A group of cybercriminals identified as Gordon Freeman and L4TAMFUCKERS demands the payment of two bitcoins, about Q1.2 million, in exchange for not selling information allegedly stolen as a result of several cyber attacks on Guatemalan institutions.
The threat was spread on the dark web, where the attackers claim to have compromised systems and warn of an escalation of actions if contact is not established in the coming days.
“If you do not contact me in the next few days and do not reach a monetary agreement of 2 bitcoins, we will put the entire country’s data up for sale. In addition, we will launch a wave of targeted attacks against your systems. Do not try to clean your infrastructure; we have established persistence on all vulnerable sites,” wrote hacker Gordon Freeman.
According to what was disclosed by the attackers, the stolen information would include massive records from several institutions, although the Superintendence of Tax Administration (SAT) and the National Registry of Persons (Renap) affirm that they have not been victims of cyber attacks.
For Renap, the claim mentions about 18 million records, which would cover birth, marriage and death certificates, as well as biometric data and other sensitive information of the population.
In the case of the SAT, it would be approximately 5.6 million vehicle registrations, which would contain ownership data, Tax Identification Numbers (NIT), names, tax addresses, chassis numbers, engine numbers, plates and electronic certificates.
In addition, he posted some photographs of the digital documents stolen from Renap that, according to the hacker, correspond to the registration of more than 18 million Guatemalans, a fact that the institution denied.
The analysis of the case was carried out by Isaac Sosa, Threat Intelligence Analyst and OSINT Researcher, who has followed the activity of this group in clandestine online spaces.
He added that he was able to establish that three other hackers identified as Izanagi, cantpwn and YoSoyGroot, members of the L4TAMFUCKERS group, operate alongside Gordon Freeman.
According to Sosa, the attackers operate by exploiting vulnerabilities and misconfigurations on websites, mainly those of public institutions.
“Yes, Gordon Freeman is an attacker who is dedicated to exploiting vulnerabilities and bad configurations in various Central American countries. In recent months he has focused on Guatemala,” he explained.
He indicated that the group is recent and that its formation responds to initial attacks attributed to the same actor.
“He has begun to integrate a group of four cybercriminals to be able to come and exploit all the public and sometimes private infrastructure here in Guatemala,” he commented.
Sosa also warns that, unlike previous actions, in this case the attackers demand payment to not disclose the information.
“For the first time it has been detected that he is demanding a ransom of two bitcoins so as not to sell the information of the entire country,” he told Free press.
The analysis details that the concept of “persistence”, mentioned in the threat, implies that attackers could maintain active access to compromised systems.
Sosa commented that one of the main weaknesses lies in the lack of maintenance and updating of institutional digital systems.
“Public institutions are not maintaining their web pages. They are using obsolete services that they are not updating,” he said.
The specialist recommends carrying out security audits, correcting vulnerabilities immediately and strengthening the legal framework regarding cybersecurity.
Not confirmed: doubts about alleged hacking
Journalist and researcher Luis Assardo pointed out that, so far, a hack into the Renap or SAT systems has not been confirmed.
This April 28, Gordon Freeman claimed to have breached both institutions and supported his publication with “proof” files.
The material includes 30 PDF documents and 23 screenshots, which were analyzed individually, according to Assardo.
In the case of the SAT, documents such as circulation cards and ownership certificates were generated on April 28, 2026, which indicates that they are not old files.
The metadata of these documents reveals the use of obsolete software, such as Apache Tomcat 7, unsupported since 2021, a reporting engine from 2014, and a PDF generation library from 2009.
Assardo said that this shows vulnerabilities in the systems, but does not confirm mass access or the extraction of entire databases.
He added that some documents were generated minutes apart for the same taxpayer, which suggests active queries within the system, not necessarily a massive leak.
According to his analysis, there was access to the public document generation system, but there is no evidence of possession of a complete database of 5.6 million records.
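The kind of metadata review described above for the SAT documents can be reproduced with a short script. This is an added example, not code from Assardo's analysis or from the original article; the sample Info dictionaries, producer strings and subject labels are constructed, and it assumes each PDF keeps an uncompressed Info dictionary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed samples: (file name, subject label assigned by the analyst,
# raw Info dictionary bytes). Every value here is invented for illustration.
SAMPLES = [
    ("card_1.pdf", "subject-A", b"<< /Producer (ExamplePDFLib 2.1) /Creator (ExampleReports 5.6) /CreationDate (D:20260428101502-06'00') >>"),
    ("title_1.pdf", "subject-A", b"<< /Producer (ExamplePDFLib 2.1) /CreationDate (D:20260428101847-06'00') >>"),
    ("card_2.pdf", "subject-B", b"<< /Producer (ExamplePDFLib 2.1) /CreationDate (D:20260428113010-06'00') >>"),
]

FIELD = re.compile(rb"/(Producer|Creator|CreationDate)\s*\(([^)]*)\)")
DATE = re.compile(r"D:(\d{14})(?:([+-])(\d{2})'(\d{2}))?")

def read_info(raw):
    """Return the metadata fields found in a raw Info dictionary."""
    return {k.decode(): v.decode("latin-1") for k, v in FIELD.findall(raw)}

def parse_pdf_date(text):
    """Parse a PDF date string (D:YYYYMMDDHHmmSS+HH'mm') into an aware datetime."""
    m = DATE.match(text)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    sign = -1 if m.group(2) == "-" else 1
    offset = sign * timedelta(hours=int(m.group(3) or 0), minutes=int(m.group(4) or 0))
    return stamp.replace(tzinfo=timezone(offset))

def triage(samples):
    """Summarise generating software, generation dates and per-subject gaps."""
    producers, dates, by_subject = set(), set(), defaultdict(list)
    for _name, subject, raw in samples:
        info = read_info(raw)
        created = parse_pdf_date(info.get("CreationDate", ""))
        producers.add(info.get("Producer", "unknown"))
        if created:
            dates.add(created.date().isoformat())
            by_subject[subject].append(created)
    gaps = {}
    for subject, stamps in by_subject.items():
        stamps.sort()
        gaps[subject] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return {"producers": sorted(producers), "dates": sorted(dates), "gaps_seconds": gaps}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

Metadata is written by whoever produces the file, so results like these support a conclusion only alongside other evidence, such as the verifiable codes in the documents themselves.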
As for Renap, the certificates analyzed are authentic documents, with verifiable elements such as codes and valid correlatives.
“However, all documents have the ‘RENAPPORTAL’ mark at the bottom, a timestamp, and a Gmail email address. This indicates that they were generated through user sessions of the RENAP web portal — the same system that any citizen uses to download their own certificates. The proof of concept contains approximately 25 individual certificates. The claim is 18 million records,” he wrote.
