ShinyHunters' Odido (NL telecom) breach: Dutch police voice analysis points to Dutch-national involvement; same vishing-into-spoofed-portal playbook, now against an EU telco
Dutch National Police (Team High Tech Crime) announced on 9 July that its investigation into the February 2026 breach of Dutch telecom operator Odido — and its Ben brand — has produced strong indications of Dutch-national involvement, based on forensic voice analysis of a call recorded at the time of the intrusion; police assess the caller as very likely a genuine human speaker (while not fully ruling out synthetic voice) and are publicly appealing for the caller to come forward before the recording is released (Politie, 2026-07-09; NOS, 2026-07-09).
This extends the ShinyHunters vishing-to-spoofed-portal playbook (registry: actor:shinyhunters) already covered in this store to a new victim class — an EU telecommunications operator. The mechanism, confirmed on-record by Odido CEO Tisha van Lammeren, is the same one documented previously: a caller impersonating Odido IT-department staff (T1656) used a voice-phishing pretext (T1566.004) to persuade a customer-service employee to log into a spoofed copy of the corporate work environment, harvesting that employee's real credentials (T1078) for the customer-contact system (NOS, 2026-05-12). Odido blocked the account within an hour of noticing the intrusion (NOS, 2026-05-12), but the operators had already bulk-exported 6.2 million customer records (name, address, contact details, customer number, bank account number, date of birth, and passport/driver's-licence numbers) (NOS, 2026-02-12) — the CEO's Dutch quote via NOS: "De hacker wist deze medewerker over te halen om in te loggen op een valse versie van de werkomgeving. Zo heeft hij de inloggegevens van die persoon gestolen" ("the hacker persuaded this employee to log into a fake version of the work environment, and so stole that person's login credentials") (T1213). The Dutch Data Protection Authority has two open investigations — into the adequacy of Odido's customer-system security and into whether it retained former-customer data longer than permitted.
In het onderzoek heeft de politie sterke aanwijzingen gevonden dat Nederlandse criminelen betrokken zijn bij de Odido-hack.
De hacker wist deze medewerker over te halen om in te loggen op een valse versie van de werkomgeving. Zo heeft hij de inloggegevens van die persoon gestolen.
Defender actions
- Reinforce helpdesk/customer-service verification: require out-of-band callback confirmation before any staff member authenticates in response to an inbound call claiming to be internal IT — the control that would have stopped both the Odido and the earlier tracked ShinyHunters vishing intrusions.
- Alert on a single account performing a bulk export from a customer-contact or CRM repository shortly after an interactive sign-in from an unusual location; Odido's operators bulk-downloaded 6.2M records before the account was blocked within the hour.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.