malware, high, Banking Trojans, Cyber-enabled Fraud, Infostealers, Phishing, Ransomware, Smishing

Apr 02, 2026 • Recorded Future

Latin America and the Caribbean Cybercrime Landscape

Source: Recorded Future
Category: malware
Severity: high

Executive Summary

In 2025, Latin America and the Caribbean (LAC) faced escalating cybercrime threats, with 452 ransomware incidents recorded—a significant increase across healthcare, manufacturing, government, IT, and education sectors. Financially motivated threat actors predominantly operate through Telegram and criminal forums like DarkForums, leveraging phishing, social engineering, and mobile malware including banking trojans in targeted smishing campaigns. Insikt Group identified LummaC2 and Vidar as the most prolific infostealers affecting LAC organizations. The region's rapid digital transformation, combined with economic instability and reliance on legacy systems, has created vulnerabilities particularly in financial services where instant payment systems like Brazil's PIX face elevated fraud levels. Organizations are urged to implement multi-factor authentication, strengthen access controls, and enhance security maturity to mitigate risks.

Summary

This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025.

Published Analysis

Executive Summary

This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025. Insikt Group found that threat actors operating in or targeting the LAC region predominantly use client-server applications and end-to-end encrypted messaging platforms such as Telegram, as well as established English- or Russian-speaking dark web and special-access forums, to communicate and conduct activities. Threat actors demonstrate increased sophistication in their operations, adapting their tactics, techniques, and procedures (TTPs) over time, while still relying primarily on traditional methods such as phishing and social engineering, malware distribution, and ransomware.

Based on our analysis, we have determined that Brazil, Mexico, and Argentina were the countries most targeted by financially motivated cybercriminals, likely because they are LAC's largest economies. Additionally, based on this research, Insikt Group found that threat actors often targeted critical industries such as healthcare, finance, and government because they hold high-value data, face operational urgency, and, at times, rely on legacy systems that may be vulnerable.

Key Findings

  • Insikt Group assesses that criminal forum DarkForums and the messaging platform Telegram are the primary special-access forums and communications platforms used by threat actors operating in or targeting the LAC region.
  • Threat actors operating in or targeting LAC are typically financially motivated and frequently leverage social engineering, ransomware, and various forms of mobile malware to gain initial access to government, healthcare, and financial institutions.
  • In 2025, Insikt Group recorded 452 ransomware incidents impacting the LAC region. The top five industries affected were healthcare, manufacturing, government, information technology, and education, all of which observed a noticeable increase in attacks compared to the previous year.
  • Insikt Group continued to identify banking trojans being leveraged by threat actors, with established variants being the most widely used. Specifically, threat actors used banking trojans in targeted smishing campaigns targeting WhatsApp users to gain access to financial data and steal credentials.
  • Insikt Group identified LummaC2 as the most prolific information stealer (infostealer) affecting organizations in LAC in the first half of 2025 and Vidar in the second half, following law enforcement disruption of LummaC2.

Background

In the aftermath of the COVID-19 pandemic, the LAC region underwent rapid digital development that outpaced security maturity, leading to asymmetrical cloud adoption, reliance on legacy infrastructure, and the introduction of remote work across all verticals. Many organizations adopted software-as-a-service (SaaS) platforms without effectively implementing strong access controls or multi-factor authentication (MFA) methods, leaving them exposed to ransomware and data theft, among other cyberattacks.

Economic instability (inflation and currency controls) in LAC countries has created incentives for cybercrime while weakening institutional defenses. Political volatility, social protests, and corruption have created new opportunities for financially and politically motivated threat actors. Compounded factors such as high youth unemployment, income inequality, and the influence of informal economies have driven individuals to seek alternative sources of income, which in turn fuels much of the cybercrime we see today. According to a World Economic Forum report, 13% of respondents in the LAC region expressed low confidence in their country’s preparedness to respond to significant cyber incidents. Despite significant progress in digital government, regulatory advancements, and investments in the region, many countries still lack the technical competence in their workforce...

Linked Entities

  • LummaC2
  • Vidar