Dark Web News Analysis
The dark web news reports a “Code Red,” national-security-level breach of Shaparak (شاپَرَک), the Iranian government’s central electronic card payment network. This is not a breach of a single bank; it is a breach of the “bank of banks”—the core, state-sponsored switch that processes all national card transactions.
An attacker is advertising a massive 55.36 GB database for sale, containing 168 million customer records. Given Iran’s population (~88M), this is a “full-citizen” database, likely containing all historical and active records of every citizen with a bank card.
This is not a criminal act; it is a geopolitical act. A breach of this scale, targeting national critical infrastructure, is the hallmark of a Nation-State Actor (APT) (e.g., from a rival state). The “sale” is merely a punitive act to humiliate, create chaos, and monetize an espionage operation.
The leaked data is the “master key” to Iran’s entire civil and financial population:
- Full PII: full names, emails, phone numbers, birth dates.
- National ID (The “ID Kit”): national codes (کد ملّی – Melli Code).
- Financial Data (The “Fraud Kit”): card numbers (full or partial) and account numbers (IBANs).
- Credentials: usernames and (critically) password hints (a sign of gross negligence).
- Scope: includes data from Saderat and Mellat Banks, confirming this is a centralized breach at the switch (Shaparak).
Key Cybersecurity Insights
This is a high-severity, “Code Red” national security incident for Iran. The implications are not just “phishing”; they are geopolitical and systemic.
- “National-Level ID Theft Goldmine” (The #1 Threat): (As noted). This is the most immediate and dangerous threat. An attacker (or the buyer) now has the Name + National Code + DOB + Phone for every citizen.
  - The Result: They can impersonate any Iranian citizen to the government, to banks, to utility companies, or for surveillance. This is a total loss of identity control for the entire nation.
- “Systemic Financial Fraud Goldmine” (The #2 Threat): (As noted). The attacker has the Name + National Code + Account Number + Card Number.
  - The Attack: This is a “full kit” for mass, systemic financial fraud, including draining accounts, social engineering banks, and creating fraudulent identities. The password hints make “breach-aware” phishing scams lethally effective.
- “THE REAL THREAT”: Nation-State (APT) Attack / Espionage: (As noted). This is the real purpose. A foreign intelligence agency now has the “master database” of the entire Iranian population.
  - The Threat: They can track the entire financial activity of every citizen.
  - The Goal: This is an espionage goldmine. They can identify, track, profile, and blackmail (or recruit) any government official, IRGC member, or scientist by following their money. This is a catastrophic counter-intelligence failure.
- “Critical Infrastructure Breach” (The ‘Why’): (As noted). This is a full-scale compromise of National Critical Information Infrastructure (NCII).
  - Regulator: This is a “Code Red” for the Central Bank of Iran (CBI), the Ministry of Intelligence (VAJA), and the IRGC Cyber Command. This is a state failure, not a “compliance issue.”
Mitigation Strategies
This is a “Code Red,” “Assume Breach” incident. This is a full-scale counter-intelligence operation, not an IT problem.
For the Govt. of Iran / CBI (The “Victim”):
- MANDATORY (Priority 1): Activate “Assume Breach” / Counter-Intelligence IR: (As suggested). This is a “Code Red.” Engage all national-level resources (CBI, VAJA, IRGC Cyber) immediately.
- MANDATORY (Priority 2): Hunt for the APT NOW! (As suggested). This is not a “patch” drill; it is a full-scale, 24/7 hunt to find the APT’s active persistence (backdoors, C2 channels, compromised admin accounts). Every compromised system must be rebuilt from scratch (“scorched earth”), not cleaned in place.
- MANDATORY (Priority 3): National Card Re-Issuance: (Our insight). This breach is so severe that the only real mitigation is to invalidate and re-issue all 168M bank cards in the country. This is a “reset the entire system” level event.
- MANDATORY (Priority 4): National Fraud Alert: (As suggested). Immediately warn all citizens (via national SMS/TV) that all banks are on “high alert” and that all unsolicited calls/texts from “their bank” are SCAMS, even if they know their National Code.
For Affected Iranians (The Real Victims):
- CRITICAL (Priority 1): Phishing/Vishing Alert: TRUST NO ONE. (As suggested). Assume all calls/texts/emails (from “Bank Mellat,” “Bank Saderat,” the “Govt”) are SCAMS, even if they know your National Code, Account Number, and Password Hint. HANG UP.
- CRITICAL (Priority 2): Monitor Accounts 24/7: (As suggested). This is the only defense. Check your bank account daily for fraud.
- CRITICAL (Priority 3): Change All Passwords NOW! (As suggested). The password hints mean all your passwords are compromised.
Questions or Feedback? This analysis is based on threat intelligence from a dark web forum. A breach of a national payment switch (like Shaparak) is one of the most severe, systemic, and catastrophic data breaches possible, short of a central bank itself. It is a geopolitical event with devastating fraud and espionage implications. Brinztech provides cybersecurity services worldwide and does not endorse or guarantee the accuracy of external claims. For any inquiries or to report this post, please email: contact@brinshtech.com