Salvadoran hacktivists disclose personal identity of millions of Salvadorans. While their ethics are put into question, they want to expose Bukele’s government as corrupt and inefficient.
Hackers offer insights in exclusive interview
Originally published on Global Voices
Image by Melissa Vida for Global Voices.
The president of El Salvador Nayib Bukele has become the face of technological progress in Central America, despite relentless cyberattacks against Salvadoran public institutions that have resulted in the data of millions of citizens being compromised.
In 2021, Bukele impressed international onlookers by making Bitcoin legal tender in El Salvador and in 2024, he announced Google’s new office in the country, promising to digitize the educational and healthcare sectors. However, there has been no public acknowledgment of over a dozen data breaches against public infrastructure throughout April and June of 2024 alone.
According to researchers, El Salvador continues to fall short of basic cybersecurity compliance standards and regulations, preventing any affected civilians from mitigating the potential risks they face.
In the beginning of April 2024, local media La Prensa Gráfica reported that two new data breaches occurred within a week. The public release of 5.1 million Salvadoran personal identification numbers was the most significant (as it was previously paywalled), potentially impacting 80 percent of the country’s population. The disclosure of high-definition headshots containing biometric data corresponding to each citizen caused concerns about identity theft and fraud. Along with another hack that impacted the Ministry of Transportation, the breach went unacknowledged.
Screenshot of the hack into the Ministry of Transportation, disclosed on breached.in. Fair use.
Yet another hack impacted the Savings and Credit Society, a private financial institution, where over 400 gigabytes of data were obtained by a ransomware group. The Savings and Credit Society published a public statement in response to the attack, confirming that a security incident had occurred but denying that customer data had been compromised.
A similar statement was issued on May 1 when the entirety of the source code of Chivo Wallet, a company developing the official Bitcoin wallet of the government of El Salvador, was leaked. Stacy Herbert, the wife of American-Salvadoran broadcaster Max Keiser, who is currently employed as an advisor to President Nayib Bukele, dismissed all reports of the hack. However, by this point, several cryptocurrency news outlets had reported and verified the contents of the breach.
The majority of the hacks have been orchestrated by one hacktivist collective, CiberInteligenciaSV. In an exclusive interview between the group’s representative and Global Voices through Telegram, we asked about their motivations and goals.
The hackers say they seek to expose government corruption and challenge state repression. CiberInteligenciaSV, the Salvadoran chapter of the CiberInteligencia collective comprising members from Latin America and Europe, claims that they have been active in the hacker sphere for years. While the group is secretive about their connections, they admitted they are affiliated with several hacktivists, most notably Focaleaks. The group has recently garnered recognition on breachforums for the number of data breaches they produced in a short period of time.
Screenshot of a list of hacks under the official CiberInteligencia profile's threads on breached.in. Fair use.
When asked about the government’s lack of response to cyberattacks, they said, “So far, it has been handled internally and in a cowardly manner,” but regardless of acknowledgement, they recognize that their breaches make the government look incompetent. “They want to maintain their image,” said the group's representative, who asked to remain anonymous.
The ethics of leaking the private data of millions of citizens may be questionable to some, including breachforum members who commented on CiberInteligenciaSV’s leak of medical records. When asked if members of the group ever questioned their actions, they answered, “Does the state ever question itself leaving everyone's information unprotected?”, adding sarcastically, “Sure the state invests in politicians’ salaries and benefits — it's better than people's digital security.”
In previous public statements, the group has expressed a desire to expose the dangers of a modern digital society and the control of information, citing controversial US domestic terrorist and anarchist Ted Kaczynski as a key influence.
Their motivation page states: “We seek to crudely show people the dangers of modern digital society, how a few incompetent people have control over information and use it to control the masses, and how all citizens are guilty of continuing to perpetuate a system of manipulation and control.”
Screenshot of a conversational thread on breached.in about CiberInteligencia's ethics. It mentions Alejandro Muyshondt, a Salvadoran politician who died in custody in February 2024.
A breach of the Ministry of Education’s database caused teachers to urge an investigation on data storage, citing that sensitive data related to underaged children should be a concern. Still, when contacted by La Prensa Gráfica for a statement, the institution did not give a public response.
“We will not stop until the government recognizes their poor infrastructure,” CiberInteligenciaSV said. “Whenever there is a breach or a place we can infiltrate, we will expose it and compromise it.”
On May 2, CiberInteligenciaSV launched a new series of attacks against the government, taking down several government-affiliated news publications such as Diario El Salvador and El Blog. The state immediately responded by altering the security settings on the web security platform Cloudflare, using their Distributed Denial of Service (DDoS) protection services.
On the very same day, CiberInteligenciaSV managed to breach El Salvador’s digital citizen services portal through its login page, causing delays to public services for a few days. Public services did not initially respond to the cyberattack and hearsay attributed the downtime to an update involving data records. An official statement was released the following day, denying reports of a cyberattack.
As the attacks continued throughout May, Carlos Palomo from the Salvadoran non-profit Transparency, Social Oversight, and Open Data Association (TRACODA) urged citizens to file a complaint with the Constitutional Chamber or prosecutor’s office to pressure the government to investigate the data breaches in accordance with the country's Special Law against Computer and Related Crimes.
An editor from the journalistic organization DDoS Secrets, who goes by the alias Lorax Thorne, expressed concern with the ongoing situation due to the amount of compromised data, stating that citizens’ information should be protected and it is ultimately the responsibility of the targeted institutions to secure their infrastructure.
One of CyberInteligencia’s most vocal critics has been Mario Gómez, a software engineer who was arrested in 2021 after criticizing Bitcoin and several of Bukele’s policies. At that time, CiberInteligencia had issued statements calling for Gómez’s release, but in April 2024, Gómez criticized both the tactics and the motives of CiberInteligencia.
In turn, CiberInteligencia responded that they will continue to release data in its entirety, while encouraging researchers and journalists to comb through published leaks. Not even the seizure of BreachForums on May 15 would dissuade CiberInteligenciaSV from their goal; the group simply moved their uploads to various Telegram channels.
Access to Telegram was deliberately restricted by Salvadoran internet service providers (ISPs) in early June, after Nayib Bukele started his second presidential term — a mandate deemed unconstitutional by lawyers and journalists. Salvadoran citizens were trying to access the leaks of a hack into the Supreme Court Justice and Tribunal Ethics Committee and reported not being able to open Telegram through mobile data or Wi-Fi. Instead, they were forced to use Virtual Private Networks (VPNs) or proxies to access it. The Open Observatory of Network Interference’s (OONI) Web Connectivity Test revealed abnormal network activity on June 1.
Internet monitoring non-profit Netblocks later corroborated that access to Telegram was restricted by multiple ISPs in El Salvador. Two of these companies, Movistar and TIGO, were previously impacted by CiberInteligenciaSV’s data breaches.
The head of El Salvador's media association, Angélica Cárcamo, warned that this blocking could lead to censorship, “just like in Russia or China.”
In June, the hacktivist collective continued to leak files. They released various legal documents related to the controversial death of a former security advisor in custody, the secret release of a top rank MS-13 gang leader, and those related to Pegasus spyware, which was previously used to surveil journalists and human rights activists. Later that month, statistics obtained by the group revealed that the National Civil Police had 183 reports of rape from January 1 to March 15 2024, the majority involving children, all of which remain unsolved.
Not only have these revelations raised questions about state corruption, but they have also revealed that the Salvadoran government is incapable of mitigating data breaches or prosecuting hacktivists, even if they wanted to.
Note: This investigation was done under the framework of the Civic Media Observatory at Global Voices.
