Cyber Threat Actor: @GOV.ETH

The threat actor operating under the alias @GOV.ETH (also referenced as Gov.eth) is a hacktivist group primarily active against targets in Argentina, with additional operations affecting Uruguayan entities. This actor consistently focuses on media organizations and government platforms, as evidenced by compromises impacting outlets including Ámbito en Argentina, La Unión Digital, Perfil.com, and government domains such as Argentina.gob.ar and the San Juan Social Action Fund’s website. Their operations demonstrate a clear pattern of targeting digital platforms to propagate ideological messages through disruptive defacement rather than financial gain or data exfiltration. The group’s activities center on replacing legitimate content with politically charged statements, often accompanied by skull imagery and hashtags, to amplify their ideological agenda and undermine institutional credibility.

Technical patterns indicate a reliance on web-based compromises exploiting vulnerabilities and weak credentials, with incidents involving unauthorized content alterations through basic defacement techniques. The actor has demonstrated capabilities in accessing and retrieving sensitive personal information from government databases, as observed in breaches where they claimed access to national ID systems. Their operations frequently incorporate cryptocurrency references and Telegram channels for communication or data dissemination, alongside the use of AI-generated explicit imagery in targeted harassment campaigns. While lacking references to advanced malware tooling, their tactics include credential exploitation, vulnerability abuse, and public intimidation through stolen data leaks—methods aligned with disruptive hacktivist objectives rather than sophisticated cybercrime or espionage.

Notable campaigns include the June 2025 synchronized attacks against Ámbito en Argentina and La Unión Digital, where the group replaced news content with political slogans and disruptive imagery, mirroring prior defacements of Perfil.com and government sites. A separate April 2025 operation against Uruguayan media involved deploying AI-generated explicit content of officials alongside threats referencing accessed government databases, escalating beyond typical defacement to include personal data exposure and harassment. The group publicly justifies attacks as ideological opposition to specific governments or institutions, citing grievances against ruling coalitions and alleging systemic corruption. These operations consistently disrupt service availability and content integrity while amplifying fear through psychological manipulation and reputational damage to targeted entities.