Infostealer Malware Triggers Major Database Breach at the Argentine Football Association

When the Argentine Football Association (AFA) suffered a significant cyberattack, media outlets were quick to cover the fallout. The breach resulted in sensitive database leaks and unauthorized communications originating from official AFA domains, causing severe reputational and operational damage.

Media coverage of the AFA Hack
Media coverage highlighting the fallout of the AFA cyberattack.

The incident was also widely reported on X, including from accounts like Polymarket with tens of thousands of likes.

Polymarket X post covering the hack
An X post from Polymarket demonstrating the viral reach of the news.

While the headlines focused on the aftermath, the crucial question remained: How did the threat actors gain access? At Hudson Rock, our threat intelligence analysts dove into the data, tracing the incident back to its highly likely root cause. The findings highlight a pervasive and often overlooked threat in the cybersecurity landscape: Infostealer infections.

The Patient Zero: A Dormant Infection

Our investigation indicates it is highly likely that the intrusion was not the result of a zero-day exploit or a sophisticated, multi-layered APT operation. Instead, it was likely facilitated by a compromised computer belonging to an individual with administrative access to various AFA systems. Based on a Facebook and X account our researchers were able to locate, this infected computer belongs to a person employed as a software developer at AFA for almost a decade.

Details of the Infostealer Infection from Hudson Rock's database
Hudson Rock’s database showing the initial Infostealer infection occurring on September 8th, 2025.

As the data shows, this individual’s machine was infected by an Infostealer on September 8th, 2025. Hudson Rock’s cybercrime intelligence API detected and added this compromised machine to our database the very next day, on September 9th, 2025.

This timeline is critical. It underscores a common tactic among modern threat actors: data hoarding. The compromised credentials were not used immediately. They sat dormant, likely sold on illicit dark web markets or held in private logs until a capable threat actor decided to monetize them. This hack was easily avoidable. Had the organization proactively monitored for compromised employee credentials via threat intelligence feeds, they could have forced a password reset months before the actual intrusion took place.

The Scope of Access:

Once the threat actor decided to act, they didn’t just have standard user access, they highly likely had profound administrative control. The infostealer had vacuumed up credentials that bypassed standard web application interfaces entirely.

By analyzing the recovered logs from the infected machine, we identified exactly how the database was likely exfiltrated. The compromised user had saved administrative credentials for several critical AFA subdomains in their browser.

phpMyAdmin credentials for afa05-new.afa.org.ar and afasistemas.com.ar
Compromised credentials granting direct administrative access to AFA phpMyAdmin panels.

The logs revealed direct access to phpMyAdmin panels, a web-based database management tool. Specifically, the hacker likely gained root-level access to databases hosted on afa05-new.afa.org.ar or acreditaciones.afa.com.ar (both of which are currently down). Additionally, the logs contained credentials for afasistemas.com.ar, which likely enabled the threat actor to subsequently send out the malicious mass emails.

Additional phpMyAdmin credentials for acreditaciones.afa.com.ar
Additional leaked credentials providing direct database access to AFA subdomains.

A closer look at the credentials data reveals an even broader scope of potential compromise. The logs contained access to ezeiza.afasistemas.com.ar, the internal sports management portal for AFA’s national training headquarters. Furthermore, the infected machine held stored access to the AFA media portal (media.afa.org.ar) and the competition management system (comet.afa.org.ar). Alarmingly, the data shows that a very weak, guessable password was reused across several of these critical internal portals.

With valid credentials for phpMyAdmin and these internal systems, the hacker didn’t need to find a SQL injection vulnerability or bypass a Web Application Firewall. They simply logged in as an administrator, viewed the raw database tables, and exported whatever they wanted, including credentials, user data, and accreditation details.

The Fallout: Extortion and Leaked Samples

This direct DB access is highly likely what allowed the hacker to post samples of the database online. The hacker’s motives went beyond just stealing data, they wanted to make a statement and maximize disruption.

Hacker thread discussing the AFA breach
A post from the threat actor claiming responsibility and attempting to monetize the breach.

A close examination of the database snippet provided by the threat actor reveals the severe nature of the leak. The dumped tables contain highly sensitive information belonging to internal AFA staff, affiliated clubs, and external media partners, including prominent international sports networks and local newspapers. The compromised records expose internal email addresses, phone numbers, user roles, registration timestamps, and password data. While many passwords appear to be securely hashed, the presence of highly insecure plaintext passwords among the records highlights a significant security oversight. This exposure leaves these individuals highly vulnerable to credential stuffing and secondary targeted attacks.

Hacker providing a sample of the stolen AFA database
A threat actor providing a leaked sample of the compromised AFA database on a dark web forum.

Beyond the data leak itself, intelligence indicates that the threat actor is reportedly actively selling control to subdomains associated with the AFA on illicit forums. This demonstrates a multifaceted approach to monetizing the breach, posing an ongoing risk to the organization’s web infrastructure.

Threat actor selling access to AFA subdomains
A dark web forum post indicating the sale of AFA subdomain access, as reported by Dark Web Informer on X.

Adding Insult to Injury: Hijacking Official Comms

Email sent by the hacker originating from afasistemas.com.ar
A malicious mass email successfully sent using the legitimate, compromised afasistemas.com.ar domain.

The stolen logs also included credentials for afasistemas.com.ar. This domain is the internal sports management portal used by the AFA. By hijacking this system, the attacker was able to weaponize the AFA’s own infrastructure.

Using the compromised access, the hacker highly likely sent out mass emails originating from legitimate AFA servers. Because these emails came from the authentic afasistemas.com.ar domain, they bypassed standard anti-spoofing protections like SPF and DKIM, landing directly in recipients’ inboxes and amplifying the chaos of the incident.

The message conveyed by the hacker
Media coverage illustrating the disruptive message the threat actor intended to broadcast.

The Verdict

The AFA breach is a textbook example of how devastating a single, unmitigated infostealer infection can be. A compromised machine belonging to a developer with high-level access highly likely handed a threat actor direct database administration rights and the ability to send authenticated internal emails. Because the stolen credentials sat dormant for months, the organization was lulled into a false sense of security, completely unaware of the ticking time bomb in their network infrastructure.

To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here:
https://www.hudsonrock.com/schedule-demo

We also provide access to various free cybercrime intelligence tools that you can find here:
www.hudsonrock.com/free-tools

Thanks for reading, Rock Hudson Rock!

Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock
Follow us on Twitter: https://www.twitter.com/RockHudsonRock

The post Infostealer Malware Triggers Major Database Breach at the Argentine Football Association appeared first on InfoStealers.