A Breach in Uzbekistan’s Digital Infrastructure Exposes the Risks of Rapid E-Government Expansion

Executive Summary In late January 2026, three government information systems in Uzbekistan were targeted by cyberattacks over a four-day period (January 27–30), resulting in the exposure of approximately 60,000 unique data records [15]. Initial claims circulating on social media and Reddit suggested that up to 15 million citizen records had been compromised through a breach of the central OAuth server of the e-government (E-Gov) platform [1][3]. However, following an official investigation, Digital Technologies Minister Sherzod Shermatov confirmed on February 12 that the actual scope was significantly smaller[15]. [15] [1][3] 15] The Government of Uzbekistan responded promptly, launching an investigation through its Cybersecurity Center and establishing an operational task force [1][2]. In the days following the initial disclosure, online microcredit issuance was temporarily suspended as a precautionary measure, and banks reinforced their security postures [9]. [1][2] [9] This incident occurs against a backdrop of escalating cyber threats — with over 7 million cyber threats prevented in 2024 and 107 million in 2025 [15], and a 68-fold increase in cybercrime over the past five years (from 863 crimes in 2019 to 58,800 in 2024) [16]. Separate research from Group-IB and Kaspersky has documented an active advanced persistent threat group known as Bloody Wolf (also tracked as Stan Ghouls) that has been conducting targeted operations against government agencies and financial institutions across Central Asia, including Uzbekistan [4][5]. While no direct attribution has been made between Bloody Wolf and this specific breach, the group's sustained focus on the region underscores the increasingly sophisticated threat environment facing Uzbekistan's digital infrastructure. Bloody Wolf Stan Ghouls [4][5] 1. What Happened Between January 27 and 30, 2026, information systems of three government agencies in Uzbekistan were targeted by cyberattacks [15]. On or around February 1–2, links to several resources, including darknet platforms, were shared on social media and Reddit claiming that data from Uzbekistan's government information systems had been posted online [1]. The data was allegedly sourced from government information systems, with the central OAuth authentication server of the e-government (E-Gov) platform identified as the potential point of compromise [1][3]. [1] [1][3] The OAuth server serves as a trusted single sign-on gateway, enabling citizens and institutions to authenticate across a wide range of government and non-government services. Because of its centralized role, any compromise of this system has the potential to cascade across connected platforms. Confirmed Scope (February 12 Update) According to Digital Technologies Minister Sherzod Shermatov's press conference on February 12, 2026 [15]: Approximately 60,000 unique data records were exposed (individual data units, not 60,000 citizens) The initial claim of 15 million citizen records was rejected as inaccurate C7 Cybersecurity specialists confirmed the attacker's sample contained only 5,522 records, along with 24 photographs of Interior Ministry employees, 15,874 records of medical workers from the National Social Protection Agency, and 446 mortgage records from the Mortgage Refinancing Company Further unauthorized access attempts were blocked and technical security measures reinforced Additional safeguards were implemented in the Unified Identification System (OneID) Approximately 60,000 unique data records were exposed (individual data units, not 60,000 citizens) 60,000 unique data records The initial claim of 15 million citizen records was rejected as inaccurate C7 Cybersecurity specialists confirmed the attacker's sample contained only 5,522 records, along with 24 photographs of Interior Ministry employees, 15,874 records of medical workers from the National Social Protection Agency, and 446 mortgage records from the Mortgage