Threat Actors Targeting Miami Businesses and Infrastructure

Miami's position as a gateway between North America, Latin America, and the Caribbean creates a concentrated attack surface that draws threat actors operating across financial fraud, ransomware, espionage, and critical infrastructure disruption. This page catalogs the major threat actor categories targeting Miami-area organizations, explains the mechanics behind their operations, and maps classification boundaries relevant to defense planning. Understanding who initiates attacks—and why Miami specifically attracts them—is foundational to any serious risk posture.


Definition and scope

A threat actor, as defined by the NIST Computer Security Resource Center glossary, is "an individual or a group that is capable of carrying out a particular threat." In the Miami context, scope extends beyond the city limits to encompass Miami-Dade County's 2.7 million residents, PortMiami (the world's busiest cruise port by passenger volume), Miami International Airport, the Brickell financial district, and the dense cluster of healthcare systems including Jackson Health System.

The relevant threat population includes nation-state actors, financially motivated cybercriminal organizations, hacktivists, insider threats, and opportunistic attackers who specifically leverage Miami's cross-border commerce density. The FBI Miami Field Office has publicly identified South Florida as a persistent concentration point for business email compromise (BEC) schemes, which accounted for over $2.9 billion in reported losses nationally in 2023 (FBI Internet Crime Complaint Center, IC3 2023 Annual Report).

The broader Miami cybersecurity landscape page provides sectoral context that explains why these actors cluster their targeting around specific industries.


Core mechanics or structure

Threat actors operating against Miami targets typically execute through five operational phases. The phases below are a simplified model that groups MITRE ATT&CK tactics (reconnaissance and resource development; initial access; persistence, privilege escalation and lateral movement; collection, exfiltration and impact) into stages that are useful for defense planning; ATT&CK itself enumerates fourteen tactics rather than five:

  1. Reconnaissance — Passive and active collection of target data. For Miami financial firms, this often involves scraping LinkedIn for CFO and treasury staff to build BEC target lists. For port-adjacent logistics firms, actors map vendor relationships.
  2. Initial access — Phishing emails, credential stuffing and password spraying against VPN portals, and exploitation of internet-exposed assets. The joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies, Alert AA22-040A, identified phishing, stolen or brute-forced RDP credentials, and exploitation of software vulnerabilities as the top three initial access vectors in 2021 ransomware incidents.
  3. Persistence and lateral movement — Actors establish footholds using legitimate remote monitoring and management (RMM) tools, which blend in with normal administrative traffic, then traverse internal networks toward high-value data repositories or operational technology (OT) environments.
  4. Exfiltration or impact — Data is staged and exfiltrated for sale or leverage, ransomware is deployed to encrypt systems, or OT disruption is triggered. Healthcare networks face data theft and encryption together in double-extortion ransomware campaigns, with the leak threat applied to patient records.
  5. Monetization or exploitation — Financial actors route proceeds through Miami's real estate market, shell company networks, or cryptocurrency exchanges. Law enforcement reports from the U.S. Department of Justice have identified South Florida real estate as a documented money laundering channel linked to cybercrime proceeds.
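The credential stuffing named under initial access has a recognizable log signature: one source address failing against many distinct usernames in a short window, sometimes followed by a success on one of them. The following detector, added here as an example and not taken from the page or any vendor product, runs that logic over constructed VPN authentication lines. The line format (`<timestamp> vpn-gw auth OK|FAIL user=<name> src=<ip>`), the 60-second window and the five-user threshold are assumptions to adapt to the real gateway's syslog format and baseline.

```python
"""Detect credential-stuffing bursts against a VPN portal from auth logs.

Added example, not code from the original page. The log format below is a
constructed syslog-like layout; the window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line layout: "<ISO8601 UTC> vpn-gw auth <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW_SECONDS = 60          # assumption: sliding window length
DISTINCT_USER_THRESHOLD = 5  # assumption: distinct usernames failed from one IP

# Constructed sample: one attacker (198.51.100.23) sprays six accounts and then
# logs in as one of them; a legitimate user (203.0.113.7) mistypes twice.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z vpn-gw auth FAIL user=jsmith src=198.51.100.23
2024-03-04T09:00:02Z vpn-gw auth FAIL user=mlopez src=198.51.100.23
2024-03-04T09:00:03Z vpn-gw auth FAIL user=treasury.ops src=198.51.100.23
2024-03-04T09:00:04Z vpn-gw auth FAIL user=cfo src=198.51.100.23
2024-03-04T09:00:05Z vpn-gw auth FAIL user=aperez src=198.51.100.23
2024-03-04T09:00:06Z vpn-gw auth FAIL user=rchen src=198.51.100.23
2024-03-04T09:00:07Z vpn-gw auth OK user=aperez src=198.51.100.23
2024-03-04T09:00:10Z vpn-gw auth FAIL user=dkim src=203.0.113.7
2024-03-04T09:00:15Z vpn-gw auth FAIL user=dkim src=203.0.113.7
2024-03-04T09:00:20Z vpn-gw auth OK user=dkim src=203.0.113.7
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_credential_stuffing(lines, window=WINDOW_SECONDS, threshold=DISTINCT_USER_THRESHOLD):
    """Return one alert per source IP that fails against >= threshold distinct
    usernames inside a sliding window. Any later success from a flagged IP is
    recorded as a probable compromised account."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures within the window
    flagged = {}                  # src -> alert dict
    for e in events:
        src = e["src"]
        if e["result"] == "FAIL":
            q = recent[src]
            q.append((e["ts"], e["user"]))
            # Drop failures that have aged out of the window.
            while q and (e["ts"] - q[0][0]).total_seconds() > window:
                q.popleft()
            users = {u for _, u in q}
            if src in flagged:
                flagged[src]["distinct_users"] = max(flagged[src]["distinct_users"], len(users))
            elif len(users) >= threshold:
                flagged[src] = {
                    "src": src,
                    "first_seen": q[0][0].isoformat(),
                    "distinct_users": len(users),
                    "post_burst_success": [],
                }
        elif src in flagged:
            # A success from an IP already spraying is the signal that matters most.
            flagged[src]["post_burst_success"].append(e["user"])
    return list(flagged.values())


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Pivoting on source IP is the simplest cut; a distributed campaign that rotates through proxy addresses will stay under the per-IP threshold, so the same window logic should also be run keyed on username (many source IPs failing against one account) and on the gateway as a whole (total distinct failed usernames per minute against the baseline).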

Regulatory obligations tied to these attack vectors determine notification timelines and documentation requirements when incidents materialize.


Causal relationships or drivers

Four structural conditions explain why Miami draws disproportionate threat actor attention relative to its population size.

Gateway geography. PortMiami processes over 1 million TEUs (twenty-foot equivalent units) of cargo annually. Logistics companies managing that cargo operate IT and OT systems that, if compromised, create cascading supply chain disruptions—an outcome valued by both criminal ransomware groups and nation-state actors.

Financial sector density. Brickell hosts the regional headquarters of more than 100 multinational banks and financial institutions. BEC actors specifically target organizations with frequent international wire transfers, and Miami's cross-border transaction volume is among the highest of any U.S. metropolitan area.

Healthcare system concentration. South Florida's large elderly population supports a dense healthcare ecosystem. The HHS Office for Civil Rights (OCR Breach Portal) shows Florida consistently ranked among the top 5 states for reported HIPAA breaches. Ransomware groups targeting healthcare calculate that patient safety pressure accelerates ransom payment decisions.

Latin America nexus. Miami-based companies routinely transact with counterparts in Brazil, Colombia, Venezuela, and Mexico—jurisdictions where cybercriminal networks are well-established. Threat actors exploit shared language, cultural familiarity, and established financial corridors.


Classification boundaries

Threat actors are meaningfully distinguished along two axes: motivation and capability tier.

By motivation:
- Financial — Organized crime groups, ransomware-as-a-service (RaaS) affiliates, BEC operators, carding networks
- Espionage — Nation-state and state-sponsored actors targeting trade secrets, government contracts, port logistics data
- Ideological — Hacktivist collectives targeting perceived political or corporate targets; historically low volume but capable of significant reputational damage
- Disruptive — Actors seeking to degrade infrastructure availability without clear financial motive; overlap with nation-state objectives

By capability tier (an informal grouping; MITRE ATT&CK catalogs techniques and groups but does not define tiers):
- Tier 1 (Opportunistic) — Script-kiddie and commodity malware operators exploiting unpatched systems; no custom tooling
- Tier 2 (Capable) — Criminal organizations deploying proven RaaS platforms (LockBit, BlackCat/ALPHV) with affiliate networks and negotiation infrastructure
- Tier 3 (Advanced) — Nation-state groups (e.g., Chinese APT41, Russian Sandworm, Iranian APT33/APT34) deploying zero-day exploits and custom implants against critical infrastructure

The distinction matters operationally: Tier 1 actors are largely neutralized by patch management and multi-factor authentication; Tier 3 actors require network segmentation, deception technology, and threat intelligence integration to detect, because their initial access often uses valid credentials and living-off-the-land techniques that patching alone does not address.


Tradeoffs and tensions

Attribution vs. response speed. Attributing an attack to a specific nation-state or criminal group takes weeks of forensic work and threat intelligence correlation. Organizations face the operational tension of needing to respond and recover within hours while definitive attribution may take months. CISA's guidance consistently prioritizes containment and recovery over attribution for most private-sector entities.

Information sharing vs. competitive sensitivity. The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Health Information Sharing and Analysis Center (H-ISAC) enable sector-level threat intelligence exchange. Miami firms in competitive markets often resist disclosing attack indicators that might reveal operational vulnerabilities to competitors—slowing the collective defense ecosystem.

Law enforcement engagement vs. operational continuity. Engaging the FBI Miami Field Office during an active ransomware incident provides access to decryption keys (when available) and threat intelligence, but evidence preservation requests may extend the operational disruption timeline. Notification obligations under the Florida Information Protection Act (FIPA), Fla. Stat. § 501.171, are triggered by the determination that a breach occurred, not by law enforcement involvement; FIPA does, however, permit notice to individuals to be delayed at the written request of a law enforcement agency that determines notice would interfere with an investigation.


Common misconceptions

Misconception: Small Miami businesses are not targeted.
Correction: IC3 complaint data show BEC and ransomware victims across every organization size, and small businesses are a persistent target precisely because they lack dedicated security staff, often hold valuable financial data, and serve as supply chain entry points to larger customers. Miami small business cybersecurity addresses this exposure specifically.

Misconception: Nation-state actors only target government systems.
Correction: CISA's joint advisories on Volt Typhoon (AA23-144A in May 2023 and AA24-038A in February 2024) documented Chinese state-sponsored actors using living-off-the-land techniques to pre-position in U.S. critical infrastructure including communications, transportation, energy, and water sectors—all of which have significant Miami exposure through PortMiami, Miami International Airport, and Florida Power & Light infrastructure.

Misconception: Paying ransom resolves the incident.
Correction: CISA and the FBI explicitly advise against ransom payment, noting that payment does not guarantee data recovery or prevent re-attack. The Office of Foreign Assets Control (OFAC) has issued guidance that paying ransom to sanctioned entities may itself constitute a sanctions violation, introducing legal liability on top of operational damage.

Misconception: Cybersecurity frameworks are optional for private firms.
Correction: Florida's FIPA mandates breach notification within 30 days of determining a breach occurred. PCI DSS contractual obligations apply to any entity processing payment cards. HIPAA applies to covered entities and business associates regardless of size. Compliance obligations operate independently of whether an organization has voluntarily adopted a framework.


Checklist or steps (non-advisory)

Threat actor exposure assessment — documented steps:

  1. Identify all internet-exposed assets using a network enumeration tool or third-party attack surface management platform.
  2. Map organizational relationships with Latin American vendors, partners, and subsidiaries that create cross-border data flows.
  3. Review sector membership eligibility for relevant ISACs (FS-ISAC, H-ISAC, Maritime and Port Security ISAC for port-adjacent firms).
  4. Cross-reference the critical vendor list against OFAC's Specially Designated Nationals (SDN) list, and cross-reference the software running on internet-exposed assets (from step 1) against CISA's Known Exploited Vulnerabilities (KEV) Catalog.
  5. Document which threat actor categories (financial, espionage, disruptive) are most relevant given organizational sector and data assets.
  6. Align incident response playbooks to the specific actor category most likely to target the organization—ransomware playbooks differ structurally from BEC response playbooks.
  7. Confirm notification timelines under applicable regulations: 30 days from determination of a breach under FIPA; without unreasonable delay and no later than 60 days after discovery under the HIPAA Breach Notification Rule (45 CFR § 164.404, with § 164.412 governing law enforcement delay); and, for covered critical infrastructure entities, 72 hours for covered cyber incidents and 24 hours for ransom payments under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) once CISA's implementing rule takes effect.
  8. Review cyber insurance policy language for exclusions related to nation-state attacks, which are contested in ongoing litigation across the insurance industry.
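Steps 1 and 4 above (inventory the internet-exposed assets, then check them against the KEV Catalog) can be joined in one script. The following is an added example, not code from the page or from CISA: it takes a constructed asset inventory (the `host`/`vendor`/`product`/`cves` field names are assumptions) and a constructed two-entry excerpt written in the same field layout as CISA's published `known_exploited_vulnerabilities.json` (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`). It reports confirmed KEV hits ordered by ransomware use and due date, and separately flags assets whose vendor and product name match a KEV entry but for which no scanner CVE data exists, so they get a manual version check rather than being silently missed.

```python
"""Cross-reference an exposed-asset inventory against a CISA KEV Catalog snapshot.

Added example, not from the original page. KEV_SNAPSHOT is a constructed
excerpt in the field layout of the real catalog JSON; run against the live
file by passing it to cross_reference() in the same shape.
"""
import json
from collections import defaultdict

# Constructed excerpt in KEV's schema (two real catalog entries; dates illustrative).
KEV_SNAPSHOT = json.loads("""
{
  "catalogVersion": "constructed-sample",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "vulnerabilityName": "Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability",
     "dateAdded": "2023-10-18", "dueDate": "2023-11-08",
     "knownRansomwareCampaignUse": "Known"}
  ]
}
""")

# Constructed inventory from an assumed attack-surface export; field names are assumptions.
INVENTORY = [
    {"host": "vpn.example.com", "vendor": "Citrix", "product": "NetScaler Gateway",
     "cves": ["CVE-2023-4966"]},
    {"host": "app.example.com", "vendor": "Apache", "product": "Tomcat", "cves": []},
    {"host": "jobs.example.com", "vendor": "Apache", "product": "Log4j2",
     "cves": ["CVE-2021-44228"]},
    {"host": "legacy-portal.example.com", "vendor": "Citrix", "product": "NetScaler ADC",
     "cves": []},   # no scanner data: only a name match is possible
]


def load_catalog(path):
    """Load a KEV JSON file downloaded from cisa.gov into the shape used below."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def index_catalog(catalog):
    """Build a CVE -> entry map and a lowercase vendor -> [entries] map."""
    by_cve = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    by_vendor = defaultdict(list)
    for v in catalog["vulnerabilities"]:
        by_vendor[v["vendorProject"].lower()].append(v)
    return by_cve, by_vendor


def cross_reference(inventory, catalog):
    """Return (hits, review).

    hits:   assets with a scanner-reported CVE present in KEV, ordered with
            ransomware-used CVEs first and then by KEV due date.
    review: assets with no CVE evidence whose vendor/product name matches a KEV
            product string; these need a version check, not an automatic pass.
    """
    by_cve, by_vendor = index_catalog(catalog)
    hits, review = [], []
    for asset in inventory:
        known = set(asset.get("cves", []))
        for cve in sorted(known):
            entry = by_cve.get(cve)
            if entry:
                hits.append({
                    "host": asset["host"],
                    "cveID": cve,
                    "dueDate": entry["dueDate"],
                    "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                })
        for entry in by_vendor.get(asset["vendor"].lower(), []):
            name_match = asset["product"].lower() in entry["product"].lower()
            if name_match and entry["cveID"] not in known:
                review.append({
                    "host": asset["host"],
                    "cveID": entry["cveID"],
                    "reason": "product name matches a KEV entry; confirm version and patch level",
                })
    hits.sort(key=lambda h: (not h["ransomware"], h["dueDate"]))
    return hits, review


if __name__ == "__main__":
    confirmed, needs_review = cross_reference(INVENTORY, KEV_SNAPSHOT)
    for h in confirmed:
        print("HIT   ", h)
    for r in needs_review:
        print("REVIEW", r)
```

The `dueDate` field is the remediation deadline CISA sets for federal agencies under BOD 22-01; private firms are not bound by it, but it is a useful external prioritization signal, and `knownRansomwareCampaignUse` maps directly onto the Tier 2 ransomware exposure discussed above.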

Reference table or matrix

Threat Actor Category     | Primary Miami Targets                 | Typical TTPs                                          | Relevant Framework Reference
--------------------------|---------------------------------------|-------------------------------------------------------|-------------------------------
BEC / Financial Fraud     | Banks, real estate firms, law offices | Phishing, account takeover, wire fraud                | FBI IC3 BEC PSA
Ransomware (RaaS)         | Hospitals, logistics, SMBs            | Credential stuffing, lateral movement, double extortion | CISA Ransomware Guide
Nation-State (APT)        | Port operations, energy, telecom      | Zero-day exploits, supply chain compromise            | MITRE ATT&CK Groups
Carding / Fraud Networks  | Hospitality, retail, tourism          | POS malware, skimming, card-not-present fraud         | PCI SSC Resources
Insider Threats           | Healthcare, financial services        | Privilege abuse, data exfiltration                    | CISA Insider Threat Mitigation
Hacktivist Collectives    | Infrastructure, corporate targets     | DDoS, defacement, data leaks                          | MITRE ATT&CK

The main Miami Security Authority index provides an entry point to sector-specific pages covering each threat category in operational depth.


References