Threat Research

For sale, identity documents stolen from Italian hotels

Italy-Cert-agid
For sale, identity documents stolen from Italian hotels

Illegal activity involving the sale of stolen identity documents from Italian hotels has been detected, with tens of thousands of high-resolution scans of passports and ID cards compromised. These documents were taken via unauthorized access to three hotel facilities between June and July 2025 and are used for sophisticated fraud schemes. #mydocs #ItalianHotels #IdentityTheft

Keypoints

  • A malicious actor named “mydocs” sold tens of thousands of stolen identity documents on an underground forum.
  • The documents were stolen from three Italian hotels through unauthorized access between June and July 2025.
  • Stolen identity documents enable criminals to create fake IDs, open fraudulent bank accounts or credit lines, and conduct social engineering attacks.
  • There has been a notable increase in illegal sales of identity documents since May 2025, highlighting the urgency of better protection measures.
  • Organizations managing identity data need strict security measures to prevent unauthorized access and secure their digital systems.
  • Citizens should regularly monitor their personal data for unauthorized use and avoid sharing identity documents over insecure channels.
  • Suspected identity theft should be promptly reported to the appropriate authorities for action.

MITRE Techniques

  • [T1078] Valid Accounts – Unauthorized access to hotel systems was used to steal identity document scans (“…unauthorized access…”).
  • [T1086] PowerShell – Although not explicitly mentioned, unauthorized system access often involves scripting or automation tools typical in such breaches.
  • [T1566] Phishing – Identified as a common method to acquire identity documents besides direct system compromise (“…most commonly through phishing activities…”).

Indicators of Compromise

  • [File Types] Stolen documents – high-resolution scans of passports, ID cards, and other identity documents.
  • [Threat Actor] mydocs – alias used by the malicious actor selling stolen identity documents on underground forums.
  • [Affected Organizations] Italian hotels – three hotel structures compromised for unauthorized data access between June and July 2025.

Read more: https://cert-agid.gov.it/news/in-vendita-documenti-di-identita-trafugati-da-hotel-italiani/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint