France is now dealing with one of its most serious public sector cybersecurity incidents in recent years, after the Interior Ministry confirmed that attackers breached internal email systems and accessed internal files.
However, what initially looked like a contained incident took on a very different tone once the newly relaunched BreachForums administrator, using the alias Indra, stepped forward, claimed responsibility, and publicly accused the government of downplaying how deep the intrusion really went.
First Details and Official Response
Originally, the breach was detected overnight between December 11 and 12, according to Interior Minister Laurent Nuñez, who said attackers accessed several internal documents but stopped short of confirming any data theft.
Speaking publicly, he acknowledged unauthorised access to ministry email servers while stressing that no evidence showed files were seriously compromised. Security procedures were tightened across government systems while a judicial investigation was launched.
BreachForums Claims Retaliation and Wider Access
Behind the scenes, however, a very different version of events surfaced on BreachForums, a well-known cybercrime platform that recently reappeared after months offline on a new domain.
Its administrator, Indra, published a lengthy post claiming direct responsibility for the attack and accusing French authorities of withholding the truth. The post framed the attack as retaliation for the arrests of members, especially ShinyHunters, linked to earlier BreachForums operations.
Claims of Access to TAJ, FPR, and More
According to Indra, the breach went further than just email servers. The forum post alleged access to multiple sensitive law enforcement and government databases, including TAJ, the French criminal records processing system, FPR, the national wanted persons database, and systems linked to Interpol.
Additional claims referenced access to tax, pensions, and vehicle registration platforms. Indra asserted that more than 16 million individual records were accessible, a figure far exceeding standard query limits.
Screenshots and an Ultimatum
To support these claims, the post included screenshots said to show internal search results and interfaces tied to French police systems. One image displayed a results counter exceeding 16 million entries, while others appeared to show identity records and internal tools. French authorities have not publicly confirmed the authenticity of these screenshots or the extent of any data exposure.
The forum post also issued an explicit ultimatum. Indra gave the French government one week to initiate contact via XMPP to negotiate the fate of the alleged data. The message laid out two options: deletion of the data following payment or sale of the information to the BreachForums community. No ransom amount was publicly specified.
Arrest Made, Identity Still Unconfirmed
French prosecutors moved quickly. On December 17, authorities arrested a 22-year-old suspect as part of the investigation led by the cybercrime unit of the Paris public prosecutor’s office.
According to a press release (PDF) from the Paris Public Prosecutor’s Office, the individual, born in 2003, was taken into custody on charges related to unauthorised access to a state-operated automated data processing system carried out by an organised group. Prosecutors confirmed the suspect had prior convictions for similar offences earlier in 2025.
Investigators from OFAC, France’s central office for combating cybercrime, continue to analyse the breach. Officials said further communication will follow once the custody period concludes. At this stage, authorities have not confirmed whether the arrested individual is Indra or whether additional suspects are involved.