A hacker using the alias CamelliaBtw has claimed responsibility for a major data breach involving Max Messenger, according to a post published yesterday on the DarkForums cybercrime marketplace and hacker forum.
The forum thread, titled “Max Messenger – Full User Infrastructure & SQL Dump,” alleges that the attacker gained complete access to the messaging platform’s production systems exactly one year after its public launch. The post describes what would amount to a total compromise of user data, backend infrastructure, and proprietary source code.
What is Max Messenger
Max is a cross-platform messaging and multifunction app released on March 26, 2025, by the tech company VK through its subsidiary, Communication Platform LLC. It has been heavily promoted within Russia as a “national messenger” alternative to foreign services like WhatsApp and Telegram and has seen growth in registered users, reportedly reaching millions across Russia and neighboring countries.
The service provides messaging, voice and video calls, and file sharing, and is intended to integrate digital identity and service features for government and commerce. In many cases, devices sold in Russia and Belarus have been required to ship with Max pre-installed under government policy.
Max is positioned as more than a simple chat app, aiming to combine messaging with state services and additional tools, similar to China’s WeChat model. Critics and independent analysts have previously raised concerns about privacy and the potential for state access to metadata and user information, given Max’s structural integration with the Russian government’s digital infrastructure.
Details of the breach claim
In the DarkForums post, CamelliaBtw claims to have exfiltrated the entire production database, estimating the total compressed data size at 142 GB. The hacker states that the stolen data includes:
- Approximately 15.4 million user records containing full names, usernames, and verified phone numbers.
- Active authentication tokens capable of bypassing two-factor authentication.
- Bcrypt-hashed passwords.
- Complete communication metadata, including timestamps and sender and receiver identifiers, dating back to the platform’s launch.
- Internal infrastructure assets such as SSH keys, API documentation, and Amazon S3 bucket configurations.
- Unencrypted media files stored in cloud storage.
- Backend source code, including what the attacker claims are hardcoded backdoors inside the platform’s encryption module.
The post alleges that access was achieved through a previously unknown remote code execution vulnerability in Max Messenger’s media processing engine. According to the attacker, the flaw could be triggered by injecting a malformed payload into sticker pack metadata, allowing persistent backend access. The hacker claims the vulnerability existed since the beta phase in early 2025 and was never patched.
Extortion threat
The post includes a direct ultimatum to Max Messenger’s developers. CamelliaBtw claims the company has already been notified privately, but has not responded. The attacker states they have verified accounts belonging to politicians and corporate executives who joined the platform during its early growth period.
If a financial settlement described as a “bug bounty” is not negotiated within 24 hours, the hacker threatens to release the first 5 GB of raw SQL database files across more than ten public torrent trackers.
No confirmation yet
As of publication, Max Messenger has not issued a public statement confirming or denying the breach. No sample data has yet been released publicly to independently verify the claims. Cybersecurity experts note that while some breach announcements on underground forums are exaggerated, the level of technical detail provided in this post suggests the claims warrant serious scrutiny.
If confirmed, the incident would represent one of the most severe messaging platform breaches in recent years, with long-term implications for user privacy, account security, and trust in encrypted communication services.
