Online account hack at the Federal Employment Agency: eight suspects identified
Criminals wanted to divert benefits by changing account data in hacked online accounts. Now eight suspects have been identified.
(Image: Bundesagentur fĂĽr Arbeit)
At the end of March this year, the Federal Employment Agency (BA) detected unauthorized access to around 1000 user accounts on its online portal. The attackers' goal was to fraudulently obtain benefits by changing bank details.
The Central Office for Cybercrime Bavaria (ZCB), together with the "Cybercrime Investigations" (ECC) department of the Nuremberg Criminal Police, has now identified eight suspects. Two of the suspects have been taken into custody, but for alleged drug dealing and not for the hack. The financial damage incurred was relatively low.
Access via compromised end devices
According to a press release from the Bamberg Public Prosecutor General's Office dated today, Monday, the suspects are strongly suspected of having "attempted to illegally log into over 20,000 user accounts at the Federal Employment Agency between January 30, 2025, and March 19, 2025". This was successful in around 1000 cases, and in more than 150 cases, they are alleged to have changed account details.
In the worst-case scenario, the suspects would have been "able to have a five-figure sum paid out monthly" through their manipulations. However, the BA's intervention limited the actual damage to just under 1000 Euros.
Videos by heise
The incidents were first noticed by a job center employee in North Rhine-Westphalia: she noticed discrepancies in the account of a deceased customer. The BA then conducted a comprehensive review, noticed the unauthorized logins, and filed a report with the ZCB in Bamberg. As a consequence, numerous online functions of the BA, such as applications for financial benefits or changing IBAN account numbers, were temporarily unavailable at the end of March.
In mid-May, the federal government confirmed the cyberattack at the request of the AfD parliamentary group. It stated that the access data had been obtained using compromised private end devices and not through BA systems. Furthermore, the government announced that since April 29, 2025, all online accounts have been required to use a second factor for logging into the agency's portal. The Nuremberg authority had previously only recommended multi-factor authentication.
House searches and arrests
According to the Public Prosecutor General's Office, the eight identified suspects are between 36 and 61 years old. During house searches in ten locations in several federal states on October 8, 2025, data carriers, as well as weapons and narcotics, and several thousand euros in cash were seized. Investigators are said to have found clear indications connecting the accused to the cyberattack on the Federal Employment Agency during the initial review of the evidence.
The charge against the suspects includes commercial computer fraud, for which the law provides for a prison sentence of six months to ten years. According to the Public Prosecutor General's Office, investigations are ongoing.
(ovw)
