Skip to main content
LesMRE
Join
LesMRE
DirectoryGuidesNews
Our Services

Join the Directory

Register as a professional

Become a Partner

Firms, institutions and associations

Talents & Startups

Present your project to our ecosystem

AboutContact
Sign inJoin
HomeNewsInstitutions
Institutions

Alleged 340 GB Moroccan Banking Data Leak: 9 MRE Actions to Protect Yourself

·8 min read
Alleged 340 GB Moroccan Banking Data Leak: 9 MRE Actions to Protect Yourself
© LesMRE

The BlackH4t group claims 340 GB of Moroccan banking data on May 23, 2026, demanding USD 3,000 ransom. Authenticity unconfirmed but 5th major claim in 30 days (CNSS, Al Barid, SDTM, Watiqa). Here are 9 concrete actions for any MRE: balance check, SMS alerts, 2FA, anti-SIM swap, anti-phishing, Law 09-08 rights, CNDP / Bank Al-Maghrib / DGSSI contacts.

TL;DR

On May 23, 2026, a group calling itself BlackH4t published a sample on its Telegram channel claiming to hold over 340 GB of data from Moroccan banks and financial institutions. The group is demanding a USD 3,000 ransom.

The authenticity of the data is, to date, neither confirmed nor denied by the institutions mentioned or by Moroccan authorities. But this claim fits a series of cybersecurity incidents hitting the Moroccan financial and administrative sector since April 2026.

Whether or not you are affected, here are the 9 concrete actions any MRE can implement in under an hour to secure their Moroccan bank accounts.

Context: a series of incidents in 30 days

DateClaimed incidentAnnounced volume
April 2026CNSS Morocco~54,000 files, ~2M people
April 2026Al Barid Bank (alleged)Database financial logs
May 2026SDTM (Barid Al-Maghrib logistics arm)129 CSV files from SAGE ERP
May 19, 2026Watiqa.ma (alleged)695,402 civil status records
May 23, 2026BlackH4t — Moroccan banks (alleged)340 GB financial documents

Sources: Resecurity, Dark Reading, Brinztech, Telquel, CybelAngel, Telemetr.io.

Observed pattern: exploitation of third-party providers (supply chain) rather than direct intrusion into central systems. Attackers extract logs, balances, transactions, phone numbers via weak links.

Your rights under Moroccan Law 09-08

Law No. 09-08 on the protection of individuals regarding personal data processing frames your rights:

  • Article 7: right to access your data held by your bank
  • Article 8: right to rectify or delete inaccurate data
  • Article 9: right to object for legitimate reasons
  • Article 22: sanctions for unsecured processing (up to 2 years prison + MAD 300,000 fine)

Reference authority: CNDP (Commission Nationale de contrôle de la Protection des Données à caractère personnel) — cndp.ma. You can file a complaint if you notice fraudulent use of your data.

The 9 immediate actions to take tonight

Action 1: Review the last 30 days of statements

Log in to your Moroccan bank's online portal (Attijariwafa Bank, BCP, BMCE BOA, CIH, Société Générale, Crédit du Maroc, Al Barid Bank, Crédit Agricole, BMCI).

Review every transaction. Look for:

  • Small unrecognized debits (1-50 MAD)
  • Transfers to unknown beneficiaries
  • Online payments on sites you haven't visited
  • Unusual bank fees

Fraudsters often test with small amounts before larger operations.

Action 2: Enable SMS alerts on every transaction

Most Moroccan banks offer this for free or for a small fee (MAD 5-15/month). Request:

  • SMS on every debit transaction
  • SMS on each online portal login
  • SMS on beneficiary IBAN change
  • SMS on email or phone change

This is the most effective protection: real-time alerts let you act within the contestation window.

