Peruvian data exposed and free: new Telegram bot delivers ID, address, photo, signature and fingerprints

Through a complaint on the METADATA podcast, RPP was able to verify the existence of ‘Himiko Data’ on Telegram.


After the ASBANC complaint about a metasearch engine that accessed sensitive data of Peruvians to sell it through a Telegram bot named ‘Zorrito Run Run’, that data remained exposed. Once it was released through that fraudulent system, it was inevitable that clones would use the same extracted file of Peruvians' private information to create accounts “as a service” that share the address, photo and even signature of compatriots. Now we come across ‘Himiko Data’, a new bot on Telegram.

According to a complaint shared on the METADATA technology podcast, a product of Grupo RPP, a user reported the existence of this new bot, which accesses that previously leaked data and, with just a search, allows access to the data stored in the file of the National Registry of Identity and Civil Status (RENIEC).

The results consulted by RPP exposed different levels of access, ranging from ID searches up to the photo and the signature that appear on the national identity document. These searches, unlike ‘Zorrito Run Run’ at the time, do not require payment.

As can be seen, the /cmds command is enough to display the bot's options menu:

DNI (includes the additional verification number), full names and surnames, sex, date of birth and age, department, province, district, educational level, marital status, height, registration date, names of the parents, date of issue and expiration of the current document, in addition to the restrictions.

Along with this information, the complete address is presented, including the interior number. Depending on the search level, the bot allows a DNI query, a check of the status of the document, a query of the RENIEC file, a name search, a query of the verification number and the issuing of DNI information without photographs.

‘Zorrito Run Run’, ASBANC and our data

In May 2022, the presidency of the Association of Banks of Peru (ASBANC) asked the authorities for an exhaustive investigation into the scope and magnitude of the leak of private data of Peruvians, which included various public entities such as RENIEC, SUNARP, SUNAT, the AFP system and others. In this case, access was much greater because several of these entities have rigorous processes to safeguard the data.

After this event, a multi-sector working group was formed, headed by the PCM and supported by entities related to the subject: operators, ASBANC, the Ministry of the Interior and others. After a few months of work, the control measures to prevent the appearance of new systems with the same data seem to be working.

At the time of writing this note, the bot is listed as inactive. However, it kept working until last Wednesday when the complaint was made in the METALIVE section, an interaction with NIUSGEEK followers on Telegram.

What is the problem? Well, we can shut down every bot or system that emerges from the dark sides of the internet, but our data is still exposed. Unlike changing a Facebook password or activating 2FA (two-step verification) on multiple systems, we cannot go to RENIEC to get a new DNI number, or modify the RUC in SUNAT in minutes. Our personal information is exposed, and we need to contain the rise of these criminal systems, but also start reducing the availability of this information. Unfortunately, we are a long way from that happening.

PCM responds about ‘Himiko Data’ to RPP

After the publication of the note, RPP contacted the PCM Secretary of Government and Digital Transformation. “From the Presidency of the Council of Ministers, through the Secretariat of Government and Digital Transformation, they have been working with public and private entities to deploy the necessary measures to prevent, mitigate and stop threats generated by cybercrime. Likewise, the National Center for Digital Security permanently coordinates with DIVINDAT, the National Data Protection Authority and International Cooperation in order to act immediately when complaints of access to personal data or other cybercrimes are received. In this line, public entities have been implementing internal prevention measures and, in turn, public awareness campaigns to prevent access to these pages and fraudulent practices,” said Marushka Chocobar, head of the entity.

What can we do? For now, share the information we have. This will allow a topic people are not sensitized to, such as computer security, to be treated like the custody of our physical assets. Just as you take care of your house and your car, you must take care of your data.

Another measure is to begin to strengthen our security in digital services with two-step verification in systems that allow it. This adds an extra layer of protection against attempts to impersonate our identity on social networks, for example.

On the other hand, we need to know our status in the financial system: our total amount of debt, our installments payable, our situation in risk centers, our recent consumption, the tracking of the packages we ordered through e-commerce. Everything. That review will prevent an impersonator from taking you by surprise.

Also try not to share card codes, CVVs or full numbers in private messages on social networks such as Instagram, Facebook or others. If a criminal impersonates you and gets into one of those accounts, they can check your inbox and get data from there. Delete sensitive data from those inboxes and make a copy on a device or cloud system with an additional password.