Day 19: Mexico — The Guacamaya Leaks and Military Information Operations

FIMI Frontier

When the Army Spies on Its Own Citizens (2022-2024)

In September 2022, a hacktivist collective called “Guacamaya” breached the Mexican Ministry of National Defense (SEDENA), exfiltrating six terabytes — over four million documents — in the largest hack in Mexico’s history. What emerged was a portrait of a military establishment that had turned its surveillance apparatus against journalists, activists, and political opponents rather than criminal organizations.

The Guacamaya Revelations

The leaked documents, distributed to journalists and human rights organizations, revealed multiple layers of military surveillance and information operations:

Pegasus Spyware Deployment: Despite President Andrés Manuel López Obrador’s (AMLO) repeated public assurances that his government does not spy on journalists or political opponents, the documents showed continued use of Pegasus spyware during his administration. An investigation by R3D (Digital Rights Defense Network), Article 19, and Citizen Lab found infections on the phones of human rights defenders and journalists in 2019, 2020, and 2021.

The documents revealed that SEDENA had contracts with Comercializadora Antsua — NSO Group’s authorized Mexican distributor — paying approximately 140 million pesos (~$7.7 million USD) for “remote monitoring service licenses.” When confronted with information requests, SEDENA denied such contracts existed, then later classified the information as “national security” matters for five years.

Secret Military Intelligence Center (CMI): The leaks exposed a previously unknown intelligence unit called CMI (Centro Militar de Inteligencia). According to R3D’s investigation, the documents reveal that one of CMI’s identified “threats” was that “the activities of this center are made public.” The CMI has no formal legal establishment and operates outside normal oversight mechanisms.

Surveillance Targets: The documents showed SEDENA monitored feminist collectives, the Zapatista movement (EZLN), social leaders attending presidential events, and human rights advocate Raymundo Ramos — who was investigating a suspected extrajudicial killing by the Army in the border town of Nuevo Laredo.

The National Security Archive found that years before the 2014 disappearance of 43 students from Ayotzinapa, the military had the school under surveillance and “considered its students to be subversives.”

The Cyberspace Operations Center (COC)

A February 2024 investigation by R3D detailed the functions of another secret SEDENA division: the Cyberspace Operations Center (COC), established in 2016 to conduct “military operations in cyberspace.”

According to Freedom House, the COC uses commercial software to monitor social media users who are critical of the state. But it goes beyond surveillance — the COC’s “Influence Operations Group” actively manipulates online conversations.

In one documented instance from 2020, the Influence Operations Group created at least six social media accounts that shared more than 5,000 items favorable to the military, including posts attempting to manipulate conversations about the army’s human rights violations.

The investigation found that COC uses commercial software to deploy “inauthentic bots that exert soft influence on public opinion.” The leaked documents also revealed that SEDENA was using TikTok to spread propaganda, assigning military personnel to “fight in social networks.”

The 2024 Election: A Disinformation Battleground

Mexico’s June 2024 presidential election — the largest in the country’s history, with nearly 20,000 positions on the ballot — became a testing ground for AI-generated disinformation.

Bot Armies from Multiple Directions: According to Freedom House, disinformation analyst Alberto Escorcia reported that 92% of posts using the #NarcoPresidenteAMLO hashtag were created by bots. Meanwhile, Julián Macías Tovar of Spain’s Pandemia Digital found that over 50,000 posts using the misspelled hashtag #NarcoGobiermoAMLO originated from more than 4,000 accounts — with more than half coming from Argentina, Spain, and Colombia, suggesting inauthentic coordination.

Pro-government accounts also manipulated conversations. Animal Político reported in October 2023 that a network of at least 160 X accounts called “Liga de Guerreros” (League of Warriors) shared false and manipulated content supporting opposition candidate Xóchitl Gálvez.

Deepfakes Targeting Both Sides: In February 2024, a deepfake video of Claudia Sheinbaum surfaced, showing the presidential candidate promoting a fraudulent investment scheme. Sheinbaum quickly denounced it: “It’s a video that they’re doing with artificial intelligence because you’ll see that it’s my voice, but it’s a fraud.”

Another disinformation campaign falsely claimed Sheinbaum was born in Hungary or Bulgaria — not Mexico — stemming from her Jewish heritage and grandparents’ emigration from Eastern Europe. She was forced to publicly display her birth certificate.

YouTube Disinformation Networks: Animal Político reported in February 2024 that at least four YouTube channels — one with 351,000 subscribers — were “systematically” sharing inaccurate claims about López Obrador and Sheinbaum while promoting opposition candidate Gálvez.

Attacks on Electoral Independence

Beyond disinformation, President López Obrador spent years attacking Mexico’s independent electoral authority (INE — Instituto Nacional Electoral), the institution that had enabled his own 2018 election victory.

AMLO proposed cutting INE’s budget, reducing staff, and closing local offices. According to the Wilson Center, AMLO used his daily morning press conferences to systematically attack “political opponents, the media, journalists, and any other person or entity who inconveniences him.”

When the Supreme Court blocked his attempts to amend the Constitution and subjugate INE, the harassment continued. Critics compared the pattern to Donald Trump’s attacks on U.S. electoral institutions.

U.S. lawmakers from both parties raised alarms, with former Mexican Ambassador Arturo Sarukhan warning: “By 2024, policymakers in Washington may well be asking themselves, ‘How—and when—did we lose Mexico?’ This is how, this is when.”

The Outcome

Despite the disinformation campaigns and institutional attacks, Mexico’s election proceeded. Claudia Sheinbaum won with approximately 60% of the vote, becoming Mexico’s first female and first Jewish president.

However, narratives attacking her appearance and alleging election fraud continued to circulate even after her victory — demonstrating that the information environment remains contested.

The Lesson

Mexico illustrates how domestic actors — particularly military and security services — can pose as significant a threat to information integrity as foreign adversaries. The Guacamaya leaks revealed a military establishment that had turned surveillance tools inward, monitoring citizens rather than protecting them, and actively manipulating online discourse to protect its own reputation.

As researchers noted, the documents show the government is “more concerned about the opposition parties than it is of the narco” — a damning indictment of misplaced priorities in a country plagued by cartel violence.

The 2024 election showed both sides deploying bot networks and disinformation, with cross-border coordination from Spain and South America adding an international dimension. Mexico’s experience demonstrates that in the age of AI-generated deepfakes and coordinated inauthentic behavior, threats to electoral integrit.

 

Factcheck LT