The Treasury is investigating a possible massive cyberattack on the data of 47.3 million citizens

  • The Treasury is investigating a possible unauthorized access to its databases following a private cybersecurity alert.
  • A user calling himself "HaciendaSec" is offering information on up to 47.3 million citizens on the dark web.
  • The Ministry states there is no technical evidence of a breach, but all protocols remain activated.
  • The case is part of a general increase in cyberattacks against government agencies and large databases.

The Ministry of Finance is keeping a close eye on a possible cyberattack against its computer systems which would have compromised the confidentiality of the personal, banking, and tax data of up to 47.3 million citizens. Although, for now, no actual intrusion has been technically proven, the mere announcement of the alleged leak has set off alarm bells within the government.

The warning has come from the private cybersecurity sector: a specialized firm has detected a message on the dark web in which a user, under the alias "HaciendaSec", claims to have an updated database from the Ministry containing extremely sensitive information on virtually the entire population residing in Spain. Authorities are working against the clock to determine whether this is a real attack or just another bluff circulating on underground forums.

The origin of the alert and Hackmanac's role

The first public signal came from the threat monitoring platform Hackmanac, which specializes in early warnings of cyberattacks. Through the social network X (formerly Twitter), this firm reported the appearance of an advertisement on a well-known dark web forum offering for sale an alleged database from the Treasury, with the claim of affecting 47.3 million citizens.

According to Hackmanac's initial analysis, the message was signed by an actor calling himself "HaciendaSec" and claimed to have gained access to the Ministry's systems. In that ad, the user detailed that he was selling an "updated database" that would include everything from identifying information to financial and tax data, a combination of enormous value in the black market for data.

The private firm emphasized that the alleged intrusion was still "pending verification". This means that, although the announcement exists, there are no guarantees that the databases offered are real, up-to-date, or actually originate from the Tax Agency. However, the number of people affected and the nature of the information described were sufficient to trigger official protocols.

Sources familiar with the forum's content indicate that, along with the sales message, the alleged hacker also disseminated a "sample" of data to demonstrate that he actually has that information. Analysts who have reviewed that example point out that there are elements that don't quite fit together. This fuels suspicion that the magnitude of the alleged theft may be inflated or even false.

Who is "HaciendaSec" and what is known about him

The alias used, "HaciendaSec", has caught the attention of researchers due to its obvious reference to the organization itself and its possible allusion to other known cases in Spain. The nickname is reminiscent of "Alcasec", the young hacker who a few years ago put various public bodies in check, such as the General Directorate of Traffic or the Judicial Neutral Point of the CGPJ, among other targets.

In this case, the alleged cybercriminal reportedly posted an advertisement in English on January 31st in a forum specializing in the buying and selling of stolen databases, where leaks from companies and government agencies worldwide often appear. In the message, the user claimed to have the "updated tax database" and that the scope of the alleged theft would reach 47.3 million citizens.

The data he claimed to offer included full names, identity documents (DNI and NIF), contact information such as postal addresses, telephone numbers, and email addresses, plus IBAN codes and associated bank information and tax records. If authentic, this set of information would allow everything from targeted financial fraud to massive identity theft attempts.

By the time authorities and specialists began tracking this post, the forum thread in which it appeared had already been removed. This disappearance opens up several scenarios: that the portal administrators decided to remove it upon suspecting that the content was false; that the seller himself deleted it; or that it was the result of some intervention by the security services, although none of these possibilities has been officially confirmed.

Spanish intelligence and cybersecurity teams are now working to identify who is hiding behind that pseudonym. The most widespread hypothesis is that the alias was created specifically for this announcement. This complicates traceability but also suggests that it could be a group or individual without a previous public history under that name.

What data would have been compromised, according to the offer

If the attack is confirmed, the theoretical scope of the incident would be extraordinary. The description released by Hackmanac suggests that the alleged database would include personal, banking and tax information of millions of citizens. This would make this case one of the biggest privacy risk incidents recorded in Spain.

Among the types of data mentioned in the offer, several particularly sensitive blocks stand out. On the one hand, there is personal identification, with ID or tax identification number and full names and surnames; on the other hand, contact information, with physical addresses, telephone numbers and emails, which facilitates massive fraud campaigns or targeted phishing.

Furthermore, the seller claims to have financial data, such as account numbers and IBANs, which would open the door to bank fraud attempts, unauthorized charges, or social engineering using the user's real information. All of this would be compounded by tax data linked to citizens' dealings with the Tax Agency, particularly sensitive material due to the level of economic and asset detail it may contain.

The combination of these elements makes the alleged leak a highly attractive target on the black market for data. For many cybercriminals, having access to massive lists that cross-reference identity, contact, banking, and tax information is a ticket to highly personalized fraud campaigns, and therefore, a greater likelihood of success.

Apart from this specific case, the Spanish Data Protection Agency reminds us that in 2025 more than 2,700 personal data breaches were reported. These incidents would have affected more than 200 million users, illustrating the sheer volume of information that is moved and exposed each year. This upward trend reinforces concerns about any incident affecting large public databases.

The Treasury's reaction: an open investigation, but no evidence of a breach

In response to the publication of this alert, the Ministry of Finance has opted for a message of caution. Official sources insist that, so far, no technical indication has been detected that confirms that the systems have actually been compromised. In other words, for now there is no conclusive evidence of unauthorized access or a massive data breach.

