SkyWave Claims Major Breach of Saudi Military and Government Data

A threat actor known as SkyWave has allegedly exfiltrated 590GB of sensitive Saudi Arabian military and government documents, according to a post on the dark web forum DarkForums.

The data, purportedly stolen from the email accounts of high-ranking officials, includes internal communications, strategic documents, and personnel records.

While Saudi authorities have yet to confirm or deny the breach, cybersecurity analysts warn that the leak could expose vulnerabilities in the Kingdom’s digital infrastructure and embolden adversarial state-sponsored groups.

Scope of the Alleged Breach

SkyWave’s post, first flagged by cybersecurity researcher @h4ckmanac, claims the stolen data spans military operational plans, confidential government correspondence, and technical specifications for critical infrastructure.

The threat actor is reportedly selling the dataset for an undisclosed sum, though no buyers have been publicly identified.

If verified, the breach would mark one of the most significant cyber incidents targeting Saudi Arabia since the 2021 Saudi Aramco breach, which exposed 1 terabyte of employee and corporate data.

The method of infiltration remains unclear. SkyWave has not specified whether the data was obtained through direct hacking, third-party vendor exploits, or phishing campaigns.

However, the targeting of email accounts aligns with recent global trends in state-affiliated cyberespionage.

For example, in February 2023, a misconfigured Microsoft Azure server exposed three terabytes of U.S. Special Operations Command emails, underscoring the risks of inadequate cloud security.

Saudi Arabia’s reliance on third-party contractors—a weakness exploited in the Aramco breach—could similarly be a factor.

Geopolitical Implications and Historical Context

Saudi Arabia’s strategic importance as a global energy leader and regional power makes it a frequent target for cyberattacks.

The Kingdom has faced multiple high-profile breaches, including the Shamoon malware attacks on its central bank in 2012 and a near-catastrophic 2017 incident at a petrochemical plant, where hackers attempted to trigger an explosion.

The latest breach could exacerbate existing tensions with rival states, particularly Iran, which has been linked to previous attacks on Saudi infrastructure.

Notably, SkyWave’s activities mirror those of other threat groups operating in the Middle East.

In February 2025, the same actor leaked a 3TB NATO database containing classified documents from over 15 member states, including technical reports and personnel details.

While NATO has not officially acknowledged that breach, the Saudi incident suggests SkyWave may be escalating efforts to monetize stolen geopolitical data.

Response Challenges and Mitigation Efforts

Saudi Arabia’s National Data Governance Office, established under the Personal Data Protection Law (PDPL), mandates strict breach notification protocols.

However, the lack of an official statement from Riyadh highlights the difficulty of verifying dark web claims in real time.

The Saudi Data and AI Authority (SDAIA) advises organizations to segregate sensitive data and conduct third-party risk assessments—measures that could have mitigated the Aramco breach.

Globally, the incident reinforces the need for robust email security. The U.S. Department of Defense’s 2023 email server misconfiguration, which exposed 26,000 personnel records, led to widespread reforms in cloud access controls.

Similarly, Saudi entities may need to adopt advanced threat detection systems and zero-trust architectures to safeguard communication channels.
