Israel’s Ministry of Justice

This week’s Leak of the Week by Cyber Intelligence House highlights a breach affecting Justice.gov.il, Israel’s Ministry of Justice, a critical institution managing national legal affairs, case documentation, and court administration.

On July 1, 2025, a 139.4 GB data dump was released on DarkForums by the alias CLOBELSECTEAM. However, the breach was openly claimed by notorious threat actor ClayOxtymus1337. The leaked dataset spans over 1.7 million files across 276 folders and includes a wide array of file types: HTML, PDF, DOC, PNG, and especially EML emails. This breach exposes internal court documents, invoices, legal correspondence, and files containing credentials, pointing to a severe system compromise.

Some of the most revealing filenames include:
– “557697_Privileged and confidential – Memorandum on risks _00061845.pdf”
– “691590_Proforma Invoice Feb 2018 to May 2019 (final).pdf”
– “774834_150105 Israel Ministry – NDA Revised.doc”
– “Abramovici Diamonds Invoice 1.docx” and “Invoice 19.docx”

The actor behind this breach, ClayOxtymus1337, has a track record of releasing high-impact leaks on DarkForums and operates under various handles, including CLOBELSECTEAM.

This individual is also linked to:
– Epsilor.com (June 2025 – 37.9 GB)
– Agencia Nacional de Hidrocarburos, Colombia (~58 GB)
– Israel Police (~16.9 GB)

Based on their language and activity, their motivations appear to be a mix of financially driven extortion and ideological targeting of Israeli state institutions.

The Justice.gov.il leak also includes a trove of internal email data. Of the 78 EML files, 8 contain attachments and 16 contain sensitive terms like “confidential”, “vpn”, “admin panel”, or “NDA”. Email timestamps indicate sustained access between 2015 and 2019, with activity peaks during mid-2015 and mid-2019.
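For a team assessing its own exposed mailboxes, the three measures quoted above (messages with attachments, messages containing sensitive terms, and activity by month) can be computed with a short triage script. This is an added example, not Cyber Intelligence House tooling; the function names and the three sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Terms quoted in the article; \b stops "nda" matching inside "agenda" or "calendar".
SENSITIVE = re.compile(r"\b(confidential|vpn|admin panel|nda)\b", re.IGNORECASE)

def triage(raw: bytes) -> dict:
    """Return attachment names, sensitive-term hits and send month for one .eml."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = "\n".join([str(msg.get("Subject", "")), body.get_content() if body else "", *names])
    try:
        month = parsedate_to_datetime(str(msg.get("Date"))).strftime("%Y-%m")
    except (TypeError, ValueError):  # missing or malformed Date header
        month = None
    hits = sorted({m.lower() for m in SENSITIVE.findall(text)})
    return {"attachments": names, "terms": hits, "month": month}

def summarize(raw_messages) -> dict:
    rows = [triage(r) for r in raw_messages]
    return {
        "total": len(rows),
        "with_attachments": sum(bool(r["attachments"]) for r in rows),
        "with_sensitive_terms": sum(bool(r["terms"]) for r in rows),
        "by_month": Counter(r["month"] for r in rows if r["month"]),
    }

def _sample(subject, date, body, attachment=None):
    """Build one constructed test message (not data from the leak)."""
    m = EmailMessage()
    m["Subject"], m["Date"] = subject, date
    m.set_content(body)
    if attachment:
        m.add_attachment(b"\0", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_bytes()

SAMPLES = [
    _sample("Team calendar", "1 Jun 2015 09:00:00 +0000", "Agenda attached next week."),
    _sample("Confidential: memo", "2 Jun 2015 09:00:00 +0000", "See the admin panel."),
    _sample("Revised draft", "15 Jul 2019 10:00:00 +0000", "Use the VPN.", "NDA Revised.doc"),
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Attachment filenames are searched along with the subject and body, so a message whose only sensitive marker is a file named like an NDA is still counted.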

While the Epsilor.com breach is also significant, containing admin panel tokens, customer billing data, and SQL dumps, it is overshadowed in both scale and sensitivity by the Ministry of Justice compromise.

What does this mean?
For individuals: exposure of legal documents and personal information may lead to reputational harm, coercion, or fraud. Invoices and legal memos also suggest financial and case-sensitive risks. The inclusion of NDA files further underscores the privacy threat.

For the Ministry: internal memoranda and NDAs demonstrate a serious loss of confidentiality. Exposed invoices may reveal financial structures and relationships. Overall, the breach shakes public trust and opens the Ministry up to legal and diplomatic consequences.

Supply chain risk is evident: leaked invoices and contracts tie private law firms, vendors, and service providers to the compromised data, potentially widening the attack surface.

Cyber Intelligence House recommends immediate action: revoke exposed credentials, isolate compromised email accounts, conduct forensic audits, and enforce DLP with Zero Trust controls.