Cybersecurity threatscape for Latin America and the Caribbean: 2023–2024

Latin America and the Caribbean (LAC) is one of the fastest-growing regions in the world in terms of digitalization and adoption of new technologies. But with the rapid adoption of new technologies, the risk of cyberattacks is also increasing. Digitalization opens new opportunities for cybercriminals eager to exploit vulnerabilities in security systems.
Anastasia Bezborodko
Analyst, International Analytics Group of PT Cyber Analytics

Introduction


Cyberattacks pose a serious threat to organizations and individuals alike. The damage can range from the theft of an individual user's personal information to the shutdown of a factory. 

Summary

The key findings of the study include the following:

  • In 2023-2024, government institutions (21%) and financial organizations (13%) in LAC countries faced the highest number of cyberattacks. These entities are of the greatest interest to cybercriminals because they store valuable information and run critical processes.
  • During the period under review, the majority of cyberattacks targeted organizations in Brazil (19%) and Mexico (16%). This may be attributed to the higher level of digitalization in these countries within the region, leading to the active implementation of web services and applications that expand the attack surface.
  • Typically, social engineering and malware were used together as part of a single cyberattack (whether targeting organizations or individuals). The attackers used social engineering to gain access to IT systems, bypassing technical defenses and remaining undetected. Malware enabled further malicious actions within the compromised system.
  • Ransomware was used in 49% of successful attacks on organizations. The greatest interest for ransomware attackers was in government institutions (25%), retail (11%), finance (9%), and education (9%).
  • Successful cyberattacks on organizations most often resulted in data breaches (53%) and business disruptions (35%), similar to last year. More than half of the total volume of data stolen from organizations consisted of personal data (32%) and account credentials (21%).
  • Cyberattacks on individuals resulted in data breaches (72%) and direct financial losses (19%).
  • A significant portion of posts on dark web forums is related to databases (47%) containing personal data, account credentials, and payment card data. Confidential information is often shared for free: either because it has little value to the attackers or with the intention of boosting their reputation in the dark web community.

Digitalization and cybersecurity posture in the region

Level of digitalization

In Latin America and the Caribbean, the level of digitalization and technology adoption is uneven. It depends on several factors, including the availability of internet and digital services (e-government, e-commerce) and legislative initiatives for digital transformation.

Digitalization involves active integration of new technologies into various aspects of citizens' lives: online stores are emerging, e-government services are being introduced, and industries are becoming more automated. In particular, e-government systems are actively proliferating, and national e-government strategies are being developed. To date, at least 14 countries in the region have adopted them. E-commerce is also developing rapidly in LAC: experts predict that the e-commerce market volume in Brazil, Mexico, and Argentina will grow by 58%, 52%, and 90% respectively, by 2027. In 2024, the e-commerce market was dominated by Brazil (29% of the total e-commerce market size in LAC) and Mexico (26%).

Figure 1. Top 5 LAC countries by e-commerce market size

Source: Statista

Financial technology is a promising direction for the development of the region. According to Distrito, a consulting firm, the volume of investment in fintech companies in Latin America and the Caribbean is increasing every year. In just the first half of 2024, 83 deals worth $800 million were closed, representing 80% of all investments in fintech companies made in 2023. Over the past 10 years, 66.7% of the total investment has gone to Brazilian companies. A significant portion of this investment was in digital services: e-wallets, e-accounts, and digital banks.

New technologies are being actively adopted: in 2024, Latin America became the second fastest growing cryptocurrency market in the world, with an annual growth rate of 42.5%. Moreover, Brazil (ranked 10th), Venezuela (13th), Mexico (14th), and Argentina (15th) entered the top 20 of the Global Cryptocurrency Adoption Index in 2024. Cryptocurrency is a legal payment method in Brazil. In addition, Brazil was one of the first countries in the world to enact legislation regulating the cryptocurrency and virtual assets market. In Argentina and Mexico, cryptocurrencies are not recognized as legal tender, but they are allowed to be used and traded.

However, there are still countries where the level of digitalization remains low. According to Surfshark, the Digital Quality of Life Index¹ in Honduras and Guatemala is 0.29 and 0.31 respectively, as opposed to Brazil (0.51) and Chile (0.55). There is a digitalization gap between different countries in the region, and the laggards will have to make significant efforts to implement modern technological solutions and ensure their security in the future.

  1. The Global Cybersecurity Index measures countries' commitment to cybersecurity using 20 indicators across five key pillars: legal, technical, organizational, capacity development, and cooperation. Countries are ranked within five performance tiers: role-modelling, advancing, establishing, evolving, and building.

