Europol looks to have been hit for some sensitive and classified information as a moderator with one of the biggest underground data trading forums claimed an attack and posted samples, only to see an FBI raid hit the forum days later. The data breach is still not officially confirmed, but between statements to the media seemingly confirming the authenticity of some samples and the follow-up law enforcement action, it seems a safe bet that it is real.
Classified information on Europol employees, internal procedures claimed by hacker
The data breach is the work of “IntelBroker,” a moderator of the popular underground site BreachForums and a figure who has now been involved in several breaches of government servers dating back through 2023. This includes a breach of a contractor that handles sensitive information for the “Five Eyes” intelligence alliance just last month, something that also likely contributed to the sudden and swift raid of the site.
BreachForums now displays a message saying it has been seized by the FBI, but IntelBroker was claiming to have sold the stolen classified information days before this happened. This would also not be the first time the hacking forum has been raided: it existed as RaidForums for nearly a decade until 2022, then rebranded and survived raids in both 2022 and 2023.
Those prior raids all ended with the arrest of some sort of administrator or central figure, who then passed the torch on to a follower to spin the forum up again. It remains to be seen if IntelBroker will be brought to justice, but all indications are that the classified information from Europol has already moved on to other hands, and it has been confirmed that the stolen Five Eyes information was previously leaked.
Europol still investigating data breach, but confirms some sample pieces are legitimate
In terms of classified information, the fallout from the data breach appears to consist of some amount of employee information and internal emails as well as documents that describe how certain procedures and investigations are conducted. The hacker also claims to have stolen source code for unspecified tools.
The hacker claimed breaches of the European Cybercrime Centre (EC3) and the Europol Platform for Experts (EPE), but the supporting evidence appears to indicate that the evidence platform SIRIUS was the central point of focus. This platform is used as a central gathering place for storing data retrieved from social media platforms and other public sources. One of the screenshots that IntelBroker posted as evidence of the data breach shows law enforcement officers discussing means to request data from the Telegram messaging app.
For its part, Europol has not yet fully confirmed the data breach but has told media sources that screenshots of tools used by several agencies were legitimate. However, the organization said that the shots came from a test environment only accessed by a closed user group and that they would not indicate access to classified information or sensitive data.
The results of the internal investigation are still pending, but IntelBroker claimed to have already sold off the stolen data to an unnamed private buyer for an undisclosed sum of Monero.