Politie Points at Dutch Hackers in the 88GB Odido Leak
Dutch National Police say strong indications point at Dutch attackers behind February's Odido breach: a Dutch-speaking vishing call to customer service, then 6.2M records leaked.
The Dutch National Police told the country today that they now have “strong indications” the people who breached telecom Odido in February were Dutch. Not, as first assumed from ShinyHunters’ extortion post, an English-speaking crew who bought or brokered access from abroad — Dutch, native, on the phone. Stan Duijf, head of operations at the National Investigation and Interventions Unit, tied it to a specific detail: a phone call to Odido’s customer service line, shortly before the intrusion, in which a Dutch-speaking man posed as an internal IT employee, per BleepingComputer’s write-up of the Politie statement on 2026-07-10.
The breach itself is not new. Odido — the KPN-independent rebrand of what used to be T-Mobile Netherlands after the Deutsche Telekom sale — confirmed the intrusion on 2026-02-12, five days after it happened. ShinyHunters posted an 88GB archive claiming 15 million records not long after; Odido put the actual affected-subscriber count at 6.2 million. The exposed fields were the ones that hurt: full name, address, mobile number, customer number, email, IBAN, date of birth, and identification document details. Odido said call records, location data, billing history, ID scans, and passwords were not in the set.
What’s new today is who the police think did it and how.
The mechanism, restated
The vishing call came in first. A Dutch-speaking man rang Odido’s own customer service line, presenting himself as one of the company’s IT employees. Whatever he got from that call — helpdesk conventions, an internal name, a phrasing pattern, a specific ticket ID — then fed a phishing round aimed at the actual customer-contact system. That is what the Politie is describing when they say the attackers “compromised the customer contact system” via subsequent phishing.
None of this requires a novel exploit. It requires being able to sound like the person you are pretending to be, over a company’s own switchboard, on the first try. The reason the language now matters as an evidentiary detail is that a fluent Dutch pretext, delivered at Dutch cadence to a Dutch helpdesk agent, does not sound like a call — it sounds like an internal call. The uncanny-valley cues that flag most vishing attempts are absent when the caller grew up on the same schoolyard as the receptionist.
ShinyHunters, still a brand more than a group
ShinyHunters took credit and posted the data. Their extortion branding does not, on its own, contradict the Politie’s finding. The name has been used as an umbrella since 2020 by shifting sets of operators — some overlapping, some just adopting the label because it moves data faster on the leak sites. A Dutch crew running the front end of a job and posting under a familiar English-language extortion brand at the back end fits the pattern of how these ecosystems have been organized for years, not a contradiction of it.
The helpdesk-vishing tradecraft is not confined to any one region or brand, and neither is the willingness to launder attribution through a well-known label. What is worth registering is that the Netherlands has its own long history here — from KPN’s 2012 intrusion through the country’s outsized share of security research and the reciprocal set of people who took the same skills the other direction. That history does not tell us who did this. It tells us that when the police say “strong indications the attackers are Dutch,” they are speaking about a domestic ecosystem they know well, not a distant one they are guessing at.
What we do not know
The Politie has not named suspects, confirmed arrests, or specified how many people they believe were involved. Odido has not disclosed what changed in the customer-contact system’s access controls since February. The number of Odido subscribers whose data has been misused downstream — SIM-swap attempts, IBAN fraud, targeted phishing off the exposed dates of birth — has not been published.
Nor is there any reason to expect ShinyHunters to disappear because of a Politie press conference. The name will keep appearing on leak sites; the question is whether the human beings behind this specific case get named, and whether that naming disciplines the rest of the ecosystem or just sends the label to a different set of hands. Both have happened before.
For anyone who was in the file
If you were an Odido customer on the affected date and haven’t yet: change any password that used your date of birth or address as a hint answer, treat any inbound call claiming to be from Odido — or from your bank, invoking Odido — as untrusted until you call the number on the back of your card, and watch for IBAN-based fraud attempts that will land on the strength of the exposed identity fields rather than any credential you gave away. None of that is new advice. It is only more likely to matter for the 6.2 million people whose file the police now say was opened by a phone call in their own language.
Six months on, the interesting thing is not that the data got out. It is that the door it walked through was a helpdesk conversation, and the language it walked through in was the language spoken on both ends of the line.
Found this useful? Share it.

