Ausweitung von Cyber-Feindseligkeiten in Nordafrika [A CNSS Breach Update]
Table of contents
On April 8, 2025, a Telegram user claiming the alias “Jabaroot” posted a new message on BreachForums, reigniting concerns over state-linked hacktivism in North Africa. The actor declared responsibility for a massive breach of Morocco’s National Social Security Fund (CNSS), marking a shift from financial motivation to politically charged cyberwarfare. This breach wasn’t an isolated event.
Rather it has been the ignition point for a chain reaction of retaliation and escalating regional cyberattacks. Our latest Threat Note report covers this fallout in the region.
We’ve covered this attack from the beginning, read our initial flash report here.
Who was impacted?
The leaked CNSS data includes over 50,000 PDF files and more than a million rows across two CSV files containing detailed financial and personal data of Moroccan companies and employees. Exposed entities include the Mohammed VI Investment Fund, major banks such as Crédit du Maroc and Banque Centrale Populaire, Moroccan media outlets, and even the Israeli liaison office in Rabat.
Sensitive data tied to high-ranking individuals, like the King’s private secretary, was disclosed, increasing the reputational and political stakes of the breach.
The CNSS breach timeline: From April to today
The April 2025 CNSS breach was not just a data leak. It was a turning point in cyber tensions across North Africa. On April 8, the threat actor Jabaroot claimed responsibility for exfiltrating and leaking massive volumes of sensitive data from Morocco’s National Social Security Fund (CNSS). The leak exposed more than 50,000 PDF documents and over one million data records, including financial, payroll, and identity details tied to Moroccan companies, civil servants, and even high-level officials.
In the 10 weeks following the breach, CybelAngel observed a 312% increase in leaked data volumes attributed to Moroccan entities. This surge translated to more than 5 terabytes of stolen data published on clear and dark web platforms between April 8 and June 15, compared to 1.61 terabytes during the entire year of 2024.
Attack frequency mirrored the data surge. Prior to April, CybelAngel tracked 63 public claims of cyberattacks targeting Moroccan assets between January 2024 and early April 2025. In just two and a half months after the breach, that number jumped to 88, a 43% increase in incident volume. These attacks targeted critical infrastructure, particularly finance, government, and education sectors, with a mix of DDoS campaigns and additional data leaks.
Importantly, these actions appear devoid of financial motivation. No ransom demands or resale efforts were detected. Instead, the campaigns seem politically driven, aimed at destabilizing institutions and signaling regional grievances. This transition from opportunistic to strategic disruption marks a significant evolution in North African cyber operations.
Who is Jabaroot and why are they back?
Jabaroot first gained notoriety on April 8, 2025, when the group published a post on BreachForums claiming responsibility for the CNSS breach. Since then, they have become a recurring player in North Africa’s cyber conflict, symbolizing the convergence of hacktivism, nationalism, and regional power struggles.
Originally suspected to be of Algerian origin, further investigation reveals that Jabaroot may be a loosely affiliated collective drawing members from Western Sahara, Mauritania, Tunisia, Libya, Egypt, and Algeria. This multinational composition is supported by posts linked to multiple campaigns, including one against Morocco’s Ministry of Energy, Mines, and Environment (MIEPEEC).
Their activities go beyond data leaks. On June 2, 2025, Jabaroot claimed a second high-profile attack, this time targeting Morocco’s National Agency for Land Registry (ANCFCC). According to the actor’s post on DarkForums, this breach included over 10,000 property certificates, 20,000 civil records, and samples involving high-level officials such as Mohammed Yassine Mansouri, head of Morocco’s foreign intelligence services. The total dataset reportedly exceeds 4 million documents and 4 terabytes of data.
Jabaroot’s tactics rely on publicly staged data leaks through forums and Telegram channels. Their approach mixes high-volume data exposure with targeted symbolic messaging. Notably, the group’s rhetoric often includes nationalist and retaliatory tones, explicitly citing Moroccan media narratives as provocations for their attacks.
As the report outlines, these attacks are politically motivated rather than financially driven. There are no indications of ransom demands or resale attempts. Instead, the aim appears to be destabilization of state institutions, psychological operations, and amplification of regional grievances through public data disclosures and symbolic targets.
What we cover in the full report
Our full threat note covers the following areas of intelligence:
- A full timeline of the April 2025 breach
- Geopolitical analysis of escalating digital hostilities between North African states
- Threat actor profiling and analysis of the Jabaroot collective
- Monitoring insights on exposed financial and governmental entities
- Tactical intelligence on how threat vectors shifted post-CNSS incident
- Recommendations for proactive monitoring and defense
The report also outlines risk vectors exacerbated by third-party relationships, clear-text credential exposure, and lack of cyber hygiene.
Get in touch to access the full Threat Note
CybelAngel continues to monitor the North African threat environment closely. If your operations involve the region or intersect with affected sectors, now is the time to assess third-party exposure, monitor clear/dark web chatter, and harden your external digital footprint. To request this note as a non CybelAngel client, get in touch.
