In recent days, a story has circulated that caught the attention of media outlets, analysts, and even artificial intelligence tools: a supposed Turkish group named Tekir APT allegedly breached the critical infrastructure of Guanajuato’s State Prosecutor’s Office (FGE Guanajuato), exfiltrating over 250 GB of sensitive information.
At first glance, the case was presented as a sophisticated foreign operation. However, when reviewing the technical evidence, the attackers’ behavior, and even the linguistic details of the statement, the picture changes entirely. At TecnetOne, we see clear signs that this attack has nothing to do with Turkey—and everything to do with Mexico.
Everything points to one thing: Mexican insiders—or at least local actors with internal access—disguising the operation under an exotic name to mislead investigators.
The group claims to have stolen:
They reported exfiltrating over 250 GB of data—something difficult for an external attacker without privileged and sustained access. Ironically, they repeatedly stated they weren’t insiders, which is one of the clearest signs that they probably were.
The screenshots shared by “Tekir APT” show:
To exfiltrate 250 GB without triggering alerts, saturating connections, or disabling services, you need more than a remote exploit—you need internal credentials, trusted access, or a shared password from employees.
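The volume argument above is also a detection argument: 250 GB leaving a network in a short window is visible in flow or proxy logs if anyone aggregates them per host. The following is an added example, not code from TecnetOne or from the incident, that sums external egress per internal host and day over a few constructed flow records (timestamp, source, destination, bytes out) and flags hosts above a threshold, noting how much of the transfer ran off-hours. The log format, the 10 GB/day threshold and the IP addresses are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records for this example (timestamp src dst bytes_out).
# They are made up and are not logs from the incident described in the article.
SAMPLE_FLOWS = """\
2025-01-10T02:14:00 10.20.5.17 203.0.113.9 30000000000
2025-01-10T02:40:00 10.20.5.17 203.0.113.9 28000000000
2025-01-10T03:05:00 10.20.5.17 203.0.113.9 32000000000
2025-01-10T09:12:00 10.20.5.44 198.51.100.7 50000000
2025-01-10T09:30:00 10.20.5.44 198.51.100.7 70000000
2025-01-10T10:00:00 10.20.5.80 10.20.9.1 500000000000
2025-01-10T11:00:00 10.20.5.80 192.0.2.25 10000000
"""

# RFC 1918 ranges; traffic between internal hosts is not counted as egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GB = 1_000_000_000


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_host_day(flows):
    """Sum bytes sent from internal hosts to external addresses, keyed by (host, day).
    Also keep the subset sent between 00:00 and 06:00 as an off-hours signal."""
    totals = defaultdict(int)
    off_hours = defaultdict(int)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external traffic counts as egress
        key = (str(f["src"]), f["ts"].date().isoformat())
        totals[key] += f["bytes"]
        if f["ts"].hour < 6:
            off_hours[key] += f["bytes"]
    return totals, off_hours


def flag_egress(flows, threshold_bytes=10 * GB):
    """Return hosts whose daily external egress exceeds the threshold, with the
    share of that volume that moved off-hours, sorted by host and day."""
    totals, off_hours = egress_by_host_day(flows)
    findings = []
    for (host, day), nbytes in sorted(totals.items()):
        if nbytes > threshold_bytes:
            findings.append({
                "host": host,
                "day": day,
                "gb": round(nbytes / GB, 2),
                "off_hours_share": round(off_hours[(host, day)] / nbytes, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_egress(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the sample data only 10.20.5.17 is flagged (90 GB, all of it between 02:00 and 04:00); the 500 GB internal copy from 10.20.5.80 is ignored because its destination is inside the network, which is exactly the kind of traffic a trusted insider can generate without tripping an egress rule, so the per-host external sum is the check to pair with whatever monitors internal file-share reads.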
One alarming detail: some internal passwords were literally “12345678” and “123456789.” In 2025. That’s less “Turkish APT” and more like someone inside exploiting poorly secured infrastructure.
The attackers said they would publish the information on a Tor-based site. But:
This is atypical for professional actors. Groups like LockBit, Medusa, Black Basta, or even Latin American collectives like Guacamaya always maintain redundant systems. Tekir didn’t.
A legitimate Turkish group would have had solid infrastructure, prior repositories, and clear communication channels. Tekir APT had none.
When tracking the alias in threat intelligence platforms, something very interesting happens: Tekir APT is nowhere to be found.
They don’t show up in:
No history, reputation, prior activity, or structure. It’s as if the name was invented the same week of the attack. That doesn’t happen with real international groups—but it does when a local actor tries to create a smokescreen.
The statement released by “Tekir APT” was written in English but contained errors that are not typical of Turkish speakers. Instead, they match literal translations from Mexican Spanish.
Examples:
These don’t align with Turkish syntax, common Turkish-English errors, or the nationalist narrative typical of Turkish cyber groups. But they do match the tone and humor of self-styled “anti-corruption” Mexican collectives—similar to Lapsus$ (Mexican branch).
The structure, tone, and humor suggest the original may have sounded like this:
“Los datos que robamos incluyen todos los expedientes penales de la Fiscalía, datos personales de funcionarios, grabaciones municipales y todas las bases SQL. Las autoridades lo negaron todo. No hay de otra: esto beneficia a alguien dentro del gobierno. No hay explicación para contraseñas como 12345678 o que VEEAM y Security Center estén en el mismo dominio. Si hubieran cooperado, habríamos borrado todo. Somos gatitos lindos.” (In English: “The data we stole includes all of the Prosecutor’s Office’s criminal case files, personal data of officials, municipal recordings, and all the SQL databases. The authorities denied everything. There’s no way around it: this benefits someone inside the government. There is no explanation for passwords like 12345678 or for VEEAM and Security Center being in the same domain. If they had cooperated, we would have deleted everything. We are cute kittens.”)
That’s classic Mexican phrasing—not Turkish.
When compared with known actors:
The attack patterns resemble:
There’s no geopolitical motivation, Turkish symbols, or regional narrative typical of foreign APTs.
Three clear reasons:
After analyzing:
Everything points to the same conclusion: the attack did happen, but it was carried out by Mexican insiders, not a professional Turkish group.
The name “Tekir APT” was just a mask. And their repeated claim of not being insiders is exactly what gives them away.
At TecnetOne, we always remind our partners: the enemy isn’t always outside. Sometimes, it’s already inside your system.