The cybercriminal organization known as Hellcat has claimed responsibility for a significant security breach targeting Spanish telecommunications giant Telefónica. Through their representative using the alias “Rey,” the group alleges they have successfully exfiltrated 106 gigabytes of sensitive corporate data and are threatening full public disclosure unless their demands are met.
Attack Timeline and Initial Claims
According to statements from the threat actor Rey, the alleged breach occurred on May 30, 2025. The attacker claims to have maintained unauthorized access to Telefónica’s internal systems for over 12 hours before security administrators detected the intrusion and blocked further access.
As evidence of their claims, Rey released a 2.6 GB archive that, when extracted, contains approximately 5 gigabytes of data and over 20,000 files. The cybercriminal asserts that the complete stolen dataset comprises 385,311 files totaling 106.3 GB in size.
Scope of Compromised Information
Analysis of the sample data reveals that the potential breach encompasses several categories of critical corporate information:
The leaked materials reportedly include internal communications such as service tickets and employee email correspondence, commercial documents including supplier orders and business client invoices, system logs from internal information systems, and personal data containing customer records and employee information.
The geographic scope of the compromised data spans Telefónica operations across Spain, Germany, Hungary, Chile, Peru, and Argentina, indicating the potentially extensive scale of this security incident.
Attack Vector and Security Vulnerabilities
This incident marks the second reported attack by the Hellcat group against Telefónica in 2025. In January, the same threat actors allegedly compromised an internal development and ticket processing server based on the Jira platform.
Rey claims that this latest attack was also executed through a misconfigured Jira system, suggesting persistent security configuration issues within the company’s enterprise applications. This pattern highlights the critical importance of proper security hardening for project management and ticketing systems.
Company Response and Data Verification
Telefónica representatives have categorically denied the occurrence of any new cyberattack, characterizing the situation as an extortion attempt using outdated information from previous incidents.
Independent verification conducted by cybersecurity journalists partially supports the company’s position. The most recent files in the provided samples date from 2021, casting doubt on claims of a recent breach. However, some email addresses from the leak belong to current Telefónica employees, confirming the authenticity of at least portions of the compromised data.
Threat Escalation and Data Distribution
Despite the company’s denial, Rey continues to escalate the situation by distributing data through various file-sharing services. The data was initially hosted on PixelDrain but was removed following legal requests. The threat actor then migrated to the Kotizada platform, which Google Chrome flags as potentially dangerous.
The persistent distribution efforts demonstrate the threat actor’s commitment to maintaining pressure on the target organization, regardless of official denials or legal countermeasures.
Security Implications and Recommendations
This incident underscores several critical cybersecurity considerations for enterprise organizations. The repeated targeting of Jira systems highlights the need for comprehensive security audits of project management platforms and proper configuration management protocols.
Organizations should implement regular vulnerability assessments, ensure proper access controls for development and ticketing systems, and maintain robust incident response procedures. The multi-country scope of the alleged breach also emphasizes the importance of consistent security standards across international operations.
Whether this represents a new attack or repurposed historical data, the Hellcat-Telefónica incidents serve as a crucial reminder that enterprise collaboration tools require the same rigorous security attention as customer-facing systems. Companies must prioritize regular security audits, proper system configuration, and comprehensive employee training to prevent similar incidents and protect sensitive corporate and customer information from cybercriminal exploitation.