-
The personal data of 4.7 million users of the “Istanbul is Yours” app was leaked to the dark web.
-
An indictment alleges the data was sent to U.S. and German analytics firms without user consent.
-
This breach is part of a larger plot to steal info on more than 11 million people.
A huge data leak hit Turkey, exposing the personal info of millions of citizens. Voting details were part of it, too. Many suspect the “Istanbul is Yours” app, run by the Istanbul Metropolitan Municipality, is the source of the leak.
The latest reports say the theft might be tied to an organized crime group, supposedly led by ex-Mayor Ekrem İmamoğlu. The stolen data has now appeared for sale on the dark web under a provocative name. This move places the stolen information squarely within the dark web’s criminal ecosystem, a realm that global law enforcement is constantly working to dismantle, as we recently saw when German authorities busted a dark web hitman platform and arrested a suspect.
The Data Theft Supposedly Part of a Political Game
So, word on the street is that this data theft might be part of a political game. The Istanbul prosecutor’s office looked into the Imamoğlu crime group and put together the indictment. The former Mayor of Istanbul, İmamoğlu, himself was removed from office and arrested.
The document claims the group’s core philosophy was “personal enrichment” and “financing politics.” They allegedly used illicit income to build political power.
The group’s aims were quite large and included transferring İmamoğlu to the IMM, gaining control of the CHP party, and preparing him as a candidate for president. It is alleged that the app “Istanbul’s is Yours” was a tool to carry out this plan, as the bad actors allegedly used it to create a public image of innovation. But its real purpose was to acquire citizens’ personal and ballot data. The organization combined this with real-time location information.
The stolen data then allegedly made its way abroad and to private companies. The group even used individuals who were not Turkish citizens in these activities.
How the Hackers Collected and Shared the Data
A technical report from Turkey’s National Cyber Incident Response Center (USOM) confirmed the breach. It found that cyber attackers acquired data from 4.7 million app users.
The stolen data included names, surnames, ID numbers, and GSM information. Real-time location data, like latitude and longitude, was also compromised. This information was then shared and sold on illegal platforms.
The indictment explains how the app secretly collected this data. It sent user information to analytical websites based in the United States. These sites, including Mixpanel, Sentry, and Adjust, specialize in user behavior tracking.
All of this data transfer happened without the users’ knowledge or consent. The company did not consult Turkey’s Personal Data Protection Authority (KVKK) at any point—a serious contravention of the law.
A Second, Even Larger Data Cache
The investigation uncovered an even more extensive data haul. The investigation also examined ‘İBB Hanem,’ a separate municipal project that field teams used to collect citizen complaints.
The server for this application contained a vast volume of data, which included the personal details for 11,360,412 individuals.
This dataset was incredibly detailed. It included full identity information like ID numbers and parents’ names. It also contained full home addresses, phone numbers, and critically, ballot information.
The indictment states that this entire dataset was sent via email to a private company on November 8, 2023. This act further demonstrated the alleged group’s disregard for data privacy laws.
Advanced Tracking and Voter Manipulation
The indictment also reveals more sophisticated tactics. It mentions a company named “Reklamist,” allegedly owned by group leader Murat Ongun.
The plan was to use this company for advanced citizen tracking. They aimed to monitor habits, daily routines, and conduct behavioral profiling of voters—a strategy that mirrors the advanced social media monitoring tools and techniques redefining cybersecurity and political campaigns today.
One scheme involved placing “impression pixels” on news site ads. This would collect data from users reading negative news about İmamoğlu. A “Lemon Campaign” specifically targeted this audience for manipulative content.
There was even a plan to use cameras in public squares. The goal was to record citizens’ real-time reactions to İmamoğlu’s ads. The system would record and analyze reactions like turning their heads or laughing to create a political map.
