- A hacker claims they stole 890GB of data, including five years’ worth of secret surveillance videos, from an Iranian nuclear facility.
- The breach reportedly exposes at least 20,000 classified files together with video feed from over 60 of the facility’s internal security cameras.
- This leak comes just a few days after the Bushehr Nuclear Power Plant witnessed a physical attack.

A threat actor who goes by the pseudonym “Jondata1” is offering a huge dataset that supposedly came from a ‘top secret’ Iranian nuclear facility for sale on the dark web.
They described the alleged breach as a “Tier 1” strategic threat. It could expose personnel and operations to hostile forces.
The timing couldn’t be more explosive. It follows a recent physical attack on the Bushehr plant and an escalation of cyber-skirmishes between Iran-linked groups and Western targets.
Strategic Blueprint of Iran’s Nuclear Power for Sale
According to intelligence gathered from hacker forums between March 10 and 18, the actor claims to have stolen a staggering 890GB of data. The information isn’t just a collection of files; it paints a complete picture of the facility’s inner workings.
Reports indicate that the breach of the facility’s surveillance system allowed the hacker access to over 60 of the facility’s internal security cameras. The stolen visual data includes 340GB of footage, covering five years of continuous activity inside the site.
On top of the video, the actor claims to have exfiltrated 550GB of technical documents. This cache supposedly contains over 20,000 classified files pulled from internal devices. Experts worry this could include blueprints, centrifuge data, and safety protocols.
Physical Strike on Iran’s Bushehr Nuclear Power Plant
Apparently, this digital break-in didn’t pop out of nowhere. A day before the threat actor advertised the data breach, the Atomic Energy Organization of Iran (AEOI) announced that on March 17 an ‘enemy projectile’ hit the outer perimeter of the Bushehr Nuclear Power Plant. Luckily, there was no damage and no radiation leak occurred.
Similarly, pro-Iranian hacktivist groups are increasing their own operations. Groups like Handala have claimed responsibility for major attacks on US medical device giant Stryker and payment processor Verifone. Handala described these hacks as retaliation for military strikes on Iran.
This has led analysts to believe the nuclear leak might be a direct counter-strike. It could be an attempt to gather intelligence that can be used for kinetic targeting or to identify individuals for recruitment or assassination.
Why This Breach Bodes Badly for Security
- The Dangers of Lived-In Footage: Having access to years of security footage is a goldmine for bad actors. They can study the daily routines of scientists and security personnel. This “visual intelligence” allows them to identify the weakest moments for a physical attack or pinpoint high-value individuals for targeting.
- Reverse-Engineering State Secrets: The 550GB of technical documents the threat actor claims to have taken could contain details of Iran’s enrichment levels and centrifuge performance. If non-governmental actors acquire this kind of intelligence, they may be able to use it as a guide for causing damage by means comparable to the Stuxnet worm, which interfered with Iranian centrifuges several years ago.
- Real-Time Damage Assessment: If military action is taken against the facility, having access to the live camera feeds would be an incredible advantage. It would allow an adversary to see exactly where their bombs land and assess the damage instantly.
- A Diplomatic Time Bomb: If those leaked files include private messages between Iran and the IAEA, that information can be twisted to mess with diplomatic talks. It might expose disagreements or activities that Iran has not declared, further complicating the already stalled nuclear talks at the U.N.
The exposure of sensitive data isn’t limited to nuclear facilities; a separate breach of an Iranian health platform leaked the personal information of 700,000 citizens, proving that when state secrets are targeted, ordinary people’s data becomes collateral damage in the cyber war.
Steps to Take to Prevent Such Risks
This leak really shakes up the world of critical infrastructure. Security experts everywhere are calling on facilities to act now. They recommend facility admins run a full “physical-to-digital” audit. The priority is to sever any hidden links between surveillance networks and internal document storage.
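One way to look for the hidden links this audit is meant to sever, shown as an added example that is not from the article or any facility named in it: aggregate flow records that connect a surveillance zone to a document-storage zone in either direction. The subnets, the four-field flow format and the sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed zone map (assumption): replace with the site's real address plan.
ZONES = {
    "surveillance": [ipaddress.ip_network("10.20.0.0/24")],
    "documents": [ipaddress.ip_network("10.50.8.0/22")],
}

# Constructed flow records, "src dst dst_port bytes" (not real telemetry).
SAMPLE_FLOWS = """\
10.20.0.14 10.20.0.2 554 918234
10.20.0.2 10.50.9.30 445 73400320
10.50.9.30 10.50.8.5 443 20480
10.50.10.7 10.20.0.2 22 5120
192.168.1.9 10.50.8.5 443 1024
not a flow line
"""


def zone_of(addr):
    """Return the zone name an address belongs to, or None if unzoned."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return None


def cross_zone_links(flow_text, a="surveillance", b="documents"):
    """Aggregate flows that join zone a and zone b, in either direction."""
    links = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        try:
            pair = {zone_of(src), zone_of(dst)}
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue  # skip malformed records instead of aborting the audit
        if pair == {a, b}:
            links[(src, dst, port)]["flows"] += 1
            links[(src, dst, port)]["bytes"] += nbytes
    return dict(links)


if __name__ == "__main__":
    for link, stats in cross_zone_links(SAMPLE_FLOWS).items():
        print(link, stats)
```

Every link reported is a path that should either be removed or be justified and documented.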
Old security methods just won’t cut it anymore. Passwords are no longer enough. Experts are calling for hardware-based multi-factor authentication. This is the only reliable way to protect admin accounts in today’s threat landscape.
Teams also need to assume the worst. They need to quickly check for any hidden backdoors or sleeper accounts. If someone made changes to VPNs or SSH keys after February 2026, that needs to be looked into right away.
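A sketch of that review, added here as an example and not taken from the article: walk a directory tree and report SSH and VPN files modified on or after a cutoff, listing the keys in any `authorized_keys` file so unfamiliar entries stand out. The cutoff interpretation and the watched file names are assumptions.

```python
import fnmatch
import os
from datetime import datetime, timezone

# Assumption: "after February 2026" is read broadly as 1 Feb 2026 (UTC) onward.
CUTOFF = datetime(2026, 2, 1, tzinfo=timezone.utc)
# Assumption: conventional OpenSSH / OpenVPN / WireGuard file names on Linux.
WATCHED = ("authorized_keys", "authorized_keys2", "sshd_config", "*.ovpn", "wg*.conf")


def key_entries(path):
    """Return (key_type, comment) for each key line in an authorized_keys file."""
    entries = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue
            # Options such as from= or command= may precede the key type.
            idx = next((i for i, f in enumerate(fields)
                        if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
            if idx is not None:
                entries.append((fields[idx], " ".join(fields[idx + 2:])))
    return entries


def recent_changes(root, cutoff=CUTOFF, patterns=WATCHED):
    """Return watched files under root with mtime at or after cutoff."""
    # mtime can be reset by anyone with write access: an empty result is weak evidence.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatch(name, p) for p in patterns):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
                if mtime < cutoff:
                    continue
                keys = key_entries(path) if name.startswith("authorized_keys") else []
            except OSError as exc:  # report unreadable files instead of hiding them
                findings.append({"path": path, "modified": f"unreadable: {exc}", "keys": []})
                continue
            findings.append({"path": path, "modified": mtime.isoformat(), "keys": keys})
    return sorted(findings, key=lambda f: f["modified"])


if __name__ == "__main__":
    print(*recent_changes("/etc"), sep="\n")
```

Run it with enough privilege to read every home directory, and compare the listed keys against the approved key inventory.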
Personnel must adopt a zero-trust mindset. Attackers who have five years of footage can create perfect impersonations. Staff should be highly suspicious of any unsolicited messages about “emergency maintenance.”