Ransomware Group Threatens to Dump Paraguayan Citizens’ Data


7.2 Million Individuals’ Personal Data Being Held to Ransom by Threat Actor

The government palace in Asunción, Paraguay. (Image: FranckV/Shutterstock)

A data-leak extortion group is shaking down the government of Paraguay for a ransom payment worth $7.4 million, or $1 for every one of the country’s citizens.

The group, calling itself Brigada Cyber PMC, claimed in a Sunday post to its dark web leak site that it stole personally identifiable information on citizens from three different Paraguay government systems, including data on 7.2 million citizens from the government system that stores civil information, including registered voters.

Cyber PMC Brigade demanded the ransom be paid by June 13 and threatened to otherwise leak all of the stolen civil registry data as well as the other data it claims to hold.

On Thursday, the brigade’s Onion site address stopped resolving to the data-leak site and instead displayed a “welcome to nginx” message stating: “If you see this page, the nginx web server is successfully installed and working. Further configuration is required.”

Who the Cyber PMC Brigade might be or where it’s based isn’t clear. “Who are we?” asks the group’s data leak site. “You don’t need to know.”

“It is unclear whether a foreign state sponsors the actors and if cybercriminal motives purely drive their activity,” said Resecurity in a blog post.

The cybersecurity firm said the first signs of the breach appeared on May 28, when a threat actor using the handle “Gatito_FBI_Nz” on the Darkforums cybercrime site offered for sale two SQL databases totaling 1.2 gigabytes, comprising what was advertised as being “7.4 Million Citizens of Paraguay – Leak 2025,” together with 940,000 records as a sample. Gatito listed a Telegram address with “LeakBolivia” in its name – suggesting a South America focus – and previously used “LeakBolivia” and “penepinga154” handles, Resecurity said.

“Based on collected intelligence, the actor is responsible for cyberattacks against major government systems not only in Paraguay but also in multiple countries across South America,” said Resecurity. It alerted CERT-PY, Paraguay’s national computer emergency response team.

The allegedly breached government site, for the National Agency for Transit and Road Safety, went offline on May 29, before being restored on May 30.

Samples of the allegedly stolen data appear to trace to that agency, and include an individual’s name, sex, nationality, profession, ID card number, date of birth, and marital status, Resecurity said.

A separate incident came to light on May 31, when an attacker with the handle “el_farado” listed for sale on a dark web cybercrime forum a database containing the data of every Paraguayan citizen, allegedly stolen from government systems in the state of Cordillera. Resecurity said the threat actor appears to have ties to FunkSec – a ransomware group that launched in December 2024 – and that a sample of the stolen data includes files dated March 24. The data structure differs from the other breach, meaning the leak may result from a separate intrusion.

These aren’t the first cases involving hackers breaching Paraguayan government networks. A civil registry database was also stolen and leaked two years ago, Resecurity said. Whether that set of data is now being reused by the Cyber PMC Brigade isn’t clear.

Beyond data leaks, in November 2024, the Paraguayan Ministry of Information and Communication Technologies and the U.S. Embassy in Asunción said a joint review conducted with U.S. Southern Command, which oversees U.S. military activities in Latin America and the Caribbean, found that the country’s critical infrastructure was infiltrated by a Beijing-backed hacking group.

Resecurity said the attacks have been attributed to the Chinese hacking group tracked as Flax Typhoon, also tracked as Ethereal Panda and RedJuliett. “No data has been leaked for that event, and no victim organizations have been officially named as compromised,” it said (see: US Sanctions Beijing Company for Flax Typhoon Hacking).
