LAC Cybercrime Ecosystem Matures with RaaS, Crypto Fraud Surge
Recorded Future's Insikt Group maps a maturing Latin American cybercrime ecosystem: RaaS affiliates, crypto fraud rings, and targeted phishing against financial and government…

Executive Summary
The cybercrime ecosystem in Latin America and the Caribbean (LAC) has matured significantly in 2025, shifting from opportunistic attacks to a professionalized, service-based model, according to a new report from Recorded Future's Insikt Group. Ransomware-as-a-service (RaaS) affiliates, crypto fraud operations, and targeted phishing campaigns now dominate the threat landscape, with Brazil and Mexico serving as primary operational hubs. The report highlights that financial institutions, government agencies, and the retail sector remain the most targeted, while cross-border collaboration among cybercriminals has increased.
Technical Analysis
Insikt Group's analysis, based on open-source intelligence and proprietary telemetry, identifies several key trends. RaaS groups such as LockBit and BlackCat have established affiliates within the region, leveraging local infrastructure and Portuguese/Spanish-language lures to evade detection. Crypto fraud has surged, with threat actors deploying fake investment platforms and social engineering campaigns via WhatsApp and Telegram to steal credentials and funds. Phishing kits tailored to LAC banks and government portals are now commercially available on underground forums, often for as little as $50. The report also notes an uptick in SIM-swapping attacks targeting high-net-worth individuals, particularly in Brazil and Argentina. Technical indicators include the use of bulletproof hosting providers in Colombia and Panama, and the abuse of legitimate cloud services for command-and-control infrastructure.
Mitigations & Recommendations
Organizations operating in LAC should prioritize multi-factor authentication (MFA) for all customer-facing and internal systems, especially in financial and government sectors. Deploying anti-phishing training tailored to regional language and cultural contexts is critical. Insikt Group recommends monitoring for indicators of compromise (IOCs) associated with known RaaS groups and crypto fraud campaigns, and implementing SIM-swap detection protocols for high-value accounts. Regular patching of internet-facing systems and use of endpoint detection and response (EDR) tools remain foundational defenses.