How the level of digitalization influences cybercriminals' targeting choices

Below, we examine the countries that play a key role in the economic and technological development of the region and are also subjected to the highest number of cyberattacks. Among the five most targeted countries in Latin America and the Caribbean are Brazil, Mexico, Colombia, Chile, and Argentina. Let's briefly analyze the relationship between the level of digital development in these countries and the nature of the cyberthreats they face.

Brazil

Brazil stands out for its dynamic growth in the information technology sector. The country boasts over 12,000 startups across various sectors, including traditional industries: for example, a digital platform has been created for soybean and wheat growers that provides fungicide application recommendations using research data and artificial intelligence.

Internationally, Brazil ranks 12th in the information technology market, representing a significant share of the Latin American market (36.5%). At the G20 summit in November 2024 Brazil presented an AI development plan, with an investment of around $4 billion. The plan aims to expand infrastructure for AI development, introduce new educational programs in the field, and apply technology to improve service delivery. E-commerce has also had a significant impact on the country's digital development, contributing 13% to the GDP.

Brazil's industrial sector covers a wide range of industries, including automotive, petrochemical, metals, steel, processing, construction, and food. Brazil is currently the world's 10th largest crude steel producer, with an annual output of 34 million metric tons.

The rapid advancement of digital technologies in sectors such as finance, retail, and manufacturing has become the primary factor shaping the trajectory of cyberattacks. As in most countries, cybercriminals primarily target the public sector, which accounts for a quarter of all cyberattacks (26%). The adoption of new technologies creates attractive opportunities for cybercriminal groups, as evidenced by cyberattacks on financial institutions, IT companies, and retailers.

Figure 2. Top 5 categories of organizations targeted by cyberattacks in Brazil

Mexico

Mexico is one of the most economically developed countries in the region, with a high GDP, second only to Brazil. The country's banking sector is one of the most advanced in Latin America, driven by the rapid development of the fintech ecosystem. According to Forbes, Mexico is the second-largest fintech market in Latin America: as of early 2024, 773 fintech companies were registered, which is a 19% increase compared to the previous year.

With an e-commerce sector that accounts for 26% of the regional e-commerce market, Mexico ranks second in online sales revenue in Latin America, competing with Brazil for leadership. Mexico's industrial sector—in particular, mining, mechanical engineering, chemicals, and food—is also growing. Mexico ranks 11th globally in terms of the food industry and 3rd in the Americas, after the U.S. and Brazil.

The dynamic growth of the financial, industrial, and retail sectors makes them prime targets for cybercriminals, as evidenced by the high proportion of cyberattacks on organizations in these sectors. Although government organizations remain the most attractive target for cybercriminals in the region, successful cyberattacks on this sector in Mexico rank only fourth (6%). The decrease in the number of successful cyberattacks on government entities can be attributed in part to the cyber incident response measures implemented by the government. In particular, after the incident that resulted in the breach of classified data from the Mexican Secretariat of National Defense, a series of strategies and initiatives were implemented to improve the overall cybersecurity posture.

Figure 3. Top 5 categories of organizations targeted by cyberattacks in Mexico

Colombia

In recent years, Colombia has emerged as a leading player in the LAC digital market: the country is home to 12.8% of the region's digital companies (a figure surpassed only by Brazil and Mexico).

In 2024, Colombia ranked 61st in the Global Innovation Index, driven by government support for the IT sector and investment in educational programs. In 2019, the Colombian government passed a law to modernize the information and communication technology sector, which aims to reduce digital inequality in Colombia, increase IT investment, and develop innovative projects. This approach has resulted in the creation of more than 3,950 research groups and innovative startups.

As far as the telecommunications sector is concerned, Colombia has a leading position in Latin America. Internet affordability in Colombia stands at 77%, which is 9% higher than the global average. This creates favorable conditions for digital development and the adoption of technological innovations.

Healthcare and science also play a vital role in the economic and social life of Colombia. Young scientists are supported by several organizations, such as the Corporation for Biological Research (Corporación para Investigaciones Biológicas, CIB).

The rapid development of these sectors attracts the attention of malicious actors, as evidenced by the statistics of successful cyberattacks in 2023–2024. Among the primary targets were scientific and educational institutions, medical organizations, and telecommunications companies.

Figure 4. Top 5 categories of organizations targeted by cyberattacks in Colombia

Chile

According to the Global Competitiveness Report, Chile had the highest level of digitalization in the region in 2024. Cloud computing and the Internet of Things (IoT) have played a critical role in the country's digital transformation. According to Grand View Research, the cloud database market in Chile will grow at a compound annual growth rate of 21.6% from 2024 to 2030.

The level of digitalization also depends on the affordability of the internet, and Chile is a leader in the region in this respect (94%). Moreover, as of August 2024, Chile ranks among the top 5 countries with the fastest fixed broadband internet access in the world, with an average download speed of 265.62 Mbps.

