Image: ZDNet

The database of Bulgaria's National Revenue Agency (NRA), which was hacked over the weekend and sent to local reporters, is now being shared on hacking forums, ZDNet has learned from sources in the threat intelligence community.

Download links to the hacked database have been shared by a hacked data trader known as Instakilla, believed to be operating out of Bulgaria.

ZDNet obtained a copy of the database and verified its authenticity with local sources, and this is a copy of the same database sent to local media over the weekend.

The database contains 57 folders, 10.7 GB in size, and holds personal and financial information consistent with what Bulgarian newspapers reported receiving over the weekend.

This includes personally identifiable information, tax information, from both the NRA, and from other government agencies who shared their data.

Image: ZDNet

ZDNet reached out to Instakilla before this article's publication. Asked from where he acquired the data, the data trader blamed it on a local TV station's goof.

"One of our media outlets covered the topic early on and in the video from what I believe they showed the link to the file," Instakilla told us.

"The file was password-protected, and they didn't believe any harm would come from showing the link. Neither they nor anyone had the password.

"A friend of mine saw this video and decided to hit met up with the link from the video asking if I could crack it, so I took the file on [redacted] so someone would crack it for me, telling them there was valuable information inside, which there is, because that's how the game works," Instakilla said.

And the members of the hacking forum where Instakilla shared the data didn't disappoint, breaking the archive's password within hours. Now, both the archive and the password are available for download to anyone.

Asked why he shared the data of Bulgarian citizens online, even if he's a citizen of Bulgaria himself, and could be very easily detained, Instakilla told ZDNet that "I'm not the original hacker, I do not feel accountable for anything."

Suspected hacker arrested and then released

In the meantime, the investigation into the NRA hack has advanced in Bulgaria. In a statement on its website, the agency said the hack took place 20 days ago, not years before, as the hacker claimed; and the hacker only accessed 3% of its systems.

Local media initially reported that the hacker stole the data of five million citizens, around 70% of the country's population. These numbers were later downgraded, as reports said the data also included the details of foreigners and deceased persons.

Bulgarian police arrested a 20-year-old suspect on Wednesday, July 17, but he was released earlier today.

According to a Dnevnik report, the suspect, a computer expert from the city of Plovdiv, had illegally copied data from the NRA's servers, but not the data that was involved in the recent hack. Either way, he still faces between five to eight years in prison, along with a fine.

In the meantime, Bulgarian Interior Minister Mladen Marinov continues to push the idea that Russian hackers are behind the security breach, as the NRA database was hacked after Bulgarian authorities announced the purchase of US-made F-16 fighter jets.

Article updated on July 19, 5:20am ET with comments from Instakilla.

Related government coverage:

