This week’s Cyber Intelligence House Leak of the Week highlights a breach involving Cnss.ma (Caisse Nationale de Sécurité Sociale, Morocco). CNSS is Morocco’s national social security fund, based in Casablanca, administering benefits and social contributions.
Incident Overview
In August 2025, a dataset was posted on DarkForums by “Knee_Grow,” described as a “second breach sample” after an earlier CNSS breach claimed by “Jabaroot.” Our archive contains 18,393 files (one folder): 10,000 PDFs and 8,393 JSON records. Filenames indicate the PDFs hold individual records and the JSON files store family data. The actor mocked CNSS’s two-factor authentication as “bypassable” and threatened to sell a larger trove of 220,000 family records and 750,000 individual CNSS documents, sharing TOX-only contact and advertising sample archives on biteblob[.]com.
Observed Data:
– “_individual.pdf” (10,000 files)
– “_family.json” (8,393 files)
– Field names present in records: “nationalIdentityNumber”, “birthDate”, “registrationNumber” and “personalNumber”
Threat Actor Context
The DarkForums post credits the “main breach” to Jabaroot and positions this leak as a follow-on by Knee_Grow. We found no evidence in the dataset tying the two handles together beyond this reference. “Knee_Grow” provides TOX-only contact and sample archives while “Jabaroot” is cited by the community for the earlier CNSS incident.
Implications for Individuals
– Identity theft and long-tail fraud using national identifiers and dates of birth.
– Targeted phishing and social-engineering leveraging authentic-looking CNSS documents.
– Loss of privacy due to exposure of immutable identifiers.
Implications for CNSS
– Regulatory exposure and notification obligations.
– Credential-stuffing and impersonation risk across citizen and partner portals.
– Operational disruption from takedowns, investigations, and fraud remediation.
Supply Chain Risks
Employers, payroll processors, health-care/insurance partners, and government services that rely on CNSS identifiers face downstream phishing, benefits fraud, and account-recovery abuse.
Cyber Intelligence House Recommendations
Validate the sample by cross-matching against CNSS holdings and review access logs for abused endpoints. Rotate any exposed keys to prevent further misuse. Harden portals with enforced MFA, rate-limits, and anomaly detection. Deploy rules to flag CNSS-themed lures and leaked-document fingerprints. Monitor DarkForums and TOX channels for resale activity. Pursue takedowns of mirrors hosting the samples to limit further exposure.
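One way the data owner could carry out the first recommendation, cross-matching the “_family.json” sample against its own holdings, is sketched below as an added example; it is not Cyber Intelligence House or CNSS code. The nesting of the records, the strip-and-uppercase normalisation, the HMAC key and every identifier value are assumptions constructed for illustration; only the file suffix and the field names come from the write-up.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

# Identifier field names reported in the leaked records (from the write-up).
ID_FIELDS = {"nationalIdentityNumber", "registrationNumber", "personalNumber"}

def fingerprint(value, key):
    """Keyed hash, so raw identifiers are not stored or passed around."""
    norm = str(value).strip().upper()  # assumed normalisation
    return hmac.new(key, norm.encode(), hashlib.sha256).hexdigest()

def extract_ids(node):
    """Yield identifier values at any depth; the JSON nesting is not assumed."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name in ID_FIELDS and isinstance(value, (str, int)):
                yield value
            else:
                yield from extract_ids(value)
    elif isinstance(node, list):
        for item in node:
            yield from extract_ids(item)

def cross_match(sample_dir, holdings, key):
    """Count unique identifiers in *_family.json files that exist in holdings."""
    stats = {"files": 0, "unreadable": 0}
    seen = set()
    for path in sorted(Path(sample_dir).glob("*_family.json")):
        stats["files"] += 1
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):  # truncated or non-UTF-8 file
            stats["unreadable"] += 1
            continue
        seen.update(fingerprint(v, key) for v in extract_ids(doc))
    return {**stats, "unique_ids": len(seen), "matched": len(seen & holdings)}

def demo():
    """Constructed records: fake identifiers and an assumed nesting."""
    key = b"constructed-demo-key"
    holdings = {fingerprint(v, key) for v in ("AB123456", "900000001")}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "0001_family.json").write_text(json.dumps({
            "registrationNumber": "900000001",
            "members": [{"nationalIdentityNumber": "ab123456 "},
                        {"nationalIdentityNumber": "ZZ000000"}]}))
        (root / "0002_family.json").write_text("{truncated")
        return cross_match(root, holdings, key)
```

A high ratio of `matched` to `unique_ids` supports the sample being authentic, while unmatched identifiers may be fabricated or drawn from another source.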