
FBI Update: Ubiquitous Technical Surveillance (UTS) Audit

Written by Bola Ogbara | Jul 11, 2025 1:37:47 PM

An FBI audit shared how a drug cartel hacker exploited UTS to track down and even kill possible 'persons of interest', sparking concerns about the UTS cybersecurity threat. 

On June 26, 2025, the Federal Bureau of Investigation (FBI) released an audit from the Office of the Inspector General (OIG) with the goal of assessing “the sufficiency and effectiveness of the: (1) actions the Federal Bureau of Investigation (FBI) is taking to protect sensitive investigations and operations from technological compromise and whether those steps have been taken at the enterprise level, and (2) training the FBI provides to its personnel to increase the work force's resiliency against technological compromise.”


The audit hinges on the potential dangers of Ubiquitous Technical Surveillance (UTS), as seen in a 2018 incident that occurred while the FBI was building its case against “El Chapo” and his drug cartel. The Sinaloa cartel was founded by Joaquín “El Chapo” Guzmán and is especially notorious for its brutal tactics and wide influence in the drug trade. This year, the State Department named the “Cártel de Sinaloa” a foreign terrorist organization (FTO) and a Specially Designated Global Terrorist (SDGT) for being “one of the largest producers and traffickers of fentanyl and other illicit drugs to the United States”, and for its use of violence “to murder, kidnap, and intimidate civilians, government officials, and journalists.”


In the audit, the FBI shares that an informant in the cartel reported that the syndicate had hired a hacker. The hacker could exploit phones and electronic devices, and identified “people of interest” to the cartel who frequented the US Embassy in Mexico City, such as the FBI Assistant Legal Attaché (ALAT), who may have helped conduct and coordinate investigations between Mexico and the US. The hacker accessed sensitive information from the ALAT’s phone, including call logs and geolocation data. This, coupled with the hacker's use of Mexico City’s camera system, exposed the ALAT to thorough monitoring by the cartel. The cartel was able to follow the FBI agent through Mexico’s capital and track the people they met with. This valuable information was then used to threaten, and in some cases kill, possible sources and witnesses who could have aided the FBI’s investigation.


UTS, defined by the FBI as “the widespread collection of data and application of analytic methodologies for the purpose of connecting people to things, events, or locations”, occurs over five vectors: visual and physical (such as physical surveillance and cameras), electronic signals (such as phones), financial (transactions can carry details that tie back to a specific account), travel (information about lodging, transit, etc.), and online (such as marketing data and social media usage). This surveillance can capture a great deal of critical information about an individual, and following the 2018 incident, the FBI formed a “Red Team” to find UTS vulnerabilities.


In this audit, however, the OIG found the Red Team’s first efforts to build a mitigation plan “not comprehensive, potentially leaving many UTS vulnerabilities unaddressed.” Additionally, the UTS strategic plan that was devised was not specific enough to be operational, and advanced UTS training was not being given to the staff who required it most. Officials in the FBI and the Central Intelligence Agency (CIA) described the UTS threat as “existential” to how the FBI operates, and agreed that “if not adequately addressed, UTS can lead to unacceptable outcomes such as significant national security and criminal operations and investigations being compromised”. As the audit was redacted for public release, not all of the “unacceptable outcomes” are known, but it’s reasonable to believe they could still be disastrous.


The audit concludes with a series of recommendations: 

  1. Be more comprehensive in documenting and integrating UTS vulnerabilities into the final mitigation plan.
  2. Ensure the final UTS Strategic Plan has set approaches for harmonising already existing UTS efforts and clearly allows FBI officials the authority to drive the UTS policies.
  3. Develop a well-defined order of authority and coordination around UTS-related incident response.
  4. Look into expanding UTS-related training modules so staff are appropriately equipped with the basic and advanced skills needed for the threats they may face. 


Looking at the OIG’s audit, it’s apparent that the FBI has some work to do to address its UTS vulnerabilities. That isn’t to say the agency hasn’t been active in the fight against cybercrime, however. On July 8, 2025, the US Attorney’s Office in the Southern District of Texas announced the arrest of Xu Zewei, a Chinese state-sponsored hacker. Xu was charged alongside another People’s Republic of China (PRC) national, Zhang Yu. Both were allegedly directed by the PRC Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB) to hack into research universities in early 2020 and to operate the HAFNIUM campaign in late 2020.


In the press release, FBI Houston Special Agent in Charge Douglas Williams, commented on the irony behind the motives for the university hacks: “While the world was reeling from a virus that originated in China, the Chinese government plotted to steal U.S. research critical to vaccine development. Xu Zewei, an alleged hacker acting on behalf of China's primary spy agency, targeted COVID-19 data using sophisticated cyber techniques and tradecraft. His landmark arrest by FBI Houston agents in Italy proves that we will scour the ends of the Earth to hold criminal foreign adversaries accountable.” 


Xu’s arrest is also a “landmark” development because of the impact of the HAFNIUM intrusions. Xu and Zhang exploited vulnerabilities in Microsoft Exchange Server, which allowed them to target “thousands of computers worldwide” by installing web shells on them for remote access. The victims of this Microsoft Exchange exploitation included a university in the Southern District of Texas and a global law firm. The hackers accessed the law firm’s network and mailboxes, and looked for information about US policy.


While Zhang remains at large, Xu faces up to 20 years in federal prison and a potential fine of up to $250,000 for wire fraud, conspiracy to cause damage to and obtain information by unauthorized access to protected computers, committing identity theft, and obtaining information by unauthorized access to protected computers. The FBI’s Houston Field Office is still conducting the investigation, so any relevant information about Zhang’s location can be reported to the FBI at 1-800-CALL-FBI (1-800-225-5324).