How Mexico Became the Biggest User of the Pegasus Spyware
The Israelis had come to Mexico to clinch a major sale: The Mexican military was about to become the first client ever to buy their product, the world’s most advanced spyware.
But before they could close the deal, an argument erupted over price and how quickly the spy tool could be delivered. A Mexican general overseeing the negotiations called for a pause until later that evening, according to two people present and a third with knowledge of the talks.
“We’ll pick you up at your hotel and make sure to arrange a better atmosphere,” they recalled the general saying.
That night, a convoy of cars arrived at the Israeli executives’ hotel and took them to a new spot for the fateful negotiations: a strip club in the heart of Mexico City.
The general’s security team ordered all the other clientele to leave the club, the three people said, and the talks resumed.
It was in that dark cabaret in March 2011, among women dancing onstage and shots of tequila, that the most powerful cyberweapon in existence got its start.
The spyware, known as Pegasus, has since become a global byword for the chilling reach of state surveillance, a tool used by governments from Europe to the Middle East to hack into thousands of cellphones.
No place has had more experience with the promise and the peril of the technology than Mexico, the country that inaugurated its spread around the globe.
A New York Times investigation based on interviews, documents and forensic tests of hacked phones shows the secret dealings that led Mexico to become Pegasus’ first client, and reveals that the country grew into the most prolific user of the world’s most infamous spyware.
Many tools can infiltrate your digital life, but Pegasus is exceptionally potent. It can infect your phone without any sign of intrusion and extract everything on it — every email, text message, photo, calendar appointment — while monitoring everything you do with it, in real time.
It can record every keystroke, even when you’re using encrypted applications, and watch through your phone’s camera or listen through its microphone, even if your phone appears to be turned off.
It has been used to fight crime, helping to break up child-abuse rings and arrest notorious figures like Joaquín Guzmán Loera, the drug lord known as El Chapo.
But it has also been deployed illegally, again and again, with governments using Pegasus to spy on and stifle human rights defenders, democracy advocates, journalists and other citizens who challenge corruption and abuse.
Alarmed at how Pegasus has been used to “maliciously target” dissidents across the globe, the Biden administration in 2021 blacklisted NSO Group, the Israeli company that manufactures the spyware.
Soon after, Israel’s defense ministry — which must approve the export of Pegasus to other nations — said it would ban sales to countries where there was a risk of human rights violations.
Yet, despite ample evidence of Pegasus abuses in Mexico, the Israeli government has not ordered an end to its use in Mexico, according to four people with knowledge of the contracts for the technology.
In fact, Mexico’s military is not only Pegasus’ longest-running client, the four people say, but it has also targeted more cellphones with the spyware than any other government agency in the world.
And the spy tool continues to be deployed in the country, not just to combat crime.
After the revelations that Pegasus had been wielded against government critics tarred his predecessor, President Andrés Manuel López Obrador, who came to office in 2018, promised to stop what he called the “illegal” spying of the past.
He did not. Previously undisclosed tests show that, as recently as the second half of 2022, Pegasus infiltrated the cellphones of two of the country’s leading human rights defenders, who provide legal representation to the victims of one of the most notorious mass disappearances in Mexican history.
The military has a history of human rights abuses, and its role in the mass disappearance has been a focus of the investigation for years. As new allegations against the military surfaced in the case last year, the two advocates were targeted by Pegasus repeatedly, according to forensic testing conducted by Citizen Lab, a watchdog group based at the University of Toronto.
The Mexican military is the only entity in the country currently operating Pegasus, the four people familiar with the contracts said.
The Israeli defense ministry declined requests for comment. The Mexican defense ministry would not discuss the recent hack but said it followed the government’s position, which asserts that intelligence gathering is “in no way aimed” at invading the private life of political, civic and media figures.
This was the second wave of attacks on the phone of Santiago Aguirre, one of the human rights defenders. He had been targeted with Pegasus during the previous administration, too, Citizen Lab found.
“This government made so many promises that things would be different,” Mr. Aguirre said. “Our first reaction was to say, ‘This can’t be happening again.’”
A spokesman for the Mexican president declined to comment. In a statement, NSO Group said it “adheres to strict regulation and cannot disclose the identity of its customers.” The company challenged the conclusiveness of Citizen Lab’s forensic analyses, while Citizen Lab said it had no doubts about its findings.
To verify whether Pegasus hacked the two Mexican human rights advocates in recent months, NSO Group said it would need to be “given access to the data.” But the advocates said they were not willing to give the government’s spying partner any more of their private information.
Pegasus’ beginnings in Mexico have long been shrouded in secrecy. After the night at the strip club, the Israeli executives of NSO Group, then a fledgling start-up, returned to Tel Aviv with the outlines of their first sale. The next step was an actual contract.
So, a few months later, a team of NSO representatives returned to Mexico to show off the spyware to some of the most powerful people in the country.
On May 25, 2011, Eran Reshef, an Israeli defense industry executive who helped broker the deal, said in an email to NSO’s chairman and its two founders that “the demo to the Secretary of Defense and President will take place next Friday,” referring to the president at the time, Felipe Calderón, and his secretary of defense, Guillermo Galván Galván. A copy of the email surfaced in an Israeli lawsuit over commissions from the sale of Pegasus to Mexico.
Two of the people at the demonstration said it had taken place on a sprawling military base on the outskirts of Mexico City, where the first Pegasus machine would be installed.
Fearing leaks, the Mexican Army made the Israeli executives wait in a tiny room where cleaning supplies were kept so no one would see them before they made their presentation. An armed soldier was stationed outside the door.
