ANTS data breach 2026: how to spot the fake ID-renewal phishing wave
Up to 19 million French citizens' data leaked. Now the scam texts know your real name and address. Here is the one tell that still works.
Verdict
An ANTS SMS or email with a link and a deadline is almost certainly a scam. The real ANTS only operates on ants.gouv.fr and never asks for card details or a fee by message. After the April 2026 breach, scam messages may quote your real name, address, and date of birth. That data was leaked, not proof of legitimacy. Treat any message that already knows your details as more suspicious, not less. To report a scam SMS in France, forward it free to 33700.
What happened: the ANTS breach
ANTS, the Agence Nationale des Titres Securises, is the French agency that issues the country's secure identity documents: the carte nationale d'identite (CNI), the passeport, the permis de conduire, and the carte grise (certificat d'immatriculation) for vehicles. If you have renewed an ID card or registered a car in France, you have used ANTS. Its only official portal is ants.gouv.fr.
On 15 April 2026, the ants.gouv.fr portal was breached through an IDOR flaw (Insecure Direct Object Reference) in its API. In plain terms: by changing a single parameter in a request, an attacker could read another user's record. There was no need to guess passwords or break encryption. The application simply handed back whatever record number was asked for, with no check that the requester owned it.
The exposure was large. Up to roughly 19 million French citizens' personal data was affected: full names, postal addresses, email addresses, phone numbers, dates and places of birth, and login identifiers. That puts it among the largest French public-sector data breaches on record. On 16 April 2026, a person using the handle "breach3d" claimed the data on a criminal forum. French authorities notified the CNIL (the national data-protection regulator), the public prosecutor, and ANSSI (the national cybersecurity agency).
Why a breach turns into a phishing wave
This is the part that matters for everyday users, and it is our niche. A breach is not just a privacy headline. It is fuel. The combination of your real name, real address, real phone number, and real date of birth is exactly the toolkit a criminal needs to write a phishing message that does not look like spam. It looks like a real letter from a government agency.
Expect a wave of fake "your identity document must be renewed or re-verified" messages. They arrive as SMS (smishing) and as email, and they impersonate ANTS. The hook is personalisation: the message quotes your genuine name, your genuine postal address, sometimes your genuine date of birth, so it reads as authentic. The body claims your CNI, your passeport, your permis de conduire, or your carte grise needs urgent re-verification or renewal.
The link goes to a lookalike ANTS page. From there the attacker harvests more data, asks for a small "renewal fee" on a card form, or pushes you to log in with FranceConnect so they can steal those credentials. The leaked data is the bait; the fake page is the trap.
The single reliable tell: the .gouv.fr suffix
Everything else about a fake ANTS message can be faked. The sender name can say "ANTS". The page can copy the real logo pixel for pixel. The message can quote your correct address. The one thing the attacker cannot fake is the domain.
The real ANTS lives only on ants.gouv.fr. The .gouv.fr suffix is reserved for genuine French government services. No .com, no creative .fr variant with extra words, no .net or .xyz is the real ANTS. FranceConnect, the single sign-on for French public services, lives only at franceconnect.gouv.fr. If the domain in the link is not a plain .gouv.fr address, stop.
Lookalike domains seen impersonating ANTS use exactly the patterns you would expect: ants-renouvellement[.]com, mon-ants[.]net, and chained tricks like ants.gouv.fr.verify[.]xyz where the real domain is dropped in as a fake subdomain. In that last example the page does not live on gouv.fr at all. It lives on verify.xyz, and "ants.gouv.fr" is just a label glued to the front to trick the eye. Read a URL from right to left: the real domain is the last two labels before the first single slash.
Test a suspicious link right now
Got a phishing email or text? Paste the suspicious link below. Our 3-layer engine (Local + APIs + AI) returns a verdict in ~3 seconds. Free, no signup.
What the real ANTS never does
Two rules cover almost every fake ANTS message. First, the real ANTS never asks for full bank-card numbers or a "renewal fee" by SMS or email. Official document fees in France are paid through the official portal using the standard secure payment system, after you have logged in yourself. There is no link-and-pay flow pushed to you by text. Second, the real ANTS does not create artificial deadlines over SMS. A message that says you have "24 hours", that your "rights" or "title" will "expire", or that a "penalty" applies is manufacturing pressure so you click before you think.
Combine those with the domain rule and you have a fast filter. If a message claims to be ANTS, contains a link, sets a deadline, or mentions a payment, and the link is not a plain ants.gouv.fr address, it is a scam. Open ants.gouv.fr yourself in the browser by typing it in. Never use the link in the message.
Red flags: what to check in 10 seconds
- The domain is not .gouv.fr. Real ANTS is ants.gouv.fr. Anything on .com, .net, .xyz, or a .fr address with extra words is fake.
- "ants.gouv.fr" appears as a subdomain. In ants.gouv.fr.verify[.]xyz the real domain is verify.xyz, not gouv.fr. The brand label glued to the front is bait.
- It quotes your real details. After the breach, your name, address, and date of birth are leaked. A message knowing them is not proof it is genuine. It is the opposite.
