Cyber Threat Actor: LaPampaLeaks

LaPampaLeaksis the alias used by a threat actor that has been publicly associated with activities originating from Argentina. The actor operates under this name and has also been observed using the tags BogotaLeaks and Uruguayo1337 in conjunction with its operations. Open‑source reporting does not provide any information about the actor’s size, internal structure, funding, or sponsorship. Consequently, the only confirmed attribute of LaPampaLeaks is its alias and its geographic association with Argentina.

On 17 March 2025, LaPampaLeaks defaced the website of the Dirección Nacional de Aviación Civil e Infraestructura Aeronáutica, replacing the legitimate content with a photograph of Uruguayan President Yamandú Orsi alongside his mobile phone number. The defacement page included a statement claiming that the attackers had obtained access to all addresses, SGSP police records, secrets and dossiers of politicians and public officials, and it featured an image of an Agesic director. The message, signed with the aliases LaPampaLeaks, BogotaLeaks and Uruguayo1337, denounced progressivism, political corruption and mafias and declared that those responsible would be made to pay for their actions against Uruguay. The actors asserted that they would make the targeted individuals answer for what they described as hostile actions toward Uruguay. The defacement took place on the same day as the anniversary ceremony of the Uruguayan Air Force that President Orsi was scheduled to attend.

Public sources do not mention any specific malware families, initial access vectors, or tooling employed by LaPampaLeaks in this incident, so no technical tactics, techniques, or procedures can be confirmed. Likewise, there is no publicly available evidence linking the actor to a state sponsor, a criminal consortium, or any broader affiliate network. As a result, the defacement of the Uruguayan aviation authority website remains the sole publicly documented operation attributed to LaPampaLeaks. No additional campaigns, data leaks, or other intrusions have been reported in open sources that can be tied to this alias. Therefore, the profile of LaPampaLeaks is currently limited to this single website defacement and the associated statements.