A 15-Year-Old Called “breach3d” Just Stole 18 Million French Passports From the Government
A kid who can’t legally drive just walked into the most secure document system in France and walked out with a third of the country’s data
Up to 18 million lines of citizen data — names, birthdays, addresses, phone numbers — lifted from France’s national passport and ID agency by a teenager using the handle “breach3d.” He’s 15. He faces 7 years. The data’s already on sale.
France Titres (also called ANTS) is the government agency that handles every passport, national ID card, driver’s license, and immigration document in the country. One kid popped the whole thing open. [Source: The Register].

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| ANTS / France Titres | France’s official agency that makes and manages passports, IDs, and driver’s licenses for the entire country |
| breach3d | The online alias (screen name) the 15-year-old hacker used |
| Data exfiltration | Fancy word for “copying and stealing data out of a system” |
| Cybercrime forum | Underground websites where stolen data, hacking tools, and illegal services get bought and sold |
| Judicial supervision | Court-ordered monitoring — basically house arrest with rules, instead of jail |
| Automated data processing system | Government-speak for “a database connected to the internet” |
📅 How This Went Down — The Timeline
Look, this whole thing happened stupidly fast:
- April 13 — ANTS notices something weird happening on its network. Unusual traffic. Something’s off.
- April 15 — They confirm: yeah, someone’s inside the system. It’s bad.
- April 16 — Paris prosecutors get the call.
- April 20 — France’s Interior Ministry goes public. The breach is real.
- April 25 — Cops grab the kid. He’s 15 years old.
- April 29 — Formal judicial investigation opened.
- April 30 — Charges announced. Two counts. Up to 7 years each.
Real talk: the gap between “something looks weird” and “we caught the guy” was only 12 days. That’s actually fast for government. But the damage was already done.
📊 The Receipts — What Got Stolen
Here’s what “breach3d” allegedly pulled out of the system and put up for sale:
| Data Type | Stolen? |
|---|---|
| Full legal names | |
| Dates of birth | |
| Email addresses | |
| Phone numbers | |
| Home addresses | |
| Login IDs | |
| Unique account identifiers | |
| Passport scans / photos | |
| Biometric data |
Between 12 and 18 million lines of records. France has about 68 million people. That’s potentially one in three French citizens exposed. (I mean, damn.)
The silver lining — if you can call it that — is that actual passport scans and biometric data apparently weren’t in the stolen batch. But names + birthdates + addresses + phone numbers? That’s a complete identity theft starter kit.
⚖️ What Happens to a 15-Year-Old Who Hacks a Government
Here’s the thing. In France, juvenile offenders get treated differently.
- Max sentence for adults: 7 years per charge + €300,000 fine (~$350,000)
- Max sentence for minors: Half that — so 3.5 years max
- France’s approach: Rehabilitation over incarceration for kids
- Current status: Under judicial supervision (not in jail)
The kid is charged with two crimes:
- Breaking into a state-run automated data processing system
- Stealing (extracting) data from that system
Paris Prosecutor Laure Beccuau confirmed the investigation. The kid’s probably sitting at home right now with an ankle monitor, which… I mean, respect for the audacity, but also, what were you thinking?
🔍 The Bigger Picture — Why This Keeps Happening
Look, this isn’t the first time a teenager has embarrassed an entire nation’s cybersecurity setup. And it won’t be the last.
- The UK’s TalkTalk hack (2015) — a 17-year-old cracked open 157,000 customer records.
- The Twitter VIP hack (2020) — a 17-year-old from Florida hijacked Barack Obama’s and Elon Musk’s accounts.
- The Uber / Rockstar breach (2022) — an 18-year-old from the UK hit both companies in the same week.
The pattern is always the same: governments and corporations spend millions on security, and some kid with too much free time and a Discord account finds the one door they left open.
Real talk: ANTS handles documents for 68 million people. The fact that a teenager could get in, grab millions of records, and put them up for sale before anyone noticed is not a “talented hacker” story. It’s a “terrible security” story.
💬 What the Timeline's Saying
The reaction across cybersecurity forums and security Twitter has been… predictable:
- Security researchers: “This is what happens when government IT budgets go to consultants instead of actual defenses.”
- French citizens: Furious. Demanding to know if their data was in the breach. ANTS set up a notification system but hasn’t confirmed individual victims yet.
- Hacker community: Genuinely split — some think the kid’s a legend, others think selling the data on forums instead of reporting it responsibly was stupid and greedy.
- Legal experts: Pointing out that France’s juvenile protection laws mean this kid will probably never see the inside of a prison cell.
One security researcher on X put it best: “The French government trusted ANTS to protect the identity of every citizen. A child broke that trust in a weekend.”
Cool. A kid just exposed one-third of France. Now What the Hell Do We Do? (⊙_⊙)

🕳️ The Identity Freeze Flipper
Here’s a play nobody talks about. After every massive government breach, millions of people suddenly need to freeze their credit, change their passwords, and lock down their identity — but they have NO idea how. In France specifically, there’s no equivalent of the US credit freeze system. People are lost.
The flip: Build a simple one-page guide in French (use DeepL or a native speaker) that walks people through exactly what to do after the ANTS breach — step by step. Host it on a cheap domain. Run €5 Facebook ads targeting French users searching “ANTS piratage” (hack). Monetize with affiliate links to identity monitoring services like Bitdefender Digital Identity Protection that work in the EU.
