Cyber Threat Actor: BogotaLeaks
| Actor Type | Location | Known Incidents |
Activist
|
Colombia
|
1 incident |
|---|
Profile
BogotaLeaks is a threat actor that has been identified primarily through a single publicly reported incident. The group uses the alias BogotaLeaks and is believed to operate from Colombia, according to the limited attribution information available. No further details about its size, structure, or funding have been disclosed in open sources. The actor first came to attention in March 2025 when it claimed responsibility for a website defacement.
On March 17, 2025, BogotaLeaks defaced the online portal of the Dirección Nacional de Aviación Civil e Infraestructura Aeronáutica, the civil aviation authority of Uruguay. The altered page displayed a photograph of Uruguayan President Yamandú Orsi alongside his personal mobile phone number. Accompanying the image was a statement in which the actors claimed to possess access to a wide range of sensitive data, including residential addresses, SGSP police records, and dossiers on politicians and public officials. The message also denounced progressivism, political corruption, and mafias, framing the act as a protest against perceived injustices. The defacement was signed with the tags LaPampaLeaks, BogotaLeaks, and Uruguayo1337, indicating a possible connection to other groups using similar monikers. The timing of the attack coincided with the anniversary ceremony of the Uruguayan Air Force, an event that President Orsi was scheduled to attend.
From the content of the message, BogotaLeaks appears to pursue objectives that include political disruption and the signaling of alleged data‑access capabilities. The explicit denunciation of progressivism, corruption, and organized crime suggests an ideological stance rather than a purely financial motive. By asserting that they would make those responsible pay for their actions against Uruguay, the actors signaled an intent to retaliate against perceived adversaries. No publicly available reports describe the use of specific malware, exploit kits, or particular initial‑access vectors associated with BogotaLeaks. Likewise, no state sponsorship or criminal‑consortium links have been confirmed beyond the tags used in the defacement. Consequently, the current public knowledge of BogotaLeaks is limited to this single incident and the associated statements.
