
    Latin America sees sharp rise in ransomware, hacktivist attacks in 2025 amid expanding fraud and phishing threats

    New data from Intel 471 shows ransomware, fraud and state-linked operations are increasingly overlapping across Latin America, heightening risk for regional organizations and global enterprises with exposure there. Over 450 ransomware-related breach events were recorded across Latin America between January and December 2025, an increase of over 78% compared to 2024. Over the same period, more than 200 initial access brokers targeted organizations in the region, with Brazil identified as the most affected country. 

    This comes as the threat landscape features APT (advanced persistent threat) clusters believed to be operating from China and North Korea, in addition to groups based in Latin America. Researchers also documented at least 119 hacktivist attacks across 15 countries in 2025, again with Brazil experiencing the highest level of activity. Common threats impacting Latin America include ransomware and extortion, compromised data vendors, compromised access vendors, hacktivism, financial fraud, banking trojans, and phishing.

    Intel 471 reported that the cyber threat landscape in Latin America escalated sharply in 2025, fueled by the combined activity of financially motivated groups and state-sponsored actors. The region now shows the fastest global growth in disclosed cyber incidents, with reported activity rising at an average annual rate of roughly 25% over the past decade. The surge intensified in early 2025, when the first quarter alone posted a 108% year-over-year increase, signaling a decisive shift in the regional risk environment.

    Organizations across Latin America are facing an average of 2,640 cyberattacks per week, about 35% higher than the global average of 1,955. Annual losses tied to this activity exceed US $90 million. Analysts attribute the spike to rapid digital transformation, persistent weaknesses in cloud security and the expanding use of artificial intelligence to automate, scale and refine attack operations.

    Extortion and ransomware remain a dominant threat to both private enterprises and government entities across Latin America. Intel 471 recorded an increase in regional ransomware-related breach events from more than 250 in 2024 to over 450 in 2025. The number of active ransomware variants also climbed from 48 to 79, with the most disruptive groups identified as Qilin, The Gentlemen, SafePay, Akira, and Inc.

    The sectors most frequently targeted, in descending order, were consumer and industrial products; energy, resources and agriculture; and professional services and consulting. By industry impact, retail, wholesale and distribution ranked highest, followed by agriculture and food and beverage production, and health care providers and services. Brazil accounted for roughly 30% of identified victims, with Mexico at approximately 14% and Argentina at about 13%.

    An assessment by the Organization of American States found that although countries across Latin America have improved their cybersecurity maturity since 2020, significant gaps remain in software assurance, critical infrastructure protection, innovation, market development and cyber insurance adoption. 

    The report observed that “While the region has made measurable progress in cybersecurity maturity since 2020, significant variability remains among member states, particularly in areas such as software assurance, protection of critical infrastructure, innovation, market development and cyber insurance adoption.”

    The assessment used the Cybersecurity Capacity Maturity Model for Nations to measure national capabilities across five core domains: policy and strategy, cyber culture and society, education and skills, legal and regulatory frameworks, and technology and standards. These areas evaluate whether countries have national cybersecurity strategies, critical infrastructure protections, incident reporting mechanisms, workforce development programs, public awareness efforts, enforcement capacity and alignment with international standards.

    Based on performance, countries are placed into one of five maturity levels: startup, formative, established, strategic or dynamic. A comparison of assessments conducted in 2020 and 2025 shows that while relatively few countries advanced beyond the second stage, many recorded measurable progress across multiple domains.

    At the same time, rapid digitalization is expanding the attack surface faster than governance frameworks, workforce development and security controls can keep pace. Financially motivated groups, state-aligned actors and organized fraud networks are escalating operational disruption and supply chain risk, affecting both regional organizations and global companies that depend on local vendors, infrastructure and customers. Intel 471’s latest report analyzes how the threat landscape evolved in 2025, how adversaries are operating and where defenders should concentrate their efforts.

    The report highlights uneven cybersecurity maturity across Latin America, with countries pursuing divergent priorities and approaches in their national cybersecurity strategies. In the absence of unified regional guidelines, states across the region have increasingly developed independent national contingency and cybersecurity frameworks to address evolving cyber threats.

    “Brazil, Colombia, Chile and Uruguay currently maintain the most advanced strategies, while Argentina and Peru have also made notable progress in recent years,” Intel 471 reported. “Across the region, national strategies commonly prioritize the protection of critical infrastructure, the establishment of data protection and cybersecurity legislation, the mitigation of cybercrime and enhanced public-private cooperation. This collaboration often materializes through joint incident response mechanisms, information sharing initiatives and public cybersecurity awareness campaigns.” 

    Intel 471 reported that access vendors play a crucial role in the cybercrime ecosystem, enabling intrusions for a broad spectrum of adversaries through various methods and technologies. “We observed over 200 instances of access offers impacting 17 countries in Latin America from January 2025 to December 2025. The most targeted country was Brazil with over 70 victims, followed by Mexico with over 30 and Argentina with over 20. The most impacted sectors in descending order were public, energy, resources and agriculture; and technology, media and telecommunications, while the most impacted industries were national government, agriculture and food and beverage production and education.”

