DataBreaches.Net


Leaked Data Raises Questions About Hackers’ Claims and Moldova’s Prior Denial

Posted on February 19, 2026 by Dissent

Data leaked on a dark website, allegedly from a Moldovan portal, does not support the hackers’ claims about how they obtained it. It also raises questions about the government’s May 2025 claim that its network had not been compromised. 

In Part 1, DataBreaches described a data exposure incident involving Moldova’s job applicant portal, cariere.gov[.]md. In this part, DataBreaches investigated a dark web listing involving data from a second government portal, compensatii.gov[.]md (Compensatii).

The Compensatii platform enables residents to register and apply for compensation for energy bills, including heating, natural gas, and electricity, during the colder months. To register, applicants need to provide:

  • The name, surname, and IDNP of all persons residing in the declared household;
  • Data from energy consumption invoices;
  • Mortgage loan amount and cadastral number (if applicable);
  • The monthly income of each member for the months of April–September;
  • Personal IBAN account for transferring the compensation. Individuals without bank accounts can collect compensation at any post office nationwide.

The Identificatorul Numeric Personal (IDNP) in Moldova is a unique 13-digit personal identification number assigned to every citizen, resident, and legal entity for accessing government, financial, medical, and educational services. It serves as the primary, unchanging identifier on identity cards, passports, and residence permits. The cadastral number is a unique, official alphanumeric code assigned to a specific parcel of real estate and serves as an identifier for tax, legal, and mapping purposes.

May, 2025: Claims circulate that access to Compensatii was sold on the darknet

On May 27, 2025, Moldova Live reported that the government had launched an investigation after learning of claims that access credentials for the Compensatii platform were offered for sale on the darknet.

In response to the claims, the government reported that it had checked its network for any signs of compromise and found none. Moldova Live reported on the government’s statement:

“The platform is developed to the highest cybersecurity standards,” the Government’s press office stated. “It is hosted and protected by STISC (Information Technology and Cyber Security Service), operates in an isolated and monitored environment, and is accessible only to authorized personnel.”

According to the statement, administrator access requires a qualified electronic signature—a secure, non-transferable authentication method that ensures only authorized users can access sensitive data.

Minister Alexei Buzu emphasized that strict data protection protocols are in place to safeguard citizens’ personal information. He dismissed the circulating reports as “smoke and mirrors,” suggesting the claims lack substance or credibility.

But could the “smoke and mirrors” have been a real fire that wasn’t detected and extinguished quickly?

January, 2026: Breach claimed by the Bashe Team

On January 30, 2026, the Bashe Team, formerly known as Eraleign (APT73), listed Compensatii on its dark web leak site. They subsequently posted a .csv file as proof of claims.

DataBreaches emailed the contact email for Compensatii on February 16 to ask whether the government had investigated the claimed breach and what they found. At that time, DataBreaches had not yet attempted to verify the data in the .csv.

Compensatii did not reply. Attempting to validate the data in the .csv file was challenging because it contained only usernames, email addresses, and plaintext passwords. There were no dates or timestamps, and nothing to indicate whether this was old data or even data from Compensatii.

As we would later learn, the data was old.

DataBreaches was aware of serious criticisms of Bashe by CloudSek in January 2025. CloudSek had written that Bashe might be fabricating breach claims and, in some cases, re-packaging old data and claiming it as a new breach:

Their strategy of taking credit for attacks they didn’t commit is nothing but a desperate attempt to inflate their relevance to attract legitimate ransomware affiliates. Instead of showcasing genuine technical prowess, Bashe relies on deception, smoke screens, and manipulates their samples by masking PII, making it more challenging to validate their claims. Beneath the facade, their lack of authenticity makes them a prime example of cybercriminal incompetence and overblown theatrics.

DataBreaches contacted Bashe on Tox to request additional details and proof of claims. At first, Bashe appeared responsive, though verifying their claims remained difficult. In response to one question, they stated that they had first gained access in September 2025. When asked about the May 2025 claims, they answered,

We didn’t hear about any credentials being sold in May. We gained access much later, in September, and extracted the latest data. It’s posted on our blog. You can check it to make sure it’s up-to-date. We gained access by compromising an employee’s account.

We checked it, and it wasn’t up to date, as we explain later.

They also claimed their presence in the network was never detected and that they remain in the Compensatii network. “During this time, none of the employees through whom we got access changed the password and closed the door in front of us,” the spokesperson informed DataBreaches.

Because Compensatii support did not respond to this site’s inquiries, DataBreaches contacted half a dozen individuals whose email addresses and plaintext passwords were in the .csv file. DataBreaches asked whether they had used that email address and password on the Compensatii site and alerted them that, if they had, they should change their password across all accounts.

None of those who were emailed replied, and none of the emails bounced back.

Because there were very few fields in the .csv file, DataBreaches sought additional proof of claims to verify. DataBreaches asked Bashe to provide one or two fuller records as proof that the Compensatii database had been accessed. Bashe responded that we could purchase two lines of records for $1200. They reportedly also told SuspectFile that he could purchase data to see additional evidence when he requested more proof of claims while investigating a different listing.

It is one thing for sellers to ask people to pay for data if they suspect them of acting in bad faith in a sales negotiation. But most ethical journalists would never buy stolen data — not even for one dime. The Bashe Team’s suggestion to buy stolen data was in bad faith, and their refusal to provide more data for verification made DataBreaches increasingly suspicious that CloudSek had been correct in their assessment.

Because DataBreaches had been communicating with Ionatan Andronachi on the vulnerability he had reported to the Moldovan government, DataBreaches asked him to look at the publicly leaked .csv to help this site determine whether the data was real or fake. Within minutes, Andronachi reported that the data were real, but old. And by “old,” he meant before May 27, 2025.

Had the Moldovan government erred in its earlier denials of any breach, or had a breach of the data occurred after they concluded their investigation?

It seemed unlikely that Bashe gained access in September 2025 and ended up with outdated data they claimed was “up-to-date.” It also seemed unlikely that Bashe was still in their network, given that the most recent data they had was from May 2025.

Had Bashe bought old data from a seller and re-packaged it as a new breach, or is there some other explanation?

CloudSek’s January 2025 analysis seemed spot on.

Moldovan Citizens at Risk of Identity Theft and Fraud

After extending interview invitations to SuspectFile and DataBreaches, the Bashe Team destroyed its reputation with both. However, old data remains valuable and poses risks. In reviewing the .csv data, Andronachi found that login credentials remained active in many cases, and entire files could be accessed.

As we had done with the data exposure vulnerability, DataBreaches emailed the government twice in recent days. No reply was received.

DataBreaches hopes that Compensatii or STISC responds to inquiries and explains how and when these data were accessed and exfiltrated, how many people and families have been affected, and what the government is doing to mitigate harm to its citizens.

Ideally, any government response will include a forced password reset for everyone. Still, to be safe, anyone who has used that portal, especially before May 2025, should immediately reset their password and change it on any sites where it may have been reused. People should also be more vigilant in checking their banking and other accounts and be careful not to fall for phishing or vishing attacks.

The Bashe Team claims to have data on more than 50,000 unique individuals. Moldova needs to be transparent about what may have happened, what people need to do to protect themselves, and what the government is doing to protect them and mitigate any harm.
