Cybercriminals Expose Masses of Personal Data in Dark Web ‘Free Leaksmas’ 

Rate our article

Over Christmas, cybercriminals released 50 million stolen consumer records, including personally identifiable information (PII) and credit card data, in what is being called the ‘Free Leaksmas’ gift. The event marks a continuation of last year’s data leaks over Christmas. On December 20, 2022, hacker groups leaked over 226 million individuals’ personally identifiable information (PII) on the darknet.

Key Takeaways

  • Over the Christmas period, cybercriminals released a staggering 50 million stolen consumer records. This wasn’t a one-off event, as it followed a trend from the previous year, where over 226 million PII records were leaked.
  • Groups SiegedSec and the Five Families were the key players in this year’s Leaksmas, though others joined.
  • From CPF numbers of Brazilian taxpayers to databases from games like Counter-Strike: Global Offense and personal information from various companies and government institutions. It wasn’t focused on one area.
  • Five Families leaked over one million records from a Chinese clothing store, indicating their focus on entities connected to controversial labor practices and the Chinese government.
  • This years Christmas period, saw widespread discounting of stolen credit cards, with cuts up to 50%

The data leak contained the CPF numbers of Brazilian citizens, which are ID numbers for Brazilian taxpayers. Similarly, hackers also leaked the database of Counter-Strike: Global Offense. Gaming statistics indicate that the database had an average of 500,000 – 1,000,000 instantaneous players over the period.

In 2023, researchers from Resecurity, a cybersecurity vendor, reported numerous data leaks. Hacker groups such as SiegedSec, Allies of GhostSec, Five Families, and other international groups collaborated this year under the ‘Free Leaksmas’ tag to promote stolen data on the dark web. 

Cybercriminals Expose Masses of Personal Data in Dark Web ‘Free Leaksmas

Researchers described the recent leaks of cybercriminals as displaying “a form of mutual gratitude” amongst each other. The leaked data forms part of information stolen through data and network intrusions from various companies and government institutions.  

Leaksmass Data

Just under three-quarters of the 50 million leaked records were sourced from three countries, including Peru (34%), the United States (22%), and the Philippines (18%). Other countries such as Australia, France, India, Italy, Mexico, Russia, Switzerland, South Africa, and Vietnam, were also impacted.

What We Know About ‘Free Leaksmas’

Leaksmas Event Goes Live

On December 27, Resecurity released a press release indicating that multiple actors on darknet forums had released large dumps of data. The largest ‘Leaksmas’ dump involved the release of more than 22 million PII records stolen from Peruvian telecommunications provider Movistar’s data set.

The stolen data set contained customers’ phone numbers and DNI (Documento Nacional de Identidad) numbers. DNI numbers are essentially the only identity card the Peruvian government recognizes “for all civil, commercial, administrative, and judicial activities.”

Researchers from Resecurity stated that the exposure of DNI on the dark web is a “serious threat, potentially leading to widespread identity theft and fraud. This incident underscores the critical need for robust Digital Identity Protection programs.”

Additionally, over 2.5 million stolen records were freely shared from a Vietnam-based fashion store. The clothing store’s database is valuable to illegal affiliate marketing specialists and spammers.

More than 2 million stolen records from Mexico’s second-largest bank, Citibanamex, 1.5 million records from a French company, Mobbiz, and 15.77 GB of data involving one of the leading credit services in the Philippines were also posted.

One of the smaller but “noteworthy” leaks reported was from the Italian online military and outdoor clothing store Italia Militare. The store’s database only contained 2,000 records, but the nature of the audience made it particularly attractive.

Prominent Figures Involved in ‘Free Leaksmas’

Numerous hacker groups were involved in the ‘Leaksmas’ activity. The most prominent figure was SiegedSec, a hacker group that gained popularity from the Idaho National Labs data breach involving stolen data relating to 45,000 individuals. 

SiegedSec made public claims about successfully breaching government resources and celebrated an attack on Shufersal, Israel’s largest supermarket chain. The group referred to the attack as a “Christmas Gift” in support of Palestine. Other hacker groups have since distanced themselves from SiegeSec due to its stance.

The hacker group’s Christmas message referred to the “exfiltration of citizen data” and “All I want for Christmas is the destruction of the government.” The suggestion implies that users on the dark web can anticipate more unexpected actions from the group in the coming year.

SiegedSec wasn’t the only hacker group in the Christmas mood of sharing. An alliance of several hacktivist groups, known as the “Five Families,” leaked 1 million records from a Chinese clothing store’s database that was connected to abusive labor and the CCP.

The post read:

Our organization has a lot planned and coming up we are very proud to present all that in the very near future, especially moving forward into 2024 where we have a lot of ideas, planned out and hopefully a successful year with all of you <3

Coming today though we present a FREE leak, YES you heard that right a FREE leak that has over 1 million lines affecting a bigger Chinese clothing store. Connected both to abusive labor and the

ССР. – Chinese clothing store

Over 1 million lines, includes info like internal system logs, employee PIl and Much more


Five Families

A week before Christmas, the group established a marketplace for trading compromised data leaks and other data from regions including Canada, the U.S., Russia, Iran, China, UAE, India, Brazil, and the EU.

The “Five Families” indicated their intentions to release more leaks in the upcoming year. The collective group also carried out leaks involving a South African medico-legal association and an Indian resource. 

Allies of Ghost Sec, another hacker group affiliated with Stormous (a ransomware group), added to the “Leaksmas” campaign by releasing 500,000 stolen records from an online computer shop in Uzbekistan. 

Cybercriminals and Darknet Markets dealing with stolen credit cards jumped on the Christmas festivities by offering discounts of up to 50% to attract new customers. Additionally, the prospect of a new year approaching meant that cybercriminals rushed to sell stolen credit cards before the expiration dates lapsed.

Significance of ‘Free Leaksmas’

In just a few days over the Christmas period, hacker groups released over 50 million records containing customers’ personal information on the darknet. The approach of the Christmas holidays has a significant impact on the darknet economy.

During this period, there is an increase in financial fraud. Malicious actors take advantage of the season to upscale their operations. The FBI’s Internet Crime Complaint Center (IC3) reported, “Texas residents lost over $763 million to fraudsters just in 2022, including nearly $20 million in phishing and non-delivery scams.” 

Digital identity continues to be a target for hackers. These groups seek out personally identifiable information (PII) from government and financial institutions by targeting vulnerabilities in networks.

While North America is a primary target, hacker groups are focusing on other regions, such as Asia-Pacific and Latin America. Resecurity suggests that the widespread global distribution of data leaks highlights the extent and impact of cybercriminal activities.

The potential damage of ‘Free Leakmas’ could amount to millions of dollars. Victims of the event will “inevitably face adverse effects,” such as identity theft, financial fraud, account takeovers (ATO), and business email compromises (BEC).