Max Messenger Suffers Major Data Breach: Hacker Claims Full Infrastructure Compromise
A hacker operating under the alias CamelliaBtw has claimed responsibility for a severe data breach of Max Messenger, a state-backed Russian messaging platform. The post, published on the DarkForums cybercrime marketplace, alleges a complete compromise of the app's production systems, user data and backend infrastructure, and appeared exactly one year after the app's public launch on March 26, 2025.
About Max Messenger
Developed by VK’s subsidiary Communication Platform LLC, Max Messenger was introduced as a "national" alternative to platforms like WhatsApp and Telegram, integrating messaging, voice/video calls, file sharing, and government-linked digital identity services. Pre-installed on devices in Russia and Belarus under government policy, the app has amassed millions of users. Critics have long raised concerns over its privacy implications, given its deep ties to Russia’s digital infrastructure.
Breach Details
According to the hacker's post, the attack exploited an unpatched remote code execution (RCE) vulnerability in Max's media processing engine, said to have been present since the app's 2025 beta phase. The flaw, allegedly triggered by malformed sticker pack metadata, is claimed to have given persistent access to the platform's backend. None of these technical claims has been independently verified. The stolen data, which the post puts at 142 GB compressed, is said to include:
- 15.4 million user records (full names, usernames, verified phone numbers)
- Active authentication tokens (a valid session token grants account access without passing 2FA, because 2FA is checked at login and not on every request)
- bcrypt-hashed passwords
- Complete message metadata (timestamps, sender/receiver IDs)
- Internal assets (SSH keys, API docs, S3 bucket configs)
- Unencrypted media files
- Backend source code, including what the post describes as hardcoded backdoors in the encryption module
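The "active authentication tokens" item is the one a defender must act on first, whether or not the rest of the claim holds up: a stolen session token is already past the 2FA check, so the only remedy is server-side invalidation that forces a fresh login. The following is an added example, not Max Messenger code, showing a minimal HMAC-signed token scheme with a per-user and a platform-wide "session epoch"; bumping an epoch kills every previously issued token at once. The signing key, user store and token layout are hypothetical and constructed for this illustration.

```python
"""Added example (not Max Messenger code): HMAC-signed session tokens with
revocable epochs. Demonstrates (1) why a leaked live token bypasses 2FA and
(2) how an operator invalidates all tokens in one step during a breach response.
All keys, users and token fields below are hypothetical."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server-side signing key. In production this belongs in a
# KMS/HSM, never in source control (the claim lists SSH keys and S3 configs
# among the leaked "internal assets").
SIGNING_KEY = b"example-only-server-key"

# Hypothetical user store: each user carries a session epoch. Incrementing it
# invalidates every token issued under the old epoch without a token database.
USERS = {"alice": {"session_epoch": 1, "twofa_enrolled": True}}
GLOBAL_EPOCH = {"value": 1}  # platform-wide epoch for a mass revocation


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, now: int, ttl: int = 30 * 24 * 3600) -> str:
    """Issued after password + 2FA succeed. The token carries no proof of 2FA:
    whoever holds it is treated as authenticated until it expires or is revoked."""
    payload = {
        "sub": user,
        "iat": now,
        "exp": now + ttl,
        "uepoch": USERS[user]["session_epoch"],
        "gepoch": GLOBAL_EPOCH["value"],
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the payload if valid, else None. Valid means: signature checks,
    not expired, and both epochs still match the server's current values."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    user = USERS.get(payload.get("sub"))
    if user is None or now >= payload["exp"]:
        return None
    if payload["uepoch"] != user["session_epoch"]:
        return None
    if payload["gepoch"] != GLOBAL_EPOCH["value"]:
        return None
    return payload


def revoke_user_sessions(user: str) -> None:
    """Targeted response, e.g. for an account named as a high-value target."""
    USERS[user]["session_epoch"] += 1


def revoke_all_sessions() -> None:
    """Platform-wide response to a claimed dump of active tokens."""
    GLOBAL_EPOCH["value"] += 1


def demo() -> dict:
    """Issue a token, replay it as the attacker, revoke, and show the outcome."""
    t0 = 1_700_000_000  # constructed timestamp
    stolen = issue_token("alice", now=t0)
    results = {}
    # A day later the replayed token is still fully authenticated: 2FA was
    # checked once at login and is never re-checked per request.
    results["replay_before_revoke"] = verify_token(stolen, now=t0 + 86400) is not None
    revoke_all_sessions()
    results["replay_after_revoke"] = verify_token(stolen, now=t0 + 86400) is not None
    # The legitimate user re-authenticates (with 2FA) and gets a token that works.
    fresh = issue_token("alice", now=t0 + 86400)
    results["fresh_after_revoke"] = verify_token(fresh, now=t0 + 86400) is not None
    # Editing the payload (e.g. a far-future exp) without the key breaks the signature.
    _, sig = fresh.split(".", 1)
    forged_body = _b64(json.dumps({"sub": "alice", "iat": t0, "exp": t0 + 10**9,
                                   "uepoch": 1, "gepoch": 2}).encode())
    results["forged_payload"] = verify_token(forged_body + "." + sig, now=t0 + 86400) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The epoch check is the design point: a stateless signed token with a 30-day lifetime cannot be recalled, so any scheme that issues such tokens needs a server-side value the verifier consults on every request. Keying that value per user and per platform gives both a targeted and a mass kill switch, and a mass revocation is the standard first step when a dump of live tokens is claimed, even before the claim is verified.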
Extortion Threat
CamelliaBtw claims to have privately notified Max Messenger's developers but received no response. The hacker has issued a 24-hour ultimatum, demanding a financial settlement labeled a "bug bounty"; failure to comply would, according to the post, result in the release of 5 GB of raw SQL data across public torrent trackers. The post singles out verified accounts belonging to politicians and corporate executives as potential targets.
Current Status
As of publication, Max Messenger has neither confirmed nor denied the breach, and no sample data has been publicly verified. Cybersecurity experts note that the technical specificity of the claims lends them some plausibility, but specificity is not proof: until a sample is matched against genuine records, or the operator confirms the intrusion, the incident remains unconfirmed. If validated, it would rank among the most severe messaging platform breaches in recent years, with significant implications for user privacy and for trust in messaging platforms tied to government identity services.
Source: https://hackread.com/hacker-russia-max-messenger-breach-data-leak/
VK TPRM report: https://www.rankiteo.com/company/vkcom
"id": "vkc1768408393",
"linkid": "vkcom",
"type": "Breach",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Approximately 15.4 million users',
                        'industry': 'Technology/Communications',
                        'location': 'Russia',
                        'name': 'Max Messenger',
                        'size': 'Millions of registered users',
                        'type': 'Messaging Platform'}],
 'attack_vector': 'Remote Code Execution (RCE) via malformed sticker pack metadata',
 'data_breach': {'data_encryption': 'Partial (hashed passwords, but unencrypted media files and metadata)',
                 'data_exfiltration': 'Yes (142 GB of compressed data)',
                 'file_types_exposed': ['SQL database files',
                                        'Media files',
                                        'Source code',
                                        'Configuration files'],
                 'number_of_records_exposed': '15.4 million user records',
                 'personally_identifiable_information': 'Full names, usernames, verified phone numbers, authentication tokens',
                 'sensitivity_of_data': 'High (includes personally identifiable information, authentication tokens, and government-related communications)',
                 'type_of_data_compromised': ['User records (full names, usernames, verified phone numbers)',
                                              'Authentication tokens',
                                              'Bcrypt hashed passwords',
                                              'Communication metadata',
                                              'Internal infrastructure assets (SSH keys, API documentation, S3 bucket configurations)',
                                              'Unencrypted media files',
                                              'Backend source code']},
 'date_publicly_disclosed': '2026-03-26',
 'description': 'A hacker using the alias CamelliaBtw claimed responsibility for a major data breach involving Max Messenger, alleging complete access to the messaging platform’s production systems, user data, backend infrastructure, and proprietary source code. The breach includes approximately 15.4 million user records, authentication tokens, hashed passwords, communication metadata, internal infrastructure assets, and backend source code. The attacker threatens to release the data publicly if a financial settlement is not negotiated.',
 'impact': {'brand_reputation_impact': 'Severe, given the platform’s integration with government services and digital identity features',
            'data_compromised': '142 GB of compressed data, including user records, authentication tokens, hashed passwords, communication metadata, internal infrastructure assets, and backend source code',
            'identity_theft_risk': 'High, due to exposure of full names, phone numbers, and authentication tokens',
            'legal_liabilities': 'Potential regulatory violations and legal actions due to exposure of user data and government-related communications',
            'operational_impact': 'Potential compromise of user accounts, loss of trust in platform security, and exposure of sensitive communication metadata',
            'systems_affected': 'Max Messenger’s production systems, backend infrastructure, and cloud storage'},
 'initial_access_broker': {'backdoors_established': 'Claimed hardcoded backdoors in encryption module',
                           'entry_point': 'Remote Code Execution via malformed sticker pack metadata',
                           'high_value_targets': 'Politicians and corporate executives'},
 'investigation_status': 'Unconfirmed (no public statement from Max Messenger)',
 'motivation': "Extortion (financial settlement described as a 'bug bounty')",
 'post_incident_analysis': {'root_causes': 'Unpatched RCE vulnerability in media processing engine, existing since beta phase'},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': "Financial settlement described as a 'bug bounty'"},
 'references': [{'date_accessed': '2026-03-26', 'source': 'DarkForums (cybercrime marketplace)'},
                {'date_accessed': '2026-03-26', 'source': 'Hackread.com'}],
 'threat_actor': 'CamelliaBtw',
 'title': 'Max Messenger Data Breach by CamelliaBtw',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Previously unknown RCE vulnerability in Max Messenger’s media processing engine, existing since the beta phase in early 2025'}