    The top three most impactful initial access brokers (IABs) during the reporting period were those using the Pirat-Networks, *Red, and *Blue handles. The most common method access brokers leveraged to obtain access to organizations in the region was the abuse of compromised login credentials, while the most targeted technology was corporate remote access portals.

    APT activity in Latin America reflects sustained, targeted campaigns by highly capable actors, many aligned with state interests and pursuing espionage, intellectual property theft, or sabotage. Activity has intensified amid geopolitical tensions, rapid digital transformation, and the region’s growing role in the China–U.S. rivalry. China-linked groups, widely viewed by cybersecurity experts as advancing Beijing’s economic and diplomatic objectives, have increased both the frequency and sophistication of operations in the region. 

    Among them, Aquatic Panda, also known as Charcoal Typhoon and associated with the i-Soon contractor, reportedly targeted military entities in Peru, organizations in Brazil and government and telecommunications networks across the region. North Korea-linked actors have conducted financially motivated campaigns, including schemes involving fraudulent IT remote workers.

    At the same time, 2025 disclosures pointed to cyber operations originating within Latin America. A reported espionage campaign by Agência Brasileira de Inteligência targeting Paraguayan officials during sensitive negotiations over the Itaipu hydroelectric dam triggered diplomatic tensions between Brazil and Paraguay and raised questions about oversight of Brazil’s intelligence services. Separately, the Latin America-based threat cluster Blind Eagle, active since at least 2018, continued espionage and cybercriminal operations. In 2024 and 2025, it exploited a Microsoft Windows vulnerability to compromise Colombian judicial and government institutions and deploy the Remcos remote access trojan.

    Intel 471 observed at least 119 hacktivist attacks across 15 Latin American countries in 2025, with Brazil the most targeted country at 34 attacks. Additionally, Intel 471’s monitoring detected distributed denial-of-service (DDoS) attacks on over 90 entities based in Latin American countries. Colombia was the most targeted country with over 20 victims, followed by Venezuela and Brazil.

    The report identified that social engineering remains the primary driver of financial fraud across Latin America, with email and SMS phishing campaigns serving as the most common delivery methods. These campaigns typically use malicious links or attachments to install banking trojans, compromise mobile devices or steal login credentials from personal and corporate accounts. 

    Beyond phishing, fraudulent call centers are widely used to trick victims into addressing fabricated e-commerce charges, payment disputes or delivery problems. Attackers also rely heavily on WhatsApp and other instant messaging platforms to impersonate banks, logistics providers and trusted contacts, expanding the reach and effectiveness of their schemes.

    Intel 471 identified several threat actors targeting or operating from Latin America in recent investigations. A suspected Mexican actor known as Yellow has compromised, exfiltrated and monetized sensitive data, primarily targeting financial, government and telecommunications entities in Mexico while also attacking organizations abroad. The actor has consistently used underground forums to distribute and sell large databases containing financial, operational and personal information, much of it linked to breaches at Mexican public institutions and enterprises.

    An Argentine actor referred to as Orange offered for sale the Prysmax Stealer information-stealing malware, designed to extract session data from platforms such as Discord and Telegram, credentials tied to gaming accounts including Minecraft and Valorant, and wallet data from cryptocurrency services such as MetaMask, Phantom and Trust Wallet. The malware was also advertised as capable of harvesting cookies, stored credit card details and browser-saved passwords.

    Between early December 2024 and late May 2025, a Spanish-speaking actor known as Pink systematically published and sold hacked databases and internal documents belonging to companies and government entities across Latin America. In September 2025, an actor identified as White offered unauthorized access to a Mexico-based telecommunications provider, claiming to have gained entry through an exposed instance of the open-source monitoring software Zabbix and to have maintained persistence using reverse shell and SSH access.

    That same month, a suspected Indonesian actor known as Purple leaked databases from multiple global victims, including an Argentina-based e-commerce platform, with the exposed records reportedly containing academic data, personal details, addresses and phone numbers. In November 2025, an actor referred to as Silver advertised a dataset allegedly stolen from a Brazil-based financial institution. The individual, who claimed to be an insider, initially sought to sell the data but later suggested the possibility of obtaining remote desktop protocol access to the bank’s payment terminals.

    Looking ahead, Intel 471 assessed that “meaningful risk reduction is unlikely in the near term. The development, harmonization and enforcement of national cybersecurity policies and legislation remain slow-moving processes, while cybercriminal innovation continues at a faster pace — especially in the era of AI. Absent significant improvements in regulatory enforcement, public-private cooperation and regional information sharing, Latin America is likely to remain both a primary operating environment and an export hub for financially motivated cybercrime over the coming years.”
