Guacamaya (hacktivist group)

Guacamaya (Spanish for 'macaw') is an international group of hackers that has published anonymous reports and leaked sensitive files in the public interest through Distributed Denial of Secrets and Enlace Hacktivista. It operates mainly in Central and Latin America and to date has hacked major corporations and the governments of Chile, Colombia, El Salvador, Guatemala, Mexico and Peru.

Motivation
The group says they're motivated by anti-imperialism and environmentalism, and that they fight against transnational corporations and external intervention in Latin America, singling out extractivism, the armed forces, and the defense of natural resources and native communities.

The group wants to expose companies and governments "so that everyone knows their way of operating, their actions, their profits and the interest that is clearly to profit no matter the damage they cause," Guacamaya told Motherboard in an email. "These hacks are another form of struggle and resistance, they are the continuation of an ancestral legacy; taking care of life. We hope to cause more people to join, to leak, sabotage, and hack these sources of oppression and injustice, so that the truth be known and that it is the people who decide to end it." They told Cyberscoop that they target "anything that represents oppressive states, multinational corporations and, in short, anything that supports this system of death."

Attacks on transnational companies
In 2022, the group said they were responsible for a series of cyberattacks aimed at large mining companies in Latin America, including the Colombian oil company New Granada Energy Corporation, the Brazilian mining company Tejucana, the Venezuelan oil company Oryx Resources, the Ecuadorian state-owned mining company ENAMI EP, and the Chilean boric acid producer Quiborax.

2022 Guatemalan Nickel Company Hack
In March 2022, Guacamaya first became known by hacking the mining company Compañía Guatemalteca de Níquel (CGN), a subsidiary of Solway Investment Group. The leaked documents reveal payments to Guatemalan Police who persecuted and detained activists and journalists who opposed the "Fénix" mining project in El Estor, Guatemala.

Operation Fuerzas Represivas
In mid-2022, the group announced Operation Fuerzas Represivas, a series of cyberattacks aimed at the armed forces of Chile, Colombia, Mexico, Peru, and El Salvador.

Hacking of the Joint Chiefs of Staff of Chile in 2022
In 2022, the Chilean press reported on the hacking of the Chilean Joint Chiefs of Staff (EMCO), a massive leak of national security data. The leak was made up of emails sent and received between 2012 and May 2022 by EMCO, the agency in charge of intelligence, operations and logistics for national defence purposes. General Guillermo Paiva Hernández, head of the country’s Joint Chiefs of Staff, resigned in response to the leak.

Hacking of Mexico's National Defense Ministry (SEDENA) in 2022
On September 29, 2022, Mexican journalist Carlos Loret de Mola announced on his newscast that he had received six terabytes of hacked data from the Mexican Ministry of National Defense. The leak, which contains internal communications and documents from the army's email servers from 2010 to 2022, is considered the largest in the history of Mexico. Citing privacy concerns, the Guacamaya group categorized the data set as limited distribution. Journalists and organizations seeking access must provide credentials and agree to reproduce the records responsibly.

Known as the "SEDENA Leaks" or the "Guacamaya Leaks," the data set reveals the Mexican military's links to criminal organizations and the army's surveillance of opposition groups, politicians, journalists, and activists. Among the revelations, the leaks demonstrate widespread sexual abuse within the army and the targeting of feminist groups as subversive organizations that pose a threat equal to cartels. They also show the military's use of the Pegasus spyware and its deployment against journalists, human rights activists, and government officials. The leak reveals new details of the army's role in the Ayotzinapa case, in which forty-three students were forcibly disappeared. The leaked data also includes information on the health of President Andrés Manuel López Obrador, army contracts for the construction of the Mayan train, and the military's development of a tourist business, including parks, a national airline, museums, and hotels.

The Mexican government's response to the hack has attempted to minimize and even deny the revelations. López Obrador, whose presidential campaign promised to end state surveillance of private citizens, continues to insist that his administration "does not spy."

Hacking of the Joint Command of the Armed Forces of Peru in 2022
In October 2022, a report in La Encerrona revealed a massive leak of military intelligence data from the Joint Command of the Armed Forces of Peru (CCFFAA). The report gave special focus to the Southern Operational Command of the Army. The leaks revealed that the military was monitoring reporters, left-wing parties and figures, and that it labeled civil organizations as a threat because they "infiltrate and advise the population against mining." The Peruvian military threatened to bring treason charges against a journalist with the independent Peruvian news outlet La Encerrona for reporting on the leak.

NarcoFiles
In November 2023, the Organized Crime and Corruption Reporting Project joined with more than 40 media partners, including Cerosetenta / 070, Vorágine, the Centro Latinoamericano de Investigación Periodística (CLIP) and Distributed Denial of Secrets, and with journalists in 23 countries and territories, for the largest investigative project on organized crime to originate in Latin America, producing the 'NarcoFiles' report. The investigation was based on more than seven million emails from the Colombian prosecutor’s office which had been hacked by Guacamaya, including correspondence with embassies and authorities around the world. The files dated from 2001-2022 and included audio clips, PDFs, spreadsheets, and calendars. The investigation revealed new details about the global drug trade, about over 44 tons of "controlled deliveries" carried out to infiltrate the drug trade, and about how criminals corrupt politicians, bankers, accountants, lawyers, law enforcement agents, hackers, logistics experts, and journalists in order to use logistical, financial, and digital infrastructures.