The public sector is also embracing digitalization. In June 2023, it was announced that a loan had been approved to support Chile's digital government program. This initiative is focused on enhancing the efficiency of public services for citizens through digital transformation at all levels: central, regional, and municipal.

The country is also making progress in the field of financial technologies. In January 2023, the so-called Fintech Law was enacted. It establishes the regulatory framework for fintech companies, including the regulation of open finance in Chile.

In addition to modern technologies, Chile also has a well-developed industrial sector, particularly in mining, agriculture, and food production.

The rapid development of network services, IT infrastructure, and financial technologies in both public and private sectors makes these areas prime targets for cybercriminals.

Figure 5. Top 5 categories of organizations targeted by cyberattacks in Chile

Argentina

Argentina has vast natural resources essential to the energy and agriculture sectors. The country has fertile land, natural gas and lithium reserves, and significant potential for renewable energy. Argentina also has a well-developed pharmaceutical industry, ranking as the third largest market among the LAC countries. Approximately 65 biotech companies are based in the country and contribute to the healthcare sector. More than ten of them export their products to other LAC countries and to Asia.

Innovative high-tech services, including e-commerce, are also showing dynamic growth. Argentina is home to one of the largest e-commerce platforms in the region—MercadoLibre.

Over the past five years, the local fintech sector has expanded significantly: the number of fintech companies has grown from 158 in 2019 to 432 in 2024. Over 80% of Argentinians used digital wallets in 2023, which introduced additional security risks for users' financial data and other confidential information.

As a leader in various industries, Argentina is not only a strategic player on the international stage, but also a target for cybercriminals. Financial and industrial organizations were among the top targets of cyberattacks during the period studied. A significant portion of cyberattacks were not targeted at specific organizations. Instead, attackers hit a wide range of companies across multiple industries worldwide, and detailed information about the broader picture is not available. However, it is reasonable to assume that the majority of these attacks targeted industrial and financial organizations.

Figure 6. Top 5 categories of organizations targeted by cyberattacks in Argentina

Cybersecurity

According to the Global Cybersecurity Index 2024 report, Brazil and Uruguay are the top cybersecurity performers among the LAC countries. There are still some countries in the region with relatively poor cybersecurity postures. However, in recent years, we have seen an increase in the number of nations demonstrating positive changes in this area. In 2024, Ecuador and Panama joined the ranks of countries whose cybersecurity posture is above the global average. According to experts, the lowest scores are found in the island nations of Grenada and Antigua and Barbuda. Below, we examine the key factors that influence a country's cybersecurity posture.

Laws and regulations

One of the key factors influencing a country's cybersecurity posture is the presence of dedicated government institutions along with cybersecurity laws and regulations. For example, Brazil developed a national cybersecurity strategy (E-Ciber) in 2020. In 2023, the country also established a national cybersecurity policy (PNCiber) and a national cybersecurity committee (CNCiber).

Educational programs

Another crucial step in advancing cybersecurity in the region is the establishment of national and international educational programs to train a skilled cybersecurity workforce and the organization of events aimed at increasing the digital literacy of the population. Ecuador launched its national cybersecurity strategy in 2022. It was developed with the participation of more than 170 representatives from government, academia, and the private sector, as well as cybersecurity experts, including specialists from Cyber4Dev².

  2. Cyber4Dev is an EU project designed to help public and private enterprises in various countries boost their cyber resilience.

Economic environment

The economic strength of nations also contributes to enhancing their cybersecurity. It is often measured by the gross domestic product (GDP), which reflects the total value of goods and services produced in a country over a specific period. The region's highest GDP per capita is concentrated in Brazil and Mexico. Despite Chile's role as a technology hub, its GDP per capita remains lower than that of Brazil and Mexico. This is because the latter two countries have more diversified economies, are rich in natural resources, actively attract foreign investment, and have high export potential. Thus, technological superiority alone is not enough to offset these factors and ensure a higher GDP.

The chart below illustrates the correlation between the cybersecurity posture and the GDP of countries in the region. The cybersecurity posture is highly dependent on economic capabilities: the higher a country's GDP, the more resources it can allocate to developing and strengthening its cybersecurity. This makes cybersecurity investments more accessible to high-income countries, which in turn makes them more resilient to cyberthreats.
Figure 7. Relationship between the cybersecurity index and a country's GDP
Sources: Global Cybersecurity Index 2024, International Monetary Fund

International initiatives

Another way to enhance the national security posture is through international cooperation and joint cybersecurity initiatives. The LAC countries are actively involved: the Cybersecurity Competence Center for Latin America and the Caribbean (LAC4) regularly hosts events to support their digital transformation and combat cyberthreats. For example, Uruguay hosted a LAC4 workshop on November 20, 2024, where experts shared their knowledge and discussed tools for integrating robust security features in the early stages of designing digital products and services.

