Menu
Browse

Cyber Threat Actor: FocaLeaks

Actor Type Location Known Incidents
 Icon
Activist
Brazil
1 incident
Profile

FocaLeaks is a hacktivist collective operating under that singular alias, reportedly based in Brazil. The group publicly positions itself as targeting governmental structures perceived as authoritarian, explicitly stating strategic objectives centered on exposing institutional abuses and applying pressure through data leaks rather than pursuing financial gain or infrastructure disruption. Their sole publicly documented operation involved compromising El Salvador's National Police (PNC) in September 2021 by exploiting vulnerabilities in a police mobile application. This breach enabled the exfiltration of highly sensitive records, including data on approximately 37,000 police agents, civilian information, and criminal investigations. FocaLeaks claimed access to the "Imperium" platform, described as containing comprehensive civil and criminal records, though Salvadoran authorities acknowledged the breach without confirming the specific validity of the leaked data. The group collaborated with the transparency collective DDoSecrets to publicly release redacted portions of the stolen information, maintaining a stated focus on accountability over operational sabotage.

FocaLeaks demonstrated a specific initial access vector by exploiting flaws in a government mobile application, though no malware families or additional tooling were referenced in their sole attributed campaign. Their operational theme emphasized careful data exfiltration without destructive payloads or infrastructure degradation, aligning with their declared intent to avoid collateral damage while amplifying exposure of alleged abuses. The group has not been publicly linked to state-sponsored activity or criminal consortiums, with their actions consistently framed within a hacktivist context targeting a single Central American law enforcement entity. No further campaigns or expansions in targeting scope have been verifiably documented beyond the 2021 PNC breach, which remains their defining operation.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source