Refinancing Company 5,522 records 24 photographs 15,874 records 446 mortgage records Further unauthorized access attempts were blocked and technical security measures reinforced Additional safeguards were implemented in the Unified Identification System (OneID) Systems Identified as Potentially Impacted Based on reports from multiple credible Uzbek news outlets including Gazeta.uz, UzDaily.uz, and Zamin.uz [1][2][3]: [1][2][3] National Social Protection Agency (IHMA.UZ) — medical records and social protection data State Statistics Committee (STAT.UZ) — demographic and census-related data Mortgage Refinancing Company (UZMRC.UZ) — financial and housing records Ministry of Internal Affairs systems — law enforcement-related citizen data University and educational institution portals — student and faculty records Banking and commercial organization portals — financial authentication data National Social Protection Agency (IHMA.UZ) — medical records and social protection data National Social Protection Agency (IHMA.UZ) State Statistics Committee (STAT.UZ) — demographic and census-related data State Statistics Committee (STAT.UZ) Mortgage Refinancing Company (UZMRC.UZ) — financial and housing records Mortgage Refinancing Company (UZMRC.UZ) Ministry of Internal Affairs systems — law enforcement-related citizen data Ministry of Internal Affairs systems University and educational institution portals — student and faculty records University and educational institution portals Banking and commercial organization portals — financial authentication data Banking and commercial organization portals Data Types Potentially Exposed Data Category Details Personal Identifiers Full name, date of birth, internal user ID Contact Information Phone number, email address, residential address Identity Documents Passport number and related details Authentication Data Logins, passwords, user photographs Sensitive Records Workplace details, medical histories, government service records Data Category Details Personal Identifiers Full name, date of birth, internal user ID Contact Information Phone number, email address, residential address Identity Documents Passport number and related details Authentication Data Logins, passwords, user photographs Sensitive Records Workplace details, medical histories, government service records Data Category Details Data Category Data Category Details Details Personal Identifiers Full name, date of birth, internal user ID Personal Identifiers Personal Identifiers Full name, date of birth, internal user ID Full name, date of birth, internal user ID Contact Information Phone number, email address, residential address Contact Information Contact Information Phone number, email address, residential address Phone number, email address, residential address Identity Documents Passport number and related details Identity Documents Identity Documents Passport number and related details Passport number and related details Authentication Data Logins, passwords, user photographs Authentication Data Authentication Data Logins, passwords, user photographs Logins, passwords, user photographs Sensitive Records Workplace details, medical histories, government service records Sensitive Records Sensitive Records Workplace details, medical histories, government service records Workplace details, medical histories, government service records 2. How It Happened While the official investigation by Uzbekistan's Cybersecurity Center is still underway, cybersecurity experts have offered preliminary assessments of the likely attack vectors. The Central OAuth Server as a Single Point of Entry The e-government OAuth server functions as the authentication backbone for dozens of interconnected services. OAuth 2.0 is an industry-standard authorization framework widely used around the world. However, as noted by security researchers globally, OAuth implementations are inherently prone to misconfiguration if not continuously audited and hardened. In centralized deployments, compromising the OAuth provider grants cascading