A dark web actor using the alias XrOOT01 has surfaced with claims of a large-scale credential dump affecting Moroccan financial institutions and government platforms. The post, made just hours ago on a dark web forum, states that thousands of credentials have been intercepted, including administrator logins and email addresses. The actor hinted that a full leak is still on the way, suggesting that what’s been shared so far is only a partial reveal.
This is XrOOT01’s first post on the forum, and they’ve also shared two Telegram links believed to be the primary drop points for the data. While it’s unclear how the credentials were obtained, the mention of admin access is alarming, particularly for the banking and public sectors in Morocco.
If verified, this breach could expose critical infrastructure to significant risks, including unauthorized access, service disruption, financial fraud, and data manipulation. It also puts affected institutions at risk of reputational damage and regulatory scrutiny.
At this stage, Moroccan banks and government agencies need to urgently review access logs, reset credentials, and activate additional security layers. Cybersecurity teams across the region should monitor for any overlap with previously leaked credentials and track the Telegram channels involved.