3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
L0stex

L0stex

ID: 264cf1620528fc9f070f4332f529394545444
Cybercrime Cybercriminal Hacktivist
Threat types: Hacktivism, Defacement, Intrusion, Data Leak
Mexico ARG, MEX
Updated: 2026-04-14
Created: 2026-03-26
Progress: 95% Completeness: 93% Freshness: 100%
Operation zone: Argentina, Mexico
Aliases Limited alias preview
CORTEX L0stex L0stex_ofc
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

L0stex is a Chronus Team-linked operator/persona with probable founder-level or leadership relevance, associated with both public-sector defacements and leak-oriented activity across Mexico and Argentina.


Technique Technique name Tactics Evidence
T1190 Exploit Public-Facing Application TA0001
  • 2026-03-30 — Municipal and public-sector defacement/leak victimology is consistent with exploit of public-facing applications. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2026-03-30 — INFERENCE (confidence: medium): some leak cases may have involved weak or compromised credentials rather than direct exploitation alone. · ref
T1491.001 Internal Defacement TA0040
  • 2025-01-01 — Multiple Mexican municipal portal incidents attributed to L0stex fit a defacement-driven impact pattern consistent with public-facing site compromise and attacker-controlled messaging. · ref
T1005 Data from Local System TA0009
  • 2025-09-13 — The SAFESA case attributed to L0stex and Z1k3n involved a high-volume record exposure, consistent with collection from local systems prior to release. · ref
  • 2026-03-30 — Fresh Argentina cases linked to L0stex involve security, police, and health-related data exposure, consistent with collection from local institutional systems. · ref
T1567 Exfiltration Over Web Service TA0010
  • 2026-03-30 — INFERENCE (confidence: medium): the actor’s public-release behavior is consistent with exfiltration and redistribution over web-based services or publication channels. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-30T21:40:11+00:00
L0stex — Chronus Team-linked operator and apparent founder-level figure

Classification: Unclassified / Open Source Intelligence (OSINT) + Limited Human Intelligence (HUMINT) — TLP:WHITE

Category: Cybercrime / Hacktivism-adjacent intrusion, leak, and defacement activity - Origin: Mexico (assessed, not confirmed)

Author: iQBlack CTI Team


Executive Summary

L0stex is assessed as one of the most operationally and symbolically important personas inside the Chronus Team ecosystem. Available reporting and internal context do not support treating the alias as a standalone organization. Instead, L0stex is best modeled as a Chronus Team-linked operator with probable founder-level or leadership significance inside a wider semi-decentralized LATAM leak-and-disruption cluster. The strongest current analytical treatment is “apparent founder / leader-level figure,” not a formally confirmed founder in the legal or documentary sense.


Confidence is high that L0stex is a real and active actor/persona with repeated visibility across Chronus-linked incidents. Public reporting ties the alias to multiple defacements and leak cases in Mexico and Argentina, while fresh internal reporting materially expands the actor’s Argentina footprint through data-leak events involving SIMES, Revisión Técnica Obligatoria (RTO), the Ministry of Security of Salta, Police of Entre Ríos, Salud Federal Salta (SAFESA), and the Ministry of Health of Misiones. The repetition of L0stex’s name across high-sensitivity targets and across both defacement and leak activity materially increases the actor’s weight inside the ecosystem.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — L0stex

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — L0stex / Chronus Team-linked Activity


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-30T21:42:30+00:00

IOC Appendix — L0stex

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-30T21:42:59+00:00

OSINT Library — L0stex


2026-03-27 — iQBlack — “Chronus Team: an emerging intrusion-and-leak actor focused on Mexico, with signs of expansion toward Argentina”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/7
Address Verification SOCMINT
x.com/L0s******* Restricted Not integrated
Address Verification SOCMINT
t.me/L0s*** Restricted Not integrated
t.me/cib************ Restricted Not integrated
t.me/dat******* Restricted Not integrated
t.me/L0s******* Restricted Not integrated
Address Verification SOCMINT
telegra.ph/L0s********* Restricted Not integrated
www.reddit.com/use******** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–1 of 1 images
X account Free Preview
X account