access to all relying parties. Supply Chain Attack Hypothesis Dmitry Paleyev, Director of the corporate cybersecurity firm ONESEC, suggested this may not have been a single isolated breach but rather a supply chain attack [1]. In such scenarios, compromising one component within a connected infrastructure can grant lateral access to other systems in the same network. This is a well-documented tactic used by advanced threat actors globally. [1] Contributing Factors in Context Uzbekistan has been undergoing rapid digital transformation, with significant investment in e-government services. The country aims to digitize 70% of public services and expand its IT services exports to $5 billion by 2030 as part of the Uzbekistan–2030 Strategy [17]. Over 760 public services have already been digitized, with approximately 10 million citizens using digital platforms annually [18]. The incident highlights a universal challenge: the need for cybersecurity maturity to scale in lockstep with digital adoption. [17]. [18] Expert Perspective: "The actual threat may be greatly exaggerated and may not correspond to reality. As experience shows, this data is often greatly exaggerated and compiled from various sources, including old data and data collected from various systems." — Dmitry Paleyev, Director, ONESEC [1] Expert Perspective: "The actual threat may be greatly exaggerated and may not correspond to reality. As experience shows, this data is often greatly exaggerated and compiled from various sources, including old data and data collected from various systems." — Dmitry Paleyev, Director, ONESEC [1] Expert Perspective: Expert Perspective: "The actual threat may be greatly exaggerated and may not correspond to reality. As experience shows, this data is often greatly exaggerated and compiled from various sources, including old data and data collected from various systems." — Dmitry Paleyev, Director, ONESEC [1] 3. Government Response The Government of Uzbekistan demonstrated a proactive and organized response. Multiple agencies acted swiftly to address public concerns, initiate investigations, and issue guidance to citizens [1][2]. [1][2] Response Timeline Date Action Jan 27–30 Three government information systems targeted by cyberattacks [15] Feb 1–2 Links to darknet resources shared on Reddit and social media [1] Feb 3 Cybersecurity Center confirmed investigation launch; issued public guidance [1] Feb 3 National Social Protection Agency confirmed cyberattack on archival database; task force established [2] Feb 3 Statistics Committee confirmed census data stored encrypted on separate servers [1] Feb 3–4 Tax Committee and Interior Ministry denied breaches; systems functioning normally [1] Feb 5–6 Online microcredit issuance suspended; Central Bank reinforced oversight [9] Feb 12 Minister Shermatov confirmed ~60,000 records exposed; additional OneID safeguards [15] Date Action Jan 27–30 Three government information systems targeted by cyberattacks [15] Feb 1–2 Links to darknet resources shared on Reddit and social media [1] Feb 3 Cybersecurity Center confirmed investigation launch; issued public guidance [1] Feb 3 National Social Protection Agency confirmed cyberattack on archival database; task force established [2] Feb 3 Statistics Committee confirmed census data stored encrypted on separate servers [1] Feb 3–4 Tax Committee and Interior Ministry denied breaches; systems functioning normally [1] Feb 5–6 Online microcredit issuance suspended; Central Bank reinforced oversight [9] Feb 12 Minister Shermatov confirmed ~60,000 records exposed; additional OneID safeguards [15] Date Action Date Date Action Action Jan 27–30 Three government information systems targeted by cyberattacks [15] Jan 27–30 Jan 27–30 Three government information systems targeted by cyberattacks [15] Three government information systems targeted by cyberattacks [15] Feb 1–2 Links to darknet resources shared on Reddit and social media [1] Feb 1–2 Feb 1–2 Links to darknet resources shared on Reddit and social media [1] Links to