
Two Hacking Groups Behind Major European Commission Data Breach, Cyber Agency Confirms
Europe's cybersecurity agency has identified two criminal hacking groups responsible for stealing and leaking 92GB of sensitive EU data.
Europe's Cybersecurity Agency Points Finger at Two Criminal Groups
The European Union's cybersecurity watchdog, CERT-EU, has officially attributed a significant data breach targeting the European Commission to two separate cybercriminal organizations — TeamPCP and the well-known ShinyHunters gang.
In a detailed report released Thursday, CERT-EU confirmed that TeamPCP carried out the initial intrusion, while ShinyHunters took responsibility for publishing the stolen information publicly online.
What Was Stolen — and How Much
According to CERT-EU's findings, the attackers successfully extracted approximately 92 gigabytes of compressed data from an Amazon Web Services (AWS) account operated by the European Commission. The stolen information included sensitive personal data such as full names, email addresses, and the actual contents of email communications.
The breach compromised the Commission's Europa.eu cloud infrastructure — a platform widely used by EU member states to host official websites and publications for various bloc institutions and agencies.
CERT-EU further warned that data belonging to at least 29 additional EU entities may also have been exposed, along with information from dozens of internal European Commission clients.
How the Hackers Pulled It Off
The attack chain began on March 19, when threat actors obtained a secret API key linked to the European Commission's AWS environment. The entry point, however, traced back even further — to a prior compromise of Trivy, a widely used open source security scanning tool.
After Trivy's project was breached, the European Commission unknowingly downloaded a tampered version of the tool. That compromised copy allowed the attackers to harvest the Commission's secret API key and use it as a springboard to access and exfiltrate data stored within the AWS account.
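An added example, not taken from CERT-EU's report or from the Trivy project: one way a build pipeline can limit the failure described above, by running a downloaded scanner only when its SHA-256 matches a pinned value and with an environment stripped of cloud credentials. The function names are hypothetical, and the sketch assumes the key would otherwise be reachable through the job's environment variables, which the report summary here does not state.

```shell
#!/bin/sh
# Added example: gate a third-party scanner behind a pinned digest and
# run it without the CI job's secrets. Helper names are hypothetical;
# the caller supplies the pinned digest and the path to the tool.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_pinned EXPECTED_SHA256 TOOL_PATH [ARGS...]
# Returns 90 without executing the tool when the digest differs.
run_pinned() {
    expected=$1
    tool=$2
    shift 2
    actual=$(sha256_of "$tool")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $tool: digest $actual != pinned $expected" >&2
        return 90
    fi
    # env -i starts from an empty environment, so AWS_* keys, tokens and
    # other secrets exported by the job are not visible to the tool.
    # Assumption: the tool needs only PATH and a scratch HOME to run.
    env -i PATH="$PATH" HOME="${TMPDIR:-/tmp}" "$tool" "$@"
}
```

The pin only helps if it was recorded from a release reviewed before any compromise and is not refreshed automatically from the same download source.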
A Dangerous Supply Chain Weak Point
The Trivy connection underscores a broader and increasingly alarming cybersecurity threat: supply chain attacks. By infiltrating trusted open source tools used by developers, hackers gain privileged access to the systems of unsuspecting organizations downstream.
Cybersecurity firm Aqua Security, which develops Trivy, has linked TeamPCP to ransomware campaigns and crypto-mining operations. Threat intelligence researchers at Palo Alto Networks Unit 42 have also identified the group as a key player behind a systematic effort to compromise multiple open source security projects.
"By targeting developers with keys to access sensitive systems, the hackers then have the ability to hold compromised organizations for ransom, demanding extortion payments," Unit 42 noted in its assessment.
The Scale of the Leaked Data
While CERT-EU continues to analyze the full scope of the published data, investigators have already identified nearly 52,000 files containing outbound email messages. The agency noted that the majority of these emails are automated in nature and largely devoid of meaningful content.
However, bounced or undeliverable emails are of particular concern, as they may contain original user-submitted content — creating a tangible risk of personal data exposure for individuals whose information passed through the Commission's systems.
A Growing Trend: Collaborative Cybercrime
Perhaps the most significant takeaway from this incident is not simply the scale of the breach, but what it reveals about the evolving tactics of cybercriminals. The collaboration between TeamPCP, which conducted the breach, and ShinyHunters, which handled the public leak, reflects a troubling trend of criminal groups working in tandem to maximize pressure on victims through extortion.
This division of labor — one group stealing, another leaking — allows hackers to operate more efficiently and amplify their leverage against targeted organizations.
Official Response
CERT-EU confirmed it has already reached out to organizations potentially impacted by the breach. A spokesperson for the European Commission said the body was closed for the period in question and would respond to media inquiries once it resumed operations. ShinyHunters has not responded to requests for comment.
