Guatemala tallies at least 11 attacks and hacking alerts against state institutions in the last 37 days


The Ministry of Public Finance (Minfin) was the target of a new cyber attack attributed to the actors “LAT4MFUCK3RS” and “Gordon Freeman”, 16 days after the Superintendence of Tax Administration (SAT) and the National Registry of Persons (Renap) denied having been breached, despite alerts disseminated by a vulnerability analysis account.

The specialized cybersecurity account VECERT Analyzer warned of an alleged computer attack against the General Registry of State Acquisitions (RGAE), of the Minfin, which would have compromised thousands of sensitive files and records.

According to the publication attributed to the attackers, 130 thousand records corresponding to the period 2020-2026 were exfiltrated, in addition to 235 thousand PDF files, equivalent to 324.5 GB of information.

Among the exposed data would be full names, Tax Identification Number (NIT), Unique Identification Code (CUI), addresses, telephone numbers, emails and financial and legal documentation, including bank account statements, administrative contracts, notarial deeds and tax certificates.

The attackers also described alleged flaws in the portal's technological infrastructure, including “IDOR/BOLA” type vulnerabilities in application programming interfaces (APIs), as well as unauthenticated access linked to SAT systems.

Alert about vulnerability in Minfin since 2024

Luis Assardo, digital security expert and investigative journalist, indicated that the systems linked to the Minfin have had vulnerabilities that could facilitate attacks for more than two years.

“All of these are Minfin subdomains. They have an infrastructure with several vulnerabilities that are easy to exploit. An example of this is that there are several batches of credentials and data for sale,” he stated in January 2024.

He added that the institution could restore services through backups in other infrastructure.

“The reasonable thing is that in hours or days they could create a backup in another instance even if they used another domain. It seems like ineptitude and negligence, but that will only be known after an audit,” he said.


Other attacks on state institutions

The new incident occurs after a chain of attacks and alerts registered during April 2026 against public institutions and universities in the country.

The first case occurred on April 7, when the General Directorate of Arms and Ammunition Control (Digecam) reported unauthorized access that compromised information of about 18 thousand users.

Otto Rosito, director of Digecam, indicated that they identified the actor known as “Gordon Freeman”, linked to similar attacks in Latin America.

On April 13, the Ministry of Public Health and Social Assistance confirmed a computer security incident that partially affected equipment at the National Health Laboratory.

The ministry indicated that the event was contained after the activation of institutional protocols and that there was no evidence of unauthorized access to sensitive data.

According to the technical evaluation, the incident was limited to the encryption of internal files, which were recovered through backups.

The authorities added that there was no breach of patient or user information and that they reinforced security controls, updating systems and reviewing access.

On April 27, the Your Employment portal, of the Ministry of Labor and Social Security (Mintrab), suffered a breach that would have allowed the extraction of more than 200 thousand records and 40 GB of information.

That same day, leaks were also reported at the University of San Carlos de Guatemala (Usac) and the Rafael Landívar University (URL).


State institutions with little protection

In the midst of these incidents, Assardo released on April 15 an analysis of 134 websites of the Government of Guatemala.

The report warned that 64% of the platforms evaluated obtained a D rating; 87% lacked security policies and 92% allowed access without encryption.

On April 28, “Gordon Freeman” claimed to have obtained information from the SAT and Renap; however, both institutions ruled out any effects and indicated that they maintained permanent monitoring and reinforcement of protocols.

Two days later, on April 30, the Ministry of Education (Mineduc) also reported a technical analysis after another attack attributed to the same actor.

“Until this moment, no failures of this nature have been identified in the institutional electronic systems,” indicated the Mineduc on that occasion.

That same day, the group “NemorisHacking”, linked to JXLLTEAM and the alias “KeyBreaker”, claimed responsibility for attacks against platforms of the Attorney General’s Office (PGN) and the Telecommunications Superintendence (SIT). Both institutions also denied a hack.

On April 29, the Government of Guatemala reported that it activated response protocols to contain incidents, protect information and reinforce the security of state systems.

Institutions identified in attacks, leaks or cyber alerts

These are the institutions that have confirmed incidents, activated protocols or denied breaches following cyber attack alerts registered since April 2026.

  1. Digecam (confirmed by authorities)
  2. Your Employment portal, of the Mintrab (confirmed by Mintrab)
  3. University of San Carlos de Guatemala (Usac) (confirmed attack, but denied system alterations)
  4. Rafael Landívar University (URL) (confirmed incident and activation of protocols)
  5. SAT (denied a breach)
  6. Renap (denied a breach)
  7. Ministry of Education (Mineduc) (denied faults)
  8. Attorney General’s Office (PGN) (denied hacking)
  9. Telecommunications Superintendency (SIT) (denied hacking)
  10. Ministry of Public Health and Social Assistance (confirmed computer security incident)
  11. Ministry of Public Finance (Minfin) (new attack attributed by cyber actors; official position pending)
