Sensitive European Space Agency Data Leaked to the Dark Web by String of Cyberattacks

The European Space Agency (ESA) has confirmed that a series of cyberattacks has led to the leak of sensitive data — including staff email credentials — on dark web forums, prompting concerns across the international space community.

The incidents, which began in mid-December 2025 with breaches of external servers, have exposed hundreds of gigabytes of data. Hackers claim to be selling the information on underground internet marketplaces, raising questions about the robustness of ESA's cyber defences amid increasing digital threats.

Read More: Amazon's AI Hypocrisy: Suing Others for Scraping While Listing Small Businesses Without Consent

Read More: Rainbow Six Siege Hacked: Shutdown Sparks Player Panic as Fans Ask When Will It Be Back Up

Data Exfiltration and Dark Web Exposure

According to cybersecurity reports and ESA's own statements, several external servers used for collaborative engineering activities were infiltrated by unknown attackers, who remained undetected for approximately one week. These systems, though separate from the agency's core internal network, contained data that threat actors allege includes source code, access tokens, CI/CD pipeline details, configuration files, and hardcoded credentials.

A threat actor using the alias '888' boasted on BreachForums that they had exfiltrated roughly 200 gigabytes of data and made parts of it available for purchase in exchange for the cryptocurrency Monero. ESA has not independently verified the full extent of the leaked contents but said the impacted servers supported unclassified scientific collaborations.

Cybersecurity researcher Clémence Poirier of the Centre for Security Studies at ETH Zurich told Space.com that the discovery of email credentials linked to ESA employees circulating on dark net platforms has also caught their attention. The appearance of such personal data raises the spectre of credential reuse and potential follow-on attacks against other systems if the compromised information is combined with breaches from other sources.

Initial Responses and Ongoing Investigations

ESA has publicly acknowledged the breaches and stated that a forensic analysis is underway to determine the full scope of the compromise. In messages posted on the social media platform X, the agency said it began a comprehensive security assessment soon after detecting unusual activity on the external servers in December.

It has since taken steps to secure potentially affected devices and isolate the compromised infrastructure.

The agency maintains that its core mission systems were not directly affected, and that no classified or highly sensitive operations have been exposed. Nevertheless, the disclosure of internal credentials and software configurations has sparked debate over the classification of so-called 'unclassified' data and its potential value to sophisticated adversaries.

ESA officials have emphasised cooperation with law enforcement and cybersecurity partners as the investigation continues. The evolving situation underscores how even data on seemingly peripheral systems can have strategic implications when it finds its way onto the dark web.

Wider Cybersecurity Concerns

Experts have warned that the space sector is increasingly targeted by cybercriminals and that agencies must adapt their security practices accordingly. Malware designed to harvest credentials — such as infostealers — remains a prevalent threat, with attackers leveraging everything from malicious adverts to seemingly benign web links to capture sensitive information.

Although ESA has invested in cyber resilience policies in recent years, the latest breaches highlight the difficulty of defending complex, interconnected systems where third-party tools and external servers can become weak points in an organisation's digital armoury.

As investigations proceed and ESA works to reassure the public and its partners, the incident serves as a stark reminder that cyber threats to critical scientific organisations are not just hypothetical; they are an ongoing reality.