Threat Actor Selling Email Credentials for Israeli Government Agencies, Organizations, and International Targets Including Israel Police, Ministry of Justice, and Quebec Education Board

Summary

A threat actor known as 'swag' is selling stolen email credentials from Israeli government agencies including Israel Police, Ministry of Justice, and Ministry of Labor, plus international targets like Quebec's education board. The breach exposes sensitive .gov.il and .co.il domains across law enforcement, healthcare, social services, and education sectors, creating significant risks for spear phishing, network pivoting, and unauthorized access to internal communications. The credentials represent a substantial national security concern given the targets' critical institutional roles.

Full text

Dark Web Informer - Cyber Threat Intelligence Threat Actor Selling Email Credentials for Israeli Government Agencies, Organizations, and International Targets Including Israel Police, Ministry of Justice, and Quebec Education Board March 31, 2026 - 2:36:48 PM UTC Israel Government / Multi-Sector Standalone API Access Now Available High-volume threat-intelligence data, automated ingestion endpoints, ransomware feeds, IOC data, and more. View API Unlock Exclusive Cyber Threat Intelligence Powered by DarkWebInformer.com Stay ahead of cyber threats with real-time breach tracking, expert analysis, and high quality evidence - built for security professionals, researchers, journalists, and everyday people who take their privacy seriously. Subscribe Now Quick Facts Date & Time 2026-03-31 14:36:48 UTC Threat Actor swag Victims Multiple (.gov.il / .co.il) Industry Government / Multi-Sector Category Credential Sale Gov Agencies 6 Organizations 2 Israeli + 2 International Data Type Email Credentials Price Contact Seller Network Open Web Country Israel Severity High Incident Overview A threat actor going by swag is selling compromised email credentials from multiple Israeli government agencies, Israeli organizations, and international targets. The listing organizes the affected entities into three categories, with the bulk of the targets being Israeli .gov.il government domains. This represents a significant credential exposure across some of Israel's most sensitive public institutions. The affected entities are organized as follows: Israeli Government (.gov.il): Israel Police (Mishteret Yisrael), Ministry of Labor, Social Affairs and Social Services (MOLSA), Ministry of Justice (Misrad HaMishpat), Survey of Israel (the official mapping and cadastre authority), Israel Land Authority, and Ziv Medical Center (a government hospital located in Safed). Israeli Organizations (.co.il): Beny Cohen and Co. (a private law firm), and the Ashalim Association (a major organization for planning and developing services for people with disabilities in Israel). International / Other Domains: The Quebec Central Board of Education in Canada (education sector), and Yahoo email accounts (described as a generic email provider, not a government target). The inclusion of Israel Police, Ministry of Justice, and Ministry of Labor credentials is particularly concerning from a national security perspective, as compromised government email accounts can be used for spear phishing against other government employees, accessing internal communications, pivoting deeper into government networks, or conducting social engineering against citizens who trust official government correspondence. The Ziv Medical Center credentials add a healthcare dimension, potentially exposing patient communications or internal hospital systems. Affected Entities Israel Police Ministry of Labor & Social Services Ministry of Justice Survey of Israel Israel Land Authority Ziv Medical Center Beny Cohen & Co. (Law Firm) Ashalim Association Quebec Central Board of Education Yahoo Email Accounts Image Preview Claim URL Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers. Subscribe Subscriber Access View the original listing URL and unredacted claim images on the feeds below. Threat Feed Ransomware Feed MITRE ATT&CK Mapping T1078 Valid Accounts Compromised email credentials for government agencies and organizations that can be used to authenticate as legitimate users and access internal systems and communications. T1589.001 Gather Victim Identity: Credentials Harvests email credentials from multiple Israeli government agencies and organizations across law enforcement, justice, healthcare, and social services sectors for resale. T1566.002 Phishing: Spearphishing Link Compromised government email accounts can be weaponized for highly credible spear phishing campaigns targeting other officials, citizens, or partner organizations who trust official .gov.il correspondence. T1114 Email Collection Access to government email accounts enables collection of internal communications, sensitive documents, contact lists, and intelligence across police, justice, healthcare, and land administration systems. Dark Web Informer © 2026 | Cyber Threat IntelligenceDarkWebInformer.com

Indicators of Compromise

• email — israel.police@mishteret.yisrael
• domain — gov.il
• domain — co.il
• mitre_attack — T1078
• mitre_attack — T1589.001
• mitre_attack — T1566.002
• mitre_attack — T1114