Mexican scam loan apps will edit your face onto X-rated photos and send them to your family

Getting a bank loan as a working-class Mexican is virtually impossible. So, when María needed money, she downloaded SolPeso, one of the growing numbers of instant lending apps. To grant her the loan, the app asked not only for her personal and financial data, it also requested access to her phone’s data, including her contacts list.

Even though SolPeso transferred less money than promised, María, who asked to be identified by her first name only to protect her identity for fear of being further targeted by her scammers, said the app demanded the original amount plus interest be repaid in a few days. When she couldn’t pay, the lender called and messaged her with threats.

She downloaded a second lending app to pay off that first debt, and then even more, including Rápikrédito, Super Peso, LoanLaLa, Money Flash, and iFectivo in the following few weeks. Many of those lending apps joined SolPeso in the harassment. Sometimes she received more than 50 calls and messages daily, containing threats that ranged from saying the lenders would distribute photoshopped photos of María as a thief to threatening to rape and kill her family if she didn’t repay.

“It’s terrifying and depressing,” María said. “They send you extremely aggressive messages that fill you with fear.”

According to the Mexican government’s official financial fraud report platform, María is one of hundreds of users to be doxxed by fraudulent loan apps in Mexico. “It never crosses your mind that [lending apps] will use all that information to psychologically attack you,” María said. 

Rest of World identified 94 loan apps listed as possibly related to doxxing activities across various Mexican cyberpolice departments; 35 of these are available on Google’s Play store, the app store on Android devices, which account for 80.87% of mobile internet traffic in Mexico. According to victims, government officials, digital rights activists, and platforms, gaps in Mexican law allow these lenders to continue to push scams on app stores and leave victims with no clear avenue to restitution or justice. Consumer education and criminal investigations that come after a crime has occurred are the only ways to currently combat this new type of digital financial fraud, but none of these efforts has stopped the apps from appearing in app stores, according to digital security experts who spoke to Rest of World.

“This type of fraud must be regulated more adequately, since the damage doesn’t only affect users but people around them as well,” said Paul Aguilar, a security expert at SocialTic, a social rights organization that analyzes Play store apps for security or privacy issues. 

Mexico’s dereliction of responsibility to loan app victims is particularly glaring given international precedent in resolving this issue. In 2021 and early 2022, Google removed scam instant-credit apps and implemented stricter policies on its app store after the Reserve Bank of India flagged 600 such apps to the company. 

Meanwhile, Jesús Chávez Ugalde, the director of analysis and statistics of financial services and products for Mexico’s National Commission for the Protection and Defense of Users of Financial Services (CONDUSEF) told Rest of World that the agency can intervene only in situations involving registered financial institutions. This means that unregistered apps are out of regulators’ reach, he said. 

The legal gap left for lending apps leads to uncertainty as to who is in charge of protecting people’s rights, Fiorentina García, cofounder of Tec-Check, a digital consumer protection watchdog, told Rest of World. “I think that it’s clearly CONDUSEF’s responsibility. The agency isn’t assuming it and is excusing itself,” she said.

María told Rest of World that, as lenders escalated their threats, iFectivo sent her 13-year-old daughter, her cousin, her nieces, and 17 more of her contacts a photoshopped picture of a naked woman with María’s face, claiming she’d become a prostitute to pay her debts. María’s cousin advised her, in the absence of other legal channels for protection, to call 911.

While scam loan apps may not be regulated, their collection methods through harassment and threats constitute illegal activity. In Mexico, threats and e-commerce fraud are among the most common cybercrimes reported to the national cyberpolice, the government agency tasked with preventing criminal activity on the internet. The cyberpolice’s publicly available records don’t show crimes committed by lending apps agents, but they are a good indicator of how much of a problem doxxing has become in the country.

Apart from the national cyberpolice, every Mexican security agency has a cybersecurity department, three of which have been fighting scam lending apps since 2021. Their job is to alert the public about apps’ modus operandi and to use citizens’ claims against doxxing loan apps and “virtual patrolling” to ask platforms to take down the loan scams from their app stores. 

And yet, the number of victims continues to rise. In late 2021, Mexico City’s local cyberpolice reported receiving more complaints about instant loan apps doxxing users, despite its earlier report of risks associated with these apps.

Of the 35 apps that Rest of World found to be currently available in the Play store, 24 were flagged — often multiple times — as platforms for doxxers by the Mexican government’s official financial fraud report. OKrédito and Tala Mobile, which are regulated apps, appear on Mexico’s consumer protection agency as having received consumer complaints for fraudulent practices. Spokespeople from both companies denied wrongdoing when contacted by Rest of World.

Rest of World reached out for comment from all the 35 express loan apps available in the Play store, but only OKrédito and Tala answered.

Since May, the rise in loan app scam victims has prompted authorities to act. Mexico City’s local congress asked the local cyberpolice to investigate the 130 lending apps identified by NGO Citizen Council for Security and Justice of Mexico City. A journalist from the newspaper Publimetro confronted President Andrés Manuel López Obrador, who went on to publicly condemn the people behind doxxing loan apps and ordered an investigation into digital financial fraud. 

But advocacy organizations told Rest of World this is too little, too late. 

For now, Mexican authorities take the investigations abroad when foreign loan apps dox Mexicans and only when they can get information from the platforms that house the apps, meaning fraudsters can use “the Play store as an intermediary,” said Aguilar, the security expert at SocialTic. Platforms rarely disclose sufficient information to the cyberpolice or local prosecutors. According to its own policy guidelines, Google may take action if it discovers a discrepancy between an app’s data safety declaration and its behavior on the Play store.

“Google has a great responsibility to have stricter guidelines and oversight over its apps because, in the end, it’s this company that makes it possible for them to be published,” Aguilar said.

While the Mexican government can do little and the tech companies platforming scam loan apps won’t take responsibility, the onus has fallen onto civil society. In the same article brought to the Mexican president’s attention, Publimetro also exposed harassment on loan apps promoted through Facebook accounts; the social platform’s parent company, Meta, took down lender user accounts within days.

However, most activism is limited to educating Mexicans about the risks posed by scam loan apps. For María, who was desperate for cash two months ago, this is easier said than done. Nevertheless, she feels she’s slowly making her way out of the debt trap of her own volition. Lending app doxxers have not stopped harassing her, but María is no longer afraid of them. “I now feel indebted but not under so much pressure,” she said. “I’ll look for a better job and teach my daughter to make a living without getting loans.”