One of the biggest players in the data extortion game is claiming to have breached several of Europol’s agencies, extracting classified information about its internal procedures and some amount of personal information and private emails. There is not yet any official confirmation that the data breach is real, but a number of security analysts that have viewed the samples from it say that it looks legitimate.
Europol investigating potential data breach
For its part, Europol has told the media that it is aware of the incident and is investigating internally. The data breach was claimed by an underground forum user named “IntelBroker,” a moderator of one of the biggest dark web forums used for exchange of stolen information and someone that has been involved in high-profile data thefts in the past.
IntelBroker claims that the data breach took place sometime this month and that both classified information and internal “for official use only” (FOUO) materials were taken. This includes Alliance employee information, source code for internal tools, documents outlining internal procedures for certain aspects of criminal investigations, and e-mails.
The hacker claims that the data breach includes classified information from Europol’s evidence platform SIRIUS as well as several different agencies, such as the European Cybercrime Centre (EC3) and the Europol Platform for Experts (EPE). There is not yet any indication as to how the data breach might have happened, but IntelBroker has offered samples as proof that include a portion of an EC3 database and screenshots of an EPE interface.
Europol did seem to confirm that the EPE interface screenshots were legitimate, but told the media that the particular tool was only available to a “closed user group” and that it was not possible for operational data to be compromised in that way. Some of the screenshots show law enforcement officers using the SIRIUS platform to discuss how to submit cross-border requests for information from certain social media platforms and messaging apps, Telegram specifically in the sample that InfoBroker opted to share.
As to the fate of the stolen data, if it is indeed legitimate, InfoBroker very recently updated their post to indicate it was sold to a private buyer for an undisclosed amount of Monero. The negotiations and sale apparently took place via direct message on the dark web.
Full scope of classified information stolen still unknown as data breach claims are investigated
The data breach needs to at least be assumed as fully legitimate and involving classified information, particularly as IntelBroker has been on a tear of selling and dumping stolen government data as of late. In early April, the hacker leaked data allegedly stolen from the “Five Eyes” intelligence partnership that appears to have been obtained from a third party consulting firm. Security researchers note that some of the sample data from Europol appears to also have been present in that earlier leaked data, suggesting a possible connection between the incidents. There is not yet any connection to the physical break-in at Europol that happened in March of this year, which resulted in thieves carting off some amount of files containing the personal information of the agency’s high-level executives.
Europol has experienced a string of concerning document security lapses that dates back as far as 2016, when the organization left 700 pages of internal notes on terrorist group investigations available to the open internet with no protection. Another fairly recent incident involving classified information took place in September of 2023, when sensitive personnel papers that are supposed to be stored in a safe in a secure storage area turned up missing.
IntelBroker’s streak of attacking government agencies (and their attendant contractors) now goes back over a year. In March of 2023 the hacker broke into DC Health Link, an insurance provider for members of Congress and staffers, and offered personal information on about 170,000 people. The hacker re-emerged in the news in November of that year claiming to have stolen sensitive classified information from government contractor General Electric. And just last month IntelBroker claimed to have breached security firm Zscaler, which provides cloud services and zero trust solutions to a variety of federal government agencies; however, Zscaler has disputed that any sensitive data or classified information was lost and claims that only a test environment was penetrated.
The drama has thus far played out on Breachforums, which was just seized by the FBI on Wednesday, likely in response to this string of government breaches. This is at least the second time the cybercrime forum has been seized, with a raid in 2023 leading to an arrest of one of the operators. Breachforums grew out of previous cybercrime hub Raidforums, which was taken down in 2022 and saw the arrest of a Portuguese administrator that had been living in the United Kingdom.