Slopcraft: How FBI Killed Own Informants in Mexico

A newly released FBI audit reveals shocking operational security failures that should make Cold War veterans cringe if not cry.

In 2018, during the “El Chapo” investigation, the FBI made mistakes so elementary they belong in a “what not to do” textbook—and many people were tortured and killed.

The Mexico City Disaster

The June 2025 OIG report describes a catastrophic breach where privately funded hackers systematically identified and tracked FBI personnel:

“In 2018, while the FBI was working on the ‘El Chapo’ drug cartel case, an individual connected to the cartel contacted an FBI case agent. This individual said that the cartel had hired a ‘hacker’ who offered a menu of services related to exploiting mobile phones and other electronic devices. According to the individual, the hacker had observed people going in and out of the United States Embassy in Mexico City and identified ‘people of interest’ for the cartel, including the FBI Assistant Legal Attache (ALAT), and then was able to use the ALAT’s mobile phone number to obtain calls made and received, as well as geolocation data, associated with the ALAT’s phone.”

And it gets worse:

“According to the FBI, the hacker also used Mexico City’s camera system to follow the ALAT through the city and identify people the ALAT met with. According to the case agent, the cartel used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses.”

I am reminded of an investigation in 2000 when my flight to Russia was cancelled last minute. My supervisor blocked the work, related to the fact that coordination with the embassy there may have leaked to Russian technology firm executives who would order a hit. I did everything I could to go, but the leaks were considered too dangerous, and I still wonder to this day if I could have made it out alive. That was 25 years ago.

How Could This Happen Now?

This wasn’t some sophisticated hack, and it wasn’t even an exploit. This was a failure of basic tradecraft that any intelligence professional should have known since the early 1980s:

  • Never assume embassy visitors aren’t being watched
  • Never trust electronic devices in hostile environments
  • Never use predictable patterns or meeting locations
  • Never underestimate local corruption and surveillance capabilities

The FBI’s own assessment admits this threat has been around for dog years:

“Although the risks posed by UTS to the FBI’s criminal and national security operations have been longstanding, recent advances in commercially available technologies have made it easier than ever for less-sophisticated nations and criminal enterprises to identify and exploit vulnerabilities created by UTS.”

The Real Problem: American Hubris

What makes this even more inexcusable is that the FBI knew about these vulnerabilities. The Counterintelligence Division had conducted an extensive analysis called “Anatomy of a Case” that identified these exact risks. But when the FBI formed a “Red Team” to address the problem, they essentially ignored those findings:

“Although CD presented the results of its findings to the Red Team, we were not provided with evidence that the Red Team incorporated or even considered many of the specific vulnerabilities identified in CD’s analysis. In fact, we were told during the audit that the Red Team opted to keep its gap analysis at a high level with an emphasis on generalized UTS policy and training gaps.”

Mexico: a Comms Storm Obvious From a Million Miles Away

Operating in Mexico should have triggered maximum paranoia. Consider the environment:

  • Corruption: Wealthy elites have infiltrated government, telecommunications, and security services at every level
  • Technical capability: Elites employ sophisticated hackers and have access to commercial surveillance tools
  • Stakes: Billions of dollars in private wealth at stake make intelligence gathering worth massive investment
  • Ruthlessness: Wealthy elites (e.g. monarchs, cartels, power/transit execs) are known to routinely torture and murder suspected informants

Somehow the FBI thought it could operate sloppily in hostile, corrupted foreign environments using the same casual approach it might have thought sufficient in corrupted Texas.

“Existential” Threat

The audit notes that officials from both the FBI and CIA described these technological surveillance threats as “existential.” Yet the FBI’s response was described as:

“disjointed and inconsistent”

The audit found that despite multiple divisions working on the problem, there was no enterprise-wide coordination. Different units were duplicating efforts while leaving massive gaps unaddressed.

Global Pattern of Failure

The Mexico case wasn’t isolated. The audit describes multiple examples of technological surveillance being used against FBI operations:

“The leader of an organized crime family suspected an employee of being an FBI informant. To confirm this suspicion, the leader went through the call logs for the suspected employee’s cell phone looking for phone numbers that may be connected to law enforcement.”

What the FBI refused to admit, despite loss of life, is how dramatically the surveillance landscape has changed. Commercial data brokers, facial recognition systems, cell phone tracking, and financial transaction monitoring have created an environment where:

  1. Every electronic device can be compromised
  2. Every transaction means a trail
  3. Camera systems everywhere: installed, accessed or corrupted
  4. Every communications channel may be monitored

In Mexico specifically, where threats have billions to spend and government corruption is endemic (arguably not unlike America under Trump), assuming any electronic security is foolish.

The Human Cost

The audit’s clinical language obscures the human tragedy. When it says the cartel used the information to “intimidate and, in some instances, kill potential sources or cooperating witnesses,” it’s describing torture and murder of people who trusted the FBI to protect them.

These weren’t abstract security failures—they were death sentences handed out through institutionalized safety anti-patterns of incompetence or willful disregard.

Basic Lessons Ignored

The most damning aspect is that this wasn’t a learning experience. The audit, conducted years later, found the FBI still struggling with basic coordination and still making elementary mistakes. As one section notes:

“we do not believe that the initial effort of the Red Team to identify the specific, enterprise-wide risks was adequate, potentially leaving several UTS-related threats unmitigated.”

Basic operational security in Mexico should have included:

  • Assuming all electronic devices are compromised
  • Using air-gapped, disposable communications
  • Meeting sources far from official facilities
  • Employing multiple cutouts and intermediaries
  • Rotating personnel and patterns constantly
  • Treating every interaction as potentially monitored

Instead, the FBI walked sources into obvious embassy surveillance zones while carrying trackable phones as if waving a huge flag that said “target here”.

Broad Implications for American National Security

This isn’t just about the FBI. Every law enforcement and intelligence agency faces these same technological threats. The difference is that competent agencies adapt their tradecraft, which should have happened decades ago.

The FBI’s failures in Mexico reveal an institution that was:

  • Overconfident
  • Underestimating
  • Failing to coordinate
  • Ignoring internal assessments
  • Causing fatal risks through negligence and willful disregard

The Mexico City case represents more than operational security failure—it’s institutional hubris with deadly consequences.

When billion-dollar private entities (e.g. Facebook, Palantir, Anduril) can employ sophisticated hackers and have corrupted entire government systems, operating with pre-WWI tradecraft isn’t just stupid, it’s criminal negligence.

The fact that people died because FBI personnel couldn’t grasp basic concepts that any Cold War operative would have understood should be a career-ending scandal for everyone involved in the operational chain.

Instead, it took years of auditing to even acknowledge the problem, and the FBI’s response has been to form committees and write strategic plans while continuing to make the same fundamental mistakes.

In an environment where wealthy elites pay hackers to compromise the entire foundation of public communications, there is no excuse for this level of operational incompetence.

None.
