Our Investigation of the ANCFCC Data Leak [Flash Report]
Table of contents
On June 2, 2025, the threat actor known as Jabaroot claimed responsibility for a data leak from Morocco’s National Agency for Land Conservation (ANCFCC). This incident, announced on the Dark Web forum DarkForums, appears to be politically motivated, stemming from regional tensions. This attack is part of a broader wave of targeted cyberattacks against Moroccan entities observed recently.
Interested in this developing story? Check out our previous April flash report on the leak involving Morocco’s national social security fund.
What happened?
Jabaroot, a known malicious actor with a history of targeting Moroccan entities, created a thread on DarkForums titled “MOROCCO – National Agency for Land Conservation (ANCFCC) – FULL DATABASES.” The actor asserted that this action was a direct response to perceived “anti-Algerian propaganda” by Moroccan media. This event occurred amidst a period of heightened geopolitical strain and a surge of cyberattacks against Moroccan organizations.
What data was leaked by Jabaroot?
According to Jabaroot’s claims on DarkForums, the leaked data from the ANCFCC is alleged to contain:
- A folder with samples of over 10,000 property certificates in PDF format, purportedly from a database of over 10 million.
- A folder containing samples of 20,000 various documents, including deeds of sale/purchase, civil status documents, ID cards/passports, and banking documents. The actor claims the full database holds over 4 million documents and exceeds 4 TB of data.
- A folder with highly sensitive documents of senior Moroccan officials and VIPs, specifically mentioning Mohammed Yassine Mansouri, Head of Foreign Intelligence services.
Initially, Jabaroot provided links to two samples, “VIPs” and “Documents,” on a document-sharing site. These files were subsequently removed by the hosting service. Following user comments, Jabaroot shared a new link for the “VIPs” sample only. This sample contained four folders named “fouzi lekjaa,” “Mohammed Yassine Mansouri,” “nasser bourita,” and “raghib amin,” containing copies of identity documents, certificates, and property transaction records.
The actor is also active on a new Telegram channel (t[.]me/jabarootdz2), created after their original channel was deleted. As of this report, 24 documents have been shared on this channel, reiterated as a response to perceived “opportunistic propaganda” against Algeria.
Attempts by Jabaroot to share the full “ANCFCC – CERTIFICATS DE PROPRIETE.zip” and “ANCFCC_DOCUMENTS” folders via other file-sharing sites were also met with removals or incomplete downloads. We did manage to acquire an incomplete 4.8 GB zip file of the “Documents” folder, which appears to contain nearly 20,000 PDF files. Further analysis of its contents is ongoing.
What is the legitimacy of the Jabaroot leak?
The legitimacy of the full leak, as claimed by Jabaroot, has been questioned by users on DarkForums. The actor initially titled the thread “Full Database” but failed to share the complete dataset. This has led some users to suggest that Jabaroot may only have access to a limited number of documents rather than an entire database. One user also commented that the leak might not be directly from ANCFCC. Our analysis found no high-alert malicious files within the “VIPs” sample, although a VirusTotal screenshot shared by a forum user indicated a Trojan in a file from the second sample, which we could not access. The DarkForums thread itself was eventually removed from the “Databases” section by a moderator due to the broken links. Further investigation is required to fully assess these claims and the extent of the breach attributed to Jabaroot.
Context analysis: Recent cyber attacks on Morocco
The incident involving Jabaroot is not isolated. Between June 1 and June 3, 2025, our services detected 21 publications and attacks targeting Morocco by various actors, including the group Keymous+. The majority of these were DDoS attacks and initial access attempts, primarily by Keymous+, against Moroccan government entities.
These attacks occur in a complex geopolitical landscape, with Keymous+’s anti-Zionist activities coinciding with closer ties between Morocco and Israel. Simultaneously, actors like Jabaroot exploit tensions between Morocco and Algeria over the Western Sahara issue as grounds for their attacks.
The key Moroccan entities targeted during this period include:
| Victim | Type of Attack | Industries | Threat Actors | Date |
|---|---|---|---|---|
| Fédération royale Marocaine de Football | Data Leak | Sport | B4baYega | 01/06/2025 |
| Ministère de la Santé et de la Protection sociale | DDoS Attack | Government Administration | Keymous+ | 02/06/2025 |
| Agence Nationale de la Conservation Foncière, du Cadastre et de la Cartographie | Data Leak | Government And Public Sector | Jabaroot DZ | 02/06/2025 |
| Banque Al-Maghrib | DDoS Attack | Financial Services | Keymous+ | 02/06/2025 |
| Maroc Telecom | DDoS Attack | Network And Telecom | Keymous+ | 02/06/2025 |
| Ministère de l’Agriculture, de la Pêche maritime, du Développement rural et des Eaux et forêt | Initial Access | Government Administration | Keymous+ | 02/06/2025 |
| Ibn Tofail University | Initial Access | Education | Keymous+ | 02/06/2025 |
| TelQuel Média | Defacement | Media | Keymous+ | 03/06/2025 |
| Fste Université Moulay Ismaïl | Data Leak | Research | r3i | 03/06/2025 |
Threat actor profiles
What other threat intelligence titbits do you need to know? Here is a sum up of associated profiles who have been garnering attention in relation to this attack.
- Keymous+: A hacktivist group specializing in DDoS attacks, targeting pro-Ukraine and pro-Zionist countries. They are known for recruiting programming talent and exploiting vulnerabilities.
- r3i: A new actor, account created in June 2025, specializing in data leaks.
- Jabaroot: Also known as Jabaroot DZ, this actor primarily focuses on data leaks and has a history of targeting Morocco, including the CNSS in April 2025, affecting approximately 2 million individuals. Their potential origin is Algeria.
- B4baYega: A new actor, account created in May 2025, specializing in data leaks.
While direct links between Keymous+ and other actors like Jabaroot cannot be confirmed, the sharing of Jabaroot‘s attack by Ghost Algeria, also reposted by Keymous+, suggests potential coordination, albeit with differing motives.
Wrapping up
The recent activity of Jabaroot against ANCFCC underscores a persistent and politically charged cyber threat landscape targeting Morocco. The cyclical nature of these attacks, following the CNSS incident, necessitates continuous monitoring and robust defensive postures for organizations operating within this region. We will continue to track these evolving threats to provide our clients with cutting edge threat intelligence.
