At first glance, the text messages looked innocuous enough. One was a simple "service message," the sort you might get from your cellular provider, with a link to more information.

Another was more serious; the person who sent it said their father had died, and included a link to "dates for the wake."

But had Karla Michelle Salas or David Pena clicked on either of those links, their iPhones would have been directed to a specially crafted webpage designed to silently infect their devices with powerful surveillance software. Once in place, the attackers would have unfettered access to their targets' contacts, messages, phone calls and more.

The spyware was developed by an Israeli company called NSO Group, a secretive dealer of so-called "cyber arms." It was no coincidence that Salas and Pena, both Mexican lawyers, found the spyware attempting to worm its way into their phones.

According to a new report from researchers at the University of Toronto's Citizen Lab, released today, both Salas and Pena appear to have been targeted because of their roles investigating suspicious execution-style killings in Mexico, in what has become a disturbing trend among activists, journalists, lawyers and even scientists who similarly oppose or criticize the country's government.

In recent months, Citizen Lab has publicly identified 21 cases in Mexico where NSO spyware has been used against members of civil society.

Ana Cristina Ruelas, far left, is the director of Mexican digital rights group Article 19. She has been pushing for transparency around what she says is the Mexican government's illegal use of NSO tools. (Alfredo Estrella/AFP/Getty Images)

And while there is still no definitive proof that the Mexican government is behind the attacks, the government — and its attorney general's office in particular — is a known client of the Israeli surveillance firm. The government was sold the software on the condition it only be used during national security and criminal investigations, and has "categorically" denied any accusations of misuse.

"There needs to be accountability; there needs to be institutional reform and institutional consequences for these type of attacks," said Luis Fernando Garcia, executive director of Mexican digital rights group R3D, which has called for an independent investigation free of government interference.

"If we enter an arms race between civil society and government, definitely the government will win."

Murder motive disputed

As the use of surveillance and censorship software by repressive governments draws greater scrutiny, local digital rights groups have played a crucial role in connecting vulnerable groups with security researchers around the globe eager to help document and disrupt such attacks.

"These are the guys who are willing to do the hardest work," says Eva Galperin, director of cybersecurity at the San Francisco-based Electronic Frontier Foundation, referring to day-to-day security tasks, such as teaching people to use two-factor authentication, set up encrypted messaging apps, or how to plan for potential threats.

Sometimes that work yields disturbing discoveries.

In the case of lawyers Salas and Pena, the suspicious messages were identified by R3D, then shared with the Citizen Lab for further analysis. It followed a similar pattern to cases detailed in Citizen Lab's previous reports.

Salas and Pena represented the family of Nadia Vera, an activist executed in Mexico City in July 2015, along with journalist Ruben Espinosa and three other women. Vera and Espinosa had previously spoken out against Javier Duarte, then governor of the state of Veracruz, and fled to Mexico City, believing their safety to be under threat.

An Israeli woman uses her iPhone in front of the building housing the Israeli NSO group, whose spyware has been used by governments in Mexico, Panama and the United Arab Emirates. (Jack Guez/AFP/Getty Images)

Salas and Pena have disputed the findings of the government's official investigation, which concluded the killing was a robbery gone bad. The two lawyers reached out to R3D after seeing a Citizen Lab report on spyware use in Mexico published earlier this year.

Digital rights groups SocialTIC and Article 19 have also worked closely with Citizen Lab on its previous NSO reports.

"As each report gets published, more people become aware of the threat," Garcia said.

'Why did they want this information?'

Citizen Lab's latest investigation comes amid recent reports that U.S. private equity firm Blackstone is in talks to purchase a controlling stake in NSO Group for $400 million US.

Digital rights groups, including Citizen Lab and Access Now, have petitioned Blackstone's board of directors to consider recent reports on misuse of the group's software before agreeing to a sale.

"Each time we find more cases, we think 'this must be the most troubling.' Yet each time we are still surprised," wrote John Scott-Railton, a senior researcher at the Citizen Lab and one of the authors of today's report, in an encrypted chat. "I wonder if the Blackstone team considering the acquisition has phoned NSO to ask: 'What other revelations should we prepare for?'"

"It's our general policy not comment on deal speculation," Matt Anderson, Blackstone's senior vice-president of global public affairs, told CBC News in an email.

Mexico is not the only country known to be using NSO's surveillance tools.

Former Panama president Ricardo Martinelli was accused in court filings of using the spyware to monitor scores of political opponents. And last year, Citizen Lab detailed efforts by the United Arab Emirates government to use NSO spyware against prominent human rights activist Ahmed Mansoor.

"We want to know what they did with the information they gathered," says Ana Ruelas, the Mexican director of Article 19, who has been pushing for transparency around what she says is the Mexican government's illegal use of NSO tools.

"Why did they want that information? What was it used for?"