Polish hacker charged seven years after massive Morele.net data breach

A 29-year-old Polish man has been charged in connection with a data breach that exposed the personal details of around 2.5 million customers of the popular Polish e-commerce website Morele.net.

Poland's Central Cybercrime Bureau (CBZC) announced that charges were filed on 30 January 2026, following years of investigation into the 2018 breach of Morele.net, that specialises in electronics, computer equipment and home appliances.

The high-profile breach of Morele.net, whose international equivalents include the likes of Best Buy, Newegg, and Amazon, sent shockwaves through Poland's online retail sector.

The investigation into the data breach had originally been shelves after police failed to identify a suspect, but authorities claim that the trail never went entirely cold.

Over time investigators identified the attack vector, reconstructed the sequence of events, and traced digital breadcrumbs back to the alleged hacker - demonstrating their determination in a YouTube video.

According to a CBZC press release, the suspect has admitted responsibility for the hack.

The cyber attack exposed names, email addresses, phone numbers, home addresses, and md5crypt-hashed passwords. Although payment card details were not compromised in the breach, it was reported that some 35,000 customers did have particularly sensitive information stolen, including national ID numbers, financial details, education information, income, and marital status.

Morele.net refused to pay a ransom, and the breached database was published online.

Unfortunately for the site's users who had their information breached, fraudsters weaponised the stolen data immediately. Victims reported receiving SMS messages demanding payment of 1 Polish zloty to "complete" their orders, accompanied by phishing links that stole banking credentials.

In 2019, in what was one of the country's largest GDPR-related fines at the time, Poland's data protection authority regulator hit Morele.net to the tune of €645,000, claiming that had failed to detect and respond to unusual network traffic.

Morele.net contested the fine, arguing that its security measures were reasonable even if they ultimately proved insufficient against a determined attacker, and eventually Poland's Supreme Administrative Court annulled the penalty, saying it had finding deficiencies in the regulator's justification and calculation of the fine.

Now, however, it is the alleged hacker who will be hoping he can escape receiving a heavy punishment.

If anything, this case serves as a timely reminder to cybercriminals that they should not assume that they have evaded justice just because years have passed since their offence. Digital forensics techniques continue to improve, and law enforcement agencies are increasingly willing to pursue cold cases when new leads emerge.