darknet resources shared on Reddit and social media [1] Feb 3 Cybersecurity Center confirmed investigation launch; issued public guidance [1] Feb 3 Feb 3 Cybersecurity Center confirmed investigation launch; issued public guidance [1] Cybersecurity Center confirmed investigation launch; issued public guidance [1] Feb 3 National Social Protection Agency confirmed cyberattack on archival database; task force established [2] Feb 3 Feb 3 National Social Protection Agency confirmed cyberattack on archival database; task force established [2] National Social Protection Agency confirmed cyberattack on archival database; task force established [2] Feb 3 Statistics Committee confirmed census data stored encrypted on separate servers [1] Feb 3 Feb 3 Statistics Committee confirmed census data stored encrypted on separate servers [1] Statistics Committee confirmed census data stored encrypted on separate servers [1] Feb 3–4 Tax Committee and Interior Ministry denied breaches; systems functioning normally [1] Feb 3–4 Feb 3–4 Tax Committee and Interior Ministry denied breaches; systems functioning normally [1] Tax Committee and Interior Ministry denied breaches; systems functioning normally [1] Feb 5–6 Online microcredit issuance suspended; Central Bank reinforced oversight [9] Feb 5–6 Feb 5–6 Online microcredit issuance suspended; Central Bank reinforced oversight [9] Online microcredit issuance suspended; Central Bank reinforced oversight [9] Feb 12 Minister Shermatov confirmed ~60,000 records exposed; additional OneID safeguards [15] Feb 12 Feb 12 Minister Shermatov confirmed ~60,000 records exposed; additional OneID safeguards [15] Minister Shermatov confirmed ~60,000 records exposed; additional OneID safeguards [15] 4. Impact on the Financial Sector Microcredit Suspension Uzbekistan temporarily suspended online microcredit issuance following reports that compromised citizen data could be used to fraudulently obtain microloans [9]. This action, while disruptive, reflects a responsible approach to protecting citizens from secondary exploitation. [9] Banking Sector Response Multiple banks reinforced their authentication and monitoring systems. The Central Bank maintained that core banking infrastructure had not been directly compromised [2]. Voluntary Credit Ban Service Uzbekistan introduced a voluntary credit ban service in June 2025, allowing citizens to prohibit loan issuance without personal authorization (Law No. ZRU-1043) [19]. By October 2025, approximately 150,000 citizens had enrolled [20]. By January 1, 2026, enrollment had risen to over 438,000 [21]. The breach is expected to further accelerate adoption. [19] [20] [21] Cybercrime Growth Context According to the Interior Ministry's Cybercrime Center, Uzbekistan experienced a 68-fold increase in cybercrime between 2019 and 2024 — from 863 crimes in 18 categories to 58,800 in 62 categories [16]. Between 2021 and 2024, cybercrimes resulted in the theft of over 1.9 trillion soums ($148.9 million) from citizens [16]. [16] [16] 5. Active Threat Landscape: Bloody Wolf Independent of this breach, published research from leading cybersecurity firms has documented sustained threat activity targeting the region. Threat Actor Overview A threat group tracked as Bloody Wolf — also identified by Kaspersky as Stan Ghouls [5] — has been conducting targeted operations against organizations in Central Asia since at least late 2023. The group primarily targets government agencies, financial institutions, and IT companies [4]. According to Kaspersky, the primary motivation appears to be financial gain, though their methods also suggest cyberespionage capabilities [5]. Bloody Wolf Stan Ghouls [5] [4] [5] Activity Timeline Period Activity Late 2023 Group first identified, targeting Kazakhstan and Russia [5] May 2025 Kaspersky first flags NetSupport RAT config [5] Jun 2025 Campaign in Kyrgyzstan targeting government, financial, IT sectors [4] Oct 2025 Operations expand to Uzbekistan [4] Nov 2025 Group-IB / UKUK publish joint advisory [4] Feb 5, 2026 Kaspersky