Hackers have targeted GlobalX Air, one of the main airlines the Trump administration is using as part of its deportation efforts, and stolen what they say are flight records and passenger manifests of all of its flights, including those for deportation, 404 Media has learned.

The data, which the hackers contacted 404 Media and other journalists about unprompted, could provide granular insight into who exactly has been deported on GlobalX flights, when, and to where, with GlobalX being the charter company that facilitated the deportation of hundreds of Venezuelans to El Salvador.

“Anonymous has decided to enforce the Judge’s order since you and your sycophant staff ignore lawful orders that go against your fascist plans,” a defacement message posted to GlobalX’s website reads. Anonymous, well-known for its use of the Guy Fawkes mask, is an umbrella some hackers operate under when performing what they see as hacktivism.

The hacker says the data includes flight records and passenger lists. The hacker sent 404 Media a copy of the data, which is sorted into folders dated everyday from January 19 through May 1.

💡Do you know anything else about this incident? We would love to hear from you. Using a non-work device, you can message Joseph securely on Signal at signalaccount.05 or send an email to [email protected]. You can Signal Jason at jason.404 or email [email protected].

404 Media cross-checked known information about ICE deportation flights that come from official and confirmable sources with information contained on the flight manifests and flight details obtained by the hacker. Information about Kilmar Abrego Garcia’s flight is in the hacked data.

For example, the hackers obtained what appears to be detailed flight information about GlobalX flights 6143, 6145, and 6122 that left from Harlingen, Texas’s Valley International Airport on March 15. These flights are at the center of a class-action lawsuit filed by five pseudonymous Venezuelan men against the Trump administration (which eventually went to the Supreme Court) and which took off during and immediately following a court proceeding in which their lawyers were trying to get a restraining order to prevent the flights from taking off.

During a District Court proceeding in Washington D.C., the federal government argued that it had no flight information to share with the court: “the Government surprisingly represented that it still had no flight details to share,” during the hearing, the judge’s opinion in that case reads. “When pressed, Government counsel stated that the ‘operational details’ he had learned during the recess ‘raised potential national security issues,’ so they could not be shared while the public and press listened.”

Image: A screenshot of the defacement.

“Although the Government has refused to provide the particular details, all evidence suggests that during the short window that the Court was adjourned, two removal flights took off from Harlingen—one around 5:25 pm and the other at about 5:45 pm,” court records say, noting that these were GlobalX flights 6143 and 6145; a third referenced flight left immediately following the hearing. These details closely match the timing of the flights and other details in the hacked data.

Also included in the data is a record mentioning the name Heymar Padilla Moyetones, a 24-year-old woman who was flown from Texas to Honduras, then from Honduras to El Salvador by mistake, and then was returned to Texas. The data obtained by the hackers says that GlobalX flew her from Valley International Airport in Texas to Honduras on March 15 on Flight 6143, then was flown from Comayagua International Airport in Honduras to El Salvador International on flight 6144 later that day. She then was flown directly from El Salvador International back to Valley International Airport in Texas on March 15. The information in the hacked data lines up with what Moyetones told NBC.

404 Media was also able to cross-check the names on larger published lists of people who have previously been reported to be deported, finding their names in the hacked data with the specific flights that they were purportedly on.

404 Media is not publishing the full list of passengers at this time as we work to verify which passengers were specifically on deportation flights and to protect peoples’ privacy because the manifests contain personally sensitive information like passport details. We will continue to analyze the data for information in the public interest and explore what we’re able to publish.

Neither GlobalX nor ICE responded to requests for comment.

The Trump administration contracts with a company called CSI Aviation as part of its deportation flights. On February 28, ICE posted a notice saying it would award $128 million to the company for its work. In turn, CSI Aviation subcontracts some of its work to GlobalX, which said it expects to make $65 million per year from the deal. In 2024, 74 percent of ICE’s more than 1,500 removal flights were on GlobalX plans, the Project on Government Oversight reported in March.

ProPublica previously reported on what it is like for flight attendants working on GlobalX, also known as Global Crossing Airlines. Sources in that piece said they were worried what would happen in an emergency, in part because the passengers were shackled.

“They never taught us anything regarding the immigration flights,” ProPublica quoted one flight attendant as saying. “They didn’t tell us these people were going to be shackled, wrists to fucking ankles.”

The hacker told 404 Media they managed to find a token belonging to a GlobalX developer. They then used that to find access and secret keys for GlobalX’s AWS instances which contained the data. They said they also sent a copy of the defacement message to GlobalX’s employees, and then deleted company data. 404 Media does not know the identity of the hacker, and the hacker said they sent the data to other journalists

The hacker said they also sent the message to GlobalX pilots and crew members through the company’s NAVBLUE account. NAVBLUE is a flight operations platform made by Airbus which pilots use for flight planning, among other things.

404 Media was unable to verify whether pilots or crew members received this message. But the hacker provided screenshots which appear to show them logged into the platform. They also provided a screenshot purporting to show access to GlobalX’s GitHub.

The website defacement quotes a May 1 ruling from US District Judge Fernando Rodriguez which said that the president unlawfully invoked the Alien Enemies Act and blocked the administration from deporting more alleged Venezuelan gang members without due process.

The defacement adds: “You lose again Donnie.”

From 404 Media via this RSS feed