Regional incident response centers

The cybersecurity posture of the region is also shaped by incident response centers (CERTs, CSIRTs, CIRTs), which are capable of promptly detecting and neutralizing cybersecurity threats. More than 200 such organizations have been established in Latin America and the Caribbean. One-fifth of all cybersecurity incident response centers are located in Brazil (22%), followed by Mexico (18%). Some countries in the region (12%) have no such response centers yet.

Figure 8. LAC incident response centers by country

Incident response center teams collaborate to improve operational efficiency. An example of such collaboration is the Forum of Incident Response and Security Teams (FIRST). It provides a platform for incident response centers around the world, enabling them to share knowledge and practices. Over the year, the number of companies from Latin America and the Caribbean collaborating with FIRST has increased by 26%. For instance, the Apura CSIRT team from Brazil joined FIRST on January 29, 2024.

Main cyberattack targets

Cyberattacks on organizations

During the period under review, the majority of cyberattacks targeted organizations in Brazil (19%) and Mexico (16%).

Figure 9. Successful cyberattacks against organizations in LAC, by country

The majority of successful cyberattacks on organizations in the region impacted the public sector (21%) and the financial sector (13%). Government institutions worldwide remain the most attractive targets for cybercriminals, as they potentially provide access to a vast amount of information and resources. Moreover, government organizations are among the primary targets of both hacktivists and APT groups. For example, following the presidential elections in Venezuela in July 2024, the hacktivist group Anonymous launched a series of DDoS attacks, affecting over 45 government websites.

Although a significant portion of cyberattacks targeted government institutions, their share compared to the data from 2022–2023 has decreased by 10 percentage points. At the same time, cyberattacks on financial organizations increased by 4 percentage points, indicating a growing interest from malicious actors. Given the heightened focus on cybersecurity in such organizations and the specific nature of working with valuable data, successful cyberattacks on such entities can provide malicious actors with both financial and reputational gains. In May 2024, a massive cyberattack on Brazilian banking institutions was revealed. The attackers targeted the Brazilian Central Bank and the State Savings Bank, as well as other major banking institutions in the country.

Figure 10. Categories of victim organizations in LAC

As e-commerce grows rapidly in the region, it also attracts increasing attention from cybercriminals: cyberattacks on this sector have risen to third place, accounting for 9%. June 2023 saw a large-scale campaign targeting online stores worldwide, including Brazil and Peru. Cybercriminals used web skimmers to steal users' personal information and payment card data by injecting malicious scripts into vulnerable e-commerce websites that accept bank cards.

Industrial companies are also a regular target for cybercriminals. In Brazil, Mexico, Chile, and Argentina, they are among the top 5 categories of organizations suffering from cyberattacks, likely due to the presence of Latin America's largest companies in these countries. For example, Mexico, Brazil, and Argentina hold leading positions in the region's mining industry. These countries also have well-developed mechanical engineering and chemical processing industries. As for Chile, it is the world's leading producer of copper. In February 2024, for example, the ransomware group LockBit 3.0 announced on a dark web forum that it had successfully carried out a cyberattack on an industrial company in Chile that manufactures structural components for the mining industry.
Figure 11. Announcement of a ransomware cyberattack on an industrial company in Chile

Target objects of cyberattacks

Successful cyberattacks on organizations were predominantly linked to the compromise of computers, servers, and network equipment (76%), as well as interactions with company employees (52%). These two vectors were frequently combined: attackers employed social engineering techniques to manipulate individuals, thereby gaining access to company infrastructure and the ability to deploy malware. For example, in February 2024, experts identified a campaign targeting the industrial and transportation sectors, during which the TimbreStealer malware was delivered via phishing emails. In this way, the attackers tricked employees into taking actions that resulted in the installation of malware.

Nearly one in five successful cyberattacks on organizations (18%) targeted web resources. Compared to the previous year, this figure increased by 3 percentage points.

Figure 12. Target objects of successful cyberattacks

Attacks on individuals

The share of successful cyberattacks on individuals in the region was 22%, which is 4 percentage points higher than the global average for the period under review. The highest number of cyberattacks on individuals occurred in Argentina (35%), Brazil (33%), and Mexico (22%). This may be attributed to the higher level of digitalization in these countries compared to other parts of the region.

