Latin American Cybercriminals Hoover Up Government Data
Dark ReadingArchived May 27, 2026✓ Full text saved
A purported leak exposing 5.8 million records of Uruguayan citizens is the latest incident where cybercriminals targeted government agencies to monetize citizen data.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERATTACKS & DATA BREACHES
CYBER RISK
CYBERSECURITY OPERATIONS
THREAT INTELLIGENCE
NEWS
Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific
Latin American Cybercriminals Hoover Up Government Data
A purported leak exposing 5.8 million records of Uruguayan citizens is the latest incident where cybercriminals targeted government agencies to monetize citizen data.
Robert Lemos,Contributing Writer
May 27, 2026
4 Min Read
SOURCE: JHONNY MARCELL OPORTUS VIA SHUTTERSTOCK
Cyber threat groups in Latin and South America have increasingly targeted government agencies and contractors, stealing and monetizing citizen data at a rate that has made the public-administration sector in the region the most-breached in the past year.
In mid-May, a group known as La Pampa Leaks claimed to have compromised Uruguay's government-sponsored identity service managed by telecommunications provider Antel, reportedly monetizing the information as a citizen-data lookup service. In February, a hacking collective known as the Chronus Group claimed to have stolen data from 25 different Mexican government agencies and groups. And, in Colombia, cyberattackers targeted the nation's health ministry with more than 23 million attempted attacks during the month of March.
The region has spawned its own cybercriminal ecosystem, with local cybercriminal groups targeting government agencies and municipal infrastructure in nations such as Chile, Colombia, Mexico, and Uruguay, says Fabio Assolini, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).
Related:China's 'FamousSparrow' APT Nests in South Caucasus Energy Firm
"Unlike global cartels that cast a wide net, these actors intimately understand the regional geopolitical landscape," he tells Dark Reading, adding that they have their own playbooks as well: "Moving away from traditional operational models, these groups are pivoting to 'pure extortion' attacks, bypassing the encryption phase entirely to focus solely on high-volume data exfiltration."
Also on attackers' radar in the past year: organizations in Peru, Mexico, and Brazil, which have suffered at least 90 data breaches each, placing them in the top 10 most-targeted nations, according to data from Bitsight, a cyber-risk platform provider. In addition, "public administration" topped the list of industry sectors for breach victims, accounting for 21%, or 543, breaches in the past 12 months, according to the company's data.
Public administration has dominated as the economic sector most targeted by cybercriminals. Source: Bitsight
While cyber threat actors may be finding fertile fields for attacks in the region, the geopolitical environment in Latin America adds another layer to the cyber threat landscape, says Emma Stevens, a threat intelligence researcher at Bitsight.
"Elections, political differences, economic instability, and foreign influence concerns can make government institutions more attractive to hacktivists, state-aligned actors, and financially motivated groups," she says. "Recent activity across Uruguay, Paraguay, Argentina, and Mexico suggests repeated targeting of public-sector and citizen-adjacent systems, not just isolated incidents."
Related:Middle East Cyber Battle Field Broadens — Especially in UAE
LatAm Cybercriminals Lean Toward Different Attack Playbooks
Like other threat actors, those targeting the Latin American threat landscape tend to focus on hacktivism, financial gain, or nation-state activity. Yet, in many ways, they also have their own playbooks. While regional threat actors utilize the same initial access and lateral movement strategies as major ransomware groups, their post-exploitation behavior differs significantly, says Kaspersky's Assolini.
"Instead of deploying encryptors, they quietly siphon governmental databases," he says. "Their strategy relies on psychological and public pressure, mirroring the modus operandi of groups like ShinyHunters."
In late May, for example, the ransomware group Bashe, also known as APT73, claimed a compromise of Grupo Petersen, an engineering and construction company that works on many public-works projects in Argentina. The group is one of the regional groups known for often fabricating data breach claims using publicly accessible data, or reusing data from previous breaches. Antel, for example, downplayed La Pampa Leaks' claims of a breach by saying (via Google Translate) that "passwords, signature PINS, private keys associated with digital certificates, or credentials were not compromised, so the operation or authentication mechanisms currently used by the platform have not been affected."
Related:Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia
Ransomware groups in other regions have used broad claims to put pressure on victims, but the technique is especially prevalent in Latin America, says Kaspersky's Assolini.
"A significant portion of these 'new' announcements are elaborate deceptions," he says. "Cybercriminal groups frequently recycle historical, publicly available data — from older, well-known breaches — mix it with auto-generated records, and falsely attribute it to a new corporate target. "
More Regional Regulations Attract Extortion Attempts
One reason attacks on governments in the region have grown so quickly: When faced with a ransom demand, public agencies will often weigh the cost against the potential legal and political consequences of a public leak, says Assolini. More nations in the region are adopting strict cybersecurity rules and requiring that agencies and contractors comply.
"Cybercriminals have realized that regulatory compliance can be weaponized," he says. "By threatening to publish sensitive citizen data, attackers leverage the victims' fear of massive government fines, political fallout, and severe reputational damage."
Organizations should build resilience in the areas that cyber threat actors continue to focus, such as exposed services, weak identity controls, unpatched vulnerabilities, and open ports, says Bitsight's Stevens.
"For LatAm CERTs specifically," she adds, "identity security and exposed infrastructure should come first, because those are the areas that can turn a single weak point into a much larger public-sector incident."
Read more about:
DR Global Latin America
About the Author
Robert Lemos
Contributing Writer
Rob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity.
A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients. Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports.
Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major).
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Cybersecurity for Resource-Constrained Organizations
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
CYBERATTACKS & DATA BREACHES
Critical Fortinet Flaws Under Active Attack
by Jai Vijayan, Contributing Writer
DEC 17, 2025
CYBERATTACKS & DATA BREACHES
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
by Rob Wright
DEC 04, 2025
CYBERATTACKS & DATA BREACHES
F5 BIG-IP Environment Breached by Nation-State Actor
by Alexander Culafi
OCT 15, 2025
CYBERATTACKS & DATA BREACHES
Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business
by Robert Lemos, Contributing Writer
OCT 03, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS