Read this story in Nepali: साइबर सुरक्षा फितलो, संवेदनशील डेटा जोखिममा
One after another, government websites have been hacked, leading to the theft of government and citizen data. Worse yet, hacker groups have put this sensitive information up for sale, leaving both government and citizen data at risk.
Before we get into the details, let’s understand some of the key terms in this story:
Hacking - Hacking is the unauthorized access and manipulation of a computer system, network, or data.
Hacker - A hacker is an individual or group that gains unauthorized access to a computer system, network, or data and takes control of its contents.
Ethical Hacker - An ethical hacker is a person who gets permission to hack a computer system, network, or data to find security weaknesses. By identifying these vulnerabilities, they help improve data security.
... ...
On February 13, 2025, a major cyberattack sent shockwaves through Nepal's digital infrastructure: the hacking of 21 subdomains belonging to the Koshi Provincial Government.
A hacking group identifying itself as ‘YNR’ hacked 21 subdomains registered under the koshi.gov.np domain and publicized them on the Zone-H portal.
Just one month after the Koshi Province website hack, on March 26, 2025, the ‘Hello Sarkar’ website, which operates under the Office of the Prime Minister and Council of Ministers, was also hacked. The hack was revealed after a hacker group named ‘Ghudra’ put the data up for sale on a platform called ‘Bridge Forum’. In the post offering the Hello Sarkar data for sale, the Ghudra group wrote, “We are selling this data because the government of Nepal refused to contact us.”
Less than a month after the Hello Sarkar hack, on April 23, 2025, the website of the Nepal Police Headquarters was compromised. A hacker group calling itself ‘Kazu’ hacked the Nepal Police website and put two million citizenship cards up for sale, setting a price of 7,000 U.S. dollars for the data. The citizenship cards, which were submitted for police recruitment or character certificates, were seized and put up for sale by the hacker group.
These recent incidents of government website hacks confirm that private data belonging to both the government and the general public has been stolen. As hackers are publicizing one piece of confidential information after another, cybersecurity experts say that sensitive government and citizen data is now at risk.
“It is a serious challenge when government websites that hold the personal data of the general public, like the Nepal Police or the Department of Passports, get hacked,” said Naresh Lamgade, a cybersecurity expert and ethical hacker. “The frequent attacks on government websites are raising questions about the state's entire cybersecurity apparatus.”
Even though the government’s cybersecurity system has been called into question, government bodies don’t seem to be taking the issue very seriously. To find out why Koshi Province’s government websites were hacked, we contacted the Information Officer of the Department of Information Technology, Prakash Duwadi. He said he had no information about how the hack occurred. It’s important to note that this department, which falls under the federal Ministry of Communications and Information Technology, manages all government websites.
“We created a new system and trained them on it,” said Prakash. “The Chief Minister's Office said they would investigate, and we haven’t received any information since.”
Next, we asked the Chief Minister’s Office’s computer officer, Bishwo Rajbanshi, for an update on the hacking investigation. He also said he had no information. “We had received a letter from the Ministry of Forests, and we updated the new system through the Department of Information Technology,” said Bishwo. “We don't know anything about the investigation; the Ministry of Forests might.”
After the Chief Minister’s Office directed us to the Ministry of Tourism, Forests and Environment, we contacted the ministry’s spokesperson, Akhilesh Kumar Gupta. He told us that no investigation had been conducted. When we spoke with him, five months had passed since the hack.
“We are still in the process of recovering the data, and data entry into the new system is ongoing,” said Akhilesh Kumar, the spokesperson for the Ministry of Tourism, Forests and Environment of Koshi Province. “Once that work is finished, we will conduct an investigation.”
The reason for the Koshi Province government website hacks has not been discovered. However, according to Prem Prasad Acharya, a joint secretary at the Prime Minister's Office, the Hello Sarkar system was compromised while it was being updated. “The system is weak during updates,” he said. “That’s why we concluded the problem occurred.”
The same ‘Kazu’ group that hacked the Nepal Police website also hacked the Lumbini Province Public Service Commission website last May.
Claiming to have access to over 900,000 of the commission’s files, the hacking group put more than 300,000 user data files up for sale on the dark web. The dark web is a collection of thousands of websites that use anonymous tools like Tor and I2P to hide their IP addresses.
The fact that not only domestic but also foreign hacker groups are hacking government websites raises further questions about Nepal's cybersecurity. The ‘Ghudra’ group, which hacked the Hello Sarkar website, claimed to be part of ‘Fancy Bear APT 28’, a group believed to be linked to Russian military intelligence.
“Hacking in itself is a scary thing; a compromised system is never a good thing,” says cybersecurity expert Suman Dhungel. “Foreign hackers are a greater threat than domestic ones.” He explains that foreign hackers don’t just steal data; they can also gain unauthorized access to sites to cause extensive damage.
Suman argues that these repeated hacking incidents pose a security threat and tarnish the state's reputation. “Hacking means a system has been compromised, which is harmful from many perspectives,” he said. “This is also a matter related to the state’s reputation, but the state doesn’t seem to be taking it seriously.”
Hacking to express dissatisfaction with the state
Hacking also seems to be a way for people to express their dissatisfaction with the state. On June 13, 2025, a hacking group called ‘MidNight Ops Nepal’ took control of the Department of Hydrology and Meteorology’s website and altered its content. The group replaced the homepage with a new page titled ‘...HAHAHA UR SECURITY S***S!!!’ and displayed the message, ‘This site has been hacked by MidNight Ops Nepal... Your Democracy has been hacked /... Security is just an illusion.’
Two months earlier, on April 11, 2025, a group calling itself ‘1800 Hackers’ hacked the Division Forest Office’s website in Sunsari. They posted an AI-generated video of former Prime Minister KP Sharma Oli dancing, an audio clip with an obscene song, and other offensive messages.
Just one day later, on April 12, 2025, a group identifying itself as ‘Hactivist Nepal’ hacked the Department of Survey’s website, dos.gov.np. They replaced the homepage with a photo of the late King Birendra and the slogan, ‘King, come, save the country.’
The hacking group wrote on the Department of Survey’s website: “In Nepal, democracy has pushed corruption to its highest point. Political instability and party interests have prioritized personal gain over the welfare of the people.” The group added, “Hactivist Nepal is in favor of restoring the monarchy, which could open the possibility of national unity, long-term stability, and corruption-free governance, and ensure Nepal's proper guidance.”
Cybersecurity experts say that hackers are not just expressing dissatisfaction with the government but are also warning the state. “Hackers are not just venting their dissatisfaction; they are also alerting the government that its security system is weak,” said cybersecurity expert Suman. “However, the government doesn’t seem to be showing much interest in security.”
Narayana Koirala, a cybersecurity expert at NAS-IT, states that despite repeated government website hacks, the state has not taken any steps or shown any enthusiasm to address the issue.
According to cybersecurity expert Suraj Dhungel, hacking also happens to expose weaknesses in government systems and steal data.
In the experience of Rajkumar Maharjan, Director of the National Cybersecurity Center, hackers also target government websites to display their ego.
Hackers, however, offer a different perspective on hacking. “We don’t hack for fun; we hack to alert the state,” one hacker we contacted via Telegram said. “Instead of cursing us, the state should strengthen its system!”
We then asked him why they publicized private citizen information and put data up for sale on the dark web if their goal was to raise awareness. He did not answer.
What is hacking?
Hacking is the act of gaining unauthorized access to any system and manipulating or corrupting its contents. According to Rajkumar Maharjan, Director of the National Cybersecurity Center, “In some cases, hacking is also done to steal the data within that system.”
Generally, three aspects are considered important in a cyber system: confidentiality, integrity, and availability. According to cybersecurity expert Suraj Dhungel, a compromise in any of these three areas constitutes a hack.
“If we’ve stored any data, it should be secure, which is called confidentiality. The data should not be manipulated or tampered with by anyone, which we call integrity. The system should be available at all times, which is called availability,” he explained. "If these things are not guaranteed, it's considered hacking."
Sensitive information at risk
Government websites contain the personal information and data of ordinary citizens. Therefore, cybersecurity experts argue that when these sites are hacked, the information they hold is put at risk. “When there’s a problem with government websites that contain public information, it means that data is at risk,” said ethical hacker Naresh Lamgade. “Having someone’s information on a dark forum after a hack is a very frightening thing.”
