Back to Blog
high severity May 05, 2026 · scope unconfirmed

Cazh.id Listed by Icarus Ransomware Group

- User DB: 300,000 Users (Email, Hash, Phone, Address, DOB) for https://bkdp.cazh.id/. - KYC Vault: 7,800 Government IDs + 4,200 Selfies (including "Hold-to-Face" ID selfies). - 34 SQL Databases for associated schools (Students/Parents/Staff). - Corporate/Financial: Full Investor Database + partner documents - Collateral documents (Vehicle Registration Documents & Property Deeds) - Billing Proofs - Full src code of their services Data stolen: PII, SOURCE CODE, KYC

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed May 05, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On May 5, 2026, the Indonesian fintech platform Cazh.id appeared on the leak site of the Icarus ransomware group. Public reporting indicates that attackers exfiltrated internal files containing personal data on roughly 300,000 users, government-issued IDs, selfies, school records, investor documents, property deeds, vehicle registrations, and the company’s full source code.

Confirmed Details of the Breach

Available reporting describes a ransomware attack that resulted in the theft of multiple databases. The exposed user database for bkdp.cazh.id holds email addresses, password hashes, phone numbers, physical addresses, and dates of birth for 300,000 individuals. A separate KYC vault contains 7,800 government IDs and 4,200 selfies, including “hold-to-face” verification images. Thirty-four SQL databases linked to associated schools include records for students, parents, and staff. Corporate files encompass a full investor database, partner agreements, billing proofs, collateral documents such as vehicle registration papers and property deeds, plus the complete source code of Cazh.id’s services.

At the time of publication, the exact number of uniquely affected people remains unclear because of overlap between the user database, school records, and KYC materials. No evidence has surfaced that the attackers used the data for further extortion against individual victims, but the files remain publicly listed on the Icarus leak portal.

Why This Matters for You and Your Family

When a single breach combines email addresses, phone numbers, home addresses, dates of birth, government IDs, and photographs, the risk extends beyond one account. Criminals can use this information to impersonate you at banks, apply for loans in your name, or target your family members. Children’s school records linked to parent addresses create additional exposure that can follow them for years. If you or anyone in your household has used Cazh.id, had a child in one of the affected schools, or shared documents with an investor or partner connected to the platform, your family’s private information is now in the open.

Password hashes, government IDs, and selfies are especially dangerous because they enable both automated fraud and targeted identity theft that feels personal.

The Doxxing and Identity-Chain Risks

Once core personal details leak, attackers often chain them with information found on social media, gaming platforms, and data-broker sites. A phone number from the Cazh.id breach can be linked to a child’s Roblox or Minecraft account, revealing an address that was never supposed to be public. This creates doxxing chains that lead to harassment, swatting, or further extortion. Credential leaks like this one frequently cascade into account takeovers across unrelated services where the same email and password were reused.

Icarus Ransomware Group’s Known Track Record

Public reporting attributes the attack to the Icarus ransomware group. The group emerged in late 2024 and has since listed dozens of victims on its leak site. Notable prior targets include mid-sized companies in healthcare, education, and financial technology sectors. Their typical playbook involves initial access through phishing or exploited remote desktop services, followed by exfiltration of sensitive files, encryption of systems, and publication of stolen data when ransom demands are not met. Icarus usually sets short payment deadlines and escalates by releasing samples of the data before dumping entire archives.

What to Do

  • Run a DoxxScan to map every link between your emails, phone numbers, addresses, and online handles so you can see the full identity chain created by this breach.
  • Rotate any password you used on Cazh.id or bkdp.cazh.id everywhere else it appears, then enable two-factor authentication through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4 billion breach records and more than 100 platforms so the next leak exposing you or your family is caught in hours instead of months.
  • Cover the household with DoxxScan family protection, which includes children’s gaming accounts that often chain back to the same addresses and parent emails now circulating from this incident.
  • Let DoxxScan remediation specialists handle takedown requests for your exposed documents and broker listings while you focus on securing accounts.

The Cazh.id breach shows how quickly personal documents and family records can move from a single company’s servers into the hands of organized criminals. Taking concrete steps now limits how far attackers can travel down the identity chain that this leak created. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that explicitly includes children’s gaming accounts. Start your DoxxScan trial today to regain control of your exposed information.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.