A Short External Note on the April 2025 CNSS Leak Timeline

I originally shared a short Darija note on LinkedIn here. This version keeps the same scope: it is only an outside observation based on publicly circulated material and timestamp patterns. It is not based on access to CNSS systems, any decrypted internal evidence, or private investigative data.

Publicly, the leak surfaced on April 8, 2025, when stolen CNSS files were posted on Telegram. CNSS later said its systems had been targeted by cyberattacks and cautioned that some circulated documents were false, inaccurate, or incomplete. On April 10, 2025, the CNDP warned against unlawful use of leaked personal data, and on April 11, 2025, the Moroccan government said the matter had been referred to judicial authorities. Public anchors: AP, Maroc.ma, and Medias24 on the CNDP notice.

One timing detail that stands out

From the outside, one pattern looks interesting. In the larger leaked batch, the file timeline appears unusually regular:

• files seem to come out every few seconds
• the sequence appears to run for about ten days, from November 19 to November 29, 2024
• that rhythm looks more like scripted or automated extraction than normal activity from tens of thousands of unrelated users

A smaller subset that circulated separately on Telegram appears to carry different timestamps from the main bulk. One possible reading is that those were earlier test pulls through the same weakness before the larger extraction window. That is only a hypothesis, not proof.

Limits

This note does not identify the attacker, the intrusion path, or any responsible company or institution. It is a personal analytical pointer about timing and extraction pattern, nothing more. Morocco has institutions and qualified professionals who can do the formal work, and only CNSS together with the competent Moroccan cybersecurity, data-protection, and judicial authorities can produce the official analysis and final incident report.