A threat actor has surfaced on a dark web forum offering what is described as a complete database tied to "EGADGETS PAKISTAN," reportedly containing more than 80 million records and roughly 2 TB of sensitive customer, device, and retail identity data. The listing, amplified by the Dark Web Intelligence monitoring account, claims to link IMEI numbers, CNIC national identifiers, phone numbers, and customer photographs into a single correlated dataset. If authentic, this would rank among the most consequential identity-linked telecom exposures reported in South Asia.
What Happened
The listing surfaced on a dark web forum where the seller advertised a bulk dataset attributed to EGADGETS PAKISTAN, an entity operating within Pakistan's mobile device registration and retail distribution ecosystem. Screenshots circulating publicly reference more than 80 million records and approximately 2 TB of structured and unstructured data. The seller paired the listing with sample images purporting to show customer ID photographs and shop owner imagery, which, if genuine, would point to a production database rather than a partial scrape. None of these figures has been independently verified: record counts in such listings are routinely inflated, and sample images are sometimes recycled from older leaks, so the 80 million figure should be read as the seller's claim until a sample has been checked against known-good records. The intrusion vector has not been disclosed by the actor, and EGADGETS has not yet issued a public confirmation or denial.
What Was Taken
The advertised dataset reportedly fuses device telemetry with foundational identity records, including:
- Device IMEI and serial numbers
- Device brand, model, and category information
- Full customer names
- CNIC (Computerized National Identity Card) numbers
- Mobile phone numbers
- Retail shop owner details and store addresses
- Transaction records and internal notes
- Customer and shopkeeper photographs
The combination of CNIC identifiers with device IMEI data is the most operationally damaging element. In Pakistan, the CNIC number anchors banking, telecom KYC, mobile wallet verification, and access to government services. Linking it to a physical device identifier and a registered phone number yields a persistent identity package: none of the three fields can be rotated the way a password can, and together they cover most of what a telecom-anchored KYC check asks a customer to supply.
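Before treating a listing like this as confirmed, an analyst usually wants to know whether a leaked sample really carries CNIC, IMEI and phone number on the same row (a correlated dataset) or is a loose combolist with a few of each. The script below is an added example written for this article, not code from EGADGETS or from the source of the listing. It classifies each CSV cell by shape alone and counts rows by the combination of identity fields present. The CSV rows are constructed; the format assumptions are that a CNIC is 13 digits written NNNNN-NNNNNNN-N (dashes optional), an IMEI is 15 digits whose last digit is a Luhn check digit, and a Pakistani mobile number is 03XXXXXXXXX or +923XXXXXXXXX.

```python
"""Triage of a leaked record sample: which identity fields do rows actually carry?

Added example for this article, not code from EGADGETS or from the source of
the listing. Sample rows are constructed; CNIC, IMEI and mobile formats are
assumptions stated in the lead-in.
"""
import csv
import io
import re
from collections import Counter
from typing import Optional

CNIC_RE = re.compile(r"^\d{5}-?\d{7}-?\d$")        # assumed CNIC shape
MOBILE_RE = re.compile(r"^(?:\+92|0)3\d{9}$")      # assumed Pakistani mobile shape

# Constructed sample; the first IMEI is the public example value, the last one
# has its check digit altered so it fails Luhn.
SAMPLE_CSV = """name,cnic,msisdn,imei,model
Constructed Person A,35202-1234567-1,03001234567,490154203237518,Model X
Constructed Person B,4210112345678,+923211234567,356938035643809,Model Y
Constructed Person C,35202-7654321-3,03331234567,,Model Z
Constructed Person D,,03451234567,490154203237519,Model W
"""


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum, as used for the IMEI check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_imei(value: str) -> bool:
    return len(value) == 15 and value.isdigit() and luhn_valid(value)


def classify_value(value: str) -> Optional[str]:
    """Map one cell to 'cnic', 'imei', 'mobile' or None by shape alone."""
    v = value.strip().replace(" ", "")
    if CNIC_RE.match(v):
        return "cnic"
    if is_imei(v):
        return "imei"
    if MOBILE_RE.match(v):
        return "mobile"
    return None


def triage(csv_text: str) -> dict:
    """Count rows by the set of identity fields they contain."""
    rows = 0
    full_package = 0           # rows carrying CNIC + IMEI + mobile together
    checksum_failures = 0      # 15-digit values that are not valid IMEIs
    profiles: Counter = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows += 1
        kinds = set()
        for cell in row.values():
            cell = (cell or "").strip()
            kind = classify_value(cell)
            if kind:
                kinds.add(kind)
            elif len(cell) == 15 and cell.isdigit():
                checksum_failures += 1
        profiles["+".join(sorted(kinds)) or "none"] += 1
        if {"cnic", "imei", "mobile"} <= kinds:
            full_package += 1
    return {
        "rows": rows,
        "full_package": full_package,
        "imei_checksum_failures": checksum_failures,
        "profiles": dict(profiles),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CSV))
```

A high share of rows with all three fields supports the "correlated dataset" claim; a high share of 15-digit values that fail the Luhn check is a sign of padded or fabricated IMEIs, which is common in inflated listings.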
Why It Matters
A CNIC number cannot be reissued the way a leaked password can be reset. Once paired with an IMEI, a phone number, and a photographic identity reference, the resulting profile is durable and usable for years. The dataset would hand criminal operators the inputs that SIM swap social engineering and telecom-anchored KYC checks typically ask for (name, CNIC, registered number, current handset), plus a photo to defeat selfie-style verification or to seed synthetic-media impersonation. Retail shop data also exposes the physical distribution channel, enabling fraud against small merchants, device cloning, and gray-market resale schemes. For state-aligned threat actors, the dataset offers a baseline for population-scale targeting and surveillance.
The Attack Technique
The threat actor has not described how access was obtained, so anything said about the vector is inference from the advertised fields. The breadth of fields and the presence of internal notes and unstructured imagery suggest direct database access rather than a frontend scrape. Common vectors for incidents of this profile include exposed administrative panels, compromised third-party vendors with database privileges, leaked cloud storage buckets containing backups, and credential theft against staff with backend access. Photographs at scale suggest the actor also reached a storage tier (object storage or attached file shares) in addition to the relational data, although a single application or service account with broad read access to both would produce the same result, as would a backup archive that bundled the two.
What Organizations Should Do
- Pakistani telecoms, banks, and fintechs should treat knowledge of a customer's CNIC, phone number and IMEI as public. These fields may still be checked for consistency, but they must not count as proof of identity, and high-risk actions should require a step-up factor that does not depend on them (an enrolled device credential, in-person verification, or a video check).
- Mobile network operators should accelerate SIM swap fraud controls, including porting and SIM-change cooldowns during which SMS OTP is not accepted for high-value actions, in-person verification thresholds, and anomaly monitoring on high-value subscribers.
- Organizations integrating device-bound identity should review whether IMEI is used as a trust signal. An IMEI is printed on the box, readable by apps on the handset, and now presumably in circulation, so it identifies a device without proving possession of it; where feasible, replace it with a per-device key generated in the handset's secure hardware and verified through key attestation.
- EGADGETS partners and vendors with shared API or database access should rotate credentials, audit access logs for the past 12 months starting with service accounts that can read the customer records and image store, and review third-party data sharing agreements.
- Threat intelligence teams should monitor underground markets for derivative listings, repackaged subsets, or combolists incorporating CNIC fields.
- Pakistani regulators, including the PTA and NADRA-linked oversight bodies, should compel forensic disclosure and coordinate consumer notification given the foundational identity exposure.
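The first three recommendations above come down to one policy: consistency checks on CNIC, phone number and IMEI earn no trust, possession of an enrolled device credential is the only strong factor, and an SMS OTP inside a SIM-change cooldown is worth nothing. The following is an added example written for this article and is not code from EGADGETS, any Pakistani operator, bank or fintech. Thresholds, field names and the sample records are assumptions, and the HMAC device credential is a stand-in for the hardware-attested asymmetric key (a secure-element or Keystore-backed key with attestation) that a real deployment would enrol.

```python
"""Step-up authentication once CNIC, phone number and IMEI are assumed leaked.

Added example for this article; not code from EGADGETS or any operator, bank
or fintech. Thresholds and records are assumptions; the HMAC credential stands
in for a hardware-attested asymmetric device key.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SIM_CHANGE_COOLDOWN = timedelta(hours=48)   # assumed porting/SIM-change cooldown
HIGH_VALUE_PKR = 50_000                      # assumed threshold for mandatory step-up


@dataclass
class Subscriber:
    msisdn: str
    cnic: str
    imei: str
    last_sim_change: Optional[datetime]
    device_secret: Optional[bytes]      # enrolled device-bound credential (HMAC stand-in)


@dataclass
class Request:
    msisdn: str
    cnic: str
    imei: str
    amount_pkr: int
    at: datetime
    otp_passed: bool
    device_sig: Optional[bytes] = None  # proof of possession from the enrolled device


def canonical(req: Request) -> bytes:
    """What the device signs. Binding the proof to one transaction means a
    captured signature cannot be replayed against a different amount or time."""
    return f"{req.msisdn}|{req.amount_pkr}|{req.at.isoformat()}".encode()


def device_sign(secret: bytes, req: Request) -> bytes:
    return hmac.new(secret, canonical(req), hashlib.sha256).digest()


def decide(sub: Subscriber, req: Request) -> Tuple[str, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons)."""
    # 1. CNIC and IMEI are consistency checks only: knowing them is assumed
    #    public, so a match earns nothing, but a mismatch is still a hard deny.
    if (req.cnic, req.imei) != (sub.cnic, sub.imei):
        return "deny", ["identity_fields_mismatch"]

    # 2. Possession of the enrolled device credential is the one strong factor.
    if sub.device_secret and req.device_sig and hmac.compare_digest(
            device_sign(sub.device_secret, req), req.device_sig):
        return "allow", ["device_bound_proof"]

    # 3. An SMS OTP delivered to a SIM changed inside the cooldown window may
    #    have gone to the attacker; force an out-of-band check.
    if sub.last_sim_change is not None and req.at - sub.last_sim_change < SIM_CHANGE_COOLDOWN:
        return "step_up", ["sim_changed_within_cooldown"]

    # 4. Without device binding, OTP alone only covers low-value actions.
    if req.amount_pkr >= HIGH_VALUE_PKR:
        return "step_up", ["high_value_without_device_proof"]
    if req.otp_passed:
        return "allow", ["otp_only_low_value"]
    return "deny", ["no_valid_factor"]


def run_demo() -> dict:
    """Constructed scenarios; the IMEIs are public example values, the rest is fictional."""
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
    swapped = Subscriber("+923001234567", "35202-1234567-1", "490154203237518",
                         last_sim_change=now - timedelta(hours=6),
                         device_secret=b"enrolled-device-secret")
    stable = Subscriber(swapped.msisdn, swapped.cnic, swapped.imei, None, swapped.device_secret)
    fields = dict(msisdn=swapped.msisdn, cnic=swapped.cnic, imei=swapped.imei, at=now)

    # Attacker holds the leaked triple and received the OTP after a SIM swap 6 h ago
    attacker = Request(**fields, amount_pkr=80_000, otp_passed=True)
    # Legitimate user on the enrolled device
    legit = Request(**fields, amount_pkr=80_000, otp_passed=True)
    legit.device_sig = device_sign(swapped.device_secret, legit)
    # Low-value OTP-only action on a line that was never swapped
    small = Request(**fields, amount_pkr=2_000, otp_passed=True)
    # Replay of the legitimate signature against a larger amount
    replay = Request(**fields, amount_pkr=200_000, otp_passed=True, device_sig=legit.device_sig)
    # Leaked triple with a stale IMEI (the victim has since changed handsets)
    wrong_imei = Request(**{**fields, "imei": "356938035643809"}, amount_pkr=2_000, otp_passed=True)

    return {
        "attacker_after_swap": decide(swapped, attacker)[0],
        "attacker_no_swap_high_value": decide(stable, attacker)[0],
        "legit_device": decide(swapped, legit)[0],
        "small_otp_only": decide(stable, small)[0],
        "replayed_signature": decide(stable, replay)[0],
        "wrong_imei": decide(stable, wrong_imei)[0],
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:30s} {outcome}")
```

The ordering matters: the device check runs before the cooldown check so a genuine user who just replaced a SIM on their enrolled handset is not punished, while an attacker with the full leaked triple, a freshly swapped SIM and a valid OTP never gets past step-up for anything above the threshold.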