On November 11, 2025, a mysterious group calling itself Tekir APT surfaced on dark web forums and social media claiming to have hacked the Attorney General’s Office of Guanajuato (FGEG). According to their statement, they had encrypted the institution’s internal systems and stolen 250 gigabytes of sensitive data, including court files, personal IDs, and confidential databases.
At first glance, it appeared to be another ransomware case: stolen data, disrupted operations, and threats to leak the information unless a ransom was paid. But once cybersecurity analysts began reviewing the so-called evidence, the story began to fall apart.
Tekir APT claimed the attack started on November 8, causing a complete shutdown of the prosecutor’s office. Employees, according to their narrative, were forced to work manually while the attackers demanded ransom before November 20.
However, cybersecurity experts found serious inconsistencies. The FGEG’s systems continued functioning normally, there were no operational disruptions, and no other organization confirmed the authenticity of the attack.
The entire story stemmed from a single source: Hackmanac, an international cyber threat monitoring company. On their X (formerly Twitter) account, @H4ckmanac, they posted alleged screenshots from the dark web and a Tor-accessible onion link where the stolen data was supposedly hosted.
The problem? None of this evidence was verified by any other company or cybersecurity outlet. Worse still, Hackmanac stated that full details of the attack were only available through their paid subscription service, Hackrisk.io.
From there, the story snowballed. Digital media, cybersecurity influencers, and even AI platforms began repeating Hackmanac’s version without proper validation.
To assess how real the threat was, the SILIKN research unit, led by cybersecurity expert Víctor Ruiz, conducted an exhaustive search through major threat intelligence databases such as:
Result: Tekir APT is nowhere to be found in any of them. Nor are there traces of its activities in well-known underground forums like Dread, XSS, BreachForums, or Exploit.in, where ransomware groups typically post proof of their leaks or share tools.
Unlike real actors like LockBit, Clop, or Medusa, who maintain active leak sites, Tekir APT has no documented or historical presence. All signs point to a fictional group—or, at best, an attempt at informational fraud.
One of the most worrying aspects is how the Tekir APT story became accepted as truth through media repetition and artificial intelligence tools.
Platforms like ChatGPT, Grok, and Perplexity began responding to queries by affirming that Tekir APT did indeed carry out an attack. But upon reviewing their sources, they all traced back to Hackmanac’s reports.
In short, AI tools were citing media outlets that were themselves citing AI-generated summaries, creating a loop of unverified information.
This reveals how unsupervised AI can unintentionally amplify false narratives and lend legitimacy to unfounded claims.
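The loop described above can be checked mechanically by following each report's citations upstream and counting how many distinct origins remain. The sketch below is an added example, not part of the original article; apart from the Hackmanac post, every source name and citation edge is a constructed placeholder.

```python
# Constructed citation map for one claim: source -> sources it cites.
# Only "hackmanac_post" reflects the page; every other name is a placeholder.
CITES = {
    "hackmanac_post": [],                       # primary claim, cites nothing upstream
    "outlet_a": ["hackmanac_post"],
    "outlet_b": ["outlet_a"],
    "ai_answer": ["outlet_b", "outlet_c"],
    "outlet_c": ["ai_answer"],                  # loop: cites the AI answer that cites it
    "influencer_thread": ["ai_answer"],
    "blog_x": ["ai_digest"],                    # closed loop with no origin at all
    "ai_digest": ["blog_x"],
}

def trace(source, cites):
    """Follow citations upstream; return (origins, sources_on_loops)."""
    origins, looped, seen = set(), set(), set()

    def walk(node, path):
        if node in path:                        # back edge: circular citation
            looped.update(path[path.index(node):])
            return
        if node in seen:
            return
        seen.add(node)
        upstream = cites.get(node, [])
        if not upstream:                        # cites nothing: an origin of the claim
            origins.add(node)
        for up in upstream:
            walk(up, path + [node])

    walk(source, [])
    return origins, looped

def assess(reports, cites):
    """Classify a claim by how many distinct origins all reports reduce to."""
    origins, looped = set(), set()
    for r in reports:
        o, l = trace(r, cites)
        origins |= o
        looped |= l
    if not origins:
        verdict = "no-origin"                   # only circular citations
    elif len(origins) == 1:
        verdict = "single-source"               # many reports, one underlying claim
    else:
        verdict = "corroborated"
    return verdict, origins, looped

if __name__ == "__main__":
    print(assess(["outlet_a", "outlet_b", "ai_answer", "influencer_thread"], CITES))
    print(assess(["blog_x"], CITES))
```

A "single-source" verdict says nothing about whether the claim is true; it only shows that the number of reports repeating it is not evidence of independent confirmation.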
Inconsistencies go beyond a lack of evidence. Some observers suspect the incident may be a distraction or internal maneuver.
Several FGEG employees stated there were no service suspensions or data loss. In fact, some departments continued working online during the alleged ransomware period.
Others suggest the ransomware story could serve as a cover-up—perhaps to hide data manipulation or deletion. Framing the situation as an “external cyberattack” could help avoid audits or accountability in sensitive cases.
So far, the Guanajuato Prosecutor’s Office has not released any technical reports or forensic evidence, something that would be mandatory for a breach of this level.
Beyond the mystery surrounding Tekir APT, this case offers an essential reminder: cybersecurity stories must be investigated with independence and rigor.
Many outlets rush to publish unverified claims, and when primary sources are companies offering paid subscriptions for “exclusive access”, the conflict of interest is clear.
Cybersecurity isn’t just about defending systems—it’s also about defending the truth. Unverified information creates an environment of confusion that ultimately benefits real threat actors.
In short, this alleged “hack” seems to rely more on speculation than fact.
At TecnetOne, we believe real cyberattacks must be handled transparently and responsibly. The Tekir APT case shows how disinformation can be as damaging as an actual breach.
If false or exaggerated stories spread:
The solution lies in clear communication, evidence-based reporting, and expert validation.
The Tekir APT saga is, in itself, a warning. Today, any fictional group can become the protagonist of a fake cyberattack.
Was it a real breach or a smokescreen? We still don’t know. But what’s clear is this: cybersecurity isn’t just defended with firewalls, but with critical thinking and information integrity.
Until technical evidence or an official statement is released, Tekir APT remains nothing more than a digital ghost.