A hacker known as CamelliaBtw has claimed responsibility for a significant data breach impacting Max Messenger, a messaging platform developed by VK and launched on March 26, 2025. The announcement was made in a post yesterday on the DarkForums cybercrime marketplace, revealing the extent of the compromise.
The forum thread, titled “Max Messenger – Full User Infrastructure & SQL Dump,” suggests that the attacker successfully gained full access to the platform’s production systems one year post-launch. The post details a complete breach of user data, backend infrastructure, and proprietary source code, raising alarm regarding the security of sensitive information.
Max Messenger operates as a cross-platform app, heavily endorsed in Russia as a homegrown alternative to foreign messaging services like WhatsApp and Telegram. It offers features such as messaging, voice and video calls, and file sharing, while also integrating government services in a manner reminiscent of China’s WeChat. The app has reportedly attracted millions of users across Russia and nearby regions, with mandatory pre-installation on many devices sold in Russia and Belarus, underlining its perceived national importance.
Concerns about user privacy have been raised, particularly given the app’s structural ties with Russian government data systems, which could imply state access to user metadata. The latest breach claims add to these worries, with the hacker alleging that they exfiltrated a total of 142 GB of data, including approximately 15.4 million user records with sensitive information such as full names, usernames, verified phone numbers, and active authentication tokens. They also claimed access to backend source code that allegedly contains hardcoded backdoors.
The approach reportedly involved exploiting an unknown remote code execution vulnerability within Max Messenger’s media processing engine. According to the hacker, the vulnerability was triggered by injecting malicious payloads into sticker pack metadata, allowing persistent backend access. The flaw, they state, has been present since the beta phase in early 2025 without any mitigation applied.
In an alarming development, CamelliaBtw issued a clear ultimatum to the developers of Max Messenger, claiming that the company had been privately informed of the breach but had not responded. The hacker asserted that they have identified accounts belonging to prominent politicians and corporate executives who joined the platform during its initial growth phase. They have demanded a financial settlement, described as a “bug bounty,” within 24 hours, and have threatened otherwise to publish the first 5 GB of their stolen SQL database on public torrent sites.
As of now, Max Messenger has not released a statement to confirm or deny the breach, and no sample data has emerged to allow for independent verification of the hacker’s claims. Cybersecurity experts caution that while some claims on underground platforms can be exaggerated, the technical detail provided in this instance appears credible and merits serious attention.
If validated, this incident would mark one of the most severe breaches of a messaging platform in recent history, with substantial implications for user privacy, account security, and trust in encrypted communication services. It underscores the need for businesses to reassess their cybersecurity measures and the potential risks associated with integrating messaging platforms within their operations.