BY MATTATHIAS SCHWARTZ
After a maker of surveillance software was hacked, its leaked documents shed light on a shadowy global industry that has turned email theft into a terrifying — and lucrative — political weapon.
On the morning of May 18, 2014, Violeta Lagunes was perplexed by a series of strange messages that appeared in her Gmail inbox. It was Election Day to choose the leadership of Mexico’s right-wing Partido Acción Nacional, or PAN, and Lagunes, a former federal congresswoman, was holding a strategy meeting in her office in Puebla city. The emails seemed harmless, at least at first. One appeared to come from the account of a trusted colleague. It asked her to download and review a document. Lagunes clicked on the link, but it seemed to be broken, so she wrote back to her colleague and asked him to send it again. Elsewhere in her inbox was an email from Google warning her that someone had tried to log in to her account. Meanwhile, she began to receive phone calls from PAN allies, who claimed that they had received emails from Lagunes’s account that she did not remember sending.
Now Lagunes was worried. Around 1 o’clock, she called the colleague who appeared to have emailed her. She reached him at a restaurant, where he was finishing lunch with other campaign allies. “I did not send you an email,” he insisted. A consultant with the campaign — who asked to remain anonymous in order to preserve his relationships with other candidates — overheard the conversation. He knew of other campaign workers who had been receiving similar messages: emails with vague subject lines, asking the recipient to review a document or click a link. The campaign, he realized, had been hacked.