identifies ~50 victims in Uzbekistan, 60+ total [5] Period Activity Late 2023 Group first identified, targeting Kazakhstan and Russia [5] May 2025 Kaspersky first flags NetSupport RAT config [5] Jun 2025 Campaign in Kyrgyzstan targeting government, financial, IT sectors [4] Oct 2025 Operations expand to Uzbekistan [4] Nov 2025 Group-IB / UKUK publish joint advisory [4] Feb 5, 2026 Kaspersky identifies ~50 victims in Uzbekistan, 60+ total [5] Period Activity Period Period Activity Activity Late 2023 Group first identified, targeting Kazakhstan and Russia [5] Late 2023 Late 2023 Group first identified, targeting Kazakhstan and Russia [5] Group first identified, targeting Kazakhstan and Russia [5] May 2025 Kaspersky first flags NetSupport RAT config [5] May 2025 May 2025 Kaspersky first flags NetSupport RAT config [5] Kaspersky first flags NetSupport RAT config [5] Jun 2025 Campaign in Kyrgyzstan targeting government, financial, IT sectors [4] Jun 2025 Jun 2025 Campaign in Kyrgyzstan targeting government, financial, IT sectors [4] Campaign in Kyrgyzstan targeting government, financial, IT sectors [4] Oct 2025 Operations expand to Uzbekistan [4] Oct 2025 Oct 2025 Operations expand to Uzbekistan [4] Operations expand to Uzbekistan [4] Nov 2025 Group-IB / UKUK publish joint advisory [4] Nov 2025 Nov 2025 Group-IB / UKUK publish joint advisory [4] Group-IB / UKUK publish joint advisory [4] Feb 5, 2026 Kaspersky identifies ~50 victims in Uzbekistan, 60+ total [5] Feb 5, 2026 Feb 5, 2026 Kaspersky identifies ~50 victims in Uzbekistan, 60+ total [5] Kaspersky identifies ~50 victims in Uzbekistan, 60+ total [5] Key Findings Group-IB / UKUK (November 2025): Documented a sustained campaign by Bloody Wolf targeting government structures and financial systems in Kyrgyzstan and Uzbekistan, employing sophisticated social engineering and impersonating government ministries [4][3]. Group-IB / UKUK (November 2025): [4][3] Kaspersky Securelist (February 5, 2026): Identified ~50 compromised organizations in Uzbekistan across manufacturing, finance, and IT. About 10 devices in Russia also impacted. The group used spear-phishing emails in Russian and Uzbek. Infrastructure was also hosting Mirai IoT malware, suggesting potential toolkit expansion (assessed with low confidence) [5]. Kaspersky Securelist (February 5, 2026): [5] Media Coverage: Campaigns covered by The Hacker News [6], Infosecurity Magazine [7], SC Media, and Cyberpress. Media Coverage: [6] [7], ⚠ Important Note on Attribution There is no publicly confirmed direct attribution between Bloody Wolf / Stan Ghouls and the January 2026 government agency breach. However, the group's documented targeting of Uzbek government systems illustrates the advanced and persistent nature of threats facing the country's digital infrastructure. 6. Prior Cybersecurity Incidents Date Incident Source 2023 Over 11.2 million cyberattacks on web resources [22] 2024 Over 7 million cyber threats prevented [15] 2025 Over 107 million cyber threats prevented [15] Jul 2025 Hacker forum listing: 21M citizen records for sale [10] Aug 2025 Uzbekistan Airways data breach — passports, system credentials [10] Date Incident Source 2023 Over 11.2 million cyberattacks on web resources [22] 2024 Over 7 million cyber threats prevented [15] 2025 Over 107 million cyber threats prevented [15] Jul 2025 Hacker forum listing: 21M citizen records for sale [10] Aug 2025 Uzbekistan Airways data breach — passports, system credentials [10] Date Incident Source Date Date Incident Incident Source Source 2023 Over 11.2 million cyberattacks on web resources [22] 2023 2023 Over 11.2 million cyberattacks on web resources Over 11.2 million cyberattacks on web resources [22] [22] 2024 Over 7 million cyber threats prevented [15] 2024 2024 Over 7 million cyber threats prevented Over 7 million cyber threats prevented [15] [15] 2025 Over 107 million cyber threats prevented [15] 2025 2025 Over 107 million cyber threats prevented Over 107 million cyber threats prevented [15] [15] Jul 2025 Hacker forum listing: 21M