Skip to content
Tips? Soon
Support
Sign In Subscribe
Leaks

Alleged GOV.CO Colombia Leak Claims 4.3 Million Records, but the Posted Sample Is German Taxpayer Data

 and  Dark Web Informer
10 min read
Breach Report Colombia flagColombia (claim) Germany flagGermany (data) Mismatch

Alleged GOV.CO Colombia Leak Claims 4.3 Million Records, but the Posted Sample Is German Taxpayer Data

A threat actor using the alias NormalLeVrai has posted a “comeback” teaser headlined as a leak of GOV.CO, the official digital platform of the Colombian government, claiming 4,300,002 records. However, the post's contents do not match that label: the sample shown is German, consisting of what appear to be German taxpayer records (tax IDs, full names, dates of birth, postal addresses, and phone numbers), and the download is titled to indicate roughly 4.2 million German tax records. Separately, the actor claims to have accessed the email inboxes of a Colombian state hospital and includes an Outlook screenshot. The mismatch between the Colombian GOV.CO headline and the German data shown, together with the teaser framing, makes the listing's true target and authenticity unclear and unverified.

Data4.3M claimed
SampleGerman PII
CountryCO / DE (unclear)
ActorNormalLeVrai

Post details

Claimed targetGOV.CO (Colombia digital platform)
Sample dataGerman taxpayer records
Inbox claimColombian state hospital email
Claimed volume4,300,002 (headline); ~4.2M (file)
CountriesColombia (claim) / Germany (data)
FormatCSV download
ObservedJun 25, 2026
ActorNormalLeVrai

!Shown / claimed

  • ~4.3M records (headline claim)
  • German tax IDs (sample)
  • Full names & dates of birth
  • German postal addresses
  • Phone numbers
  • Claimed hospital inbox access
  • CSV download (German tax file)
  • Target / authenticity disputed

Screenshot

GOV.CO Germany mismatched leak post Screenshot 1 Screenshot 1 Redacted preview

Potential impact

The challenge in assessing this post is its internal inconsistency, which is itself the key finding. If the German data is genuine, it would be a large and sensitive exposure: German tax identification numbers are permanent identifiers, and pairing them with names, dates of birth, home addresses, and phone numbers for millions of people would enable identity theft and fraud at scale. Separately, if the actor truly accessed a Colombian state hospital's email inboxes, that would be a serious intrusion exposing healthcare correspondence and patient identifiers. However, the headline claim of a 4.3 million record Colombian GOV.CO breach is not supported by the evidence shown, which is German rather than Colombian. Mislabeled, recycled, or exaggerated “comeback” posts are common, so the true target, scale, and authenticity should be treated as unverified. No sample records, identifiers, inbox contents, download links, or actor contact details are reproduced here.

iStatus

Unverified / disputed

The post mixes a Colombian GOV.CO headline with a German taxpayer-data sample and a claimed Colombian hospital inbox screenshot, and is framed as a “comeback” teaser. The sample records, the inbox contents and patient identifiers, the download link, and the actor's contact channels are not reproduced here. Given the contradictions, the listing's real target and authenticity are unclear, and neither GOV.CO nor the named hospital has publicly addressed it.

Want the non-redacted screenshots? Paid subscribers get all of the claim details and unredacted screenshots. Check out the threat feed or ransomware feed (whichever applies to this post), then after subscribing, search there for this alert to view the unredacted version. View pricing →

DARK WEB INFORMER - THREAT INTELLIGENCE

Related

Latest