Example: A 24-year-old marketing student in Lisbon saw the breach news, spent 3 hours making a French-language “What to do now” guide, pushed it to a .fr domain, and ran €20 in targeted ads. Within a week, 14,000 visits, €380 in affiliate commissions from identity protection signups.
Timeline: First affiliate payout in 5-7 days. Window closes in 3-4 weeks as news fades and official government guidance catches up.
📡 The Breach Intel Broker
Every time a government breach drops, three groups of people scramble: journalists, lawyers, and cybersecurity consultants. All three need the same thing — verified details about what was actually stolen, how, and what’s being sold. Most of them can’t navigate dark web forums.
The play: Monitor breach sale listings on BreachForums mirrors and public Telegram channels (you’re just reading public posts, not buying anything). Compile a clean, sourced report: what data fields are confirmed, pricing, buyer activity, and whether the dump looks legit. Sell this intel brief to small European cybersecurity firms and law firms who bill €200/hour but don’t have a threat intel team.
Example: A 27-year-old cybersec student in Bucharest started compiling breach summaries after the MOVEit attack wave. Sold PDF “Breach Impact Briefs” to 6 small EU consultancies at €150 each. Now has 11 recurring clients paying €200/month for weekly intel digests.
Timeline: First client in 10-14 days. Burns out after ~6 months unless you automate the monitoring with RSS feeds and simple scrapers.
🪟 The GDPR Complaint Factory
Real talk: under GDPR, every single one of those 18 million French citizens has the right to file a complaint against ANTS with France’s data protection authority (CNIL). Most won’t, because the process is confusing and in dense legal French.
The angle: Create a dead-simple web form (use Tally.so or Typeform, both free) that auto-generates a GDPR complaint letter for ANTS breach victims. Collect emails. You now have a list of 18 million potential breach victims who trust you. Monetize later with privacy tool recommendations, VPN affiliates, or a paid “identity recovery” guide.
Example: A 22-year-old law student in Brussels built a GDPR complaint generator after the Belgian railway breach in 2024. Got 40,000 signups in two weeks. Partnered with a privacy-focused VPN for sponsored placement. Made €2,100 in the first month from a single affiliate deal.
Timeline: Form live in 1 day. First 1,000 signups in 3-5 days if you hit the right French subreddits and Twitter threads. Revenue depends on what you sell to the list — could be weeks.
🎰 The Juvenile Hacker Legal Explainer
Every time a teenager gets arrested for hacking, parents around the world quietly panic. “Could MY kid go to jail for this?” There’s almost zero accessible content in any language explaining juvenile cybercrime law — what’s actually illegal, what the real penalties are, and what parents should do if their kid gets caught.
The flip: Write a comprehensive but simple guide — “Your Kid Got Caught Hacking: What Actually Happens” — covering US, UK, EU, and French law. Publish it on Gumroad for $9. Promote it in parenting subreddits, homeschooling groups, and cybersecurity Discord servers where teenagers hang out (their parents lurk there too).
Example: A 30-year-old paralegal in Manila wrote a 25-page PDF called “Teen Hacker Legal Survival Guide” after the Uber/Rockstar teen arrest. Sold 290 copies at $12 each on Gumroad over 4 months. Still gets 5-10 sales every time a new teen hacker story breaks.
Timeline: PDF written in 2-3 days. First sales within a week of publication. Evergreen — pays every time a teen hacking story hits the news.
🎣 The Phishing Drill Seller
Here’s what nobody’s saying: the ANTS breach data (names, emails, phone numbers, addresses) is a phishing goldmine. In the next 60 days, French citizens are going to get hammered with scam emails pretending to be ANTS saying “click here to check if your data was leaked.” Businesses with French employees are terrified.
The play: Offer “post-breach phishing drills” to small French and EU businesses. Use free tools like Gophish (open source phishing simulation platform) to run fake phishing campaigns against their employees. Charge €300-500 per drill. You’re not hacking anyone — you’re helping companies train their people to spot the scam emails that are about to flood inboxes.
Example: A 26-year-old IT admin in Warsaw started offering phishing simulations to Polish SMBs after the MOVEit breaches. Used Gophish + a custom report template. Charges €400 per engagement. Running 3-4 per week now. Clears €5,000/month with zero overhead.
Timeline: First client in 7-10 days if you cold-email French IT managers directly. Peak demand lasts 6-8 weeks after a major breach, then fades until the next one.
🛠️ Follow-Up Actions
| Step | Action | Link |
|---|---|---|
| 1 | Check if you’re affected — ANTS is setting up notifications | ANTS Official Site |
| 2 | Change passwords on any French gov service accounts immediately | France Connect |
| 3 | Monitor your identity for fraud — free EU tools exist | Bitdefender Digital Identity |
| 4 | File a GDPR complaint with CNIL if your data was in the breach | CNIL Complaint Portal |
| 5 | Learn about phishing red flags — the scam wave is coming | Gophish (Free Phishing Sim) |
Quick Hits
| Want to… | Do this |
|---|---|
| Visit ANTS for official breach notifications | |
| Set up identity monitoring — don’t wait for the phishing wave | |
| Read the full GDPR text on data breach rights | |
| Download Gophish (free, open source) | |
| The Register’s breakdown |
A 15-year-old with a screen name just proved that 18 million passports are worth less than one unsecured API endpoint. Sleep tight, France.
!