A hacker known as “CoreInjection” has claimed responsibility for breaching the systems of Check Point, an Israeli cybersecurity firm, asserting that they have gained access to sensitive internal information and network infrastructure. This announcement was made on Breach Forums on March 30, 2025, where CoreInjection offered to sell the stolen data for 5 Bitcoin, equivalent to approximately $434,570. The hacker stated that this price is non-negotiable and that payments will only be accepted in cryptocurrency, directing interested parties to contact them via the TOX messaging platform.
The hacker’s listing indicated that the compromised data includes a variety of sensitive materials. This comprises internal project documentation, user credentials in both hashed and plaintext formats, internal network maps alongside architecture diagrams, source code and compiled binaries of proprietary applications, as well as employee contact information, which includes phone numbers and email addresses.
In response to these claims, Check Point has strongly denied that any significant breach has occurred, describing the situation as related to an “old, known and very pinpointed event” that impacted a limited number of entities and did not penetrate their core systems. The company stated that this issue was resolved months ago, asserting that it does not correspond to the information detailed in CoreInjection’s forum post. According to Check Point, there was no real threat posed to its customers or infrastructure, clarifying that the affected portal did not involve sensitive production environments.
CoreInjection, a relatively new participant in the cybercrime landscape, has quickly gained notoriety for targeting critical infrastructure in Israel. Their initial post on Breach Forums dates back to March 15, 2025, offering access to various companies, including a U.S.-based industrial firm, for the hefty sum of $100,000. Their subsequent listings have targeted Israeli firms almost exclusively, revealing a pattern of particular focus on Israeli entities.
Notably, CoreInjection’s claimed access to an Israeli international car company’s network, offered for $50,000, suggests they could gain substantial control over the company’s infrastructure. A later offering of access to a prominent digital screen company’s central server, priced at $100,000, has raised alarms among cybersecurity professionals. Such access would enable real-time control over public display systems, potentially mirroring past attacks by groups linked to Iranian and Palestinian hackers, who have hijacked public-facing screens for political messaging.
The sequence of CoreInjection’s posts indicates a targeted campaign aiming at critical infrastructure sectors, with high-value data as the objective. Their activities demand scrutiny within both underground forums and the cybersecurity field, particularly given the unique focus on Israeli infrastructure.
Despite Check Point’s reassurances, CoreInjection’s detailed inventory of alleged stolen items raises significant concerns. The claimed presence of internal network diagrams and plaintext credentials would, if genuine, indicate a depth of access that points to security weaknesses Check Point has not fully disclosed. Unanswered questions remain, such as why this previously identified incident was not made public at the time it occurred. Transparency is crucial for a cybersecurity vendor of Check Point’s stature, and the episode echoes broader concerns about how the industry handles disclosure of its own security incidents.
As the cybercriminal landscape evolves, recent events highlight the need for vigilance, especially as cybercriminals increasingly target cybersecurity vendors themselves. The claims made by CoreInjection illustrate that even organizations dedicated to cybersecurity are not invulnerable, underscoring the need for sustained effort in safeguarding sensitive data and infrastructure.
From a tactical perspective, the MITRE ATT&CK techniques relevant to this investigation may include initial access through the exploitation of vulnerabilities, followed by credential dumping and lateral movement within the network. Given the nature of the data claimed to be compromised, further analysis is essential to ascertain the precise methods used by the attackers. This incident compels business owners to continually scrutinize the robustness of their security posture and adapt to the evolving threat landscape.