Was NATO breached? Massive database leak claim triggers security concern

A threat actor has posted an alleged 3.5TB “NATO database” for sale on an underground cybercrime forum, triggering fears that sensitive defense-linked contact data across multiple allied institutions may have been exposed.

A threat actor is advertising on underground cybercrime forums what they describe as a massive “NATO Database + Confidential Documents” archive totaling approximately 3.5TB.

At this stage, there is no independent verification confirming the dataset's authenticity, origin, or full scope. However, the size and content of the alleged dataset are raising concerns about potential exposure involving defense personnel and organizations tied to multiple allied countries.

According to the forum post, the alleged dataset references a broad network of NATO-affiliated military, aerospace, research, and government institutions.

The threat actor also claims the dataset contains sensitive contact and organizational data tied to individuals working across the defense sector.

If the data proves to be legitimate, this could cause multiple security risks. Cybernews has reached out to NATO for comment, but has yet to receive a response.

What data was allegedly exposed?

Cybernews researchers reviewed sample files published by the attackers. The samples contained 9 records exposing personally identifiable information, including:

  • Full names
  • Nationalities
  • Work email addresses
  • Phone numbers
  • Physical workplace addresses
  • Employer information
  • Job titles and position details

While the forum listing heavily references NATO, researchers found that only 2 of the visible records appeared to be directly tied to NATO officials.

The remaining records allegedly belonged to individuals connected to organizations, including:

  • KTH Royal Institute of Technology in Sweden
  • Norwegian Defense Research Establishment (FFI)
  • SINTEF, Norway’s independent research organization
  • Turkish government-linked entities

Our researchers say the data's structure suggests the source may not be a direct NATO breach.

“The numbers or whether this dataset actually came from NATO could not be confirmed at this stage,” they noted.

“There is a possibility this originated from a third-party service breach instead.”

Even if the dataset contains mostly contact and organizational information rather than classified military material, our researchers warn that such data can still become highly valuable for intelligence gathering and cyber operations.

They say the exposed information could present a particularly high risk of targeted phishing attacks against the named individuals and institutions.

“There’s a particularly high risk of spear-phishing for the mentioned individuals and the institutions they work in,” our researchers warned.

Unlike commercial data leaks, defense-related datasets can carry significant intelligence and counterintelligence value. Even basic personnel records may help attackers launch highly targeted spear-phishing campaigns against government officials, military contractors, and researchers.

Such information can also support broader intelligence collection efforts and social engineering operations by revealing how allied institutions are interconnected.

Attackers selling alleged NATO data for just $5,000?

One unusual detail in the listing is the relatively low asking price. The threat actor is reportedly seeking only around $5,000 for the entire alleged 3.5TB archive.

Our researchers say that could indicate a lack of authenticity in the data.

“Yes, it could be a clue,” they explained.

“But it may say more about the origin of the breach than about whether the data itself is valuable.”

The relatively low price may suggest:

  • Large amounts of duplicate data
  • Unverified or partially aggregated records
  • Third-party collected information
  • Stealer-log sourced data
  • Low confidence from the seller regarding exclusivity

The researchers also observed that the threat actor behind the listing appears relatively new to the underground forum ecosystem.

According to Cybernews analysis, the account joined the forum only several weeks ago but has already published at least 13 separate listings.

“All of them follow a similar pattern. Big claims, small samples,” our researchers noted.

The samples themselves vary significantly in format. Some resemble traditional database exports such as CSV or JSON files, while others appear structurally similar to stealer logs collected from infected devices.

“So if they are not simply recycling other breaches, they likely have multiple methods of collecting data,” the researchers added.
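The two observations above, that a low price may point to duplicated or aggregated data and that the samples mix database exports with stealer-log style material, are the kind of thing an analyst checks mechanically before taking a listing seriously. The following triage script is an added illustration written for this article, not Cybernews tooling or anything recovered from the listing. It parses a constructed sample in the three shapes the article mentions (CSV export, JSON export, and `url|username|password` stealer-log lines), deduplicates by normalised email, and reports how many unique records actually belong to the organisation named in the listing versus third parties. All names, domains and values are invented placeholders; the claimed domain `nato-example.int` is likewise an assumption for the demo.

```python
"""Leak-sample triage: parse common dump formats, deduplicate, and measure how
much of a sample really belongs to the organisation a seller claims it came from."""
import csv
import io
import json
from collections import Counter

# Constructed sample data (all fake; example-style domains only).
SAMPLE_CSV = """full_name,nationality,work_email,phone,employer,job_title
Alice Example,SE,alice.example@kth-example.se,+46 700000000,KTH-EXAMPLE,Researcher
Bob Example,NO,bob.example@ffi-example.no,+47 40000000,FFI-EXAMPLE,Analyst
Alice Example,SE,ALICE.EXAMPLE@kth-example.se,+46 700000000,KTH-EXAMPLE,Researcher
Carol Example,INT,carol.example@nato-example.int,+32 20000000,NATO-EXAMPLE,Officer
"""

SAMPLE_JSON = """[
 {"full_name": "Dan Example", "work_email": "dan.example@sintef-example.no",
  "employer": "SINTEF-EXAMPLE", "job_title": "Engineer", "nationality": "NO", "phone": ""},
 {"full_name": "Carol Example", "work_email": "carol.example@nato-example.int",
  "employer": "NATO-EXAMPLE", "job_title": "Officer", "nationality": "INT", "phone": "+32 20000000"}
]"""

# Stealer logs are usually url|username|password triplets; secrets are masked here.
SAMPLE_STEALER = """https://portal.kth-example.se/login|alice.example@kth-example.se|<redacted>
https://mail.gov-example.tr/owa|erdem.example@gov-example.tr|<redacted>
"""


def normalize_email(email):
    """Lower-case and strip so case variants collapse to one identity."""
    return (email or "").strip().lower()


def parse_csv_records(text):
    """Database-export style sample: CSV with a header row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["source"] = "csv_export"
    return rows


def parse_json_records(text):
    """Database-export style sample: a JSON array of objects."""
    rows = json.loads(text)
    for row in rows:
        row["source"] = "json_export"
    return rows


def parse_stealer_lines(text):
    """Infostealer-style lines; only the URL and username are retained."""
    rows = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 2:
            continue
        rows.append({"work_email": parts[1], "origin_url": parts[0], "source": "stealer_log"})
    return rows


def dedupe_by_email(records):
    """Keep the first record per normalised email; records without one are dropped."""
    seen, unique = set(), []
    for rec in records:
        key = normalize_email(rec.get("work_email"))
        if not key or key in seen:
            continue
        seen.add(key)
        unique.append(rec)
    return unique


def domain_breakdown(records):
    """Count unique records per email domain: the quickest affiliation signal."""
    return Counter(normalize_email(r.get("work_email")).rpartition("@")[2] for r in records)


def triage(records, claimed_domain):
    """Summarise duplication, provenance mix and share tied to the claimed victim."""
    unique = dedupe_by_email(records)
    domains = domain_breakdown(unique)
    claimed = sum(n for d, n in domains.items()
                  if d == claimed_domain or d.endswith("." + claimed_domain))
    stealer = sum(1 for r in records if r.get("source") == "stealer_log")
    return {
        "total": len(records),
        "unique": len(unique),
        "duplicates": len(records) - len(unique),
        "domains": dict(domains),
        "claimed_share": claimed / len(unique) if unique else 0.0,
        "stealer_log_share": stealer / len(records) if records else 0.0,
    }


def load_sample():
    """Combine the three constructed sample formats into one record list."""
    return (parse_csv_records(SAMPLE_CSV) + parse_json_records(SAMPLE_JSON)
            + parse_stealer_lines(SAMPLE_STEALER))


if __name__ == "__main__":
    print(json.dumps(triage(load_sample(), "nato-example.int"), indent=2))
```

On the constructed sample the report shows three of eight records are duplicates, a quarter of the records carry stealer-log provenance, and only one of five unique identities sits under the claimed domain. Those are exactly the signals the researchers quoted above describe: a high duplicate ratio and a small share of records tied to the named victim argue for aggregation or a third-party source rather than a direct breach of that organisation.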

APT persistently targeting NATO partners

Cyberattacks have become a political tool in modern warfare, and this has been especially visible during Russia’s war in Ukraine.

Last year, during the NATO Summit in The Hague, Netherlands, the Russian hacktivist group NoName057(16) carried out a DDoS attack against NotuBiz, a company that provides IT solutions to municipalities and other political institutions. Multiple governmental websites were knocked out and temporarily unavailable.

This year, the Chinese espionage group TA416 reportedly resumed operations targeting EU and NATO entities. According to Proofpoint, the latest wave of attacks began just one day after the 25th EU-China summit.

The activity comes amid a broader surge in China-linked cyber operations targeting Europe, particularly campaigns aimed at critical infrastructure. Another China-affiliated group was reportedly discovered embedded within European telecommunications networks.

In March, threat actors leaked more than 350GB of data purportedly stolen from the European Commission.