APT73 Claims Ransomware Attack on Armenia’s Electoral Systems
On June 2, 2026, the ransomware group APT73 (also known as Bashe) listed elections.mia.gov.am the elections subdomain of Armenia’s Ministry of Internal Affairs as a victim on its leak site. The breach reportedly exposed critical electoral infrastructure, including voter registration databases, polling place management systems, and electoral administration records, raising concerns over potential intelligence exploitation.
Armenia’s Ministry of Internal Affairs oversees the country’s voter registration and electoral processes, making the compromised data highly sensitive. Given Armenia’s geopolitical position amid tensions involving Russia, Turkey, and Western-aligned states, the breach holds strategic value for state actors monitoring regional dynamics.
APT73, which emerged in April 2024 under the Bashe alias, operates as a ransomware-as-a-service (RaaS) group but self-identifies as an Advanced Persistent Threat (APT) a term typically reserved for state-sponsored espionage. Intelligence suggests the group may have absorbed former LockBit affiliates or infrastructure following law enforcement disruptions targeting LockBit.
The attack follows APT73’s May 22 victim listing of Turkey’s National Land Registry (tkgm.gov.tr), indicating a regional targeting pattern in the Caucasus and surrounding areas. Notably, the group’s attack velocity had declined by 86% in the month leading up to the Armenia breach, suggesting a deliberate, high-value selection rather than opportunistic targeting.
As of the latest reports, no data has been publicly released, but the group’s double-extortion model leaves open the possibility of future leaks if ransom demands are unmet. The incident underscores the intersection of financially motivated cybercrime and state-level intelligence interests, particularly when electoral systems containing verified population data are involved. The exact motivations behind the attack remain unclear.
Ministry of Internal Affairs of Armenia TPRM report: https://www.rankiteo.com/company/ministry-of-economy-of-the-republic-of-armenia
"id": "min1780490373",
"linkid": "ministry-of-economy-of-the-republic-of-armenia",
"type": "Ransomware",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Voters and electoral '
'stakeholders',
'industry': 'Public Administration',
'location': 'Armenia',
'name': 'Ministry of Internal Affairs of Armenia',
'type': 'Government'}],
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Voter registration databases',
'Polling place management '
'systems',
'Electoral administration '
'records']},
'date_detected': '2026-06-02',
'date_publicly_disclosed': '2026-06-02',
'description': 'On June 2, 2026, the ransomware group APT73 (also known as '
'Bashe) listed elections.mia.gov.am, the elections subdomain '
'of Armenia’s Ministry of Internal Affairs, as a victim on its '
'leak site. The breach reportedly exposed critical electoral '
'infrastructure, including voter registration databases, '
'polling place management systems, and electoral '
'administration records, raising concerns over potential '
'intelligence exploitation.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Voter registration databases, polling place '
'management systems, electoral administration '
'records',
'identity_theft_risk': 'High',
'operational_impact': 'Potential disruption to electoral processes',
'systems_affected': 'Electoral infrastructure '
'(elections.mia.gov.am)'},
'investigation_status': 'Ongoing',
'motivation': ['Financial gain',
'Potential state-level intelligence interests'],
'ransomware': {'data_exfiltration': 'Possible (double-extortion model)'},
'references': [{'date_accessed': '2026-06-02', 'source': 'APT73 leak site'}],
'threat_actor': 'APT73 (Bashe)',
'title': 'APT73 Claims Ransomware Attack on Armenia’s Electoral Systems',
'type': 'Ransomware'}