How the Cuban State Hacks Accounts of Targeted Activists

raul-medina-orama
Raúl Medina Orama

13 de mayo de 2026 a las 09:58 a. m.

Gasta menos datos recibiendo nuestro contenido en WhatsApp o Telegram

On the phone of Yamilka Lafita, the activist known on social media as “Lara Crofs,” applications began closing one by one without her touching anything. WhatsApp first, then Gmail. Two accounts linked to Cuban phone numbers disappeared within minutes.

The day before, the State Security officer who identifies himself as “Luisito” — whose real name is Ariel Arnau Grillet — had sent her an SMS: “Good afternoon, I’m informing you there’s no trip to Santiago de Cuba, I’m watching you, ok?” The threat against Lafita, who independently assists people in need, was the prelude to the attack on her communication channels.

On May 4, 2026, two weeks later, the activist reported that a second WhatsApp account and her Telegram account had been shut down.

“I lost countless photos of my deceased mother, contact information, and almost the entire aid project since 2021,” Lafita told elTOQUE. She was unable to recover any of the accounts. The computer specialists helping her explained that the safest option was to obtain phone numbers from outside the country, disconnected from the state telecommunications monopoly Etecsa.

It is not an isolated case. On April 28, 2026, activist Raymar Aguado reported that since the middle of that month his WhatsApp account had been forcibly shut down twice, his mobile Internet access had been blocked for several days, and attempts had been made to compromise his Facebook and Instagram accounts.

The digital harassment against Aguado escalated over several weeks and included pressure on people in his circle through irregular police summonses.

“I’ve been receiving harassing phone calls from the State Security Department for two weeks. They call from private numbers. Behind this pattern is the thug who calls himself Camilo,” Aguado told elTOQUE.

The young activist explained that the agent identified as Camilo described over the phone every step of his journey through the Antonio Maceo Airport in Santiago de Cuba and José Martí Airport in Havana, during a trip in which Aguado was distributing aid to communities affected by Hurricane Melissa.

His personal phone numbers were also posted in buying-and-selling groups on social media to generate a flood of contact attempts and overload his communications. The deactivation of WhatsApp came at the end, as the final blow.

“I have no right to communication or information, which limits every aspect of my life. It’s a repressive strategy of tremendous vileness,” Aguado said.

Raymar Aguado says he will continue his work despite the harassment. “This campaign of political violence against me is due to the activism I carry out. My activism will not stop, much less the acts of solidarity and aid.”

Historian and defender of civil and political rights Alina Barbara Lopez Hernandez reported on Facebook on May 3, 2026, that her identity on WhatsApp had been impersonated. “Anyone receiving WhatsApp messages from the number 58682862 should know it’s not me, but rather the ‘fifth best police force in the world,’” she warned ironically.

Other recently reported cases include independent journalist Yania Suárez, who lost access to her Telegram account. The leader of the Ladies in White, Berta Soler, had her cell phone service blocked. Social media content creator Anna Sofía Benitez Silvente — known as Anna Bensi — and her mother simultaneously lost access to WhatsApp and Telegram after their Etecsa phone lines were deactivated.

What happened to Anna Sofía was described by the Cuban Institute for Freedom of Expression and Press (Iclep): the telecommunications company simultaneously deactivated the phone lines of Anna Bensi and her mother, and that cutoff served as the necessary prelude for the theft of their digital identities. By controlling the network infrastructure, whoever carried out the attack facilitated access to the verification codes for the applications.

Meanwhile, Yamilka Lafita says she has strengthened the security of her accounts following the recent attacks. “I changed everything: authentication numbers, emails, and activated two-step verification on all my accounts,” she said.

Every one of the recent cases shares a common denominator: the victims are activists or independent journalists with an active public presence and involvement in denunciations, community aid work, or the dissemination of information contrary to official doctrine.

A Hack No One Sees

Several of the victims have said their WhatsApp was “hacked,” even though the application uses end-to-end encryption. The cyberattack may have occurred one layer lower: in the telecommunications infrastructure that allows the messaging application to function.

