Toronto, Canada (19 June 2017) — A new report from the Citizen Lab at the Munk School of Global Affairs details a spyware campaign targeting Mexican journalists, lawyers, and anti-corruption investigators. The government-exclusive spyware is developed by Israeli “cyberwarfare” firm NSO Group.

The investigation documents more than 75 infection attempts against 12 high-profile targets working on a range of issues that include the forced disappearance of Mexican students, investigations of corruption by the Mexican President, and the participation of Mexico’s Federal authorities in human rights abuses.

The operations used SMS messages as bait in an attempt to trick targets into clicking on links to the NSO Group’s exploit infrastructure. Clicking on the links would lead to the remote infection of a target’s phone. The messages included many upsetting ruses, including impersonating official messages from the Embassy of the United States of America in Mexico, AMBER Alerts about abducted children, and warnings about personal safety.

At least one target, the child of a targeted journalist (and a minor), was sent over 20 infection attempts, including a communication impersonating the United States Government, while physically located in the United States.

“The cross-border targeting of a minor child with a government-exclusive spyware is distasteful. Doing so by impersonating the United States government is reckless, and might have violated the law.” — John Scott-Railton, Senior Researcher, The Citizen Lab, Munk School of Global Affairs, University of Toronto

The researchers found that over 76 messages with links to the surveillance infrastructure of the Israeli-based company, NSO Group, were sent to Mexican journalists, lawyers, and a minor child. NSO Group is a self-described “cyber warfare” company that sells lawful intercept products and services.

“The infection attempts were text messages bearing links to servers that we know to be part of the NSO Group’s Exploit Framework.” — Bill Marczak, Senior Research Fellow, The Citizen Lab, Munk School of Global Affairs, University of Toronto

In August 2016, Citizen Lab released a report uncovering how United Arab Emirates (UAE) activist Ahmed Mansoor was targeted with NSO infrastructure and exploits designed to infect his iPhone 6 via a malicious link in an SMS text message. In February 2017 Citizen Lab, with assistance of Mexican non-governmental organizations (NGOs) R3D and SocialTic, documented how Mexican government food scientists, health, and consumer advocates also received links to infrastructure that were connected to NSO Group.

The Citizen Lab’s latest report expands the Mexican investigation and shows how 11 Mexican journalists and human rights defenders, and one United States citizen, were targeted with NSO’s Exploit Framework.

The report provides yet more evidence of the abuse of powerful commercial spyware sold to government agencies ostensibly to track terrorists and criminals, but which ends up being deployed against civil society.

“Time and again, companies like these, when presented with evidence of abuse, effectively pass the buck, claiming that they only sell to ‘government agencies’ to use their products for criminal, counterintelligence, or anti-terrorism purposes.  The problem is that many of those government clients are deeply corrupt; what constitutes a ‘crime’ for officials and powerful elites can include any activity that challenges their position of power — especially investigative journalism.” — Ron Deibert, Professor of Political Science and Director of the Citizen Lab, Munk School of Global Affairs, University of Toronto

The Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, has extensive experience uncovering the abuse of commercial spyware and has produced numerous reports on surveillance companies such as FinFisher, Hacking Team, and NSO Group.

For Media Inquiries

Dena Allen
Executive Director, Public Affairs and Engagement
Munk School of Global Affairs
University of Toronto
Telephone: +1-416-946-0123
Mobile: +1-416-795-3902

Guide on Citing in Media

Title: Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware
Authors: John Scott-Railton, Bill Marczak, Bahr Abdulrazzak, Masashi Crete-Nishihata, and Ron Deibert
Published by: The Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication date: 19 June 2017
Report URL:
Hashtag: #recklessexploit