Dutch police say they have uncovered strong indications that local criminals were involved in the cyberattack against telecommunications provider Odido, which exposed personal information belonging to millions of customers.
The Dutch National Police investigation centers partly on a telephone call made shortly before the February 2026 breach. During the call, a Dutch-speaking man allegedly posed as an Odido IT employee while speaking with the company’s customer service department.
Police said Odido was subsequently misled through phishing, after which the attackers gained access and stole customer information. Authorities are still working to identify the caller and any other people involved in the operation.
The breach began after attackers accessed an Odido customer contact system on February 7. The company disclosed the incident on February 12 and later said it affected approximately 6.2 million customers.
Depending on the customer, the exposed information may have included names, residential addresses, mobile numbers, email addresses, customer numbers, dates of birth, IBAN bank account numbers, and limited identification document details such as passport or driver’s license numbers and validity dates.
Odido said call records, location data, billing information, identity document scans, and Mijn Odido account passwords were not exposed during the attack.
During the early stages of the investigation, Dutch police successfully took multiple servers used to distribute the stolen data offline. Investigators said they have preserved evidence at several points throughout the case and are continuing to analyze the traces left behind by the attackers.
The ShinyHunters extortion group claimed responsibility for the breach and later published an 88GB archive containing more than 15 million records. However, Odido has not officially attributed the attack to ShinyHunters, and Dutch authorities have not publicly confirmed that the group was responsible.
Police believe the perpetrators may have discussed the attack online or within their personal circles. Investigators are asking people within the cybercriminal community or others with knowledge of the operation to provide information.
Authorities have also urged the Dutch-speaking caller to come forward voluntarily. Police said they may eventually release a recording of the caller’s voice to the public if it becomes necessary to identify him.
The investigation is expected to continue for several more months. Dutch police and prosecutors said the ultimate outcome remains uncertain, but the newly identified local connection could help investigators move closer to identifying those responsible.