Hacker Claims Full Breach of Russia’s Max Messenger, Threatens Public Leak

HackRead · Jan 14, 2026

Why It Matters

The breach could expose personal data of millions, erode trust in Russia’s state‑endorsed messaging service, and reveal potential backdoors, raising national cybersecurity concerns. It also highlights supply‑chain vulnerabilities for platforms tightly integrated with government functions.

By Waqas · January 14, 2026

A hacker using the alias CamelliaBtw has claimed responsibility for a major data breach involving Max Messenger, according to a post published yesterday on the DarkForums cybercrime marketplace and hacker forum.

The forum thread, titled “Max Messenger – Full User Infrastructure & SQL Dump,” alleges that the attacker gained complete access to the messaging platform’s production systems exactly one year after its public launch. The post describes what would amount to a total compromise of user data, backend infrastructure, and proprietary source code.

What is Max Messenger

Max is a cross‑platform messaging and multifunction app released on March 26 2025 by the tech company VK through its subsidiary Communication Platform LLC. It has been heavily promoted within Russia as a “national messenger” alternative to foreign services like WhatsApp and Telegram and has reportedly reached millions of registered users across Russia and neighboring countries.

The service provides messaging, voice and video calls, file sharing, and is intended to integrate digital identity and service features for government and commerce. In many cases, devices sold in Russia and Belarus have been required to ship with Max pre‑installed under government policy.

Max is positioned as more than a simple chat app, aiming to combine messaging with state services and additional tools, similar to China’s WeChat model. Critics and independent analysts have previously raised concerns about privacy and the potential for state access to metadata and user information, given Max’s structural integration with the Russian government’s digital infrastructure.

Details of the breach claim

In the DarkForums post, CamelliaBtw claims to have exfiltrated the entire production database, estimating the total compressed data size at 142 GB. The hacker states that the stolen data includes:

  • ≈ 15.4 million user records containing full names, usernames, and verified phone numbers.

  • Active authentication tokens capable of bypassing two‑factor authentication.

  • Bcrypt‑hashed passwords.

  • Complete communication metadata, including timestamps and sender/receiver identifiers, dating back to the platform’s launch.

  • Internal infrastructure assets such as SSH keys, API documentation, and Amazon S3 bucket configurations.

  • Unencrypted media files stored in cloud storage.

  • Backend source code, including what the attacker claims are hard‑coded backdoors inside the platform’s encryption module.

The post alleges that access was achieved through a previously unknown remote code execution vulnerability in Max Messenger’s media‑processing engine. According to the attacker, the flaw could be triggered by injecting a malformed payload into sticker‑pack metadata, allowing persistent backend access. The hacker claims the vulnerability existed since the beta phase in early 2025 and was never patched.

Extortion threat

The post includes a direct ultimatum to Max Messenger’s developers. CamelliaBtw claims the company has already been notified privately but has not responded. The attacker states they have verified accounts belonging to politicians and corporate executives who joined the platform during its early growth period.

If a financial settlement described as a “bug bounty” is not negotiated within 24 hours, the hacker threatens to release the first 5 GB of raw SQL database files across more than ten public torrent trackers.

CamelliaBtw’s post on DarkForums (Image credit: Hackread.com)

No confirmation yet

As of publication, Max Messenger has not issued a public statement confirming or denying the breach. No sample data has yet been released publicly to independently verify the claims. Cybersecurity experts note that while some breach announcements on underground forums are exaggerated, the level of technical detail provided in this post suggests the claims warrant serious scrutiny.

If confirmed, the incident would represent one of the most severe messaging‑platform breaches in recent years, with long‑term implications for user privacy, account security, and trust in encrypted communication services.


About the author

Waqas is a UK‑based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and the tech world. He also writes about gaming, reading, and investigative journalism.
