Latin American Cybercriminals Hoover Up Government Data
Recorded: May 27, 2026, 5:02 p.m.
| Original | Summarized |
A purported leak exposing 5.8 million records of Uruguayan citizens is the latest incident where cybercriminals targeted government agencies to monetize citizen data.

Robert Lemos, Contributing Writer
May 27, 2026

Cyber threat groups in Latin and South America have increasingly targeted government agencies and contractors, stealing and monetizing citizen data at a rate that has made the public-administration sector in the region the most-breached in the past year.

In mid-May, a group known as La Pampa Leaks claimed to have compromised Uruguay's government-sponsored identity service managed by telecommunications provider Antel, reportedly monetizing the information as a citizen-data lookup service. In February, a hacking collective known as the Chronus Group claimed to have stolen data from 25 different Mexican government agencies and groups. And, in Colombia, cyberattackers targeted the nation's health ministry with more than 23 million attempted attacks during the month of March.

The region has spawned its own cybercriminal ecosystem, with local cybercriminal groups targeting government agencies and municipal infrastructure in nations such as Chile, Colombia, Mexico, and Uruguay, says Fabio Assolini, lead security researcher at Kaspersky's Global Research and Analysis Team (GReAT).

"Unlike global cartels that cast a wide net, these actors intimately understand the regional geopolitical landscape," he tells Dark Reading, adding that they have their own playbooks as well: "Moving away from traditional operational models, these groups are pivoting to 'pure extortion' attacks, bypassing the encryption phase entirely to focus solely on high-volume data exfiltration."
Also on attackers' radar in the past year: organizations in Peru, Mexico, and Brazil, which have suffered at least 90 data breaches each, placing them in the top 10 most-targeted nations, according to data from Bitsight, a cyber-risk platform provider. In addition, "public administration" topped the list of industry sectors for breach victims, accounting for 21%, or 543, breaches in the past 12 months, according to the company's data.

Figure: Public administration has dominated as the economic sector most targeted by cybercriminals. Source: Bitsight

While cyber-threat actors may be finding fertile fields for attacks in the region, the geopolitical environment in Latin America adds another layer to the cyber threat landscape, says Emma Stevens, a threat intelligence researcher at Bitsight.

"Elections, political differences, economic instability, and foreign influence concerns can make government institutions more attractive to hacktivists, state-aligned actors, and financially motivated groups," she says. "Recent activity across Uruguay, Paraguay, Argentina, and Mexico suggests repeated targeting of public-sector and citizen-adjacent systems, not just isolated incidents."

LatAm Cybercriminals Lean Toward Different Attack Playbooks

Like other threat actors, those targeting the Latin American threat landscape tend to focus on hacktivism, financial gain, or nation-state activity. Yet, in many ways, they also have their own playbooks. While regional threat actors utilize the same initial access and lateral movement strategies as major ransomware groups, their post-exploitation behavior differs significantly, says Kaspersky's Assolini.

"Instead of deploying encryptors, they quietly siphon governmental databases," he says.
"Their strategy relies on psychological and public pressure, mirroring the modus operandi of groups like ShinyHunters."

In late May, for example, the ransomware group Bashe, also known as APT73, claimed a compromise of Grupo Petersen, an engineering and construction company that works on many public-works projects in Argentina. The group is one of the regional groups known for often fabricating data breach claims using publicly accessible data, or reusing data from previous breaches. Antel, for example, downplayed La Pampa Leaks' claims of a breach by saying (via Google Translate) that "passwords, signature PINs, private keys associated with digital certificates, or credentials were not compromised, so the operation or authentication mechanisms currently used by the platform have not been affected."

Ransomware groups in other regions have used broad claims to put pressure on victims, but the technique is especially prevalent in Latin America, says Kaspersky's Assolini.

"A significant portion of these 'new' announcements are elaborate deceptions," he says. "Cybercriminal groups frequently recycle historical, publicly available data — from older, well-known breaches — mix it with auto-generated records, and falsely attribute it to a new corporate target."

More Regional Regulations Attract Extortion Attempts

One reason attacks on governments in the region have grown so quickly: when faced with a ransom demand, public agencies will often weigh the cost against the potential legal and political consequences of a public leak, says Assolini. More nations in the region are adopting strict cybersecurity rules and requiring that agencies and contractors comply.

"Cybercriminals have realized that regulatory compliance can be weaponized," he says.
"By threatening to publish sensitive citizen data, attackers leverage the victims' fear of massive government fines, political fallout, and severe reputational damage."

Organizations should build resilience in the areas where cyber threat actors continue to focus, such as exposed services, weak identity controls, unpatched vulnerabilities, and open ports, says Bitsight's Stevens.

"For LatAm CERTs specifically, identity security and exposed infrastructure should come first, because those are the areas that can turn a single weak point into a much larger public-sector incident," she adds.

About the Author

Robert Lemos, Contributing Writer

Rob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity. A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients.
Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports. Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major). |
Cybercriminals in Latin America are actively targeting government agencies and contractors to monetize citizen data, marking the region's public administration sector as the most breached in the past year. Threat groups in Latin and South America have developed a distinct cybercriminal ecosystem, with local groups focusing on government agencies and municipal infrastructure across nations such as Chile, Colombia, Mexico, and Uruguay, according to Fabio Assolini of Kaspersky's Global Research and Analysis Team. Specific incidents illustrate this trend, such as the La Pampa Leaks group claiming compromise of Uruguay's government identity service, reportedly for a citizen-data lookup service, and the Chronus Group stealing data from twenty-five Mexican government agencies.

These regional threat actors operate outside traditional global cartel models, favoring different attack playbooks that involve focusing on psychological and public pressure rather than deploying encryption. Instead of ransomware, some groups focus on high-volume data exfiltration, bypassing encryption entirely, and employing sophisticated deception techniques. Cybercriminal groups frequently recycle historical, publicly available data from older breaches, mix it with auto-generated records, and falsely attribute the stolen information to new corporate targets. For instance, organizations like Antel have sometimes downplayed breach claims by asserting that credentials or keys were not compromised, suggesting that many public leak announcements are elaborate fabrications designed to exert pressure.

The growth of these attacks is reinforced by the region's volatile geopolitical landscape. Factors such as elections, political differences, economic instability, and concerns over foreign influence make government institutions highly attractive targets for hacktivists, state-aligned actors, and financially motivated groups, as noted by Emma Stevens of Bitsight.
Furthermore, research indicates that public administration consistently tops the list of industry sectors for breach victims, accounting for twenty-one percent of breaches in the last twelve months, and is the sector most targeted by cybercriminals overall.

Cybercriminals have learned to weaponize regulatory compliance to amplify extortion. When facing ransom demands, public agencies are compelled to weigh the financial cost against the potential legal and political fallout of a public data leak. Attackers leverage this fear by threatening to publish sensitive citizen data, exploiting the victims' anxiety regarding massive government fines, political repercussions, and reputational damage.

Therefore, organizations must prioritize building resilience in areas where threat actors concentrate their efforts, including exposed services, weak identity controls, unpatched vulnerabilities, and open ports. For Latin American Computer Emergency Response Teams, identity security and exposed infrastructure are paramount, as these vulnerabilities can rapidly escalate a single weak point into a major public-sector incident. |