That doesn't mean the matter is settled. The department headed by María Jesús Montero has activated its security protocols and has its technical teams analyzing activity logs and control systems. The order is clear: thoroughly review the IT infrastructure to rule out, or if necessary confirm, any attempt at intrusion.

The Ministry emphasizes that any significant anomalies detected will be reported through the appropriate official channels. The priority is to avoid unwarranted alarm, but also to ensure transparency should a genuine security breach affecting taxpayer data ultimately be confirmed.

Meanwhile, the message from the Treasury is that it is working in close coordination with the national cybersecurity agencies and with other government departments involved in the protection of critical infrastructure. The technical complexity of this type of investigation suggests that the analysis will not be immediate.

The very nature of the alert's origin, an advertisement on the dark web, requires caution when considering any claim. In many cases, cybercriminals exaggerate their achievements or outright lie about the origin and quality of the databases they offer, with the aim of attracting buyers and obtaining profits before the deception is discovered.

The State's cybersecurity network in action

The potential intrusion into the Treasury has activated the State's cyber defense structure, which operates at various levels depending on the type of target affected. In the field of public administrations, the key body is the CCN-CERT, which reports to the National Intelligence Center (CNI), responsible for monitoring and responding to incidents in the systems of institutions.

Along with this specialized center, the Spanish protection scheme includes INCIBE (National Cybersecurity Institute), which deals with the protection of companies and citizens, and the Joint Cyber Command (JCC), responsible for the military aspect and threats that may involve other states. In a case like that of the Treasury, the leadership falls mainly to the CCN-CERT, although coordination with the other actors is constant.

Security sources indicate that intensive monitoring is being carried out on both the Ministry's systems and the environments where stolen databases are traded, with the aim of locating possible copies of the information offered and analyzing its true origin. Any match with authentic records would make it possible to narrow down the problem and determine its scope.

The case has also led various ministries to maintain permanent contacts to share information on the progress of the investigation and coordinate public messages. The priority is to avoid confusion and respond in a unified manner to an incident that, if confirmed, would have major political, economic, and social implications.

This is not the first time an announcement of this kind has forced the Administration to review its defenses. Experts point out that early detection in underground forums is a key tool to anticipate potential leaks and minimize their effects, even when, as in this case, it is still unclear whether the attack has actually materialized.

Doubts about the figures and recent precedents

One of the elements that generates the most apprehension among specialists is the figure of 47.3 million citizens affected. Analysts point out that this number, which is practically equivalent to the entire resident population of Spain, is suspicious for several reasons, starting with the volume of taxpayers and the actual structure of the tax databases.

Some experts recall recent episodes in which the perpetrators of cyberattacks clearly inflated the number of those affected to achieve greater media impact. One example cited is the case of the e-commerce company PcComponentes, also mentioned at the time by Hackmanac: the attacker claimed to have data from 16 million accounts, but later the company itself clarified that its customer base was much smaller and that the incident had been amplified by the reuse of passwords from other services.

In the corporate sphere, the potential incident at the Tax Office comes after several security breaches that have shaken major companies. Among them, the case of Endesa stands out, where a security breach allegedly affected the personal data of up to 20 million customers, as does the attack suffered by Iberia in recent months. Each of these leaks increases the volume of information circulating on the network and, with it, the ability of criminals to combine data from different sources.

This context explains why posting an ad on the dark web, even without solid evidence, is taken so seriously. The accumulation of stolen databases allows attackers to cross-reference information and mount increasingly sophisticated campaigns, in which a single false or outdated piece of data is mixed with completely real data to give the appearance of truth.

Therefore, many experts do not rule out the possibility that the alleged tax leak is actually a mix of files from different previous breaches, packaged and sold as if they were a single massive theft from the Tax Agency. If this were the case, it would still pose a security problem for citizens, but its origin and true scope would be very different from what the announcement suggests.

The Treasury is in the spotlight amid escalating cyberattacks

Regardless of whether this specific case is confirmed or not, what seems beyond doubt is that public administrations have become a priority target for cybercrime groups. Large state databases contain information of enormous economic and strategic value, and attackers are aware of this.

In the case of the Treasury, the interest is multiplied by its central role in tax management and by the amount of financial detail it handles about citizens and companies. Unauthorized access to its systems would allow for the creation of complete economic profiles, something extremely sensitive for both individuals and companies.

Meanwhile, the Hackmanac firm has also pointed to the existence of a possible attack on the Ministry of Science. The alert, supposedly the work of a hacker who goes by the name "GordonFreeman," is also "pending verification," reinforcing the perception that Spanish government ministries are among the recurring targets of threat groups.

Authorities insist that the number of reported incidents in the public sector has been growing year after year, in line with the trend observed in the private sector. The increase in teleworking, the mass digitization of procedures, and the interconnection of systems have expanded the available attack surface, forcing agencies to constantly strengthen their protection measures.

In this scenario, experts recommend that citizens be especially vigilant against potential fraud attempts that use references to the Tax Agency or other official bodies as bait. Even without confirmation of a breach, cybercriminals often take advantage of the media attention surrounding these cases to launch phishing campaigns that rely on fear to get victims to provide passwords or bank details.

This whole episode reflects the extent to which the digital security of large public databases has become a matter of general interest. The suspicion of an attack on the Treasury, even without conclusive evidence, has been enough to mobilize the State's cybersecurity machinery, to reignite the debate on the protection of tax information, and to remind companies, institutions and citizens that the risk of massive cyberattacks is far from being a distant hypothesis.