- A fee or card form. ANTS never asks for a renewal fee or card number by SMS or email.
- A deadline. "Sous 24h", "votre titre expire", "penalite" all manufacture urgency. Real ANTS does not chase you by text.
- A FranceConnect login on the page. Real FranceConnect is only at franceconnect.gouv.fr. A login box on any other domain is a credential trap.
What to do when a suspicious ANTS message lands
Do not tap the link, do not reply, do not call any number it lists. If you genuinely have a document to renew, type ants.gouv.fr into your browser yourself and check from there. If your account shows no pending action, the message was fake.
For verified scam texts, forward the message free to 33700, the official French SMS spam reporting line operated by the four mobile carriers. Report phishing emails and pages at signal-spam.fr. For victim support and guidance, use cybermalveillance.gouv.fr. If you actually entered your data or paid, file a police complaint (porter plainte) so you have a recorded reference number for any account later opened in your name.
What to do if you fell for it
Speed matters. Order of operations:
- If you entered card details, call your bank using the number on the back of your physical card, not any number from the message. Freeze the card and request a new one. French banks process this same-day.
- Dispute any charge under PSD2. The European Payment Services Directive 2 protects French consumers against unauthorised card transactions. Keep screenshots of the message and the fake page as evidence.
- If you entered FranceConnect or any login, change that password immediately, and any other account where you reused it. Turn on two-factor authentication where available.
- If you uploaded an ID document, declare identity theft at cybermalveillance.gouv.fr and file a police complaint to obtain a reference number. That number helps you contest any fraudulent account opened later.
- Watch for follow-up calls. After a successful phish, attackers often call back pretending to be the bank or the police, asking you to "secure" your money. That second stage is where the largest losses happen.
How SafeBrowz flags fake ANTS pages
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. For an impersonation like this, the work happens at the domain level, which is the one thing the attacker cannot disguise.
- Brand-on-non-official-domain rule: SafeBrowz flags any page posing as ANTS that is not on the genuine
.gouv.frdomain. It catches lookalikes like ants-renouvellement[.]com content-free, meaning it does not even need to read the page to judge it. The brand name appearing on a domain that is not the official one is the signal. - Subdomain-chain detection: tricks like ants.gouv.fr.verify[.]xyz, where the real domain is dropped in as a fake subdomain, are caught by parsing the actual registrable domain (here, verify.xyz) rather than the label the eye lands on first.
- API and AI layers: known malicious domains are checked against aggregated threat feeds, and the AI layer reads page content in French and other languages to catch fresh variants the moment they go live.
Detection signatures come from threat-intelligence research and a brand database, not from user browsing data. No per-user browsing history is stored. The single reliable tell remains the .gouv.fr suffix, and SafeBrowz encodes exactly that logic.
Updated
Last updated June 15, 2026. We refresh the lookalike-domain examples and reporting channels as French authorities publish new takedown patterns following the ANTS breach.
Block fake ANTS and FranceConnect pages before you tap
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks pages impersonating French government services automatically. It recognises 550+ brands plus French government domains, and flags any page posing as ANTS that is not on the genuine ants.gouv.fr domain. AI content analysis works in French and other languages and spots new phishing domains the moment they go live. Free forever, no account needed.
Add to Chrome
Add to Firefox
Add to EdgeFrequently asked questions
What was exposed in the ANTS data breach?
An IDOR flaw in the ants.gouv.fr API, discovered on 15 April 2026, let an attacker read other users' records by changing a request parameter. Up to roughly 19 million French citizens' data was exposed: full names, postal addresses, emails, phone numbers, dates and places of birth, and login identifiers. French authorities notified the CNIL, the prosecutor, and ANSSI.
Is an ANTS text or email asking me to re-verify my ID real?
Almost certainly not. The real ANTS never asks you to re-verify or renew a document by SMS or email with a link, never sets a deadline by message, and never asks for a fee or card details that way. If you have a real document to renew, type ants.gouv.fr into your browser yourself and check there.
What is the real ANTS website address?
The only real ANTS portal is ants.gouv.fr. The .gouv.fr suffix is reserved for genuine French government services. Any other domain (.com, .net, .xyz, or a .fr address with extra words) is fake. FranceConnect login is only at franceconnect.gouv.fr.
The message knew my name and address. Doesn't that make it real?
No. After the ANTS breach, your name, address, date of birth, phone, and email may be in the hands of criminals. A message quoting those details is using leaked data, not proving legitimacy. Treat a message that already knows your details as more suspicious, not less.
What does ants.gouv.fr.verify.xyz actually point to?
It points to verify.xyz, not to the government. The real registrable domain is the last two labels before the first single slash, here "verify.xyz". The "ants.gouv.fr" part is just a fake subdomain glued to the front to trick the eye. SafeBrowz subdomain-chain detection parses the real domain and flags this pattern.
How do I report a fake ANTS message in France?
Forward a scam SMS free to 33700, the official French SMS spam line operated by the four mobile carriers. Report phishing emails and pages at signal-spam.fr. Get victim support at cybermalveillance.gouv.fr. If you entered data or paid, file a police complaint to obtain a recorded reference number.