Military forces behind new cases of spying on Mexican journalists, reveals 'Ejército Espía' investigation

Mexican journalists and organizations defending freedom of expression are already accustomed to saying that Mexico is the country not at war where the most journalists in the world are murdered. As of August of this year, at least 15 press workers have lost their lives violently in that country.

But for journalist Ricardo Raphael, this statement is not entirely correct and must change. Mexico is not at war against another country, he said. Rather, for years it has been facing what international law calls internal armed conflict: the presence of armed organizations disputing control of territory with armed forces.

And as long as things are not called by their true names, it won’t be possible to adopt the necessary measures to, among other things, protect journalists and activists who are being hurt as a result of this conflict, Raphael said.

Ricardo Raphael is one of the Mexican journalists spied on during the López Obrador administration. (Photo: Twitter @ricardomraphael)

"We use deceptive terms such as 'the war on drugs' or 'the war between criminal organizations,' as if they were Chicago-style mafias in the 1930s in the United States," Raphael said in an interview with LatAm Journalism Review (LJR). “But when you have half a million people mobilized, approximately 40 percent of the territory under the presence of one of these organizations [...], we are facing a serious problem.”

By calling a spade a spade, the journalist said, it will be possible to determine more clearly the rules of the game regarding, for example, the imposition of intelligence or espionage by the authorities on the civilian population, including journalists who are covering these violent events.

Raphael, who is a columnist in news outlets such as The Washington Post, Milenio Diario and the Mexican weekly Proceso, as well as a television presenter on the ADN40 and Once TV networks, was the victim of spying on his cell phone through the Pegasus spyware, allegedly by the Mexican Armed Forces, according to the investigation "Ejército Espía [spy army]," published in October of this year.

"We need to reframe the way we approach the phenomenon to figure out what are the legal guarantees when participating there [while covering violence] and, in that sense, to figure out what are the limits or the scope that the Armed Forces have to deploy their own armed empire. And this is where I think we have a very serious problem," Raphael said.

At the beginning of July of this year, Raphael was surprised to see that a conversation he had held privately a couple of years ago with an official of the Federal Judiciary had been leaked anonymously to social media.

A few days earlier, suspicions that something was wrong had been raised in his home, when his young son received an audio message via WhatsApp in which the journalist's name was mentioned in a threatening manner.

As recently as January of this year, it was revealed that the devices of 30 journalists from El Salvador's investigative journalism outlet El Faro had been hacked via spyware. And in 2021, the Pegasus Project cross-border collaborative investigation revealed that at least 180 journalists from more than 50 countries - including Mexico - were on a list of victims of illegal surveillance via the Pegasus spyware program.

Raphael turned to the organizations Artículo 19 and Red en Defensa de los Derechos Digitales (R3D), both of which have supported victims of spying. R3D conducted a forensic analysis of the journalist's cell phone with technical support and validation from Citizen Lab, a multidisciplinary laboratory at the University of Toronto specializing in computer security and human rights.

The analysis proved Raphael's suspicions right. His mobile device had been infected with Pegasus spyware, developed by Israeli company NSO Group, at least four times between 2019 and 2020, in addition to having been the target of infection attempts with the same software in 2016. At least one of those attempts resulted in a persistent Pegasus infection, the Citizen Lab report showed.

R3D is one of the organizations that produced "Ejército Espía," along with Artículo 19 Mexico and Central America and Social TIC. The investigation revealed the cases of spying with Pegasus on Raphael, human rights defender Raymundo Ramos and a journalist from the Mexican digital-native outlet Animal Político, who chose to remain anonymous.

"Ejército Espía" shows evidence that these espionage cases were carried out during the administration of the current president, Andrés Manuel López Obrador. Also, it shows that Mexico's National Defense Secretariat (Sedena, by its Spanish acronym) acquired a remote monitoring system from the company that exclusively sells the Pegasus spyware in that country.

The findings of the investigation contradict López Obrador's repeated assertions that his government would not continue with his predecessor's practices of spying on journalists and opponents.

"When he [López Obrador] came to power and repeatedly said they were not going to acquire spying systems, that they were not going to spy on journalists or human rights defenders or opponents," Luis Fernando García, executive director of R3D, told LJR. "However, we have documented that these cases are not from the past, they are from the present. These are infections that happened between 2019 and 2021 and that call into question the promise that there was going to be no spying."

More sophisticated spyware and an increasingly powerful military

Unlike cases of telephone espionage in previous years, in which the infection was carried out through links sent via SMS messages, the hacks documented in "Ejército Espía" operated in a more sophisticated and discreet way, according to Citizen Lab's report.

The attacks on Raphael, Ramos and the Animal Político journalist between 2019 and 2021 took place through methods called "zero-click exploits," which do not require users to click on any links and simply enter mobile device systems and begin operating without showing any signs.

