Between December 11 and 16, the Interior Ministry confirmed that it had been the target of a cyberattack. Initially presented as an attack on messaging servers, the intrusion turned out to be more complex, with proven access to business applications. While the judicial and technical investigation is still ongoing, the official communication leaves several gray areas. Here is a detailed review of the events, what we know at this stage, and what remains uncertain.
Before the alert, the hypothesis of a prepared intrusion
The elements appearing in the cybercriminals' claims suggest an intrusion that was not limited to one-off access: the hackers describe a prolonged presence in the information system, with the ability to move around within it and knowledge of certain technical environments of the ministry.
Although none of these points has been confirmed by the authorities, they nevertheless raise the hypothesis of a compromise that predates official detection, with a prior reconnaissance phase. At this stage, these are indirect, unvalidated clues, but they are consistent with the operating methods observed in targeted attacks against public institutions.
December 11: detection of suspicious activities on messaging services
On Thursday, December 11, the Interior Ministry detected what it internally described as “suspicious activities” targeting its email servers. The information was confirmed to our colleagues at BFMTV, but no public communication was made immediately.
This posture can be considered standard at this stage: it corresponds to an analysis and qualification phase, during which the teams seek to determine whether they are dealing with a technical incident, an attempted intrusion or a proven compromise. Neither the exact nature of the signals detected nor their seriousness was made public at that point.
December 12: confirmation of a cyberattack targeting messaging
As a guest on RTL on Friday, December 12, the Minister of the Interior, Laurent Nuñez, officially confirmed the existence of a cyberattack. He specified that it targeted the ministry’s messaging services and indicated that the usual protection procedures had been implemented.
The minister also mentioned access to “a certain number of files”, while stating that he had, at that stage, no trace of serious compromise.
This communication marks a first public framing, deliberately restricted, which places the incident within a precise technical perimeter and limits the perceived scale of the attack.
The weekend of December 14/15: more disruptive signals
The case took on another dimension over the weekend, notably with the sending of an email announcing the reopening of BreachForums from a legitimate “interieur.gouv.fr” domain. Two hypotheses were then considered: either particularly credible spoofing, or the actual compromise of an account or a ministry messaging service.
No official clarification has been provided on this point, although it is central to assessing the depth of the intrusion. At the same time, a claim appeared on a cybercriminal forum. The perpetrators claimed to be behind the attack and referred to an ultimatum addressed to the French authorities. They also referred to the hacker group ShinyHunters, before the long-standing members of this group, arrested in June 2025, publicly disassociated themselves from the operation.
Here again, the authorities neither formally confirm nor deny the claim or the existence of an ultimatum.
December 16: recognition of access to business applications
Tuesday, December 16 marks a turning point. According to BFMTV, and in particular the information reported by journalist Raphaël Grably, the Beauvau teams confirmed that the attackers had had access to “business applications”, that is to say internal tools used by the ministry’s services.
This semantic change is significant: we are no longer talking only about communication tools, but about internal operational software, potentially connected to databases or critical systems. However, no details are provided on the exact nature of the applications concerned, their level of sensitivity or the rights available to the attackers.
Hacking of the Ministry of the Interior: with BFMTV, the Beauvau teams confirm that the hackers had access to “business applications”.
In other words, internal tools and software, potentially with access to databases.
— Raphaël Grably, December 15, 2025
December 17: an arrest
The Paris prosecutor’s office announced, on December 17, the arrest of a suspect in the investigation opened after the cyberattack targeting the Ministry of the Interior. The facts are described as an attack on an automated processing system of personal data of the State, committed by an organized gang, an offense punishable by ten years of imprisonment, according to the press release signed by the public prosecutor Laure Beccuau. Born in 2003 and already convicted in 2025 for similar acts, the individual was arrested in Limoges and placed in police custody by the anti-cybercrime section of the Paris public prosecutor’s office and the Anti-Cybercrime Office, a measure that could last up to forty-eight hours, after which a new communication is expected.
The criminal classification retained excludes the hypothesis of isolated fraudulent access and establishes an intrusion into a state system processing personal data, with an aggravating circumstance linked to coordinated action, involving the actual consultation of sensitive data, the scope of which remains to be specified.
These elements were partially corroborated by the Minister of the Interior, Laurent Nuñez, who confirmed on December 17 on franceinfo a “malicious intrusion” described as a “serious act”, involving compromised professional messaging, with access to sensitive internal files, in particular the Processing of criminal records and the Wanted Persons File, while acknowledging that the exact extent of the compromises has not yet been established. The ministry also contacted the CNIL and opened an internal administrative investigation, in accordance with legal obligations.
What the authorities say at this stage (UPDATE December 18, 6 a.m.)
The official position has become clearer without removing all the uncertainties. The authorities maintain that investigations are still underway under the authority of the Paris prosecutor’s office and point out that they immediately tightened the terms of access to the information system, while deploying additional security measures. The criminal classification retained by the prosecution, which targets an attack on an automated processing system of State personal data committed by an organized gang, nevertheless marks a notable change from the initial discourse and establishes that the intrusion is not limited to opportunistic access, but concerns a State system processing sensitive data, with prior coordination.
However, several gray areas remain. The exact scope of the “business applications” concerned is still not specified: are they peripheral administrative tools or systems directly linked to the ministry’s sovereign missions? The claim of access to the national police CHEOPS portal, illustrated by a screenshot published by the suspected cybercriminals, has not been confirmed by the authorities and remains unverifiable at this stage. Regarding data, the ministry now acknowledges access to sensitive internal files, including the Processing of criminal records and the Wanted Persons File, while indicating that “the extent of the compromises” is not yet known. However, no information has been communicated on a possible exfiltration: volumes of data consulted or transferred, outgoing flows detected, or signs of a leak. This silence, understandable in view of operational and judicial imperatives, nevertheless leaves open questions about the real scope of the attack.
What are the main databases of the Ministry of the Interior?
The Ministry of the Interior operates and supervises several national databases, used by security forces, prefectures and certain state services.
The TAJ (Processing of criminal records) brings together information from legal proceedings, in particular data relating to the persons accused, victims or witnesses, as well as to the offenses observed. It is consulted daily by law enforcement in the context of investigations, administrative controls or legal proceedings.
The FPR (Wanted Persons File) centralizes information concerning people subject to search or surveillance measures: missing people, individuals wanted by the courts, people subject to an administrative or judicial ban. It is consulted in real time during identity checks or border crossings.
The SIV (Vehicle Registration System) lists all vehicles registered in France and their owners. It is used by law enforcement, prefectures, as well as by authorized actors such as automobile professionals or insurers.
The FNAEG (Automated National Genetic Fingerprint File) contains genetic profiles collected as part of legal investigations. Access to it is tightly regulated and reserved for specialized services.
The FAED (Automated Fingerprint File) centralizes fingerprints used for judicial and administrative identification. It is widely used by law enforcement, with access strictly controlled and traced.
Beyond these flagship databases, the ministry relies on numerous intermediate business systems, used by prefectures, the police, the gendarmerie and central services, which serve as application layers between agents and the national databases.