citizen records for sale [10] Jul 2025 Jul 2025 Hacker forum listing: 21M citizen records for sale Hacker forum listing: 21M citizen records for sale [10] [10] Aug 2025 Uzbekistan Airways data breach — passports, system credentials [10] Aug 2025 Aug 2025 Uzbekistan Airways data breach — passports, system credentials Uzbekistan Airways data breach — passports, system credentials [10] [10] 7. Legal and Regulatory Framework Law on Personal Data (No. ZRU-547): Effective October 2019, governs processing and protection of personal data [12] Law on Cybersecurity (No. ZRU-764): Enacted April 2022, establishing the national cybersecurity framework [13] Law on Credit Information Exchange (No. ZRU-1043): Signed March 2025, introducing voluntary credit ban services [19] Presidential Decree No. PP-153 (April 2025): Compulsory breach notifications and legal liability for data incidents [14] Law on Personal Data (No. ZRU-547): Effective October 2019, governs processing and protection of personal data [12] Law on Personal Data (No. ZRU-547): [12] Law on Cybersecurity (No. ZRU-764): Enacted April 2022, establishing the national cybersecurity framework [13] Law on Cybersecurity (No. ZRU-764): [13] Law on Credit Information Exchange (No. ZRU-1043): Signed March 2025, introducing voluntary credit ban services [19] Law on Credit Information Exchange (No. ZRU-1043): [19] Presidential Decree No. PP-153 (April 2025): Compulsory breach notifications and legal liability for data incidents [14] Presidential Decree No. PP-153 (April 2025): [14] 8. Remediation Framework Based on NIST CSF 2.0, ISO 27001:2022, and CIS Controls v8 [11]: [11] Phase 1: Immediate Containment Isolate and audit the OAuth server — full forensic audit including token issuance logs, session records, API access patterns Mandatory credential reset — enforce password reset; invalidate all OAuth tokens and session cookies Enable MFA — across all government portals and relying party applications Revoke and rotate all API keys — all shared secrets and client secrets in the OAuth ecosystem Dark web monitoring — engage threat intelligence services to track compromised data distribution Isolate and audit the OAuth server — full forensic audit including token issuance logs, session records, API access patterns Isolate and audit the OAuth server Mandatory credential reset — enforce password reset; invalidate all OAuth tokens and session cookies Mandatory credential reset Enable MFA — across all government portals and relying party applications Enable MFA Revoke and rotate all API keys — all shared secrets and client secrets in the OAuth ecosystem Revoke and rotate all API keys Dark web monitoring — engage threat intelligence services to track compromised data distribution Dark web monitoring Phase 2: Structural Hardening Zero Trust Architecture — verify every access request; implement micro-segmentation Deploy SIEM and EDR — continuous monitoring and rapid threat detection Privileged Access Management — control and audit privileged access to authentication infrastructure Network segmentation — isolate critical authentication systems from general traffic Regular penetration testing — periodic red team exercises on government-facing systems Zero Trust Architecture — verify every access request; implement micro-segmentation Zero Trust Architecture Deploy SIEM and EDR — continuous monitoring and rapid threat detection Deploy SIEM and EDR Privileged Access Management — control and audit privileged access to authentication infrastructure Privileged Access Management Network segmentation — isolate critical authentication systems from general traffic Network segmentation Regular penetration testing — periodic red team exercises on government-facing systems Regular penetration testing Phase 3: Long-Term Resilience National cybersecurity workforce development Incident response planning — develop and regularly test comprehensive IR plans Supply chain security audits — ongoing assessments of third-party vendors Public awareness campaigns — citizen education on password