After months of silence, four Telegram channels serving the so-called “Homeland Justice” group went live on Tuesday morning. In a familiar scheme that begins with a message about warnings and “approaching zero hour,” the hackers claimed to have attacked and taken control of the servers of the Albanian Parliament and possessed the correspondence of members of parliament.
The first message containing a photo with a list of emails and an email entry from the parlament.al domain was published at 11:44 on Tuesday.
"All conversations and correspondence of corrupt members of Parliament over the past few months are in the hands of Homeland Justice. We are much closer to you than you think," the message said.
At 14:11, hackers published a folder with 815 megabytes of material from emails exchanged at the official addresses of MPs Belinda Balluku, Gazmend Bardhi, Damian Gjiknuri and Edi Paloka.
A video released that same day showed that the group had access to the virtual servers of the Albanian Parliament, while evidence showed the deletion of materials from these servers.
In an official response on Tuesday, the Albanian Parliament described the incident as a "sophisticated attack" and claimed that "the main work infrastructure was not affected."
But independent information security experts paint a very different picture and raise questions about repeated institutional negligence.
IT expert Erion Demiri told BIRN that hackers accessed critical infrastructure and were inside the system for a long time, while the alarms did not work.
After analyzing the published data, Besmir Semanaj also points out that the passwords in the system have not been renewed for years, proving negligence and a lack of protective measures.
The attack on the Parliament's digital infrastructure is the third successful attack by the so-called Homeland Justice group, after the one that targeted "e-Albania" in 2022 and the attack on the digital infrastructure of the Municipality of Tirana in June last year.
Access to in-depth infrastructure
The hacking group began publishing the data on March 10, 2026, in four active channels on the Telegram application, which are followed by about 22 thousand users. The publications are still ongoing and include massive archives of emails of the Assembly staff (of the domain @parlament.al), as well as videos showing deep access to systems and deletion of data from servers.
Footage released by Homeland Justice shows free movement within the Parliament network. IT expert Erion Demiri points out that the videos show accessing the hard drives of various servers and deleting virtual machines from a VDI (Virtual Desktop Infrastructure).
“The actions taken are destructive and result in downtime and significant data loss on the affected machines,” Demiri explains. According to him, although the data deletion is dated March 10, 2026, unauthorized access to the systems “could have been carried out a long time ago,” giving attackers time to replicate and monitor the network before committing the destructive action.
The fact that the attack was made public by the hackers themselves and not by the institution's monitoring systems indicates a worrying lack of systems to detect foreign intrusions into the network.
"What is certain from the manner of behavior is that it was not the institution's staff who detected the authorized access, but the malicious force itself that published the attack," said Demiri.
Failure of basic measures
The main concern raised by experts is not the attack itself, but the ease with which it was carried out, which suggests the failure to take any measures after the long history of cyberattacks in Albania.
Besmir Semanaj, a cybersecurity expert, notes that the compromise was not simply a document leak, but a "real access to the Parliament's IT infrastructure", with the hackers having administrative privileges (access to the VMWare vCenter).
More alarming, according to Semanaj, is the fact that the published lists of users and mailboxes suggest that the accounts have remained active and without changing their passwords even after previous attacks.
“This shows a lack of minimal response measures such as mass password resets, session revocations, and access auditing,” Semanaj points out. He warns that publishing the internal structure of servers increases the risk of further attacks and proves that “institutions have not implemented even basic security measures after previous incidents.”
The same concern is shared by Orkidea Xhaferraj, an expert at the Center for Science and Innovation for Development, SCiDEV, who says that repeated successful attacks on key Albanian institutions "raise a major question mark" about the measures taken to guarantee the security of digital infrastructure, despite the expenses incurred.
"The high vulnerability of institutions, the Assembly in this case, is no longer simply a technical issue, it is a systemic issue. Repeatedly, after each attack we hear that work is being done to address it, it is being investigated, it is being collaborated with third parties, but what is fundamentally changing?!", Xhaferraj asks rhetorically.
Experts raise doubts about the ease with which these attacks occur and suggest, in the absence of full transparency, that they may also be internal organizations to draw attention away from other problems in the country.
"Every time there is internal conflict, we have revenge," says Semanaj, who calls for more transparency about how money for cybersecurity has been used.
The parliament downplayed the damage from the attack. In a media release on Tuesday, the parliament claimed that the unauthorized access was noticed on Monday evening at around 9:00 p.m.
The institution stated that “from the initial analysis it results that the main work infrastructure has not been affected” and that the official website continues to function. The Assembly announced the establishment of a joint technical and investigative team with the National Authority for Cyber Security (AKSK), the State Police, the Cyber Command and international partners.
However, according to experts, the official claim that “core infrastructure was not affected” is contradicted by visual evidence of access to the central virtual server management platform (vCenter), which represents the core of a modern institution’s digital infrastructure. Also, the designation of the attack as “sophisticated” is questioned by the fact that the hackers appear to have used old, unchanged credentials to access the system.
Currently, the institution is facing the challenge of rebuilding the infrastructure from scratch. As expert Demiri warns, this process must be done with extreme caution through backups, as "along with the backup, the vulnerability usually returns," leaving the door open again for similar attacks in the future.
Meanwhile, the seriousness with which Albania treats digital infrastructure was questioned at the end of last year after investigations by the Special Prosecution Office raised allegations of the involvement of criminal groups in the awarding of tenders by the National Agency for the Information Society, AKSHI./BIRN
