13 Million French Identity Records Exposed (Ants.gouv.fr)

A significant data leak targeting Ants.gouv.fr (Agence nationale des titres sécurisés) has been detected on the dark web. A threat actor known as Wildpistol has advertised a massive dataset containing approximately 13.2 million records.

This breach represents a high-severity risk to French citizens, as the exposed data aggregates highly sensitive Personally Identifiable Information (PII) including full physical addresses, birth details, and multiple contact methods.

🏛️ Victim Profile: Who is Ants.gouv.fr?

The Agence nationale des titres sécurisés (ANTS) is a critical French government agency operating under the Ministry of the Interior. It acts as the central hub for secure identity documents in France.

Key Responsibilities:

  • Issuing National Identity Cards (CNI).
  • Managing Biometric Passports.
  • Processing Driving Licences.
  • Handling Vehicle Registrations (Carte Grise).

Why this target matters: Compromising ANTS does not just expose user activity; it potentially exposes the root of identity for millions of citizens.

🔍 The Breach: Technical Details & IOCs

The leak was identified on DarkForums and has been circulating via Telegram channels. The threat actor provided a sample and technical specifications of the stolen data.

Indicators of Compromise (IOCs)

  • Threat Actor Handle: Wildpistol
  • Source Platform: DarkForums / Telegram
  • File Name: ANTS.json (often cited in leak notes)
  • File Size: ~3.09 GB
  • Total Row Count: 13,187,563
  • Data Format: JSON (JavaScript Object Notation)

Tactics, Techniques, and Procedures (TTPs)

  • Exfiltration: Likely unauthorized database dump or API scraping resulting in a structured JSON export.
  • Distribution: The actor is utilizing dark web marketplaces to auction/sell the data, leveraging the high volume (13M+) as a selling point.
  • Data Aggregation: The data appears to be a “Master File,” aggregating various contact points (work, personal) into single identity profiles.

📊 Visualizing the Leaked Data

To understand the severity of this leak, we must look at the composition of a single record. This is not just email/password data; this is Full Identity Context.

Detailed Field Analysis

The dataset is extraordinarily granular. Based on the JSON schema analysis, here is what is exposed:

  1. Civil Status (The “Golden” Data):
    • nom, prenom, Civilité, Sexe: Full legal names and gender.
    • datenaissance, Lieu de naissance: The foundations of KYC (Know Your Customer) fraud.
    • Décédé(e) le: Indication of deceased status, which can be used for “Ghosting” identity theft.
  2. Location Data:
    • adresse_complete: Not just a zip code, but the full line.
    • Code postal, ville, Pays: Specific geo-location data.
    • Bureau distributeur: Precise delivery routing info.
  3. The “Pivot” Points (Contact Info):
    • Emails: Fields like Email, Email2, and Email principal suggest users linked multiple accounts.
    • Phones: Fields ranging from Phone1 to Phone5, plus Mobile travail (Work Mobile). This allows attackers to pivot from attacking a personal life to a professional environment.

⚠️ Impact Assessment

The diagram below illustrates the attack vectors enabled by this specific combination of data fields.

For the Individual

  • High-Fidelity Social Engineering: Scammers can call a victim on their work mobile, recite their home address and date of birth, and claim to be from the police or tax authority. The trust verification gap is eliminated.
  • Long-Term Exposure: Unlike a password, you cannot change your Place of Birth or Date of Birth. This leak has a permanent shelf-life.

For the Organization (ANTS/Gov)

  • Erosion of Trust: A breach in the issuer of “Secure Titles” undermines confidence in the state’s ability to protect citizens.
  • Regulatory Scrutiny: With 13 million records involved, this will likely trigger massive investigations under GDPR and French national security protocols.

🛡️ Recommendations & Mitigation

For Security Teams & MSSPs

  1. Monitor Specific Fields: Set up alerts for the specific combination of French POB (Place of Birth) and Email addresses appearing in credential stuffing logs.
  2. Harden Authentication: If you rely on “knowledge-based authentication” (e.g., asking a user “What is your date of birth?” to verify them), stop immediately. This data is now public knowledge for 13 million people.
  3. Watch the “Wildpistol” Actor: Monitor DarkForums for further samples or price drops, which usually indicate wider distribution.

For ANTS & Government Bodies

  1. Forensic Verification: Confirm if the data is a direct database dump (indicating an SQL injection or Insider Threat) or an API scrape (indicating broken access controls).
  2. Rate Limiting: Review all systems capable of exporting bulk identity data. Mass extraction should trigger an immediate “circuit breaker” lockdown.
  3. Public Communication: Provide clear, honest guidance to citizens. Instruct them on how to spot scams leveraging this specific data (e.g., “We will never ask for your password via phone”).
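The "circuit breaker" from the Rate Limiting item above, sketched as an added example (not code from ANTS or from the original report). It enforces a sliding-window budget on records returned by export endpoints, per principal and globally, so that extraction spread across many accounts also trips it. The class name, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class ExportCircuitBreaker:
    """Sliding-window budget on records returned by identity-export endpoints.

    Thresholds are illustrative assumptions; tune them to real baselines.
    """

    def __init__(self, per_principal=5_000, global_limit=20_000, window=600):
        self.per_principal = per_principal
        self.global_limit = global_limit
        self.window = window                  # seconds
        self.events = deque()                 # (ts, principal, count)
        self.by_principal = defaultdict(int)
        self.total = 0
        self.locked = set()                   # principals that tripped
        self.global_lock = False              # all bulk export halted

    def _expire(self, now):
        # Drop events that have aged out of the window.
        while self.events and self.events[0][0] <= now - self.window:
            _, who, n = self.events.popleft()
            self.by_principal[who] -= n
            self.total -= n

    def allow(self, principal, count, now):
        """Return True if the export may proceed; once tripped, stay tripped."""
        if self.global_lock or principal in self.locked:
            return False                      # cleared only by a human reset
        self._expire(now)
        if self.by_principal[principal] + count > self.per_principal:
            self.locked.add(principal)
            return False
        if self.total + count > self.global_limit:
            self.global_lock = True
            return False
        self.events.append((now, principal, count))
        self.by_principal[principal] += count
        self.total += count
        return True

# Constructed sample traffic: (timestamp_s, principal, records_requested)
SAMPLE = [(0, "clerk-a", 200), (30, "svc-batch", 4_000), (60, "svc-batch", 900),
          (90, "svc-batch", 500), (700, "clerk-a", 300), (4000, "svc-batch", 10)]

def replay(requests, breaker=None):
    """Feed requests through a breaker and return the allow/deny decisions."""
    breaker = breaker or ExportCircuitBreaker()
    return [breaker.allow(who, n, ts) for ts, who, n in requests]
```

A tripped principal stays locked after the window has passed, so the last request in the sample is still refused: the lockdown ends on review, not on a timer.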

This report is based on raw intelligence regarding the “DATABASE ANTS (FRANCE)” leak. Information is subject to change as forensic analysis continues.