Pemex

Key Points

• Cyberattack in 2019: Pemex, Mexico’s state-owned oil company, was targeted by a ransomware attack (DoppelPaymer) demanding $5 million in bitcoin, affecting less than 5% of its computers but disrupting administrative systems for weeks.

• Financial Struggles: Pemex is the world’s most indebted oil company, with over $100 billion in debt (8% of Mexico’s GDP), facing declining oil production and credit rating downgrade risks.

• Fuel Theft and Organized Crime: The Cártel Jalisco Nueva Generación (CJNG) is implicated in a multimillion-dollar fuel theft scheme, smuggling stolen Pemex crude to the U.S. as used oil, facilitated by bribes and pipeline perforations.

• Safety Incident: A 2024 hydrogen sulfide release at Pemex’s Deer Park, Texas refinery killed two contract workers and injured 13, prompting a U.S. Chemical Safety Board (CSB) investigation.

• Operational Challenges: Despite claims of normal operations post-cyberattack, employees reported limited internet access, inaccessible files, and manual payment processing, highlighting vulnerabilities.

Overview

Petróleos Mexicanos (Pemex), Mexico’s state-owned oil and gas company, is one of the largest petroleum companies globally, producing approximately 2.5 million barrels of oil and over 170,000 cubic meters of natural gas daily. Headquartered in Mexico City, Pemex operates six refineries, eight petrochemical complexes, nine gas processing complexes, 83 land and sea terminals, oil and gas pipelines, ocean-going vessels, and a ground transportation fleet supplying over 10,000 service stations across Mexico. Pemex is a major revenue source for the Mexican government but has faced significant challenges, including declining production, heavy debt, and increasing cyber and physical security threats. The company conducts exploration, production, refining, and distribution, playing a critical role in Mexico’s economy and energy sector.

Allegations and Concerns

• 2019 Ransomware Attack: Hackers using DoppelPaymer ransomware demanded 565 bitcoins (approximately $5 million) to decrypt affected systems, with a 48-hour deadline. Pemex refused to pay, claiming only 5% of computers were impacted and operations were unaffected, but employees reported significant disruptions.

• Fuel Theft by Organized Crime: The CJNG is accused of orchestrating a multimillion-dollar fuel theft operation, perforating Pemex pipelines and smuggling crude to the U.S. disguised as used oil, facilitated by bribes and threats. The U.S. Department of the Treasury sanctioned two Mexican companies and three individuals involved in 2025.

• Safety Violations: A fatal hydrogen sulfide release at Pemex’s Deer Park refinery on October 10, 2024, killed two workers and injured 13, raising concerns about safety protocols and community risks. The CSB is investigating.

• Corruption and Mismanagement: Posts on X and media reports criticize Pemex for mismanagement, with claims that the government has downplayed fuel theft while enabling organized crime. One post alleges Pemex’s complicity in delivering hydrocarbons to CJNG for illegal U.S. sales.

• Environmental and Operational Risks: Declining production and aging infrastructure increase the risk of environmental incidents and operational inefficiencies, compounded by cyberattacks targeting critical infrastructure.

Customer Feedback

As a state-owned entity, Pemex does not have traditional consumer reviews, but public and employee feedback provides insight:

• Positive Feedback: Pemex is praised for its role in Mexico’s energy sovereignty and supplying fuel to over 10,000 service stations. The company’s refusal to pay the 2019 ransomware demand was seen as principled, with a press release stating, “As a serious company, it will not finance gangsters.”

• Negative Feedback: Employees reported significant disruptions post-2019 cyberattack, contradicting Pemex’s claim of minimal impact. A Bloomberg report cited workers saying, “Internet access is limited, some computer files aren’t accessible, and they are having difficulty receiving external emails.” Public sentiment on X criticizes Pemex’s debt and alleged complicity in fuel theft, with @beltrandelrio stating, “The government has assured for years that there is no more huachicol. Today we know they lied.” Another post by @DiogenesCinico2 alleges, “To hide the theft of hydrocarbons from Pemex… the government distracts with other issues.”

Risk Considerations

• Financial Risks: Pemex’s $100 billion debt, equivalent to 8% of Mexico’s GDP, threatens financial stability. Declining oil production and potential credit rating downgrades exacerbate fiscal pressures.