Action 3: Change your online portal password

  • Minimum 12 characters
  • Uppercase, lowercase, numbers, symbols
  • No reuse of a password used elsewhere
  • No date of birth, name, hometown

If your bank offers it, enable two-factor authentication (2FA) via app (Google Authenticator, Microsoft Authenticator) rather than SMS (less secure against SIM swap).

Action 4: Check your registered beneficiaries list

In your online portal, go to "Beneficiaries" or "Transfers". Delete any beneficiary you don't recognize or no longer use.

A fraudster with account access can add a beneficiary in their name and initiate a direct transfer.

Action 5: Watch your phone number (SIM swap risk)

The claim mentions phone numbers among recovered data. Fraudsters may attempt a SIM swap: convince your operator (IAM, Orange, Inwi) to transfer your number to a new SIM in their possession, then intercept your banking SMS.

Actions:

  • Contact your operator and request a secret PIN code for any SIM or card modification
  • Watch for any sudden signal loss without technical reason
  • If SIM swap suspected: immediately call operator and bank

Action 6: Spot personalized phishing emails and SMS

Leaked data (name, phone, bank, balances) is used to build highly credible phishing messages. Beware:

  • Emails impersonating your bank, tax authority (DGI), CNDP, Ministry of Interior
  • SMS asking to click a link to "secure your account" or "validate an operation"
  • Phone calls pretending to be your bank advisor asking for codes
  • WhatsApp messages allegedly from your bank

Absolute rule: no Moroccan bank will ever ask for your password, 2FA code, or validation code by phone, email or SMS.

Action 7: Check your European and other foreign bank accounts

If you are an MRE with accounts also in France, Belgium, Spain, Italy, Netherlands, Germany, UK, Canada, UAE, etc., check those too. Fraudsters cross-reference data to target the most permissive account.

Action 8: Preserve evidence and report if fraud occurs

If you notice fraudulent activity:

  1. Call your bank immediately (legal opposition window: 48h card, 13 months account)
  2. Keep screenshots of contested operations
  3. File a complaint at Moroccan police (if in Morocco) or via your consular portal in your country of residence
  4. File with CNDP: cndp.ma, contact@cndp.ma
  5. Report to Bank Al-Maghrib if fraud involves your bank: bkam.ma

Action 9: Enable continuous monitoring

Useful free tools:

ServiceUse
haveibeenpwned.comCheck if your email has been exposed in known leaks
Google AlertsCreate alert with your name + "Morocco" to spot public mentions
Bitwarden / 1PasswordPassword manager + alert if any of your passwords appears in a leak
Monthly manual reviewFirst of each month: 30 min review of all bank accounts

Recognizing a post-leak phishing email

Warning signWhat to do
Sender shows official name but actual address isn't in .ma or doesn't match official domainMark as spam
Email mentions your full name, phone, or exact bank balanceMaximum caution, this is exactly what leaks produce
Urgent request to click to "verify identity" or "avoid account suspension"Never click, open official site directly
Link URL on hover points to unknown or suspicious domainDon't click
Unexpected attachment (PDF, ZIP, XLSX)Don't open

Official resources and contacts

BodyContactFor
CNDPcndp.ma, contact@cndp.maComplaint in case of fraud, Law 09-08 rights
Bank Al-Maghribbkam.maReport bank fraud, check bank status
Moroccan Consulatesconsulat.maAdministrative assistance from abroad
DGSSI (Cybersecurity Directorate)dgssi.gov.maMorocco cybersecurity authority
haveibeenpwned.comhaveibeenpwned.comCheck email exposure in leaks

Frequently asked questions

Is the BlackH4t leak confirmed?

To date, no. The group published a sample and claims 340 GB, but no Moroccan institution has confirmed being affected, and the full authenticity of the data has not been verified by an independent third party. Treat the information as an elevated risk signal, not as certainty.

Should I close my Moroccan bank account as a precaution?

No, that would be disproportionate. The 9 actions above cover 99% of cases. Closing the account doesn't remove your already-leaked data and deprives you of an essential financial tool.

