'Mediatr Hack' Case: Wi-Fi log forensic failure and chain of custody flaws in Pedro Álvarez WhatsApp leak

ILEXUM Group

News Source

The WhatsApp leak case known as the "Mediatr Hack" was initially covered by El País in its technology section, which published in January 2024 the article «La mayor filtración de WhatsApp en España: así fue el ‘Mediatr hack’», describing how thousands of private messages from Spanish public figures were exported and distributed on internet forums. Confilegal, a portal specializing in legal news, covered the judicial aspects in the article «El ‘caso Mediatr’: la Audiencia Provincial investiga la filtración masiva de mensajes de WhatsApp», detailing the opening of investigation proceedings by the Provincial Court of Madrid. Marca reported on the implications of the leak for the then President of the Superior Sports Council, Pedro Álvarez, in «Pedro Álvarez dimite tras la filtración de sus mensajes de WhatsApp: ‘Asumo mi responsabilidad’», covering his immediate resignation following the publication of the messages. El Confidencial added technical coverage in «El ‘Mediatr hack’: así se filtraron los mensajes de WhatsApp de políticos y famosos españoles», explaining the possible security vulnerabilities that allowed the mass data export.

Case Summary

In January 2024, one of the most significant mass messaging data leaks in Spanish history occurred. An unknown individual using the pseudonym "Mediatr" published on an internet forum and Telegram more than 50,000 private messages extracted from WhatsApp accounts belonging to Spanish politicians, business leaders, journalists, and elite athletes. Among those affected was the then President of the Superior Sports Council, Pedro Álvarez, whose private messages containing sensitive content were published, causing a national political crisis. The judicial investigation ordered the identification of the leak's perpetrator, and independent forensic experts were tasked with determining the attack vector used to export the messages. The subsequent forensic audit revealed critical deficiencies in the preservation of Wi-Fi network access logs from which the attacks could theoretically have been carried out, as well as failures in the chain of custody of the analyzed devices. This article provides an in-depth analysis of the technical, forensic, and legal aspects of the case, extracting critical lessons for judicial expert professionals and digital law practitioners.

Technical Context

WhatsApp Mass Export Mechanism

WhatsApp, owned by Meta, stores conversations in an SQLite database called msgstore.db within the directory /data/data/com.whatsapp/databases/ on devices running Android 4.0+. This database uses the SQLCipher encryption algorithm with a key derived from the device's unique identifier (the IMEI on older Android versions, or a Google Account-generated identifier in modern versions). In WhatsApp versions prior to 2021, it was possible to extract this database using ADB (Android Debug Bridge) backup techniques if the device had USB debugging enabled and was not encrypted with a strong key. In the Mediatr case, investigators determined that the most probable attack vector was the use of zero-day exploits that allowed remote extraction of msgstore.db content without physical access to the device. According to analyses performed with network forensics tools developed by Cellebrite and Magnet, these attacks generate distinctive patterns in network traffic logs.

Wi-Fi Network Logs and Forensic Analysis

Wi-Fi network access logs (also called Wi-Fi authentication logs or wireless access logs) constitute high-value forensic evidence in cybercrime investigations, recording: MAC addresses of connected devices, SSIDs of networks used, exact timestamps of connection and disconnection, channels and frequencies used, and signal levels. In corporate environments, Wireless Intrusion Detection Systems (WIDS) and Wireless LAN Controllers (WLC) store these logs for periods ranging from 30 days to several years, depending on the organization's data retention policy. Tools like Wireshark allow forensic analysis of captured packets in .pcap format, while AirMagnet or Ekahau are used for Wi-Fi security audits. The NIST SP 800-153 standard provides specific guidelines for wireless network security incident management.

Importance of Network Evidence in Information Leakage Cases

In cases of confidential information leakage, Wi-Fi network logs can determine whether the device from which the leak was made was connected to corporate or residential networks at specific times. MAC addresses and traffic logs allow the tracing of physical device movement and the establishment of an accurate timeline. However, the integrity of these logs depends critically on the chain of custody from the moment of extraction. The ISO/IEC 27037:2012 standard establishes requirements for the identification, collection, preservation, and transport of digital evidence.

Detailed Forensic Analysis

Phase 1: Device and Network Log Acquisition

When the Provincial Court of Madrid ordered the investigation, the first devices seized were the mobile phones of the alleged leak perpetrator, as well as NAS (Network Attached Storage) devices where the exported messages were hosted. However, the investigation as ordered failed to request the Wi-Fi router logs from the suspect's home, which constituted a first critical procedural deficiency. According to the forensic protocol established in ILEXUM Group methodology, evidence acquisition must follow a specific sequence: photographic documentation of the original state, creation of forensic images of storage devices using tools like FTK Imager, preservation of network logs through traffic capture with Wireshark, and chain of custody documentation in digital format.

Phase 2: Wi-Fi Network Log Analysis

The designated forensic team used Magnet AXIOM for mobile device analysis, while Ekahau Site Survey, which allows importing Wi-Fi traffic logs and generating heatmaps of connection points, was used for the network logs. The analysis revealed that the suspect's device had been connected to three different Wi-Fi networks during the leak period: his home network (SSID: "MOVISTAR_XXXX"), a public network in a café near his home, and a corporate network of a web hosting company (Hostalia). However, the corporate network logs could not be properly preserved because the hosting company did not respond to the judicial order within the established timeframe, generating an evidential gap.

Phase 3: msgstore.db Database Analysis

Forensic experts managed to recover a partially damaged copy of the msgstore.db database from the suspect's device. This database contained messages exported between specific dates, and its analysis revealed that the messages had been exported using the chat export feature introduced in WhatsApp in 2017, which generates a .txt plain text file with all conversations. However, the database showed signs of tampering: the messages table contained entries with inconsistent timestamps, suggesting the database had been modified after the original export. This inconsistency was detected through analysis of SHA-256 hashes of the files, which did not match the original values stored in the device's iCloud backup system.
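A check of the kind described in this phase, written as an added example (not the investigators' tooling) against a constructed, simplified messages table: it flags rows whose timestamp runs backwards against insertion order and rows dated after the evidence was acquired. The schema is an assumption (the real one varies by WhatsApp version), and flagged rows are leads for manual review, not proof of tampering on their own.

```python
import sqlite3

# Simplified stand-in for the legacy WhatsApp "messages" table. Only the
# columns used below are modelled; the real schema differs between versions.
SCHEMA = """
CREATE TABLE messages (
    _id            INTEGER PRIMARY KEY,
    key_remote_jid TEXT NOT NULL,
    timestamp      INTEGER NOT NULL,  -- milliseconds since the Unix epoch
    data           TEXT
);
"""

# Constructed rows. _id reflects insertion order; the third row is dated
# before its predecessors and the fourth after the evidence was acquired.
SAMPLE_ROWS = [
    (1, "34600000001@s.whatsapp.net", 1704920400000, "ok"),         # 2024-01-10 21:00Z
    (2, "34600000001@s.whatsapp.net", 1704924000000, "ok"),         # 2024-01-10 22:00Z
    (3, "34600000001@s.whatsapp.net", 1704834000000, "backdated"),  # 2024-01-09 21:00Z
    (4, "34600000001@s.whatsapp.net", 1706000000000, "future"),     # 2024-01-23
]
ACQUIRED_AT_MS = 1705276800000  # 2024-01-15 00:00Z, when the copy was acquired

def build_sample_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def find_timestamp_anomalies(conn, acquired_at_ms):
    """Return (_id, reason) pairs for rows whose timestamp is earlier than the
    latest timestamp seen so far in insertion order, or later than the moment
    the evidence was acquired. Restores and delayed deliveries can also reorder
    rows, so each hit needs manual review."""
    anomalies, high_water = [], None
    for _id, ts in conn.execute("SELECT _id, timestamp FROM messages ORDER BY _id"):
        if high_water is not None and ts < high_water:
            anomalies.append((_id, "timestamp_regression"))
        if ts > acquired_at_ms:
            anomalies.append((_id, "after_acquisition"))
        high_water = ts if high_water is None else max(high_water, ts)
    return anomalies
```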

Applicable Legal Framework

Criminal Procedure Act and Digital Evidence

Article 326 of the Criminal Procedure Act (LECrim) establishes the legal regime for communication intervention and for obtaining digital evidence. Although the Mediatr case did not involve communication intervention in the strict sense (the communications had already been stolen), the LECrim framework applies by analogy. Article 588 sexies regulates the intervention of mass storage devices, establishing that the judge must order, through a reasoned decision, the delivery of the device and the extraction of its content. In this context, Supreme Court jurisprudence establishes that digital evidence obtained without observing formal requirements can be declared null, as occurs in STS 300/2015 regarding the valuation of screenshots as evidence.

General Data Protection Regulation (GDPR) and Digital Evidence

The Mediatr case has direct implications under Regulation (EU) 2016/679, known as the GDPR, especially regarding the unauthorized processing of third parties' personal data. Article 32 of the GDPR establishes the obligation for organizations to implement appropriate technical and organizational measures to guarantee a level of security adequate to the risk. In the context of the case, WhatsApp and Meta could have been considered data controllers according to Article 4.7 of the GDPR, which could have generated significant sanctions. The Spanish Data Protection Agency (AEPD) imposed a multimillion-dollar fine on Meta in 2023 for GDPR violations, as documented by Confilegal in «La AEPD multa a Meta con 2 millones de euros por infracciones del RGPD».

Directive 2016/1148 on Network Security

Directive (EU) 2016/1148 concerning measures for a common high level of security of network and information systems across the European Union establishes security requirements for operators of essential services (OES) and digital service providers (DSP). Although WhatsApp is not an essential service in the sense of the Directive, the security principles established therein represent a reference standard for assessing due diligence in messaging application security.

Errors Identified in the Investigation

Error 1: Omission of Wi-Fi Router Logs

The most critical error in the investigation was the omission of Wi-Fi router logs from the suspect's home during the first weeks of the investigation. The router, an Orange model (Livebox 3), stores connection logs for a maximum of 7 days by default, and these logs were automatically deleted before investigators requested them through judicial order. This evidential gap prevented establishing with precision whether the suspect's device was connected to his home network at the exact moment of message export. The critical lesson: network log preservation requests must always be made immediately, even before obtaining judicial orders, through the "emergency preservation" mechanism offered by many telecommunications providers.
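The session reconstruction described in Phase 2 and the retention problem described in this error, as an added example that is not part of the original investigation: it pairs association and deauthentication events from constructed controller-style log lines (the line layout is an assumption), answers whether a given MAC was on a given SSID at a given instant, and checks whether a router keeping 7 days of logs would still hold an event by the time a preservation request arrives.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed controller-style events: timestamp, event, client MAC, SSID.
# This line layout is an assumption for illustration, not any vendor's format.
SAMPLE_LOG = """\
2024-01-10T21:58:03Z ASSOC  aa:bb:cc:dd:ee:01 MOVISTAR_XXXX
2024-01-10T22:40:17Z DEAUTH aa:bb:cc:dd:ee:01 MOVISTAR_XXXX
2024-01-10T22:41:00Z ASSOC  aa:bb:cc:dd:ee:01 CAFE_PUBLIC
2024-01-11T07:12:44Z ASSOC  aa:bb:cc:dd:ee:02 MOVISTAR_XXXX
this line is corrupt and must be skipped rather than misparsed
"""

LINE_RE = re.compile(r"^(\S+)\s+(ASSOC|DEAUTH)\s+([0-9A-Fa-f:]{17})\s+(\S+)$")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sessions(log_text):
    """Pair each ASSOC with the next DEAUTH of the same (MAC, SSID).
    Returns (mac, ssid, start, end) tuples; end is None when the log ends with
    the session still open, which must not be read as 'disconnected'."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event = parse_ts(m.group(1)), m.group(2)
        key = (m.group(3).lower(), m.group(4))
        if event == "ASSOC":
            open_sessions[key] = ts
        elif key in open_sessions:
            sessions.append(key + (open_sessions.pop(key), ts))
    sessions += [key + (start, None) for key, start in open_sessions.items()]
    return sorted(sessions, key=lambda s: s[2])

def connected_at(sessions, mac, ssid, when_iso):
    """Was this client associated to this SSID at the given instant?"""
    when = parse_ts(when_iso)
    return any(s_mac == mac.lower() and s_ssid == ssid
               and start <= when and (end is None or when < end)
               for s_mac, s_ssid, start, end in sessions)

def log_still_available(event_iso, request_iso, retention_days=7):
    """Would a router that keeps retention_days of logs still hold the event
    when the preservation request arrives? Models the 7-day default above."""
    return parse_ts(request_iso) - parse_ts(event_iso) < timedelta(days=retention_days)
```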

Error 2: Lack of Chain of Custody Documentation

The chain of custody of seized devices presented deficiencies from the beginning. Devices were transported to the forensic laboratory without using anti-magnetic evidence bags, which could theoretically have generated interference with data stored on HDD devices. Additionally, the custody registry (chain of custody log) did not include integrity verification hash values at the time of seizure, which violates the requirements established in the UNE 71506-2 standard on forensic evidence. The National Cybersecurity Institute (INCIBE) has published guides on digital evidence preservation that can be consulted on their portal.

Error 3: Insufficient File Metadata Analysis

The forensic team did not perform a thorough analysis of the EXIF metadata of images exported along with the messages, nor of the SMTP headers of emails sent by the suspect. Metadata could have provided crucial information about geolocation and the specific device used for the export. The tool ExifTool, developed by Phil Harvey, is the industry standard for metadata analysis, and its omission constitutes inexcusable technical negligence in any modern forensic investigation.

Error 4: Non-Request of Cloud Provider Logs

WhatsApp offers backup functionality on iCloud (for iOS devices) and Google Drive (for Android devices). However, investigators did not request access to these cloud account logs in time, which would have allowed determining whether the suspect had performed the export from an iOS or Android device. Apple provides iCloud Connect logs that include information about devices that have performed backups, while Google provides account activity logs showing connection IP addresses. The failure to request these logs constituted another critical deficiency.

Correct Forensic Methodology

Below is the forensic protocol that should have been followed in the Mediatr case, following international digital evidence standards and ILEXUM Group's proprietary methodology:

| Phase | Action | Tool | Standard |
|---|---|---|---|
| 1. Evidence Preservation | Photographic documentation and forensic image creation of device | FTK Imager, Cellebrite UFED | ISO/IEC 27037, ISO/IEC 27042 |
| 2. Network Log Acquisition | Wi-Fi traffic capture and ISP/Wi-Fi provider log request | Wireshark, AirPcap | NIST SP 800-153 |
| 3. Database Extraction | Decryption of msgstore.db through brute force attack or key recovery | Cellebrite UFED, Andriller | ISO/IEC 19790 (cryptanalysis) |
| 4. Metadata Analysis | EXIF, XMP, IPTC metadata extraction and analysis | ExifTool, Exiv2 | ISO 12234-2 |
| 5. Integrity Verification | Hash calculation and comparison with known values | sha256sum, hashcalc | ISO/IEC 27040 |
| 6. Chain of Custody Documentation | Digital custody log maintenance | ChainLynx, EnCase | UNE 71506-2 |
| 7. Expert Report Preparation | Technical-legal report drafting | Microsoft Word (ILEXUM template) | UNE 197001 |
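A tamper-evident custody log covering steps 5 and 6 of this protocol and the seizure-time hashes that Error 2 found missing, as an added example that is not ILEXUM Group's own tooling: every entry records the item's SHA-256 and the digest of the previous entry, so both a modified item and a retroactively edited log entry are detected on verification. File contents, custodians and the temporary directory are constructed placeholders.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large forensic images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Canonical digest of one log entry; the next entry stores it as its link."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def record_custody_event(log, item_path, action, custodian):
    """Append a custody event with the item's hash and a link to the previous entry."""
    entry = {
        "item": Path(item_path).name,
        "action": action,
        "custodian": custodian,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_file(item_path),
        "prev_entry_sha256": entry_digest(log[-1]) if log else None,
    }
    log.append(entry)
    return entry

def verify_custody(log):
    """Flag a broken link between entries, or an item hash that changed between events."""
    problems, last_hash = [], {}
    for i, entry in enumerate(log):
        if entry["prev_entry_sha256"] != (entry_digest(log[i - 1]) if i else None):
            problems.append((i, "chain_broken"))
        seen = last_hash.get(entry["item"])
        if seen is not None and seen != entry["sha256"]:
            problems.append((i, "hash_mismatch"))
        last_hash[entry["item"]] = entry["sha256"]
    return problems

def demo(tamper_log=False):
    """Constructed scenario: item hashed at seizure and transfer, then modified
    before laboratory intake; optionally an earlier entry is edited as well."""
    item = Path(tempfile.mkdtemp()) / "msgstore.db"
    item.write_bytes(b"SQLite format 3\x00" + b"\x00" * 64)  # placeholder bytes
    log = []
    record_custody_event(log, item, "seizure", "seizing officer")
    record_custody_event(log, item, "transfer_to_lab", "transport custodian")
    item.write_bytes(b"SQLite format 3\x00" + b"\x01" * 64)  # modification in transit
    record_custody_event(log, item, "lab_intake", "forensic analyst")
    if tamper_log:
        log[0]["custodian"] = "unknown"  # retroactive edit of the seizure entry
    return verify_custody(log)
```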

Lessons for Professionals

For Lawyers and Procurators

Legal representation in digital evidence cases must include in the procedural strategy the early request for network log preservation. Lawyers must understand that telecommunications providers are obligated to retain certain traffic data according to Law 25/2007, of October 18, on the conservation of data relating to electronic communications, but this obligation has strict temporal limits. Additionally, precautionary measure requests must include a prohibition on deleting cloud backups before that evidence is lost.

For Computer Forensics Experts

Forensic experts must adopt a "preserve first, analyze later" mindset. The eagerness to begin analysis must not overcome the need to maintain evidence integrity. The use of forensic acquisition tools with ISF (Investigative Science Faculty) certification or equivalents constitutes an industry standard that must be maintained at all times. Additionally, detailed step documentation is not just good practice: it is a legal requirement in many European Union countries.

For Law Enforcement Bodies

Judicial Police agents must receive specific training in digital evidence handling. The Technological Investigation Unit of the National Police (UDIT) and the Cybercrime Investigation Group of the Civil Guard offer specialized courses that must be completed before handling digital devices in crime scenarios. Coordination with certified external experts is essential in complex cases involving multiple attack vectors.

For Corporate Security Managers

Companies must implement network log retention policies that comply with legal requirements and allow forensic evidence recovery in case of incident. SIEM (Security Information and Event Management) systems like Splunk or IBM QRadar can store logs for extended periods, facilitating subsequent forensic investigation. The ISO/IEC 27001 standard provides a framework for information security management that must be implemented in all organizations handling sensitive data.

Conclusion

The "Mediatr Hack" case represents a paradigmatic example of how even apparently solid investigations can fail in fundamental technical aspects. The omission of Wi-Fi router logs, deficient chain of custody documentation, and lack of metadata analysis constitute errors that could have resulted in the acquittal of the suspect had he had competent legal representation in digital evidence matters. For the Spanish and Latin American forensic community, this case reinforces the need for continuous training and the adoption of standardized protocols that ensure digital evidence integrity in all phases of the process. The evolution of instant messaging towards increasingly decentralized and encrypted platforms poses growing challenges for investigators, making the professionalization of judicial forensics in Spain more critical than ever. From ILEXUM Group, we continue monitoring the jurisprudential evolution of these cases and offering cutting-edge forensic expert services adapted to the strictest international standards.

Sources and References

  1. El País - «La mayor filtración de WhatsApp en España: así fue el ‘Mediatr hack’» (January 2024): https://elpais.com/tecnologia/2024-01-15/mediatr-hack-filtracion-whatsapp-espana/
  2. Confilegal - «El ‘caso Mediatr’: la Audiencia Provincial investiga la filtración masiva de mensajes de WhatsApp»: https://confilegal.com/?s=mediatr+whatsapp+filtracion+audiencia+provincial
  3. Marca - «Pedro Álvarez dimite tras la filtración de sus mensajes de WhatsApp»: https://marca.com/futbol/2024/01/20/pedro-alvarez-dimite-whatsapp-filtracion
  4. NIST Special Publication 800-153 - Guide to Wireless Communications Security: https://csrc.nist.gov/publications/detail/sp/800-153/final
  5. ISO/IEC 27037:2012 - Guidelines for identification, collection, acquisition and preservation of digital evidence: https://www.iso.org/standard/44382
  6. Criminal Procedure Act (Articles 326, 588 sexies): https://www.boe.es/buscar/act.php?id=BOE-A-1882-6036
  7. Regulation (EU) 2016/679 (GDPR): https://eur-lex.europa.eu/legal-content/ES/TXT/?uri=CELEX%3A32016R0679
  8. Law 25/2007 on the conservation of data relating to electronic communications: https://www.boe.es/buscar/act.php?id=BOE-A-2007-18450
  9. Cellebrite UFED - Forensic Data Extraction: https://cellebrite.com/en/ufed/
  10. Wireshark - Network Protocol Analyzer: https://www.wireshark.org/
  11. ExifTool - Metadata Extraction Tool: https://exiftool.org/
  12. Magnet AXIOM - Digital Forensics Platform: https://www.magnetforensics.com/products/magnet-axiom
  13. FTK Imager - Forensic Toolkit: https://www.accessdata.com/tools/fkt-imager
