
Hacks on the Mexican government: not sophistication, but negligence
Mexico received over 40 billion cyberattack attempts in the first half of 2025. Four per second. That's a number so large it ceases to mean anything — until you see who is on the other side defending.
The Mexican State has been losing data for years. SPEI in 2018, PEMEX in 2019, Lotería Nacional in 2021, SEDENA in 2022, INE in 2024, IMSS in 2025, and in January 2026 the Chronus group stole 2.3 TB from 25 government agencies — SAT, IMSS-Bienestar, Secretaría de Salud — containing data on 36.5 million people. Almost a third of the country.
It's easy to blame "sophisticated hackers." But when one reviews the technical reports, what appears again and again is not cutting-edge offensive engineering. It's technical debt, compromised credentials, and vendors who hadn't applied a patch for a decade.
What's actually happening
In 2018, the SPEI attack didn't touch Banxico's core. It focused on the peripheral connection applications that institutions used to interact with the central infrastructure. The attackers injected transactions with non-existent issuing accounts and real recipient accounts, and the system settled them automatically. Between 300 and 400 million pesos were lost through a layer that no one was auditing properly.
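To make the SPEI failure concrete, here is an added example (mine, not from the article or from any SPEI component) of a toy settlement layer: a naive version that, like the peripheral applications described above, only checks that the recipient exists, next to a checked version that refuses transfers whose issuing account is not in the registry or cannot cover the amount. The account registry and the transfers are constructed sample data.

```python
"""Added example, not from the article: a toy settlement layer showing why a
peripheral integration must verify the issuing account, not only the recipient.
The account registry and the transfers below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed registry of accounts the central system actually knows about
# (account id -> balance in cents). Anything not listed here does not exist.
REGISTRY = {"ACC-001": 1_000_000, "ACC-002": 250_000, "ACC-003": 0}


@dataclass
class Transfer:
    issuer: str     # account to be debited
    recipient: str  # account to be credited
    amount: int     # cents


@dataclass
class Ledger:
    balances: dict = field(default_factory=lambda: dict(REGISTRY))
    rejected: list = field(default_factory=list)

    def settle_naive(self, t: Transfer) -> bool:
        """Weak integration: only the recipient is checked before crediting.
        A transfer from an issuer that does not exist is accepted, and the
        ledger creates money out of nothing (the failure the text describes)."""
        if t.recipient not in self.balances:
            self.rejected.append((t, "unknown recipient"))
            return False
        self.balances[t.recipient] += t.amount
        return True

    def settle_checked(self, t: Transfer) -> bool:
        """Hardened version: both endpoints must exist in the registry, the
        amount must be positive and the issuer must cover it. Debit and credit
        happen together so the total money in the ledger is conserved."""
        if t.issuer not in self.balances:
            self.rejected.append((t, "unknown issuer"))
            return False
        if t.recipient not in self.balances:
            self.rejected.append((t, "unknown recipient"))
            return False
        if t.amount <= 0:
            self.rejected.append((t, "non-positive amount"))
            return False
        if self.balances[t.issuer] < t.amount:
            self.rejected.append((t, "insufficient funds"))
            return False
        self.balances[t.issuer] -= t.amount
        self.balances[t.recipient] += t.amount
        return True


def total_money(ledger: Ledger) -> int:
    """Invariant a settlement system must keep: transfers move money, never create it."""
    return sum(ledger.balances.values())


# Constructed transfers: one legitimate, one from a ghost issuer, one overdraft.
SAMPLE_TRANSFERS = [
    Transfer("ACC-001", "ACC-002", 100_000),
    Transfer("GHOST-999", "ACC-002", 400_000),
    Transfer("ACC-003", "ACC-002", 50_000),
]


def run_demo(transfers=SAMPLE_TRANSFERS):
    """Settle the same transfers through both versions and return both ledgers."""
    naive, checked = Ledger(), Ledger()
    naive_results = [naive.settle_naive(t) for t in transfers]
    checked_results = [checked.settle_checked(t) for t in transfers]
    return naive, checked, naive_results, checked_results


if __name__ == "__main__":
    naive, checked, nr, cr = run_demo()
    print("naive accepted:", nr, "total money:", total_money(naive))
    print("checked accepted:", cr, "total money:", total_money(checked))
    for t, reason in checked.rejected:
        print("rejected", t, "->", reason)
```

The useful audit signal is the invariant in total_money: if the sum of balances after a batch differs from the sum before it, a settlement path is accepting transfers without a real debit, which is exactly what the ghost-issuer transactions did.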
In 2019, PEMEX fell to DoppelPaymer. The entry point was not a zero-day. It was an employee opening an email with Emotet — the most common malware on the market — and attackers escalating with stolen signed certificates to evade detection. The ransom demanded was 4.9 million dollars. The cleanup cost 71.
In 2022, Guacamaya extracted 6 terabytes from SEDENA. The vector was ProxyShell: three CVEs in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) chained to achieve remote code execution as SYSTEM. Microsoft published the patches months before the attack. No one applied them. The Mexican Army — with a national security budget — was running an unpatched mail server for half a year after the vendor screamed that it was urgent.
The INE hack in 2024 didn't even touch the central systems. It was misconfigurations in external cloud provider databases. 1.2 billion records exposed — including biographical photos from voting credentials — because someone forgot to close a bucket.
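The "someone forgot to close a bucket" failure is usually visible in a bucket policy long before anyone downloads anything. As an added example (mine, not from the article and not tied to INE's actual provider), the following Python checks a bucket policy document offline for statements that grant anonymous principals read or list access, and shows how the RestrictPublicBuckets setting of S3 Block Public Access neutralises such a policy. The policies, bucket names and the account id and role name are constructed placeholders.

```python
"""Added example, not from the article: a static check of an S3 bucket policy
for statements that grant anonymous read access, plus the public-access-block
setting that would neutralise them. Policies below are constructed samples;
the account id and role name in them are placeholders."""
import json
from fnmatch import fnmatch

# Actions that let an anonymous principal enumerate or download objects.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """'*' or {"AWS": "*"} means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str) -> list:
    """Return the Allow statements that give anonymous principals read access.
    Action patterns such as 's3:*' or 's3:Get*' are expanded with fnmatch."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(st.get("Action", []))]
        exposed = [a for a in READ_ACTIONS if any(fnmatch(a, p) for p in patterns)]
        if not exposed:
            continue
        findings.append({
            "sid": st.get("Sid"),
            "actions": exposed,
            "resources": _as_list(st.get("Resource", [])),
            # A Condition (e.g. a source VPC) may narrow this; flag it for review.
            "conditioned": "Condition" in st,
        })
    return findings


def bucket_is_exposed(policy_json: str, public_access_block: dict) -> bool:
    """RestrictPublicBuckets=true makes AWS ignore a public bucket policy for
    anonymous callers, so it is the setting that closes the hole at the account
    or bucket level (simplified model of that control)."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_read_statements(policy_json))


# Constructed sample: the classic "nobody closed the bucket" policy.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-records-bucket",
                     "arn:aws:s3:::example-records-bucket/*"],
    }],
})

# Constructed sample: access limited to one application role (placeholder ids).
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/placeholder-app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, public_read_statements(policy))
    print("exposed without block:", bucket_is_exposed(PUBLIC_POLICY, {}))
    print("exposed with RestrictPublicBuckets:",
          bucket_is_exposed(PUBLIC_POLICY, {"RestrictPublicBuckets": True}))
```

In a real estate the policy and public-access-block documents would come from the cloud API rather than inline strings; the point of the check is that a third-party provider's buckets can be audited continuously and mechanically, which is the monitoring the text says nobody was doing.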
The IMSS in 2025 was worse, or more honest, depending on how you look at it. There was no hack. It was an internal leak: its own staff, with legitimate credentials, selling the database of 20 million pensioners on the dark web for 50,000 pesos. Not a single perimeter firewall in the world stops that if the agency doesn't have DLP or granular access controls.
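What does stop, or at least surfaces, an insider with valid credentials is monitoring of what those credentials actually do. As an added example (mine, not from the article and not IMSS's tooling), here is detection logic run over constructed database audit-log lines: it flags single queries that touch a dump-sized number of rows, lookups outside business hours, and users whose daily row total exceeds what their role legitimately needs. The log format, user names, table name and thresholds are all assumptions.

```python
"""Added example, not from the article: detection logic for bulk extraction by
users who hold legitimate credentials, run over constructed database audit
log lines. Thresholds are assumptions to be tuned per role and table."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Assumed policy for a service-desk role: a few records per lookup, never a dump.
BULK_ROWS_PER_EVENT = 100_000   # one query touching this many rows is a dump
DAILY_ROW_BUDGET = 1_000        # more than this per user per day needs a ticket
BUSINESS_HOURS = range(7, 20)   # UTC hours in which lookups are expected

# Constructed audit log: two users, one of whom exports the table at night.
SAMPLE_LOG = """\
2025-03-04T09:12:03Z user=ana.r action=SELECT table=pensioners rows=14
2025-03-04T09:40:51Z user=ana.r action=SELECT table=pensioners rows=9
2025-03-04T10:05:17Z user=luis.m action=SELECT table=pensioners rows=22
2025-03-04T23:41:08Z user=luis.m action=EXPORT table=pensioners rows=4800000
2025-03-04T23:52:30Z user=luis.m action=EXPORT table=pensioners rows=5200000
2025-03-05T08:30:00Z user=ana.r action=SELECT table=pensioners rows=11
"""


def parse_events(text: str) -> list:
    """Parse one event per line; malformed lines are skipped, not trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "action": m["action"],
                       "table": m["table"], "rows": int(m["rows"])})
    return events


def daily_totals(events: list) -> dict:
    """Rows touched per (user, ISO date), so many small queries add up too."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date().isoformat())] += e["rows"]
    return dict(totals)


def detect_bulk_access(events: list) -> list:
    """Apply the three rules and return one finding per rule hit."""
    findings = []
    for e in events:
        if e["rows"] >= BULK_ROWS_PER_EVENT:
            findings.append({"user": e["user"], "rule": "bulk_event",
                             "ts": e["ts"].isoformat(), "rows": e["rows"]})
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append({"user": e["user"], "rule": "off_hours",
                             "ts": e["ts"].isoformat(), "rows": e["rows"]})
    for (user, day), total in daily_totals(events).items():
        if total > DAILY_ROW_BUDGET:
            findings.append({"user": user, "rule": "daily_budget",
                             "ts": day, "rows": total})
    return findings


def flagged_users(findings: list) -> list:
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for f in detect_bulk_access(parse_events(SAMPLE_LOG)):
        print(f"{f['user']:8} {f['rule']:13} {f['ts']}  rows={f['rows']}")
```

The daily budget rule matters as much as the per-event one: an insider who knows the single-query threshold can page through the table in small batches, and only the aggregate reveals the pattern. None of this works unless the database emits per-user audit events in the first place, which is the granular control the text says was missing.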
And the Chronus hack of 2026 — the largest — the ATDT itself admitted that the attackers got in with compromised valid credentials, through infrastructure over 20 years old, managed by private vendors who never applied critical patches. The government paid the third party, the third party didn't do its job, and no one was monitoring.
Guacamaya's Exposure
What makes the SEDENA hack different isn't the size of the 6 TB of emails. It's what was inside.
The documents proved that SEDENA continued using Pegasus in 2019 to monitor journalists and human rights defenders, while the Executive publicly swore they no longer did. Medical diagnoses of the president that were never transparently reported were leaked. Surveillance of the parents of the Ayotzinapa 43 and feminist collectives categorized as "subversive" appeared. The official version of the Culiacanazo fell apart: the real number of military casualties was higher than reported, and the truce with the Cártel de Sinaloa was the result of direct threats to the families of the uniformed personnel.
All of this came to light because an Exchange server didn't receive a publicly available patch. The technical lesson is embarrassing. The political lesson is worse: the same "intelligence" tools used to spy on citizens were exposed by the same incompetence that kept them operating.
The National Plan and its gaps
The formal response is the National Cybersecurity Plan 2025-2030, presented by the ATDT under the Sheinbaum administration. Eight axes, National CSIRT, Zero Trust, mandatory audits for providers, training for 150,000 public servants via the Public Code School.
On paper, it's good. In practice, there are two problems already pointed out by analysts like Víctor Ruiz.
The first is budget. The plan was published without specific allocation in the Federal Expenditure Budget. A Federated CSOC without a budget line is a PowerPoint.
The second is the horizon. Goals set for 2030 for threats that mutate every week. Chronus and Scorpion Carmen don't operate on five-year cycles. They are already using generative AI to automate vulnerability discovery and produce polymorphic malware that evades traditional antivirus. A plan measured in six-year terms loses to adversaries who work in sprints.
And the Federal Cybersecurity Law has not yet been published. It is expected by the end of 2026. Without a law, there are no real sanctions — neither for officials who ignored patches for months, nor for providers who ran fifteen-year-old software with access to millions of people's data.
The talent gap
Mexico has an estimated deficit of 300,000 cybersecurity specialists. In the public sector, it's worse because salaries don't compete even with private Mexican companies, much less with those from abroad. So agencies hire providers. Providers subcontract. No one does 24/7 monitoring. When a Chronus incident happens, the ATDT activates "contingency protocols" and issues a bulletin.
Digital sovereignty, boasted in speeches, does not exist if SAT databases live on servers that the provider stopped maintaining in 2015.
But this is also a concrete opportunity for the Mexican technical community. Not the romanticized version. We need people who know how to configure a WAF, rotate credentials, review HTTP headers, audit a supply chain, respond to an incident. We need to train those 300,000 people, and it won't come from a six-year plan. It will come from communities, bootcamps, workshops, and mentorships. From companies that stop seeing cybersecurity as an expense and treat it as part of the product from day one. From developers who stop accepting two decades of technical debt as if it were normal.
The attacks won't stop. The question is whether the next generation of engineers will be on the side that builds real defenses, or on the side that writes the forensic reports after the disaster.
What do you think? Join the conversation on our Discord and share your perspective.