Moroccan Hackers Retaliate with Cyberattack on Algerian Institutions Amid Rising Tensions

Moroccan hackers Phantom Atlas retaliate against Algeria, leaking 13GB of data from the Ministry of Labor and MGPTT in response to a CNSS breach. Details on the April 2025 cyberattack.

Phantom Atlas Targets Algerian Ministry and MGPTT in Response to CNSS Breach

Washington, D.C. – On April 10, 2025, a Moroccan hacker group known as Phantom Atlas launched a significant cyberattack on Algerian institutions, leaking over 13 gigabytes of sensitive data in retaliation for a prior attack on Morocco’s National Social Security Fund (CNSS). The targets included the Algerian Ministry of Labor, Employment, and Social Security, as well as the Mutuelle Générale des Postes et Télécommunications (MGPTT), and the stolen data was published on Telegram. This escalation, rooted in geopolitical tensions, particularly over the Western Sahara conflict, underscores the growing cyberwarfare between Morocco and Algeria. No official response from Algerian authorities has been recorded as of 1:04 PM PDT.

Details of the Cyberattack

Phantom Atlas, also operating under aliases like Phantom Morocco and Moroccan Cyber Forces, claimed responsibility for the attack, which occurred overnight between April 9 and 10, 2025. The group stated they infiltrated the systems of the MGPTT and the Algerian Ministry of Labor within 24 hours, extracting a trove of sensitive information. According to reports from Yabiladi and La Releve, the leaked data includes:

  • National ID numbers of Algerian citizens.
  • Bank transfer orders.
  • Internal administrative documents, some classified as strategic and sensitive.

The hackers published this data on Telegram, framing the operation as a direct response to a cyberattack on April 8, 2025, attributed to the Algerian group JabaRoot DZ. That earlier attack targeted the CNSS and Morocco’s Ministry of Employment, exposing the personal data of nearly 2 million Moroccan employees across 500,000 companies, including salary declarations and employee lists from high-profile entities like the royal holding SIGER and the Israeli Liaison Office in Morocco.

Context and Geopolitical Motivations

The cyberattack by Phantom Atlas is not merely a technical assault but a politically charged act, reflecting the deep-seated rivalry between Morocco and Algeria. In their manifesto, published in Arabic and English, Phantom Atlas declared, “This is a direct and calculated response to the CNSS breach. Any future provocation will be met with a targeted and disproportionate response.” They also emphasized that “the Moroccan Sahara is not open to debate,” directly linking their actions to the Western Sahara conflict, a longstanding point of contention between the two nations.

The initial attack by JabaRoot DZ was itself framed as retaliation for alleged Moroccan cyberattacks, specifically the hacking of the Algerian Press Service (APS) Twitter account after its suspension by the platform. This tit-for-tat dynamic highlights how cyberwarfare has become an extension of geopolitical disputes, with the Western Sahara issue—where Morocco claims sovereignty and Algeria supports the Polisario Front’s push for independence—serving as a central flashpoint. The broader context includes severed diplomatic ties between Morocco and Algeria since August 2021, exacerbated by Morocco’s normalization of relations with Israel in 2020 and Algeria’s accusations of Moroccan support for Kabyle separatists.

Impact of the Data Breach

The 13 gigabytes of leaked data from the Algerian Ministry of Labor and MGPTT expose significant vulnerabilities in Algeria’s digital infrastructure. Cybersecurity expert Saxx, quoted in La Releve, noted that the breach was facilitated by easily exploitable login credentials, pointing to structural weaknesses in Algerian systems. The leaked documents, which include personal identifiers and financial records, pose risks of identity theft and fraud for affected individuals. Phantom Atlas claimed the data reveals “deep structural flaws and chronic mismanagement” within Algerian institutions, though these assertions require independent verification.

The scale of the breach is notable, with some estimates suggesting the total data extracted could reach 20 gigabytes. However, the authenticity and full extent of the leaked information remain uncertain, as no official Algerian response has been identified to confirm or refute the claims. This lack of transparency leaves room for speculation about the true impact on Algerian citizens and government operations.

Absence of Official Algerian Response

As of 1:04 PM PDT on April 10, 2025, no public statements from the Algerian government, the Ministry of Labor, or the MGPTT have been reported in response to the cyberattack. This silence could indicate several possibilities: a deliberate choice to handle the crisis internally, a delay in formulating a public response, or a lack of readiness to address the breach. The absence of an official reaction contrasts with Morocco’s response to the CNSS attack, where the institution acknowledged the breach, downplayed its severity by claiming many leaked documents were falsified, and initiated an investigation. The lack of an Algerian response raises questions about the government’s cybersecurity preparedness and its strategy for managing public perception during such crises.

Broader Implications and Critical Analysis

This cyberattack is part of a broader pattern of digital hostilities between Morocco and Algeria, often mirroring their offline conflicts. The Western Sahara dispute, cited explicitly by Phantom Atlas, remains a core driver of tension, as evidenced by recent developments like the U.S. withdrawal of confidence in UN envoy Staffan de Mistura, reported earlier today. The cyber dimension adds a new layer of complexity, with non-state actors like Phantom Atlas and JabaRoot DZ acting as proxies for national interests, though their true affiliations remain murky. For instance, some investigations into JabaRoot DZ suggest the group’s leader might be a Tunisian engineer based in Germany, not Algerian, raising questions about the attribution of these attacks and the potential for false flags in cyberwarfare.

Critically, the narrative of a straightforward Morocco-Algeria cyber conflict may oversimplify the situation. The involvement of a possible Tunisian actor, as reported by H24info, suggests that external parties could be exploiting regional rivalries for their own ends, a possibility that warrants further investigation. Additionally, the lack of an Algerian response could be strategic, aimed at avoiding escalation, but it also risks fueling speculation and undermining public trust in the government’s ability to protect sensitive data.

The impact on ordinary citizens is a significant concern. The leaked data from both the CNSS and MGPTT breaches exposes millions to potential exploitation, yet neither government has provided clear guidance on protective measures. This highlights a broader failure in regional cybersecurity governance, where geopolitical rivalries overshadow the need for cooperative defense mechanisms against cyber threats.

Conclusion: A Digital Front in a Geopolitical War

The Phantom Atlas cyberattack on Algerian institutions marks a significant escalation in the digital conflict between Morocco and Algeria, driven by longstanding geopolitical tensions over the Western Sahara and other issues. The breach of the Algerian Ministry of Labor and MGPTT, resulting in the leak of over 13 gigabytes of sensitive data, exposes vulnerabilities in Algeria’s digital infrastructure and poses risks to its citizens. However, the absence of an official Algerian response as of April 10, 2025, leaves many questions unanswered about the full scope and consequences of the attack. As cyberwarfare becomes an increasingly prominent arena for regional rivalries, both nations must prioritize robust cybersecurity measures and consider diplomatic channels to de-escalate tensions, lest their citizens continue to bear the brunt of these digital battles.