The majority of cyberattacks on individual users are carried out not via technical vulnerabilities of IT systems, but via social engineering (82%). People are typically the initial vector of a cyberattack, with computers, servers, and network devices serving as the subsequent attack vector in 57% of cases. For example, in March 2024, it was revealed that a large-scale campaign targeted individuals and organizations across Latin America. Cybercriminals impersonated Colombian government agencies and sent out infected PDF documents, accusing recipients of road traffic violations and other offenses. As soon as the user opened the document, a remote access trojan (RAT) was downloaded onto their computer, giving cybercriminals access to the victim's system. One such PDF file was published on X (formerly Twitter) by ANY.RUN, a company that offers services for interactive malware analysis.

Figure 13. Example of a phishing email with a notification of traffic violation
Source: ANY.RUN

One in every four successful cyberattacks targeted mobile devices (26%). This is easy to explain: with each passing year, smartphones are playing an increasingly important role in people's lives, becoming an indispensable assistant that allows us to stay connected and perform a variety of tasks. This opens broader opportunities for attackers who use malicious applications to infect victims' devices. For example, a new Android banking trojan called Zanubis was discovered in September 2023. The trojan disguised itself as applications providing government services to residents of Peru. The malware captures keystrokes and records the screen to obtain confidential information. According to Canalys, demand for mobile phones has increased in the region by 20% over the year, and the e-commerce sector has also seen significant development. Therefore, it can be assumed that the number of cyberattacks on individuals via smartphones will increase in the future.

Attacker profiles and attack methods

Cyberattack methods

The primary cyberattack methods in LAC, as well as globally, remain social engineering (57% of attacks on organizations and 96% of attacks on individuals) and malware (67% of attacks on organizations and 79% of attacks on individuals). In addition, these methods are most often combined in a single cyberattack: 48% of successful cyberattacks on organizations and 71% against individuals. For example, a global phishing campaign started in July 2024, also affecting residents of Mexico. It used Gigabud, a kind of malware that was distributed via phishing websites disguised as Google Play or mimicking websites of government agencies or various banks, such as the Mexican bank Hey Banco.

Figure 14. A fake Hey Banco login page with embedded malware (left) and the real Hey Banco page (right)
Source: Cyble

In 28% of successful cyberattacks, attackers exploit vulnerabilities. In May 2024, news of the CatDDoS botnet³ surfaced. The botnet exploited over 80 known vulnerabilities in various software, affecting routers, network equipment, and other devices from vendors such as Apache (ActiveMQ, Hadoop, Log4j, and RocketMQ), Cisco, and D-Link. The botnet was intended to be used for distributed denial-of-service (DDoS) attacks.⁴ The cyberattacks primarily targeted Brazil, the United States, France, Germany, and China.

  3. A botnet is a network of devices infected with malware, used by cybercriminals to achieve their goals.
  4. A DDoS attack is a cyberattack in which multiple devices simultaneously send requests to a server in order to disable it or make it less accessible to normal users.

Figure 15. Methods used in successful cyberattacks

Malware use

Ransomware was used in 49% of successful attacks on organizations. Among the prevalent ransomware groups in the region are BlackCat, Cl0p, LockBit 3.0, BlackByte, Medusa, and 8Base.


Figure 16. Types of malware used in successful cyberattacks

The most common malware types were spyware (39%) and banking trojans (35%). To conduct successful cyberattacks, malicious actors are constantly modifying and developing new versions of malware to evade current defenses. In October 2024, a new banking trojan dubbed Silver Oryx Blade was discovered, primarily targeting residents of Brazil. The infection chain includes two main stages: a phishing campaign and the download of malicious ZIP archives along with MSI and DLL files. The Silver Oryx Blade trojan harvests credentials and payment card data (associated with more than 50 banks and financial institutions), and then sends the extracted data to C2 servers controlled by cybercriminals.

Remote administration tools (RATs) are also actively used in cyberattacks on organizations and individuals: 32% of successful cyberattacks on organizations and 30% on individuals involve RATs.

Activity of ransomware operators

The primary victims of ransomware cyberattacks among organizations during the observed period were government institutions (25%), retail businesses (11%), financial organizations (9%), and educational institutions (9%). The public sector is particularly attractive to cybercriminals, as such cyberattacks can lead to large-scale non-tolerable events.⁵ For example, the website of the municipal government of Jacarezinho, Brazil, fell victim to a ransomware cyberattack in July 2023. As a result, municipal databases were encrypted, making it impossible for government services to function. This disruption affected a variety of services provided to residents, including billing, tax filing, and payroll processing. It took the government institution nearly two weeks to fully restore its operations.

  5. A non-tolerable event is an event that results from a cyberattack and prevents an organization from achieving its operational and strategic goals or leads to a significant disruption of its core business.

