A threat actor leaked the personally identifiable information (PII) of over five million citizens from El Salvador on the Dark Web, impacting more than 80% of the country’s population. The threat actor, going by the alias ‘CiberinteligenciaSV,’ posted the 144 GB data dump to Breach Forums, writing that the leak included 5,129,518 high-definition photos, each labeled with the corresponding Salvadorian’s document identification (DUI) number.
Additionally, the leaked database features Salvadorian citizens’ first names, last names, birthdates, telephone numbers, email addresses, and residential addresses. The most significant aspect of this breach is the biometric element, with the leak offering over five million headshots indexed with the corresponding PII of the victims. This biometric data dump has thus introduced significant fraud and identity theft risks for the majority of El Salvador’s citizens.
Attribution for this attack is uncertain, as the entities that initially posted and later recycled this data leak seem to be insinuating the involvement of an infamous hacking collective. At the same time, the leak posters have previously stated they are not affiliated with the group they continue to promote. For example, the threat actor who posted this data leak invoked the same handle as a Telegram group that originally published the Salvadorean PII dump over a year ago and which superficially appears to be linked to the Guacamaya (Macaw) group.
This notorious hacktivist collective targets public and private-sector organizations in Latin America (LATAM). A brief blurb about the group published by the leak and hacktivist resource site Enlance Hacktivista, which has previously published data the Guacamaya have hacked, says that they are “a group of hackers that seeks the liberation of the towns and territory of Abya Yala, until now focusing on hacking extractive companies and repressive forces (police and military)” and that they “will never have accounts on social networks.” This hacktivist group is responsible for a string of high-profile attacks targeting governments and corporations in Mexico, Chile, Colombia, Guatemala, and Peru. Echoing Enlance Hacktivista’s blurb, the Telegram channel alluded to in the handle used by the Breach Forums poster has previously claimed to be unaffiliated with the hacktivist collective, according to an announcement published by the group’s administrators in December 2022.
A translation of the Telegram message, which was written in Spanish, reads: “Heads-up, We are not part of the activist group, we are only forwarding PUBLIC INFORMATION, it has already been published on the internet BY THE GUACAMAYA LEAKS GROUP, so it is PUBLIC INFORMATION.” Despite these explicit denials, the Telegram channel uses the ‘https://t.me/guacamayal’ link to direct people to their group, creating the impression of association with the hacktivist collective. Resecurity nevertheless assumes that the operator(s) behind the Breach Forums account and the Telegram group are the same entities. Based on the channel admin’s past statements and the Enlance Hacktivista blurb, Resecurity assesses that the threat actor behind the CiberinteligenciaSV Breach Forums account is not affiliated with the Guacamaya group either. Also, given that the Guacamaya claim to exclusively target “extractive companies and repressive forces (police and military),” the compromise and dump of everyday Salvadoreans’ PII doesn’t align with the stated mission agenda of the group.
Resecurity assesses that the real intellectual authors of this breach appear to have an interest in obscuring their involvement, using the background specter of the Guacamaya group and its unofficial proxies to form a cloud of uncertainty surrounding the real threat actors and attack chain that caused the data leak. Also uncertain is the ultimate source of the leaked data. After the Breach Forums posting, rumors circulated on Twitter (X) that the data exposed in the dump matches the total userbase and related identifiers associated with the Chivo Wallet, “The official Bitcoin and Dollar wallet of the Government of El Salvador.” However, on April 17, 2024, the Ciberinteligencia SV Telegram channel seemed to dismiss those rumors, writing that “we have not made such statements.”
Ultimately, this data leak is significant because it marks one of the first instances in cybercrime history where virtually the entire population of a country has been affected by a compromise of biometric data.
A Federal Trade Commission advisory published last year states, “Biometric information refers to data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.” Beyond the massive scale of Salvadorian PII records, threat actors also obtained a headshot of each victim, which represents a crucial biometric data marker – particularly in the golden age of generative AI. Notably, the vast scale of this biometric and PII data breach places most of El Salvador’s population at significant risk for identity theft and fraud.
Armed with modern deep fake technology, threat actors can leverage victim headshots and related PII to stage more convincing frauds across a broad universe of digital-first financial, merchant, and government portals.
