The National Bureau of Investigation (NBI) in the Philippines suffered a data breach that compromised its highly sensitive information. Reportedly over 3.6 GB in size, the leaked data set contains more than 45 million rows of data spanning eight years.
A hacker operating under the Zodiac Killer alias has claimed responsibility for compromising NBI’s systems and leaking highly sensitive information. According to preliminary investigations, the exposed records appear to originate from NBI clearance applications or financial transactions between 2016 and 2024.
The information stolen from the premier investigative agency in the Philippines reportedly includes full names, addresses (street, barangay, city, province), transaction IDs and dates, contact information, and purpose of clearance applications.
The threat actor shared password-protected files via cloud-sharing platforms, including notable sites like Mega.nz, to disseminate the compromised information. These files may contain even more sensitive data, potentially exposing high-stakes NBI records.
The hacker reportedly compressed the extracted data and made it available via multiple downloadable links on file-sharing platforms. Claims shared in their post imply extensive access to parts of the NBI’s clearance database system and potentially linked financial applications.
Files have already surfaced on forums across the dark web, amplifying the risks for affected individuals.
The hacker is a newcomer to cybercrime, having created an account on a dark web forum as recently as January 2025. This is their first thread, indicating that the attack was specifically orchestrated to target the NBI.
While the motive remains unclear, experts suggest the breach could be financially or politically motivated. The NBI Director said the breach originated from a third-party provider handling clearance applications.
In December, hackers published MOVEit-linked data belonging to 760,000 employees of Xerox, Nokia, Bank of America, Morgan Stanley, and more on a dark web forum. The leak is apparently connected to Russian-affiliated Cl0p Ransomware and the Nam3L3ss dark web forum user.