
Threat Actor Characterization

Mexican Mafia Hackers Team

ID: fb9fd8bad1eb99b5ffd606d3081a039142875
Hacktivist Group Hacktivism
Threat types: Hacktivism, Intrusion
Mexico MEX
Updated: 2026-04-11
Created: 2026-04-10
Progress: 92% Completeness: 88% Freshness: 100%
Operation zone: Mexico
Aliases: Mexican Mafia, Mexican Mafia ALV (2 of 7 aliases shown in free preview)
MITRE ATT&CK®

Mexican Mafia Hackers Team / Mexican Mafia is a Mexico-focused breach-and-leak cluster linked in public reporting to compromises of government, judicial, police, academic, and selected private-sector targets. Its public operating pattern centers on exploitation of exposed services, bulk data extraction, sample publication, and forum-based sale or release of stolen data.


Technique | Technique name | Tactics | Evidence

T1190 | Exploit Public-Facing Application | TA0001
  • 2024-04-02 — Public reporting linked the CDMX e-mail compromise narrative to exploitation of a public-facing Zimbra issue and to exposed government-facing services.
  • 2024-05-28 — SAT-related reporting tied Lord Peña to public discussion of a reflected XSS weakness, reinforcing the actor’s reliance on exposed public-facing applications and weak web surfaces.

T1213 | Data from Information Repositories | TA0009
  • 2024-03-30 — The Oaxaca police incident involved extraction of approximately 2.9 million lines of police-related information, consistent with collection from information repositories.
  • 2024-08-07 — The PJCDMX incident exposed judiciary-related user information at scale, again fitting repository-focused theft rather than endpoint-only collection.

T1005 | Data from Local System | TA0009
  • 2024-04-17 — Public reporting tied Dyce to theft of sensitive records from a UNAM institute, including access-relevant and identity-linked data. INFERENCE (confidence: medium): collection included locally accessible files and institutional records after initial compromise.

T1491.001 | Internal Defacement | TA0040
  • 2024-05-21 — Public reporting linked Pancho Villa to a compromise of the Iztapalapa official site and prolonged disruption; related reporting described a visible defacement / public-facing tampering component.

T1595 | Active Scanning | TA0043
  • 2025-01-22 — INFERENCE (confidence: medium): repeated targeting of exposed government, judicial, academic, and municipal systems across 2024 suggests active identification of reachable public services before compromise.

T1041 | Exfiltration Over C2 Channel | TA0010
  • 2024-04-12 — INFERENCE (confidence: low): the sale of 1.3 TB of CDMX data implies large-scale exfiltration over actor-controlled or actor-selected channels, though the technical transport mechanism is not publicly documented.

Strategic Intelligence
Last updated: 2026-04-11T22:14:53+00:00
Mexican Mafia Hackers Team / Mexican Mafia — Mexican public-sector breach-and-leak cluster

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Cybercrime / Breach-and-Leak / Opportunistic Intrusion Cluster — Origin: Mexico (assessed)

Author: iQBlack CTI Team


Executive Summary

Mexican Mafia Hackers Team, also referred to publicly as Mexican Mafia, is best assessed as a Mexico-focused cyber intrusion and data-leak cluster that gained visibility during 2024 through a rapid sequence of breaches, leak sales, and public humiliation operations affecting Mexican government entities, academic institutions, and selected private-sector organizations. Public reporting repeatedly associates the cluster with the handles Pancho Villa, Lord Peña, Dyce, and a smaller set of recurring aliases. Confidence is medium: the victim pattern and recurring actor labels are consistent, but many specific claims still come from actor-controlled or actor-amplified channels.


The cluster’s operational profile is not that of a mature ransomware program or a high-end espionage unit. Instead, it appears to revolve around opportunistic compromise of exposed services, extraction of large volumes of e-mails or database content, selective free release of samples to prove access, and subsequent sale or threatened release through criminal forums. In several reported cases, the group appears to have exploited weak public-facing infrastructure and outdated web or mail platforms rather than advanced custom tooling.

OSINT Library
Last saved: 2026-04-11T22:18:11+00:00

OSINT Library — Mexican Mafia Hackers Team / Mexican Mafia


2024-03-30 — Publimetro México — “Mexican Mafia hackea a la policía de Oaxaca y roba 17 años de información”

Reference Images/Associated Evidence

[Images: Hacked website / Propaganda / Members evidence; Propaganda (3); Alliance with Chronus Team; Logo / Avatar]