Figure 17. Ransomware incidents among organizations, by victim category

APT attacks

The region is also experiencing targeted cyberattacks carried out by advanced persistent threat (APT) groups (6%). Despite the relatively small percentage, APT groups pose a distinct threat. With extensive resources and cutting-edge techniques, they can successfully target well-protected entities such as large commercial companies and government facilities. Here is an overview of the most active APT groups.

TA558

Year of detection. The APT group was first detected in 2018.

Targets. The group targets various countries around the world, but Latin America is its primary focus.

Methods. The threat intelligence team of PT ESC notes that the group employs long attack chains, involving the use of various tools and techniques.

Cybercriminal activity. In the first quarter of 2024, the primary targets of the group were industrial companies (22%), service providers (16%), and government institutions (16%). In April 2024, a large-scale phishing campaign targeting a wide range of industries in Latin America was reported. The victims included companies in the service, retail, and financial sectors, as well as industrial and government facilities in Mexico, Colombia, Brazil, the Dominican Republic, and Argentina.

Blind Eagle

Year of detection. Cyberattacks by Blind Eagle became known in 2018.

Targets. The APT group generally targets the government, financial, and industrial sectors in Colombia, Ecuador, Panama, and Chile.

Methods. The attackers sent phishing emails with malicious links and attachments.

Cybercriminal activity. Quasar RAT, a remote access trojan, was discovered in June 2024. The APT group delivered it via phishing emails sent on behalf of the Colombian tax authorities. Various Colombian insurance organizations were affected by this campaign.

APT15

Year of detection. The APT group has been active since at least 2010.

Targets. The group typically targets government institutions in various countries, including those in Latin America.

Methods. The group employs a variety of methods and tools, including social engineering, RATs, and spyware.

Cybercriminal activity. In June 2023, Symantec's threat intelligence team published a study on a campaign that targeted the foreign ministries of countries in North and South America in late 2022 and early 2023. To execute the cyberattacks, APT15 employed more than a dozen tools, including the new Graphican backdoor for executing commands and stealing files from victims' computers.

Astaroth

Year of detection. The APT group was first detected in 2017.

Targets. The APT group generally targets organizations and users in Latin America (primarily in Brazil) and Europe.

Methods. To distribute its own trojan tool, the group typically uses fake emails, posing as an official organization such as the federal tax service, urgently requesting the submission of an income declaration.

Cybercriminal activity. In October 2024, Trend Micro presented the results of an investigation into a phishing campaign targeting various organizations in Brazil. The primary victims of the cyberattack were manufacturing companies, retail firms, and government agencies.

Figure 18. An example of a phishing email that attempts to download the Astaroth malware to steal data
Source: Trend Micro

Consequences

Successful cyberattacks on organizations most often resulted in data breaches (53%) and disruption of core activity (35%). In most cases, cyberattacks on individuals, much like those on organizations, resulted in the theft of confidential information (72%). In 19% of cyberattacks, the victims suffered financial losses.

Figure 19. Consequences of successful cyberattacks

Data breaches are an extremely serious consequence of cyberattacks, which can have a devastating impact on an organization's operations. First of all, a leak of confidential information negatively impacts the company's reputation, which in turn can lead to the loss of clients and partners. And if a government institution is targeted, the consequences can be even more dire, as such attacks can lead to the exposure of state secrets and strategic plans, thereby threatening national security. For example, as a result of the Rhysida ransomware cyberattack in May 2023, around 360,000 confidential documents of the Chilean Army were published on the attackers' website. According to Rhysida, this represented only 30% of the stolen data.

Figure 20. Rhysida group presenting the proof of hacking the network of the Chilean Army
Source: BleepingComputer

Personal data (32%) and account credentials (21%) accounted for more than half of the total volume of data stolen from organizations as a result of cyberattacks. On October 30, 2024, a data breach at one of Peru's leading financial institutions, Interbank, was reported. The attacker claimed to possess information on more than 3 million clients of the bank, including their full names, account IDs, dates of birth, addresses, and phone numbers, as well as credit card details and CVVs. According to the attacker, the total volume of stolen data exceeded 3.7 TB.

Figure 21. Types of data stolen from organizations

In cyberattacks targeting individuals, attackers typically stole account credentials (41%), personal data (23%), and payment card data (23%).

Figure 22. Types of data stolen from individuals

Analysis of dark web platforms

During the study, the researchers analyzed 2,458 LAC-related posts published on various dark web forums and Telegram channels in 2023–2024.

Figure 23. Number of posts

The public sector is mentioned in 16% of the posts. Typically, in these cases, cybercriminals are not aiming for financial gain: a significant portion of the posts are intended to share data (59%). In some cases, such posts are the work of hacktivists seeking to draw public attention to their views, or cybercriminals aiming to boost their reputation in the dark web market to promote their services.

