Breaches · May 14, 2026

mutreasury Allegedly Breached: Admin Credentials and API Keys Exposed From the Egyptian University Payment Gateway Covering 28+ Universities, Sold With a Zero-Day Vulnerability

mutreasury payment gateway breach exposes admin credentials, API keys, and student data from 28+ Egyptian universities.

Summary

A threat actor claiming the handle INT3X has breached mutreasury, Egypt's centralized university payment gateway serving 28+ institutions, and is selling the stolen database along with an unauthenticated-access zero-day vulnerability. The dump includes administrative credentials, ERP integration API tokens, transaction records linking student PII to payments, and credentials for national payment processors (e-Finance, Khales, Fawry). The actor is using a public preview of 4 major universities as proof-of-concept and claims the zero-day enables full persistence and real-time data extraction from the remaining 24+ connected institutions.

Full text

Breach Report · Egypt

A threat actor is selling a database from mutreasury, the centralized payment gateway connecting more than 28 Egyptian universities for tuition, application fees, and other student payments. The dump contains administrative credentials, ERP integration API tokens, and the full transaction ledger linking student PII to fee payments through Fawry, e-Finance, and Khales. The seller is also marketing an unauthenticated-access zero-day vulnerability used to dump the data, which they say allows full persistence and real-time data extraction from the remaining 24+ universities not yet included in the public preview. The current public leak covers 4 major university targets as a proof of concept, with the complete dataset covering 28+ Egyptian universities connected to the same centralized infrastructure.

Post details

  • Actor(s): INT3X (with credits to quellostanco, CrowStealer, @bigF)
  • Sector: Education / Government / Payment Gateway
  • Type: Data Sale + Zero-Day Vulnerability Sale
  • Format: CSV (multiple tables)
  • Records: 28+ Egyptian universities (4 included in public preview)
  • Country: Egypt
  • Date: 14/05/2026

Compromised data

sysusers.csv (Identity & Access)

  • Fields: ID, f1 through f14, isAdmin flag, isLocal flag, item_type
  • Administrative credentials, internal employee data, access levels
  • Encrypted and plaintext authentication strings
  • Job titles and workplace affiliations

erpapis.csv (Integration Layer)

  • Fields: scope_id, account_id, connectType, erp_api_url, erp_api_token, erp_api_profile, erp_company_name
  • Live API tokens and endpoint URLs bridging the payment gateway with internal university ERP systems
  • Direct server-to-server communication credentials

efinance_service.csv (Financial Routing)

  • Fields: id, sender_id, foundation_id, fees, type, is_active, sender_name, service_url, service_code, service_name, sender_password, settlement_code, confirmation_url, settlement_amount, payment_gateway_url, sender_request_number, sender_user_identifier, confirmation_redirect_url
  • Logic and credentials for connecting to national payment providers (e-Finance and Khales)
  • Settlement codes, service passwords, and redirect flows

paymentgetway.csv (Transaction Master)

  • Fields: UnivId, user_id, order_id, FacultyId, SessionId, CustomerId, UniqueInvoiceId, item, Email, Mobile, RefNum, Service, Merchant, UnivName, Result, Status, feesName, fawryFees, notifyurl, PaidAmount, ConfirmedAt, ConfirmedBy, ConfirmedIP, EnquiryDate, FacultyName, CustomerCode, CustomerName, triedConfirm, PaymentMethod, description, SuccessIndicator
  • Primary ledger for all student payments, logs PII, transaction status, reference numbers (Fawry/Bank), and total amounts across various university faculties

paymentgetwaydetails.csv (Transaction Details)

  • Fields: feeId, UniqueInvoiceId, item, Amount, feeName
  • Granular breakdown of fees associated with each UniqueInvoiceId
  • Payment nature specified (Application fees, Tuition, etc.)

Zero-Day Vulnerability For Sale

  • Unauthenticated access exploit
  • Allows full persistence on the gateway
  • Enables real-time data extraction from the remaining 24+ Egyptian universities not in the public preview

Indicators of Compromise

  • malware — CrowStealer

Entities

  • mutreasury (product)
  • ERP integration API (technology)
  • Fawry payment processor (technology)
  • e-Finance payment processor (technology)
  • Khales payment processor (technology)
  • INT3X (threat_actor)