France's ID Agency Breach: 11.7M Citizens' Identity Records Now for Sale

France Titres (ANTS) was established to digitise France's administrative document ecosystem and currently processes approximately 20 million identity document requests per year. Every French national's interaction with ants.gouv.fr — whether applying for a passport, renewing a driver's licence, requesting a vehicle registration card, or checking an application status — creates or updates an account record on the agency's backend systems. Professional accounts used by agents who process applications on behalf of businesses are also held in the same infrastructure, meaning the breach has both consumer and enterprise dimensions.

What distinguishes this dataset from a typical commercial breach is the authentication source. ANTS accounts are linked to government-verified identity: birthdates are validated against civil registry records, addresses are verified through the document issuance process, and names are taken directly from official identity documents. Unlike consumer breach data — where records may be incomplete, synthesised from multiple sources, or inaccurate — an ANTS account record carries implicit government validation. Fraud operators pay significant premiums for data with this provenance because it can be used directly to pass identity verification checks at financial institutions, mobile carriers, and government portals without additional enrichment.

This premium-value characteristic distinguishes the ANTS breach from even large-scale commercial incidents. The [Infutor/Verisk breach exposing 676 million US SSN records](/blog/infutor-verisk-676-million-ssn-dark-web-breach) commanded significant dark web prices specifically because of its government-adjacent data quality — the ANTS dataset, carrying official French Ministry of the Interior validation, occupies an even higher tier.

The dataset posted for sale on April 16 by EvilDump, crediting ExtaseHunters and breach3d, includes eight data categories per record per the sample published with the listing: login IDs, full legal names, email addresses, dates of birth, places of birth, residential postal addresses, telephone numbers, and civil status data including gender and marital status. The presence of sequential internal database IDs in the exposed sample is the key forensic signal distinguishing this from a web-scraping incident.

Sequential database IDs are almost never exposed through surface-level portal scraping, which returns only UI-presented data and typically lacks internal primary keys. Their presence strongly implies the attacker obtained a direct database dump, accessed a backend API returning raw database objects, or exploited a vulnerability exposing internal record structures. ANTS has not disclosed the attack vector; the investigation remains active under ANSSI and OFAC.

The claimed dataset size — 18 to 19 million records against 11.7 million confirmed active accounts — suggests the extracted database contains historical entries, inactive accounts, or duplicate records from users who created profiles across multiple document application workflows. The distinction matters for scope assessment but not for risk: any record with valid name, date of birth, and address is immediately actionable for fraud operators regardless of whether the underlying portal account is still active. ANTS confirmed that the dataset also includes professional account data — agents who process document applications on behalf of clients — adding an enterprise intelligence dimension beyond consumer identity theft.

ANTS confirmed the breach occurred prior to April 15 — when the agency detected the incident — but has not disclosed the specific attack vector, and the technical investigation under ANSSI remains active. The forensic signals available from the threat actor's public sample point toward a specific attack class. Three scenarios are consistent with the sequential-ID evidence: a compromised administrative or API credential providing direct database access; a SQL injection or insecure direct object reference (IDOR) vulnerability in the ants.gouv.fr backend enabling unauthorised data enumeration; or a compromise of a third-party integration partner with backend database access.

The inclusion of professional account data alongside citizen records strengthens the third-party vector hypothesis — a system-to-system integration used by professional document agents would require backend database access, creating a potential supply-chain entry point that bypasses public-facing portal security controls. No ransomware group has claimed responsibility, no encryption event has been reported, and no demands have been publicised — indicating this is a pure exfiltration-and-sell operation. OFAC, France's dedicated cybercrime police unit within the National Gendarmerie, is leading the criminal attribution investigation alongside ANSSI.

ANTS published an update on April 24 confirming 11.7 million accounts were impacted — nine days after detection. The agency began direct notification of affected account holders on April 22. The seven-day gap between detection and public acknowledgement drew scrutiny under GDPR Article 34, which requires communication to data subjects without undue delay when a breach is likely to result in high risk to their rights and freedoms. CNIL has been formally notified under Article 33 and can open a formal enforcement inquiry.

At 11.7 million confirmed records, the ANTS breach is larger than every major French data breach on public record — surpassing the 33 million French health insurance record breach disclosed in 2024. If EvilDump's 19 million figure is validated, it would represent France's single largest data breach and one of the ten largest government identity breaches globally. The Ministry of the Interior has filed a criminal referral with the Paris Public Prosecutor under Article 40 of the Code of Criminal Procedure, and ANSSI is coordinating across all response workstreams.

