Telefónica Hellcat infostealer-to-Jira breach (Spain, 2025)
Infostealer malware on the endpoints of 15+ Telefónica employees gave the Hellcat ransomware group credentials for the company's internal Jira ticketing system. Social engineering then escalated that access to SSH. The group did not extort — it simply published 2.3 GB, including 24,000 employee emails, 470,000 internal Jira tickets, and 5,000 internal documents.
- Victim: Telefónica
- Records: 500.0K
In January 2025, the Spanish telecommunications giant Telefónica disclosed that the Hellcat ransomware group had breached its internal Jira ticketing system using credentials originally captured by infostealer malware running on the endpoints of more than 15 employees. Unusually for a 2025 incident, Hellcat did not attempt extortion — they simply published 2.3 GB of stolen data on a hacking forum.
What happened
Infostealer malware — the Lumma/Redline/Vidar lineage that has become the dominant credential-harvesting tooling across the underground — had been quietly operating on more than 15 Telefónica employee endpoints. The compromised credentials included logins for Telefónica's internal Jira ticketing system, the kind of system that holds operational tickets, customer support exchanges, and unredacted internal data.
On 8–9 January 2025, Hellcat actors authenticated to the internal Jira using the harvested credentials. They identified two Jira administrators and, in a textbook social-engineering escalation, tricked the admins into revealing the correct server for SSH access. From there they brute-forced SSH credentials and got a shell.
On 10 January, Hellcat published the haul on a hacking forum — not on a ransomware leak site, and without any prior extortion attempt. The data set comprised:
- Approximately 24,000 Telefónica employee names and email addresses.
- Approximately 470,000 internal Jira tickets.
- Approximately 5,000 internal documents in formats including CSV, PPTX, XLSX, DOCX, PDF, and MSG.
- An additional pool of customer-related ticket information running to hundreds of thousands of lines.
The "humiliation publishing" tactic — publishing rather than extorting — was a deliberate signature of Hellcat's early operations and has been replicated by other emerging crews since.
Impact
- ~24,000 employee emails exposed.
- ~470,000 internal Jira tickets exposed.
- ~5,000 internal documents exposed.
- ~236,493 lines of customer information surfaced in the dump.
- No extortion attempt — data was simply published.
Why it matters
Telefónica is the canonical European case for infostealer-to-internal-ticketing-system breaches. The chain — infostealer on personal endpoints → corporate Jira credentials → social-engineering of admins → SSH escalation → public dump — has become a template for how attackers monetise harvested credentials when targets are too large to easily extort. The choice to publish without ransom also previewed a "humiliation publishing" tactic now seen across multiple new ransomware brands.
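The middle of the chain above (a harvested credential used against Jira, followed by an SSH brute force from the same source) leaves a detectable footprint. The following is an added example, not code from the page or from Telefónica: it correlates a Jira login from a source outside the user's baseline with a burst of SSH failures from that source within a short window. The event tuples, baseline and names are constructed assumptions, not the Atlassian or OpenSSH log formats.

```python
# Correlate a successful Jira login from an unfamiliar source with a burst of
# SSH failures from the same source shortly afterwards (the Jira -> SSH step).
from datetime import datetime, timedelta

# Constructed sample events (not real Telefónica logs). Each tuple is
# (ISO timestamp, user, source IP, outcome); the shape is an assumption.
JIRA_LOGINS = [
    ("2025-01-08T09:02:11", "user.a", "203.0.113.7", "success"),    # unfamiliar source
    ("2025-01-08T09:30:44", "user.b", "198.51.100.20", "success"),  # usual office egress
]
SSH_ATTEMPTS = [
    ("2025-01-08T09:05:01", "root", "203.0.113.7", "failed"),
    ("2025-01-08T09:05:02", "admin", "203.0.113.7", "failed"),
    ("2025-01-08T09:05:03", "jira", "203.0.113.7", "failed"),
    ("2025-01-08T09:05:04", "jira", "203.0.113.7", "failed"),
    ("2025-01-08T09:05:05", "jira", "203.0.113.7", "failed"),
    ("2025-01-08T09:05:09", "jira", "203.0.113.7", "success"),
    ("2025-01-08T09:31:00", "user.b", "198.51.100.20", "failed"),
]
# Baseline of source addresses each user normally logs in from (constructed).
KNOWN_SOURCES = {"user.a": {"198.51.100.20"}, "user.b": {"198.51.100.20"}}


def correlate(jira, ssh, known, window_min=30, threshold=5):
    """Return one alert per suspicious Jira login.

    A login is suspicious when its source is not in the user's baseline AND
    the same source produces at least `threshold` SSH failures within
    `window_min` minutes after it. The alert also records whether an SSH
    success followed, i.e. whether the brute force appears to have worked.
    """
    alerts = []
    window = timedelta(minutes=window_min)
    for ts, user, src, outcome in jira:
        if outcome != "success" or src in known.get(user, set()):
            continue
        t0 = datetime.fromisoformat(ts)
        later = [e for e in ssh
                 if e[2] == src and t0 <= datetime.fromisoformat(e[0]) <= t0 + window]
        failures = sum(1 for e in later if e[3] == "failed")
        if failures >= threshold:
            alerts.append({"user": user, "source": src, "jira_login": ts,
                           "ssh_failures": failures,
                           "ssh_success": any(e[3] == "success" for e in later)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(JIRA_LOGINS, SSH_ATTEMPTS, KNOWN_SOURCES):
        print(alert)
```

In production the baseline would come from historical authentication data and the SSH events from the hosts' auth logs; the `ssh_success` flag is what separates a noisy scan from an actual escalation.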
Timeline
Infostealer malware (Lumma, Redline, Vidar family) infects the endpoints of 15+ Telefónica employees, capturing credentials including those for the internal Jira ticketing system.
Hellcat actors authenticate to Telefónica's internal Jira using harvested credentials and begin enumeration.
Attackers identify two Jira administrators, social-engineer them into revealing the correct server for SSH access, then brute-force SSH credentials to escalate.
Hellcat publishes 2.3 GB of stolen Telefónica data on a hacking forum without extortion attempt: ~24,000 employee names and emails, ~470,000 internal Jira tickets, ~5,000 internal documents.
Telefónica confirms the breach, attributes it to the Hellcat group, and confirms the Jira ticketing system as the compromised internal asset.
Sources
- hackread.com: https://hackread.com/hackers-breach-telefonica-network-leak-data-online/
- dailysecurityreview.com: https://dailysecurityreview.com/security-spotlight/telefonica-breach-exposes-20000-employees-data-and-jira-details-hellcat-ransomwares-infostealer-malware-at-play/
- securityweek.com: https://www.securityweek.com/infostealer-infections-lead-to-telefonica-internal-ticketing-system-breach/
- darkreading.com: https://www.darkreading.com/cyberattacks-data-breaches/telefonica-breach-exposes-jira-tickets-customer-data
- infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/hellcat-ransomware-humiliation/