ALLEGED DATA BREACH HITS PHILIPPINE DEPARTMENTS OF DEFENSE AND MIGRANT WORKERS
June 17, 2025 – Press Konek / Deep Web Konek Exclusive Report
A alleged data breach has allegedly compromised thousands of sensitive and confidential documents from two key Philippine government agencies—the Department of National Defense (DND) and the Department of Migrant Workers (DMW). The attackers identified these agencies by their former or alternate names: the Ministry of Defense and the Overseas Employment Administration (OEA).
A member of the monitoring team was among the first to be alerted to the breach through cybercrime-related Telegram groups, where screenshots began circulating last week. These early indicators suggested a compromise—particularly of the email inboxes of key government officials, rather than centralized government databases or server infrastructures.
The files were listed for sale by the threat actor who goes by the alias, ARES, who priced access to those set at $35,000 USD. The materials were offered as exclusive to only two buyers per dataset. According to the attacker, the breach exposed internal communications, sensitive email threads, and restricted documents.
Ministry of Defense (DND):
Size: 16.5 GB
Contents: Over 18,000 .eml email files
Overseas Employment Administration (DMW):
Size: 12.8 GB
Contents: Over 8,300 .eml email files
https://iili.io/Fn9lME7.jpg
The attacker also shared sample documents from both sets, some of which were dated from December 2024 to May 2025—with other files reportedly containing plans for the upcoming months, raising concerns about the exposure of forward-looking strategies and sensitive future operations.
The threat actor behind the incident is not new to targeting Philippine government entities. They were previously linked to past incident involving leaked files from the Armed Forces of the Philippines (AFP), where internal military documents were posted for sale and some samples shared publicly to prove legitimacy.
https://iili.io/Fn9V6vt.jpg
Their modus operandi appears consistent: infiltrate email accounts or poorly secured cloud storage, extract sensitive communications, and monetize the information through private dark web forums or direct sale listings.
The Deep Web Konek Team has analyzed metadata and non-sensitive samples and can confirm that the breach appears limited to email inbox contents, such as:
From the Department of National Defense (DND):
1. Emails discussing defense policies and confidential defense attaché events
2. Communications with foreign military partners
3. Applications for research positions in defense technology
4. Discussions about foreign aircraft access, military exercises, and logistics
5. Drafted internal memos and multi-agency coordination letters
From the Department of Migrant Workers (DMW/OEA):
1. Overseas labor deployment documentation
2. Email coordination with foreign embassies and consulates
3. Personnel and administrative discussions
4. Confidential memoranda on labor negotiations and overseas contract approvals
5. Invitations and scheduling of high-level bilateral meetings
Some emails also contain attached official documents, PDFs, and scanned letters—many of which bear headers from DND and OEA, including personal names, ranks, job titles, and policy discussion threads.
If verified, the breach has grave implications for both national security and diplomatic relations:
Operational Security Risks: Ongoing and upcoming defense strategies may now be in the hands of unknown foreign entities.
Diplomatic Fallout: Leaked communications involving embassies and foreign labor discussions could strain bilateral relationships.
Personnel Risk: Exposure of government personnel identities, contact details, and interdepartmental correspondence could lead to spear-phishing or retaliation campaigns.
Initial findings suggest the attackers did not breach core infrastructure. Instead, they likely exploited weak credentials, insecure remote email access, or even insider access. The .eml file format suggests that entire email inboxes or folders were exported manually or via automated exfiltration tools.
This technique is consistent with credential-stuffing or phishing attacks targeting specific officials using government-provided or self-managed devices.
As of June 17, 2025, no formal acknowledgment has been issued by the DND, DMW, or the Department of Information and Communications Technology (DICT). The Deep Web Konek Team has formally reached out to the concerned agencies and is assisting in the verification and containment process.
Deep Web Konek will continue to monitor the situation and release further updates as the investigation develops.
