Espionage Claim Shaken: Data Against İmamoğlu Linked to Old Leaks
imamoğlu
A technical expert’s opinion submitted to the court has challenged the core evidence cited in the indictment accusing Istanbul Metropolitan Municipality (IMM) Mayor Ekrem İmamoğlu of “political espionage.” According to the report, the email addresses and password data presented as evidence were not leaked from IMM’s information systems but instead originated from global internet data breaches that occurred between 2008 and 2016. The findings suggest that the data in question had circulated for years on the Dark Web and appeared in large, publicly known breach datasets affecting users worldwide.
Technical Expert Opinion Enters the Case File
The expert report was commissioned by Necati Özkan’s lawyer, İmamoğlu’s detained political adviser, and prepared by a digital forensics specialist. The analysis was formally submitted to the case file as a technical opinion. The expert emphasized that the assessment was conducted using open-source intelligence (OSINT) methods, including examinations of Dark Web marketplaces, forums, and publicly available technical datasets.
The report underlined that its conclusions are based solely on publicly available digital traces and that the findings reflect the technical situation as of the date of analysis, without making legal judgments.
No Evidence of Data Leakage from IMM Systems
One of the report’s central conclusions is that no technical evidence supports the claim that the disputed email addresses or passwords were obtained through unauthorized access to IMM’s infrastructure. Instead, the data appears to pertain to IMM employees who previously used their institutional email addresses to register on unrelated websites that subsequently suffered large-scale security breaches.
The same compromised datasets, the report notes, include email addresses linked not only to IMM but also to numerous other public institutions. These include the Turkish Grand National Assembly, the Ministry of Justice, the Ministry of National Education, the General Directorate of Security, and TÜBİTAK, among others. This overlap strongly indicates that the data source was global and individual-based rather than institutional.
Breaches Date Back More Than a Decade
According to the expert analysis, most of the data breaches referenced in the indictment occurred between 2008 and 2016. These datasets were later aggregated and uploaded to Dark Web platforms in 2017 and 2019, where they became widely accessible to researchers, cybersecurity analysts, and malicious actors alike.
Crucially, the report states that these breaches are unrelated to IMM’s administration, internal networks, or any form of coordinated institutional access. The reuse of old data from historical breaches is a common phenomenon in cybercrime investigations and does not, on its own, indicate recent or targeted hacking activity.
Background of the Espionage Investigation
The investigation expanded following the arrest of Hüseyin Gün on July 4, 2025, on espionage charges. After Gün provided a statement under the “effective remorse” provision, prosecutors broadened the scope of the case. As a result, a new indictment was prepared accusing Ekrem İmamoğlu, journalist Merdan Yanardağ, and adviser Necati Özkan of “political espionage.”
The technical expert’s opinion was submitted in response to this indictment, specifically to evaluate the digital evidence cited as proof of unauthorized access to municipal data.
What OSINT and the Dark Web Mean in Practice
The report also clarified key technical concepts referenced in the indictment. OSINT, or open-source intelligence, is defined as the lawful collection and analysis of information from publicly accessible sources. The expert stressed that OSINT does not involve hacking, unauthorized access, or intrusion into protected systems.
The Dark Web, meanwhile, was described as a network accessible through specialized software that enables anonymous communication. While not illegal in itself, the Dark Web often hosts forums and marketplaces where leaked data is shared. The presence of information on the Dark Web alone, the report noted, does not establish criminal conduct.
Claims About IMM Data in Police Statements
In Hüseyin Gün’s police statement, some materials were described as IMM-related data. However, the expert report clarified that these materials consisted solely of @ibb.gov.tr email addresses displayed via web-based search tools that scan large datasets. Such tools commonly index historical breach data and do not indicate direct access to institutional servers.
The expert found that these records fully matched previously known breach datasets rather than any proprietary or internal IMM database.
MySpace and Other Historical Breach Sources
The report cited specific examples to support its conclusions. One notable case involved the MySpace data breach, originally exposed in 2008 and later offered for sale on the Dark Web in 2016. Millions of user credentials from that breach included email addresses ending in @ibb.gov.tr. Similar patterns were identified in breaches associated with platforms such as sanalmuze.org and turkeyforyou.com, in which individuals had registered using their institutional email accounts.
These findings reinforce the conclusion that the data resulted from personal account compromises, not from systemic infiltration of public institutions.
Thousands of Public Officials Affected Across Institutions
The expert opinion revealed that the same datasets contained email and password credentials for more than 27,000 public officials across 57 government institutions. This scale, the report argues, makes it technically implausible to claim a targeted breach of IMM alone and instead points to widespread reuse of compromised credentials from unrelated websites.
The Real Cybersecurity Risk: Password Reuse
According to the report, the most significant security risk identified is the reuse of the same password across multiple platforms. While this practice can expose an individual’s email account, the expert emphasized that it does not allow mass or institutional access to IMM’s internal systems. Any access would be strictly limited to the individual account involved.
Wickr and ByLock Are Not Comparable
The expert also addressed claims regarding the presence of the Wickr messaging application on Hüseyin Gün’s phone. Wickr was described as a commercially available messaging application available for download from official app stores and used by individuals and corporations worldwide.
By contrast, Turkish high court rulings have defined ByLock as a closed-circuit communication tool designed exclusively for organizational use. The report concluded that equating Wickr with ByLock is technically incorrect and lacks a factual basis.
