
Threat Actor Claims to Sell Admin Access to Bolivian Government GitLab for $1,000

Last updated: June 11, 2026
  • A threat actor claims to sell administrator access to a GitLab environment tied to a Bolivian government organization.

  • The listing offers access to over 200 projects for roughly $1,000.

  • Security experts warn that compromised GitLab admin accounts create serious supply chain and government security risks.

Someone on a cybercrime forum is selling administrator access allegedly connected to a government organization in Bolivia. The seller says the access includes full GitLab administrative privileges. That means visibility into more than 200 software projects.

The threat actor wants around $1,000 for this access. They also shared contact information for interested buyers. But here is the catch. No one has independently verified the claim. There is also no public confirmation that the GitLab environment actually belongs to a Bolivian government agency.

So treat these claims as unverified for now. More proof needs to come out before anyone knows for sure. Even so, this alleged sale highlights a real problem. The market for stolen government and corporate access keeps growing.

Why GitLab Access Packs a Punch

Developers use GitLab to store their source code and manage their software projects; teams use GitLab to track changes and automate the release of new software. Many government agencies use GitLab as their single source of truth for development.

If an attacker had administrator-level access, they could reach all of the confidential information an organization stores on GitLab, such as source code and internal documents.

This would include deployment configuration settings, project roadmaps, and other information needed to develop and operate the system.

An attacker with this level of access could also reach the credentials stored with the infrastructure configurations that support these projects.

The damage would extend beyond a single application, since development platforms sit at the centre of organizations' technology operations.

An attacker with access to a development platform could gain access to cloud services, databases or other infrastructure, as well as to an organization’s internal network and any related critical infrastructure.

Organizations developing software to support the delivery or operation of public services are much more vulnerable. Why? Because their projects may support functions that connect directly to a specific internal operation or relate to national infrastructure.

Supply Chain Risks Raise the Alarm

One of the biggest worries is software supply chain attacks. Instead of targeting users directly, hackers tamper with the development process itself.

With enough privileges, an attacker could modify code. They could change software deployment settings. Creating hidden user accounts would be possible too. They might even insert malicious components into future software releases.

These attacks are hard to spot. They happen inside trusted development environments. We’ve witnessed several supply chain attacks in the past few years, making this area a major focus for security teams.

Both criminal groups and state-backed actors increasingly target software vendors and development platforms. This helps them reach more victims at once.

Right now, no evidence suggests any of this has happened in this case. But the risk helps explain why these listings attract security researchers.

A Low Price for Potentially High Value

The reported price of $1,000 seems low. The access could be worth much more. But low prices are common in underground cybercrime markets.

Threat actors want to sell access quickly. They try to do it before the victim finds out and shuts them down. Speed often matters more than getting top dollar.

This listing also shows the rise of so-called “initial access brokers.” These actors specialize in breaking into networks. Then they sell that access to other criminals instead of launching attacks themselves.

The market for stolen access is global. A Pakistani manufacturer’s VPN and admin access were recently listed for sale on the dark web, another example of this growing criminal enterprise.

Buyers come from all over. Ransomware groups need access to internal company data. Data thieves are no exception. Such access is also valuable to financial fraudsters as well as espionage actors hunting for entry points into target organizations. That means even an unverified access sale can draw serious interest.

But as alarming as this listing is, many uncertainties remain. There has been no confirmation of where the actor obtained the alleged access. The seller has not publicly proven they own the environment. They only made claims in the advertisement.

It is also unclear if the access still works. Maybe the victim already revoked it. The advertised privileges might not match what the seller actually controls. Cybercrime forums mix legitimate listings with fake ones. Some sellers exaggerate their claims. Others run scams by selling access they do not have.

Without independent proof, no one can say which category this listing falls into.

A Warning for Every Organization

Whether this claim turns out to be true or not, the fact that such a listing exists at all is a wake-up call for everyone. Organizations need to secure their development platforms.

Security teams should use multi-factor authentication for privileged accounts. They need to monitor administrator activity closely. Regularly reviewing user permissions helps too. Rotating sensitive credentials stored in development environments is also smart.
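As an added illustration (not part of the original article), the sketch below reviews active GitLab administrator accounts for three of the conditions mentioned above: no two-factor authentication, recent creation, and long inactivity. The sample records are constructed and shaped like the admin-token response of GitLab's `GET /api/v4/users`; the 30-day and 90-day thresholds and the finding labels are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like an admin-token response from GET /api/v4/users.
SAMPLE_USERS = json.loads("""[
 {"id": 1, "username": "root", "state": "active", "is_admin": true,
  "two_factor_enabled": false, "created_at": "2021-03-02T10:00:00.000Z",
  "last_activity_on": "2026-06-09"},
 {"id": 7, "username": "alice", "state": "active", "is_admin": true,
  "two_factor_enabled": true, "created_at": "2022-01-15T09:30:00.000Z",
  "last_activity_on": "2026-06-10"},
 {"id": 212, "username": "svc-deploy2", "state": "active", "is_admin": true,
  "two_factor_enabled": false, "created_at": "2026-06-01T23:41:00.000Z",
  "last_activity_on": "2026-06-10"},
 {"id": 19, "username": "olddev", "state": "active", "is_admin": true,
  "two_factor_enabled": true, "created_at": "2020-05-05T08:00:00.000Z",
  "last_activity_on": "2025-11-01"},
 {"id": 40, "username": "bob", "state": "active", "is_admin": false,
  "two_factor_enabled": false, "created_at": "2023-02-02T08:00:00.000Z",
  "last_activity_on": "2026-06-10"}
]""")

def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_admins(users, now, new_days=30, stale_days=90):
    """Return (username, finding) pairs for active administrator accounts."""
    findings = []
    for u in users:
        if not u.get("is_admin") or u.get("state") != "active":
            continue  # only active administrators are in scope here
        if not u.get("two_factor_enabled"):
            findings.append((u["username"], "admin-without-2fa"))
        if now - parse_ts(u["created_at"]) < timedelta(days=new_days):
            findings.append((u["username"], "recently-created-admin"))
        last = u.get("last_activity_on")  # date string, or None if never active
        if last is None or (now.date() - datetime.strptime(last, "%Y-%m-%d").date()
                            > timedelta(days=stale_days)):
            findings.append((u["username"], "stale-admin"))
    return findings

if __name__ == "__main__":
    review_time = datetime(2026, 6, 11, tzinfo=timezone.utc)  # constructed "now"
    for username, finding in audit_admins(SAMPLE_USERS, review_time):
        print(f"{username}: {finding}")
```

Each finding is a prompt for human review: a recently created administrator may be a legitimate new hire, and a stale one may simply need its privileges removed.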

Development platforms make attractive targets. They hold valuable information. And they provide access to many parts of an organization’s technology infrastructure.

For now, this alleged Bolivia-linked GitLab sale remains unverified. But if the access is real, the consequences could reach far beyond one account. Software projects, internal systems, and critical government development resources could all end up exposed.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
