CPJ: Mexican Journalist's Email Hacked, Malware Found

The intrusion followed a pattern that surveillance researchers recognize. Sixteen days before Montaño noticed the unauthorized access, she received an unsolicited email from an unknown sender asking about her investigations into fraudulent government contracts. The timing suggests the message may have been a reconnaissance probe — an attempt to confirm her email address was active and her inbox was monitored. By April 29, an unrecognized device had been connected to her email account and unidentified files had appeared on her laptop. She reported her belief to the Committee to Protect Journalists that both devices had been compromised by malicious software.

Key Takeaways

• On April 29, 2026, María Teresa Montaño discovered an unknown device connected to her email account and unrecognized files on her laptop — consistent with malware infection.
• The attack followed a suspicious email received on April 13 from an unknown sender asking about her corruption investigations, which may have been a reconnaissance message to verify her inbox.
• Montaño is a 2023 CPJ International Press Freedom Award winner and investigative journalist covering corruption and human rights abuses in Estado de México.
• CPJ formally called on Mexican authorities to investigate and provide her with adequate protection — Mexico is the deadliest country for journalists in the western hemisphere.
• Mexico has a documented history of deploying Pegasus spyware against journalists; accountability for past cases remains close to zero.

Who Is María Teresa Montaño?

Montaño founded and edits The ObserverMX, an investigative publication based in Estado de México that covers corruption, graft, and human rights abuses — the exact categories of reporting that make journalists targets in Mexico. In November 2023, CPJ presented her with its International Press Freedom Award, recognizing her work under sustained threat. That same year, CPJ documented how her previous reporting had led to threats, harassment, and attempts to silence her from both state authorities and criminal groups.

In 2021, Montaño was briefly kidnapped by three armed men who held her at gunpoint and took her work equipment, including files related to an active corruption investigation involving state officials. She survived and continued reporting. She subsequently enrolled in a federal journalist protection program. The April 2026 digital attack is the latest in a pattern of targeting that has spanned years.

How Was Her Email Compromised?

The specific malware responsible has not been publicly identified. The indicators Montaño reported — an unrecognized device authorized on her email account and unknown files appearing on her laptop — are consistent with several attack categories. A device appearing in email account settings typically means an attacker obtained her credentials and logged in from a new device, either through phishing, credential stuffing from a prior breach, or malware that captured her password. Unknown files on a laptop suggest a more invasive compromise, potentially a remote access tool or spyware installed without her knowledge.

The April 13 email is significant context. Surveillance operations against journalists frequently begin with a social engineering message designed to achieve two goals simultaneously: to confirm that the email address is actively monitored and to potentially deliver a malicious payload if the recipient clicks a link or opens an attachment. Even a message that appears to be a legitimate press inquiry can contain a tracking pixel that logs the recipient's IP address and mail client before any click occurs, confirming inbox activity without any action on the journalist's part.

Montaño told CPJ that she does not know whether the digital attacks connect directly to any of her current investigations. That uncertainty is itself informative — it reflects how difficult attribution is in practice, particularly when state or state adjacent actors may be involved and when forensic analysis requires resources that freelance and independent journalists rarely have.

Mexico's Documented History of Journalist Surveillance

Mexico has the worst documented record of spyware use against journalists in Latin America. A 2023 joint investigation by The New York Times and Aristegui Noticias revealed that the Mexican Armed Forces used NSO Group's Pegasus spyware to surveil journalists and human rights defenders, including reporters at the newspaper El Universal. At least six journalists received malicious text messages containing Pegasus links. The "Spy Army" investigation documented that surveillance operations were run from a secret military unit with minimal oversight.

CPJ's spyware tracking database records dozens of confirmed Mexican journalists targeted with commercial surveillance tools. Mexico is consistently ranked among the top five countries globally for Pegasus infections in independent research by Citizen Lab and Amnesty International's Security Lab. Despite numerous documented cases, Mexican authorities have not prosecuted a single person for the unlawful surveillance of journalists. NGOs have repeatedly called for international mechanisms to be invoked because domestic accountability has consistently failed.

The Montaño case fits this pattern precisely. A prominent journalist who has survived physical attacks and continues covering corruption is targeted digitally. CPJ is calling for an investigation. The historical record suggests that investigation is unlikely to produce consequences. That context is not background noise — it is the operating environment that makes email and device security non-optional for journalists working in Mexico.

What Journalists and Activists Can Do

The techniques used against journalists like Montaño range from sophisticated state sponsored spyware to relatively basic email account compromise. Defense against each layer requires different tools. For email account security: use unique strong passwords, enable phishing resistant two factor authentication (hardware keys where possible), regularly review authorized devices in your email provider's security settings, and treat any unsolicited email about your investigations as a potential reconnaissance or delivery mechanism.

For tracking pixels and surveillance via email — the passive layer that many journalists overlook — blocking incoming tracking images is a baseline measure. Tracking pixels in unsolicited emails can confirm to senders that your inbox is monitored, log your IP address and location, identify your device type and email client, and provide operational intelligence about when you are actively reading email. A tracker blocking extension in Gmail intercepts these requests before they fire. It does not stop a sophisticated implant already installed on a device, but it removes one passive surveillance vector that requires no action on the attacker's part once the email is delivered. Our guide on how to tell if your email is being tracked covers what standard email tracking reveals and how to detect it.

For high threat journalists, the Freedom of the Press Foundation's digital security resources and Citizen Lab's research on spyware infections provide specialized guidance beyond what general consumer tools can offer. The level of threat Montaño faces requires a threat model that goes beyond what any browser extension addresses alone.

Sources: CPJ: Mexican journalist and IPFA recipient Montaño targeted in possible malware attacks; CPJ spyware tracker; LatAm Journalism Review: Spy Army investigation.