More than 40 million items of personal data belonging to Ecuadorian citizens are being offered for sale on the internet. The leak includes biometric records and access to sensitive systems of the Armed Forces.
The illicit packages contain information from the Weapons Permit Control System. They also expose data from financial entities and state contract documents, among them documents related to the acquisition of electronic shackles by the SNAI.
The real origin of the stolen files
The Civil Registry denied through its X account that the breach affected its systems. However, the Vecert Analyzer monitor contradicts this official version with precise technical data.
According to the tool, the cybercriminal Gordon Freeman extracted 14.8 million records. He also stole 10.6 million images from the Ministry of Public Health during 2025. The attacker presented these files in 2026, passing them off as Civil Registry data.
The method combined social engineering and automation techniques. The attacker used an infostealer to obtain credentials from the browsers of officials and medical personnel, then applied scraping tools to extract clinical histories and facial photographs.
"What we are seeing is a recipe that the State already knows by heart: the doctrine of denial. They already did it with CNT's ransomware in 2021 and with the Novastrat case in 2019." - Spokesperson, Center for Digital Autonomy
This institutional stance recalls previous unresolved incidents. In 2019 a misconfigured state server in Miami allowed the sale of CNT data. That breach also exposed information from the Bank of the Ecuadorian Social Security Institute under the government of Lenin Moreno.
Regulatory silence and immediate risks
The commercialized databases come from multiple public and private sources. The files stolen since mid-2025 belong to companies such as Azzorti EC and Speedycom. They also include information from Ticket Fácil, now Ticketstar365, and Tu Taxi Amigo.
Additionally, on April 29, 2026, documents from ministries and sectional governments were disseminated. These came from a repository of the Quipux system. Despite the magnitude, the Ecucert website of Arconel shows no alerts about these incidents.
The Center for Digital Autonomy points to those responsible for operational security. It considers that the Ministry of Telecommunications and the Telecommunications Regulation Agency have failed to perform their early warning functions. Articles 30 and 34 of ARCOTEL norm 2018-0652 require these incidents to be managed.
Experts warn about the practical consequences of this massive exposure. Ola Bini indicates that the leak will generate an increase in scams and phishing emails. Cybersecurity analysts fear the use of this information to train artificial intelligence and facilitate identity theft.