Philippine Drug Enforcement Agency Data Breached; Threat Actor Issues 48-Hour Ultimatum
Manila, Philippines — April 23, 2026
A threat actor group identifying itself as “FemboySec” has claimed responsibility for a large-scale data breach involving the Philippine Drug Enforcement Agency (PDEA), alleging the exfiltration of a massive volume of sensitive data and issuing a 48-hour ultimatum to the government. In a statement released online, the group announced what it described as the release of “Batch-1,” warning that if authorities fail to act, the remaining data will be leaked or sold, stressing that “if the government wishes to ensure the safety of its citizens’ data, we will refrain from releasing or selling it to others,” while declaring this as a direct warning to “choose to settle, or the data will be leaked.”
According to the group, the breach dated April 18, 2026 resulted in the compromise of a dataset estimated at around 400GB in compressed form, containing over 100,000 personally identifiable information (PII) records with attached documents, alongside approximately 40,000 passwords, emails, and other credentials. The haul reportedly includes company records, pharmaceutical drug certificates, payment transactions, and a wide range of internal and regulatory datasets, with the actors further claiming that even recently generated documents remain within their control, reinforcing their assertion that “shutting down your website now is a futile gesture.”
https://iili.io/B4jukvI.png
The DWK Team has validated portions of the leaked materials, confirming that the files originated from PDEA systems. The team's assessment was based on document structure, metadata, and consistency with known regulatory formats. These datasets show directories containing thousands of files, one folder alone listing over 4,600 documents totaling nearly 4GB, and another with more than 4,200 files exceeding 3.5GB, indicating that the exposed samples are only fragments of a larger archive.
https://iili.io/B4juUjn.png
The file listings suggest the presence of highly sensitive materials, including export permits, licensing records, drug test results, pharmaceutical certifications, identification documents, and internal acknowledgments. Notably, several application documents submitted to PDEA were also reportedly obtained, many of which contain detailed personal and corporate information tied to regulated activities, further amplifying concerns over the potential scope of exposure should the full dataset be released.
https://iili.io/B4juvpt.png
FemboySec also pushed back against assumptions that the breach stemmed from basic vulnerabilities, stating that the agency “believed we were merely performing IDORs or scraping their website,” but asserting that such assumptions were incorrect, implying a deeper or more sophisticated level of system compromise.
As of press time, PDEA has yet to issue an official statement confirming or denying the incident, leaving the situation unresolved as the attackers’ 48-hour deadline continues to run.
