As troubles mount for the Israeli spyware firm NSO, Mexico’s attorney general announced the first arrest for using the company’s Pegasus software to illegally hack a journalist’s phone.
In July, the Mexican federal prosecutor's office issued a statement saying that journalist Carmen Aristegui provided the information necessary to determine that NSO Group used a Mexican company, a reference to a company called KBH, from which investigators removed a hard disk showing that KBH tapped telephones of various officials, the identity of whom on legal grounds has not yet been made public. "We can confirm with certainty that in the case of [Mexican] National Security Adviser Dr. Manuel Mondragon, his phone was tapped," the statement added.
The announcement contradicts NSO’s repeated claims – and those of Israel’s Defense Ministry – that Pegasus is sold only to government security and law enforcement organizations, and that it is only used to fight terror and crime, as the figure is suspected of operating it from the offices of a private company.
Read more >> The Israeli cyber weapon used against 180 journalists ■ Khashoggi’s fiancee, son targeted by NSO tech, investigation reveals ■ How NSO's Pegasus is used to spy on journalists ■ Analysis: How Israeli spy-tech became dictators' weapon of choice ■ India’s Gandhi and Pakistan’s Khan tapped as targets in Israeli NSO spyware scandal ■ Israel's cyber-spy industry helps dictators hunt dissidents and gays
According to the announcement, Juan Carlos García Rivera was arrested for “committing the crime of illegally infiltrating a journalist’s communications, using the software known to the public as Pegasus.” According to a previous announcement by the prosecution, Rivera worked in technical support for the private companies Proyectos y Diseños and KBH Track – two of the dozens founded by an Israeli national named Uri (Emmanuel) Ansbacher. NSO denies any connection to the case.
Leopoldo Maldonado, the regional director for Mexico and Central America for the Article 19 human rights organization, told Haaretz that these companies acted as mediators between NSO Group and Mexican security and law enforcement organizations, including the military, its CIA and the attorney general’s office.
While Rivera’s arrest for illegally operating Pegasus software, the first of its kind, is significant, so is the location from which he operated it. In July, while Defense Minister Benny Gantz was in France to quell another NSO-related scandal there, Mexico’s attorney general declared that she found evidence that Pegasus was used from the offices of KBH Track, one of Ansbacher’s private companies. According to the same announcement, Ansbacher himself fled Mexico more than two years ago.
- Palestinians targeted by Pegasus shows Israel's sense of arrogance
- How NSO's Pegasus is used to spy on journalists
- Five French ministers possibly targeted by Israeli NSO's Pegasus spyware, report says
This attorney general’s announcement contradicts claims repeated by NSO and the Defense Ministry, which is the regulator responsible for overseeing security-related exports. According to both the company and the ministry – and according to the export oversight law – Pegasus is sold exclusively to official defense and law enforcement organizations, and is used only to fight serious crime and terrorism.
“This is another case in NSO’s long history,” Maldonado said. “This indictment proves that it is incorrect that government agencies alone use Pegasus. Now we know that Pegasus is being misused by private and public organizations.”
One of the central figures in Rivera’s case was Tomas Zerón de Lucia, a former top Mexican security official. He is wanted in his home country for a long list of suspected crimes, including his involvement in the disappearance of 43 students from the Raul Isidro Burgos Teachers College in Ayotzinapa in 2014 and is suspected of embezzling millions of dollars.
Authorities also want to investigate him in connection to misuse of Pegasus software. NSO insists that it had no connection with Zerón or with the attorney general’s office, but a number of official announcements and Mexican media reports contradict those claims, as does Maldonado.
Zerón fled to Israel in 2019, and according to several reports is seeking asylum there, as Mexico’s president presented a formal request to the Israeli government and Interpol for the former official’s extradition. NSO claims that they had no contact with him before or after he fled Mexico.
NSO released a statement denying any connection to the case saying "the person reported arrested is not, and never was, an employee of NSO Group, or any of its affiliates.
"As stated in the past, NSO’s technologies are only sold to vetted and approved government entities, and cannot be operated by private companies or individuals.
"We regret to see that, over and over again, the company’s name is mentioned in the media in events that has nothing to do with NSO, directly or indirectly."
With regard NSO's reference to affiliates, it should be noted that KBH and the web of companies that Ansbacher opened in Mexico, the United States and Panama did not involve NSO subsidiaries but rather intermediaries.
Based on the leak of more than 20,000 documents, the Mexican media outlets Aristegui Noticias and Proceso disclosed that Ansbacher had opened at least 18 firms that served as "straw" companies – including many with very similar names – making it difficult to monitor their activities. Among them, for example, were KBH Geolocation Systems, KBH Applied Technology Group and KBH Aviatio. In many cases, he even signed documents with a different spelling of his name.
"New companies were established all the time to prevent the same company from attracting attention as a contractor of the Mexican government," Proceso reported. Between 2009 and 2018, various companies were opened in Mexico City and other places. "Those same companies were awarded official contracts and were later replaced by others that were part of the commercial structure."
Uri Ansbacher denied the allegations. "These are baseless claims," Ansbacher told Haaretz. He added that the software was never operated from his company's offices and none of his workers has run this kind of activity. "It is fake," the statement said.
"The relation was purely for marketing purposes and under DECA's approval. No of us is familiar with the technological side [of the software]."