Figure 24. Posts by victim category

Most frequently, the dark web features posts related to the public sectors of Argentina (22%), Brazil (18%), Mexico (15%), Colombia (10%), and Ecuador (8%).

Figure 25. Statement on a successful cyberattack on the government website of Capitán Sarmiento, a town in Argentina

The analysis revealed that the most popular topics on dark web forums are databases (47% of posts) and access credentials (26% of posts). A quarter of the posts are reports of systems being infected by ransomware (20%) or hacked (4%). Other posts included news about executed DDoS attacks and calls to participate in cybercriminal campaigns, as well as ads about purchasing payment card data and detailed information about discovered vulnerabilities.

Figure 26. Posts by topic

Databases

Half of the posts on the dark web are related to databases (47%), with only 21% of them being sold and 74% being shared for free. The free-of-charge data is typically offered by hacktivists pursuing their political views, or by cybercriminals who have failed to collect a ransom from their victim.

Figure 27. Hacktivists presenting evidence of successful breaches

Confidential information offered by malicious actors was primarily obtained via cyberattacks on Brazilian (22%), Argentine (22%), and Mexican (18%) organizations. Most frequently, dark web forums mention government institutions—a trend observed in all three countries. In addition, retail has made it into the top three sectors mentioned in these posts.

Figure 28. Main categories of victim organizations mentioned on the dark web

Among posts related to organizations in Argentina, those mentioning educational institutions are quite common (16%). For example, data related to employees of Centro de Investigaciones para la Transformación (CENIT), a research facility, was published on the dark web. The data includes names, phone numbers, email addresses, residential addresses, and other personal data.

Figure 29. An ad offering personal data of CENIT employees for free

In Mexico, cybercriminals are more attracted to the financial sector (16%). One of the reasons why cybercriminals might distribute data for free is data obsolescence. For example, an ad posted in January 2024 offered data from 2020; it was related to the second-largest bank in Mexico—Banco Nacional de México, or Banamex.

Figure 30. An ad offering Banamex data for free

Access credentials

One in four ads (26%) involves the sale, sharing, or purchase of credentials for accessing compromised corporate infrastructures. The majority of ads that offer access credentials ask for a price (88%).

The average price of access credentials in the region is $924, which is 1.5 times higher than last year's figure. However, the dark web also featured an ad offering access to the infrastructure of a steel manufacturer for 3 BTC. Taking this ad into account, the average price of access credentials rises to $1,618.

Figure 31. An ad selling access to corporate infrastructure of a steel manufacturer

In the majority of ads (65%) where the selling price was specified, the price ranged from $100 to $1,000. In every third advertisement (31%), the price exceeded $1,000.

Figure 32. Price of access credentials in dark web ads

Offers priced up to $100 primarily included access to the infrastructures of retail companies.

Figure 33. An ad selling access to a retail company

In every third advertisement (33%), access via RDP and VPN is offered. Dark web marketplaces frequently feature access via remote access programs (13%), such as Citrix and RDWeb, as well as shell interfaces (10%). The types of access offered on the dark web are not determined by the attackers, but depend on the infrastructure of the companies compromised.

Figure 34. Types of access available on the dark web

Ransomware operators

Dark web forums frequently feature posts related to ransomware (20%). In the majority of these cases, cybercriminals claim to have successfully executed an attack on a particular company (98%). This is usually done to capture public attention and showcase the extent of their cybercriminal activities. Subsequently, they may post an ad to sell or share the stolen data.

Nearly one in every four posts (23%) on the dark web was linked to the ransomware group LockBit 3.0. For instance, in September 2024, the group announced that it had carried out a cyberattack on Oleopalma, a Mexican industrial company.

Figure 35. Ransomware groups that post on the dark web

 

Figure 36. Post claiming a cyberattack on Oleopalma

Conclusions and recommendations

Latin America and the Caribbean has seen an increase in digitalization in 2023–2024: new national strategies and initiatives to adopt advanced technologies are emerging, e-government and e-commerce systems are proliferating, and the volume of investment in fintech is growing. This, in turn, leads to an increase in both the number and complexity of cyberthreats. At the same time, the region's cybersecurity posture is strengthening due to the emergence of new incident response centers and the development of new cybersecurity regulations.

Cyberattacks in the region primarily target organizations and individuals in Brazil and Mexico. This may be due to their comparatively higher levels of digitalization, as well as a lack of cybersecurity awareness among the population. Government institutions remain the primary target for attacks on organizations. To reduce the number of successful cyberattacks in the future, it is crucial to foster international cooperation in the field of cybersecurity.