hygiene, phishing, data protection National cybersecurity workforce development National cybersecurity workforce development Incident response planning — develop and regularly test comprehensive IR plans Incident response planning Supply chain security audits — ongoing assessments of third-party vendors Supply chain security audits Public awareness campaigns — citizen education on password hygiene, phishing, data protection Public awareness campaigns 9. Recommended Actions for Citizens Per guidance from the Cybersecurity Center and Digital Technologies Ministry [1][15]: [1][15]: Change all passwords immediately, especially for government services Enable two-factor authentication on all accounts Do not share personal information with unknown parties Avoid suspicious websites and links received via email or messaging Use strong, unique passwords for government and financial services Monitor financial accounts — consider activating the voluntary credit ban via my.gov.uz Report suspicious activity to the Cybersecurity Center and law enforcement Be vigilant against social engineering — attackers may pose as bank employees and cite known personal details to request SMS codes [15] Change all passwords immediately, especially for government services Change all passwords Enable two-factor authentication on all accounts Enable two-factor authentication Do not share personal information with unknown parties Do not share personal information Avoid suspicious websites and links received via email or messaging Avoid suspicious websites and links Use strong, unique passwords for government and financial services Use strong, unique passwords Monitor financial accounts — consider activating the voluntary credit ban via my.gov.uz Monitor financial accounts Report suspicious activity to the Cybersecurity Center and law enforcement Report suspicious activity Be vigilant against social engineering — attackers may pose as bank employees and cite known personal details to request SMS codes [15] Be vigilant against social engineering [15] 10. Sources and References [1]Gazeta.uz — "Uzbekistan investigates alleged leak of citizens' personal data on darknet" (Feb 4, 2026)https://www.gazeta.uz/en/2026/02/04/darknet/ [2]UzDaily.uz — "Uzbekistan's National Social Protection Agency Confirms Cyberattack on Archival Data" (Feb 2026)https://www.uzdaily.uz/en/uzbekistans-national-social-protection-agency-confirms-cyberattack-on-archival-data/ [3]Zamin.uz — "It is said that the data of 15 million citizens has been leaked" (Feb 3, 2026)https://zamin.uz/en/society/185508 [4]Group-IB / UKUK — Joint advisory on Bloody Wolf APT operations in Kyrgyzstan and Uzbekistan (Nov 2025) [5]Kaspersky Securelist — "Stan Ghouls attacks in Russia and Uzbekistan: NetSupport RAT and potential IoT interest" (Feb 5, 2026)https://securelist.com/stan-ghouls-in-uzbekistan/118738/ [6]The Hacker News — "Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT" (Feb 2026)https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html [7]Infosecurity Magazine — "Bloody Wolf Threat Actor Expands Activity Across Central Asia" (Dec 2025) [9]Pressa.uz — Banking sector response and microcredit suspension reporting (Feb 2026) [10]Brinztech — "Data Leak of 21+ Million Uzbekistan Citizens on Sale" (Jul 31, 2025); "Massive Data Breach at Uzbekistan Airways" (Aug 20, 2025)brinztech.com — 21M listing · brinztech.com — Airways breach [11]NIST Cybersecurity Framework (CSF) 2.0, ISO 27001:2022, CIS Controls v8 [12]Uzbekistan Law on Personal Data (No. ZRU-547, Oct 2019) [13]Uzbekistan Law on Cybersecurity (No. ZRU-764, Apr 2022) [14]Presidential Decree No. PP-153 (Apr 2025) [15]Gazeta.uz — "Uzbekistan cyberattack exposed 60,000 records, not data of 15 million citizens" (Feb 13, 2026)https://www.gazeta.uz/en/2026/02/13/data-leak/ [16]Gazeta.uz — "Cybercrimes in Uzbekistan increase 68-fold in five years" (May 31, 2025), citing Interior Ministry Cybercrime Centerhttps://www.gazeta.uz/en/2025/05/31/cybercrime/ [17]UzDaily.uz — Uzbekistan–2030 Strategy, $5B IT export