Infostealer Malware Triggers Major Database Breach at the Argentine Football Association
When the Argentine Football Association (AFA) suffered a significant cyberattack, media outlets were quick to cover the fallout. The breach resulted in sensitive database leaks and unauthorized communications originating from official AFA domains, causing severe reputational and operational damage.
The incident was also widely reported on X, including from accounts like Polymarket with tens of thousands of likes.
While the headlines focused on the aftermath, the crucial question remained: How did the threat actors gain access? At Hudson Rock, our threat intelligence analysts dove into the data, tracing the incident back to its highly likely root cause. The findings highlight a pervasive and often overlooked threat in the cybersecurity landscape: Infostealer infections.
The Patient Zero: A Dormant Infection
Our investigation indicates it is highly likely that the intrusion was not the result of a zero-day exploit or a sophisticated, multi-layered APT operation. Instead, it was likely facilitated by a compromised computer belonging to an individual with administrative access to various AFA systems. Based on a Facebook and X account our researchers were able to locate, this infected computer belongs to a person employed as a software developer at AFA for almost a decade.
As the data shows, this individual’s machine was infected by an Infostealer on September 8th, 2025. Hudson Rock’s cybercrime intelligence API detected and added this compromised machine to our database the very next day, on September 9th, 2025.
This timeline is critical. It underscores a common tactic among modern threat actors: data hoarding. The compromised credentials were not used immediately. They sat dormant, likely sold on illicit dark web markets or held in private logs until a capable threat actor decided to monetize them. This hack was easily avoidable. Had the organization proactively monitored for compromised employee credentials via threat intelligence feeds, they could have forced a password reset months before the actual intrusion took place.
The Scope of Access:
Once the threat actor decided to act, they didn’t just have standard user access, they highly likely had profound administrative control. The infostealer had vacuumed up credentials that bypassed standard web application interfaces entirely.
By analyzing the recovered logs from the infected machine, we identified exactly how the database was likely exfiltrated. The compromised user had saved administrative credentials for several critical AFA subdomains in their browser.
The logs revealed direct access to phpMyAdmin panels, a web-based database management tool. Specifically, the hacker likely gained root-level access to databases hosted on afa05-new.afa.org.ar or acreditaciones.afa.com.ar (both of which are currently down). Additionally, the logs contained credentials for afasistemas.com.ar, which likely enabled the threat actor to subsequently send out the malicious mass emails.
A closer look at the credentials data reveals an even broader scope of potential compromise. The logs contained access to ezeiza.afasistemas.com.ar, the internal sports management portal for AFA’s national training headquarters. Furthermore, the infected machine held stored access to the AFA media portal (media.afa.org.ar) and the competition management system (comet.afa.org.ar). Alarmingly, the data shows that a very weak, guessable password was reused across several of these critical internal portals.
With valid credentials for phpMyAdmin and these internal systems, the hacker didn’t need to find a SQL injection vulnerability or bypass a Web Application Firewall. They simply logged in as an administrator, viewed the raw database tables, and exported whatever they wanted, including credentials, user data, and accreditation details.
The Fallout: Extortion and Leaked Samples
This direct DB access is highly likely what allowed the hacker to post samples of the database online. The hacker’s motives went beyond just stealing data, they wanted to make a statement and maximize disruption.
A close examination of the database snippet provided by the threat actor reveals the severe nature of the leak. The dumped tables contain highly sensitive information belonging to internal AFA staff, affiliated clubs, and external media partners, including prominent international sports networks and local newspapers. The compromised records expose internal email addresses, phone numbers, user roles, registration timestamps, and password data. While many passwords appear to be securely hashed, the presence of highly insecure plaintext passwords among the records highlights a significant security oversight. This exposure leaves these individuals highly vulnerable to credential stuffing and secondary targeted attacks.
Beyond the data leak itself, intelligence indicates that the threat actor is reportedly actively selling control to subdomains associated with the AFA on illicit forums. This demonstrates a multifaceted approach to monetizing the breach, posing an ongoing risk to the organization’s web infrastructure.
Adding Insult to Injury: Hijacking Official Comms
The stolen logs also included credentials for afasistemas.com.ar. This domain is the internal sports management portal used by the AFA. By hijacking this system, the attacker was able to weaponize the AFA’s own infrastructure.
Using the compromised access, the hacker highly likely sent out mass emails originating from legitimate AFA servers. Because these emails came from the authentic afasistemas.com.ar domain, they bypassed standard anti-spoofing protections like SPF and DKIM, landing directly in recipients’ inboxes and amplifying the chaos of the incident.
The Verdict
The AFA breach is a textbook example of how devastating a single, unmitigated infostealer infection can be. A compromised machine belonging to a developer with high-level access highly likely handed a threat actor direct database administration rights and the ability to send authenticated internal emails. Because the stolen credentials sat dormant for months, the organization was lulled into a false sense of security, completely unaware of the ticking time bomb in their network infrastructure.
To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here:
https://www.hudsonrock.com/schedule-demo
We also provide access to various free cybercrime intelligence tools that you can find here:
www.hudsonrock.com/free-tools
Thanks for reading, Rock Hudson Rock!
Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock
Follow us on Twitter: https://www.twitter.com/RockHudsonRock
The post Infostealer Malware Triggers Major Database Breach at the Argentine Football Association appeared first on InfoStealers.