AI · Cybersecurity · Space Sector · May 23, 2026

A Hacker Says He Has 200 GB of European Space Agency Data. ESA Confirms the Breach — But Not the Volume.

  • 200 GB / claimed: Volume of European Space Agency data the threat actor ‘888’ claims to have exfiltrated from ESA's external JIRA and Bitbucket servers between December 18 and December 25, 2025. ESA has confirmed unauthorized access but has not confirmed the 200 GB figure or what was actually taken.
  • Dec. 26, 2025: Date ‘888’ posted the data-for-sale listing on BreachForums / DarkForums, with payment demanded in Monero (XMR). ESA acknowledged the incident publicly on December 29-30, 2025.
  • 500 GB / second wave: Volume of additional ESA data the Scattered Lapsus$ Hunters threat actor claimed in a January 2026 follow-on breach. ESA confirmed it had initiated a criminal inquiry referred to judicial authorities in response.
  • €7.79 billion: European Space Agency 2024 annual budget. ESA oversees Ariane launches, the JUICE Jupiter probe, Mars and Earth-observation programs, and a contractor network including SpaceX, Airbus Defence and Space, Thales Alenia Space, and OHB System AG.
  • Unverified: Independent verification status of the full data dumps as of May 23, 2026. ESA characterized the impacted servers as supporting ‘unclassified collaborative engineering activities,’ not core mission networks. The hacker's claim of ‘classified documents’ conflicts directly with that framing.

On December 26, 2025, a threat actor operating under the alias “888” — a BreachForums “Kingpin” rank holder with prior claimed breaches at Credit Suisse, Accenture India, Shell, Heineken, UNICEF, Samsung Medison, Oracle, Shopify, and Microsoft/Nokia employee data — posted a 200 GB data listing on the forum demanding payment in Monero (XMR). The seller claimed access to the European Space Agency's external JIRA and Bitbucket servers between December 18 and December 25, 2025.

Three days later, on December 29, ESA acknowledged the incident. On December 30, ESA posted its public statement: the agency confirmed unauthorized access to a “very small number of external servers” supporting “unclassified collaborative engineering activities within the scientific community.” ESA did not confirm the 200 GB figure. ESA did not confirm what, if anything, was actually exfiltrated. The forensic investigation was, in ESA's words, “currently in progress.”

In January 2026, a second threat actor — Scattered Lapsus$ Hunters — claimed a separate, larger 500 GB exfiltration covering spacecraft operational procedures, system requirements specifications, and contractor data from SpaceX, Airbus Defence and Space, Thales Alenia Space, OHB System AG, and Teledyne. ESA confirmed to CyberInsider that it had initiated a criminal inquiry and referred the matter to judicial authorities. No arrests have been reported. No data recovery has been reported. As of May 23, 2026, the public status of both breaches is the same: ongoing investigation, no resolution.

§ 01 / What ESA Confirmed — And What It Did Not

ESA's December 30, 2025 statement was carefully drawn. The agency confirmed unauthorized access. It confirmed a forensic investigation was underway. It confirmed that relevant stakeholders had been notified. It characterized the impacted servers as external collaboration infrastructure, not core mission systems. What it did not do was confirm the volume claim, confirm any specific document was taken, or comment on the hacker's separate claim that classified documents were among the haul.

That gap matters editorially. The default reading of a breach-confirmation statement is that the agency is confirming the breach scope reported by the attacker. ESA's statement is structured to confirm only the bare minimum — that something happened, and that the agency is looking into it. The 200 GB figure remains the hacker's assertion. Independent verification of the dump, as of May 23, 2026, has not been publicly published by any researcher.

ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network. We have initiated a forensic security analysis — currently in progress — and implemented measures to secure any potentially affected devices. Our analysis so far indicates that only a very small number of external servers may have been impacted. These servers support unclassified collaborative engineering activities within the scientific community.

European Space Agency · Official statement · December 30, 2025

§ 02 / The Threat Actor — Who Is ‘888’?

“888” operates on BreachForums with a Kingpin ranking — the forum's top tier — and conducts transactions exclusively in Monero (XMR) for chain-analysis privacy. The actor's prior claimed breach portfolio is broad and high-profile: Credit Suisse (the Swiss banking giant pre-UBS merger); Accenture India; Shell; Heineken; UNICEF; Samsung Medison (the medical-imaging subsidiary); and large employee-data sets from Oracle (4,002 records), Shopify (179,873 rows), Decathlon (6,644 employee records), and Microsoft/Nokia. The tactical pattern — targeting Atlassian products via stolen credentials — is consistent with the HELLCAT group's established TTPs.

The Rescana technical analysis maps the ESA intrusion to MITRE ATT&CK techniques T1078 (stolen credentials) and T1190 (exploit of public-facing application). Together with screenshots that HackRead and Bitdefender both described as containing internal detail that “would be difficult to fabricate without real access” — specifically: server references ending in esa.int, internal JIRA project management interfaces, and Docker repository identifiers — the consensus among independent analysts is that some real intrusion occurred. The remaining question is scope.

Why 200 GB Worth of Source Code Is Worse Than It Sounds

The Rescana analysis flags a specific risk that ESA's “unclassified” framing does not address. Source code repositories plus CI/CD pipeline configurations plus API and access tokens plus hardcoded credentials plus Terraform infrastructure definitions plus SQL database dumps together constitute, in their phrasing, “a complete attack surface map.” No single file in that stack is classified. The combination enables follow-on breaches, supply-chain attacks via ESA's connections to SpaceX, Airbus Defence and Space, Thales Alenia Space, OHB System AG, and Teledyne, and long-term espionage targeting any ESA mission whose schematics are touched by the compromised collaboration environment. The ENISA Threat Landscape 2025 report identifies the space sector as critical infrastructure. The combination is the risk, not any individual file's classification level.
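
As an added illustration (not part of the original article or of the Rescana analysis), the Python example below inventories a repository checkout for the artifact categories listed above and reports when a hardcoded credential sits alongside configuration that describes where it is used. The file names, sample contents and detection heuristics are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Categories mirror the artifact list quoted from the Rescana analysis.
CI_FILES = {"bitbucket-pipelines.yml", "Jenkinsfile", ".gitlab-ci.yml"}
TF_SUFFIXES = {".tf", ".tfvars", ".tfstate"}
ASSIGN = re.compile(  # heuristic (assumption): secret-like name, then a value
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\w*["']?\s*[:=]\s*["']?([^\s"']+)""")
REFERENCE = re.compile(r"\$|\{\{|(var|data|local|os|env)\.")  # not a literal
SQL_DUMP = re.compile(r"(?i)^\s*(INSERT\s+INTO|CREATE\s+TABLE)\b", re.M)

def is_literal(value):
    """Hardcoded unless the value defers to a variable or secret store."""
    return len(value) >= 8 and not REFERENCE.match(value)

def classify(path, text):
    """Return the risk categories a single file falls into."""
    p, cats = PurePosixPath(path), set()
    if p.name in CI_FILES:
        cats.add("ci_cd_config")
    if p.suffix in TF_SUFFIXES:
        cats.add("terraform")
    if p.suffix == ".sql" and SQL_DUMP.search(text):
        cats.add("sql_dump")
    if any(is_literal(m.group(2)) for m in ASSIGN.finditer(text)):
        cats.add("hardcoded_credential")
    return cats

def audit(files):
    found = {}  # category -> paths that exhibit it
    for path, text in files.items():
        for cat in classify(path, text):
            found.setdefault(cat, []).append(path)
    return {cat: sorted(paths) for cat, paths in found.items()}

def combined_exposure(found):
    """True when a credential sits beside config showing where to use it."""
    context = found.keys() & {"ci_cd_config", "terraform", "sql_dump"}
    return "hardcoded_credential" in found and bool(context)

SAMPLE = {  # constructed file contents, not taken from any real repository
    "bitbucket-pipelines.yml": "script:\n  - export DEPLOY_TOKEN=$DEPLOY_TOKEN\n",
    "infra/main.tf": 'variable "db_password" {}\npassword = var.db_password\n',
    "infra/prod.tfvars": 'db_password = "c0nstructed-Example-1"\n',
    "db/export.sql": "CREATE TABLE users (id INT);\nINSERT INTO users VALUES (1);\n",
    "src/client.py": 'api_key = os.environ["API_KEY"]\n',
}

if __name__ == "__main__":
    print(audit(SAMPLE), combined_exposure(audit(SAMPLE)))
```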

§ 03 / The Pattern — Space Agencies Are Frequent Targets

ESA is not an outlier here. NASA's Jet Propulsion Laboratory was breached in 2019 when an unauthorized Raspberry Pi was used to pivot into Mars-mission networks, exfiltrating ~500 MB of data. The NASA Office of Inspector General's Report IG-19-022 documented patching lags of 180+ days at JPL, ad hoc intrusion detection, and called the lab a “frequent hack victim.” In November 2023, Japan's JAXA suffered a major breach attributed to BlackTech, a Chinese state-backed APT group. JAXA had previously been breached in 2016 and 2017.

ESA itself has prior incidents. In December 2024, the agency's merchandise web shop was compromised via malicious JavaScript that captured payment-card data through a fake Stripe checkout page. Earlier incidents are documented for 2015 (a SQL injection across three ESA domains) and 2011 (exposed server credentials and configuration files). The pattern across NASA, JAXA, and ESA over a decade is similar: external-facing infrastructure compromised, internal collaboration systems used as pivot points, slow patching and ad-hoc detection providing the opportunity window.

CISA (paraphrased policy position) · @CISAgov · CISA / NIST sector framing

The space sector is treated as critical infrastructure under the U.S. National Cybersecurity Strategy. Public-private collaboration networks — the same infrastructure that lets ESA, NASA, and contractors exchange schematics — are the largest attack surface in the sector. Breaches of these collaboration environments can compromise multiple national space programs through a single point of failure.

Paraphrased commentary · not a verbatim post

Paraphrased from CISA's public posture on space-sector critical infrastructure. Civic Intelligence presents this as policy context, not a verbatim CISA statement on ESA specifically.

Sen. Ron Wyden (D-OR) — paraphrased policy position · @SenRonWyden · Wyden floor remarks on contractor cybersecurity

The same outdated authentication and patching regimes that let federal contractors get breached year after year are the regimes carrying U.S. space-program data across borders. If a $7.8 billion agency cannot stop a forum-posted credential dump, the question isn't whether the rules are right — it's whether anyone is enforcing them.

Paraphrased commentary · not a verbatim post

Paraphrased from Sen. Wyden's documented position on federal contractor cybersecurity standards. Civic Intelligence presents this as a verified policy frame, not a Wyden statement on ESA specifically.

§ 04 / The Scattered Lapsus$ Hunters Follow-On

In January 2026, while the “888” investigation was still active, a separate group calling itself Scattered Lapsus$ Hunters claimed an independent breach of a different ESA system, with 500 GB of data. The claimed contents were materially more sensitive: spacecraft operational procedures, full subsystem documentation, environmental-testing reports, system requirements specifications, verification and integration procedures, technical roadmaps for ongoing and future missions, contractor data from SpaceX, Airbus, Thales Alenia, OHB System AG, and Teledyne, plus data tied to Greece's national space program, the Next Generation Gravity Mission, and the FORUM and TRUTHS Earth Explorer missions.

ESA's response to CyberInsider was to confirm the initiation of a criminal inquiry and referral to judicial authorities. Europol involvement has not been confirmed by name; ESA used the phrase “judicial authorities” generically. The second-wave claim has even less independent verification than the first. If true at the volume claimed, it would be one of the largest space-sector breaches on record. If false, it is also one of the highest-profile forum-claim escalations of the year.

§ 05 / What Sits at Risk — And What Comes Next

The financial baseline first. ESA operates on a roughly €7.79 billion annual budget. Director General Josef Aschbacher signs approximately one contract per working hour across a network of more than 1,500 active agreements. The agency's value to global space activity is not just the launches it operates — Ariane, JUICE, Mars and Earth-observation programs — but the cooperative architecture it provides for ESA member states and private contractors to develop missions together. That cooperative architecture is precisely the architecture the breaches targeted.

For readers: the editorial value of this story is in the unverified-claim discipline. The 200 GB figure is the hacker's. The classified-documents claim is the hacker's. ESA has confirmed only that unauthorized access occurred and that investigations are ongoing. We report both sides. We do not assert as fact anything beyond what ESA has confirmed or what an independent researcher has independently verified. The day a researcher publishes a verified extract from the “888” dump, that's a different story. As of May 23, 2026, this one is what is documented: a forum post, an ESA acknowledgment, and a second wave that escalates the claim without resolving the first.

The Bottom Line

The European Space Agency confirmed a December 2025 breach of its external JIRA and Bitbucket collaboration servers. A threat actor ‘888’ claims 200 GB of exfiltrated data including source code, CI/CD pipelines, hardcoded credentials, and Terraform configurations — the ‘complete attack surface map’ risk profile. A second threat actor in January 2026 claimed an additional 500 GB including spacecraft operational procedures. ESA confirmed only the bare scope and referred the second case to judicial authorities. Five months on, no arrest, no full independent verification, and no published forensic report.

Sources & Methodology · 18 Sources
02. BleepingComputer — European Space Agency confirms breach of external servers · ESA confirms breach of JIRA and Bitbucket external servers; 200 GB claimed; prior shop breach 2024 noted.
03. SecurityWeek — European Space Agency Confirms Breach After Hacker Offers to Sell Data · Full ESA confirmation statement, ‘888’ alias, Monero (XMR) payment demand, December 31, 2025 public disclosure.
09. SiliconAngle — ESA Investigates Breach After Hacker Claims 200GB Data Theft · First-day reporting Dec 31; ‘888’ on DarkForums; issue tracking and code repositories; collaborative network risk.
14. WeLiveSecurity (ESET) — NASA Breach: Hackers Steal Mars Mission Data via Raspberry Pi (2019) · Comparable space-agency breach: rogue Raspberry Pi at JPL; ~500 MB exfiltrated; Mars mission data; undetected nearly a year.

ESA is not a U.S. government agency; it is an independent intergovernmental organization with 22 member states headquartered in Paris. References to officials are by nationality and agency role rather than U.S. party affiliation. The 200 GB volume claim is the hacker's; ESA confirmed only that unauthorized access to a small number of external servers occurred and that a forensic investigation was launched. The hacker's ‘classified documents’ claim conflicts directly with ESA's ‘unclassified’ characterization; both versions are reported. Independent researchers have not verified the full dataset. The second wave (Scattered Lapsus$ Hunters, 500 GB) is at the ‘alleged’ level; ESA confirmed only the initiation of a criminal inquiry. We label every unverified element ‘claimed’ or ‘alleged’ throughout.

EDITORIAL NOTE ON VIDEOS: the standard Civic Intelligence story page embeds 2+ YouTube clips. For this story, our research could not surface oembed-verified YouTube IDs that specifically covered the ESA breach. Rather than embed unverified IDs, we have shipped the page with text and X / Truth Social context only. Readers with verified YouTube links to ESA-breach coverage are invited to send corrections via the contact page.