How Hackers Brought Down Government Networks in the Dutch Caribbean

A wave of highly coordinated cyberattacks has paralyzed government services across the Dutch Caribbean, disabling tax systems, court operations, and public communication channels in Curaçao, Aruba, and Sint Maarten. Authorities say the ransomware campaign, which began in late July, was likely triggered by a sophisticated intrusion that leveraged multiple vulnerabilities across legacy IT infrastructure.

The breach first came to light on July 24, when Curaçao’s Tax Office issued a public alert about a ransomware attack affecting its internal servers and public-facing portals. The Ministry of Finance confirmed the attack extended into systems jointly operated with the Dutch Tax and Customs Administration, warning residents of prolonged outages.

“This attack was not opportunistic; it was calculated, well-timed, and designed to cause maximum disruption,” said Curaçao’s Finance Minister Javier Silvania. “We’ve seen signs that our networks were infiltrated well before the malware was activated.”


How the Attack Unfolded: A Technical Breakdown

Preliminary forensic investigations—led by Dutch cybersecurity experts and international incident response teams—suggest the attackers employed a multi-stage intrusion strategy:

  1. Initial Access via Phishing or VPN Exploits:
    Investigators suspect the attackers initially gained access through a spear-phishing email campaign targeting finance department employees in Curaçao. Alternatively, unpatched VPN concentrators were identified as possible access points, particularly those running outdated firmware with known, CVE-listed vulnerabilities.
  2. Privilege Escalation and Lateral Movement:
    Once inside the network, attackers moved laterally using stolen credentials and leveraged misconfigured Active Directory trusts to access domain controllers and critical file servers. Security logs show the use of PowerShell scripts and tools like Mimikatz to extract passwords and escalate privileges.
  3. Payload Deployment – Ransomware Triggered:
    After achieving full domain compromise, attackers deployed a customized ransomware strain, likely a modified version of LockBit or BlackCat, according to indicators found by analysts from the Dutch National Cyber Security Centre (NCSC). The ransomware encrypted both user files and system configurations, locking agencies out of tax databases, case management systems, and public portals.
  4. Destruction of Backups:
    In a final step, the attackers appear to have targeted backup servers, either wiping them or encrypting them using the same ransomware key. This has significantly slowed down recovery efforts and raised concerns over the integrity of historical data.

Scope of the Damage and Human Toll

In Curaçao, the attack caused a complete halt to tax collections, vehicle registration renewals, and public inquiries. Citizens attempting to file returns or seek legal documentation were met with offline websites and unresponsive phone lines.

“I had to delay my business license renewal and can’t pay my employee taxes,” said Anika Rodriguez, a small business owner in Willemstad. “Everything is frozen. It’s a bureaucratic blackout.”

In Sint Maarten, the court system was forced to adjourn hearings indefinitely due to data unavailability. Judiciary staff, already operating on limited resources, described the situation as “the worst digital disruption in the island’s legal history.”

Aruba’s authorities acted swiftly, isolating key systems as soon as anomalies were detected, but their financial reporting systems and internal document workflow have still been affected. Authorities there confirmed “indicators of compromise” tied to the same ransomware strain found in Curaçao, suggesting a coordinated attack by a single group or cybercriminal consortium.


Who Is Behind the Attack?

While no ransomware gang has claimed responsibility publicly, cybersecurity analysts point to tactics consistent with Eastern European threat actors, particularly groups known to operate ransomware-as-a-service (RaaS) platforms.

“From the use of domain-wide encryption to the evasion of endpoint detection, this was the work of experienced, well-funded cybercriminals,” said Dr. André van Dalen, a digital forensics expert at Leiden University. “Their aim was not only ransom but a demonstration of power—showing that even Dutch-administered networks can be breached.”

Some local officials hinted that the attackers may have demanded a ransom in Bitcoin, but no government source has confirmed negotiations or payment.


Restoration Efforts and Lessons Ahead

Dutch authorities dispatched cybersecurity experts from The Hague and the NCSC to assess the breach and help coordinate island-wide recovery efforts. Initial priorities include:

  • Restoring critical tax databases from offline or cloud-based backups.
  • Rebuilding identity management systems (e.g., Active Directory).
  • Deploying endpoint detection and response (EDR) across government networks.
  • Training staff on phishing detection and access hygiene.

Curaçao’s Parliament is now debating an emergency cyber modernization package, which includes funding for firewall upgrades, email encryption, and mandatory multi-factor authentication (MFA) across all public departments.

“This was a wake-up call,” said Aruba’s Minister of Public Innovation Xiomara Maduro. “Our digital sovereignty is only as strong as our weakest link. Cybersecurity must now be a national priority.”
