Telegram: Himiko Data Bot exposes personal data of Peruvians

Telegram: Himiko Data Bot exposes personal data of Peruvians

Following ASBANC’s complaint about a metasearch engine that was accessing sensitive data of Peruvians to sell them through a bot from Telegram baptized as ‘Zorrito Run Run’, that data remained exposed. Once this fraudulent system was breached, it was inevitable that clones would use the same file extracted with the private information of Peruvians to create accounts “as a service” to share the address, photo and even signature of compatriots. Now, we are faced with ‘Himiko Data’. A new bot on Telegram.


According to a report shared on the METADATA technology podcast, a product of Grupo RPP, a user shared the existence of this new bot that accesses that previously filtered data and, with just a search, allows access to the data stored in the file of the National Registry of Identity and Civil Status (RENIEC).

In the results consulted by RPP, different levels of access were exposed, such as DNI searches up to the photo and signature appearing on the national identity card. These searches, unlike “Zorrito Trun Run” at the time, do not require payment.

As can be seen, it is sufficient to access via the /cmds command to display the bot options menu:

DNI (includes additional verification number), full names and surnames, sex, date of birth and age, department, province, district, grade of education. Marital status, height, date of registration, parents’ names, date of issue and expiration of the current document, as well as restrictions.

Along with this information, the complete address, including interior number, is presented. Depending on the search level, we can make a DNI query, the status of the document, consult the RENIEC file, do a name search, consult the verification number and issue DNI information without photographs.

Zorrito Run Run, ASBANC and our data.

In May 2022, the presidency of the Association of Peruvian Banks (ASBANC) asked the authorities for an exhaustive investigation into the scope and magnitude of the leak of private data of Peruvians, which covered various public entities such as RENIEC, SUNARP, SUNAT, AFPs system and others. In this case, access was much greater due to the fact that several of these entities have rigorous processes in place to safeguard the data.

After this event, a multisectoral roundtable was formed, headed by the PCM and supported by entities related to the subject: operators, ASBANC, Ministry of the Interior and others. After some months of work, the control measures to avoid the appearance of new systems with the same data seem to be working.

During the writing of this note, the bot appears as inactive. However, it remained functioning until last Wednesday when the report was made in the METALIVE section, an interaction with NIUSGEEK followers on Telegram.

What’s the problem? Well, we can close every bot or system that eme4rges from dark sides of the internet, but our data is still exposed. Unlike a Facebook password or the activation of multiple 2FA – two-step verification – systems, we cannot go to RENIEC to get a new DNI number, or modify the RUC at SUNAT in minutes. Our personal information is exposed, and we need to contain the appearance of these criminal systems, but also begin to reduce the availability of this information. Unfortunately, we are a long way from that happening.

What can we do? For the time being, share the information we have. This will allow an issue that is not very sensitive, such as computer security, to be assumed as an issue similar to the custody of our physical goods. Just as you take care of your house and your car, you should take care of your data.

Another measure is to start reinforcing our security in digital services with two-step verification in systems that allow it. This adds an extra layer of protection against attempts to impersonate our identity in social networks, for example.

On the other hand, we need to know our status in the financial system: our total amount of debt, our installments to be paid, our situation in credit bureaus, our recent consumptions, the trace of our packages ordered by e-commerce. Everything. This review will ensure that an impersonator does not take you by surprise.

Try also not to share card passwords, CVVs or full numbers in private messaging on social networks like Instagram, Facebook or others. If a criminal impersonates you and enters one of them, they can check your inbox and get data from there. Delete sensitive data from those inboxes and make a copy on a device or cloud system with an additional password.

Daniel Chapman