Inside the ANCPI Breach: An interview with ByteToBreach, the Hacker Behind Romania’s Biggest Land Registry Outage

Romania’s National Agency for Cadastre and Land Registration (ANCPI) has been crippled since Tuesday, July 14, 2026, in what the institution itself describes as the most severe technical disruption in its history. Every system ANCPI operates — including the e-Terra
cadastre and land registry platform and the agency’s own email infrastructure — has been offline, leaving notaries unable to authenticate real estate transactions and citizens unable to obtain land registry extracts, either online or at local offices.

ANCPI initially described the outage as a “major technical incident” before confirming a day later that it was, in fact, a cyberattack. The agency maintains that the data it manages is safe and was not compromised, and says the circumstances of the attack are under investigation by the competent state authorities. It estimated e-Terra would remain unavailable through the end of that week.

Against this backdrop, SecurityPatch.ro reached out directly to the individual claiming responsibility for the ANCPI breach, who uses the alias ByteToBreach. What follows is a lightly edited transcript of that written interview, conducted over a messaging app and granted on condition of full anonymity.

The interview

SecurityPatch.ro: Could you walk me through how you gained access to ANCPI’s infrastructure? What vulnerability or misconfiguration made this possible?
ByteToBreach: The foothold was a simple vulnerability, extremely surprised to see it still around, let alone on government infrastructure. The rest is simply pivoting and finding similar vulnerabilities and misconfigurations. ANCPI network is huge, with a lot of subnets.

SecurityPatch.ro: Could you be more specific on the vulnerability? Is it widely known, or something custom for this case?

ByteToBreach: There is no 0day involved or anything sophisticated.

SecurityPatch.ro: Did you modify, alter, or delete any records within the system, or was your activity limited to access and exfiltration? This matters a lot given that a compromised land registry can affect citizens’ legal ownership.

ByteToBreach: The data was copied from diverse sources in the network. There was no modification done, except the modification done by the encryption. A lot of files were encrypted, but the main databases were not encrypted — they were just exfiltrated.

Asked directly whether the attack carried any political motive or was connected to a state-linked group, he was unambiguous:
ByteToBreach: There is nothing political in here, and it wasn’t done by the “Russians.” I hope my explanation was clear.

SecurityPatch.ro: What led you to this particular institution? Was it a deliberate target, or more of an opportunity you came across while looking elsewhere?

ByteToBreach: It wasn’t as secured as it should have been, considering its vital role. What attracts attacks is weakness, to put it bluntly.

SecurityPatch.ro: Did you reach out to ANCPI before this became public? Was there any negotiation or ransom discussion?

ByteToBreach: My ransomware drops a small note, but I do not insist a lot or force them.

SecurityPatch.ro: Are you operating independently, or is this connected to a wider group or collective?

ByteToBreach: I am too old for being in groups 🙂 For 16 years, I spent most of my time reversing malware or doing labs on HackTheBox.

SecurityPatch.ro: Do you have any financial expectations tied to this, given that the target was a public institution?

ByteToBreach: Yes. I can offer my assistance in decrypting the files, provided ANCPI gives me a salary.

SecurityPatch.ro: I understand — so if ANCPI requests help to restore the files, will you provide the necessary knowledge or tools? And what amount do you consider appropriate?

ByteToBreach: Yes, that is the main objective. This can be negotiated with the representatives of ANCPI.

SecurityPatch.ro: How do you think about the impact of your actions on the people whose property records are held in this system?

ByteToBreach: That is very unfortunate. And I regret also the position that the IT staff are put in, because of my actions. But the responsibilities are also shared by the government.

SecurityPatch.ro: Where do you see this heading for you personally — continuing this kind of work, moving toward legitimate security research like bug bounty or pentesting, or something else entirely?

ByteToBreach: I will keep doing it, as long as I am passionate about cybersecurity.SecurityPatch.ro: What do you think about the risk of being identified, especially now that you’re in the spotlight?

ByteToBreach: I am very fast on my feet. But let’s hope it doesn’t come to that 🙂

SecurityPatch.ro: Considering this will be published, do you have any message to transmit to anyone?

ByteToBreach: Stay true to Jesus. ❤️ Was good talking to you.
The conversation closed there, with ByteToBreach adding a final note: he remains “always open for discussions, within the limit of my abilities and my limited knowledge.”

Conclusion

Stripped of the bravado, ByteToBreach’s account lines up with an uncomfortably familiar pattern in critical-infrastructure breaches: not a sophisticated nation-state operation, but a years-old, publicly documented vulnerability sitting unpatched inside a sprawling government network. If accurate, that detail alone raises hard questions for ANCPI about patch management and network segmentation practices that go well beyond this single incident.

What’s left is a familiar and unsettling gap: a public institution responsible for the legal backbone of property ownership in Romania, reportedly brought down by a known, patchable flaw, with tens of thousands of citizens and notaries caught in the middle while the
negotiation — if it happens — plays out largely out of public view. Until ANCPI and Romanian cybersecurity authorities publish a post-incident report, the extent of the damage, and whether any ransom is paid, remain open questions.

Ultimele articole

Articole similare