A threat actor operating under the alias INF GRUPA has claimed responsibility for a major data breach targeting Meridianbet, one of the larger international online gambling operators. According to listings on underground cybercrime forums, the actor is offering a database of approximately 3.7 million customer records spanning 2019 through 2026, with exposure potentially impacting users across Europe, Africa, and Latin America. While the claims remain unverified by Meridianbet, the alleged scope places this incident among the most significant gambling sector data exposures of recent years.
What Happened
INF GRUPA surfaced on a dark web cybercrime forum advertising what they describe as an exclusive, never-before-leaked Meridianbet customer database. The actor asserts that access was obtained through internal employee tools, suggesting either credential theft, insider access, or compromise of an administrative panel rather than a perimeter exploit. The advertisement claims that every customer account created during the seven-year window from 2019 to 2026 is included, implying the threat actor reached a centralized customer datastore rather than a partial slice. The post has triggered immediate concern from researchers monitoring gambling sector threat activity, given the regulatory sensitivity of player data and the cross-jurisdictional footprint of Meridianbet's operations.
What Was Taken
The alleged dataset contains a deep stack of personally identifiable information that, if authentic, is exceptionally damaging. The actor lists full names, email addresses, telephone numbers, residential addresses, and dates of birth as core fields. Beyond standard PII, the records reportedly include passport information, government-issued identification details, customer account identifiers, and geographic data including country and city of residence. The combination is sufficient to construct complete digital identities suitable for synthetic fraud, account takeover, and impersonation campaigns. Most notable is the inclusion of internal operational annotations: analyst notes flagging high-value players, responsible gambling observations, account abuse investigations, and internal customer risk assessments. This category of data is rarely seen in public breach advertisements and indicates access well beyond a standard customer-facing database.
Why It Matters
Gambling operators sit at the intersection of strict KYC obligations and high-value financial relationships, making their customer datastores uniquely attractive to fraud and extortion actors. A leak of this scope would expose Meridianbet to regulatory consequences under GDPR and multiple national gambling authorities across its operating regions. The internal analyst notes carry their own risk profile: high-value player tags create a target list for social engineering and physical extortion, while responsible gambling observations and abuse investigations involve sensitive behavioral data that could be weaponized against individuals. For the broader sector, the alleged use of internal employee tools as the access vector reinforces a pattern seen across recent gambling and fintech breaches in which back-office tooling, not customer-facing infrastructure, becomes the soft underbelly.
The Attack Technique
INF GRUPA's claim points to access via internal employee tools rather than external application exploitation. This phrasing typically maps to one of several scenarios: compromise of a customer service or risk operations console through phished or info-stealer-harvested credentials, exploitation of weak authentication on internal administrative portals, or abuse of legitimate access by a compromised or malicious insider. The depth of internal annotations in the dataset is consistent with access to a CRM, risk operations, or analyst workbench rather than the raw production database. Info-stealer ecosystems continue to flood criminal markets with corporate credentials, and gambling operators with large customer support and risk operations footprints present a wide attack surface for credential reuse and session token theft.
What Organizations Should Do
- Audit all internal administrative and analyst tooling for MFA enforcement, session lifetime limits, and IP or device binding, prioritizing CRM, risk operations, and customer support consoles.
- Sweep info-stealer logs and credential marketplaces for corporate domain exposure, and force credential rotation plus session invalidation for any matched accounts.
- Apply strict role-based access controls and data minimization to internal consoles so that no single operator account can export bulk customer datasets without elevated approval and logging.
- Deploy or tune data loss prevention controls around customer datastores, with alerting on bulk reads, anomalous query patterns, and unusual export volumes from analyst tooling.
- Validate KYC document storage architecture, ensuring passport and ID images sit behind separate access controls and encryption keys from baseline customer records.
- Prepare regulatory notification workflows in advance for multi-jurisdiction gambling operators, since fragmented disclosure timelines amplify legal exposure once a breach is confirmed.
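The bulk-read and export-volume alerting described in the recommendations above can be prototyped against console audit logs before a DLP product is in place. The following is an added example, not code from the original article or from Meridianbet: it parses a constructed audit log from a hypothetical CRM/analyst console, keeps a per-operator sliding window of records touched, and raises alerts when a single export exceeds a cap that should require elevated approval or when an operator's total volume inside the window exceeds a baseline. The log format, field names, operator names and thresholds are all assumptions for illustration.

```python
"""Detect bulk customer-record access from internal analyst tooling.

Added example (not part of the original article). It models the alerting the
recommendations describe: per-operator record counts over a sliding window and
a per-event export cap. Log format, operators and thresholds are constructed
assumptions, not any real vendor's or operator's schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines from a hypothetical CRM / risk-operations console.
# Format: ISO timestamp | operator | action | number of customer records touched
SAMPLE_LOG = """\
2026-01-10T09:00:01 | ana.k   | read_customer | 1
2026-01-10T09:00:05 | ana.k   | read_customer | 1
2026-01-10T09:01:10 | ana.k   | export_csv    | 25
2026-01-10T09:02:00 | ops.svc | read_customer | 1
2026-01-10T09:02:30 | marko.p | export_csv    | 5000
2026-01-10T09:03:00 | marko.p | export_csv    | 5000
2026-01-10T09:03:45 | marko.p | read_customer | 900
2026-01-10T09:10:00 | ana.k   | read_customer | 1
"""

WINDOW = timedelta(minutes=5)   # sliding window per operator (assumed)
SINGLE_EXPORT_CAP = 1000        # any single export above this needs approval (assumed)
WINDOW_RECORD_CAP = 2000        # records touched per operator per window (assumed)


def parse_log(text):
    """Parse pipe-delimited audit lines into (timestamp, operator, action, count)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, action, count = [part.strip() for part in line.split("|")]
        events.append((datetime.fromisoformat(ts), operator, action, int(count)))
    return sorted(events)   # detection below assumes chronological order


def detect_bulk_access(events, window=WINDOW, single_cap=SINGLE_EXPORT_CAP,
                       window_cap=WINDOW_RECORD_CAP):
    """Return alerts as (rule, operator, timestamp, records).

    Rules:
      single_export_cap - one export event larger than single_cap
      window_volume     - operator's records touched inside the sliding window
                          crossed window_cap (emitted once per crossing)
    """
    alerts = []
    recent = defaultdict(deque)   # operator -> deque of (timestamp, count) in window
    totals = defaultdict(int)     # operator -> records touched inside the window
    over_cap = set()              # operators currently above window_cap

    for ts, operator, action, count in events:
        # Rule 1: a single oversized export is suspicious regardless of history.
        if action.startswith("export") and count > single_cap:
            alerts.append(("single_export_cap", operator, ts, count))

        # Maintain the sliding window for this operator.
        queue = recent[operator]
        queue.append((ts, count))
        totals[operator] += count
        while queue and ts - queue[0][0] > window:
            _, old_count = queue.popleft()
            totals[operator] -= old_count

        # Rule 2: alert when the operator first crosses the window volume cap.
        if totals[operator] > window_cap:
            if operator not in over_cap:
                alerts.append(("window_volume", operator, ts, totals[operator]))
                over_cap.add(operator)
        else:
            over_cap.discard(operator)

    return alerts


if __name__ == "__main__":
    for rule, operator, ts, records in detect_bulk_access(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {rule:18} operator={operator} records={records}")
```

Run against the constructed log, the routine flags only marko.p: two oversized exports and one window-volume crossing, while ana.k's handful of single-record reads and a 25-row export stay below both caps. In a real deployment the thresholds would be derived from each role's historical baseline, and the alert would be correlated with the MFA and device-binding signals from the first recommendation.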