The Shaparak data breach marks one of the largest and most severe cybersecurity incidents in Iran’s history. Shaparak, the Iranian government’s centralized electronic payment network, has reportedly been compromised, exposing sensitive data on nearly 168 million citizens. The leaked database, totaling 55.36 GB, includes full names, national identification numbers, financial details, and login credentials from major banks including Bank Mellat and Bank Saderat.
This attack goes far beyond a financial crime. It represents a compromise of Iran’s core financial infrastructure. The leaked data is being offered for sale on a dark web marketplace, where verified samples confirm that the breach originated from Shaparak’s central payment switch, which processes nearly all domestic transactions. The scale and precision of the attack suggest a sophisticated actor, likely operating with state-level resources.
Background
Shaparak, short for the Electronic Payment Card Network Company of Iran, functions as the national switch that connects all of Iran’s banks, merchants, and payment service providers. Every card swipe, transfer, and transaction between Iranian banks routes through its systems. Because of its central role, Shaparak is classified as part of Iran’s critical financial infrastructure and is managed under the supervision of the Central Bank of Iran (CBI).
The attacker claims to have full administrative access to Shaparak’s internal data environment and provided sample records that include both live and historical data. Threat intelligence analysts who reviewed the samples confirmed that field formats match authentic Iranian banking and identity records. The dataset appears to contain nearly every citizen who has ever owned a payment card or bank account in the country.
- Data size: 55.36 GB
- Total records: Approximately 168 million
- Sources affected: Shaparak central payment switch, Bank Mellat, Bank Saderat, and additional state-linked institutions
- Data type: Personal, financial, and credential data
- Attack type: Nation-state or advanced persistent threat (APT) operation
Data Exposed in the Shaparak Breach
The Shaparak data breach includes highly sensitive personal and financial information that could be weaponized for identity theft, fraud, or espionage. Each entry contains multiple identifying fields, forming complete digital identity profiles for Iranian citizens.
- Personal Data: Full names, phone numbers, addresses, birth dates, and email addresses
- National Identification: Iranian Melli Codes (کد ملّی) tied to individuals and government records
- Banking Data: Card numbers, account numbers, IBANs, and related financial metadata
- Credentials: Usernames and password hints linked to online banking portals
- Transaction Data: Time-stamped payment activity, merchant IDs, and switching logs
The presence of password hints and partially encrypted credentials indicates that this was not a passive data exfiltration from backups but a direct breach of live systems. The scope of the leak could enable attackers to impersonate Iranian citizens, steal funds, or monitor government and defense employees through financial activity.
Attack Analysis
Cybersecurity researchers suggest that the attack involved the compromise of internal Shaparak infrastructure, likely through an administrative credential chain or insecure API. The breach demonstrates deep persistence and technical understanding of Iran’s payment architecture. Because Shaparak processes transactions for every domestic bank, a compromise at this level effectively exposes the entire financial ecosystem.
Analysts also noted that this incident may have geopolitical motives rather than financial ones. The sophistication of the intrusion and the subsequent public leak indicate that the attacker’s objective could have been to destabilize Iran’s financial credibility and undermine public trust in government-managed digital systems. The sale of the data appears to serve as both an act of humiliation and an attempt to monetize an intelligence operation.
Key Cybersecurity Implications
1. Total National Identity Exposure
The most immediate consequence of the Shaparak data breach is the exposure of nearly every Iranian citizen’s identity information. The combination of names, national codes, and contact details allows attackers to impersonate citizens in both financial and governmental transactions. This loss of identity control poses long-term challenges for Iran’s internal security, particularly for those in sensitive positions.
2. Financial Fraud and Exploitation
The breach also provides a full toolkit for systemic financial fraud. The inclusion of card and account details enables mass unauthorized transactions and social engineering attacks that appear authentic. With national IDs and partial passwords exposed, criminals can convincingly contact victims posing as banks, government offices, or law enforcement to extract more data or money.
3. Espionage and Counterintelligence Threat
From a geopolitical perspective, the breach has far-reaching consequences. Foreign intelligence agencies could use this dataset to map the financial and personal networks of Iranian officials, scientists, and defense personnel. By cross-referencing transactions and account activity, adversaries can identify individuals involved in strategic industries, monitor government funding flows, and exploit weaknesses for blackmail or recruitment.
4. Centralized Infrastructure Weakness
The incident also exposes how centralization can amplify systemic risk. Because Shaparak acts as the single switching hub for Iran’s banking system, a single compromise results in a cascading loss of security across every connected institution. The breach reinforces the need for network segmentation, independent transaction verification, and external auditing of state financial systems.
Possible Attribution
While no official actor has claimed responsibility, the nature and precision of the attack align with nation-state operations seen in previous cyber conflicts involving Iran. Analysts note similarities between this breach and past incidents where foreign intelligence units targeted Iran’s nuclear, industrial, or banking infrastructure. Some experts suggest that this could be part of a wider campaign aimed at disrupting Iranian digital sovereignty and economic resilience.
Iranian authorities have not publicly confirmed the details, but internal sources report that the Central Bank of Iran (CBI), the Ministry of Intelligence (VAJA), and the IRGC Cyber Command have begun a joint investigation. National media coverage remains limited, and users have reported increased security checks and login issues with several domestic banking applications.
Impact on Iranian Citizens
For Iranian citizens, the Shaparak data breach represents a critical loss of financial and personal privacy. Every adult who owns or has owned a bank card is likely affected. The data could circulate for years across criminal marketplaces and be reused for targeted phishing, identity theft, and surveillance. Victims are already reporting phishing messages and fake customer support calls referencing their real card details and bank names.
Without swift government intervention, this breach could lead to large-scale fraud, disrupted financial services, and erosion of public confidence in Iran’s banking sector. The exposure of national identification numbers also increases the risk of long-term identity manipulation, affecting credit systems and employment verification.
Government and Institutional Response
- Incident Response: Iran’s financial regulators have reportedly activated emergency cybersecurity protocols to isolate affected systems and investigate the intrusion.
- Infrastructure Review: Security analysts recommend rebuilding compromised environments from clean backups and reviewing API access controls.
- Citizen Notification: Banks should notify all affected customers, urge them to change passwords, and warn against unsolicited calls or messages claiming to represent financial institutions.
- Monitoring and Alerts: Implement continuous fraud monitoring and SMS alerts for suspicious transactions to help mitigate damage.
Recommended Mitigation Strategies
For the Central Bank of Iran and Shaparak
- Conduct a complete forensic review with external cybersecurity specialists to trace the breach vector and remove all persistence mechanisms.
- Rebuild authentication systems and revoke all existing digital certificates associated with the breached infrastructure.
- Issue new banking credentials and cards for all affected users to prevent unauthorized use.
- Deploy real-time monitoring and automated alerting across all connected banks and processors.
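The monitoring recommended above (continuous fraud monitoring in the response section and real-time alerting across connected processors here) usually starts with per-card velocity rules run over switching logs. The block below is an added example, not code from the article or from Shaparak; the log line format, thresholds and sample transactions are all constructed for illustration. It flags three patterns that appear after credential and card-data leaks: a burst of declines on one card, one card spread across many merchants in a short window, and a transaction count above the window limit.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import re

# Constructed line format for this example; it is NOT Shaparak's real switching-log format.
# <ISO-8601 timestamp> card=<masked PAN> merchant=<merchant id> amount=<integer> result=<OK|DECLINED>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) card=(?P<card>\S+) merchant=(?P<merchant>\S+) "
    r"amount=(?P<amount>\d+) result=(?P<result>OK|DECLINED)$"
)


@dataclass(frozen=True)
class Txn:
    ts: datetime
    card: str
    merchant: str
    amount: int
    result: str


@dataclass(frozen=True)
class Alert:
    card: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[Txn]:
    """Parse one log line; return None for lines that do not match the constructed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Txn(datetime.fromisoformat(m["ts"]), m["card"], m["merchant"],
               int(m["amount"]), m["result"])


class VelocityMonitor:
    """Sliding-window checks per card. Each rule fires once, at the moment its threshold is crossed."""

    def __init__(self, window=timedelta(minutes=10), max_txns=5, max_merchants=3, max_declines=3):
        self.window = window
        self.max_txns = max_txns            # more than this many transactions in the window
        self.max_merchants = max_merchants  # more than this many distinct merchants in the window
        self.max_declines = max_declines    # this many declines in the window (card-testing pattern)
        self.history = defaultdict(deque)   # card -> recent transactions, oldest first

    def observe(self, txn: Txn) -> list:
        q = self.history[txn.card]
        # Evict transactions older than the window (input must be time-ordered per card).
        while q and txn.ts - q[0].ts > self.window:
            q.popleft()
        merchants_before = {t.merchant for t in q}
        declines_before = sum(1 for t in q if t.result == "DECLINED")
        q.append(txn)

        alerts = []
        if len(q) == self.max_txns + 1:
            alerts.append(Alert(txn.card, "velocity",
                                f"{len(q)} transactions within {self.window}"))
        if txn.merchant not in merchants_before and len(merchants_before) == self.max_merchants:
            alerts.append(Alert(txn.card, "merchant_spread",
                                f"{self.max_merchants + 1} distinct merchants within {self.window}"))
        if txn.result == "DECLINED" and declines_before + 1 == self.max_declines:
            alerts.append(Alert(txn.card, "decline_burst",
                                f"{self.max_declines} declines within {self.window}"))
        return alerts


def scan(lines) -> list:
    """Run the monitor over an iterable of log lines and collect every alert raised."""
    monitor = VelocityMonitor()
    alerts = []
    for line in lines:
        txn = parse_line(line)
        if txn is None:      # malformed lines are skipped, not treated as transactions
            continue
        alerts.extend(monitor.observe(txn))
    return alerts


# Constructed sample: one normal card (****1111) and one card (****2222) showing
# three declines, then purchases at several merchants, within a few minutes.
SAMPLE_LOG = """
2025-01-10T09:00:00 card=****1111 merchant=M100 amount=250000 result=OK
2025-01-10T09:01:00 card=****2222 merchant=M200 amount=90000 result=DECLINED
2025-01-10T09:01:30 card=****2222 merchant=M201 amount=90000 result=DECLINED
2025-01-10T09:02:00 card=****2222 merchant=M202 amount=90000 result=DECLINED
2025-01-10T09:02:30 card=****2222 merchant=M203 amount=45000 result=OK
2025-01-10T09:03:00 card=****2222 merchant=M204 amount=45000 result=OK
2025-01-10T09:03:30 card=****2222 merchant=M204 amount=45000 result=OK
2025-01-10T12:30:00 card=****1111 merchant=M101 amount=120000 result=OK
this line is malformed and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.card} {alert.rule}: {alert.detail}")
```

Each rule fires exactly once per crossing rather than on every subsequent transaction, which keeps alert volume manageable when a processor handles a whole country's traffic; in production the thresholds would be tuned per merchant category and the alerts routed to the issuing bank for card blocking and the SMS notification the article recommends.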
For Iranian Citizens
- Be cautious of any emails, calls, or messages claiming to be from your bank or government agencies, even if they reference accurate personal data.
- Monitor your bank accounts daily for unauthorized transactions and report anomalies immediately.
- Change all banking and online service passwords, and avoid reusing the same credentials across multiple platforms.
- Scan devices using Malwarebytes to detect potential malware or spyware infections linked to phishing attempts.
Long-Term Outlook
The Shaparak data breach underscores the growing risk of cyber warfare targeting national payment systems. As digital financial infrastructure becomes more interconnected, a single breach can cripple entire economies and expose citizens to long-term identity exploitation. Iran now faces the challenge of rebuilding not only its systems but also public confidence in its digital economy.
This incident will likely prompt international discussion on financial cybersecurity, data protection, and state-sponsored cyber operations. The breach also serves as a warning to other nations that depend heavily on centralized transaction processors without layered segmentation or external oversight.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.