15-Year-Old Detained Over France Titres Data Breach

French police (the Direction centrale de la police judiciaire, DCPJ) and the Paris Prosecutor’s Office have detained a 15‑year‑old, known by the alias "M4L", on suspicion of selling personal data stolen from France Titres (ANTS), the government agency that issues national identity cards, passports and driver’s licences. The teen was apprehended in a coordinated operation with the French National Cybersecurity Agency (ANSSI) in the Toulouse metropolitan area after the agency flagged suspicious activity on its internal systems in early February 2026.

Forensic investigators from ANSSI determined that the breach was achieved by exploiting an unauthenticated API endpoint that suffered from a critical SQL‑injection flaw. Using a custom Python script, the attacker exfiltrated a database containing over 2.3 million records, including full names, dates of birth, residential addresses and document identification numbers for French national IDs and passports. The compromised server was running an outdated version of the Apache Struts framework that had not been patched against known vulnerabilities.

The stolen data was advertised for sale on a Tor‑hidden marketplace called "DarkVault", where the seller, operating under the pseudonym "KidHex", offered a sample of 50 000 records for 3 Bitcoin. The listing claimed the dataset contained "verified French identity documents" suitable for identity fraud. Europol supported the French investigators in monitoring the marketplace, and the sales proceeds were traced to a digital wallet linked to the minor.

The incident has raised serious privacy concerns, as the exposed information could be leveraged for sophisticated phishing campaigns, account takeovers and the creation of counterfeit identity documents. ANTS has taken the affected API offline, applied the latest security patches and is working with the Commission nationale de l’informatique et des libertés (CNIL) to notify impacted citizens. The 15‑year‑old suspect faces charges of unauthorized computer access, data theft and fraud, and if convicted could be placed in juvenile detention. The case highlights the growing threat of adolescent cybercriminals targeting critical governmental infrastructure.