Cybercriminals often use social engineering techniques to trick individuals into taking actions that allow cybercriminals to gain access to corporate infrastructure and deploy malware. To prevent such incidents in the future, it is essential to conduct regular cybersecurity awareness activities among citizens.

The primary consequence of successful cyberattacks remains the breach of confidential information, as confirmed by analysis of dark web marketplaces. Therefore, it is critical to pay special attention to the storage of confidential data and the development of cyberattack response plans.

Steps are currently being taken in the region to address emerging cybersecurity issues. However, malicious actors are still able to bypass existing security measures and carry out cyberattacks.

Recommendations for improving cybersecurity in the region

The following actions can strengthen the cybersecurity posture in the LAC countries: 

  • Develop the regulatory framework in cybersecurity. Developing a strategic framework does not guarantee complete protection, but it does help chart a course to improve a country's cybersecurity posture. A national cybersecurity strategy should include a threat assessment, as well as goals and an action plan to prevent threats. This is why skilled cybersecurity experts must be involved in the strategy development process.
  • Identify non-tolerable events. To understand where to start and how to move forward with cybersecurity, it is essential to analyze the key risks and identify the consequences of cyberattacks that the government and commercial organizations are not willing to tolerate. This step will allow you to identify the most valuable IT assets and focus your protective efforts on them.
  • Protect critical IT infrastructure. After analyzing non-tolerable events at the country and sector level, the next step is to identify critical IT infrastructure and develop defensive approaches. The speed of digital transformation and the maturity level of national cybersecurity must also be taken into account. To ensure strong protection against cyberattacks, it is essential to use only the most up-to-date methods and to combine multiple approaches.
  • Establish cyberincident response centers. In order to improve cybersecurity in the region, it is essential to establish cooperation between government institutions and the private sector. For example, establishing CERTs, CSIRTs, or CIRTs can enable the consolidation of efforts to resolve cybersecurity incidents. To date, such centers exist only in a few countries in Latin America and the Caribbean, and many of them need to be improved. Within these centers, we recommend forming specialized teams focused on specific industries.
  • Use a comprehensive approach to safeguard your IT infrastructure. To better protect IT infrastructures, it is essential to implement advanced comprehensive solutions. Use vulnerability scanners with an extensive and regularly updated vulnerability database, capable of prioritizing vulnerabilities by severity, in combination with NTA solutions that analyze network traffic and detect intrusion attempts. This approach will significantly improve the security posture of organizations in the face of cyberthreats, enabling rapid detection of attackers at all stages of cyberattacks and timely incident response.
  • International collaboration. Stronger cooperation with other countries to establish a common regulatory framework and to continuously update cyberthreat databases and knowledge bases of security measures will enhance overall security in the information age. In addition, participation in international conferences will allow specialists from various fields to exchange information and examine issues from different perspectives to determine the most effective solutions.
  • Upskill cybersecurity professionals. To advance cybersecurity in the region and effectively counter cyberattacks, invest in workforce training and the development of educational programs in this field.
  • Raise public cybersecurity awareness. In this era of disruptive technology and ongoing digitalization, the basic rules of safe internet usage should be known not only by cybersecurity professionals but also by common users. Since many cyberattacks involve social engineering methods, users of modern technology need to be aware of safe online practices and know how to avoid the tricks of malicious actors. Governments need to invest in public awareness campaigns regarding current threats and how to protect against them.

About this report

The report contains information on cybersecurity incidents in Latin American and Caribbean countries: Brazil, Argentina, Mexico, Peru, Chile, Colombia, Paraguay, Uruguay, Venezuela, Cuba, the Dominican Republic, Guatemala, Honduras, El Salvador, Nicaragua, Costa Rica, Panama, Ecuador, Bolivia, the Bahamas, Guyana, Puerto Rico, Trinidad and Tobago. 

The information is based on the expertise of Positive Technologies, findings of numerous incident investigations, and data from reliable sources. Special attention is given to Brazil, Mexico, Colombia, Chile, and Argentina—countries that play a key role in the economic and technological development of the region and are subjected to the highest number of cyberattacks. We analyzed 350 Telegram channels and dark web forums, with a total of 192 million posts (written by 43 million users).

We believe that the majority of cyberattacks are not made public due to reputational risks. The result is that even organizations that investigate incidents and analyze the activity of hacker groups are unable to do a precise count of cyberthreats. This report aims to draw the attention of companies and individuals who care about cybersecurity to the key motives and methods of cyberattacks, and to highlight the main trends in the changing cyberthreat landscape.

This report considers each mass cyberattack (for example, phishing emails sent to multiple addresses) as one incident, not several. For the explanation of terms used in this report, please refer to the Positive Technologies glossary.
