operation," said Guillermo Valdes, the former director of CISEN (the country's equivalent to the C.I.A.) from 2007 to 2011. "If someone switched off their phone, we didn't know where they were."

Mexico was heavily dependent on the United States up until that point.

Alejandro Hope is a former intelligence officer who served under the Calderon administration. He said that the pressure was on the military to improve its intelligence capabilities. He said that Pegasus could be attractive because it would allow Mexico to have its own capabilities.

Hope stated that "they no longer wanted Americans to be their sole source of income."

After the demonstration, the military quickly signed a contract to purchase the spyware.

Three people familiar with the installation say that in September 2011, about 30 NSO employees, most of the company's staff, flew to Mexico to set up Pegasus, test it, and teach a team of around 30 Mexican soldiers and officers how to operate the technology.

Two people claimed that a small ceremony was held in December to "hand over the keys" once the Mexicans were ready.

Documents from 2019 found in a massive hack of Mexican military email last year indicate that the Mexican Intelligence Center is located in a horseshoe-shaped complex. According to three people who are familiar with the complex, commanders can view information on large screens through internal glass walls.

In a document from 2021, which was also made public through the hack, the Army says that one of the biggest risks for the center is that "the activities of this center will be revealed to the public."

Pegasus quickly became a favorite of the Mexican authorities. After Enrique Pena Nieto was elected president in 2012, the Attorney General's Office and CISEN purchased it, according to Mexican officials as well as three individuals with knowledge of these contracts.

In a matter of years, spyware infiltrated the phones of Mexico's leading human rights lawyers, journalists, and anti-corruption activists. This surveillance was far removed from the Israeli agreement to target serious crimes and terrorism.

The scandal followed Mr. Pena Nieto throughout his presidency, bringing swift condemnation from both home and abroad. Mexico spent over $60 million in total on Pegasus according to Mexican officials citing past administrations.

The Mexican military has acknowledged having Pegasus only from 2011 to 2013.

Experts said that it is unclear why the military spied on the students but that the intelligence collected was not used in order to find them.

In 2018, Mr. Lopez Obrador assumed office and dissolved the Federal Police. He replaced the Mexican spy agency with a new organization.

Four people who have knowledge of the contracts claim that only the military had Pegasus from 2019 to today. Citizen Lab analyses show that the spyware was used against journalists, human-rights defenders, and opposition politicians during this time.

According to Mexican law, a judge must give permission for government agencies to spy on private communications. In public disclosures, the military said that it had not asked for this type of surveillance in recent years.

On a Thursday in December last year, Mr. Aguirre received an email that sounded like it was taken from a spy book.

The message, which The Times reviewed, read: "Apple believes state-sponsored attackers are targeting you to try to remotely compromise your iPhone connected with your Apple ID. These attackers may be targeting you specifically because of your identity or what you do."

Apple announced that it would begin sending these warnings in 2021 to users whose phones have been compromised by sophisticated spyware. The email went on to state that "sensitive data," including the phone's camera and microphone, may have been compromised.

Pegasus had targeted Mr. Aguirre years before, when he was the executive director at the Miguel Agustin Pro Juarez Human Rights Center.

He felt sick to his stomach when he thought of the government spying on his digital life. From messages with torture victims to photos of his daughter and family, everything was there.

He realized that others might also be compromised.

He ran to Maria Luisa Aguilar's office, the international advocate for the group. She received the same email.

Citizen Lab analyzed the phone data of the two activists, who contacted R3D (a Mexican digital rights group). It confirmed both had been hacked by Pegasus multiple times between June and September 2022.

"In the eyes of the military, we are a threat," said Ms. Aguilar. "They don't wish to lose their power."

Ronen Bergman reported from Tel Aviv, while Natalie Kitroeff was in Mexico City.