Hackers put the data they’ve stolen from websites up for sale on ‘dark forums’. According to Superintendent of Police (SP) Deepakraj Awasthi, who works for the Cyber Bureau, there is a high risk that this data will be used for illegal purposes. “Data gets stolen through hacking, and the stolen data includes citizenship cards and other personal information of ordinary people,” he said. “Those citizenship cards and details have been used to scam people.”
Why are government websites at risk?
On July 9, 2024, the website of the Immigration Office at Tribhuvan International Airport experienced an issue. The problem grounded flights for about an hour, causing inconvenience for travelers.
Similarly, on November 22, 2024, the Department of Passports suspended its services, citing a problem with its data management. Two days later, on November 24, the department issued a notice stating that its system was infected with a virus. Although the notice promised an immediate return to service, the server remained down for two weeks.
The frequent problems at service-oriented bodies like the airport and the Department of Passports, combined with recurring government website hacks, indicate that the government’s cyber system is weak. Ethical hacker Naresh Lamgade says that these problems persist due to flaws in system development and the government’s failure to allocate sufficient funds. “There’s a fundamental problem with how our systems are built. The contract is given to whoever offers the cheapest price,” he said. “Such a sensitive issue cannot be handled cheaply, but we try to do it for as little as possible.”
According to Naresh, in addition to building cheap websites, government websites are also weak because they are not properly tested before being put into use. “After a system is built, a VAPT (Vulnerability Assessment and Penetration Test) should be conducted. This work should be given to a third party, a different vendor than the one who built the system. But here, the same people who build the system also conduct the tests,” Naresh said. “How can you expect someone to reveal their own flaws? That’s what’s happening here. How can you identify all the system flaws just by running it through a simple website scanner?”
How to Protect?
Cybersecurity has become a global challenge, not just in Nepal. To mitigate these challenges, various frameworks must be adopted. “After extensive discussions and debates, different frameworks have been issued. If we work within those frameworks, we can strengthen our security,” said cybersecurity expert Suraj. “The government of Nepal must also pay attention to what international practices are, how to implement which technology, how to optimize processes, and how to raise public awareness.”
Naresh adds that users and the state must also be responsible. He emphasizes that the state should not compromise on cybersecurity.
According to Rajkumar Maharjan, the director of the National Cybersecurity Center, the government is already working on cybersecurity. The center has even issued a cybersecurity advisory for users of government information technology systems.
“Just a few days ago, we conducted a ‘cyber drill’ with engineers from 30 different agencies. We discussed how to respond in case of a cybersecurity incident,” said Director Rajkumar. “In addition, we have been working on awareness programs.”
In the process of drafting a law
Director Rajkumar stated that a law is being drafted to reduce the risk of hacking. The government has already registered the Information Technology and Cybersecurity Bill in parliament to control cybercrime.
This bill, which will replace the Electronic Transactions Act, 2008, defines various forms of cybercrime and proposes different penalties depending on the nature of the offense. Section 80 of the bill proposes that any act that creates an obstruction or has an adverse effect on the country’s cybersecurity and data system will be considered a serious offense, punishable by up to five years in prison, a fine of up to 1 million rupees, or both.
The bill categorizes unauthorized access (hacking) and tampering with computer systems into various levels and provides for penalties. Under the bill, the manipulation, deletion, or concealment of electronic information for financial gain is punishable by up to three years in prison and a fine of up to 500,000 rupees.
“Lack of general awareness is causing cyber-incidents.”
Rajkumar Maharjan - Director, Cybersecurity Center
Why do Nepali government websites get hacked so often?
The use of information technology is increasing not just in Nepal, but all over the world. It makes life easier and helps us complete difficult and complex tasks more quickly and efficiently.
Just as information technology was once considered important, its subcategories are now becoming equally vital. The importance of Artificial Intelligence (AI), blockchain technology, cloud computing, and big data storage is growing rapidly.
At this point, whether we want to or not, we have entered the world of information technology, and there may be no going back. The use of social media is also on the rise, especially since mobile devices have become more affordable. The Nepali government is also now starting to focus on faceless, cashless, and paperless governance.
Are you talking about e-governance?
Yes, we’re working to implement these kinds of things through e-governance. Many agencies have started rapidly building their own systems. For example, the Department of Transport Management has its own system and provides transport-related services online. Technology has brought convenience, there’s no doubt about that.
