Menu
Browse

Cyber Threat Actor: N13V

Actor Type Location Known Incidents
 Icon
Criminal
0 incidents
Profile

The threat actor known as N13V operates under the alias RedAlert ransomware, a double extortion malware variant targeting organizations in Latin America. This group encrypts victim files—appending the .crypt extension—while exfiltrating data to pressure victims into paying ransoms under the threat of public leaks. Chilean authorities attributed an August 2025 attack on Sernac (Chile’s National Consumer Service) to RedAlert/N13V, which disrupted systems and online services by targeting Windows and VMware ESXi servers. The actor maintains a Tor-based leak site for publishing stolen data, though no Chilean agencies were listed at the time of reporting. N13V’s operations focus on government entities, as evidenced by the Sernac compromise, aligning with broader regional ransomware campaigns against public sector targets like Argentina’s Judiciary of Córdoba and the Dominican Republic’s Agrarian Institute.

N13V employs the RedAlert ransomware strain, which shares characteristics with financially motivated groups leveraging encryption and data theft. The malware’s technical impact includes file encryption and service disruption, though initial access vectors remain unspecified in public reporting. While Chile’s incident represents the only confirmed N13V operation, the group’s emergence coincides with Conti’s dissolution and subsequent ransomware activity against Latin American governments. No direct affiliations with state actors or criminal consortiums have been established for N13V. The absence of victim listings on their leak site during the Sernac attack suggests potential negotiation phases or delayed data publication tactics common among ransomware collectives.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
1 source