What is the bank's liability in case of confirmed fraud?

Per your bank's terms and Article 22 of Law 09-08, the bank must refund unauthorized fraudulent operations, provided you reported within 48h (card) or 13 months (account). Keep ALL evidence.

Is there a risk for my MRE international transfers?

Transfers from abroad (SWIFT, Wise, MoneyGram, Western Union) are not directly affected. Moroccan destination accounts remain operational. The risk is solely on the credentials and access to these accounts.

How long can leaked data be exploited?

Once published on the dark web or Telegram, it circulates for years. First exploitation (personalized phishing) occurs within 30-90 days. Stay vigilant for at least 6-12 months after any confirmed leak.

How do I know if my email appears in the leak?

Currently, no reliable way. The BlackH4t claim has not been added to haveibeenpwned.com or mainstream monitoring services. If the leak is confirmed and indexed, these services will alert you. Subscribe your email on haveibeenpwned.com for automatic alerts.

Conclusion

A massive leak claim only becomes operational reality if verified. Without official confirmation, the correct attitude is neither panic nor indifference: it's preventive digital hygiene. The 9 actions above take under an hour and protect you against this claim and all the ones that will follow.

Our previous coverage of the Watiqa.ma leak (civil status, 695,402 records) remains relevant: Watiqa.ma Data Leak: 7 Actions to Take if You Are an Affected MRE.

LesMRE follows the situation and will publish an update if the BlackH4t leak is officially confirmed by authorities or affected banks.

Sources

  • Telemetr.io — BlackH4t Telegram channel analytics
  • Resecurity — Cybercriminals Attacked National Social Security Fund of Morocco
  • Dark Reading — Morocco Investigates Social Security Agency Data Leak
  • Brinztech — Alleged comprehensive operational and financial leak SDTM-Groupe Barid Al-Maghrib
  • Telquel — What we know about the alleged Al Barid Bank leak
  • CybelAngel — Investigation of the CNSS Data Leak
  • Law No. 09-08 on personal data protection, Moroccan Official Bulletin No. 5714, 2009
  • CNDP (cndp.ma), Bank Al-Maghrib (bkam.ma), DGSSI (dgssi.gov.ma)

Share this article

Related articles

Hantavirus 2026: What MRE Should Know Before Marhaba

Hantavirus 2026: What MRE Should Know Before Marhaba

Hantavirus 2026 and Operation Marhaba: zero confirmed cases in Morocco, reinforced surveillance. The 5 essential prevention actions for MRE opening a family home closed for months, the health kit to pack, and what to do if symptoms appear.

Watiqa.ma Data Leak: 7 Actions to Take if You Are an Affected MRE

Watiqa.ma Data Leak: 7 Actions to Take if You Are an Affected MRE

A leak of 695,402 records related to the Watiqa.ma platform has circulated since May 19, 2026. If you are an MRE who used this service for civil status documents, here are the 7 immediate actions to take to protect yourself.

Daam Sakane 2026: MRE Eligible for Morocco's Direct Housing Aid of MAD 70,000 to 100,000

Daam Sakane 2026: MRE Eligible for Morocco's Direct Housing Aid of MAD 70,000 to 100,000

The Daam Sakane programme pays direct aid of MAD 70,000 to 100,000 to buy a primary residence in Morocco. First-time MRE buyers are eligible under conditions tailored to the diaspora. Here is the full procedure and pitfalls to avoid.

Related practical guides

Accommodation Certificate and Invitation Letter for Schengen Visa: Complete MRE Guide8 min2026 legislative elections in Morocco: voting rights and eligibility for Moroccans abroad9 minLeaving France for Morocco: cancelling contracts, recovering your deposit and closing accounts12 min

Are you an MRE?

Join the platform and access 131 verified professionals in Morocco. Free.

Create my free account

Have a project in Morocco?

Find a LesMRE-verified expert to guide you through your steps.

Find an expert →