But where there’s convenience, there are certainly difficulties. This isn’t just limited to IT; it happens with every technology. As we become more dependent on systems, individuals or groups with malicious intent have started to exploit them. The misuse of technology by such individuals is also increasing, and this trend isn’t limited to here – it’s a global phenomenon.
There’s no debate that our use of technology is growing. However, regarding the security issue you raised, we ourselves must observe how secure the work we’re doing is.
You shouldn’t just download any application, and you shouldn’t immediately connect to the internet if you find free wi-fi.
This is about the user, isn’t it?
Yes. When it comes to the user, we lack a bit of public awareness. For this, they need to be aware of digital literacy. Similarly, they should have cybersecurity knowledge and be informed about topics like cyber hygiene. It’s natural for us to have limited knowledge about this, as the subject itself is relatively new.
Just because someone is educated doesn’t mean they are knowledgeable about cyber matters. Education is one thing, and this is another.
Small acts of carelessness or errors by people can lead to major incidents. As a cybersecurity student, I would say it’s about ‘people, process, and technology’. Let’s say the technology is very strong and you’ve created an excellent process, but if the people don’t follow it, it won’t work. That’s why in cybersecurity, they say ‘the people are the weakest link’. Our studies also show that current cyber incidents are happening due to a lack of basic cyber awareness.
I asked at the beginning about the reason for government websites being hacked. Are you saying that those who work on government websites lack digital literacy?
It’s not just a problem with Nepali government portals being hacked; this is a global issue. Cyber incidents are increasing everywhere. However, there’s a reason why government portals are hacked more frequently. If someone can demonstrate a vulnerability in a government website or system, they consider it a major achievement.
The hacker thinks, ‘This is my accomplishment.’ And when they can show that kind of impact on government systems, it gets a lot of publicity quickly. It’s also seen as a challenge. These are the reasons they are attracted to government systems. For example, a high school student even hacked the Tribhuvan University system, and the news of the hack was reported. Some hackers even use it for good, informing authorities about specific weaknesses they found.
Are you referring to ethical hackers?
Yes, it has been done by ethical hackers, and some people simply provide this information. But there have also been attacks by non-ethical groups, both Nepali and foreign.
If you don’t lock your house when you go out, it will get robbed. Similarly, if you don’t make your systems strong, there is a risk. Just as there are certain rules for building a house – like how much concrete and rebar to use – there is a standard format for building servers. It’s also important to check whether we have built our systems according to that standard.
Does this mean the process of building government websites is weak?
It’s possible. From a research perspective, we have to consider, ‘Was the initial process of building them flawed?’ or ‘Were the tools we used to build them weak?’ Generally, hardware and software have updated versions coming out every two to three years.
When you design something, you must consider security from the very beginning. In the past, security wasn’t given much importance; getting the job done was the main goal. But now, the focus is on doing the work securely. That’s why when we design, or even just plan, we must consider security. We need to pay attention to where a system might be vulnerable.
The people who run the system also need to know that they shouldn’t share their passwords, they must keep them secure, and they should create strong passwords. Many people still use weak passwords like ‘123456’ or ‘admin admin’. These things require a lot of attention.
Hardware must play a role, too, right?
Yes, hardware plays just as big a role as software and the system itself. We should be using genuine desktops, laptops, and other genuine devices. We often use assembled systems and pirated software, which is extremely risky.
It’s important to understand that if something is very cheap or free, there might be a risk involved. We often download free software and use free VPNs, which also increases the risk.
Nothing is 100% secure. If you think something is completely safe and you become complacent, that’s exactly when an attack can happen. So we need to understand this.
You yourself said that nothing is 100% secure. Human error is also a major factor in the increased risk. But what has the state done to be more secure or to reduce attacks like hacking?
We’ve done a lot of work. The evidence for this is that around 2020, we were at 45% on the Global Cybersecurity Index. Now in 2025, we are at 69.
The ITU (International Telecommunication Union) evaluates and publishes this annually. There are five factors they use for evaluation: legal frameworks, organizational structures, technology, awareness, and whether a system has been compromised.
Please adhere to our republishing policy if you'd like to republish this story. You can find the guidelines here.
