Recorded Future Maps Latin America's Maturing Cybercrime Ecosystem
Insikt Group report details how LAC cybercrime evolved in 2025: RaaS adoption, crypto fraud, and phishing-as-a-service expand across the region.

Executive Summary
The Latin America and the Caribbean (LAC) cybercrime ecosystem has matured significantly in 2025, according to a new report from Recorded Future's Insikt Group. The region is no longer just a staging ground for attacks targeting North America or Europe; local criminal networks now operate sophisticated ransomware-as-a-service (RaaS) programs, crypto fraud rings, and phishing-as-a-service platforms that primarily victimize regional businesses and citizens. The report, published in Spanish as "Panorama del cibercrimen en América Latina y el Caribe," highlights how economic instability and uneven cybersecurity capacity have created fertile ground for homegrown cybercrime.
Technical Analysis
Insikt Group's analysis, based on dark web monitoring, open-source intelligence, and direct engagement with regional CERTs, identifies several key trends. RaaS affiliates based in Brazil, Mexico, and Colombia now offer localized ransomware variants with Spanish-language negotiation portals and customer support in regional currencies. The report notes a 40% increase in crypto fraud schemes targeting LAC users, including fake investment platforms and romance scams using regional payment systems like PIX in Brazil and SPEI in Mexico. Phishing-as-a-service platforms have lowered the barrier to entry, offering pre-built lures mimicking local banks and government agencies. The report also documents the rise of "guarantee markets" on Telegram and WhatsApp, where stolen credentials, SIM-swap services, and money laundering are brokered with escrow-like protections.
Specific threat actors named in the report include the Brazilian ransomware group CryptoLocker BR (unrelated to the 2013 CryptoLocker) and the Mexican phishing operation PhishMX, which targets tax authorities and utility companies. The report attributes the growth partly to weak enforcement of cybercrime laws in several LAC nations and the availability of cheap bulletproof hosting in the region.
Mitigations & Recommendations
Defenders in LAC should prioritize multi-factor authentication for all customer-facing and internal systems, especially those handling financial transactions. Organizations should monitor for phishing lures that mimic local government portals and financial institutions, and train employees to recognize social engineering tactics in Spanish and Portuguese. Regional CERTs and financial regulators should collaborate on takedown operations against Telegram-based fraud markets and phishing-as-a-service platforms. The report advises that patch management remains critical, as many LAC organizations run outdated software vulnerable to known exploits used by RaaS affiliates.

