A financially motivated extortion group claims to have exfiltrated 2.2 terabytes of data across 52 AWS S3 buckets belonging to Prospector Portal, an AI-powered mining intelligence platform and subsidiary of Analog Gold Inc. The alleged haul includes what the group describes as the complete operational database of the Guyana Geology and Mines Commission (GGMC), the agency responsible for administering every mining permit in the country — stored, according to the claim, not on government infrastructure but inside a commercial US-based AWS account belonging to the startup.
A Government Database in a Startup’s Cloud Account
The most significant element of the alleged breach is not Prospector’s own data. It is Guyana’s. According to the group’s disclosure, the GGMC’s IMAPS database was colocated in Prospector’s AWS environment under a Snowflake instance. The dataset allegedly contains 12,532 Guyanese citizens and mining company records, each including full names, Tax Identification Numbers, National Identification Numbers, passport numbers, dates of birth, phone numbers, email addresses, and physical addresses. A separate MSSQL backup reportedly adds 12,987 mineral licence records tied to named individuals, plus GPS polygon coordinates for every active, pending, and cancelled mining claim in the country.
Also allegedly exposed: 250 Amerindian indigenous land titles and, more critically, 41 proposed Amerindian land extensions totalling over 3.6 million acres of unreleased government planning data. Overlaid against active mineral licence polygons, the dataset would reveal exactly which mining claims fall within proposed indigenous territory.
Additional geodata allegedly includes all 7 of Guyana’s mining district boundaries, 69 government reserved areas, and historical geological survey records dating back to the 1920s, including drill logs from the Demerara Bauxite Company and Reynolds Metal Company exploration records from the 1950s and 1960s. The group describes these as national patrimony stored with, in their words, the security posture of a developer’s side project.
The Prospector Platform and Its Commercial Exposure
Beyond the Guyanese government data, the alleged exfiltration covers Prospector Portal’s core commercial product. The group claims access to complete database dumps, approximately 1,886 proprietary NI 43-101 technical mining reports sourced from FactSet and TMX Datalinx, daily data pipeline exports dating back to 2021, and the complete source code and machine learning models powering the platform’s AI capabilities. FactSet and TMX Datalinx reportedly resell access to Prospector’s database to institutional clients.
The group also claims to have obtained plaintext credentials including AWS access keys, a Snowflake RSA private key for direct JWT authentication to the GGMC data warehouse, Auth0 client credentials, and a .env file containing API keys for SendGrid, Stripe, Algolia, HubSpot, Firebase, and Elasticsearch. Terraform state files, CI/CD artifacts, and 35 gigabytes of application logs were allegedly included in the pull.
M&A Timing and the Group Behind the Claim
The disclosure arrives at an acutely sensitive moment for Analog Gold. The company is mid-transaction on a $28 million asset sale to Exter Gold Corp. (CSE: XGOL), with a binding letter of intent signed in December 2025 and CSE approval still pending as of March 2026. The group explicitly referenced the deal in its post and framed publication as a consequence of Analog Gold declining to negotiate.
The group responsible, which publicly identifies itself using the alias FulcrumSec, is a financially motivated extortion actor that has been active since approximately September 2025. The group operates on a data exfiltration and extortion model without deploying ransomware, targeting cloud-hosted environments and focusing specifically on AWS, Azure, and Databricks infrastructure. FulcrumSec previously claimed breaches of Hatica and MyComplianceOffice, and separately claimed a breach of LexisNexis Legal & Professional, which LexisNexis confirmed in March 2026. Their targeting pattern consistently involves exploiting exposed credentials, unrotated API keys, and misconfigured cloud permissions.
The group’s disclosure states that Analog Gold was contacted prior to publication and declined to engage.
No Response From Either Party
Analog Gold had not issued any public statement at time of publication. The Guyana Geology and Mines Commission had not issued any public statement at time of publication. FactSet and TMX Datalinx had not issued any public statements at time of publication.
If you have received a data breach notification, visit our guide on how to respond.
