Key Takeaway: Hackers breached French Interior Ministry systems, accessing criminal records databases with millions of suspect and victim files during a December 2025 incident.

A Critical Moment for French National Security
France’s Interior Ministry has confirmed it fell victim to a serious cyberattack that compromised sensitive police databases containing critical criminal justice information. Interior Minister Laurent Nuñez made the disclosure on Wednesday, December 17, 2025, revealing that attackers successfully accessed email systems and breached the ministry’s most confidential law enforcement records. This incident represents a significant security failure affecting one of France’s most important government institutions—one that oversees nearly 300,000 personnel and manages the nation’s law enforcement operations.
The breach occurred over several days, beginning the night of December 11-12, 2025. Attackers gained entry through compromised employee email accounts, where they discovered passwords that had been carelessly shared in plain text between colleagues. Using these stolen credentials, the hackers navigated into the ministry’s internal CHEOPS portal—a critical system that serves as the gateway to multiple police applications, information databases, and sensitive security tools.
How the Attack Unfolded: A Breakdown
The attack followed a remarkably straightforward path that exposed vulnerabilities in basic cybersecurity hygiene. According to investigations, employees at the ministry had exchanged passwords through unencrypted email—a practice explicitly prohibited in most security protocols but apparently still common within the organization. Once attackers gained access to these email accounts, they discovered the keys to the kingdom.
The criminals then used the stolen credentials to penetrate CHEOPS, the internal communication and access platform that French police officers use daily. Minister Nuñez attributed the breach to widespread carelessness among staff members, stating that “all it takes is a few individuals who don’t respect these rules” for security measures to fail.
From CHEOPS, attackers accessed two highly sensitive databases: the Criminal Records Processing System (TAJ) and the Wanted Persons File (FPR). The TAJ contains approximately 17 million individual files on criminal suspects and victims from ongoing and past judicial proceedings. The FPR, equally sensitive, includes information on wanted individuals, including controversial “S-files” that track people considered threats to national security.
What Was Actually Compromised: Separating Fact from Fiction
Here’s where the story becomes complicated. While attackers claimed to have stolen data on over 16.4 million people—nearly a quarter of France’s entire population—Minister Nuñez and cybersecurity experts have disputed these assertions with significant skepticism.
According to Nuñez’s official statements, only “a few dozen files” were actually extracted from the systems as of December 17. He emphasized that despite accessing databases containing millions of records, evidence does not support the attackers’ claims of large-scale data exfiltration. “We don’t yet know the extent of the compromise. To date, a few dozen files have been removed from the system, but we are talking about millions of data,” Nuñez explained to media outlets.
Baptiste Robert, a prominent French cybersecurity researcher and CEO of Predicta Labs, reinforced this skepticism. Despite attackers posting screenshots allegedly showing system access, they provided no actual data samples to verify their claims. Robert’s assessment suggests that while attackers definitely gained system access and consulted sensitive files, there is “currently no indication that attackers have managed to exfiltrate large amounts of personal and sensitive data.” The security expert’s conclusion: “Sample, or it didn’t exist, bro.”
The Attackers’ Claims and Demands
The attackers announced their breach through BreachForums, a dark web marketplace for stolen data. They claimed the attack was revenge against French authorities for arresting members of the “ShinnyHunters/hollow” cybercriminal gang. The message included an ultimatum: they gave the French government one week to pay for the stolen data, which would supposedly be deleted following payment. If negotiations failed, they threatened to sell the information to other cybercriminal organizations.
The attackers also uploaded a screenshot displaying the CHEOPS portal’s login page with “WE ARE STILL HERE” written where the password field should appear. Additionally, a blurred image of what appeared to be a police officer’s identification card suggested some access to personnel documents. However, cybersecurity experts emphasized these items prove system access, not successful data theft.
Timeline of Discovery and Response
French authorities detected suspicious activity targeting the ministry’s email servers on December 12. Initial assessments suggested limited compromise, but subsequent investigation revealed the breach was more serious. By December 16-17, the ministry and the Interior Minister confirmed that sensitive police databases had indeed been accessed.
In response, the ministry implemented immediate protective measures. These included strengthening access controls for ministry computer systems, implementing additional security protocols for personnel, and formally notifying France’s National Commission for Information Technology and Civil Liberties (CNIL) as legally required. France’s Anti-Cybercrime Office (OFAC) was assigned to lead the investigation.
Interior Minister Nuñez stated that investigators are examining multiple possibilities, including foreign interference from nation-state actors, hacktivists seeking to expose government vulnerabilities, or simple cybercrime for financial gain. As of mid-December, French authorities had not identified the perpetrators with certainty.
Historical Context: France’s Escalating Cyber Threat Landscape
This attack on the Interior Ministry follows a disturbing pattern of increasing cyberattacks against French government infrastructure. In 2024, France experienced a 15% increase in security events according to the National Cybersecurity Agency (ANSSI).
One of the most concerning past incidents involved the Russian-linked APT28 hacking group (also known as Fancy Bear). In April 2025, French authorities formally attributed a four-year hacking campaign targeting multiple French government entities to APT28, which is publicly linked to Russia’s GRU military intelligence. Since 2021, APT28 has repeatedly targeted French ministerial bodies, local governments, aerospace entities, research organizations, and financial institutions.
APT28 has specifically focused on compromising Roundcube email servers at French government agencies as part of operations designed to steal strategic intelligence from governmental and diplomatic organizations. This pattern is notably similar to the email server compromise in the current Interior Ministry attack, raising questions about potential attribution.
In March 2024, approximately 2,000 French government websites—including the Ministry of Justice, Ministry of Culture, and Treasury—suffered distributed denial-of-service (DDoS) attacks of what Prime Minister Gabriel Attal described as “unprecedented intensity.” The hacktivist group Anonymous Sudan claimed responsibility.
Additionally, France Travail, the national employment platform, suffered a significant breach in July 2025 when the Kairos job platform was compromised, exposing personal information on over 340,000 users.
About the Attackers: The ShinyHunters History
The attackers referenced the arrest of members from the “ShinnyHunters/hollow” group. ShinyHunters is a criminal hacking collective that emerged around 2020 and has become one of the most prolific cybercrime organizations of the decade, with data breaches affecting over 1 billion users across hundreds of companies.
The group’s name derives from Pokémon terminology, referencing rare alternate-colored Pokémon variants. ShinyHunters gained infamy for early massive breaches including Tokopedia (91 million users), Wattpad (270 million users), and Microsoft (500 GB of source code).
Recent years have seen ShinyHunters evolve from simple data theft operations into sophisticated actors using social engineering, credential compromise, and advanced phishing techniques. Members of the group have been arrested, but operations have continued through decentralized networks. The group claims to combine data theft with cryptocurrency theft and tool sales—profiting multiple ways from each successful attack.
Latest Developments and Ongoing Investigation
As of December 17, 2025, the investigation remains active with multiple agencies involved. Minister Nuñez emphasized that authorities are prioritizing speed in identifying perpetrators. The judicial investigation by OFAC continues, with the CNIL also formally notified of the breach as required by data protection regulations.
French authorities have not yet confirmed whether the breach endangered active investigations, though Minister Nuñez stated that the incident “does not endanger the lives of our compatriots.” He also noted that no ransom payment had been received at the time of his statement.
The ministry has not disclosed detailed technical information about how the attack was ultimately contained or whether attackers maintain any residual access to ministry systems. Ongoing security hardening measures at the Interior Ministry are expected to continue as investigations proceed.
Why This Matters: The Bigger Picture
The Interior Ministry breach highlights critical cybersecurity vulnerabilities affecting even the most protected government institutions. The core problem—employees sharing passwords via unencrypted email—represents a basic security failure that training and policy should prevent. Yet it succeeded at one of France’s most critical security agencies.
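A defender can look for the root cause described above, passwords sent in plain text between colleagues, by scanning mail for credential-like strings. The sketch below is an added example, not the ministry's tooling or anything from the cited sources; the keyword list, the letter-plus-digit heuristic and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default

# Keyword (English or French), an explicit separator, then the candidate secret.
CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|mot\s+de\s+passe|mdp)\b"
    r"(?:\s*[:=]\s*|\s+(?:is|est)\s+)(\S{6,})"
)

def looks_like_secret(token):
    # Heuristic (assumption): ordinary words rarely mix letters and digits.
    return any(c.isdigit() for c in token) and any(c.isalpha() for c in token)

def find_shared_credentials(raw_message):
    """Return one redacted finding per credential-like string in the text parts."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.walk():  # also visits nested MIME parts
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        for m in CRED_RE.finditer(part.get_content()):  # transfer encoding decoded
            secret = m.group(2).rstrip(".,;)")
            if looks_like_secret(secret):
                findings.append({
                    "from": str(msg["From"]), "to": str(msg["To"]),
                    "keyword": " ".join(m.group(1).lower().split()),
                    # Never log the secret itself: keep first character only.
                    "redacted": secret[0] + "*" * (len(secret) - 1),
                })
    return findings

# Constructed sample: a colleague mails a portal password (quoted-printable body).
SAMPLE_LEAK = """\
From: agent.a@example.invalid
To: agent.b@example.invalid
Subject: acces portail
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Voici l'acc=C3=A8s au portail.
Identifiant : agent.a / Mot de passe : Ete2025!x
"""

# Constructed sample: mentions passwords but discloses none.
SAMPLE_BENIGN = """\
From: it@example.invalid
To: all@example.invalid
Subject: policy

The password policy changes Monday. If your password is expired, call the desk.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LEAK, SAMPLE_BENIGN):
        print(find_shared_credentials(raw))
```

Any hit should trigger rotation of the exposed credential, since a mailbox compromise exposes every secret ever sent through it.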
The incident demonstrates how nation-state actors, criminal groups, and activist hackers all present simultaneous threats to government infrastructure. France faces sophisticated, persistent targeting from multiple adversaries with different motivations and capabilities. The Interior Ministry’s responsibility for overseeing police forces, immigration services, and internal security makes it an extraordinarily high-value target.
For French citizens, the key question remains unanswered: exactly what sensitive personal and criminal justice information did attackers access and potentially exfiltrate? Until investigators provide more transparency, both the true scope of the breach and its real impact on national security will remain uncertain.
Primary Sources: Euronews, Cybernews, and Anadolu Agency.
