Romania’s land registry hit by cyber attack, data allegedly for sale
Romania’s National Agency for Cadastre and Land Registration (ANCPI) suffered a major disruption on Tuesday, July 14, when its e-Terra cadastre and land registry app became unavailable to users.
What was first declared to be a “major technical incident” has now been confirmed as a cyber attack. While the circumstances are still being investigated by the competent state institutions, ANCPI stated that the data administered through its IT systems has not been compromised as a result of this incident.
Property transactions caught in the outage
“From the information we have at this time, we estimate that, most likely, the e-Terra application will not be available until the end of the current week,” the agency added in a Facebook post published on Wednesday, July 15.
“We regret the situation created and assure you that our technical teams are making every effort to restore the functioning of the systems under safe conditions for all users, as soon as possible.”
ANCPI promised to release updates as they continue the investigation, but in the meantime, the outage has stalled real estate transactions already in progress.
Adrian Vascu, Senior Partner at Romanian business advisory firm Veridio, argued in a LinkedIn post that the disruption exposes a deeper problem: digitalized systems built without backup provisions for when they fail.
“A failure can happen at any time, but it is mandatory to ensure continuity or an alternative,” he wrote. “Digitalization quickly creates dependency, but it must also ensure trust.”
Threat actor claims data theft and ransomware deployment
Dark Web Informer flagged that a threat actor who goes by “ByteToBreach” is trying to sell on a dark web forum data allegedly stolen from ANCPI.
They claim to have compromised data of Romanian citizens and various ANCPI databases, made a copy of the agency’s GitLab servers and the source code contained within, and deployed ransomware.
The threat actor provided as proof screenshots made during the intrusion.
ByteToBreach is known for selling on DarkForums data stolen from a variety of organizations around the world.
“Based on ByteToBreach posts, he uses a mix of multiple technical approaches: Exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials harvested from infostealers and phishing, and at times resorting to brute force or misconfiguration based access to gain footholds. Once inside, the focus is data exfiltration – employee records, databases, backups, and sensitive documents that are later sold or leaked publicly to prove claims,” says cyber threat intelligence company KELA Cyber.
“Several incidents included datasets that were later corroborated by affected organizations or contained verifiable technical artifacts, underscoring that many of the actor’s claims were not mere bluff.”
Given that track record, ByteToBreach’s claim may well be substantiated, but for now it remains unverified.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