target (Jan 2, 2026)https://www.uzdaily.uz/en/uzbekistan-plans-to-increase-international-internet-capacity... [18]Euronews — "Uzbekistan's ICT Week 2025" (Sep 26, 2025)https://www.euronews.com/next/2025/09/26/uzbekistans-ict-week-2025... [19]Law on Credit Information Exchange (No. ZRU-1043, Mar 4, 2025)yuz.uz — credit ban law [20]Newsline Uzbekistan — 150K credit ban enrollment as of Oct 1, 2025https://newslineuz.com/article/1220891/ [21]Yuz.uz — 438K credit ban enrollment as of Jan 1, 2026yuz.uz — 440K enrollment [22]UzDaily.uz — "Over 11.2 million cyber-attacks were launched against web resources in Uzbekistan" (2024)https://www.uzdaily.uz/en/over-112-million-cyber-attacks... [1]Gazeta.uz — "Uzbekistan investigates alleged leak of citizens' personal data on darknet" (Feb 4, 2026)https://www.gazeta.uz/en/2026/02/04/darknet/ https://www.gazeta.uz/en/2026/02/04/darknet/ [2]UzDaily.uz — "Uzbekistan's National Social Protection Agency Confirms Cyberattack on Archival Data" (Feb 2026)https://www.uzdaily.uz/en/uzbekistans-national-social-protection-agency-confirms-cyberattack-on-archival-data/ https://www.uzdaily.uz/en/uzbekistans-national-social-protection-agency-confirms-cyberattack-on-archival-data/ [3]Zamin.uz — "It is said that the data of 15 million citizens has been leaked" (Feb 3, 2026)https://zamin.uz/en/society/185508 https://zamin.uz/en/society/185508 [4]Group-IB / UKUK — Joint advisory on Bloody Wolf APT operations in Kyrgyzstan and Uzbekistan (Nov 2025) [5]Kaspersky Securelist — "Stan Ghouls attacks in Russia and Uzbekistan: NetSupport RAT and potential IoT interest" (Feb 5, 2026)https://securelist.com/stan-ghouls-in-uzbekistan/118738/ https://securelist.com/stan-ghouls-in-uzbekistan/118738/ [6]The Hacker News — "Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT" (Feb 2026)https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html [7]Infosecurity Magazine — "Bloody Wolf Threat Actor Expands Activity Across Central Asia" (Dec 2025) [9]Pressa.uz — Banking sector response and microcredit suspension reporting (Feb 2026) [10]Brinztech — "Data Leak of 21+ Million Uzbekistan Citizens on Sale" (Jul 31, 2025); "Massive Data Breach at Uzbekistan Airways" (Aug 20, 2025)brinztech.com — 21M listing · brinztech.com — Airways breach brinztech.com — 21M listing brinztech.com — Airways breach [11]NIST Cybersecurity Framework (CSF) 2.0, ISO 27001:2022, CIS Controls v8 [12]Uzbekistan Law on Personal Data (No. ZRU-547, Oct 2019) [13]Uzbekistan Law on Cybersecurity (No. ZRU-764, Apr 2022) [14]Presidential Decree No. PP-153 (Apr 2025) [15]Gazeta.uz — "Uzbekistan cyberattack exposed 60,000 records, not data of 15 million citizens" (Feb 13, 2026)https://www.gazeta.uz/en/2026/02/13/data-leak/ https://www.gazeta.uz/en/2026/02/13/data-leak/ [16]Gazeta.uz — "Cybercrimes in Uzbekistan increase 68-fold in five years" (May 31, 2025), citing Interior Ministry Cybercrime Centerhttps://www.gazeta.uz/en/2025/05/31/cybercrime/ https://www.gazeta.uz/en/2025/05/31/cybercrime/ [17]UzDaily.uz — Uzbekistan–2030 Strategy, $5B IT export target (Jan 2, 2026)https://www.uzdaily.uz/en/uzbekistan-plans-to-increase-international-internet-capacity... https://www.uzdaily.uz/en/uzbekistan-plans-to-increase-international-internet-capacity... [18]Euronews — "Uzbekistan's ICT Week 2025" (Sep 26, 2025)https://www.euronews.com/next/2025/09/26/uzbekistans-ict-week-2025... https://www.euronews.com/next/2025/09/26/uzbekistans-ict-week-2025... [19]Law on Credit Information Exchange (No. ZRU-1043, Mar 4, 2025)yuz.uz — credit ban law yuz.uz — credit ban law [20]Newsline Uzbekistan — 150K credit ban enrollment as of Oct 1, 2025https://newslineuz.com/article/1220891/ https://newslineuz.com/article/1220891/ [21]Yuz.uz — 438K credit ban enrollment as of Jan 1, 2026yuz.uz — 440K enrollment yuz.uz — 440K enrollment [22]UzDaily.uz — "Over 11.2 million cyber-attacks were launched against web resources in Uzbekistan" (2024)https://www.uzdaily.uz/en/over-112-million-cyber-attacks... https://www.uzdaily.uz/en/over-112-million-cyber-attacks...