Date: Sep 2023

Location: Netherlands

Summary

A threat actor known as IntelBroker breached Europol's Platform for Experts (EPE) portal, claiming theft of For Official Use Only documents containing classified data, including personnel records of senior officials, source code, and materials from specialized law enforcement communities like EC3 SPACE and SIRIUS. The agency confirmed the incident but stated no operational data or core systems were compromised, adding that the affected portal was a closed user group for sharing non-personal crime-related information. The attacker attempted to sell the allegedly stolen data—which included sensitive law enforcement and cybercrime expert details—exclusively for Monero cryptocurrency on hacking forums, while the EPE service remained offline for maintenance. IntelBroker has previously targeted multiple government agencies and corporations, including recent breaches at Zscaler and U.S. health care plans.

Description

Europol confirmed a security breach affecting its Europol Platform for Experts (EPE) portal, an online platform used by law enforcement professionals to share non-operational knowledge and best practices. The incident came to light after a threat actor known as IntelBroker claimed responsibility for stealing For Official Use Only (FOUO) documents containing classified data. Europol stated that initial actions had been taken to assess the situation, emphasizing that no operational data or core systems were compromised. The EPE portal was taken offline for maintenance following the breach. IntelBroker leaked screenshots of the EPE interface and a sample database from the EC3 SPACE community—a sub-platform within EPE hosting cybercrime materials for over 6,000 accredited experts worldwide. The sample contained 9,128 records, including personal information of law enforcement agents and cybercrime experts. IntelBroker also claimed unauthorized access to the SIRIUS platform, a cross-border electronic evidence system used by judicial authorities across 47 countries. Europol did not immediately confirm whether FOUO or classified documents were stolen or specify the breach timeline. This incident followed an earlier September 2023 disclosure of missing personal paper files belonging to Europol Executive Director Catherine De Bolle and other senior staff, which the agency classified as a serious security and data breach.

IntelBroker, active since at least December 2023, has been linked to multiple high-profile breaches, including attacks on U.S. entities like DC Health Link, the Department of Defense, and ICE/USCIS, as well as private companies such as Hewlett Packard Enterprise and Home Depot. The threat actor advertised the sale of the allegedly stolen Europol data on hacking forums, demanding Monero (XMR) payments and requiring proof of funds from buyers. Europol’s investigation remained ongoing, with no public confirmation of the data’s authenticity or further details about containment measures beyond the EPE portal’s temporary shutdown. The breach raised concerns due to EPE’s role in facilitating collaboration among law enforcement, judicial authorities, academia, and private sector partners. IntelBroker’s history included the Five Eyes data leak allegations in April 2024 and a separate claim involving Zscaler’s isolated test environment, though Zscaler confirmed no impact on production systems. Europol reiterated that the compromised platform did not process operational information, limiting potential damage to non-core data and user credentials within the EPE ecosystem.