The dark web sale listing was posted by a threat actor operating as EvilDump, explicitly crediting ExtaseHunters and breach3d as collaborators in the breach operation. This three-actor structure — a primary poster crediting technical collaborators — is characteristic of organised criminal groups operating on dedicated leak forums rather than ransomware gangs or state-sponsored APTs. breach3d has been observed in prior data sales on BreachForums and its successor forums; ExtaseHunters is a newer alias with limited prior attribution in public threat intelligence reporting.

No nation-state indicators — command-and-control infrastructure reuse, tradecraft signatures, or victimology patterns consistent with intelligence collection — have been identified in the ANTS breach. The motivation appears straightforwardly financial: government ID data sells at a premium to fraud networks, SIM-swap operators, and identity verification bypass services. Historical dark web sales of comparable government identity datasets have achieved prices in the range of $50,000 to $500,000 depending on uniqueness and volume, though EvilDump's listing has not publicly disclosed an asking price.

The breach is the latest in a series of high-profile French data exposures following the 2024 health insurance breach and the 2025 Education Ministry incident — raising questions about centralised identity infrastructure security standards across French government digital services and whether ANSSI's National Cybersecurity Strategy has adequately addressed government portal backend security.

France Titres has not published technical IOCs from the intrusion, and the ANSSI investigation is ongoing. However, the following observables and fraud vectors should be operationalised immediately by defenders and security teams supporting French-language organisations.

Phishing impersonation of ANTS and France Titres will emerge using stolen personalised data — defenders should update email gateway rules to flag messages referencing ants.gouv.fr, France Titres, the Ministry of the Interior, and document renewal processes. SIM-swap risk is elevated for affected French nationals — alert telecom security teams to increase verification friction on SIM-related requests from customers in the exposed population. FranceConnect — France's government SSO platform used across tax, healthcare, and benefits portals — uses identity verification aligned with the stolen data fields and should be treated as a high-risk downstream target.

The exposed email addresses also enable credential-stuffing enrichment: while passwords were not stolen, attackers knowing a victim's email, full name, and date of birth can use this combination to pass account recovery flows on many consumer platforms. Prior dark web data sales — including the [ShinyHunters McGraw Hill breach affecting 45 million accounts](/blog/shinyhunters-mcgraw-hill-salesforce-breach-45-million) — demonstrated that government-adjacent identity data remains actively monetised for 12 to 18 months after initial listing. The ANTS dataset should be treated as operationally live throughout 2026 and into 2027.

ANTS has confirmed that portal account passwords were not included in the stolen data and that the exposed records do not provide direct portal access. However, the combination of government-verified personal data now in criminal hands creates immediate and durable downstream risk requiring active defensive steps.

For enterprise defenders, treat any employee population with French nationality or ants.gouv.fr accounts as a high-risk phishing target. Update email filtering to flag ANTS and France Titres impersonation patterns. Include the breach in employee security awareness communications. Flag French-national employees for priority MFA enrollment if not already enrolled. Review FranceConnect integrations for identity verification bypass scenarios — a motivated attacker with full name, DOB, and address can attempt account registration or recovery on FranceConnect-integrated portals. The [ShinyHunters Amtrak breach affecting 9 million customer records](/blog/amtrak-shinyhunters-salesforce-breach-9-million-records) demonstrated that large-scale government-adjacent breach data creates sustained fraud campaigns lasting months; the ANTS dataset should be treated as live threat fuel throughout 2026.

The France Titres ANTS data breach is not a consumer website spill — it is a confirmed exfiltration of 11.7 million government-validated identity records that EvilDump, ExtaseHunters, and breach3d are actively selling on criminal forums. This dataset carries government authenticity that makes it premium fraud fuel: the records are accurate, complete, and they won't degrade. French nationals should immediately reset ants.gouv.fr credentials, alert banks and mobile carriers, and monitor FranceConnect for unrecognised activity. Security teams must deploy ANTS impersonation email filters, flag French-national employees as elevated phishing targets, and audit FranceConnect integrations for identity bypass scenarios. Monitor ANSSI and CNIL advisories as the OFAC criminal attribution investigation advances.