When Mr. Calderón and Mr. Galván Galván arrived, they sat in front of large screens on the wall — and watched a phone get hacked, the attendees said.
Udi Doenyas, the chief technology officer of NSO Group who invented the Pegasus architecture and led the team that wrote the code behind the first version of the spyware, confirmed that he had connected the Pegasus system to a screen and handed a BlackBerry phone to senior Mexican officials. He asked them to use it.
As they did, the phone showed no signs of being compromised, but the Pegasus system methodically began extracting every piece of data, beaming it onto the screen for all to see.
This was the spyware’s superpower: the sneak attack.
Miguel Ángel Sosa, a spokesman for Mr. Calderón, acknowledged that the former president had paid a visit to a military facility, where he was “given various presentations about the tasks” being carried out, “including the gathering of information and intelligence.”
But he said Mr. Calderón was never informed whether the spyware was eventually purchased, and that the former president was never told — “nor did he inquire” — what tools were used to capture criminals.
At the time, Mexico desperately needed a way to reliably crack into BlackBerry phones, a device of choice for the nation’s fearsome drug cartels. From the start of his term in 2006, Mr. Calderón had pushed a so-called kingpin strategy for confronting organized crime, focusing on the groups’ top leaders.
Pinpointing the drug lords required technology that allowed spies to follow their location constantly. The criminals were careful, former law enforcement officials said, moving around and shutting down their phones to avoid being captured.
“It didn’t give you enough time to launch an operation,” said Guillermo Valdés, the former director of CISEN, which was the country’s equivalent of the C.I.A., from 2007 to 2011. “If someone turned off his phone, we no longer knew where he was.”
Up to that point, Mexico had relied heavily on the United States.
“The pressure on the military to raise its game in terms of intelligence capabilities was intense,” said Alejandro Hope, a former intelligence officer during the Calderón administration. A potential draw of Pegasus, he said, is that it would give Mexico its own capabilities.
“They no longer wanted to be dependent on the Americans,” Mr. Hope said.
The military signed the contract to buy the spyware soon after the demonstration.
In September 2011, about 30 NSO employees, most of the company’s staff, flew to Mexico to set up Pegasus, test it and instruct a team of about 30 Mexican soldiers and officers how to operate the technology, according to three people familiar with the installation. The Mexican unit chosen to operate it was called the Military Intelligence Center, a secretive arm of the army about which little has been made public.
Once the Mexicans were ready to run Pegasus on their own, a short ceremony took place that December as a way of “handing over the keys,” two of the people said.
A document from 2019, unearthed in an enormous hack of Mexican military emails last year, indicates that the Mexican intelligence center is housed in a horseshoe-shaped complex. Three people familiar with it say commanders can watch through internal glass walls as information unspools on huge screens.
In a 2021 document, also made public by the hack, the army says that one of the main risks facing the center is “that the activities carried out by this center are revealed to the public.”
Pegasus was quickly embraced by the Mexican authorities, and after Enrique Peña Nieto took office as president in 2012, two more government agencies bought it: the attorney general’s office and CISEN, according to Mexican officials and three people with knowledge of the contracts.
Within a few years, the spyware began infiltrating the phones of some of Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists — surveillance that strayed far from the agreement with the Israelis to target serious crime and terrorism.
Condemnation came swiftly from home and abroad, and the scandal clung to Mr. Peña Nieto for the rest of his presidency. In all, Mexico has spent more than $60 million on Pegasus, according to Mexican officials, citing spending by past administrations.
The Mexican military has acknowledged having Pegasus only from 2011 to 2013. But a group of independent experts investigating the disappearance of 43 students who were planning to attend a protest said the military had Pegasus when they were abducted in 2014, and was spying on the phones of people involved in the crime on the night the events unfolded.
It is not clear why the military was spying, but the intelligence was not used to help find the students, the experts said.
After Mr. López Obrador took office in 2018, he dissolved the federal police and replaced the Mexican spy agency with a new entity.
From 2019 through today, only the military has had Pegasus, four people with knowledge of the contracts say. And during that time, the spyware has continued to be deployed against journalists, human rights defenders and an opposition politician, according to Citizen Lab’s analyses.
Under Mexican law, government entities need a judge’s authorization to spy on private communications. But in public disclosures, the military has said it has not made any request to do that kind of surveillance in recent years.
On a Thursday afternoon last December, Mr. Aguirre got an email that read like something out of a spy novel.
“Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID,” said the message, which was reviewed by The Times. “These attackers are likely targeting you individually because of who you are or what you do.”
In 2021, Apple announced it would begin sending warnings like this to users whose cellphones had been hacked by sophisticated spyware. The email went on to say that “sensitive data” on Mr. Aguirre’s phone may be compromised, “even the camera and microphone.”
Mr. Aguirre, the executive director of the Miguel Agustín Pro Juárez Human Rights Center, had been targeted years earlier with Pegasus.
His stomach sank thinking of government spies poring over his entire digital life, from messages with torture survivors to family photos with his young daughter.
Then it hit him: Others might be compromised, too.
He ran down the hall to the office of María Luisa Aguilar, the lead advocate handling the group’s international work. She had gotten the same email.
The two advocates contacted the Mexican digital rights group known as R3D, which had their phone data analyzed by Citizen Lab. It confirmed that both were hacked multiple times by Pegasus from June through September 2022.
“In the eyes of the armed forces, we represent a risk,” Ms. Aguilar said. “They don’t want to lose the power they have accumulated.”
Natalie Kitroeff reported from Mexico City, and Ronen Bergman from Tel Aviv.