FFBT Hit Again: Credential and Admin Access Data Breach by NormalLeVrai
In May 2026, VECERT flagged threat actor NormalLeVrai for stealing credentials and admin access from France’s Fédération Française de Ball‑Trap (FFBT) and selling the data on dark‑web markets. The breach, still under investigation, highlights the actor’s focus on French organizations, its low‑price bulk sales, and the need for immediate password resets, MFA, and continuous monitoring.
Event Overview
VECERT intelligence warned in May 2026 that threat actor “NormalLeVrai” targeted the Fédération Française de Ball‑Trap (FFBT) to steal credentials and administrative access, and listed the data for sale on dark‑web forums. The incident remains under investigation with no official comment.
FFBT’s member‑management system stores athlete qualifications, contact information, admin accounts and event registration data, making it a high‑value target.
NormalLeVrai: High‑Volume Dark‑Web Data Vendor
NormalLeVrai was among the most active threat actors in 2025‑2026, focusing on French organisations and selling large‑scale data at low prices.
Attack Characteristics
Initial Intrusion Path
Credential theft is the primary entry point, using brute‑force, credential stuffing or phishing to obtain admin privileges.
Special interest in email systems, often achieving full mailbox takeover.
Data Ransom and Sale
Stolen data is typically listed for sale on dark‑web forums rather than publicly released.
Typical price is low (e.g., $2,200 for a French telecom dataset containing 2.83 million records, 16 GB of source code and email backups), indicating a volume‑driven model.
If a sale fails, the data may be released for free, as observed with the Meetic breach tagged #freebreach3d.
Target Preference
Primary focus on French domestic companies, with secondary targets in Switzerland and the United Kingdom.
Industries include telecom, energy, government, finance/insurance and internet platforms.
Impact Assessment
Compromised data: member credentials, admin accounts, athlete registration details, contact information.
Potential misuse: phishing, identity impersonation, manipulation of competition data.
Status: investigation ongoing, no official confirmation.
Sale status: pending verification according to VECERT alert.
Mitigation and Detection Recommendations
Immediate actions:
Force reset of all member and admin passwords and enable multi‑factor authentication.
Check FFBT website and member system for unauthorized logins.
Review server access logs for suspicious IP activity.
Alert members to beware of phishing emails or SMS appearing to come from FFBT.
Continuous monitoring: monitor dark‑web breach feeds, set up brand‑keyword alerts, compare leaked emails against Have I Been Pwned, and coordinate with ANSSI and CNIL.
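The login and access-log review recommended above can be partly automated. The following is an added example, not part of the original report or any FFBT tooling: it separates credential stuffing (many accounts failing from one IP) from brute force (many failures on one account) and flags a successful login from an already-flagged IP. The log format, thresholds, usernames and IP addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; the "timestamp ip user result" format is an assumption.
SAMPLE_LOG = """\
2026-05-09T10:00:01 203.0.113.7 member01 FAIL
2026-05-09T10:00:03 203.0.113.7 member02 FAIL
2026-05-09T10:00:05 203.0.113.7 member03 FAIL
2026-05-09T10:00:07 203.0.113.7 member04 FAIL
2026-05-09T10:00:09 203.0.113.7 admin OK
2026-05-09T10:02:00 198.51.100.20 admin FAIL
2026-05-09T10:02:10 198.51.100.20 admin FAIL
2026-05-09T10:02:20 198.51.100.20 admin FAIL
2026-05-09T10:02:30 198.51.100.20 admin FAIL
2026-05-09T10:02:40 198.51.100.20 admin FAIL
2026-05-09T10:05:00 192.0.2.15 member09 FAIL
2026-05-09T10:05:20 192.0.2.15 member09 OK
truncated line without a result field
"""

WINDOW = timedelta(minutes=5)  # look-back per source IP (assumed threshold)
STUFFING_USERS = 4             # distinct accounts failing from one IP
BRUTE_FAILS = 5                # failures against one account from one IP

def parse(log):
    """Yield (time, ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            try:
                yield (datetime.fromisoformat(parts[0]), *parts[1:])
            except ValueError:
                continue

def review_logins(log):
    fails, findings = defaultdict(list), set()
    for ts, ip, user, result in sorted(parse(log)):
        # Keep only this IP's failures that are still inside the window.
        recent = [(t, u) for t, u in fails[ip] if ts - t <= WINDOW]
        if result == "FAIL":
            recent.append((ts, user))
            if len({u for _, u in recent}) >= STUFFING_USERS:
                findings.add(("credential_stuffing", ip, "*"))
            if sum(u == user for _, u in recent) >= BRUTE_FAILS:
                findings.add(("brute_force", ip, user))
        elif any(f[1] == ip for f in findings):
            # Success from an IP already flagged: treat the account as compromised.
            findings.add(("success_after_attack", ip, user))
        fails[ip] = recent
    return sorted(findings)
```

A `success_after_attack` finding on an admin account is the case to escalate first, since it pairs with the forced reset and MFA steps above.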
Confidence and Sources
Confidence: medium‑high (based on NormalLeVrai’s historical behavior; investigation still ongoing).
Sources: VECERT Radar (X/Twitter), DarkWebInformer.
First reported: 9 May 2026.
Black & White Path
