A hacker under the alias “888” has reportedly claimed responsibility for a significant data breach impacting the European Space Agency (ESA). The hacker alleges that more than 200 GB of internal data was stolen during an attack on December 18, 2025. This breach reportedly resulted in the complete exfiltration of private development documents and sensitive assets.
The hacker has taken to DarkForums to offer the stolen material as a one-time package, demanding payment solely in Monero (XMR). According to the hacker’s post, the data encompasses private Bitbucket repositories, internal documentation, infrastructure configurations, and sensitive credentials.
Details from Shared Screenshots
In screenshots provided by the hacker, there appear to be details from internal ESA environments. One particular image displays a build.properties.dev configuration file that references PSA ingestion workflows alongside internal host addresses ending in esa.int. It also includes SMTP settings and database connection information.
While certain fields have been redacted, visible information includes directory paths and variable naming conventions, indicating that the data may have been extracted directly from the agency’s development or integration systems. Another screenshot features internal technical documentation marked as proprietary, which includes notices from Thales Alenia Space and branding from Airbus Defence and Space.
The documents revealed in these screenshots appear to contain spacecraft reference frames, subsystem descriptions, and engineering diagrams that are typically restricted to internal teams and partners. Each document is formatted like official deliverables, complete with reference numbers and issue dates.
Additional images showcase an internal project management tool used at ESA. A Jira instance displayed lists subsystem requirements for the Security Operations Centre (SOC) as well as the Operations Control and Command System (OCCS). The structured format suggests these documents pertain to live operational programs rather than archived projects.
Another screenshot illustrates a Bitbucket project view that includes repositories related to deployment pipelines, Docker images, orchestration services, and data processing chains. The naming conventions reveal projects linked to CI/CD pipelines and service gateways, supporting the hacker’s claims of access to automation workflows and infrastructure logic.
Potential Implications
If the claims are verified, the breach could have severe ramifications. The exposure of source code, CI/CD pipelines, API tokens, and other sensitive files represents a comprehensive attack surface that could facilitate further breaches, supply chain exploitation, or long-term espionage focused on ESA initiatives and its partners.
As of the current reporting, the European Space Agency has not publicly confirmed or denied the incident. The legitimacy of the hacker’s dataset remains unverified, although the technical intricacies depicted in the screenshots suggest a level of internal access that would be challenging to fabricate. Hackread.com is attempting to reach the ESA for potential updates on the situation.
A History of Breaches Associated with 888
The alias “888” has been linked to several other high-profile breaches prior to the one involving the ESA. Notably, the hacker previously targeted Samsung Medison, claiming to have accessed sensitive information through a compromised third-party service. This breach, unlike the current one, focused on internal and customer-related data rather than core infrastructure, indicating an attack vector reliant on less secure external dependencies. Ultimately, the data was leaked online.
Another incident attributed to the same hacker involved the online leak of data belonging to Microsoft and Nokia employees, which included internal contact information and corporate documents.
