NARSA Data Breach Exposes 150,000 Moroccan National Road Safety Agency Records

The NARSA data breach has exposed sensitive information belonging to Morocco’s National Road Safety Agency (Agence Nationale de la Sécurité Routière). A hacker operating under the alias anisanas2, in collaboration with another threat actor identified as PKA291, claims to have completely taken over the agency’s internal management system. The attackers published a 150,000-row sample of personal and administrative data as proof of access, describing the leak as an initial warning rather than a full release.

The data includes records of motorcycle inspections, national identification numbers (CINs), full names, license plate numbers, and hidden residential addresses. The attackers stated that they obtained all records of 50cc motorcycle inspections across Morocco, along with internal documents that allegedly contain evidence of bribery and corruption within NARSA. The hackers claimed their motivation was political rather than financial, positioning the breach as a form of protest against government corruption.

Details of the NARSA Data Breach

The incident was first observed on November 8, 2025, when screenshots and text posts began circulating on dark web forums and social media channels frequented by threat actors. The original post, made by anisanas2, stated that PKA291 had successfully breached NARSA’s servers and extracted a full copy of the database. The hackers claimed to have complete administrative control over the agency’s systems, which would allow them to view, alter, or delete records. A 150,000-row sample was shared publicly to verify the authenticity of the compromise.

Cybersecurity researchers monitoring the dark web confirmed that the post contained realistic examples of Moroccan identification numbers, license plate data, and internal inspection details consistent with government recordkeeping formats. Early indicators suggest that the leak is authentic and likely stems from an internal compromise rather than an external scrape or API exposure.

Scope and Nature of the Leaked Data

According to the hackers’ claims and subsequent verification efforts, the exposed data includes the following categories of information:

  • Full names of Moroccan citizens with registered vehicles
  • National identification numbers (CINs)
  • License plate numbers for motorcycles and light vehicles
  • Inspection and certification records for 50cc motorcycles
  • Residential addresses associated with vehicle owners
  • Internal agency notes and system logs
  • Documents allegedly showing evidence of internal bribery

The attackers referred to the incident as a “takeover” rather than a simple intrusion, claiming that they had gained full system-level access to NARSA’s management servers. This suggests that the breach may involve compromised administrator credentials, remote access software, or unpatched vulnerabilities in internal applications. The threat actors asserted that the leaked data was only a sample of a much larger archive containing millions of records that remain in their possession.

Hacktivist Motivation and Message

The message attached to the leak identifies the operation as an act of hacktivism rather than a financially motivated attack. The hackers accused NARSA officials of corruption and used the breach to make a political statement. Their post stated: “Stop the fraud. Stop the bribery. Start doing your job: rebuild hospitals, fix schools, and support the youth, not silence them.” The tone of the statement positions the NARSA data breach as an effort to expose perceived systemic corruption within Moroccan government agencies.

While the attackers claim their goal is transparency, cybersecurity analysts warn that even hacktivist-driven breaches can have long-term consequences for citizens whose data becomes publicly available. Exposure of national identification numbers, home addresses, and vehicle registration details can lead to identity theft, phishing, and impersonation attempts.

Verification and Early Analysis

Independent security researchers and organizations monitoring cyber threat activity have begun validating the authenticity of the data. The structure of the leaked information matches official Moroccan database formats used for vehicle registration and inspection systems. The inclusion of CINs, inspection timestamps, and vehicle classifications adds credibility to the attackers’ claims.

Dark web intelligence group Hackmanac listed the incident as “pending verification” shortly after the leak was observed. Early reviews of the data sample have found no inconsistencies with known Moroccan identification schemes, reinforcing the likelihood that the breach is legitimate. As of now, there is no public evidence of the full database being shared or sold, which aligns with the attackers’ assertion that they are withholding most of the information as leverage.

Potential Attack Vectors

The exact method of intrusion remains unknown, but experts suggest several plausible scenarios. The attackers could have exploited a publicly exposed server, a misconfigured database, or reused administrative credentials obtained through phishing. The reference to a “management system takeover” implies deep administrative access, possibly through remote desktop connections, stolen credentials, or compromised VPN gateways.

If confirmed, the incident demonstrates how systemic weaknesses in government IT infrastructure can lead to large-scale data exposure. Given the level of access described, the attackers likely maintained persistence for an extended period before being detected, allowing them to extract and compress sensitive data from multiple systems.

Impact on Citizens and Public Services

The NARSA data breach poses severe privacy risks for affected individuals. The exposure of personal and vehicle information could allow malicious actors to target Moroccan citizens for scams, impersonation, or fraud. Cybersecurity specialists are urging vehicle owners and anyone registered with NARSA to be cautious of unsolicited phone calls, text messages, or emails requesting sensitive information. Data from the breach may also be used to cross-reference other databases, increasing the risk of identity correlation attacks.

For the agency itself, the breach threatens the integrity of official inspection and licensing systems. If the attackers truly maintained administrative access, there is a risk that inspection records, vehicle statuses, or registration data could have been altered or tampered with during the intrusion. Restoring public confidence in NARSA’s systems will require extensive forensic audits and revalidation of affected data.

Government and Agency Response

As of November 10, 2025, NARSA and Moroccan government officials have not issued an official statement addressing the incident. The lack of public acknowledgment may indicate that internal investigations are ongoing. If the breach is verified, it is expected that the Moroccan National Cybersecurity Directorate and the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) will become involved in assessing the scope and enforcing regulatory compliance.

Under Moroccan law, any organization that collects or processes personal data must notify the CNDP in the event of a confirmed data breach. Failure to comply could result in administrative penalties or further scrutiny from oversight bodies. Analysts note that this incident may also spark new discussions about data security and privacy laws in Morocco, particularly regarding how government institutions safeguard citizen information.

The NARSA data breach is part of a growing trend of politically motivated cyber incidents targeting public-sector organizations across Africa and the Middle East. Similar hacktivist campaigns have targeted government agencies in Tunisia, Algeria, and Egypt, often under the banner of anti-corruption or social justice movements. While these attacks are frequently framed as ethical exposures, they often have unintended consequences for citizens whose data becomes collateral damage.

Experts emphasize that hacktivist operations, even those claiming noble intent, can destabilize trust in national institutions and reveal critical vulnerabilities to more dangerous actors. Once a government database is breached, its contents can circulate indefinitely on underground forums, creating lasting privacy and security risks. The Moroccan government’s response to this incident will likely influence how future attacks are handled both domestically and across the region.

Next Steps and Ongoing Monitoring

Cybersecurity investigators are continuing to monitor the situation for additional data releases or changes in the attackers’ communications. Given the volume of records and the depth of claimed access, further disclosures may occur in phases if the attackers decide to escalate their demands. Agencies responsible for public safety, transportation, and information security in Morocco are expected to strengthen incident response procedures and perform detailed system audits in the aftermath of this event.

The NARSA data breach underscores the need for modern cybersecurity infrastructure, stronger authentication mechanisms, and consistent oversight of government-managed data systems. It also reinforces the importance of transparency and timely reporting when citizens’ personal information is at risk.


Sean Doyle
