Hacker Claims Theft of UAE Investor Data Including Golden Visa Records

Last updated: April 24, 2026
  • A cybercriminal known as MDGhost claims to have stolen 30 gigabytes of data belonging to a UAE investor platform, including documentation related to the Dubai Golden Visa.

  • The UAE’s cybercrime laws prohibit individuals from accessing data without proper authorization, and violators face large fines.

  • The compromised data covers investors from several countries, and a full sample has been released as proof, which is standard practice in ransomware cases.


MDGhost, an online threat actor, claims they have hacked into an investor platform in the United Arab Emirates. They further claim to have accessed 30GB+ of highly sensitive information. 

The reportedly compromised data includes account holder information, visa documentation (including Dubai Golden Visa applications), records of financial transactions, and documents directly related to people’s identities.

The information purportedly covers investors from multiple countries, and the hacker has already released a full sample to prove the breach occurred.

The dark web is used for many types of criminal activity. A US court recently sentenced a man to 14 years in a major dark web child exploitation case, illustrating that law enforcement is actively investigating and prosecuting criminals who operate in these hidden online spaces, whether they are stealing investment data or exploiting children.

Hacker Leaks 30GB of Investor Data, Including Golden Visa Documents

MDGhost, also tracked by security researchers as BlackH4t MD-Ghost, announced the breach on dark web forums on April 23, 2026. The cybercriminal claims to have extracted a massive 30-gigabyte data set from an unnamed investor platform operating within the UAE.

Allegedly, the leaked documents contain some of the most sensitive information that an individual can possess. The Golden Visa application process in Dubai requires a significant amount of sensitive personally identifiable information, including identity verification documents and financial disclosures. The hacker released a sample of the stolen data publicly, potentially to pressure U.S. residents, as well as others, into paying the ransom demands.

In Dubai, the Golden Visa program allows qualifying entrepreneurs and investors to apply for 10-year renewable residency in exchange for meeting specific investment criteria. Typically, the process requires investors to invest in property worth $545,000 or more. The program continues to grow in popularity: 158,000 Golden Visas were issued in Dubai during 2023.

The exposure of Golden Visa documents creates risks for affected investors. It could lead to criminals committing identity theft and financial crimes, or obtaining loans and opening bank accounts using someone else’s identity.

UAE Cybercrime Laws Carry Severe Penalties for Data Theft

In the UAE, stealing information and data carries serious legal consequences. Federal Decree-Law No. 34 of 2021 on Combating Rumors & Cybercrime sets out rules on illegally obtaining or sharing another party's electronic data, including personal electronic data.

According to Article 6 of the Law, individuals who acquire, possess, or disclose another person’s personal electronic data without authorization risk a minimum of 6 months of imprisonment.

The individual may also face a fine of 20,000 to 100,000 dirhams (the UAE currency). The fines become significantly higher when the personal electronic data relates to a bank account or payment information, i.e., credit or debit cards.

The UAE government has established procedures to report cyber incidents. Organizations that suffer security breaches must report through designated channels, including the eCrimes platform on the Ministry of Interior app or by calling the unified call center at 901.

Specialists from the Cybercrime section of the Dubai Police’s Criminal Investigation Department will then contact complainants to complete the final legal steps of reporting the incident.

Data Breach Notification Rules Require Companies to Report Incidents

UAE data protection regulations impose specific obligations on organizations that experience security breaches. The UAE Data Office, created by Federal Decree-Law No. 44 of 2021, monitors compliance with the National Personal Data Protection Framework within the country.

Under the Personal Data Protection Law, a Data Controller that discovers any type of data breach on its systems must notify the Data Office.

Also, the Data Controller must provide the Data Office with additional information, such as:

  • How the data breach occurred
  • How many data records were affected
  • The estimated effect of the exposure caused by the data breach
  • The actions taken to correct and prevent any further data breaches from occurring

If the data controller fails to provide notice, then they can potentially face huge penalties.

The data protection laws in the UAE cover all parts of the country. The laws also apply to UAE financial free zones like DIFC and ADGM.

The legal framework ensures organizations protect personal data and properly respond to security incidents.

Dubai’s Golden Visa system has centralized all residency applications under GDRFA Dubai, creating a single platform for property-linked visas. This consolidation also makes it a more attractive target for cybercriminals seeking sensitive data.

Security researchers note that threat actors increasingly target platforms holding immigration and investment data. The MDGhost breach follows a pattern of attacks against organizations that process high-value visa applications. Investors affected by this breach should monitor their financial accounts closely. They may consider credit freezes to prevent identity theft.


About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
