Overview
On 22 June 2025, cyber threat researchers identified a claim by a group calling itself “Weewoo” that they had successfully exfiltrated and leaked data from airportcodes.aero — a public-facing site that aggregates IATA and ICAO airport code information.
The attackers shared the announcement on a dark web forum and a linked Telegram channel, stating that they had obtained a database of historical and recent flight codes covering the past year to the present. While the nature of the data is not classified, its misuse for spoofing, impersonation, or disruption of operational awareness cannot be ignored in an aviation security context.
What Happened?
A dark web post monitored by our Cyber Threat Intelligence team and other intelligence sources claims that the threat group “Weewoo” has breached the backend of the airportcodes.aero website. The group has published a teaser (image: LXGB.jpg) and pointed to a public Telegram channel where the alleged data is now being distributed.
The data is described as containing global IATA and ICAO flight codes, spanning the past 12 months up to the present. While these codes are typically publicly available, the context and format of the dataset, particularly if correlated with timeframes or specific operators, may have operational security implications.
Key concerns include:
- Data aggregation of flight patterns, enabling predictive analysis of routes or carrier behavior
- Use in phishing or social engineering attacks, posing as official sources using accurate data
- Spoofed system inputs or automation abuse, if any API keys, tokens, or admin data were also accessed (not yet confirmed)
No confirmation of breach or public statement has been issued by the operator of airportcodes.aero at this time.
Why This Matters for Aviation
While the leaked data is not classified, the format, timing, and exposure channel give it weight as an aviation security risk. When attackers share route-related information, even public data can be weaponized:
- For impersonation of airlines or airfield staff
- To support phishing emails using valid flight codes or airport identifiers
- As inputs for fake portals or system spoofing, targeting ground handling, crew scheduling, or flight planning interfaces
Moreover, the use of a Telegram leak channel and the group’s messaging style signal intent to sustain the campaign and gain visibility, suggesting this may not be a one-off incident.
Recommended Actions
A. Monitor and Investigate
- Search dark web channels and Telegram groups for signs your airport, airline, or region is being discussed alongside leaked code data.
- Validate any internal dependency on airportcodes.aero for automated routing, code lookups, or data feeds.
B. Defensive Measures
- Alert staff to increased phishing risk tied to this incident. Leaked IATA/ICAO codes could be used to make fraudulent communications seem more legitimate.
- Harden input validation in flight planning tools or dashboards that rely on airport code inputs from open-source datasets.
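One way to implement the input-validation and feed-dependency checks above, as an added example that is not code from airportcodes.aero or any named tool. The snapshot, feed rows, and function names are constructed for illustration, and the example assumes IATA codes are three uppercase letters and ICAO location indicators four.

```python
import csv
import hashlib
import io
import re

# Constructed sample of a trusted reference snapshot (IATA,ICAO pairs).
PINNED_SNAPSHOT = "iata,icao\nGIB,LXGB\nLHR,EGLL\nJFK,KJFK\n"
# In production this digest is recorded out-of-band when the snapshot is
# approved; it is computed here only so the example is self-contained.
PINNED_SHA256 = hashlib.sha256(PINNED_SNAPSHOT.encode()).hexdigest()

IATA_RE = re.compile(r"[A-Z]{3}")  # assumed format: three uppercase letters
ICAO_RE = re.compile(r"[A-Z]{4}")  # assumed format: four uppercase letters


def load_reference(text, expected_sha256):
    """Load the pinned snapshot only if its digest matches the recorded one."""
    if hashlib.sha256(text.encode()).hexdigest() != expected_sha256:
        raise ValueError("reference snapshot digest mismatch")
    return {r["iata"]: r["icao"] for r in csv.DictReader(io.StringIO(text))}


def validate_feed(feed_text, reference):
    """Split an external feed into accepted pairs and rejected rows with a reason."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(feed_text)):
        iata, icao = row.get("iata") or "", row.get("icao") or ""
        if not IATA_RE.fullmatch(iata) or not ICAO_RE.fullmatch(icao):
            rejected.append((iata, icao, "bad format"))
        elif iata not in reference:
            rejected.append((iata, icao, "unknown code"))
        elif reference[iata] != icao:
            rejected.append((iata, icao, "pair mismatch"))
        else:
            accepted.append((iata, icao))
    return accepted, rejected


# Constructed external feed: one good row, one altered pairing, one
# lowercase code, one unknown code, one row carrying markup.
SAMPLE_FEED = ("iata,icao\nGIB,LXGB\nLHR,EGLI\nlhr,EGLL\n"
               "XQZ,ABCD\nJFK,KJFK<script>\n")

if __name__ == "__main__":
    ref = load_reference(PINNED_SNAPSHOT, PINNED_SHA256)
    ok, bad = validate_feed(SAMPLE_FEED, ref)
    print("accepted:", ok)
    for entry in bad:
        print("rejected:", entry)
```

Rejected rows are worth logging and alerting on: a sudden rise in pair mismatches from an open-source feed is a signal that the upstream data has changed or been manipulated.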
C. Authentication and Access Security
- If any API credentials or admin interfaces were shared with or derived from the affected platform, immediately rotate keys and review access logs.
- Enforce MFA and password rotation on any accounts tied to aviation information services, including airfield databases, scheduling tools, or maintenance logs.
D. Supply Chain and Indirect Impact Assessment
- If airportcodes.aero is embedded in third-party aviation software or vendor tools, validate with those suppliers whether any cached or dynamic datasets were exposed or manipulated.
In Summary
The alleged breach of airportcodes.aero is a reminder that even publicly indexed aviation data can be aggregated, manipulated, and reused for hostile purposes. While not a direct breach of a regulated operator, the downstream risks to aviation safety culture and operational trust are real.
Organisations should:
- Monitor for exploitation of leaked airport data in phishing, fraud, or spoofing
- Review any reliance on third-party routing code platforms
- Reinforce awareness around social engineering using operational identifiers
This incident underscores the importance of threat intelligence, supply chain risk awareness, and information hygiene in aviation cybersecurity — all of which are embedded in EASA Part-IS expectations.