Chatter on cybersecurity networks and forums has once again centered on an alleged hack of the Tax Agency. A group called Qilin claims to have obtained 60 GB of information that, according to its version, belongs to the Treasury and is already circulating in spaces on the dark web.
The alert came from the specialized account Hackmanac on X, which publicized the existence of the material and the authorship attributed to Qilin, although it did not provide verifiable technical details regarding the scope or exact origin of the data. The publication cites 238,799 files and the dissemination of a small sample.
What is known about the incident
According to the screenshots and messages posted on X, Qilin allegedly published an offer on a dark web forum with “60 GB of information and 238,799 files”, accompanied by 16 sample documents to support its claim. The dark web, accessible through specific software and networks, makes it easy to operate anonymously and complicates the traceability of these exchanges.
A relevant nuance is that, unlike other ransomware episodes, no ransom demand has been addressed to the Spanish Government or the AEAT. The alleged database has reportedly been put up for sale, which fits monetization models in which attackers trade information for use in phishing, fraud, or identity theft campaigns.
Institutional response and signs pointing to a third party

Sources from the Tax Agency told the newspaper El Debate that, after initial analysis, the episode is similar to what happened at the end of 2024 and “would have affected a management company”, which would separate the incident from the AEAT's systems. If confirmed, this would be a breach at a supplier or intermediary that handles tax data for clients and SMEs.
In parallel, several analysts and users on X have pointed out that the samples published by Qilin appear to correspond to an accounting or consulting firm. One of the viral messages even pointed out that the company's website only responds via HTTP (without encryption), an indicator of bad practices that could facilitate intrusions or exfiltration if other flaws are present.
Who is Qilin and how do they operate?
Qilin is a group with a history in the cybercrime ecosystem, to which extortion campaigns and data sales are attributed. In this case, the pattern described publicly does not include a ransom negotiation with the AEAT, but rather the direct marketing of the alleged loot on closed forums, an increasingly common tactic when attackers seek quick liquidity or want to maximize value with multiple buyers.
If the information comes from a third party linked to the tax and labor field, the entry vector could be compromised credentials, services exposed without encryption, configuration errors, or unpatched vulnerabilities. Without an independent expert analysis, the exact point of compromise cannot yet be determined.
Recent precedent: the Trinity case
At the end of 2024, another alleged massive attack was reported: the Trinity group claimed to have stolen 560 GB of confidential data and demanded $38 million under threat of disclosure. The AEAT then indicated that its services were operating normally and, after a preliminary investigation, it was concluded that the affected party was a private entity in the field of tax and labor consulting, not the Agency itself.
This precedent reinforces the hypothesis that tax intermediaries and suppliers have become a high-value target for attackers, since they concentrate sensitive information from multiple clients without always having the same security standards as public bodies.
Risks for citizens and recommendations
If some of the leaked information were authentic and reusable, the most likely impact would be a spike in phishing and fraud attempts targeting taxpayers. Criminals often impersonate communications from the Treasury to trick victims into providing credentials or bank details, or into making unauthorized payments.
- Be wary of text messages, emails, or calls requesting urgent information, immediate payments, or file installations.
- Check senders and domains; access the Electronic Office by typing the official URL into your browser.
- Don't click on shortened links or unexpected attachments; check timestamps and electronic signatures.
- Activate two-factor authentication where available (Cl@ve, banking) and periodically review transactions and notifications.
- If you suspect fraud, save evidence and report it; consult INCIBE and law enforcement resources.
What remains to be clarified
Key points remain to be verified: the real origin of the files, the authenticity of the published samples, the scope of the affected individuals and companies, the timeline of the incident, and the intrusion vector. It also remains to be determined whether the entity identified as a possible source will take public action and notify data subjects, as required by law.
At the moment, the pieces fit better with a breach at a management or service company than with a direct compromise of the AEAT's systems. In a context of high exposure to attempted fraud, it is advisable to exercise extreme caution with any communication using the Hacienda brand and to follow good digital practices while investigations progress.