“TalibLeaks”: Massive Taliban data leak offers few real insights


Afghan Witness


Feature image: screenshot of the talibleaks.io website.


50GB of hacked documents mostly contain mundane administrative files.

On 5 February 2025, a group calling themselves “TalibLeaks” on X announced that they had accessed the computer systems of the Taliban, and subsequently posted thousands of alleged internal Taliban documents on the website talibleaks.io [Warning: Potentially unsafe website].

The documents are arranged by folders corresponding to different Taliban ministries and state bodies, in total containing over 50GB of uncompressed data. TalibLeaks has previously claimed to have leaked Taliban data from the IEA in 2023 and 2024, although AW’s internal analysis of those data dumps revealed little of significance, as they mainly consisted of generic internal documents or decrees that had already been made public.

The table below details the state bodies included in the leak and the amount of data from each body (in total, 20.5 GB of data while compressed). Most data comes from the Ministry of Foreign Affairs, and the least from the Ministry of Industry and Commerce.

Due to the high number of documents leaked, AW focused its initial analysis on the data allegedly from the Supreme Court, the Ministry for the Propagation of Virtue and the Prevention of Vice (MPVPV), the Office of Prison Affairs (OPA), and the Ministry of Justice (MoJ).


Figure 1: Table showing the leaked folders, the state body included, the corresponding file name, and the file size in megabytes (MB) while compressed.

The folders each contain several hundreds or thousands of files, including images, PDFs, videos, and spreadsheets. The metadata has been completely removed from all files, removing any identifying information from the files themselves. Filenames have also been replaced with a random hexadecimal string.

These modifications to the metadata mean that file creation dates are likely to be misrepresentative. Many PDFs within the leaked files, however, appear to be scans of paper documents (memos and other administrative communications) that are dated. From an analysis of these documents, AW was able to determine that the leaked data comes exclusively from 2024. The oldest files appear in the Supreme Court folder, while the most recent files appear in the Ministry of Justice folder (dated December 2024).

The documents mainly contain standard bureaucratic and internal communication from within the de facto Taliban administration. The Supreme Court and MoJ files, for example, included notes on prison populations as well as achievements and work of courts throughout the country. Similarly, the MPVPV files contained requests and instructions from the Ministry to its provincial departments about issues including procurement, the use of vehicles, or the need to implement the PVPV Law announced in August 2024.

The images seem to indicate that the files have been taken from various breached accounts of staff at the ministries. For example, they include images that were apparently screengrabs taken from social media sites, as well as personal information such as scanned copies of Afghan ID cards (it is unclear whose, but possibly ministry staff members).

All of the folders — irrespective of ministry — also contain application forms for trainings organised at the National Institute of Secretariat Training & Development in New Delhi. This cannot be immediately explained from the available material.

Figure 2: a screenshot showing an example of the contents of the leaked files. All the file names have been replaced with hexadecimal strings.

On 14 February, Afghanistan International published an interview with “TalibLeaks”, although without revealing more about their identities or how many people were interviewed. In the article, “TalibLeaks” claimed that infiltrating the Taliban computer systems was a trivial matter for anyone with experience in cybersecurity. For example, the group claimed that the password for the Taliban cybersecurity chief’s email is “12345678”.

They also said that cybersecurity standards vary considerably between Taliban factions. For example, Haqqani Network members have relatively robust cybersecurity protocols, while the Kandahari faction around the Supreme Leader is harder to breach, since they still mainly rely on paper-based communication.

In response, the Taliban Ministry of Communications and Technology acknowledged that data had been leaked, but claimed that their central databases had not been breached. Instead, the Ministry alleged that the documents had been accessed from “individual computers” without proper security measures, which is in line with our initial assessment.

A second hack targeting the Taliban Ministry of Defence

A week after the data breach from “TalibLeaks”, on 11 February another group of hackers calling themselves the “Cyber soldiers of the Persian Tajik” claimed to have hacked the website of the Taliban Ministry of Defence (MoD). The group defaced the website by adding its logo to the homepage, but has so far not published any data it may have obtained.

A link to the Telegram channel H373_Team (127,000+ subscribers) was also added to the MoD website as part of the hack. The channel’s admin released a statement saying that the group called “Cyber soldiers of the Persian Tajik” actually doesn’t exist, and that he had defaced the website to stand in solidarity with “Persians and Tajiks” of Afghanistan. Based on the channel’s content, the admin appears to be based in Iran. The account is also linked to a phone number with the Iranian country code of +98.

Figure 3: An image showing the defaced website of the Taliban Ministry of Defence. It shows the name and logo of the group as well as a link to a Telegram channel.
