40,000 Government User Credentials Found on Dark Web

Researchers from Group-IB have discovered more than 40,000 user accounts on the Dark Web that appear to be compromised credentials for online government websites in 30 countries. 

Most of the victims, the firm says, were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). The researchers also believe the user data might have been sold on underground hacker forums or used in targeted attacks for money theft or information exfiltration.

Official government portals of Poland, Romania and Switzerland, the websites of the Italian Ministry of Defense, the Israel Defense Forces, the Government of Bulgaria, the Ministry of Finance of Georgia, the Norwegian Directorate of Immigration, the Ministries of Foreign Affairs of Romania and Italy and many other government agencies were affected by the data compromise.

Additionally, the security researchers say that government employees, military personnel and civilian citizens with accounts on the official government portals of France, Hungary and Croatia were also affected by this data compromise.

The credentials were stolen using special spyware, Group-IB says, including formgrabbers and keyloggers such as Pony Formgrabber, AZORult and Qbot (Qakbot). The attackers sent phishing emails to personal and corporate email accounts and hid malware as attachments disguised as a legitimate file or archive. 

The stolen data, usually sorted by subject (banks’ client data, government portals user accounts, combo lists – email & password) is being sold on underground hacker forums. According to Group-IB, government websites’ user accounts, however, are less common on these forums. 

The researchers note that both cybercriminals and state-sponsored APT-groups that focus on sabotage and espionage are usually interested in such information. Armed with credentials of government websites’ users, hackers can obtain classified information from these portals, or infiltrate government networks. 

“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers,” commented Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB).

“Government agencies are easy targets of phishing campaigns because they often publish their employee directories online. They are also highly desired targets because they store sensitive information on state secrets, on new products in the process of approval, including those of the world’s largest companies, and on private citizens. And given budget cuts, many of these agencies rely on a large pool of third parties, who are listed in publicly available government sites,” Mike Bittner, Digital Security & Operations Manager of The Media Trust, told SecurityWeek in an emailed comment.

“Since transparency is a government’s responsibility in a democracy, agencies should beef up their security measures. A few key steps include continuously scanning in real time the sites and mobile apps that citizens and companies use to access government services in order to identify any unauthorized activities and nip them in the bud. Second, they should know who all their third parties are and what activities they have authorized them to conduct. Third, they should use physical devices that generate a new token each time a government employee logs in. Fourth, they should train all staff to be wary of phishing scams and other suspicious events. Finally, since securing sensitive information is key to accomplishing their mission, it should be appropriately funded. These phishing campaigns will only grow in frequency, mainly because they pay off,” Bittner added.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