WhatsApp, like many platforms, allows an account to be transferred to a new device simply by entering the phone number and confirming a six-digit code sent via SMS. If someone intercepts that code at the network level — before it reaches the phone — they gain complete control of the account. The original user is locked out. Their entire history, contacts, and groups pass into the hands of whoever carried out the attack.

That is where the Cuban context becomes decisive. Through Etecsa, the Cuban State controls the infrastructure through which verification SMS messages circulate.

The independent newspaper 14yMedio has documented that in some hacking cases, the code was validated by the attacker “even when the owner’s phone was turned off or without signal, which demonstrates that access is directly from the telephone exchange.”

El Toque could not independently verify the exact technical mechanism used in each case, although specialists consulted considered the allegations plausible.

A former Etecsa employee told El Toque anonymously that “State Security has trusted people [inside the company] whom they turn to in specific situations involving mobile networks and access to physical networks.”

How Do the Attacks Happen?

There are several ways account hijackings can occur, and in the Cuban context several converge at once. One is interception of the verification SMS: the attacker requests registration of the number on a new device, the platform sends the code by SMS, and if there is access to the telecommunications infrastructure, that message can be captured before it reaches the intended recipient.

There is also social engineering: contacting the victim while pretending to be a technician or institution and requesting the code under some pretext. Or physical access to the device: if the phone is confiscated during an interrogation, whoever has it can activate WhatsApp Web or register the number on another device.

Reports from human rights organizations document that confiscation and inspection of devices is standard practice when an activist is detained.

Freedom House documented in its most recent evaluation of Internet freedom in Cuba that the Government harasses and imprisons people who express dissident opinions online.

What has occurred in recent weeks on the island suggests an escalation against activists, independent journalists, and citizens who use digital platforms to denounce abuses, coordinate community aid, or share information outside official channels. Control is no longer limited to the streets or the press: it also extends into private spaces of communication.

Prisoners Defenders stated that digital surveillance in Cuba constitutes “a structural policy of state control,” intensified with the expansion of Internet access and information technologies, without effective guarantees for digital rights protection or independent judicial oversight.

Warning Signs and How to Protect Yourself

Before an account hijacking, warning signs often appear. Recognizing them in time can make the difference: receiving an SMS with a code no one requested, calls from a private number, sudden logouts from an application, notifications of a new login on an unknown device, contacts reporting strange messages sent from your account, or sudden loss of signal or data access.

No measure guarantees absolute protection, especially when the attacker controls the telecommunications infrastructure. But these actions can reduce the risk:

• Activate two-step verification on WhatsApp (Settings/Account/Two-step verification). This adds a PIN required to register the number on any new device, even if the attacker has the SMS code.

• Never share an SMS code you did not request yourself. No legitimate platform will ask for it. If someone does, it is a social engineering attack.

• Check active WhatsApp sessions (Settings/Linked devices) and close any you do not recognize.

• Set up a PIN for your SIM card through your phone settings. This protects the card if the device falls into someone else’s hands.

• Use phone numbers from outside the country as backup for critical accounts, especially lines not linked to Etecsa.

• Switch to Signal for sensitive communications. Signal offers stronger metadata protection and end-to-end encryption with less dependence on the operator’s infrastructure.

• Activate login alerts on Gmail, Facebook, and Instagram so you are notified if someone accesses your account from an unknown device.

• Document any prior threats (screenshots, call logs). Establishing the pattern of harassment before the attack is key evidence.


This article was translated into English from the original in Spanish.
toque-promo
Encuentra la norma legal cubana que buscas
Normativa reciente
Gaceta Oficial No. 61 Extraordinaria de 2026
12 may, 2026
Resolución 17 de 2026 de Ministerio de la Agricultura
Indicaciones y procedimientos relativos a la comercialización de la producción agropecuaria y forestal para el año 2026.
Respuestas a preguntas jurídicas frecuentes
¿Cómo actuar ante una detención?
¿Qué hacer para cambiar de nombre y apellido en Cuba?
¿Qué hacer si usurpan mi casa en Cuba?
¡Ve a Legalis!