Breach | European Commission | 2026-06-04

European Commission: TeamPCP and ShinyHunters Cloud Breach

The European Union's executive body has been hit by a coordinated cyberattack involving two distinct cybercriminal collectives, TeamPCP and ShinyHunters, who exfiltrated more than 92 gigabytes of compressed data from the Commission's cloud infrastructure. The breach extends beyond the Commission itself, touching at least 29 other EU entities and dozens of internal Commission clients, marking one of the most significant intrusions against an EU institution in recent memory.

What Happened

Two separate threat actor groups, TeamPCP and ShinyHunters, executed a coordinated intrusion against the European Commission's cloud environment. The attackers gained access through a compromised API key, then proceeded to harvest data from the Commission's systems before publishing portions of the stolen archive online. The collaboration between the two groups is itself notable: TeamPCP brings a background in ransomware and crypto-mining operations, while ShinyHunters has a long track record of large-scale data theft and leak-site monetization. The combined operation suggests an emerging model in which financially motivated crews pool capabilities to hit high-value government targets.

What Was Taken

The exfiltrated dataset totals over 92 gigabytes of compressed material drawn from Commission cloud assets. Confirmed data types include:

While the majority of captured emails appear to be machine-generated notifications, the inclusion of bounce traffic and direct correspondence creates meaningful exposure for individuals named in those threads. The blast radius extends to at least 29 additional EU entities and an unspecified number of internal Commission clients whose data was processed through the affected infrastructure.

Why It Matters

This incident is a clear signal that European institutions are now firmly in the crosshairs of profit-driven cybercrime collectives, not just state-aligned actors. The use of a single compromised API key to pivot into a multi-tenant cloud footprint demonstrates how identity and secrets management failures translate directly into cross-organizational breaches. For defenders, the most important takeaway is the supply chain dimension: a compromise at the Commission level cascades into the 29-plus downstream entities that share the same cloud surface. The collaboration between TeamPCP and ShinyHunters also matters strategically. When ransomware operators and data extortion crews share access, victims face simultaneous encryption, leak, and resale pressure, complicating both negotiation and incident response.

The Attack Technique

The intrusion centered on a compromised API key associated with the Commission's cloud infrastructure. With valid programmatic credentials in hand, the attackers were able to authenticate as a trusted identity and pull data at scale without triggering the user-facing controls that protect interactive logins. TeamPCP has historically targeted developers and personnel with elevated access to source code and CI/CD systems, a pattern consistent with how an API key of this scope would have been acquired or scraped. Once inside, the actors moved through connected tenants and downstream client environments, taking advantage of trust relationships between Commission systems and partner EU bodies to broaden the haul before staging exfiltration and publication.

What Organizations Should Do

  1. Inventory and rotate all API keys, service account tokens, and long-lived credentials, prioritizing any keys with cross-tenant or administrative scope.
  2. Enforce short-lived credentials and workload identity federation in place of static API keys, and require hardware-backed MFA for all human accounts that can mint or manage secrets.
  3. Deploy secrets scanning across source repositories, CI/CD pipelines, container images, and developer workstations to catch leaked keys before adversaries do.
  4. Instrument cloud audit logs for anomalous API usage patterns, including bulk read operations, off-hours activity, and access from new geographies or user agents, and route those signals to a 24/7 detection capability.
  5. Segment trust between parent organizations and downstream tenants or clients so that a single compromised credential cannot pivot across the full federation.
  6. Run a tabletop exercise modeling combined ransomware and data extortion pressure, including legal, communications, and regulator notification workflows under GDPR.
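As an added illustration of step 4 (not code from the original brief or from the Commission), the following detector runs over a constructed newline-delimited JSON audit log and flags the three patterns named there: bulk reads per key per hour, off-hours activity, and a key appearing from a country or user agent absent from its baseline. The field names, the office-hours window and the bulk threshold are assumptions; real provider audit logs use different schemas.

```python
# Added example, not from the original brief: detector for the anomalous API-key
# usage in step 4. Field names, thresholds and office hours are assumptions.
import json
from collections import Counter
from datetime import datetime

READ_ACTIONS = {"GetObject", "ListBucket"}  # assumed names for read/download calls
OFFICE_HOURS = range(7, 19)                 # assumed normal window, hours in UTC
BULK_THRESHOLD = 5                          # reads per key per hour; low for the demo

# Constructed sample: key "svc-key-1" used normally from BE in office hours, then
# at 02:00 UTC from a new country and user agent, pulling objects in bulk.
SAMPLE_LOG = "\n".join(
    ['{"ts":"2026-06-01T09:12:00Z","key_id":"svc-key-1","action":"GetObject","country":"BE","ua":"sdk/1.0"}',
     '{"ts":"2026-06-01T10:40:00Z","key_id":"svc-key-1","action":"PutObject","country":"BE","ua":"sdk/1.0"}']
    + ['{"ts":"2026-06-03T02:%02d:00Z","key_id":"svc-key-1","action":"GetObject","country":"SG","ua":"curl/8.0"}' % m
       for m in range(6)])

def parse_events(text):
    """Parse newline-delimited JSON audit events and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["dt"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda ev: ev["dt"])

def detect_anomalies(events, baseline_until):
    """Return alerts as (key_id, rule, detail). Events before baseline_until only
    build each key's profile of known countries and user agents."""
    cutoff = datetime.strptime(baseline_until, "%Y-%m-%dT%H:%M:%SZ")
    known = {}                  # key_id -> {"country": set(), "ua": set()}
    reads_per_hour = Counter()  # (key_id, "YYYY-MM-DDTHH") -> read count
    alerts = []
    for ev in events:
        key = ev["key_id"]
        prof = known.setdefault(key, {"country": set(), "ua": set()})
        if ev["dt"] < cutoff:
            prof["country"].add(ev["country"]); prof["ua"].add(ev["ua"])
            continue
        for field in ("country", "ua"):   # new geography or client, fired once each
            if ev[field] not in prof[field]:
                alerts.append((key, f"new_{field}", ev[field]))
                prof[field].add(ev[field])
        if ev["dt"].hour not in OFFICE_HOURS:
            alerts.append((key, "off_hours", ev["ts"]))
        if ev["action"] in READ_ACTIONS:  # bulk reads: fire once per key-hour bucket
            bucket = (key, ev["ts"][:13])
            reads_per_hour[bucket] += 1
            if reads_per_hour[bucket] == BULK_THRESHOLD:
                alerts.append((key, "bulk_read", bucket[1]))
    return alerts
```

In production the baseline would be learned over weeks per key and the threshold set from each key's own history rather than a fixed constant.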

Sources: European Commission Hacked: Massive Data Breach by Cybercriminal Gangs (2026)