France Arrests 15-Year-Old "breach3d" for Hacking ANTS National ID Agency — 11.7 Million Accounts Exposed

A 15-year-old operating as "breach3d" has been arrested after breaching France's national ID agency ANTS — exposing up to 11.7 million accounts containing passport, ID card, and driver's license data — and listing the data for sale on criminal forums.

PARIS — The Paris Public Prosecutor's Office announced Thursday that a 15-year-old suspect was detained on April 25 and placed under judicial supervision following a breach of France's Agence Nationale des Titres Sécurisés (ANTS) — the government agency responsible for issuing and managing passports, national ID cards, driver's licenses, and vehicle registrations. The suspect, operating under the alias "breach3d," listed between 12 and 18 million lines of stolen data on criminal forums beginning April 16, 2026. ANTS confirmed unusual activity on its network on April 13, confirmed the breach on April 24, and acknowledged that the data being circulated appeared authentic. Charges carry up to seven years in prison and a €300,000 ($350,000) fine under French cybercrime law.

Breach profile

What was accessed and why it matters

ANTS is not a routine government database — it is the centralized repository for France's most sensitive identity infrastructure. The agency manages the issuance of every passport, every national ID card, every driver's license, and every vehicle registration in France. The confirmed exposed data includes names, dates of birth, email addresses, postal addresses, phone numbers, and unique account identifiers from the ants.gouv.fr portal. ANTS confirmed that no passwords and no documents uploaded during administrative procedures — such as application attachments — were included in the breach. But the personally identifiable data that was exposed is precisely the information needed to construct convincing identity fraud: names linked to birth dates linked to addresses linked to phone numbers, all tied to individuals who hold French government-issued identity documents.

The breach3d persona and France's wave of teenage cybercrime

The breach3d posting on April 16 taunted ANTS: "It seems the French government would do better to stick to the culinary arts: their digital defenses are as crumbly as their croissants." The OFAC (France's anti-cybercrime office) led the technical investigation and identified the suspect within nine days of the criminal forum posting. French authorities have now detained three suspects aged 15 to 21 in separate cybercrime cases within the first four months of 2026: an 18-year-old in January suspected of leaking data from the French Shooting Federation; a 21-year-old known as HexDex arrested April 20 suspected of conducting approximately 100 data breaches since late 2025 targeting 15 sports federations, the Ministry of Education, and police systems; and now the 15-year-old behind the ANTS breach. France is grappling with a significant youth cybercrime problem alongside a documented vulnerability in centralized government digital infrastructure. For context on data breaches: risks, response, and prevention

, and all data breach coverage

is tracked on The CyberSignal.

The GDPR notification question

ANTS detected unusual activity on April 13. The agency notified France's CNIL data protection authority under GDPR Article 33 — but sent citizen notifications on April 22, nine days after the breach. GDPR Article 33 requires notification to supervisory authorities within 72 hours of breach discovery. The nine-day citizen notification gap raises questions about compliance with Article 34's requirement to notify affected individuals "without undue delay" when a breach is likely to result in high risk. With 11.7 million affected individuals and identity document data confirmed authentic on criminal forums, the risk threshold for individual notification appears clearly met.

What to do now

French citizens who have registered on the ants.gouv.fr portal should be highly vigilant for phishing attempts referencing passport renewals, ID card applications, or driver's license updates — the exposed data provides attackers with the specific personal details needed to make such communications convincing. Do not click links in emails claiming to be from ANTS; navigate directly to ants.gouv.fr. Monitor your email and phone for social engineering attempts and report suspicious contact to cybermalveillance.gouv.fr. If you have experienced any suspicious activity linked to your identity documents, contact the CNIL at cnil.fr.

The CyberSignal Analysis

Signal 01 — Centralizing national identity infrastructure creates single-point catastrophic risk

The ANTS breach has ignited a debate in France about whether centralizing all identity document data in a single government portal creates unacceptable concentration risk. When a 15-year-old can access 11.7 million identity records from a single agency breach, the architectural question is as important as the security hygiene question. Data minimization and decentralization — controversial in efficiency-focused government digital transformation programs — become compelling risk management arguments when the alternative is this scale of exposure from a single intrusion.

Signal 02 — ANTS manages France's age-verification infrastructure

The least-reported element of this story is the most structurally significant: ANTS is also the agency responsible for France's age-verification application intended to prevent children under 15 from accessing social networks. A breach of ANTS is therefore not just an identity data incident — it is a breach of the infrastructure designed to protect children online. The irony of a 15-year-old breaching the agency that manages child protection systems is not lost on French commentators.

Signal 03 — Youth cybercrime in France reflects a structural recruitment pipeline

Three suspects aged 15 to 21, all arrested within four months in France, represent a pattern that mirrors what law enforcement has documented in the UK with groups like Scattered Spider and in the Netherlands with the booter service ecosystem: young people with technical skill but without criminal record or international exposure finding low-friction entry points into cybercrime. France's response — judicial supervision for a 15-year-old facing 7-year maximum charges — will test how the French juvenile cybercrime framework balances deterrence with rehabilitation for technically skilled minors.

Sources