A 29-year-old Polish man has been charged in reference to an information breach that uncovered the private particulars of round 2.5 million clients of the favored Polish e-commerce web site Morele.web.
Poland’s Central Cybercrime Bureau (CBZC) introduced that fees have been filed on 30 January 2026, following years of investigation into the 2018 breach of Morele.web, that specialises in electronics, pc tools and residential home equipment.
The high-profile breach of Morele.web, whose worldwide equivalents embody the likes of Finest Purchase, Newegg, and Amazon, despatched shockwaves by way of Poland’s on-line retail sector.
The investigation into the information breach had initially been shelved after police didn’t establish a suspect, however authorities declare that the path by no means went solely chilly.
Over time investigators recognized the assault vector, reconstructed the sequence of occasions, and traced digital breadcrumbs again to the alleged hacker – demonstrating their dedication in a YouTube video.
In keeping with a CBZC press launch, the suspect has admitted duty for the hack.
The cyber assault uncovered names, e-mail addresses, telephone numbers, residence addresses, and md5crypt-hashed passwords. Though fee card particulars weren’t compromised within the breach, it was reported that some 35,000 clients did have notably delicate info stolen, together with nationwide ID numbers, monetary particulars, schooling info, revenue, and marital standing.
Morele.web refused to pay a ransom, and the breached database was printed on-line.
Sadly for the positioning’s customers who had their info breached, fraudsters weaponised the stolen information instantly. Victims reported receiving SMS messages demanding fee of 1 Polish zloty to “full” their orders, accompanied by phishing hyperlinks that stole banking credentials.
In 2019, in what was one of many nation’s largest GDPR-related fines on the time, Poland’s information safety authority regulator hit Morele.web to the tune of €645,000, claiming that had didn’t detect and reply to uncommon community visitors.
Morele.web contested the nice, arguing that its safety measures have been cheap even when they finally proved inadequate in opposition to a decided attacker, and ultimately Poland’s Supreme Administrative Courtroom annulled the penalty, saying it had discovering deficiencies within the regulator’s justification and calculation of the nice.
Now, nevertheless, it’s the alleged hacker who will likely be hoping he can escape receiving a heavy punishment.
If something, this case serves as a well timed reminder to cybercriminals that they need to not assume that they’ve evaded justice simply because years have handed since their offence. Digital forensics strategies proceed to enhance, and regulation enforcement businesses are more and more prepared to pursue chilly instances when new leads emerge.
