Dark Web News Analysis
Dark web news reports describe the alleged sale of a phone number database from Haiti. An attacker is advertising the data for sale on a hacker forum.
This is not a “big data” breach, but that is what makes it dangerous. The file is 730.1 KB. A CSV file of this size contains an estimated 60,000 to 70,000 phone numbers. This is not a random “dump”; this is a curated, high-value “target list.”
This is not a simple PII breach; it is a “Smishing & Vishing Goldmine.”
The source of this data is the critical, unanswered question. A “clean” list of 60,000+ numbers from a single country strongly implies a systemic breach of a single, high-value target, such as:
- A major Telecommunications Provider (e.g., Digicel, Natcom).
- A major Digital Wallet / Bank (e.g., MonCash, a top-tier bank).
- A popular local app (e.g., ride-sharing, delivery, or e-commerce) that requires phone verification.
This data is the “golden key” for direct-contact fraud.
Key Cybersecurity Insights
This is a high-severity, “Code Red” incident for the 60,000+ victims. The threat is not if fraud will occur, but how fast.
- “The Smishing/Vishing Goldmine” (The #1 Threat): (As noted). This is the most immediate, automated, and dangerous threat.
  - The Attack: Attackers (and their bots) will immediately send mass Smishing (SMS) and Vishing (Voice) scams to all 60,000+ numbers.
  - The Scam: “Bonjou, this is MonCash / Digicel. Your account has been locked for security. You must click [phishing link] immediately to re-verify…”
  - The Result: This is a “dragnet.” They will successfully drain the digital wallets and bank accounts of thousands of victims.
- “The ‘Seed’ for SIM-Swaps” (The #2 Threat): (As noted). This is the concurrent, high-value threat. The attacker has the Phone Number (Step 1).
  - The Attack: They will now use public (e.g., Facebook) or other breached data to find the Name + DOB for these numbers (Step 2).
  - The Social Engineering: They call the telco (Digicel/Natcom) call center, impersonate the victim, and pass the (weak) security questions.
  - “Game Over”: They “SIM-swap” the victim’s phone number to an attacker-controlled SIM, bypass SMS-based 2FA, and drain the victim’s real bank accounts unchallenged.
- “The Physical ‘Hit List’” (The #3 Threat): (Our insight). In a region with security challenges, a verified list of 60,000+ active phone numbers (and the PII that will be linked to them) is a “hit list” for physical crime, including targeted robbery, extortion, and kidnapping-for-ransom.
- Regulatory Failure (Haiti – DPL / CNPD): (Our insight). This is a severe data breach under Haiti’s new Data Protection Law (published in 2023).
  - Regulator: The source company (the telco/bank/app) is legally required to report this breach to the CNPD (National Personal Data Protection Commission).
  - Fines: This is a clear-cut “failure to protect data” and will trigger massive fines for the source.
Mitigation Strategies
This is a “Code Red” incident for the victims and a regulatory emergency for the company.
For ALL Haitian Telcos, Banks, & Apps (The “Victims”):
- MANDATORY (Priority 1): Harden ID Verification: (As suggested). Phone number is public data now. It cannot be used as a “secret” verification question for account recovery or high-value transactions.
- MANDATORY (Priority 2): Harden Call Center Verification: (Our insight). This is the only way to stop the SIM-swaps. All call center staff (Digicel, Natcom) must be warned today that they are about to be mass-targeted by social engineers. Require a “verbal password” / “PIN” for all SIM-swap requests.
- MANDATORY (Priority 3): Report to CNPD: (As I identified). Report this potential supply-chain breach to the CNPD immediately.
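One way a call-center back end could enforce Priorities 1 and 2, as an added example that is not code from this analysis or from any telco: a SIM-swap request is approved only on an enrolled PIN, while phone number, name and date of birth are ignored as proof. The function names, the lockout threshold and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED = 3  # assumed lockout threshold, not taken from the article
# Facts obtainable from a leak or social media: never accepted as proof of identity.
PUBLIC_FACTORS = {"phone_number", "name", "date_of_birth"}


def derive(pin: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


@dataclass
class Subscriber:
    salt: bytes
    pin_hash: bytes
    failed: int = 0


def enroll(pin: str) -> Subscriber:
    """Register the verbal password / PIN the customer sets with the carrier."""
    salt = os.urandom(16)
    return Subscriber(salt, derive(pin, salt))


def authorize_sim_swap(sub: Subscriber, presented: dict) -> str:
    """Return 'approve', 'deny' or 'locked' for a call-center SIM-swap request."""
    if sub.failed >= MAX_FAILED:
        return "locked"  # assumed escalation: in-person ID check only
    # Drop everything an attacker could know from the leaked list or public data.
    secrets = {k: v for k, v in presented.items() if k not in PUBLIC_FACTORS}
    pin = secrets.get("pin")
    if pin is None:
        return "deny"  # public facts alone never authorize a swap
    # Constant-time comparison avoids leaking how much of the hash matched.
    if hmac.compare_digest(derive(pin, sub.salt), sub.pin_hash):
        sub.failed = 0
        return "approve"
    sub.failed += 1
    return "locked" if sub.failed >= MAX_FAILED else "deny"
```

Once the account is locked, even the correct PIN over the phone is refused, so repeated social-engineering calls cannot brute-force a short PIN.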
For Affected Haitians (The Real Victims):
- CRITICAL (Priority 1): Phishing/Smishing/Vishing Alert: TRUST NO ONE. (As suggested). Assume all calls/texts/emails (from “Digicel,” “MonCash,” your “bank,” a “relative”) are SCAMS, especially if they ask for money, a login, or a password. HANG UP.
- CRITICAL (Priority 2): Secure Your SIM NOW! (Our specific advice). Call your mobile carrier (Digicel, Natcom) immediately and add a high-security verbal password or PIN to your account to prevent unauthorized, “call center” SIM-swaps.
- CRITICAL (Priority 3): Switch to App-Based 2FA: (As suggested). Log in to your bank/financial accounts (if possible) and switch your 2FA away from SMS to an Authenticator App (like Google/Microsoft). This defeats the SIM-swap attack.
Questions or Feedback? This analysis is based on threat intelligence from a dark web forum. A “phone number only” leak is a severe event, as it is the “golden key” for mass Smishing campaigns and targeted, high-impact SIM-swap attacks to bypass 2FA. Brinztech provides cybersecurity services worldwide and does not endorse or guarantee the accuracy of external claims. For any inquiries or to report this post, please email: contact@brinztech.com