A set of seized accounting records is adding a new layer to how organized crime operates online in Mexico. The documents show line items for hackers, travel costs, and encrypted messaging accounts, alongside routine operating expenses. The targets listed are not street-level rivals but financial platforms and federal security agencies. What the records do not show is just as important: whether any breach succeeded, and how investigators are separating plans from outcomes. For residents and expats, it also reframes everyday fraud risks.

What the documents show

Mexican security forces killed Nemesio Oseguera Cervantes, known as El Mencho, during a February 22, 2026, operation in Tapalpa, Jalisco. Mexican authorities later confirmed his death. After the raid, investigators recovered accounting records from a hideout linked to the group. Those ledgers, described as a narconómina, read like a payroll and expense log. One section lists payments totaling 630,000 pesos to seven people described as hackers. The entries date the work to December 2025 and link it to attacks on financial systems and federal security agencies. The two largest payments are 250,000 pesos to one hacker and 244,536 pesos to another specialist. The same pages include smaller items for equipment upkeep, vehicle maintenance, and errands tied to the hackers’ work. The records also show purchases of accounts for Threema, an encrypted messaging service used for coordination. One line item lists 25 Threema accounts at 4,800 pesos each. The documents indicate planning and spending, but they do not show which systems were breached.

From hacking to fraud revenue

The same records link the paid hackers to schemes that look closer to consumer fraud than espionage. Notes tied to the payments describe uses that include identity theft, tech-support scams, advance-fee demands, and timeshare fraud. That mix aligns with broader warnings from international policing bodies about fraud moving online. In an assessment released in 2024, INTERPOL said there is emerging evidence that Latin American syndicates, including CJNG, are involved in financial fraud. It also listed common patterns across the Americas, including impersonation, romance scams, tech-support deception, and advance-payment fraud. More recently, US authorities sanctioned a Mexico-based timeshare fraud network they linked to CJNG. In that case file, officials said victims reported hundreds of millions of dollars in losses over several years. The sanctions narrative describes call-center operations that rely on stolen customer data and repeated follow-up. Taken together, the ledgers and official warnings point to cyber-enabled fraud as a revenue line, not a side activity.

Pressure on government networks

The ledgers describe targets that go beyond scams and into public security systems. Separate reports, citing military sources, have described investigations into hackers linked to CJNG. The goal, according to those accounts, was access to networks at the federal security ministry and intelligence services. They also describe interest in military systems and strategic entities such as Pemex. Defense officials have published figures on attempted intrusions against their own networks. Those figures describe cyberattack attempts rising from about six a day in 2021 to 39 a day in 2023. For 2024, the same reporting cites an average of 27 intrusion attempts per day. Mexico’s navy has reported roughly 4,600 attempted cyberattacks per day from 2018 through 2024. Officials say the attempts were blocked and systems were regularly updated. The interest is not only disruption but access to identities, locations, and plans. A 2025 audit by the US Justice Department inspector general described a Sinaloa cartel hacker tracking an FBI official in Mexico City. The audit said the hacker used phone and camera data to identify meetings. It is a separate case, but it shows why cartels invest in cyber capabilities.

What this means for expats in Mexico

For people living in Mexico, including many expats, cybercrime tied to organized crime can resemble routine fraud. The documents point to tactics that often begin with a phone call, an email, or a message claiming urgency. Timeshare resale pitches, fake legal services, and tech-support offers can all be entry points for payment demands or data theft. One reason these scams work is that the caller may already know personal details from leaked or purchased databases. A practical response is less about spotting a single red flag and more about slowing the process. Verify any offer using official numbers you find independently, not the number you were given. If money has already moved, contact your bank immediately and document every step. Reporting can also matter, because patterns across victims help investigators map a network. For residents who travel, the story is also a reminder that online accounts and devices carry location signals. Keeping software up to date, using strong passwords, and enabling multi-factor authentication reduces exposure to many common attacks.

With information from INTERPOL, Grupo Milenio, US Department of Justice Office of the Inspector General, Reuters, US Department of the Treasury