PII Belonging To Indian Citizens, Including Their Aadhaar IDs, Offered For Sale On The Dark Web

CYBER THREAT LANDSCAPE
15 OCT 2023
INDIA, PERSONAL DATA PROTECTION, PII, DATA LEAK, DIGITAL IDENTITY, IDENTITY PROTECTION, CYBERCRIME, DARK WEB

In early October, Resecurity’s HUNTER (HUMINT) unit identified millions of personally identifiable information (PII) records, including Aadhaar cards, belonging to Indian residents being offered for sale on the Dark Web. The total number of affected citizens is a matter of in-depth investigation by the authorities, but the concerning fact is that the data is valid and sensitive.

Updated (October 31, 2023, 20:29 PST): Following the public disclosure by Resecurity, the threat actor has since removed the post. However, a cached version of the content remains accessible through the Wayback Machine:
https://web.archive.org/web/20231031073546/http
815-Million-Indian-Citizen...

What Is Aadhaar?
An Aadhaar is a unique, 12-digit individual
identification number “issued by the Unique
Identification Authority of India on behalf of the
Government of India,” according to the UIDAI
website. Aadhaar enrollment is strictly
voluntary and only proves residence in India,
not Indian citizenship. Beyond the PII found on
traditional ID documents, Aadhaars include
“core biometrics,” including 10 fingerprints and
two iris scans, according to a September 2023
UIDAI brochure.

With roughly 1.4 billion Aadhaars issued by the UIDAI since the ID service launched in 2009, this system represents one of the largest biometric ID programs on the planet, according to a 2022 report published by the think tank Brookings Institution. In a 2017 interview with Bloomberg, World Bank chief economist Paul Romer described the Aadhaar ID system as "the most sophisticated that I’ve seen."

myAadhaar landing page, source: https://www.uidai.gov.in/

Powered by these biometric markers, Aadhaars function as digital IDs, facilitating electronic payments, online Know Your Customer (e-KYC) verification, and compatibility with various Indian financial platforms. Beyond digital payments, Aadhaars also enable e-tax filing, bill payments, and financial asset management, per the UIDAI brochure. Furthermore, Aadhaar has been “credited with making it easier for Indians to access subsidies and pension payments,” according to the Brookings report.

The Brookings report also noted that the “Election Commission of India wants to link their voter registration database with Aadhaar, a move that would have profound consequences not only for the privacy of Indian citizens but for the future of biometric databases worldwide.” The Election Laws Amendment Bill, passed by the Lok Sabha, the lower house of India’s bicameral Parliament, in December 2021, created a legal framework to integrate the Aadhaar and Election Commission databases.

As of February 2023, 60% of India’s eligible voters, or 945 million people, had linked their Aadhaar card to their voter IDs, according to local media reports. Nevertheless, critics and activists have warned that this measure could disenfranchise some electors in states that make Aadhaar linkage to voter rolls mandatory. The Brookings report also flagged the risk of fraud and how “political microtargeting could result in a loss of privacy and exposure to selective information, providing fertile ground for mis- and dis-information to spread and polarization to increase.”

Indian citizens can voluntarily obtain Aadhaar credentialing. Non-resident Indians (NRIs) can also obtain an Aadhaar, provided they have spent 182 days or more in India over the twelve-month period immediately preceding the date of application for enrollment. Aadhaar enrollment data is collected by the UIDAI. First established in 2009, the UIDAI became a statutory authority in 2016, under the jurisdiction of the Ministry of Electronics and Information Technology, following the provisions of the Aadhaar (Targeted Delivery Of Financial And Other Subsidies, Benefits and Services) Act, which was passed the same year.

Over a year before Moody’s raised concerns about the reliability of Aadhaar’s biometric authentication controls, the 2022 Brookings report cited the digital ID program’s “insecure ecosystem, lack of data standards, and the UIDAI’s lack of transparency and accountability.” Specifically, the Comptroller and Auditor General (CAG) of India probed the UIDAI in April 2022 and found that the authority “had failed to properly regulate its client vendors and ensure the security of their data vaults,” according to the Brookings report.

Indian Data For Sale On The Dark Web
On October 9th, a threat actor going by the alias ‘pwn0001’ posted a thread on Breach Forums brokering access to 815 million “Indian Citizen Aadhaar & Passport” records. To put this victim group in perspective, India’s entire population is just over 1.486 billion people.

Threat actor pwn0001 claims to have over 815 million Aadhaar records, source: Breach Forums

HUNTER investigators established contact with the threat actor and learned they were willing to sell the entire Aadhaar and Indian passport dataset for $80,000.

Listing details as shown in the Telegram exchange (screenshot):

Date of leak: 2023-09
Country of leak: India
Number of data: 815M+ unique
Size: 90 GB
Format type: ZIP-CSV
Price: $80k (negotiable only for interested buyers)

FrancisChacon: did you sell the data?
pwn0001: not yet

HUNTER Telegram interaction with threat actor pwn0001

The data set offered by pwn0001 contains multiple fields related to the PII of Indian citizens, including but not limited to:

- name
- fathersName
- phoneNumber
- otherNumber
- passportNumber
- aadharNumber
- age
- gender
- address
- district
- pincode
- state

Pwn0001 declined to specify how they obtained the data. Without the threat actor disclosing the source of the leak, any effort to diagnose the cause of the breach will be speculative.

Concurrently, pwn0001 shared spreadsheets containing four large leak samples with fragments of Aadhaar data as proof. One of the leaked samples contains 100,000 records of PII related to Indian residents. In this sample, HUNTER analysts identified valid Aadhaar card IDs, which were corroborated via a government portal that provides a "Verify Aadhaar" feature. This feature allows people to validate the authenticity of Aadhaar credentials.
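What an analyst can do with such a sample before going anywhere near the UIDAI portal, as an added example that is not part of the original article or of Resecurity's tooling: every Aadhaar number carries a Verhoeff check digit in its twelfth position and never starts with 0 or 1, so a leak sample can be triaged offline for numbers that are at least well-formed, and logged in UIDAI's masked form (last four digits only) rather than in the clear. The script assumes the pwn0001 column layout listed above; the rows are constructed for the example and every value in them is made up. A passing checksum shows only that a number could have been issued, not that it was; the portal check described in the text is still what establishes validity, and that online step belongs on a handful of records with a note of who ran it and why, not bulk-scripted against a government service.

```python
"""Offline triage of a pwn0001-style CSV sample: structural Aadhaar checks and masking."""
import csv
import io
from typing import Dict, List

# Verhoeff check-digit tables: D multiplies in the dihedral group D5, P is the
# position permutation, INV the inverse. UIDAI's Aadhaar number is 12 digits
# with a Verhoeff check digit in the last position and a first digit of 2-9.
D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_valid(digits: str) -> bool:
    """True when the final digit of `digits` is a correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0


def verhoeff_check_digit(payload: str) -> str:
    """Check digit to append to `payload` (used here only to build the sample)."""
    c = 0
    for i, ch in enumerate(reversed(payload)):
        c = D[c][P[(i + 1) % 8][int(ch)]]
    return str(INV[c])


def is_plausible_aadhaar(value: str) -> bool:
    """Structural check only: 12 digits, leading digit 2-9, checksum passes."""
    s = value.replace(" ", "")
    return len(s) == 12 and s.isdigit() and s[0] not in "01" and verhoeff_valid(s)


def mask_aadhaar(value: str) -> str:
    """Report form: keep only the last four digits, as UIDAI's masked Aadhaar does."""
    return "XXXX XXXX " + value.replace(" ", "")[-4:]


# Constructed rows in the column layout the page lists for pwn0001's files.
# Every value is made up: row 1 carries a well-formed number, row 2 the same
# number with a broken check digit, row 3 a number starting with 1 (never
# issued), row 4 a blank field, row 5 a number completed with its check digit.
SAMPLE_CSV = (
    "name,fathersName,phoneNumber,otherNumber,passportNumber,aadharNumber,"
    "age,gender,address,district,pincode,state\n"
    "TEST ONE,,9000000001,,,234567890124,33,Female,EXAMPLE ROAD,EXAMPLE,000001,EXAMPLE\n"
    "TEST TWO,,9000000002,,,234567890125,32,Female,EXAMPLE ROAD,EXAMPLE,000002,EXAMPLE\n"
    "TEST THREE,,9000000003,,,123456789012,19,Male,EXAMPLE ROAD,EXAMPLE,000003,EXAMPLE\n"
    "TEST FOUR,,9000000004,,,,49,Male,EXAMPLE ROAD,EXAMPLE,000004,EXAMPLE\n"
    "TEST FIVE,,9000000005,,,98765432109" + verhoeff_check_digit("98765432109")
    + ",29,Male,EXAMPLE ROAD,EXAMPLE,000005,EXAMPLE\n"
)


def triage(csv_text: str) -> Dict[str, object]:
    """Count well-formed, malformed and blank Aadhaar fields; return masked values only."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    masked: List[str] = []
    malformed = blank = 0
    for row in rows:
        raw = (row.get("aadharNumber") or "").strip()
        if not raw:
            blank += 1
        elif is_plausible_aadhaar(raw):
            masked.append(mask_aadhaar(raw))
        else:
            malformed += 1
    return {"records": len(rows), "plausible": len(masked),
            "malformed": malformed, "blank": blank, "masked": masked}


if __name__ == "__main__":
    print(triage(SAMPLE_CSV))
```

The ratio of well-formed to malformed numbers is itself a signal: a seller padding a dump with generated filler tends to produce numbers that fail the checksum or start with 0 or 1, whereas a genuine export passes almost uniformly.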

[Screenshot: sample_1.1.csv opened in LibreOffice Calc; the columns include aadharNumber alongside names, phone numbers, age and gender. Record contents are not reproduced here.]

pwn0001 shares spreadsheet with 4 large leak samples containing fragments of Aadhaar data

On October 9th, the threat actor shared a sample containing 100,000 records.

Then, on October 10th and 11th, additional samples were leaked by the actor as proof, making a total of 300,000 records exposed.

[Screenshot: Breach Forums thread. 10-10-2023, 01:43 PM: pwn0001 posts "Sample 2: 100K" with a gofile link. 10-11-2023, 05:55 PM: pwn0001 posts "Sample 3: 100K" with a second gofile link. Links not reproduced here.]

The actor then shared their last sample on October 13th. In total the actor leaked 400,000 records containing Aadhaar details.

Resecurity acquired all 400,000 records and contacted multiple victims to validate the information, and also used the "Verify Aadhaar" feature available via the official government web resource in India. The contacted victims from the acquired data set confirmed the validity of their data and stated that they had never been notified about it before. It is not clear whether the affected (breached) parties are aware of the incident and will disclose it responsibly, notifying the victims of the data breach and the Indian government.

[Screenshot: pwn0001 sample CSV with the header name,fathersName,phoneNumber,otherNumber,passportNumber,aadharNumber,age,gender,address,district,pincode,state; many rows leave fathersName, otherNumber and passportNumber empty. Record contents are not reproduced here.]

On August 30th, another threat actor going by the alias ‘Lucius’ posted a thread on Breach Forums promoting a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement organization.”

Lucius promotes access to 1.8 TB database of India law enforcement records, source: Breach Forums

This data set contained an even more extensive array of PII than pwn0001’s. Beyond Aadhaar IDs, Lucius’ leak contained Voter IDs and driving license records. The threat actor may be referencing law enforcement to plant a red herring and conceal the real intrusion vector that enabled them to acquire the data. Lucius may also just be trying to generate hype around their offering.

Highlighting the first breach scenario, HUNTER analysts identified multiple records with the signature "PREPAID." This signature may be related to a leak from one of the telecommunication carriers that offer pre-paid SIM cards and similar services and use such information for KYC (Know Your Customer). These service offerings entail the collection of PII to validate customers prior to the activation of mobile services.

In any case, the mass leakage of Indian PII data on the Dark Web creates a significant risk of digital identity theft. By exploiting these stolen credentials, cybercriminals targeting India can perform a range of financially motivated scams such as online-banking theft and e-tax refund fraud.

600 GB Indian PII data sample provided by Lucius, hosted on pixeldrain (note the highlighted Aadhaar card entry in the proof-of-identity field)

Resecurity inspected the data set shared by "Lucius", and based on our assessment the data may be coming from a breached third party (presumably a telecom/mobile operator collecting PII/Aadhaar for KYC). The data set is different from the one shared by ‘pwn0001’ and contains the following fields, including the MSISDN and SIM activation date fields that are specific to mobile carrier subscribers:

- _source.MSISDN
- _source.Name
- _source.DateOfBirth
- _source.FatherName
- _source.LocalAddress
- _source.PermanentAddress
- _source.AlternateNo
- _source.EmailId
- _source.Gender
- _source.Nationality
- _source.ConnectionType
- _source.SIMActivationDate
- _source.Aadhar
- _source.PhotoIdProofDetails
- _source.AddressProofDetails

The sample of data observed by Resecurity contains multiple references to the Unique Identification Authority of India and Aadhaar cards, as well as Voter ID cards. It is possible the actor successfully breached a third party aggregating these details. Our analysts contacted multiple victims independently and confirmed the validity of the data. None of the victims were aware of the exposure of this data on the Dark Web, and none had received any notification regarding it as of today.
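A way to profile a sample in this layout, as an added example that is not part of the original article or of Resecurity's analysis: the script reads the `_source.*` columns, treats `_source.DateOfBirth` and `_source.SIMActivationDate` as epoch seconds (an assumption based on the magnitude of the values visible in the screenshot, which fall on midnight UTC boundaries), tallies connection types and the document types found in the two proof fields, and reports the activation-date window and birth-year range. Those summaries are what support or undermine the telecom-KYC hypothesis and bound when the records were captured. The rows are constructed and every value in them is made up. Note also that a `_source.` prefix on every column is how Elasticsearch returns a hit's original document; that is consistent with an export from a search index somewhere in the data's path, but the page does not establish where the data came from.

```python
"""Profile a Lucius-style telecom KYC export: decode epoch fields, tally proof-of-identity types."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed rows in the layout the page describes for the Lucius dump: every
# column carries a "_source." prefix, DateOfBirth and SIMActivationDate hold
# epoch seconds (assumption), and each proof-of-identity field is a
# comma-separated string quoted as a single CSV cell. All values are made up.
SAMPLE_CSV = """_source.MSISDN,_source.Name,_source.DateOfBirth,_source.FatherName,_source.LocalAddress,_source.PermanentAddress,_source.AlternateNo,_source.EmailId,_source.Gender,_source.Nationality,_source.ConnectionType,_source.SIMActivationDate,_source.Aadhar,_source.PhotoIdProofDetails,_source.AddressProofDetails
9000000001,TEST ONE,-311299200,FATHER ONE,"NO 1, EXAMPLE LAYOUT, EXAMPLE, 000001","NO 1, EXAMPLE LAYOUT, EXAMPLE, 000001",,,Female,INDIAN,PREPAID,1356652800,,"VOTERID,ABC0000001,09/12/2008,EXAMPLE,ERO","VOTERID,ABC0000001,09/12/2008,EXAMPLE,ERO"
9000000002,TEST TWO,670550400,FATHER TWO,"NO 2, EXAMPLE LAYOUT, EXAMPLE, 000002","NO 2, EXAMPLE LAYOUT, EXAMPLE, 000002",,,Male,INDIAN,PREPAID,1356393600,,"DRIVINGLICENCE,EX0000000001,20/08/2009,example,rto","DRIVINGLICENCE,EX0000000001,20/08/2009,example,rto"
9000000003,TEST THREE,350265600,FATHER THREE,"NO 3, EXAMPLE LAYOUT, EXAMPLE, 000003","NO 3, EXAMPLE LAYOUT, EXAMPLE, 000003",9000000013,,M,Indian,PREPAID,1486771200,,"UidCard(Adhaar Card),000000000000,06-12-2011,EXAMPLE,UniqueIdentificationAuthorityOfIndia","UidCard(Adhaar Card),000000000000,06-12-2011,EXAMPLE,UniqueIdentificationAuthorityOfIndia"
9000000004,TEST FOUR,386553600,FATHER FOUR,"NO 4, EXAMPLE LAYOUT, EXAMPLE, 000004","NO 4, EXAMPLE LAYOUT, EXAMPLE, 000004",,,M,Indian,POSTPAID,1488153600,,"IncomeTaxPanCard,ABCDE0000F,14/08/2013,EXAMPLE,IncomeTaxDepartment","Driving License,EX0000000002,24/01/2017,EXAMPLE,RegionalTransportOffice"
9000000005,TEST FIVE,,FATHER FIVE,"NO 5, EXAMPLE LAYOUT, EXAMPLE, 000005","NO 5, EXAMPLE LAYOUT, EXAMPLE, 000005",,,F,Indian,PREPAID,,,,
"""


def epoch_to_date(value: str) -> Optional[str]:
    """Epoch seconds (negative allowed, for pre-1970 births) to an ISO date, or None."""
    value = (value or "").strip()
    if not value.lstrip("-").isdigit():
        return None
    # timedelta arithmetic rather than fromtimestamp(): negative epochs fail on some platforms
    return (EPOCH + timedelta(seconds=int(value))).date().isoformat()


def proof_type(field: str) -> str:
    """Normalise the document-type token that precedes the first comma of a proof field."""
    token = (field or "").split(",", 1)[0].strip().upper().replace(" ", "")
    if not token:
        return "NONE"
    if token.startswith("UIDCARD") or "AADHAAR" in token or "ADHAAR" in token:
        return "AADHAAR"
    if token.startswith("VOTER"):
        return "VOTER_ID"
    if token.startswith("DRIVING"):
        return "DRIVING_LICENCE"
    if "PAN" in token:
        return "PAN"
    return "OTHER:" + token


def profile(csv_text: str) -> Dict[str, object]:
    """Summarise connection types, KYC document mix, activation window and birth years."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    connection: Counter = Counter()
    photo_id: Counter = Counter()
    address_proof: Counter = Counter()
    activations, birth_years = [], []
    no_activation = 0
    for row in rows:
        connection[(row.get("_source.ConnectionType") or "").upper() or "UNKNOWN"] += 1
        photo_id[proof_type(row.get("_source.PhotoIdProofDetails", ""))] += 1
        address_proof[proof_type(row.get("_source.AddressProofDetails", ""))] += 1
        activated = epoch_to_date(row.get("_source.SIMActivationDate", ""))
        if activated is None:
            no_activation += 1
        else:
            activations.append(activated)  # ISO strings sort chronologically
        born = epoch_to_date(row.get("_source.DateOfBirth", ""))
        if born is not None:
            birth_years.append(int(born[:4]))
    return {
        "records": len(rows),
        "connection_types": dict(connection),
        "photo_id_types": dict(photo_id),
        "address_proof_types": dict(address_proof),
        "activation_window": (min(activations), max(activations)) if activations else None,
        "records_without_activation_date": no_activation,
        "birth_year_range": (min(birth_years), max(birth_years)) if birth_years else None,
    }


if __name__ == "__main__":
    print(profile(SAMPLE_CSV))
```

On a real sample the activation window is the first thing to compare against the seller's claimed "date of leak": records whose activation dates stop years before the claimed date point to an old export being resold rather than a fresh intrusion.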

On September 27th, Lucius also posted a thread on Breach Forums promoting access to 70 GB of data stolen from Pakistan’s army and a “secret organization” affiliated with it. Lucius said this leak impacts over 450 million mobile subscribers.

Lucius posts 70 GB data leak impacting Pakistan’s army, source: Breach Forums

COVID-19 Data Leak
Notably, the leakage of Aadhaar data is not new and continues to affect citizens of India. On June 12th, 2023, multiple reports surfaced indicating that records from the CoWin database had been leaked by a threat actor, exposing the personal information of individuals registered on the CoWin website for COVID-19 vaccination. The leaked data included details such as Aadhaar numbers, PAN card information, mobile numbers, and home addresses.

Why Is It Important?
Resecurity’s findings coincide with a global
threat landscape that has seen India emerge as
a top-five geography for cyberattacks,
according to a recent vendor survey. This
survey found that India ranked fourth globally in
online banking malware detection and top-five
globally in all malware detections in the first
half of 2023.

A separate vendor survey of 200 Indian IT decision-makers published in September produced similar findings. This report noted that 45% of Indian businesses experienced more than a 50% rise in disruptive cyberattacks last year, the highest in the Asia-Pacific region. The report also found that 67% of Indian government and essential services organizations experienced over a 50% increase in disruptive cyberattacks.

Fifty-seven percent of IT decision makers at telecom firms worry about ransomware attacks the most. To wit, the more recent October survey found that India bears the highest ransomware incidence in southern Asia. This malicious activity also coincides with an era in which India is becoming more geopolitically and economically significant on the global stage.

India is one of the fastest-growing economies in the world, according to the World Bank. With India’s middle class expanding at a 6.3% clip between 1995 and 2021, the fastest-growing segment of the population, it now represents over 30% of the nation. The enhanced domestic earning power, smartphone connectivity, and bank access projected by this demographic trend all make India a much more appetizing target for threat actors.

As such, it’s only logical that Indian PII data would attract proportionally higher interest in the cybercriminal underground. As for nation-state-level threats, China has emerged as India’s greatest regional rival. Despite longstanding tensions with Pakistan, India’s rivalry with its northern neighbor has increasingly escalated. The United States has “sought to deepen its security and economic relationship with India as the U.S.-China rivalry intensifies,” according to the think tank United States Institute for Peace.

Highlighting these bilateral tensions is Indian Prime Minister Narendra Modi's conspicuous absence from China’s Belt and Road Forum, the third such event hosted by Beijing to promote its ambitious global infrastructure program. Irrespective of state-sponsored threats, the more immediate danger facing Indian citizens and residents is that many are unaware that their data is being sold online. Furthermore, as recently as last month, the Indian government’s official press agency was vociferously defending the reliability and security of Aadhaar data.

The surge in Aadhaar data breaches has also been attributed to the current unrest in the Middle East. Hacktivists, capitalizing on the chaos, have intensified their attacks on online resources and subsequently profit from these intrusions by trading the compromised data on the Dark Web.
