A post published by Daily Dark Web has claimed that a large database linked to Armenia’s government mailing and notification ecosystem is being offered for sale on a cybercrime forum. According to the report, the dataset allegedly contains around 8 million records related to official communications, including notifications from the Compulsory Enforcement Service (DAHK), the Patrol Police, and judicial bodies. The seller has priced the database at USD 2,500 and advertises it as a consolidated collection of government-related mailings. At the time of writing, these claims have not been independently verified and the data is allegedly for sale.
In response, the Government of Armenia publicly denied that its central email infrastructure was compromised.
In an official Facebook statement, authorities stressed that the leak “has no connection to the Government of Armenia’s electronic mail system” and indicated that preliminary analysis suggests the exposed files may have been extracted from the electronic civil proceedings platform, cabinet.armlex.am.
Լրատվամիջոցներում տարածված տեղեկությունը, թե իբրև ՀՀ Կառավարության էլեկտրոնային փոստի համակարգը կոտրվել է, չի համապատասխանում իրականությանը։ Արձանագրված տվյալների արտահոսքը ՀՀ Կառավարության էլեկտրոնային մեյլերի հետ առնչություն չունի։Նախնական ուսումնասիրության արդյունքում, կարելի է եզրակացնել, որ արտահոսք եղած ֆայլերը կորզվել ենէլեկտրոնային քաղաքացիական դատավարությանcabinet.armlex.am հարթակից։Ներկայում աշխատանքներ են տարվում վերը նշվածը հաստատելու, կորզման եղանակը պարզելու նպատակով։
An internal investigation is reportedly underway to confirm the source and method of data extraction.
Regardless of the precise technical origin, the potential consequences for Armenian citizens are significant. Databases tied to official notifications typically include names, contact details, case references, fines, enforcement actions, or court-related information. If such data is exposed, it can be exploited for targeted phishing, fraud, extortion, or disinformation campaigns that appear convincingly “official.”
Threat Actor Profile: dk0m
The individual or group behind this leak, operating under the alias dk0m, is a well-established broker in the cybercrime underground. Since at least 2024, dk0m has maintained a “high-reputation” status on major English-speaking forums, specifically specializing in the curation and sale of government-related data.
Unlike “hacktivists” who leak data for political points, dk0m is a financially motivated actor. Their typical methodology involves harvesting infostealer logs—malware that exfiltrates saved passwords and session cookies from a victim’s browser—which are then filtered to identify high-value access to official government portals. This actor has a documented history of selling credentials and databases belonging to ministries in Argentina, Ukraine, and Brazil, often providing high-fidelity “samples” (official PDFs or database schemas) to prove the validity of their claims to potential buyers.
In screenshots published as early as August 2024 there is evidence that the threat actor possessed Armenian government data and this fresh announcement might be an attempt to monetize data that they already had at hand (see the screenshot below).
Source: ZeroFox Intelligence
The Geopolitical Context
The broader geopolitical and security context makes this incident particularly sensitive. Armenia has been operating in a persistently hostile cyber environment for years, where criminal activity, espionage, and politically motivated operations frequently overlap. While the Government’s statement correctly rejects claims of a breach of its central email infrastructure, it simultaneously acknowledges that an unauthorized data exposure likely occurred elsewhere within the state’s digital ecosystem. From a citizen-impact perspective, this distinction offers little reassurance: data loss remains data loss, regardless of which subsystem failed.
If the dataset advertised by the threat actor is authentic, its value lies not only in the volume of records but in their credibility. Official-looking data tied to courts, enforcement services, or police structures significantly lowers the barrier for social engineering attacks. Citizens could be targeted with convincing scam messages referencing real case numbers, fines, or enforcement actions, increasing the likelihood of compliance or panic-driven responses.
In a country where digital government services are expanding rapidly, such abuse risks undermining public trust in e-governance as a whole.