Computers for Hire: A Look at the Growing Phenomenon of Mercenary Hackers


In December of 2021, the United States Department of State announced that a hack had been attempted on several State Department employees’ cellphones. The announcement revealed that the hack had been carried out using Pegasus, spyware made by NSO, an Israeli company. The hack targeted U.S. State Department employees active in Uganda. In response, NSO claimed it was unaware of any such use of its technology and ensured that the clients in question could no longer use the platform.

This NSO case raises concerns for both national security and ethics. It shows how these tactics and tools, once bought, can affect a target’s civil rights or a state’s national security. It also raises questions about the morality and ethics of this type of technology and service, and about what legal barriers should be in place when selling such a product or service. Already, we have seen Israel mandate that NSO block Pegasus from targeting United States-based cell phone numbers, use the technology as a bargaining chip with Middle Eastern Gulf countries, and bar the company from selling the technology to Ukraine and Estonia for fear of damaging Israel’s diplomatic relations with Russia.

In this issue of Overwatch, we will focus on what this digital threat actor landscape looks like in a world where such actors can pose as legitimate information security companies while selling potentially illegal hacking technology and services to the highest bidder. We will draw on recently publicized cases to understand what is becoming a critical security issue not only for states but also for private companies, civil society, and individuals.

Growing Demand for Hack-for-Hires

Hack-for-hire is the act of hiring a firm or individual, or purchasing their technology, to target someone and gain access to their digital devices for surveillance or theft. These groups are often called Mercenary Advanced Persistent Threat Groups (APTGs) or, by companies such as Microsoft, Private-Sector Offensive Actors (PSOAs). While outfits engaged in this activity can be as small as one individual or a small group, accusations against large information security firms engaging in this business are common.

An advanced persistent threat (APT) is “…a covert cyber-attack on a computer network where the attacker gains and maintains unauthorized access to the targeted network and remains undetected for a significant period.” These attacks often surveil activity and steal data rather than shut down a network or hold it hostage for ransom.

APTGs that engage in cyber-attacks are often linked to nations with adversarial relationships with the United States, such as Russia, China, North Korea, and Iran. However, the existence of mercenary APTGs shows a large and growing market for this type of service both in the private sector and in countries that may not have the resources or skill to establish their own outfits or technologies.

Different national laws surrounding computer hacking can create a grey area regarding the legality of such operations by private individuals or businesses. However, the tools, scope of work, and the hackers themselves, once hired, often have little consideration for national laws or boundaries.

Examples of the names used by targeted tech companies, such as Meta, or by InfoTech security companies, such as Norton, to track these types of groups can be seen on the map below. As displayed, attacks by these groups often cross national borders:

Cyjax Map
Source: Cyjax

Phishing Tactics

Frequently, these groups can be tied back to legitimate businesses. This was the case with a mercenary APTG traced through the code name “Sourgum,” which was tracked back to an Israeli surveillance firm named Candiru. More famously, an Indian InfoTech company named BellTroX InfoTech/BellTroX Services or BellTroX D|G|TAL Security (p) Ltd. was tied to the mercenary APTG codenamed “Dark Basin.”

APTGs use a variety of methods to infiltrate systems. One of the most prominent tactics is phishing attacks, where an email or notification is sent to someone’s phone or computer, enticing engagement to gain access to their device. Additionally, an APTG looking to target a specific individual may practice a tactic called spear phishing, where publicly available information is leveraged to personalize the message, enticing an action from the receiver. An example of this type of tactic can be seen in the image below:

Phishing Email

More advanced tactics include creating bootlegged versions of popular, high-traffic websites to prompt users to click a link, or even creating an application built for exploitation. In this August 2021 tweet, an Islamic social media app, Jamaat, is accused of being a front for surveillance, enticing targets to download the application. A blog on the campaign showed that once the app is downloaded, it is granted access to the target’s phone information: contacts, storage, audio recording, location, camera, device settings, and call logs. The threat actor not only has access to the contents of the phone but can also surveil and track the phone’s owner.

Jamaat tweet

Once information is retrieved by the mercenary APTG, it can be delivered in several ways: as a mass dump of data into paste bins, or through the use of Internet dead drops. An Internet dead drop can be a link in a bio, a post comment, or a product description. The link contains an encryption key used to decipher and access information stored in a second dead drop.

Mercenary APTGs have been known to target several entities on behalf of governments and private individuals or businesses. The purposes of these cases have ranged from the discovery of evidence during litigation to targeting activists, journalists, and politicians or corporate espionage operations.

Downfall of BellTroX

Darkmatter is a recent example that came into the news last year, with a September 2021 press release by the U.S. Department of Justice stating that three former NSA employees had been fined over $1.68 million for their role in hacking operations. In place of criminal charges, the three were also banned from holding or receiving U.S. security clearances and from pursuing work involving network exploitation.

The severity of this punishment stems from several factors surrounding the case. None of the three men had received the proper license from the U.S. government to work for the United Arab Emirates (UAE) in this capacity; they shared classified information and techniques; and Darkmatter programs were used to target U.S. companies and individuals. These three, as well as other alleged former U.S. Intelligence Community members, were also implicated in launching an app called ToTok, which is suspected to be a surveillance tool used by the Emirati government. At the time of this brief, ToTok is still available in several app stores, including the Apple Store and the Galaxy Store.

Galaxy Store

Darkmatter and the government of the UAE deny charges that their actions and technologies were used to target Americans. Since 2019, Darkmatter and the UAE have been blacklisted from obtaining the status of internet security watchdog by many large technology services, such as Mozilla Firefox and Google. Darkmatter is still an active company and continues to attract employees from large tech firms and even the U.S. Intelligence Community. A look at the company’s SignalHire page, a corporate data aggregator, shows employees who worked for Microsoft/Dell, the Rand Corporation, Hewlett Packard/AT&T, Sony, Russian tech companies, and, most interestingly, the U.S. Army/ODNI. Darkmatter’s continued existence and client base reinforce how mercenary APTGs can operate in a grey zone under the sanction of their home state.

Unlike Darkmatter, not all organizations operate as openly. Enter BellTroX. On the surface, BellTroX InfoTech Services looked like a legitimate information and technology security company based in New Delhi, India. The company’s now-deleted website claimed to provide services such as medical transcription, IT security, cyber security, and training on how to spot malware and protect your company from cyber threats. In other words, the company claimed to be dealing only in defensive and preventative IT security; however, as early as 2015, this turned out to be a lie.

Belltrox

In 2015, the United States Department of Justice indicted the company’s founder Sumit Gupta, AKA Sumit Vishnoi, in a case about email hacking by private investigators supporting a party in a litigation suit. Though indicted, Mr. Gupta’s residence in India prevented his apprehension, and the company continued to operate. Searches for Mr. Gupta revealed an archived post he made on the website web.pod.io promoting his business. In the post, Mr. Gupta, under the name Sumit Vishnoi, advertises the services of BellTroX to “Private Investigators, Corporate Lawyers, Corporate Investigators, Corporate Firms, Celebrities, Politicians.”

Sumit Vishnoi

In 2020, a report released by The Citizen Lab out of the University of Toronto alleged that a notorious hack-for-hire group nicknamed Dark Basin was tied to BellTroX. The report claims that a series of operations undertaken by the group targeted both foreign nationals and U.S. citizens. Some of the most prominent campaigns associated with the group were focused on activists and nonprofits orchestrating a movement called #ExxonKnew, which alleged the company had purposefully misconstrued and hid data about climate change, and on organizations pushing to uphold net neutrality in the U.S.

The release of this report sparked renewed interest, leading to the arrest by the Department of Justice (DOJ) of Aviram Azari, a former employee of a covert surveillance unit in Israel. According to court documents, Mr. Azari had been acting as a private detective in New York City and working with BellTroX on behalf of his clients to undertake a corporate espionage campaign against various hedge funds.

The publication of its identity as Dark Basin and the guilty plea and cooperation of Mr. Azari are likely what led BellTroX to shut down its website and social media presence. To date, it is unclear in what capacity this group is still active. While the company’s digital footprint has been erased, including its listing on Google, which shows it as permanently closed, the corporation is still registered as active according to an India-based corporate data aggregator, and Mr. Gupta has yet to be apprehended.

Adding to the evidence that the group is still active is the fact that Overwatch analysts were able to find a private Facebook group using the name and company logo. Analysts also found recent posts referencing Dark Basin’s hacking services on various sites and forums, including the Blizzard forum (a video game forum), Goodreads, Reddit, and even a site that compiled emails and domains used by Dark Basin in order to track the group.

Analysts searched the dark web to track the forum with partial success. During the investigation, analysts located an onion URL for another group called T3AMPOISON, which claims to be selling illegal hacking services.

Analysts did find a mirrored webpage potentially attributed to the group. The website’s header displays the name Dark Basin and claims hacking offerings such as: hacking of personal email and social media accounts, content removal from websites, spying into email accounts, and boosting/hacking credit scores. It is likely that even if this website is not attributed to the Dark Basin Mercenary APTG, the group still exists in some form despite the alleged closure of their front company BellTroX.

Dark Basin Services

Our Assessment

Considering the threat landscape and specific examples outlined above, Overwatch assesses that as the commercial environment and market share for open-source intelligence (OSINT) and information technology companies continue to expand, so will the number of bad actors in the space. This will make trusting your OSINT provider to follow legal and moral guidelines even more critical, as failure to do so could lead to legal issues and scandal down the road. In other words, ensuring the companies you work with practice #OSINT4GOOD will become even more important.

Additionally, Overwatch assesses that we will continue to see hacking services and technologies advertised by private companies to companies, individuals, and nation-states. This may lead to increased civil rights and legal violations, as what was once the purview of state intelligence and security apparatuses—constrained by legal codes, jurisdictions/authorities, and time-tested best practices—bleeds into the private sector, where national boundaries and jurisdiction mean little. This trend will continue to increase until the point in which the private sector either imposes its own standard operating procedures on the sale/use of hacking technology/services or has one imposed on them by state actors. This resolution, though, will not likely come for a long time as the creation of industry norms both organically and artificially is often a lengthy process.


Professional Social Media and Professional Con Artists: The Dangers of Fraud on LinkedIn

Before LinkedIn, lying on your resume was common practice for job seekers. According to a 2020 ResumeLab study, 56% of people embellish the truth on their resumes, with 36% outright lying. Recruiters are experts at homing in on the usual areas where white lies exist: experience, skills, grade point average, salary, and references.

On LinkedIn, profiles are digital resumes and fall into diverse forms of exaggeration and sometimes fraud. According to the Federal Trade Commission, fraud reports across social media have soared over the last five years.

LinkedIn is equally vulnerable to hackers and impersonators seeking to take advantage of the increased demand for employment and the challenges straining human resource departments since the pandemic: everything from the debate over remote or hybrid work environments, pay gaps, diversity and inclusion, and scarcity in middle management to, now, “quiet quitting.” These are all factors that play into the high cost of employee turnover.

In this brief, Overwatch analysts investigate the common mis- and disinformation found on LinkedIn. We will also explore the impact on human resources and how recruiters can apply critical thinking skills taught in open-source intelligence (OSINT) to hire qualified and honest candidates to reduce turnover costs.

The Bottleneck of Employment Verification

According to LinkedIn’s mission statement, it strives to connect the world’s professionals to make them more productive and successful. This makes LinkedIn an excellent source for published employment history and a glimpse into a candidate’s professional circle of influence. However, surprisingly little verification takes place when information is posted on the site.

When individuals update their profile, they can link to companies, universities, and professional connections, but, as with Wikipedia or other social media platforms, not all posted content can be taken at face value, leaving it to recruiters to verify the information. Notifications are not sent to page administrators to verify the information. Only mentions in LinkedIn posts generate LinkedIn notifications inviting companies or brands to engage with the post.

Based on the latest information on LinkedIn’s site, it does look like there is progress to help recruiters verify employment.

The feature was unavailable when we attempted to turn on employee verification for our company page. As HR recruiters, we recommend turning on the option if it is available. This helps monitor brand sentiment and gives fellow recruiters greater confidence in and validation of LinkedIn profiles. Without it, validation requests pile up into a backlog.

LinkedIn Profiles

It all starts with a LinkedIn profile. A LinkedIn profile consists of a profile picture, avatar, and digital resume of experience, certifications, referrals, and posts to share accolades and gain grassroots professional development. Because of this, LinkedIn is where 94% of recruiters vet potential candidates for a position. This is where good actors’ white lies live and where bad actors thrive.

In LinkedIn’s User Agreement, it is prohibited to create a fake profile. This does not hinder bad actors from creating accounts to spread disinformation with the intent of spamming job seekers for money or building a digital presence for more significant harm. LinkedIn’s latest Transparency Report outlines how they combat fake accounts and scams through automated defenses. Last year, LinkedIn said they removed more than 32 million fake LinkedIn accounts.

Bad Hires and Bad Actors

Beyond bad hires and the cost of turnover, there is the risk of bad actors. A bad actor’s intent can range in scope and scale from personal stalking and spreading disinformation online to targeting specific people or businesses for material theft or corporate espionage. Some indicators can help you spot a fake profile. This is why inviting or connecting with another profile without knowing its intent requires you to stop and take a moment to ask yourself why the connection matters.

Perhaps the most well-known example demonstrating just how far a bad actor with a fake profile can go in exploiting LinkedIn comes from the “Robin Sage Experiment” conducted by Thomas Ryan, a “White Hat” hacker and Threat Intelligence expert. Ryan created a fake profile on LinkedIn and other social media channels. In 28 days, he connected with nearly 300 people, including security specialists, military personnel, defense contractors, and intelligence personnel. In addition, the profile gained privileged information about the people she connected with and their businesses; information such as home addresses, email addresses, bank accounts, and even classified information about the location of military units.

However, the revelations of Robin Sage do not appear to have stemmed the tide regarding the ease with which a fake profile can connect to high-value targets on LinkedIn. A confidential source close to Overwatch analysts spoke with us during the research process for this brief and claimed to be running a similar experiment. In just one week, they maintain that they have been able to amass fifty LinkedIn connections, all of whom are in the aerospace and defense contracting sector. Some people have even reached out to talk with this fake profile, unprompted.

While the examples listed above showcase altruistic experiments to raise awareness about the dangers of bad actors online, actual bad actors still exist on LinkedIn. A more recent example is an incident involving the company Meta-Play, which brands itself as a blockchain incubator for DeFi, GameFi, and the Metaverse. On January 12, 2022, the company released a tweet claiming that a former employee named Jikun Liao had stolen $2.7 million.

A look at Liao’s LinkedIn profile begins to paint an interesting picture. He is from Singapore, allegedly living in Houston, Texas, and since 2013 he has worked for eleven companies, lasting 2-3 months or less. Attempts to verify employment using open-source business data aggregators and company websites confirmed only three of the listed experiences. While Liao had deleted his LinkedIn profile after the theft, the company had an archived version and published it on the tweet. This leads analysts to believe that the profile’s work experience could be exaggerated or fabricated.

A close look at the profile photo also shows an indication that it is a fake or at least an altered picture. A look at Liao’s ears shows that they are somewhat mismatched, a general sign of an altered profile picture of a human being. Additionally, the outline of Liao is blurry, suggesting that the photo was possibly cropped and dropped onto a vague background.

Taking the research further, analysts searched for Liao on various social media sites and forums using his names, including multiple variations/aliases in English, Mandarin, Malay, and Tamil. Overall, Liao has a minimal online presence and appears not to be present on any of the leading social media platforms where most people usually congregate. Analysts could find potential profiles on GitHub, KeyBase, Telegram, DXDao, OutSourcely, and VK. The OutSourcely and VK profiles contain the most interesting information, as the OutSourcely profile lists Liao’s age as 29. In contrast, the VK profile includes a new picture and a birthday that would fit the age listed on OutSourcely. In addition, the VK lists Mr. Liao’s location as Vladivostok, Russia.

Analysts then ran the account’s profile photo through a free, open-source tool called FotoForensics. As can be seen from the results, the lack of color in the background indicates that the photo was cropped and placed on a different background, accounting for the fuzziness of the edges. Proof that this photo is inauthentic can further be seen in the video below, provided by Forensically, which shows that the edges of the individual in the photo are full of inconsistencies and errors, again denoting that it was cropped.

The above evidence leads Overwatch analysts to believe that Jikun Liao is likely not a real person and that MetaPlay potentially hired someone posing as Liao based solely on his LinkedIn profile. The use of open-source intelligence techniques by HR recruiters and knowledge of the potential threats on LinkedIn likely could have stopped this alleged crime from happening, saving the company and its investors a large amount of money.

Our Assessment

Overwatch analysts assess that companies will have to make a more significant investment in human resource departments to grow their skills and capabilities in open-source intelligence (OSINT) training. To meet the growing demands and respond to cultural trends in a digital hiring age, employers will require a more in-depth understanding of how social media platforms play into hiring. The role of recruiters has evolved tremendously, requiring critical thinking skills to invest in a company’s most significant investment: their people.

Similar to the skills used to monitor current trends, HR experts will require a long-term investment in OSINT skills. While these skills may be used to monitor the activities of current employees, it is more likely they will be used to anticipate trends within the workforce and to monitor former (possibly disgruntled) employees. Understanding this digital space allows recruiters to proactively show current and prospective employees how a company’s core values come to fruition.

The most significant value a company will see from this investment is the protection of its brand and its assets. A loud voice of brand sentiment comes from employees, and having bad actors represent your company without acknowledgment can devastate your brand, as they are an extension of your team.

Ultimately, companies will not be able to rely on social media sites like LinkedIn to protect them. While many sites are making strides to verify and validate information, it will always be up to the company to take their best interests to heart by investing in additional skills for their people.

Learn more about open-source intelligence courses for recruiters, check out Echo Academy here: https://echoanalyticsgroup.com/open-enrollment/

Sources

Top Issues Facing HR Leaders Heading Into 2022, Forbes, December 2021

What is ‘quiet quitting,’ and how it may be a misnomer for setting boundaries at work, NPR, August 2022

‘Quiet quitting’ trend may lead to layoffs and complicate the Fed’s inflation fight, USA Today, August 2022

HR Trends in 2022. Changes in the Human Resources Landscape

How many job seekers lie on their resume? CNBC, February 2020

The risk of a little white lie on your resume. Fast Company, February 2021

Fake LinkedIn Profile Accounts. NPR, March 20

What is Driving the Assassinations of Mayoral Politicians by Cartels in Mexico?

On March 10, 2020, at approximately 4:40 pm local time, César Valencia Caballero, the mayor of Aguililla, Michoacan, Mexico, was found dead. According to reports by Agence France-Presse, a French-based international news agency, the mayor had been shot at least twice, in the chest and neck.

This killing came just three weeks after the mayor, previously a local rancher and farmer, had allegedly declared an end to the cartel wars in the area. This announcement had been prompted by action taken by the federal police and military of Mexico to “free” the city after months under the control of the Cártel de Jalisco Nueva Generación (CJNG), also known as the Jalisco Cartel.

For this Overwatch, analysts will leverage publicly available data from various sources to statistically answer the question: what is driving the assassination of mayoral politicians by cartels in Mexico?

Mayor Caballero’s death is just the most recent in a long line of mayoral assassinations, as seen in Figures 1 and 2, created using data from The Justice in Mexico Project. According to the Justice in Mexico Project 2021 Special Report, a mayoral figure, defined as a mayor, candidate, or former mayor, was four times more likely than the average citizen to be killed in Mexico in 2020, down from 13 times more likely the year prior, in 2019.

By looking at the context in which Caballero’s assassination took place, we can begin to pull out salient factors that might affect the assassination of mayoral politicians throughout all of Mexico.

The city of Aguililla was one of many in the region that have served as the focal points of a battle between Carteles Unidos (CU) and CJNG. The fighting between these groups has seen the State of Michoacan become the state with the fifth-highest homicide rate (59.3/100,000) in the country from June 2021 to May 2022. This was an increase of approximately 8.7/100,000 compared to one year ago.

Unlike the CJNG, which resembles a more traditional cartel, the CU started as a loose affiliation of cartels and gangs native to Michoacan that had come together in 2010 to fight off the encroachment of the Los Zetas cartel. As the original cartels of the region began to fall from power, what replaced them was a series of localized gangs, coalitions of smaller cartels, and self-defense forces. Most of these armed groups are made up of the remnants of those former groups and often fight amongst each other or against external threats to seize control of the territory they inhabit.

This fragmentation process, through which large national cartels are reduced to smaller localized regional cartels and criminal cells, is not only underway in the state of Michoacan. A look at the series of maps (Figures 3, 4, and 5) shows an increasingly fragmented cartel landscape. According to the International Crisis Group, there were roughly 205 such groups in 2020, a sharp increase from the 76 present in 2010.

As a result of this fragmentation, criminal actors, driven by necessity and a desire for profit, have increasingly turned their sights inward to domestic sources of revenue. As early as 2014, it was reported that the Zetas and the Knights Templar cartels were no longer making most of their earnings through drug trafficking but through iron ore. However, diversified illicit profit streams extend beyond the extortion of mining companies and illegal mining operations. They include the extortion of avocado farmers, the extortion of local businesses, oil and gas theft, endangered wildlife trafficking, kidnapping, and smuggling.

The prevalence of these forms of extortion and looting of the local population by criminal actors in Mexico can be seen in the worries of the residents of Aguililla. After the end of their occupation by the CJNG, they are not celebrating. They are described as being worried about possible reprisal killings and the continuation of the CU “War Tax,” an extortion method in which the CU targets lucrative agricultural resources grown in and exported out of the area, such as avocados, limes, and mineral wealth.

The overall fate of the town of Aguililla and the region remains to be seen. Still, from the events described, we begin to get a picture of an evolving landscape of cartel violence in Mexico, especially compared to the 2006-2014 period of the conflict. Two key features mark this ongoing situation. First, the number and type of actors in this conflict have shifted, and second, the revenue streams these actors draw from have diversified. These and some control variables will be the main characteristics tested in the model below to understand local political violence.

To understand which factors are significantly contributing to this type of violence, Overwatch will use a method of quantitative analysis. This approach sets environmental factors derived from open-source state-level data[1], such as cartel fragmentation, political pluralization, the killing or arrest of cartel leaders, mining output, avocado output, and the number of illegal pipeline taps, against the event of a mayoral assassination, allowing us to see which factors are statistically significant in predicting incidents of mayoral assassination in a state. The model will control for several factors, including election years, the number of municipalities in a state, the homicide rate of a state, the estimated population of a state, the end of Mexico’s gas subsidy, and the Human Development Index (HDI), an aggregated measure of prosperity in the area. The model will be run twice, first over the period 2006-2019 and then over the period 2012-2019, to consider the role that fuel theft plays in mayoral assassinations.

[1] Sources used for the quantitative models

Mayoral Assassinations: Justice in Mexico Project Memoria Dataset. Supplemented through advanced queries for missed assassination events.

Cartel Fragmentation, Political Pluralization, Arrest/Death of Cartel Leaders 2006-2015: Laura Ross Blume, “The Old Rules No Longer Apply: Explaining Narco-Assassinations of Mexican Politicians,” 2017 (sagepub.com)

Cartel Fragmentation, Political Pluralization, Arrest/Death of Cartel Leaders 2016-2019: supplemented through open-source research queries.

Mining Output: The Mexican Geology Service

Illegal Pipeline Taps: IGAVIM (NGO charting fuel theft in Mexico)

Avocado Output: Secretary of Agriculture and Rural Development

Number of Municipalities, Estimated Population, Violent Homicide Rate: National Institute of Statistics

Human Development Index: Global Data Lab


Dependent variable: Mayoral Assassinations

| Variable | Model 1 (2006-2019) ZINB | Model 1 (2006-2019) ZIP | Model 2 (2012-2019) ZINB | Model 2 (2012-2019) ZIP |
|---|---|---|---|---|
| Avocado Production Value (100,000s of pesos) | 3.25e-06*** (8.24e-07) | 3.10e-06*** (7.65e-07) | 3.09e-06*** (9.66e-07) | 3.09e-06*** (9.66e-07) |
| Designated Red Triangle Area | .3440403 (.293146) | .3776276 (.3067098) | .1315405 (.2806082) | .131554 (.2806048) |
| Number of Illegal Pipeline Taps Detected | | | .0004163** (.00014) | .0004163** (.00014) |
| Total Value of Mined Lootable Resources (100,000s of pesos) | -3.34e-07 (8.46e-07) | -3.18e-07 (8.39e-07) | 6.49e-07 (8.54e-07) | 6.49e-07 (8.55e-07) |
| Gas Shock | 1.644253* (.6910199) | 1.711019* (.6824836) | .5952097 (.3603463) | .595184 (.360356) |
| Total Cartels | .1492155 (.0783382) | .1459798 (.0777265) | .0086074 (.0920103) | .0085645 (.0920157) |
| Kingpin | .1536357 (.2005211) | .122137 (.199723) | -.0923125 (.1881991) | -.0923967 (.1882025) |
| Lagged Political Pluralization | 1.172203 (.9245133) | 1.1806 (.9493756) | .6671332 (.9917837) | .6671474 (.9918213) |
| Human Development Index | -8.823877** (3.138733) | -9.3168*** (3.331301) | -16.481*** (3.742241) | -16.4833*** (3.742202) |
| Homicides/100,000 people | .0173533*** (.002475) | .0170105*** (.0022406) | .0158983** (.0048266) | .0158989*** (.0048268) |
| Population Estimates | 1.03e-07*** (1.78e-08) | 1.01e-07*** (1.66e-08) | 9.74e-08*** (2.08e-08) | 9.75e-08*** (2.08e-08) |
| Number of Municipalities | .0032946*** (.0005619) | .0031435*** (.000582) | .0025737*** (.0005316) | .0025733*** (.0005316) |
| Inflated Total Cartels | -1.014295* (.4326191) | -.3714208 (.873021) | -1.631413** (.5462995) | -.8482871* (.4216407) |
| # of observations (N) | 434 | 434 | 248 | 248 |
| Wald chi^2 | 302.97*** | 304.31*** | 277.79*** | 277.79*** |

Standard errors in parentheses; p-value *=.05, **=.01, ***=.001. The Illegal Pipeline Taps variable is included only in Model 2 (2012-2019).

After running these models, it was determined that for every 100,000-peso (~$5,000) unit increase in the estimated value of avocado production, the expected rate of mayoral assassinations rises by roughly .000003 (the coefficient is on a log scale, so the rate is multiplied by exp(.00000325), which for a value this small is the same thing), all else being equal. Likewise, each additional illegal pipeline tap detected raises the expected rate by roughly .000416. Though these per-unit numbers look negligible, both effects are statistically significant, and because log-scale coefficients compound across the range of the data, states with very large avocado output or many detected taps have markedly higher expected rates. When predicting incidents of mayoral assassinations, these two variables are therefore better indicators than the factors that capture the fragmentation of cartels.

Notably, the control variable HDI is also significant and negative, meaning states with lower HDI scores are more likely to suffer mayoral assassinations. This is possibly because fragmented criminal groups cannot easily target affluent and well-secured regions of Mexico and prefer to prey on lower socio-economic areas.

In both models, factors such as the extradition or death of a cartel boss (Kingpin), the number of cartels in an area, and political pluralization were not statistically significant, meaning they do not act as predictors of mayoral assassinations. The insignificance of these three variables could be due to the changing environment in Mexico. As seen in Figure 6 above, most states house multiple armed groups. At the same time, the process of leadership decapitation that started in 2006 has turned the criminal landscape into several independent cells and loose affiliations that are becoming more immune to the arrest of leaders. These conditions, present throughout most of Mexico in the last few years, do not go nearly as far in predicting mayoral assassinations as a state’s natural resource wealth.

Overall, the model shows that a mayor of a town experiencing inter- or intra-cartel conflict, but whose municipality is not rich in lootable natural resources or sources of extortion, is in a relatively safer position than a mayor facing the same conflict who also governs an area with a high concentration of lootable natural resource wealth and points of extortion. It also reveals that assassinations of mayors are concentrated in states that rank lower in socio-economic status. In other words, the criminal and socio-economic environment may create the initial vulnerability, but economic incentives provide the driver for political violence.
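The following script is an added illustration of how to read the coefficients above; it is not part of the original report and not code from the Overwatch analysts. It takes the Model 1 ZINB coefficients for avocado value, HDI and the zero-inflation term on Total Cartels, plus the Model 2 coefficient for pipeline taps, and converts them into rate ratios (exp of the coefficient times the change in the covariate). The intercepts of the count and inflation equations are not reported, so only relative effects are computed; the comparison states (one with no avocado output, one with 40 billion pesos of output) are constructed numbers, not figures from the report.

```python
import math

# Coefficients copied from the regression table in the report
# (Model 1, 2006-2019, ZINB column unless noted). The count equation of a
# ZINB/ZIP model is log-linear, log(mu) = b0 + sum(beta_i * x_i), and the
# zero-inflation equation is a logit; neither intercept is reported, so the
# functions below only compute ratios, which do not need them.
COUNT_COEF = {
    "avocado_value_100k_pesos": 3.25e-06,   # per 100,000 pesos of avocado output
    "hdi": -8.823877,                        # per 1.0 of HDI (index runs 0..1)
    "homicides_per_100k": 0.0173533,         # per homicide per 100,000 people
}
PIPELINE_TAP_COEF = 0.0004163                # Model 2 (2012-2019), per detected tap
INFLATE_CARTELS_COEF = -1.014295             # zero-inflation (logit) equation, per cartel


def rate_ratio(beta: float, delta: float = 1.0) -> float:
    """Factor by which the expected assassination count changes when the
    covariate rises by `delta` units, everything else held fixed."""
    return math.exp(beta * delta)


def percent_change(beta: float, delta: float = 1.0) -> float:
    """The same effect expressed as a percentage change in the expected count."""
    return (rate_ratio(beta, delta) - 1.0) * 100.0


def structural_zero_odds_ratio(extra_cartels: int = 1) -> float:
    """Odds ratio, per additional cartel, of a state sitting in the 'always
    zero' regime of the inflation equation. A value below 1 means more cartels
    make it less likely that a state is one where mayors are never killed."""
    return math.exp(INFLATE_CARTELS_COEF * extra_cartels)


def expected_count(mu: float, p_zero: float) -> float:
    """Unconditional mean of a zero-inflated count model: the count-equation
    mean `mu` scaled by the probability of NOT being a structural zero."""
    return (1.0 - p_zero) * mu


if __name__ == "__main__":
    # Constructed comparison: state A produces no avocados, state B produces
    # 40 billion pesos' worth, i.e. 400,000 units of 100,000 pesos.
    avocado = COUNT_COEF["avocado_value_100k_pesos"]
    print(f"avocado, +1 unit:        +{percent_change(avocado):.5f}% expected count")
    print(f"avocado, +400,000 units: x{rate_ratio(avocado, 400_000):.2f} expected count")
    print(f"pipeline taps, +1,000:   x{rate_ratio(PIPELINE_TAP_COEF, 1_000):.2f} expected count")
    print(f"HDI, +0.10:              x{rate_ratio(COUNT_COEF['hdi'], 0.10):.2f} expected count")
    print(f"odds of 'always zero' regime per extra cartel: x{structural_zero_odds_ratio():.2f}")
```

The per-unit avocado effect is a few ten-thousandths of a percent, which is why the raw coefficient looks trivial, but across a 400,000-unit gap between two states it compounds to more than a threefold difference in the expected count. The HDI coefficient works the same way in the other direction: a 0.10 higher index cuts the expected count by more than half.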

Our Assessment:

Using the above findings, Overwatch analysts assess that if trends in criminal fragmentation and diversification of illicit revenue streams continue, there will be a surge in political violence in Mexico starting in late 2023 and culminating around Mexico’s 2024 election, following the pattern seen during the 2018 and 2021 election seasons. If the above model is correct, political violence in 2024 will likely concentrate in states and municipalities that are rich in lootable natural resources and targets for extortion, and in lower socio-economic areas.

Additionally, Overwatch analysts assess that much of the business surrounding local resources in Mexico will continue to involve cartels and criminal actors moving forward, likely causing fluctuation in the prices of key natural resource markets and disruption of previously agreed-upon business contracts.

These problems will likely be exacerbated as the Mexican government attempts to “decapitate” the Jalisco Cartel or other large cartels still operating in Mexico. This will probably increase the violence aimed at local citizens and politicians, as groups like the CU disintegrate without an external enemy to fight against, and as splinter cells of the now-headless cartels turn towards their local economies and surrounding territories to make up for their disrupted revenue streams.