Hacked Iraqi Voter Information Found for Sale Online

A team of researchers this month uncovered the sale of voter data stolen in an apparent hack against Iraq’s Independent High Electoral Commission (IHEC) — yet incident in a pattern of increased malicious activity targeting elections in the Middle East and beyond.

Resecurity unearthed a 21.58GB database containing Iraqi voter cards and personally identifiable information, as well as a customized software client designed for IHEC's "Operations & Data Management Department."

Election cyber threats — which surged from 10% in 2015 to 26% in 2022 — are jeopardizing the integrity of democratic processes worldwide, the researchers say. Threats against elections include leaks of voters data, incidents driving influence campaigns, and attacks that deem election systems unavailable.

Resecurity's team said they worked with "sources familiar with these digital record repositories" to confirm that the leak occurred around 2019. Resecurity also uncovered a similar Dark Web posting from 2022, though this data was found to be corrupt.

The latest illicit tranche, by contrast, is the real deal.

"The acquired data is valid and contains valid information what was validated with our law enforcement partners in Iraq," says Gene Yoo, chief executive of Resecurity.

Translation from Arabic of the key fields confirmed that the database contains voting information with details about voters (names, dates of birth), polling stations, and registration centers to collect votes, among other information.

"The data leak from the Independent High Electoral Commission IHEC [of Iraq] includes not only a database but related software likely developed by an IT contractor," Yoo explains.

"Based on the connection settings defined in software, [the leaked software] package was installed locally on workstations of IT administrators managing databases," he says.

Supply Chain Compromise

Resecurity believes the breach was most likely the result of an IT supply chain compromise involving technology from third-party suppliers that the threat actors hacked. Alternatively, the leak may have come from an insider with access to IHEC infrastructure, they say. Election infrastructure systems are typically isolated from the internet — so a remote hack is less likely.

Iraqis are next due to go to the polls for parliamentary elections scheduled in October 2025.

Miscreants could employ the leaked voter data to craft targeted propaganda and campaigns on specific segments of voters. Unlike compromised payment card data or passwords — both of which can be changed in response to a hack — leaked voter data remains exploitable years after the initial leak.

"Cyberespionage groups, operating under the direction of nation-state actors, are targeting voter PII, plotting to use it as a long-term weapon for electoral interference," according to Resecurity's report. "This data reveals crucial demographic insights and context about target populations during both pre-election and post-election stages."

Who's Behind the Voter Data Theft?

Potential suspects in the attack include nation-state actors interested in the destabilization of Iraq or a domestic actor involved in protest activity. Iran and dissident Kurd nationalists are the two most likely suspects with some evidence pointing at the latter, according to Resecurity.

"Several threat actors involved in this campaign are believed to originate from the Kurdistan region and speak Sorani, a Kurdish dialect," Resecurity explained. "Our investigators traced some threat actor IP addresses back to Kirkuk, a city in Northern Iraq."

Leaked voter information and electoral interference has occurred across many countries, including the US, Iraq, Indonesia, Israel, Turkey and African nations, as detailed last week in a Resecurity blog post on its findings.

Cyber threats range from attacks on election infrastructure to influence campaigns aimed at shaping public opinion and policymaker decisions.

For example, a group known as R00Tk1T CYBER TEAM recently targeted Qatar and Malaysia before a January 2024 release of a JSON dump with 90,000 voters from the past Parliamentary Elections in Lebanon.

"This data was never published earlier on the Dark Web and was likely released with the intention of triggering social uncertainty in the upcoming elections scheduled for 2026," according to Resecurity.

Analysts from Resecurity's Hunter unit previously identified a data leak of 6.4 million Israeli voter records on the Eleaks cybercriminal forum.

The data leak, which was first flagged around 2021, has been reused multiple times, including at the start of the latest Israel-Gaza conflict, with bad actors weaponizing it to target specific individuals, including the family of Israeli military personnel. Resecurity traced this leak back to a breach of Elector, an Israeli software application used to manage political campaigns.

Remain Vigilant

Since threat actors are actively trying to acquire and exploit voter data, nations must both bolster their defenses, and remain vigilant, Resecurity researchers advise.

"It is vital for organizations and individuals to monitor their Dark Web data footprint," they said. "It is also important to secure IT supply chain of elections — including contractors involved in system administration and related vendors."