The Fiscalía General del Estado de Guanajuato data breach has emerged as one of the most serious cybersecurity incidents to affect a Mexican state-level justice institution in recent years. A threat actor identifying as Tekir APT claims to have infiltrated the complete internal infrastructure of the Fiscalía General del Estado de Guanajuato, compromising multiple subdomains, SQL Server databases, internal communication systems, surveillance footage repositories, and confidential criminal investigative records. As proof of the intrusion, the attackers have publicly released more than 70 GB of criminal data and have announced possession of over 250 GB of additional files. The group has also shared screenshots of server listings, internal file structures, SQL database tables, forensic images, and surveillance camera recordings to validate the scale of the breach.

The attackers state that they gained domain-controller-level access to multiple internal subdomains, deleted backups, disabled security products, and extracted a massive collection of sensitive information. According to the leak site post, the compromised infrastructure includes criminal case files, investigative records, forensic analysis data, personal information of officials, municipal camera footage, internal emails, and databases tied to law enforcement operations. The initial evidence archive, titled RAW.zip, is more than 10 GB and contains SQL databases, surveillance footage, internal documentation, and case-related data.
Background on the Fiscalía General del Estado de Guanajuato
The Fiscalía General del Estado de Guanajuato is responsible for criminal investigations, prosecutorial actions, forensic analysis, detention management, and coordination with municipal and federal justice entities across the state of Guanajuato. The institution processes vast amounts of sensitive information, including criminal complaints, investigative reports, ballistic and forensic evidence, detention records, prosecution files, police intelligence, and confidential officer data. Any compromise of this type of information can directly endanger ongoing investigations, expose vulnerable witnesses, reveal operational intelligence, and compromise the integrity of law enforcement agencies across multiple jurisdictions.
The alleged Fiscalía General del Estado de Guanajuato data breach is especially concerning because the attackers claim to have gained elevated administrative access over critical infrastructure, including Veeam backup servers, security center systems, and domain controller environments. Screenshots and file listings shared by the attackers appear to show a complete internal server architecture, with shared folders labeled for criminal case management, forensic divisions, investigative units, municipal camera systems, autopsy data, confiscated property, internal communications, and personnel-related information.
What the Attackers Claim to Have Compromised
The group behind the Fiscalía General del Estado de Guanajuato data breach published extensive evidence portraying a full compromise. The exposed materials include SQL Server databases, configuration files, surveillance footage, and internal access documentation. Some of the compromised directory names reveal the departments and functions whose data may have been leaked.
- Criminal case files from the Chief Public Prosecutor’s Office
- Investigative units such as PGJ, AIC, DGA, and QlikView Forense
- SQL Server databases labeled CAERGAS, CERESO, MAND_BUS, RNAE_BUS, VEHI_BUS, and numerous log and MDF files
- Municipal camera footage showing individuals inside state facilities
- Case evidence folders for homicides, robberies, narcotics investigations, detentions, and necropsies
- Internal communication channels, including email structures and operational planning files
- Forensic laboratory data, chain of custody logs, and investigative system files
- Database server directories with files as large as 74 GB
- Registry data, administrative files, and documents from multiple internal subdomains
Screenshots posted by the attackers depict dozens of shared directories, many marked as Compartido, which appear to correspond to departments including Investigaciones, Bienes Inmuebles, Parcheo Radios, Professionalización Civil, Control de Acceso, Citas PGJ, Fondo DGA, Necropsia, AIC Drones, QV Detenidos, QSIC, GSIC, LSIC, and numerous investigative divisions. Several SQL Server files shown in the evidence listing have timestamps aligning with early November, suggesting that the exfiltration occurred recently and involved active database systems.
Risks Associated With the Compromised Data
The nature of the information contained in the Fiscalía General del Estado de Guanajuato data breach poses severe risks to public safety, justice system integrity, investigative operations, and personal privacy. The attackers claim to have gained access to criminal records dating back multiple years, including homicide investigations, organized crime intelligence, vehicle theft files, forensic records, surveillance footage, and sensitive municipal data. If the leaked material is accurate, the breach could jeopardize ongoing investigations and expose intelligence that criminal groups may attempt to exploit.
- Exposure of criminal investigative data risks allowing suspects to evade arrest, destroy evidence, intimidate witnesses, or identify undercover operations.
- Release of forensic and autopsy information can compromise sensitive judicial processes and violate the privacy of victims and families.
- Leaked surveillance footage may reveal investigative patterns, security weaknesses, or the identities of individuals visiting sensitive state facilities.
- Internal communication leaks can expose operational planning, internal disputes, procedural strategies, and privileged prosecutorial discussions.
- Database leaks containing personal data increase the risk of identity theft, targeted extortion, and spear phishing attacks.
The attackers allege that they attempted to contact officials but received no response, and they accuse authorities of denying the intrusion despite what they claim is irrefutable technical evidence. The group asserts that administrative credentials were configured with simple numeric passwords and that they were able to compromise critical infrastructure with minimal resistance. The leak site post specifically references domain-controller-level compromise of multiple subdomains, suggesting broad control over the agency’s network.
Scale of the Data Leak
The initial publicly released archive, RAW.zip, is approximately 10.7 GB and contains SQL databases, surveillance footage, internal system data, and criminal records. Screenshots show that the attackers hold more than 250 GB of files, including:
- Investigative case files spanning several years
- Full SQL Server directory structures
- Criminal history and vehicle theft data
- Digital evidence logs and forensic materials
- Detention records and custody tracking data
- Autopsy records and forensic laboratory reports
In addition to the evidence archive, attackers posted screenshots of SQL database contents including structures of tables, storage sizes, modification dates, and log entries for systems associated with PGJ, CERESO, PREVSOC, DBDENUNCIA, MAND_BUS, and various vehicle crime units. Some of the MDF files shown in the evidence listing exceed 60 GB, indicating extremely large data sets tied to law enforcement operations.

Threats to Public Safety and Investigative Integrity
The Fiscalía General del Estado de Guanajuato data breach could significantly undermine public safety. Release of sensitive case information may hinder prosecutions, endanger investigators, or provide criminal groups with insight into ongoing operations. Furthermore, leaked surveillance footage from government installations can reveal investigative patterns, staff identities, and operational vulnerabilities. Exposure of interdepartmental communications may allow malicious actors to craft targeted social engineering attacks aimed at law enforcement personnel.
For individuals whose data appears in criminal records, investigative logs, or forensic files, the Fiscalía General del Estado de Guanajuato data breach introduces risks of extortion or retribution. Additionally, leaked autopsy and forensic information may inflict harm on victims’ families by exposing deeply personal and traumatic details. For witnesses and informants, exposure of their names or statements could prove life-threatening.
Impact on Government Credibility and Institutional Trust
The attackers explicitly state that authorities denied the breach when initially contacted. Public contradictions between official statements and leaked evidence can erode trust in justice institutions. In cases involving criminal organizations, governmental denial of data breaches may encourage further exploitation of internal weaknesses, as threat actors interpret refusal to acknowledge incidents as an opportunity for continued infiltration.
The attack also raises questions about cybersecurity hygiene within high value government entities. The attackers allege that they discovered extremely weak administrator passwords and misconfigurations that granted them broad access over critical infrastructure. If accurate, this suggests systemic issues within the agency’s IT and cybersecurity frameworks.
Potential Secondary Threats
The fallout from the Fiscalía General del Estado de Guanajuato data breach may extend well beyond the initial exposure. Criminal groups could attempt to use leaked investigative files to intimidate witnesses, disrupt prosecutions, or compromise judicial processes. Personal data leaked from government servers could be used by fraud groups in phishing schemes, impersonation attacks, and targeted cybercrime campaigns.
Partners and collaborating institutions such as municipal governments, forensic laboratories, and police divisions may also be at heightened risk if shared communication channels or joint system integrations were compromised. In some screenshots, references to regional subdomains suggest that the attackers reached interconnected systems that may serve multiple municipalities.
Recommended Mitigation Measures
Organizations associated with the Fiscalía General del Estado de Guanajuato should immediately adopt defensive measures to protect their systems and personnel. These steps include:
- Verifying any communication originating from government domains for authenticity
- Implementing multi-factor authentication on all remote or administrative accounts
- Performing full incident response assessments on any interconnected municipal or forensic systems
- Scanning external endpoints using reputable anti-malware tools. We recommend scanning with Malwarebytes.
- Rotating all passwords associated with justice sector integrations, municipal systems, and forensic tools
- Conducting external threat monitoring to identify leaked files appearing on open web or dark web platforms
- Alerting all personnel to the possibility of targeted phishing campaigns using leaked internal information
- Reviewing internal forensic data handling procedures to identify accidental leaks introduced by systemic weaknesses
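The attackers claim that administrative credentials used simple numeric passwords, and the rotation step above is only useful if the replacement secrets are actually stronger. The audit below is an added example written for this article, not code from the Fiscalía or from any product it runs: it checks a set of credentials against a minimum policy and reports the accounts that fail. The 14-character minimum, the weak-token list, and the sample account names and passwords are constructed assumptions chosen to illustrate the check.

```python
"""Credential policy audit (added example; thresholds and sample data are assumptions)."""
from __future__ import annotations

import string

MIN_LENGTH = 14  # assumed policy minimum for administrative accounts

# Assumed list of substrings that should never appear in an administrative password.
WEAK_TOKENS = ("password", "passw0rd", "admin", "qwerty", "123456")

CHARACTER_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def _is_sequential(s: str) -> bool:
    """True when every adjacent pair of characters steps by exactly +1 or -1 (e.g. 123456, fedcba)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def password_violations(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return a list of policy violations for one password; an empty list means it passes."""
    violations: list[str] = []
    chars = set(password)
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if password.isdigit():
        violations.append("numeric only")
    if sum(1 for cls in CHARACTER_CLASSES if cls & chars) < 3:
        violations.append("fewer than three character classes")
    if len(chars) == 1:
        violations.append("single repeated character")
    if _is_sequential(password):
        violations.append("sequential characters")
    lowered = password.lower()
    if any(token in lowered for token in WEAK_TOKENS):
        violations.append("contains a common weak token")
    return violations


def audit_credentials(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each failing account to its violations; accounts that pass are omitted."""
    return {
        account: found
        for account, secret in credentials.items()
        if (found := password_violations(secret))
    }


# Constructed sample inventory; these are not real accounts or passwords.
SAMPLE_CREDENTIALS = {
    "svc_backup": "123456",
    "dc_admin": "11111111",
    "analyst01": "Correct-Horse-Battery-9",
    "veeam_svc": "Passw0rd!",
}

if __name__ == "__main__":
    for account, found in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(f"{account}: {', '.join(found)}")
```

Run the check against the exported password list of a rotation batch before the new credentials are committed; any account that appears in the output should be reissued. Checking for sequential and single-character passwords separately from the numeric-only rule catches the variants ("11111111", "abcdefgh") that a simple digit test misses.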
The Fiscalía General del Estado de Guanajuato data breach illustrates the severe consequences that arise when a justice institution’s internal structure is compromised. With attackers claiming control over domain controller environments and releasing SQL databases, criminal intelligence, camera footage, and forensic materials, this incident represents a high-risk event for law enforcement, investigators, and civilians throughout the state. The long-term impact will depend on how widely the leaked data spreads and whether additional archives are released by the attackers. As more information becomes available, continued monitoring and detailed analysis will be required to assess the full scope of the Fiscalía General del Estado de Guanajuato data breach.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.