Dark Web Alert: Massive Data Leak from Russian SMS Aggregators Threatens Global Accounts
An advertisement has surfaced on the dark web offering three terabytes of data allegedly stolen from two major Russian SMS aggregators. The individual behind the post, using the pseudonym ByteToBreach, claims that the leak includes names, phone numbers, IP addresses, banking messages, activation codes, and other sensitive information.
The description notes that “a portion of the data was deleted prior to exfiltration,” suggesting that the companies’ infrastructures may experience operational disruptions. To substantiate the claim, the author provided a link to a file-sharing service and contact information on Telegram, Signal, and email. The authenticity of this information has yet to be officially confirmed.
According to cybersecurity expert Alexey Lukatsky, this incident represents a supply chain attack, targeting the SMS channels used by thousands of online services to transmit one-time passwords, PIN codes, password reset links, and notifications. The potential repercussions of such a compromise could be far-reaching.
Firstly, the interception or manipulation of 2FA codes and password recovery links could enable mass account takeovers—affecting everything from email and banking services to messaging platforms, cryptocurrency wallets, and social networks. For reference, in 2022, the breach of Twilio impacted 163 companies, including Signal, where nearly 1,900 accounts were exposed.
Secondly, gaining access to an SMS aggregator’s control panel would allow attackers to send messages from trusted sender IDs and short codes, bypassing spam filters and creating a perfect channel for phishing, fraud, and business email compromise (BEC) campaigns.
Thirdly, databases of phone numbers, message contents, and metadata (including timestamps, recipients, and message text) hold immense value for targeted phishing, extortion, and surveillance. A similar situation arose with the compromise of Syniverse, a routing hub for inter-carrier SMS traffic, which placed billions of messages at risk.
Fourthly, access to a provider’s infrastructure can facilitate user tracking, as demonstrated by the scandal involving Mitto, whose services were exploited for surveillance operations.
Fifthly, the compromise of SMS channels poses a serious threat to administrative and corporate systems, enabling attackers to intercept MFA communications and gain access to email accounts, cloud environments, and CI/CD pipelines. The publication references the Authy incident of 2024, in which data from 33 million users was exposed via an unauthenticated endpoint.
Beyond technical risks, the potential reputational and financial fallout is considerable: unexpected costs from fraudulent message distributions, regulatory fines under GDPR, CCPA, and Russia’s Federal Law No. 152, and a loss of trust in mass notification systems.
As of this writing, there has been no official confirmation from the affected aggregators, telecom operators, or regulatory authorities regarding the authenticity of the alleged breach.