The Cybercrime Investigation and Coordinating Center (CICC) has launched a probe into reports of an alleged data breach involving G-Xchange, operator of the popular GCash platform, but early findings suggest that the data circulating online did not originate from GCash’s systems.
In a statement, the CICC said its Cybercrime Investigation Office (CIO), in coordination with GCash, found that the data propagated by a dark Web user appeared to be recycled or previously exposed information, repackaged to look like a new breach.
“Initial assessment indicates that the data sets in question did not come from GCash’s infrastructure,” the CICC said, adding that there was “no evidence of any recent compromise.”
The agency added that GCash has expressed openness to allow CICC and the Department of Information and Communications Technology (DICT) to conduct system checks to confirm the integrity of its infrastructure.
At the same time, investigators are pursuing leads to identify the possible individual or group behind the alleged exposure. The CICC assured the public that all findings will be coordinated with relevant authorities “as part of due process and in accordance with existing cybercrime investigation protocols.”
The CICC’s statement follows a separate announcement from the National Privacy Commission (NPC), which confirmed that it has formally launched an investigation into the reported sale of millions of GCash user records on a dark Web forum.
According to cybersecurity monitoring group Deep Web Konek, the post — made on October 25, 2025, by a user identified as “Oversleep8351” — claims to sell sensitive personal and financial information of 7–8 million GCash users.
The dataset purportedly includes account numbers, linked financial accounts, and verified eKYC (Know Your Customer) records containing government-issued IDs and employment details.
The listing allegedly offered bundles of user data ranging from $700 for 20,000 entries to $25,000 for the full dataset, payable via Monero (XMR), a cryptocurrency known for its anonymity.
The NPC said its Complaints and Investigation Division has issued a Notice to Explain to G-Xchange and scheduled an online clarificatory conference.
In response to the mounting reports, GCash reiterated that its systems remain secure.
“Initial forensic analysis shows no compromise in GCash systems,” the company said. “The data under circulation does not match official customer records and includes individuals who are not GCash users.”
The company explained that the alleged dataset contains incomplete and invalid information, further supporting the conclusion that it did not originate from its servers.
GCash said it continues to coordinate closely with the Bangko Sentral ng Pilipinas (BSP), NPC, and CICC “to validate information and reinforce system defenses.”
The fintech firm also reminded users to report suspicious activity only through its official channels, such as the GCash Help Center, Gigi chatbot in the app, or hotline 2882.
“GCash remains fully committed to safeguarding customer data, strengthening our defenses, and upholding the trust of millions of Filipinos,” the statement concluded.
