
Three cybersecurity pillars for LatAm telecom operators

Mark Mullings


How AI-powered cybersecurity enables Latin America’s telecom operators to build the trusted digital networks their markets need.

Latin America’s telecom operators are managing a risk environment that has no precedent in the region’s history. Cyberattacks are accelerating faster than security maturity. Ransomware breach events rose 78 per cent in 2025. Mobile fraud is surging across Brazil, Mexico, Colombia and Argentina. It’s driven by SIM-swap attacks, mobile malware and sophisticated social engineering chains that move from voice scam to account takeover to fraudulent transfer in a single session. State-sponsored threat actors are systematically targeting telecom infrastructure. The regulatory environment, led by Brazil’s ANATEL and the region’s growing body of data protection legislation, is moving to hold operators accountable as critical infrastructure providers. This is the operating reality for Latin American telecoms in 2026. It is also the commercial opportunity.

Here, we set out the case for AI-powered, network-edge cybersecurity built on behavioural intelligence. We organise the case around BlackDice’s three strategic pillars: Confidence while connected, Security of experience and Security of economics. They draw on the specific threat data, regulatory context and market dynamics of Latin America. We conclude with a seven-point action framework that operators can apply immediately.


The Latin America moment

Latin America is in the middle of a digital transformation that is reshaping every sector of its economy. Mobile-first populations across Brazil, Mexico, Colombia, Chile, Argentina and Peru are moving financial services, commerce, healthcare and public administration onto connected platforms at pace. Digital bank accounts now reach populations that were outside the formal financial system a decade ago. 5G network rollout is gathering momentum. IoT adoption in industrial, agricultural and consumer settings is expanding the connected device estate at a rate that no security framework was originally designed to manage.

This transformation creates an extraordinary opportunity for telecom operators. Businesses across the region are projected to spend 10 per cent of revenues on digital transformation annually through to 2030. Connectivity sits at the foundation of every initiative in that spending. Operators are the infrastructure layer on which Latin America’s digital economy is being built.

But the same transformation has dramatically expanded the attack surface. Latin American organisations now face an average of 3,100 cyber threats per week, significantly above the global average. The region faces twice as many cyberattacks as the United States. In the first half of 2025, cyberattacks across the region surged a further 39 per cent. Ransomware breach events rose 78 per cent over 2024, with more than 450 confirmed incidents. The telecommunications and technology sector is among the most targeted. The consequences of a breach are measured not just in recovery costs, but in subscriber trust, regulatory exposure and competitive position.

The threat landscape across Latin America

The cyber threat environment in Latin America is distinctive. It combines the sophistication of state-sponsored campaigns with the high volume and adaptability of organised criminal groups. And it is accelerating faster than the region’s cybersecurity maturity can currently match. Most countries in the region score between 2 and 3 on a 5-point cybersecurity maturity scale, while attacker innovation continues at a pace that outstrips policy and investment.

Ransomware: from encryption to extortion

Ransomware is the defining threat across the region. Brazil recorded more than 70 confirmed breach victims in 2025, the highest in Latin America. Mexico and Argentina follow with 30 and 20 confirmed victims respectively, though both figures are widely considered to undercount incidents where victims paid quietly. Organised groups including Qilin and Nova are actively targeting Brazilian industrial companies, Argentine energy firms and Mexican organisations. The model has shifted from encryption-and-ransom to data-leak extortion, with attackers exfiltrating sensitive data before triggering any visible disruption, meaning detection after the fact rarely prevents the worst consequences.

Mobile-first fraud: the attack chain that defines the region

Latin America’s rapid mobile banking adoption has created a fraud environment with no parallel in other regions. Mobile devices now account for 88 per cent of all fraudulent sessions across the region. This represents a 13 per cent increase on the previous year. Social engineering attacks rose 155 per cent in 2025, with attackers chaining techniques together. A voice scam establishes initial access. Mobile malware or SIM-swap completes the account takeover. A fraudulent transfer moves the funds before any detection event occurs. Four out of every five SIM-swap attempts in the region succeed. The countries most severely affected are Argentina, Colombia and Mexico.

Stolen-device fraud spiked 49 per cent in Q1 2025. Remote-access fraud doubled in the same quarter. These are not isolated incidents. They are a coordinated and escalating attack methodology that specifically targets the network layer as the weakest point in the chain, because it is the layer least equipped to respond in real time.

State-sponsored threats targeting telecom infrastructure

China-linked threat groups including Vixen Panda, Aquatic Panda, and Liminal Panda are actively targeting government agencies, telecom providers and defence-adjacent organisations across the region. These campaigns share a characteristic that makes them particularly difficult to counter with conventional tooling. They are designed for persistence rather than immediate disruption. Attackers establish long-term access within operator infrastructure, exfiltrating intelligence over extended periods before any detection event occurs. The dwell time between initial compromise and detection in these campaigns is measured in months.

Infostealer malware: the quiet epidemic

Infostealer malware attacks surged 58 per cent across the region in 2025. These tools operate silently within device and network environments. They harvest credentials, session tokens, banking data and personal information without triggering the visible symptoms that endpoint alerts are calibrated to detect. The combination of infostealer compromise and the subsequent use of stolen credentials to initiate fraudulent sessions is now one of the most common attack chains affecting the region’s financial sector.


The operator’s structural advantage

Every attack in the landscape above passes through the operator network. SIM swaps require network-layer authentication. Mobile malware sessions traverse operator infrastructure. Infostealer data exfiltration routes through DNS. State-sponsored persistence relies on undetected network traffic. The operator sees all of it, before any other security layer in the stack. The question is whether they have the capability to act on what they see.


Why conventional security fails at network scale

The security frameworks deployed across most Latin American organisations were built for a different environment: one with defined perimeters, manageable device populations and attacker behaviour that could be catalogued in signature libraries. None of those conditions describe the operating reality of a Latin American telecom operator in 2026.

The architecture that works for Latin American operators is one that deploys within their infrastructure rather than sitting outside it, covers the full device population without agent dependency, detects patterns rather than signatures and enforces policy at the edge with zero latency impact on subscriber experience.


Pillar 1: Confidence while connected

Every subscriber, on every device, protected from the moment they connect

The most fundamental commitment a telecom operator can make to its subscribers is that connecting to the network is safe. Not conditionally safe, not safe if the subscriber has updated their device or installed the right app. Unconditionally, structurally safe. That guarantee is only possible when protection operates at the network layer, independent of subscriber behaviour and invisible to them.

What behavioural intelligence changes

BlackDice operates at the edge of operator infrastructure, on customer premises equipment, within network gateways and across the access layer. Using deep packet inspection, DNS data and metadata, device fingerprinting, and multiple mobile device datapoints collected through our mobile SDK, the platform builds a continuous, dynamic model of normal behaviour for every connected device, including unmanaged IoT that no endpoint security tool has ever seen.

When a device deviates from its established pattern (a SIM that begins authenticating from two separate locations simultaneously, a router that starts scanning adjacent network segments, or a mobile device displaying session behaviour consistent with a remote-access takeover attempt), BlackDice IQ™ correlates that signal across network and device-layer data, assigns a risk score and triggers a proportionate response before the attack chain reaches completion.

Why this matters for Latin America specifically

The region’s fraud profile makes network-layer detection not just useful but essential. SIM-swap fraud succeeds 80 per cent of the time in Latin America because the network has no mechanism to identify the anomaly in real time. Mobile malware operates for weeks within device environments before any endpoint tool detects it, because the behaviour is designed to mimic legitimate traffic. Behavioural intelligence at the network edge identifies both, because it does not need to know what the threat looks like. It only needs to know what normal looks like and then notice when behaviour stops matching it.

“Latin America’s mobile-first populations are transacting, banking and communicating on networks that were not built with this level of threat in mind. The operators who build that protection into the infrastructure, rather than leaving it to individual subscribers or financial institutions to solve, will earn a level of subscriber trust that no connectivity-only proposition can replicate.”

The commercial case is inseparable from the protection case. Operators who use BlackDice Angel™ to give subscribers real-time transparency that their network is actively protecting them create a differentiator no over-the-top security product can match. In markets where subscriber churn is high and acquisition is expensive, confidence while connected translates directly into retention metrics.


Pillar 2: Security of experience

Threats are contained before they disrupt the services subscribers and operators depend on

The second pillar reflects a commercial and operational reality that Latin American operators are encountering with increasing frequency. Digital-first consumers and enterprises do not distinguish between a network outage and a security incident. If the service is disrupted, the operator is accountable. As digital financial services extend deeper into Latin American society, the tolerance for any disruption to that connectivity, whether caused by infrastructure failure or a security event, is shrinking.

Real-time enforcement with zero latency impact

BlackDice’s enforcement model is built around a principle that is non-negotiable in operator environments: security must not add discernible latency to network traffic. The platform’s pipeline (detect, correlate, decide, enforce) runs in real time within operator infrastructure. No traffic is redirected to external systems. No external cloud dependency introduces variable latency.

The SME opportunity

Latin America’s enterprise digitisation programme has a key focus on small to medium sized businesses. It represents one of the most significant B2B revenue opportunities available to operators over the next decade. Private 5G networks, industrial IoT integration, multi-cloud connectivity and digital supply chain platforms all require security assurance as a procurement prerequisite. Telecom operators who can demonstrate embedded, real-time security capability, with the audit-ready reporting that enterprise procurement processes demand, are positioned to capture enterprise contracts that connectivity-only operators cannot win.

BlackDice Retina™, the operator-facing visibility and control interface, surfaces threat activity, policy enforcement events and behavioural anomalies across the full subscriber estate in real time. It gives operators the operational intelligence to act on threats before they become incidents, and the reporting evidence to demonstrate their security posture to SMB clients and regulators alike.

Regulatory alignment across the region

Brazil’s ANATEL is among the most active telecoms cybersecurity regulators in the world. Resolution 780/2025 requires data centres within telecom networks to implement robust cybersecurity measures. Act 16.417, active since November 2024, mandates independent security audits for all telecoms equipment and technology suppliers. Brazil’s LGPD imposes data protection obligations with direct architectural implications for how operator systems are designed and secured.

Across the region, GDPR-inspired legislation has followed Brazil’s lead. Mexico, Chile, Ecuador and El Salvador have all introduced data protection frameworks that place new obligations on operators handling subscriber data. Chile’s Framework Cybersecurity Law, active from January 2025, designates telecommunications as a critical infrastructure sector with mandatory security standards enforced by the new National Cybersecurity Agency. Operators who build network-level security capability now will be ahead of regulatory timelines rather than responding to enforcement events.


What operators need to demonstrate to enterprise buyers

Business clients across Latin America are introducing cybersecurity requirements into procurement and vendor management processes. They need to see that their connectivity provider has active, measurable security capability, not contractual assurances. BlackDice Retina™ provides the real-time dashboard, policy logs, and risk scoring that converts security posture into a demonstrable, audit-ready commercial asset.


Pillar 3: Security of economics

Protecting revenue, enabling new commercial models and turning security into growth

The third pillar reframes cybersecurity from a defensive cost to a commercial opportunity. Latin American operators are under structural pressure. Voice ARPU continues to decline, 5G infrastructure investment is significant and competition in core connectivity is intense. The operators that grow through this environment will find new recurring revenue streams within the infrastructure they already operate. Security is the most structurally compelling of those streams.

Security-as-a-service: a revenue model operators are uniquely placed to own

Network-level security-as-a-service is structurally different from every other value-added service in the operator portfolio. It addresses a need that is universal across every subscriber segment. It requires no hardware to manufacture or distribute. It operates silently, requiring no change in subscriber behaviour. And it is delivered from infrastructure the operator already controls and has already paid for.

BlackDice’s platform enables operators to structure this into tiered commercial propositions. A baseline security layer available to all subscribers as part of the core package. A premium managed protection tier for consumers and small businesses who want enhanced coverage and visibility. And an enterprise-grade managed security service for business accounts with compliance reporting and SLA-backed response times. Each tier is built on the same underlying network capability, with no additional infrastructure investment required to move between tiers.

Protecting the financial ecosystem built on operator networks

Latin America’s fintech sector is among the fastest growing in the world, and it is built on operator networks. Digital wallets, instant payment platforms, mobile credit services and insurance products all depend on the operator network for the authentication, session management and data transmission that makes those services function. When that network is compromised, the financial consequences extend far beyond the operator. SIM-swap fraud alone costs the region hundreds of millions of dollars annually. And the operator network is both the attack surface and the intervention point.

Regulators across the region are beginning to draw the connection between operator network security and financial fraud liability. Brazil’s BACEN cybersecurity regulations already impose obligations on financial institutions that have direct implications for the operator networks those institutions depend on. As the regulatory model matures, operators who have demonstrated active fraud prevention capability at the network layer will be in a substantially stronger regulatory and commercial position than those who have not.

From cost of incidents to avoided cost of incidents

The full economic impact of a significant security breach on a Latin American operator extends well beyond the direct recovery costs. Subscriber churn following a well-publicised incident can persist for years. And in markets where brand trust is already a competitive differentiator, the damage is compounded. Proactive, network-level threat detection that prevents incidents from occurring is simultaneously a security investment, a subscriber retention investment and a brand investment. Its return is measured across multiple commercial metrics, not just the security budget.

“The operators that define Latin America’s digital decade will not be those with the fastest networks. They will be those with the most trusted networks. Trust is not marketed. It is demonstrated, through protection that works silently, consistently and at scale.”

The AI advantage: why behaviour beats signatures

AI has become an overused claim in the cybersecurity industry. Almost every platform that applies a statistical model to a dataset now describes itself as AI-powered. What distinguishes BlackDice’s approach is specificity. The AI in the platform refers to the continuously learning behavioural models that power BlackDice IQ™: models that build dynamic baselines for every device and service on the network and detect deviation from those baselines in real time, without requiring prior knowledge of the specific threat.

This distinction matters particularly for Latin America. The attack groups operating in the region, both the criminal organisations and the state-sponsored groups, share a common operating principle. They evolve their techniques continuously to stay ahead of known detection methods. Qilin, Nova, the Golden Mexican Wolf group, and China’s infrastructure targeting campaigns all demonstrate adaptation as a core capability.

Signature-based detection confronts these groups with a permanent structural disadvantage. Every signature must be written after the technique is observed, which means detection is always at least one step behind. Behavioural intelligence removes that disadvantage. A technique that has never been documented before still produces network and device behaviour that deviates from established baselines. BlackDice IQ™ detects that deviation in real time, scores the risk and enforces a response, regardless of whether the specific technique has been seen before.


The detection principle that changes the equation

Most security systems look for threats they already know. BlackDice looks for combinations of behaviour that do not fit. A SIM authentication event from two locations simultaneously. A mobile session initiating a banking transfer immediately after a remote-access connection is established. An IoT device routing DNS queries to domains it has never previously contacted. Each individual signal may be explainable. In combination, they reveal intent. That is behavioural intelligence: risk assessed by context, not catalogue.


What operators should do now: a practical action framework

The regulatory environment is tightening, the threat landscape is accelerating, and the commercial case for network-level security has never been clearer. What follows is a practical framework for operators across Latin America at any stage of readiness, from initial assessment to full commercial deployment.

Action 1: Audit your current coverage honestly

Map your active device population against your security tooling coverage. Quantify how many devices on your network are currently unmonitored, including unmanaged IoT and subscriber-owned endpoints. Establish whether your current detection relies on signatures or behavioural patterns. Measure your mean time to detect for recent incidents. Most operators who conduct this audit honestly find their coverage gap is substantially larger than their existing tooling suggests. That gap is where the SIM-swap chains, mobile malware sessions and infostealer traffic are currently moving undetected.

Action 2: Engage with Brazil’s ANATEL requirements as a minimum baseline

ANATEL Resolution 780/2025 and Act 16.417 represent the most advanced telecoms cybersecurity regulatory framework in the region. They set a standard that regulators across the region are watching. Even operators outside Brazil should treat these requirements as a reference architecture for the compliance obligations that will follow in their own markets. Operators who build to this standard now will not be caught short when equivalent legislation arrives in Mexico, Colombia, Argentina or Peru.

Action 3: Build your security architecture around your network, not a corporate IT model

Any security architecture you invest in must operate within your infrastructure rather than outside it. It should cover the full device population without agent dependency, enforce policy at the network edge with no latency impact, process data within your sovereign operating environment and produce audit-ready evidence for regulators and enterprise clients. Evaluate every vendor and platform against all five of those requirements before making a commitment.

Action 4: Build your commercial security proposition before competitors define the category

Security-as-a-service is not yet a standard operator product in Latin America. The operators that define the category first in their markets will establish subscriber expectations, set the commercial benchmark and build a switching cost that later entrants will find difficult to overcome. Structure your proposition in tiers. A baseline security layer for all subscribers. A premium protection tier for individuals and SMEs. And an enterprise-grade managed security offering for business accounts. All three can be built from the same underlying network capability, with incremental commercial packaging rather than separate platforms.

Action 5: Prioritise SIM-swap and mobile fraud detection as your most urgent use case

With four out of every five SIM-swap attempts succeeding in the region, and mobile devices accounting for 88 per cent of fraudulent sessions, this is the most immediate and commercially significant risk your network currently carries. Network-edge behavioural detection that identifies anomalous authentication patterns in real time (dual-location SIM authentication, session behaviour inconsistent with subscriber history and post-SIM-change banking access) is the intervention that changes that success rate. It requires no subscriber action and no coordination with financial institutions. It operates at the network layer, where the attack chain can be interrupted before it reaches the banking session.
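The signal combinations named here and under "The detection principle that changes the equation" can be sketched as a small correlator. This is an added example, not BlackDice's code or part of the original article; the event fields, time windows, weights and threshold are all assumptions chosen for illustration, and the events are constructed.

```python
# Assumed weights and windows (illustrative values only).
WEIGHTS = {
    "dual_location_auth": 40,
    "transfer_after_remote_access": 40,
    "banking_after_sim_change": 35,
    "new_dns_domain": 15,
}
AUTH_WINDOW = 60                 # seconds: "simultaneous" authentications
REMOTE_WINDOW = 300              # seconds: transfer "immediately after" remote access
SIM_CHANGE_WINDOW = 24 * 3600    # seconds: banking access soon after a SIM change
THRESHOLD = 70                   # above every single weight: only combinations respond

def correlate(events, dns_baseline):
    """Return {subject_id: set of signal names} from the event stream."""
    signals, last_auth, last_remote, last_sim_change = {}, {}, {}, {}
    seen = {dev: set(domains) for dev, domains in dns_baseline.items()}
    for ev in sorted(events, key=lambda e: e["ts"]):
        who, ts, kind = ev["id"], ev["ts"], ev["type"]
        hits = signals.setdefault(who, set())
        if kind == "sim_auth":
            prev = last_auth.get(who)
            if prev and prev[1] != ev["location"] and ts - prev[0] <= AUTH_WINDOW:
                hits.add("dual_location_auth")
            last_auth[who] = (ts, ev["location"])
        elif kind == "sim_change":
            last_sim_change[who] = ts
        elif kind == "remote_access_start":
            last_remote[who] = ts
        elif kind == "banking_transfer":
            if who in last_remote and ts - last_remote[who] <= REMOTE_WINDOW:
                hits.add("transfer_after_remote_access")
            if who in last_sim_change and ts - last_sim_change[who] <= SIM_CHANGE_WINDOW:
                hits.add("banking_after_sim_change")
        elif kind == "dns_query":
            known = seen.get(who)  # devices without a baseline are not judged
            if known is not None and ev["domain"] not in known:
                hits.add("new_dns_domain")
                known.add(ev["domain"])
    return {who: hits for who, hits in signals.items() if hits}

def assess(events, dns_baseline):
    """Score each subject; a response fires only when combined risk crosses THRESHOLD."""
    report = {}
    for who, hits in correlate(events, dns_baseline).items():
        risk = sum(WEIGHTS[s] for s in hits)
        report[who] = {
            "signals": sorted(hits),
            "risk": risk,
            "action": "respond" if risk >= THRESHOLD else "observe",
        }
    return report

# Constructed sample data (not real traffic).
DNS_BASELINE = {"cam-7": ["time.example.net", "fw.example.net"]}
SAMPLE_EVENTS = [
    {"ts": 1000, "id": "sub-A", "type": "sim_change"},
    {"ts": 1010, "id": "sub-A", "type": "sim_auth", "location": "region-1"},
    {"ts": 1030, "id": "sub-A", "type": "sim_auth", "location": "region-2"},
    {"ts": 1500, "id": "sub-A", "type": "banking_transfer"},
    {"ts": 2000, "id": "sub-B", "type": "remote_access_start"},
    {"ts": 2100, "id": "sub-B", "type": "banking_transfer"},
    {"ts": 3000, "id": "cam-7", "type": "dns_query", "domain": "time.example.net"},
    {"ts": 3050, "id": "cam-7", "type": "dns_query", "domain": "x9.example.org"},
    {"ts": 4000, "id": "sub-C", "type": "sim_auth", "location": "region-1"},
    {"ts": 4600, "id": "sub-C", "type": "sim_auth", "location": "region-2"},
]

if __name__ == "__main__":
    for who, result in assess(SAMPLE_EVENTS, DNS_BASELINE).items():
        print(who, result)
```

Only sub-A, where a SIM change, a dual-location authentication and a banking transfer coincide, crosses the threshold; sub-B and cam-7 each raise one signal and stay under observation, and sub-C's two authentications ten minutes apart raise none.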

Action 6: Invest in visibility: for your teams and for your subscribers

Security capability only generates commercial value when it is demonstrable. For your operations and network teams, invest in real-time dashboards that surface threat activity, device anomalies and policy enforcement events across the full subscriber estate. BlackDice Retina™ provides this at operator scale. For subscribers, give them the transparency to see that the network is actively protecting them. BlackDice Angel™ provides this at the subscriber level. Both layers are essential to converting security infrastructure into a commercial proposition that subscribers understand, trust and are willing to pay for.

Action 7: Measure outcomes, not activity

A mature security programme is measured by what it prevents, not by what it monitors. Track mean time to detect, the proportion of your device population under active behavioural monitoring, SIM-swap attempt success rates before and after deployment, fraud incident rates on your network relative to industry benchmarks, and subscriber churn attributable to security incidents or network trust concerns. These metrics give your board a clear picture of security investment value. And they give you the data to demonstrate that value to regulators, enterprise clients and partners.


From connectivity provider to trusted digital partner

The transformation available to Latin America’s telecom operators is not a security upgrade. It is a strategic repositioning. The connectivity market across the region is commoditising. Price competition is intense. The operators that grow through this decade will not be those that deliver the fastest pipe. They will be those that deliver the most trusted digital environment and build the commercial models to monetise that trust at every point in the subscriber and enterprise relationship.

Embedding AI-powered, network-edge behavioural intelligence is the mechanism by which that transformation becomes real and defensible. It gives operators a capability that over-the-top security products cannot replicate, because those products cannot see the network the way the operator can. It gives them a commercial layer that generates recurring, subscription-based revenue. And it gives them a narrative, grounded in demonstrable, specific capability, that differentiates their proposition to subscribers, enterprises and regulators.

Three pillars, one direction of travel.

Confidence while connected: every subscriber protected, regardless of device or behaviour.

Security of experience: threats contained before they disrupt the digital services Latin America’s economy depends on.

Security of economics: new revenue unlocked, fraud losses reduced, and regulatory exposure converted into competitive advantage.

The operators across Brazil, Mexico, Colombia, Chile, Argentina, and Peru that act on this in 2026 are not just responding to a threat. They are building the infrastructure of trust that their markets, their subscribers, and their regulators will depend on for the decade ahead. The network never lies. The question is whether the operator is listening.


About BlackDice Cyber

BlackDice Cyber is a telecom-native cybersecurity company headquartered in Leeds, United Kingdom. Its platform delivers AI-powered behavioural intelligence and real-time threat detection directly within operator infrastructure, enabling telecommunications providers to protect subscribers, generate new revenue, and meet evolving regulatory requirements. BlackDice operates globally in partnership with leading telecoms operators.

To learn more, visit blackdice.ai

Sources: Check Point Latin America 2025 Mid-Year Cyber Snapshot; CrowdStrike 2025 LatAm Threat Landscape Report; Industrial Cyber: LatAm Ransomware and Hacktivist Attacks 2025; BioCatch: Fraud Trends in Latin America 2025; Dark Reading: LatAm Faces 2x More Cyberattacks; ANATEL Resolution 780/2025 and Act 16.417; Latin Lawyer: Mitigating Risk in Latin America 2025; TrustArc: Latin America’s Privacy Pivot 2025; GSMA Intelligence ASEAN Digital Industries 2025; Chambers and Partners: Cybersecurity Brazil 2025.
