Cyber Incident Victim: TV Ciudad
Date:
Apr 2025
Location:
Uruguay
Summary
TV Ciudad’s website was compromised ina cyberattack that displayed AI‑generated fake images of politicians such as Yamandú Orsi, Carolina Cosse and a manipulated nude torso of Martín Lema, accompanied by intimidating messages and threats toward the Chamber of Commerce. The attackers, identified by the handle GO.ETH and linked to previous intrusions on Brecha and El País, left statements claiming they would continue targeting institutions they perceive as oppressive. Although the outlet filed a police report and is working to restore the service, investigators have not yet determined any additional participants and confirmed that no sensitive data were accessed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On Thursday, April 24, 2025, the official website of TV Ciudad was compromised in a cyberattack that resulted in the defacement of its web pages. Visitors to the site encountered a visual intervention that displayed false images generated by artificial intelligence depicting prominent political figures such as Yamandú Orsi, Carolina Cosse and Martín Lema. The altered photograph of Martín Lema showed his torso without clothing, intended to ridicule the politician. Accompanying the images were intimidating messages and politically manipulated content, including warnings directed at the Cámara de Comercio. One of the texts displayed read, “Dejaron la puerta abierta y nosotros no solo entramos, nos sentamos, tomamos café y revisamos los cajones. Y no, no vamos a parar”. Another message warned the Cámara de Comercio, stating, “Si sigue queriendo oprimirnos a los uruguayos, van a ser nuestro siguiente objetivo”. The attack was confined to the public-facing website and did not, according to the outlet, involve access to sensitive internal data.
The responsibility for the defacement was claimed by a user identified as GO.ETH, who has been linked in the past to similar interventions on the websites of the semanario Brecha and the diario El País. Investigators noted that GO.ETH’s signature tactics include the use of AI‑generated imagery and politically charged threats. In addition to GO.ETH, the article mentions that other participants involved in the attack have not yet been determined. No further details about the attackers’ infrastructure, motives beyond the expressed political statements, or any potential affiliations were provided in the source material. The immediate impact of the incident was the disruption of normal access to TV Ciudad’s online content, as users were presented with the defacement instead of the usual news programming and information. The dissemination of falsified images and threatening language posed reputational risks for the media outlet and could have contributed to political tension by targeting specific public figures and institutions. The explicit warning to the Cámara de Comercio indicated an intention to extend the campaign beyond the media outlet, suggesting a broader agenda of intimidation. Despite the visual and textual alterations, TV Ciudad confirmed that no breach of sensitive data, such as internal communications, subscriber information or editorial assets, had been detected. In response to the attack, TV Ciudad filed a formal complaint with the relevant authorities and began working to restore the website to its original state. The outlet’s technical team undertook measures to remove the defaced content, verify the integrity of the server and restore legitimate functionality. As of the time of the report, the restoration process was ongoing and no further unauthorized activity had been observed. The outlet emphasized that it would continue to cooperate with law‑enforcement investigations to identify the responsible parties and prevent recurrence.