Dark Web Seller Claims Sale of 20 Million Romanian Citizen Records

On May 19, a dark web seller reportedly announced the sale of approximately 20 million records about Romanian citizens. The threat actor noted that payments are only in Monero, a cryptocurrency designed to be anonymous.

The alleged database reportedly contains sensitive data, including full names, birth dates, home addresses, phone numbers, email addresses, and national identification numbers. Romania’s population stands at roughly 19 million people; this means a dataset of 20 million records would approach nationwide coverage if the seller’s claims prove accurate.

Independent researchers have not yet verified the database’s authenticity. Currently, the Romanian National Cyber Security Directorate, or Romania’s data protection authority, has not released any confirmatory message regarding the exposure of this information.

Security experts advise treating this as an alleged exposure rather than a confirmed compromise of any government registry.

Monero Payment Request Adds Privacy Complications

The seller insists on receiving payment only in Monero, which cybercriminals frequently favor for illicit transactions – Monero transactions are much harder to trace than those on transparent ledgers like Bitcoin or Ethereum. The dark web listing also requires escrow arrangements and proof of funds before disclosing the data source.

The advertisement markets the dataset for cyber threat intelligence, phishing operations, and security research purposes. The listing also offers moderator samples for vouching, a common practice to prove the data’s authenticity to potential buyers. However, this framing does not reduce the risk to ordinary Romanian citizens.

If these documents are legit, the criminals could utilize the records to craft extremely believable phishing emails for the general public. The records include all personal names and their respective addresses, as well as phone numbers, e-mail addresses, and their respective national identifiers.

Utilizing this type of personal information, a criminal can disrupt the normal flow of business by opening phony accounts, circumventing very low-level identity verification processes, and sending victims visibly legitimate alerts regarding taxes, bank activity, courier services, or government services. 

Romanian identity data holds particular sensitivity because the national identifier, known as the CNP, is a 13-digit personal numeric code. Citizens use this code across identity verification, taxation, and numerous administrative processes. Romania’s personal records authority operates within the Ministry of Internal Affairs structure.

Dataset Could Come from Multiple Sources

A dataset of this massive scale could originate from several different types of sources. There are different possible origins of such a volume of records, including a state system database, a government-linked service, a tax or identity verification workflow, or a private-sector data aggregator. The information could also combine multiple previous leaks or consist of fabricated and recycled records repackaged as a fresh national breach.

Romanian digital access to government services relies on identity-linked systems such as ROeID. The dark web listing does not provide any proof that these specific systems suffered compromise.

Security researchers emphasize that a verified breach would require independent confirmation of the dataset’s authenticity, the source system, the collection date, the number of unique individuals affected, and whether the data includes active CNP records.

This case differs from typical crypto-linked crime stories. Many such incidents begin with an onchain exploit or stolen cryptocurrency funds. Here, the crypto element merely serves as the requested payment method, while the central risk involves alleged identity data exposure at a national scale.

Citizens Should Remain Vigilant Against Phishing

Romanian citizens should be extremely cautious of any unsolicited emails until officials confirm or deny the extent of the breach. Phishing scams that ask for personal identification documents, tax payments, banking information confirmation, shipping or handling fees, and name verification will be particularly vulnerable if they are using real personal data (such as name, address, telephone number, etc.) to create a sense of legitimacy. 

Many criminals use the information they obtain from data breaches to lend validity to their phishing attempts. Voice phishing is another threat to watch for. A Romanian national was charged in the US for a vishing operation, reminding citizens to be cautious of unsolicited phone calls as well as emails.

A potential victim receiving a phishing email containing their correct name, address, phone number, and CNP will view the email as far more credible than a generic email that contains no specific personal identifiers. The greater credibility of the phishing email creates a greater likelihood that the recipient will fulfill the fraudulent phishing request.

Security professionals suggest that all citizens should maintain regular monitoring of their financial accounts for any unauthorized transactions. In addition, the placement of fraud alerts and credit alerts with the major credit bureaus will assist in protecting against identity theft.

In situations where there is a legitimate expectation for a communication to occur, verify the legitimacy of the communication using established business processes rather than by clicking on any links found within the communication. 

To date, Romanian authorities have not developed any investigative activity related to the claims on the dark web regarding the data breach; the situation is still an ongoing process as security researchers continue to monitor for any indication of the compromised data on underground forums.