Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

May 29, 2026 · 6 min read

Maria Teresa Montaño Delgado Found an Unknown Device Logged Into Her Email on April 29 and Files She Did Not Recognize on Her Laptop—CPJ Raised the Alarm on May 19 and Asked Mexico to Investigate the Possible Surveillance of a 2023 International Press Freedom Award Recipient Who Has Already Been Kidnapped Once

The pattern is familiar—anonymous device logins, files on disk that the journalist did not create—and the country is the one where Pegasus surveillance of the press has been documented every year for almost a decade.

On April 29, 2026, Maria Teresa Montaño Delgado—a Mexican investigative journalist and the 2023 recipient of the Committee to Protect Journalists' International Press Freedom Award—opened her email account and found a session from an unknown device. A check of her laptop turned up files she did not recognize. Twenty days later, on May 19, CPJ published an alert calling on the Mexican authorities to "immediately and credibly investigate possible malware and digital surveillance attacks" against her and to "take appropriate steps to guarantee her safety." Montaño is already enrolled in Mexico's Federal Mechanism for Protection of Journalists, the program the government runs for reporters whose work has put them at risk of physical harm. The program did not stop the 2021 kidnapping during which her equipment was seized. It is unlikely to stop whoever is reading her email now.

Key Takeaways

  • Maria Teresa Montaño Delgado reported the incident to CPJ on May 18, 2026; CPJ published its alert on May 19 demanding Mexican authorities investigate possible malware and digital surveillance against her.
  • Montaño discovered an unknown device session connected to her email account on April 29, 2026, and unidentified files on at least one of her laptops.
  • Montaño is the founder and editor of The ObserverMX, an investigative outlet covering corruption, graft, and human rights abuses in Estado de México, the state neighboring Mexico City.
  • She received CPJ's International Press Freedom Award in 2023 and was briefly kidnapped in 2021 by unknown assailants who threatened her and seized her equipment; she is enrolled in Mexico's Federal Mechanism for Protection of Journalists.
  • Mexico is documented as the deadliest country for journalists in the western hemisphere and has an extensive prior record of Pegasus surveillance against reporters, documented by Citizen Lab, R3D, and Article 19 between 2017 and 2022.

What Did Montaño Find on Her Devices?

The two artifacts Montaño identified are the classic forensic signature of an account compromise. The first was an unrecognized device logged into her email account—a session from hardware she did not own, in a location she could not identify, with access she did not authorize. Email session hijacking is most often achieved through a stolen authentication token, harvested from another infected device or replayed after a phishing campaign captured the cookie. Once the token is in the operator's hands, multi factor authentication does not stop the access because the second factor was already satisfied when the cookie was issued.

The second was files on at least one of her laptops that she did not create or download. Unrecognized files are the calling card of a remote access trojan or a more sophisticated implant that has been writing to disk—staging payloads, dropping persistence mechanisms, or temporarily caching exfiltrated material before sending it to the operator. Forensic confirmation of the specific malware would require imaging the disk and analyzing it offline, which is exactly the kind of independent investigation CPJ is asking the Mexican authorities to authorize.

Why Estado de México Is the Story?

Montaño's outlet, The ObserverMX, investigates the Estado de México state government—Mexico's most populous state, home to 17 million people, and the political base of multiple presidents including current incumbent Claudia Sheinbaum's predecessor. The state has a long documented history of corruption, criminal infiltration of municipal governments, and surveillance of journalists who report on either. ObserverMX's beat is precisely the work that historically draws Pegasus and similar commercial spyware in Mexico: official corruption, human rights abuses by public security forces, and fact checking of statements made by elected officials.

In 2021, Montaño was abducted by unknown assailants who threatened her and confiscated her equipment. The kidnapping was brief but the message was not subtle. Her enrollment in the Federal Mechanism for Protection of Journalists followed shortly after. The Mechanism provides physical protection measures—panic buttons, occasional escorts, monitored housing—but it does not protect against the digital surveillance vectors that Mexican journalists have been targeted with since at least 2017.

A journalist's notebook and recorder on a wooden desk in soft natural light illustrating the suspected spyware attack against Maria Teresa Montano

What Is Mexico's Track Record With Press Surveillance?

Mexico is the most prolific government customer of commercial spyware against journalists ever documented. Citizen Lab, R3D, Article 19, and Social TIC traced Pegasus infections of at least 25 Mexican journalists and human rights defenders between 2016 and 2023, including reporters at Aristegui Noticias, Animal Político, and the Centro Prodh. The targets included people investigating the 2014 disappearance of 43 students from Ayotzinapa, official corruption inside the Peña Nieto administration, and the Mexican Army's role in extrajudicial killings.

In 2023, NPR reported on a Mexican investigation into the Army's continued use of Pegasus against human rights activists, despite repeated public denials by senior officials. The Mexican federal government has never publicly acknowledged purchasing Pegasus, though procurement records leaked by the Guacamaya hacktivist group in 2022 confirmed contracts with NSO Group through intermediary companies. CPJ has cited those records when explaining why it does not consider denials from the Sheinbaum or López Obrador governments credible without independent forensic verification.

Why Does Email Session Hijacking Beat Multi Factor Authentication?

For high risk users like Montaño, the email account is the perimeter. It holds source communications, scheduled meetings with subjects, attachments containing leaked documents, and the chain of trust for password resets across every other service. When an operator compromises the email account, everything downstream becomes accessible: cloud storage, financial accounts, social media, and the secondary devices that receive notification codes.

The mechanism is almost always the same. The operator harvests an authentication cookie or refresh token from an infected endpoint—a phone, a laptop, a synced tablet—and replays it from their own infrastructure. Google and Microsoft's anomaly detection might flag the new geography, but the alert lands in the same inbox the operator is reading, and the operator silences the warning. Multi factor authentication is bypassed because the second factor was satisfied when the cookie was minted. For journalists in high threat environments, the only durable defense is hardware backed FIDO2 keys that bind authentication to the physical device, and disciplined session hygiene that revokes tokens proactively rather than waiting for an alert.

What Comes Next?

CPJ's statement asks Mexican authorities to do three things: investigate, attribute, and protect. The likelihood of public attribution in the short term is low—Mexico's prior Pegasus investigations have rarely produced public results, and the country's Federal Mechanism for Protection of Journalists is chronically under resourced relative to the scale of threats it is supposed to address. Citizen Lab and R3D will likely receive Montaño's devices for forensic analysis at some point in the coming months. That analysis will be the most reliable indicator of what malware family was used and whether the operator was a government, a cartel, or a hybrid.

In the meantime, Montaño keeps reporting. The ObserverMX continues to publish. The Federal Mechanism for Protection of Journalists keeps her on its list. And the legal fight to constrain the spyware industry continues elsewhere—including the amicus brief CPJ and ten other civil society groups filed at the Ninth Circuit on May 20 asking the court to keep the permanent injunction against NSO Group in place. The case for that injunction rests on facts like the ones Montaño's devices may yet confirm.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.