Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the sale of a massive database allegedly related to Romania, containing approximately 4 million rows of highly sensitive data.
Brinztech Analysis:
- The Source: The listing explicitly attributes this breach to the notorious threat actors IntelBroker and Sanggiero.
- Context: IntelBroker (Kai West) was reportedly arrested in France in early 2025. Sanggiero is a known collaborator.
- The Narrative: The seller claims this dataset is “fresh and new to market” specifically because the perpetrators were arrested before they could sell or distribute it. This implies the data has been sitting in a “dormant” state and is now being liquidated by an associate or a third party who gained access to their archives. Note that the attribution is the seller’s claim and cannot be verified from the advertisement alone; a well-known actor’s name raises the asking price, so it should be treated as marketing until sample records are checked.
- The Data: The dataset is a “Fullz” nightmare. It reportedly includes:
  - National Identifiers: CNP (Cod Numeric Personal), ID Card Data, SSN/PIN (the listing’s own wording; in Romania the CNP is the national identifier).
  - PII: Full Names, Dates of Birth, Physical Addresses, Emails, Phone Numbers.
  - Sensitive Lifestyle Data: Medical Information, Workplace History, and Relatives’ Information.
  - Financials: Budget & Payment data.
This unique combination (Medical + Financial + Relatives) strongly suggests the source is a major government institution (likely related to health insurance, social services, or a large-scale municipal integrator) rather than a private company.
Key Cybersecurity Insights
This alleged data sale presents a critical, nation-scale threat to Romanian citizens:
- “Dead Man’s Switch” or Liquidation: The emergence of “IntelBroker” data months after his reported arrest suggests that the cybercrime ecosystem is efficient at recycling assets. Arrests disrupt the actor, but they rarely destroy the data if it has already been exfiltrated.
- Comprehensive PII & PHI Exposure: The inclusion of Medical Information alongside CNP and Financial Data creates a “trifecta” of risk: Medical Identity Theft, Financial Fraud, and Tax Fraud. The CNP is a lifetime identifier that cannot be changed, making this a permanent security liability for victims.
- Advanced Social Engineering: The inclusion of “Relatives’ Information” and “Workplace History” allows for terrifyingly effective social engineering. Attackers can impersonate family members in distress or use workplace details to launch Business Email Compromise (BEC) attacks against Romanian companies.
- Untapped Exploitation: If the claim that the data is “new to market” is true, it means these 4 million individuals have not yet been targeted using this specific dataset. We can expect a massive wave of phishing, smishing, and fraud attempts targeting this group in the coming weeks.
Mitigation Strategies
In response to this claim, Romanian organizations and citizens must take immediate action:
- Enhanced Identity Verification (IAM): Organizations relying on KBA (Knowledge-Based Authentication) questions like “What is your mother’s maiden name?” or “What is your date of birth?” must stop immediately. For these 4 million people, every answer drawn from static PII (date of birth, address, CNP, relatives’ names) should be treated as attacker knowledge. Move logins to phishing-resistant MFA (FIDO2/WebAuthn hardware keys or platform passkeys), and for account recovery and call-centre verification confirm the request out-of-band to a previously registered device or channel rather than by quizzing the caller on facts that are now in the dump.
- Proactive Dark Web Monitoring: Corporate security teams should monitor for their domains and employee emails appearing in this specific “IntelBroker” dump. If found, force password resets, revoke active sessions and tokens, and review recent access logs for anomalous behavior. Compare hashed identifiers rather than raw addresses so the dump never has to be ingested into internal tooling in the clear.
- Citizen Alert (ANSPDCP): While official notification comes from the National Supervisory Authority (ANSPDCP, Romania’s data protection regulator) and the breached controller, citizens should be proactive. Be extremely skeptical of unsolicited calls referencing medical history or family members; a caller who already knows your CNP or a relative’s name is not thereby legitimate.
- Data Minimization Review: This breach highlights the toxicity of data hoarding. Organizations must review why they are storing “relatives’ information” or historical “workplace history” and delete what is not strictly necessary for current operations.
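The triage that the data-field analysis and the dark-web-monitoring advice above call for, as an added example in Python that is not part of the original post: it assumes the seller’s sample is a CSV with `cnp` and `email` columns (an assumption; the listing’s real format is not stated), validates each CNP’s control digit to gauge whether rows look like real identifiers or filler, and matches the dump’s addresses against an employee directory by SHA-256 digest so the raw directory is never loaded alongside the dump in the clear. The sample rows, directory and domains are constructed.

```python
"""Triage a seller-provided sample of a claimed breach dump (added example)."""
import csv
import hashlib
import io

# Weights for the CNP control digit: digits 1-12 are multiplied by these,
# summed and reduced mod 11; a remainder of 10 maps to control digit 1.
CNP_WEIGHTS = "279146358279"


def cnp_is_valid(cnp: str) -> bool:
    """Structural check of a Romanian CNP: 13 digits, plausible date fields,
    correct control digit. Passing proves the row is well-formed, not real."""
    if len(cnp) != 13 or not cnp.isdigit():
        return False
    if cnp[0] == "0":           # first digit encodes sex/century, never 0
        return False
    month, day = int(cnp[3:5]), int(cnp[5:7])
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    total = sum(int(d) * int(w) for d, w in zip(cnp[:12], CNP_WEIGHTS))
    control = total % 11
    if control == 10:
        control = 1
    return control == int(cnp[12])


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def email_digest(addr: str) -> str:
    """SHA-256 of the normalized address; only digests are compared."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def triage_dump(csv_text: str, employee_emails, corporate_domains):
    """Return (cnp_stats, matched_employees, corporate_addresses_not_in_directory).

    matched_employees are accounts to force-reset and review; the third list
    catches corporate-domain addresses the directory does not know (former
    staff, aliases, shared mailboxes) that still deserve a look.
    """
    index = {email_digest(e): normalize_email(e) for e in employee_emails}
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    valid = sum(1 for r in rows if cnp_is_valid(r.get("cnp", "")))
    matched, unknown = set(), set()
    for r in rows:
        addr = normalize_email(r.get("email", ""))
        digest = email_digest(addr)
        if digest in index:
            matched.add(index[digest])
        elif "@" in addr and addr.rsplit("@", 1)[1] in corporate_domains:
            unknown.add(addr)
    stats = {"rows": len(rows), "valid_cnp": valid, "invalid_cnp": len(rows) - valid}
    return stats, sorted(matched), sorted(unknown)


# Constructed sample of what a seller's "proof" file might look like.
# Row 1 and 2 carry structurally valid CNPs; row 3 is random filler;
# row 4 has a wrong control digit.
SAMPLE_DUMP = """name,cnp,email,phone
Ion Popescu,1800101400016,ion.popescu@example.ro,+40700000001
Maria Ionescu,2950715123458,MARIA.IONESCU@Example-Corp.ro ,+40700000002
Test Filler,1234567890123,filler@mail.example,+40700000003
Andrei Dumitru,1800101400017,andrei.dumitru@example-corp.ro,+40700000004
"""
EMPLOYEE_DIRECTORY = ["maria.ionescu@example-corp.ro", "elena.radu@example-corp.ro"]
CORPORATE_DOMAINS = {"example-corp.ro"}

if __name__ == "__main__":
    stats, hits, unknown = triage_dump(SAMPLE_DUMP, EMPLOYEE_DIRECTORY, CORPORATE_DOMAINS)
    print("CNP plausibility:", stats)
    print("force reset / review logs for:", hits)
    print("corporate-domain addresses not in directory:", unknown)
```

A high proportion of invalid CNPs in a sample is a strong sign of synthetic or padded data; a clean sample only says the rows are well-formed, and confirmation still requires checking a few records against a system of record.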
Secure Your Business with Brinztech — Global Cybersecurity Solutions Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com