Hackers say they have pulled off a huge theft of data from the European Space Agency, claiming access to material tied to major aerospace collaborations and sensitive research. The European Space Agency has acknowledged a breach affecting external systems and hundreds of gigabytes of information, but officials have not confirmed any compromise of specific Airbus or SpaceX documents, leaving key parts of the attackers’ story unverified based on available sources.
What is clear is that the incident caps a run of security failures around the European Space Agency’s networks, raising uncomfortable questions about how a flagship space institution protects data that often flows between government agencies, contractors and international partners.
The 200 GB claim and what ESA has confirmed
The starting point for the current crisis is a boast from a hacker who said they had taken roughly 200 G of internal material from the European Space Agency, including code and project files. The European Space Agency, often referred to as ESA, later confirmed that a cyber incident had affected some of its infrastructure and that a dump of private Bitbucket repositories was involved, but it framed the exposed content as unclassified technical data rather than crown‑jewel secrets. In its initial response, the agency stressed that the affected servers were external collaboration systems and that core mission operations remained intact, even as it acknowledged that the scale of the theft was still being assessed.
According to one detailed account, the breach traces back to a post on a criminal forum by an individual using the alias 888, who advertised access to ESA resources and claimed to have siphoned off the 200 G archive. The European Space Agency’s own confirmation of a cybersecurity breach followed that forum post, with officials saying they had isolated potentially affected machines and were working to understand which projects and partners might be implicated. Separate reporting on the same episode notes that the European Space Agency (ESA) acknowledged a cyber security incident after a hacker claimed to have stolen 200 GB of data and published a dump of private Bitbucket repositories, a description that aligns with the attacker’s narrative even as the agency maintains that the files themselves were not classified, a point reflected in the way the European Space Agency has characterized the incident.
A pattern of repeated breaches and criminal probes
The 200 G theft allegation did not emerge in isolation, it landed on top of a pattern of security problems that had already put the European Space Agency under scrutiny. The European Space Agency (ESA) had recently confirmed yet another cybersecurity breach affecting external servers used in collaboration with international partners, saying that those systems held unclassified information but still warranted a full investigation and tighter controls. In that earlier case, The European Space Agency said it was working with national authorities and promised to share more as additional information becomes available, a pledge that underscored how seriously it viewed the compromise of external collaboration tools even if the data was not formally labeled secret, as reflected in the agency’s own statements.
Within weeks, the European Space Agency found itself confronting what one report described as Two weeks, two major data leaks, not a good look for the European Space Agency, language that captured the sense of mounting pressure on the agency’s leadership. Journalist Jessica Lyons reported that the European Space Agency had initiated a criminal investigation into the latest breach, with officials working alongside law enforcement to trace the intruders and verify their claims about the volume and sensitivity of the stolen material, a move that highlighted how seriously ESA now treats cyber intrusions after repeated incidents, as detailed in coverage by Jessica Lyons.
Dark‑web auctions and the Scattered Lapsus$ Hunters angle
As the European Space Agency tried to contain the fallout, the story took a darker turn with claims that the stolen data was being offered for sale on underground markets. A group calling itself Scattered Lapsus$ Hunters surfaced in reporting as having promoted or amplified the ESA data breach, suggesting that the information might be auctioned to the highest bidder rather than simply leaked for notoriety. Analysts noted that this kind of monetization, where attackers dangle access to sensitive archives in front of rival states or commercial competitors, raises the stakes for any organization whose research and industrial partnerships depend on trust, a concern that is particularly acute for an agency like ESA that sits at the intersection of government, academia and industry, as described in assessments of the Scattered Lapsus claims.
Further analysis pointed out that the European Space Agency had already been breached again in a separate incident, reinforcing the impression that attackers now see it as a repeat target rather than a one‑off score. According to one account that cited The Register, the European Space Agency’s leadership tried to emphasize that the compromised servers held unclassified information, yet outside experts warned that even unclassified technical data can be highly valuable when aggregated, especially if it includes schematics, configuration files or internal documentation that could be weaponized in future attacks, a tension captured in reporting that described how ESA breached again while still insisting the data was unclassified.
Hundreds of gigabytes, dark‑web credentials and sector‑wide risk
While the 200 G figure has grabbed headlines, other reports suggest the total volume of exposed information could be even larger when multiple incidents are taken together. One account described how ESA was hit by a cyberattack in which hundreds of GBs of data were leaked, prompting the agency to open a criminal investigation into this incident and to warn that the full scope of the compromise might not be known for some time. That same reporting noted that ESA is opening criminal investigation to look into the details of leaked data, a step that reflects both the potential scale of the breach and the sensitivity of the projects that rely on the affected systems, as highlighted in coverage that said ESA is opening a criminal investigation.
Separate analysis of the same wave of attacks noted that ESA email credentials had appeared on dark‑web marketplaces, suggesting that the attackers may have used stolen usernames and passwords as an initial foothold. ESA quickly minimized the breach, saying its impact was limited, but only a week after that statement was made, The Register revealed that the attackers had claimed to have stolen hundreds of gigabytes of data, a discrepancy that fueled criticism of the agency’s communication strategy. Commentators pointed out that space agencies are not isolated incidents in the broader cyber landscape, and that the appearance of ESA email credentials on the dark web should be a wake‑up call for any organization that still relies heavily on passwords without strong multifactor authentication, a point underscored in reporting that noted ESA quickly minimized the breach even as new details emerged.
What the ESA breaches reveal about aerospace cybersecurity
From my perspective, the most worrying aspect of the European Space Agency’s recent troubles is not any single data dump but the pattern that has emerged across multiple incidents. A year‑end review of cyber events noted that as 2025 came to an end, the last major cyber breach of the year involved ESA and a 200GB data breach, with analysts warning that the exposed material appeared to include more than a few leaked schematics and could offer insights into how ESA structures its projects and secures its infrastructure. That same review, titled Beyond the final frontier, argued that the ESA case shows how attackers are increasingly targeting the connective tissue of space programs, such as shared repositories and collaboration platforms, rather than only going after mission control systems, a theme that resonates with the way Beyond the report framed the breach.
