Ninety-two gigabytes of compressed data. At least 29 other EU entities may be affected. And for once, a government cybersecurity agency skipped the cautious hedging and named names.
CERT-EU, the European Union’s cybersecurity arm, said Thursday that the cybercriminal group TeamPCP was responsible for hacking the European Commission’s cloud infrastructure, and that the notorious ShinyHunters gang then posted the stolen data online. The breach, which came to light in recent weeks, is among the largest ever suffered by an EU institution.
The specificity of the attribution is itself notable. Government cyber agencies — especially those speaking publicly — tend to couch blame in careful language about “advanced persistent threats” or “threat actors.” CERT-EU named two groups directly and described the mechanics of the attack in unusual detail.
How the breach unfolded
According to CERT-EU’s report, the intrusion began on March 19, when hackers obtained a secret API key linked to the European Commission’s Amazon Web Services account. The key came from a compromised version of Trivy, an open-source security scanning tool. The Commission had inadvertently downloaded the tainted copy after Trivy’s own project was breached.
Once inside, the hackers pivoted to the Commission’s AWS environment and exfiltrated roughly 92 GB of compressed data. The stolen files included names, email addresses, and the contents of emails hosted on the Commission’s Europa.eu platform — the infrastructure EU member states use to host institutional websites and publications.
Close to 52,000 of the stolen files contain sent email messages, CERT-EU said. Most were automated messages with minimal content, but bounced-back emails with error notices “may contain the original user-submitted content, posing a risk of personal data exposure.”
The data of at least 29 other EU entities may also be affected, along with dozens of internal Commission clients. CERT-EU said it is already in contact with affected organizations.
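One defender-side check that follows from this attack chain (a stolen key used to pull data out of AWS), added here as an example and not taken from CERT-EU or any of the parties named: it profiles CloudTrail S3 data events per access key and flags keys that are used from outside an allowlisted network while also moving large volumes out. The log lines, key IDs, trusted range and byte threshold are all constructed or assumed.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed CloudTrail-style S3 data events (not logs from the incident);
# only the fields the check reads are present.
SAMPLE_LOG = """
{"eventTime":"2024-01-05T02:14:03Z","eventName":"GetObject","sourceIPAddress":"10.40.1.12","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"additionalEventData":{"bytesTransferredOut":4096}}
{"eventTime":"2024-01-05T02:15:10Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"additionalEventData":{}}
{"eventTime":"2024-01-05T02:16:41Z","eventName":"GetObject","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"additionalEventData":{"bytesTransferredOut":600000000}}
{"eventTime":"2024-01-05T02:17:02Z","eventName":"GetObject","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"additionalEventData":{"bytesTransferredOut":600000000}}
{"eventTime":"2024-01-05T02:17:30Z","eventName":"GetObject","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"additionalEventData":{"bytesTransferredOut":600000000}}
{"eventTime":"2024-01-05T02:18:00Z","eventName":"GetObject","sourceIPAddress":"10.40.1.30","userIdentity":{"accessKeyId":"AKIAEXAMPLE0002"},"additionalEventData":{"bytesTransferredOut":2048}}
"""

# Assumed egress ranges of the owning organisation's CI runners and offices.
TRUSTED_NETS = [ipaddress.ip_network("10.40.0.0/16")]
BYTES_THRESHOLD = 1_000_000_000  # 1 GB out per key in the window; tune per environment

def parse_events(raw: str) -> list[dict]:
    return [json.loads(line) for line in raw.strip().splitlines()]

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def profile_keys(events: list[dict]) -> dict:
    """Per access key: untrusted source IPs seen, object reads, bytes pulled out."""
    stats = defaultdict(lambda: {"untrusted_ips": set(), "reads": 0, "bytes_out": 0})
    for ev in events:
        s = stats[ev["userIdentity"].get("accessKeyId", "unknown")]
        if not is_trusted(ev["sourceIPAddress"]):
            s["untrusted_ips"].add(ev["sourceIPAddress"])
        if ev["eventName"] == "GetObject":
            s["reads"] += 1
            s["bytes_out"] += ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
    return stats

def flag_suspicious(events: list[dict], bytes_threshold: int = BYTES_THRESHOLD) -> dict:
    """Keys used from outside TRUSTED_NETS that also moved >= bytes_threshold out."""
    flagged = {}
    for key, s in profile_keys(events).items():
        if s["untrusted_ips"] and s["bytes_out"] >= bytes_threshold:
            flagged[key] = {"ips": sorted(s["untrusted_ips"]),
                            "reads": s["reads"], "bytes_out": s["bytes_out"]}
    return flagged

if __name__ == "__main__":
    for key, info in flag_suspicious(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {info['bytes_out']} bytes via {info['reads']} reads from {info['ips']}")
```

In a real deployment the events would come from CloudTrail S3 data events delivered to a bucket or a SIEM, and the allowlist and threshold would be derived from each key's normal baseline rather than fixed constants.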
Two gangs, one breach
The dual attribution tells a story about how cybercrime now operates as a layered economy rather than a solo pursuit.
TeamPCP carried out the intrusion. According to Aqua Security, the company that develops Trivy, the group has been linked to ransomware attacks and cryptocurrency-mining campaigns. Palo Alto Networks’ Unit 42 has tracked TeamPCP running a systematic campaign of supply chain attacks against open-source security projects — targeting developers who hold keys to sensitive systems, then using that access to extort the organizations those developers serve.
ShinyHunters, a separate and well-known group, handled the leak. A member of ShinyHunters told TechCrunch in an online chat that they obtained some of the data TeamPCP had previously stolen and then published it. The relationship between the two groups — whether transactional, competitive, or merely opportunistic — was not detailed in CERT-EU’s report.
This is the cybercrime-as-a-service ecosystem in action: one group breaches, another monetizes or publicizes, and the victims are left sorting through the wreckage.
Questions the Commission hasn’t answered
The European Commission has not yet publicly addressed the breach in detail. A spokesperson told TechCrunch that the body was closed until next week and would respond to requests for comment then.
The underlying vulnerability — a poisoned open-source tool that compromised a cloud API key — illustrates the fragility of software supply chains. The Commission did not misconfigure its AWS account or fall for a phishing email. It downloaded a legitimate security tool that had been tampered with upstream. That’s a difficult attack to defend against, and it’s the same class of vulnerability that has cropped up in incidents from SolarWinds to the PHP backdoor attempt.
CERT-EU’s decision to name the groups publicly, describe the attack chain, and quantify the damage in specific terms suggests an agency that wants the broader community to learn from this incident — and perhaps a signal that quiet, generic advisories are no longer enough when the threat is this organized.
Sources
- Europe’s cyber agency blames hacking gangs for massive data breach and leak — TechCrunch
- The shadowy group claiming attacks around Europe — Financial Times