Mexican Secretary of Defense, Luis Cresencio Sandoval. Under the current government, the Mexican Armed Forces have strengthened their dominance in security and intelligence tasks. (Photo: YouTube screenshot)

However, the most concerning difference with past cases for the authors of "Ejército Espía" is that the new evidence points to Mexican military authorities being behind the attacks discovered this year. The cases of espionage with Pegasus in the administration of former President Enrique Peña Nieto would have been executed by civilian security entities, such as the then Attorney General's Office (PGR), the Center for Investigation and National Security (CISEN) and the Federal Police, according to various investigations.

The analysis of "Ejército Espía" showed that the victims' work was linked to investigations of issues related to human rights violations by the Armed Forces. In Raphael's case, the hacks on his phone in October and November 2019 coincide with the dates of the presentation and media promotion of his book "Hijo de la guerra" [son of war], a non-fiction account of the creation of the Los Zetas cartel. The book hypothesizes that a group of elite Mexican ex-military personnel formed a paramilitary group that epitomized the origin of the violence Mexico is experiencing today.

Likewise, the December 2020 attack was registered one day after the publication of an article that takes up a column by Raphael on the case of the disappearance of 43 students in 2014, in which the Army was involved.

"Hardly any intelligence body other than the Armed Forces would be interested in spying on me about this issue," Raphael said. "Because we also know that there were only three buyers of this program [Pegasus] on those dates: one is the Armed Forces, the other is the intelligence sections and the other is the Attorney General's Office. So, by logical difference, it leads me to say the Armed Forces spied on me.”

"Ejército Espía" published documents revealed as a result of the leak by the hacker group Guacamaya. This leak made it known that Sedena acquired a "remote information monitoring service" from the company representing NSO Group in Mexico, Comercializadora Antsua, in April 2019, despite the fact that Sedena has repeatedly denied links with that firm.

The evidence linking Sedena to espionage cases is of concern to journalists and organizations defending freedom of expression, given the enormous power that the Armed Forces have acquired during López Obrador's administration. Not only have they consolidated a dominance in public security tasks, but also in intelligence tasks. In addition, the president has granted them powers to control customs and build public works.

"Today all intelligence and federal security bodies are presided over by the military, including many of those who head local public security agencies are also military. Today the director of the National Intelligence Center is from the military, the director of the National Guard is from the military," García said. "It is an unusual, exacerbated power. And it’s a well-founded and even proven fear that this power has no controls, no boundaries, not even the boundary of the supreme commander’s orders [President López Obrador]."

In the specific case of Raphael, there is also evidence that the information obtained through the hacking would have been shared with private individuals. The conversation that was leaked on social media last July was presented as evidence by anti-kidnapping activist Isabel Miranda de Wallace in a complaint in which she accuses Raphael of having links to a criminal group and of bribing the president of Mexico's Supreme Court.

Miranda de Wallace is the subject of a journalistic investigation by Raphael that points to the activist having fabricated a criminal act.

"Nor do we rule out, we even suspect, that although surely it is only the state, in this case the Armed Forces, who have obtained a license for the operation of Pegasus [...], that they may be sharing intelligence with private actors or even doing investigations or interventions with Pegasus 'on demand' of actors who can corrupt whoever has access to these systems so they can spy on whomever they want," García said.

Whistleblowing faces a bleak future

When Raphael learned that he was being spied on, colleagues and managers of the news outlet he works for advised him to keep quiet, keep a low profile and consider dropping his investigation into the case of activist Miranda de Wallace.

However, the journalist not only decided to make the hacking public and continue with his investigation, but also filed a complaint with the Attorney General's Office, together with the other two victims and with the support of R3D and Artículo 19.

The "Ejército Espía" investigation was carried out by Red en Defensa de los Derechos Digitales and Artículo 19, with support from the Citizen Lab at the University of Toronto. (Photo: EjercitoEspia.mx)

Although the victims and the organizations have reasons to doubt that the complaint will be successful, since judicial investigations for spying on journalists with Pegasus in previous years have not yielded any results, they hope that at least their cases will expose the authorities responsible for spying on journalists and help prevent new cases.

"I do not know if the Prosecutor's Office will investigate, I do not know if this will end up in the hands of a judge who will evaluate the case and eventually hand down a sentence. That I do not know [...] Appearing publicly does favor the principle of non-repetition and encourages - I hope - other female and male colleagues who found themselves in similar circumstances to mine," Raphael said. He went on Oct. 27 to the Prosecutor's Office to ratify the complaint.

"The reason [to denounce] is for the principle of non-repetition and knowing that we journalists have journalism to defend ourselves, not even justice, in a country like ours," he said.

For the authors of "Ejército Espía," the revelation of these new cases of spying on journalists has had a mainly political impact, by overthrowing the thesis that the López Obrador government has used to promote the militarization of the country, which held that the current Army did not violate human rights as in previous administrations.

"This investigation and other revelations have dismantled this thesis because, either the president ordered them to spy on these people, which I believe is not the case, or rather, more likely, is that the Armed Forces, despite the promises and the direct order of their alleged supreme commander, disobey orders and spy. And what is worse, the president seems to be unable to do anything about it," García said.