
In one of the most audacious cyberattacks to ever target a sovereign nation, threat actors have leaked the personal data of nearly every citizen of Paraguay — a staggering 7.4 million records — onto the dark web, demanding a symbolic ransom of $7.4 million, or $1 per citizen.
“A ransomware group is extorting the entire country in what is probably one of the most significant cybersecurity incidents in the nation’s history,” said cybersecurity firm Resecurity in its investigation released on June 13, 2025.
The actors behind the attack, operating under aliases such as Gatito_FBI_Nz and el_farado, have published the stolen data using torrent files — a tactic borrowed from notorious ransomware gangs like LockBit 3.0 — effectively turning anyone who downloads the data into a peer distributor. According to Resecurity: “Once downloaded, users in possession of these files automatically begin seeding them… Stopping this activity poses a significant challenge.”
The breach includes sensitive PII (personally identifiable information) such as ID numbers, names, birthdates, addresses, and even healthcare records, some of which came from Paraguay’s Ministry of Public Health and the National Transit Agency.
Resecurity confirmed at least two separate breaches, possibly more:
- Agencia Nacional de Tránsito y Seguridad Vial de Paraguay – leaked in MySQL dump format.
- Ministerio de Salud Pública y Bienestar Social – leaked in CSV files, including data tied to COVID-19 vaccination systems.
An analysis of the records revealed fields like “documento,” “servicio_salud,” and “etnia,” raising grave concerns about misuse for identity theft, fraud, or even disinformation and electoral interference.
“Paraguay has lost data about the entire population,” the report warns, “and the government has not notified the victims.”
Contrary to assumptions that a sophisticated exploit was involved, Resecurity’s analysis indicates the likely culprit is infostealer malware, specifically Lumma Stealer, which harvested the credentials of IT staff.
“Such a leak could occur without exploiting any specific vulnerability, but rather by leveraging exposed access credentials,” Resecurity noted, suggesting the attackers used stolen credentials to navigate internal systems undetected for months.
The group has positioned itself as a “Cyber PMC” (Private Military Contractor), but its true motivations remain murky. While extortion is the most visible motive, Resecurity hints at geopolitical undercurrents:
“It is unlikely that the actors behind the incident are just traditional cybercriminals… such tactics could be employed by foreign intelligence… masking targeted espionage operations under the guise of possible cybercrime.”
Paraguay’s cyber landscape has long been turbulent. Just last year, the U.S. and Paraguayan governments jointly accused Flax Typhoon, a Chinese state-linked APT group, of infiltrating national networks — though no leaks followed that event.
Despite the scale, no official statement has clarified how the data was stolen or how the government intends to respond. Resecurity observed:
“The Government of Paraguay declined to pay the ransom… offering only vague comments.”
Even the President’s official Twitter (X) account was hacked days before the leak and used to promote a cryptocurrency scam.
The implications of this data breach go far beyond Paraguay’s borders. The threat actor behind this leak has also been linked to prior attacks across Bolivia, Ecuador, Venezuela, and El Salvador, signaling a pattern of systemic, cross-border targeting.
As geopolitical tensions and cyber capabilities collide, Resecurity cautions:
“Cyberattacks targeting Paraguay are expected to increase, underscoring the need for cybersecurity leaders to accelerate their defenses.”