Leak of data belonging to 7.4 million Paraguayans traced back to infostealers

Troves of data on effectively every Paraguayan citizen were stolen by hackers who infected a government employee’s device with infostealer malware, according to two security firms who examined the data. 

Multiple dark web postings over the last month have offered for sale the personal information of 7.4 million Paraguayans following alleged breaches at several government agencies. 

The data was initially discovered by researchers at the cybersecurity firm Resecurity, who said the hackers — known as Brigada Cyber PMC — were selling the information for $7.4 million. Paraguay refused to pay the ransom and the data was published on June 13. 

Resecurity theorized that one or several government IT employees were infected with malware, allowing the threat actor to maintain their access and slowly steal the data. The researchers used evidence from the data to determine that it came from at least two different sources: the National Agency for Transit and Road Safety and the Ministry of Public Health and Social Welfare.

Hudson Rock said Tuesday that its tools traced the breach back to an infostealer infection on a government employee’s device with access to a domain attached to Paraguay’s Ministry of Public Health and Social Welfare.

“This infected employee’s credentials were harvested by Redline Infostealer all the way back in April 2023. Armed with these stolen credentials, Brigada Cyber PMC gained unauthorized access to critical systems, enabling them to siphon off the massive dataset,” Hudson Rock researchers said. 

“In this case, the compromised credentials provided a backdoor to Paraguay’s government infrastructure, highlighting the devastating potential of infostealers when they infiltrate high-privilege accounts.”

In October, the U.S. Justice Department charged Russian national Maxim Rudometov for his role in developing and administering Redline infostealer malware. 

Redline was one of the most widely used tools by cybercriminals until the takedown last year, allowing hackers to steal usernames, browser information, passwords, credit cards, VPN logins and more from infected devices. 

Infostealers are typically spread through phishing emails, malicious downloads, or compromised websites, and quietly collect login credentials, cookies and other sensitive data from infected devices, which are then sold or exploited on the dark web. 

Hudson Rock warned that infostealers are increasingly being used in attacks targeting the government and healthcare sectors across Latin America, with Paraguay being a prime target “due to its rapid digitization and geopolitical significance.”

Paraguay’s data

Resecurity said the leaks contained information “about the entire population” of nearly 7 million — including names, ID card numbers, dates of birth, professions, certificates, and more. The company spoke directly with multiple victims who confirmed their data was accurate. 

The datasets likely include some duplicates, records on people who have died and information on people who are not citizens, Resecurity said. Other screenshots shared by the hackers were tied to a URL for the government portal that held data for COVID-19 vaccinations.

The researchers said the data came from at least two different breaches. Several tranches of data appear to be from this year despite evidence that government systems were accessed in 2024. At least one of the dark web posts boasted that the hackers still had access to multiple government systems. 

The government did not respond to requests for comment on the legitimacy of the leaked data. Paraguayan officials claimed to the Organized Crime and Corruption Reporting Project (OCCRP) that the data may have been stolen years ago and recirculated. 

The Computer Emergency Response Team for Paraguay (CERT-PY) was notified about the dark web posts by Resecurity, which added in its blog post that the hacker who posted the data claims to be responsible for cyberattacks on government systems in Bolivia, Venezuela and Ecuador. 

Resecurity theorized that the relatively low price of the data could be an effort by foreign intelligence operations to mask espionage operations. 

While Brigada Cyber PMC’s motives are unclear, Resecurity suggested the incident may have geopolitical motives considering Paraguay’s deep economic and political ties to Taiwan.

In November, Paraguay and the U.S. published a joint statement accusing the Chinese hacking group Flax Typhoon of using malware to infiltrate government systems, steal information and maintain their access over an undetermined length of time. 

Two weeks ago, President Santiago Peña’s social media account was hacked, and two other data breaches were discovered earlier this year affecting the country’s Superior Tribunal of Electoral Justice, the Ministry of Finance, and the Central Bank of Paraguay. 

Peña announced in a speech last week that his government planned to create a National Cybersecurity Strategy in response to the attacks.

“The state must be a shield, not a risk. My idea as president is that every state institution protects citizens' data and rights with the same seriousness with which it protects its physical resources,” he said. 

On Sunday, CERT-PY warned the government had “detected” two other cyber incidents affecting the Ministry of Public Health and Social Welfare as well as a judicial department. CERT-PY claimed the incidents are “contained” and analysis is ongoing to “fully restore normal operations.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.