A 29-year-old Polish man has been charged in reference to an information breach that uncovered the private particulars of round 2.5 million clients of the favored Polish e-commerce web site Morele.web.
Poland’s Central Cybercrime Bureau (CBZC) introduced that costs had been filed on 30 January 2026, following years of investigation into the 2018 breach of Morele.web, that specialises in electronics, laptop tools and residential home equipment.
The high-profile breach of Morele.web, whose worldwide equivalents embrace the likes of Greatest Purchase, Newegg, and Amazon, despatched shockwaves by Poland’s on-line retail sector.
The investigation into the info breach had initially been cabinets after police didn’t determine a suspect, however authorities declare that the path by no means went solely chilly.
Over time investigators recognized the assault vector, reconstructed the sequence of occasions, and traced digital breadcrumbs again to the alleged hacker – demonstrating their dedication in a YouTube video.
In line with a CBZC press launch, the suspect has admitted accountability for the hack.
The cyber assault uncovered names, e-mail addresses, cellphone numbers, residence addresses, and md5crypt-hashed passwords. Though cost card particulars weren’t compromised within the breach, it was reported that some 35,000 clients did have significantly delicate info stolen, together with nationwide ID numbers, monetary particulars, training info, revenue, and marital standing.
Morele.web refused to pay a ransom, and the breached database was revealed on-line.
Sadly for the positioning’s customers who had their info breached, fraudsters weaponised the stolen knowledge instantly. Victims reported receiving SMS messages demanding cost of 1 Polish zloty to “full” their orders, accompanied by phishing hyperlinks that stole banking credentials.
In 2019, in what was one of many nation’s largest GDPR-related fines on the time, Poland’s knowledge safety authority regulator hit Morele.web to the tune of €645,000, claiming that had didn’t detect and reply to uncommon community visitors.
Morele.web contested the wonderful, arguing that its safety measures had been affordable even when they in the end proved inadequate in opposition to a decided attacker, and finally Poland’s Supreme Administrative Courtroom annulled the penalty, saying it had discovering deficiencies within the regulator’s justification and calculation of the wonderful.
Now, nevertheless, it’s the alleged hacker who might be hoping he can escape receiving a heavy punishment.
If something, this case serves as a well timed reminder to cybercriminals that they need to not assume that they’ve evaded justice simply because years have handed since their offence. Digital forensics strategies proceed to enhance, and legislation enforcement companies are more and more keen to pursue chilly instances when new leads emerge.
