Three hackers allegedly breached the sites of state institutions

During April 2026, Guatemala faced a series of cyberattacks and alerts aimed at public institutions and higher-education platforms. The incidents, attributed to different actors, included data leaks and unauthorized access.

Three actors have been linked to these attacks: “Gordon Freeman”, tied to the breach of Digecam, the Your Employment portal of the Ministry of Labor, and actions in other Latin American countries; “MrGoblinciano”, reported for the leak of data from the Rafael Landívar University and the University of San Carlos of Guatemala; and “NemorisHacking”, who takes credit for the April 30 attacks against other institutions.

First attack: Digecam and the emergence of “Gordon Freeman”

The first case occurred on April 7, when the General Directorate of Arms and Ammunition Control (Digecam) was the target of an attack that allowed access to the information of about 18 thousand users. The authorities indicated that the intrusion was limited to the website and that they would issue new licenses to carry and possess weapons to avoid inconveniences.

On April 21, 2026, Otto Rosito, director of Digecam, indicated that they had identified the hacker as “Gordon Freeman”, who has allegedly carried out similar actions in other Latin American countries.

Ignored warnings: structural failures in state systems

In the midst of these events, an analysis released on April 15 by journalist and researcher Luis Assardo warned about the conditions that facilitate this type of incident.

The publication indicated that 134 Guatemalan Government websites were evaluated and that most lacked basic security measures:

  • 64% obtained a D grade
  • 87% lack security policies
  • 92% allow access without encryption

Your Employment: massive leak and basic failures

Seven days later, on April 27, the Your Employment portal of the Ministry of Labor and Social Security (Mintrab) was the target of an attack that allegedly allowed the extraction of more than 200 thousand records and 40 GB of information.

The data reportedly include resumes, IPR, contacts, and employment and salary history. This incident was also attributed to “Gordon Freeman.”

“The job portal server still accepted connections with TLS 1.0 and TLS 1.1, protocols that the industry declared obsolete in 2020. It did not support TLS 1.3, the current standard. None of the ministry’s 14 subdomains implemented Content-Security-Policy or HSTS, the two most basic defenses that a web server can have,” wrote Luis Assardo on April 27, 2026.

Mintrab confirmed the incident and attributed it to the use of an old programming interface (API), which, according to the institution, has already been corrected.

After these attacks, “Gordon Freeman” allegedly demanded payment of 2 bitcoin, about Q1.2 million, in exchange for not selling information allegedly stolen in several cyberattacks on Guatemalan institutions.

Universities: financial data and students exposed

That same day, breaches were also reported at two universities in the country. The hacker identified as “MrGoblinciano” claimed responsibility for the theft of information.

At the University of San Carlos of Guatemala (Usac), there was an alert about the exposure of financial data from the Integrated Financial Information System (SIIF), reportedly including payrolls, CUI and banking information.

“It was determined that a cyber attack was registered; likewise, it was established that the systems, services and databases were not altered or manipulated,” said Marco Fuentes, head of the Data Processing Department of the USAC, on April 27, 2026.

In parallel, the leak of 84,620 photographs and personal data of students and teachers at the Rafael Landívar University (URL) was reported.

“The University confirms that it had timely knowledge… and immediately activated its internal protocols,” the URL reported on April 28, 2026.

In a statement, the institution indicated that there is no evidence of structured, massive or systematic access to sensitive data.

Official reactions: denials and monitoring

On April 28, 2026, the alerts continued. “Gordon Freeman” claimed responsibility for the theft of information from the Superintendency of Tax Administration (SAT) and the National Registry of Persons (Renap); however, both institutions ruled out having been victims of attacks, although they confirmed that they had reinforced their systems.

“The SAT maintains permanent monitoring… they do not present any incident,” the entity reported.

Renap, for its part, indicated that there are no critical alerts that show an impact.

April 30: another hacker in action

On April 30, 2026, a new actor, identified as “NemorisHacking”, linked to the JXLLTEAM group and the alias “KeyBreaker”, claimed responsibility for the attacks on platforms of the Attorney General’s Office (PGN) and the Telecommunications Superintendency (SIT).

According to alerts spread on social networks, this group allegedly:

  • Leaked administrative credentials
  • Defaced institutional portals
  • Publicized access on Telegram

PGN denies breach

The Attorney General’s Office denied having been hacked and stated that there is no evidence of theft or loss of information.

“Cybersecurity protocols have been intensified,” added the PGN.

Government activates protocols after hacks

On April 29, after the attacks against different institutions, the Government of Guatemala issued a statement in which it indicated that response protocols were activated to contain the impact, protect information and reinforce the security of the affected systems.

“The competent authorities maintain permanent monitoring and inter-institutional coordination aimed at identifying, containing and mitigating any malicious activity, without currently registering a direct impact on essential public services,” the statement explained.

In addition, it indicated that instructions have been issued to all public entities to strengthen their security controls, reduce exposure and strengthen their incident response capabilities.

“Strategic actions are being implemented with international support, within the framework of cooperation alliances with partner countries such as Spain, the United States and the Republic of China (Taiwan), aimed at the sustained strengthening of national capabilities in cybersecurity, thus consolidating a comprehensive approach to protecting the State’s digital infrastructure,” it added.

“Guatemala has specialized personnel and the support of international allies, which allows us to face this situation in a comprehensive manner, strengthening the country’s digital resilience and preserving institutional stability,” the statement stated.
