On May 3, 2026, an actor named Cyballz claimed a complete infrastructure breach of the Afghanistan Ministry of Finance on a dark web forum, involving 1.4TB (1447.6GB) of data. The file named Shamshad.tar was already being downloaded when this post surfaced. This is the largest Afghan government data breach claim to date.
Some incidents force the cybersecurity community to pause for a second. On May 3, 2026, at exactly 3:37 am, an actor named “Cyballz” published a post on a dark web hacking forum titled “AFGHANISTAN MINISTRY OF FINANCE COMPLETE INFRASTRUCTURE BREACH” and listed 1.4 TB+, i.e. 1447.6 gigabytes, of data.
This was not a ransom threat, nor was it an extortion demand. This was a direct data dump that was already being downloaded live when researchers discovered it. The forum post showed a file named shamshad.tar whose download progress had reached 32.8 gigabytes, and the counter had not stopped.

The actor's forum badge clearly read “Breached”, and the profile recorded only one thread and one post, suggesting that this was not the work of an established cybercrime group but a targeted single operation.
The Afghanistan Ministry of Finance is the institution responsible for the country's entire budget management, tax collection, customs revenue, and routing of international financial aid. Since the Taliban took power in 2021, this ministry has been under the close scrutiny of the international community, as smuggling routes, the drug economy, and undeclared foreign transactions are traced from here.
A genuine breach of the ministry's systems could include not just financial data but also internal communications, employee records, vendor contracts, international financial reporting, and potentially foreign government correspondence.
A group called TalibLeaks stole and published 50GB of data from 21 Afghan ministries in 2025, but that operation represented only 3.5 percent of the scale of the claimed breach. 1.4TB is a different level and, if verified, it would be the largest breach in Afghan government cybersecurity history.
Shamshad Explained: What Does 1.4TB of Leaked Data Contain?
Shamshad is a major media and broadcasting company in Afghanistan, but in this context the file name shamshad.tar is the name of an archive potentially containing compressed ministry server backups, database dumps and file system data.
The TAR format is a Unix standard archiving format often used by attackers to export a complete server filesystem or large database into a single transferable file. 1.4TB could mean roughly 700 million pages of text documents, or 14 million typical PDF files, or complete database exports containing financial transactions, employee payroll records, and the ministry's internal operational data.

This breach claim occurred today, May 3, 2026, and has yet to be independently verified. There has been no official statement from the Afghan government, and no major cybersecurity research firm has yet publicly analyzed this specific post. However, the pattern is concerning, as the actor's “Breached” badge remains established on the forum and the download counter was live when the screenshot was taken.


Both state-sponsored actors and financially motivated groups have historically targeted Afghanistan’s government infrastructure, given the absence of mature cybersecurity controls. According to the CSIS Significant Cyber Incidents database, multiple nation-state actors have targeted Afghan government networks for ongoing intelligence collection during the Taliban era, and the timing and claimed scale of this breach fit that broader pattern.
Organizations and researchers who monitor Afghanistan's financial flows should closely monitor this development. If this data is genuinely exfiltrated, potential consequences could include exposing vendor relationships, revealing international aid flow details, surfacing hawala network transaction records, and publicly displaying the Taliban government's internal financial operations.
This is not just a hacking incident; it is potentially an intelligence operation with real-world geopolitical consequences. Security researchers should verify this data and follow responsible disclosure principles, while governments should establish cyber resilience communication with Afghan financial institutions.