Cyber Incident Victim: Niazpardaz

Date: Apr 2020

Location: Iran

Summary

The personal data of tens of thousands of Iranians, including national ID cards, selfies, birth certificates, passports, and debit card details, was sold on dark web and hacking forums. The breach originated from multiple sources, including an online advertising and utility platform, with data volumes reaching 8.17 GB across over 45,000 files. Cybercriminals offered the information for cryptocurrency, enabling risks of identity theft, financial fraud, blackmail, and other criminal exploitation against affected individuals during a period of heightened vulnerability.


Description

In early April 2020, a significant data breach involving Iranian citizens' personal information was identified, with data actively marketed on dark web platforms and hacking forums. On April 7, 2020, or shortly before, a threat actor advertised 45,221 files totaling 8.17 GB of sensitive Iranian documents for sale at $200 in Bitcoin, restricting purchases to a maximum of three buyers. The dataset included Iranian national ID cards, birth certificates, passports, debit cards, and selfies of individuals holding their ID cards. Security researcher Mohammad Jorjandi (@s7az2mm) traced the data's origin to multiple Iranian platforms, including Niazpardaz[.]ir—an online advertising and utility service—and Arzi24[.]com, a cryptocurrency exchange site operated by Farhad Exchange. Concurrently, a separate listing emerged on a prominent hacking forum offering 52,000 Iranian ID cards with corresponding selfies for 0.2 Bitcoin (~$1,463), indicating either an expanded dataset or overlapping records. This forum had previously hosted sales of 42 million Iranian phone numbers and large volumes of OnlyFans data, suggesting a pattern of high-volume data trafficking.

The breach exposed victims to severe privacy and security risks, including identity theft, financial fraud, blackmail, and physical threats, exacerbated by Iran's concurrent COVID-19 crisis. Attackers leveraged stolen credentials and document scans to bypass identity verification systems, enabling unauthorized access to financial accounts or government services. No containment efforts or victim remediation actions were documented in available sources. The data’s availability across multiple illicit platforms increased its dissemination potential, with pricing strategies reflecting bulk sale incentives. The incident underscored systemic vulnerabilities in Iranian online platforms’ data protection measures, particularly at Niazpardaz[.]ir and Arzi24[.]com, which served as primary data sources. Financial and reputational impacts on affected individuals remained unquantified, though the inclusion of selfies with ID documents significantly elevated risks of targeted social engineering or impersonation attacks.