• Reputational Risks: Allegations of enabling fuel theft by organized crime and downplaying the 2019 cyberattack’s impact damage Pemex’s credibility. Public distrust is amplified by posts on X accusing the government of lying about fuel theft.

• Legal Risks: The CSB investigation into the 2024 Deer Park incident could lead to fines or regulatory actions. Sanctions by the U.S. Treasury against individuals and companies involved in Pemex fuel theft signal potential international legal scrutiny.

• Operational Risks: Aging infrastructure, cyberattacks, and fuel theft via pipeline perforations threaten operational continuity. The 2019 cyberattack exposed vulnerabilities in administrative systems, and future attacks could target critical operational technology (OT) networks.

• Environmental and Safety Risks: The Deer Park incident highlights safety lapses, with potential for environmental damage and community harm. Ongoing fuel theft increases risks of pipeline leaks and explosions.

Business Relations and Associations

• Government Ties: Pemex is closely aligned with the Mexican government, with Energy Minister Rocío Nahle (also Pemex board chair) overseeing responses to the 2019 cyberattack. Security Minister Alfonso Durazo also commented on the incident.

• Criminal Associations: The CJNG is implicated in fuel theft, with U.S. Treasury sanctions targeting two Mexican companies and three individuals linked to smuggling Pemex crude.

• Cybersecurity Partners: Post-2019 cyberattack, Pemex collaborated with cybersecurity firms like CrowdStrike, which identified DoppelPaymer as the ransomware strain.

• Employee and Union Relations: Pemex employs thousands across its exploration, production, and refining divisions. Employee reports of system disruptions in 2019 suggest internal communication challenges.

• International Exposure: Pemex’s Deer Park refinery in Texas ties it to U.S. regulatory oversight, as seen with the CSB investigation.

Legal and Financial Concerns

• 2019 Cyberattack: Hackers demanded $5 million in bitcoin, which Pemex refused to pay. No lawsuits stemmed directly from the attack, but it exposed cybersecurity weaknesses.

• Debt Crisis: Pemex’s debt exceeds $100 billion, making it the world’s most indebted oil company. No bankruptcy records exist, but financial strain is a major concern.

• Fuel Theft Sanctions: In 2025, the U.S. Treasury sanctioned two companies and three individuals for smuggling stolen Pemex fuel, indicating legal repercussions for associated parties but not Pemex directly.

• Deer Park Incident: The 2024 hydrogen sulfide release prompted a CSB investigation, which may result in legal penalties or mandated safety improvements.

• Historical Security Incident: In 2018, a Pemex security official was killed in Tamaulipas while combating fuel theft, highlighting ongoing security challenges costing Pemex over $1 billion annually.

Risk Assessment Table

Expert Opinion

Pemex is a cornerstone of Mexico’s economy, supplying critical energy resources and generating significant government revenue. Its extensive infrastructure and production capacity are strengths, and its refusal to pay the 2019 ransomware demand reflects a commitment to not funding criminal enterprises. However, Pemex faces severe challenges that threaten its stability and public trust.

Pros:

• Critical role in Mexico’s energy sector, with vast operational infrastructure.

• Strong government backing, ensuring continued support despite financial woes.

• Resilient response to 2019 cyberattack by refusing ransom and restoring systems via backups.

Cons:

• Crippling $100 billion debt burdens operations and limits investment in modernization.

• Fuel theft by organized crime, allegedly enabled by corruption, erodes credibility and revenue.

• Safety failures, like the 2024 Deer Park incident, expose workers and communities to risk.

• Cybersecurity vulnerabilities, as seen in 2019, threaten administrative and potentially operational systems.

Cautionary Advice: Engaging with Pemex requires careful consideration of its financial instability and exposure to criminal activities. Businesses should conduct thorough due diligence on supply chain partners to avoid entanglement with sanctioned entities involved in fuel theft. Investors should be wary of Pemex’s debt and declining production, which may limit returns. Regulatory compliance, especially in the U.S., is critical given ongoing investigations like the CSB’s. Pemex must prioritize cybersecurity upgrades, transparent reporting, and anti-corruption measures to mitigate risks and rebuild trust.

Key Citations

• Cybercriminal Investigation : https://cybercriminal.com/investigation/pemex