Parliament Wide Open

Albania deployed the world’s first AI anti-corruption minister. The agency that built it was arrested for corruption. The parliament it monitors? Unauthenticated API, 236 MPs’ full PII, 54,545 documents. No login required.

Campaign Statistics

A two-phase OSINT investigation — passive reconnaissance in January 2026, followed by active API enumeration and data collection on February 25, 2026 — targeting Albanian government digital infrastructure produced the following findings.

251 MB Total Data Collected
1,309 Files Recovered
236 MP Records (Full PII)
54,545 Parliament Documents
7 Open API Endpoints
59 Open Data Portal Endpoints
110 AKSHI Subdomains Mapped
832 Albanian .gov.al Domains

Context: Albania’s Ambitious Digital State

Albania has spent the last decade building one of Eastern Europe’s most ambitious digital government infrastructures. The National Agency for Information Society — AKSHI (Agjencia Kombëtare e Shoqërisë së Informacionit) — manages a network connecting 220 government institutions, hosts 380 government websites, powers 600+ electronic services for citizens, and maintains a dedicated CSIRT for cybersecurity operations. Albania was ranked 14th globally in the GovTech Maturity Index 2025 and received UN recognition as a model for digital transformation.

The country is also a NATO member actively pursuing EU membership, with a target accession date of 2030. Brussels has consistently identified corruption as the primary obstacle. Albania’s response, in September 2025, was to appoint the world’s first AI minister.

Diella — named from the Albanian word for “sun” — is an AI system developed by AKSHI using Microsoft Azure and OpenAI. Prime Minister Edi Rama appointed her as Minister of State for Artificial Intelligence with a stated mission: “Public tenders will be 100 percent free of corruption.” In October 2025, Rama announced Diella was “pregnant with 83 digital assistants” that would be assigned to each ruling-party Member of Parliament to monitor legislative sessions.

“The agency that built Albania’s anti-corruption AI was itself a criminal enterprise. Its director general and deputy were arrested three months after Diella’s appointment, charged with operating a structured criminal group to manipulate government tenders.”

The Story

This investigation began in January 2026 as passive reconnaissance: mapping AKSHI and Diella’s infrastructure, identifying subdomains via certificate transparency, probing public-facing systems. The initial conclusion was straightforward — Albanian government infrastructure was, by regional standards, well-secured. WAFs on the main domains, WordPress API requiring authentication, no exposed credentials in Diella’s frontend JavaScript bundle.

The assessment changed completely in February 2026. When enumeration turned to the Albanian Parliament — the institution Diella’s 83 AI “children” were supposed to monitor — a different picture emerged. The Parliament (parlament.al) serves a React single-page application that, on the surface, appeared to be a dead end: it returns HTTP 200 for all paths, a classic SPA catch-all. But the main JavaScript bundle told a different story.

Pulling the 355 KB JS bundle and running string extraction revealed a hardcoded API base URL: https://kuvendiapi.azurewebsites.net/api. Further extraction from minified webpack variables produced seven OData entity names. Every endpoint responded to unauthenticated GET requests. No tokens, no rate limiting, no access controls of any kind.

The Albanian Parliament’s entire backend API was wide open.

The irony runs deep. AKSHI’s Director General Mirlinda Karçanaj and her deputy were arrested in December 2025 — just three months after Diella’s appointment — charged with running a structured criminal group inside the very agency that built the AI anti-corruption minister. SPAK (Albania’s Special Anti-Corruption Structure) identified 12 tender procedures that had been systematically manipulated. The Parliament API had been open since at least January 2022. And Diella — integrated into the e-Albania platform, with access to 36,000+ government documents — saw none of it.

Critical Finding 1 — Albanian Parliament: Unauthenticated API

kuvendiapi.azurewebsites.net — Parliament OData API
Severity: CRITICAL — HIGH
Authentication: None required
Total documents: 54,545
MP PII records: 236
Status: Open Azure endpoint
The Albanian Parliament backend runs on an ASP.NET OData API hosted on Azure. The React frontend (parlament.al) exposes the API base URL and entity names in its minified JavaScript bundle. All endpoints respond to unauthenticated GET requests. The single protected endpoint is /abonimet (subscriptions), which returns 401. Everything else — MPs, committees, legislation, meetings, documents — is publicly accessible.

Open API Endpoints

| Endpoint | Records | Size | Content |
|---|---|---|---|
| /anetaret | 236 | 138 KB | MP records — full PII |
| /strukturat | | 274 KB | Parliamentary committees |
| /aktet | | 3.1 MB | Legislative acts, interpellations |
| /lajmet | | 19.8 MB | Parliamentary news articles |
| /mbledhjet | | 2.2 MB | Session and meeting records |
| /dokumentet | 54,545 URLs | 30.2 MB | Document catalog with direct Azure Blob URLs |
| /YouTube/search | | 8 KB | YouTube video search proxy |
| /abonimet | 401 | | Only protected endpoint |
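
An added example, not part of the original investigation: because the endpoints answered without credentials or rate limiting, one detection an operator could run over API access logs is to flag any client whose unauthenticated successful reads span several entity sets within a short window. The log format, threshold, window and sample lines are constructed assumptions; the entity names are the ones listed above.

```javascript
// Constructed access-log sample. Assumed format, one request per line:
// time client method path status bytes auth   ("-" means no credentials sent)
const SAMPLE_LOG = `
2026-02-25T10:00:01Z 203.0.113.7 GET /api/anetaret 200 150000 -
2026-02-25T10:00:04Z 203.0.113.7 GET /api/strukturat 200 50000 -
2026-02-25T10:00:09Z 203.0.113.7 GET /api/aktet 200 3000000 -
2026-02-25T10:00:15Z 203.0.113.7 GET /api/mbledhjet 200 2000000 -
2026-02-25T10:00:31Z 203.0.113.7 GET /api/dokumentet 200 30000000 -
2026-02-25T10:00:40Z 203.0.113.7 GET /api/abonimet 401 0 -
2026-02-25T10:01:00Z 198.51.100.20 GET /api/lajmet 200 90000 -
2026-02-25T10:02:10Z 198.51.100.20 GET /api/anetaret 200 150000 -
2026-02-25T10:03:00Z 192.0.2.44 GET /api/anetaret 200 150000 bearer
2026-02-25T10:03:02Z 192.0.2.44 GET /api/aktet 200 3000000 bearer
2026-02-25T10:03:05Z 192.0.2.44 GET /api/lajmet 200 90000 bearer
2026-02-25T10:03:09Z 192.0.2.44 GET /api/mbledhjet 200 2000000 bearer
`;

function parseLine(line) {
  const [ts, client, method, path, status, bytes, auth] = line.trim().split(/\s+/);
  const m = /^\/api\/([A-Za-z]+)/.exec(path || '');
  if (!m || Number.isNaN(Date.parse(ts))) return null;
  return { t: Date.parse(ts), client, method, entity: m[1].toLowerCase(),
           status: Number(status), bytes: Number(bytes) || 0, authed: auth !== '-' };
}

// Flag clients whose unauthenticated 200 reads span many entity sets in one window.
function findBulkReaders(logText, { minEntitySets = 4, windowMs = 10 * 60 * 1000 } = {}) {
  const byClient = new Map();
  for (const line of logText.split('\n')) {
    const e = parseLine(line);
    if (!e || e.method !== 'GET' || e.status !== 200 || e.authed) continue;
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const alerts = [];
  for (const [client, events] of byClient) {
    events.sort((a, b) => a.t - b.t);
    let best = null, start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].t - events[start].t > windowMs) start++; // slide the window
      const slice = events.slice(start, end + 1);
      const sets = [...new Set(slice.map((e) => e.entity))].sort();
      if (!best || sets.length > best.entitySets.length) {
        best = { client, entitySets: sets, bytes: slice.reduce((n, e) => n + e.bytes, 0) };
      }
    }
    if (best.entitySets.length >= minEntitySets) alerts.push(best);
  }
  return alerts;
}

console.log(findBulkReaders(SAMPLE_LOG));
```

The 401 from /abonimet and the requests that carried credentials are excluded, so the alert reflects only data that actually left the API without authentication.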

MP PII Exposed — 236 Records

Each of the 236 member-of-parliament records in the /anetaret response contains the following personally identifiable information:

  • Full legal name (first name, father’s name, surname)
  • Date of birth and place of birth
  • Official email address (@parlament.al)
  • Political party affiliation and electoral district
  • Profile photo URL (hosted on Azure Blob Storage)
  • Social media links (Facebook, Twitter/X, LinkedIn)
  • Active / inactive parliamentary status

This constitutes a complete, structured dossier on every person serving in the Albanian legislature — including personal identifiers, contact information, and political affiliations. The data was collected without any authentication or access control being bypassed.

    GET https://kuvendiapi.azurewebsites.net/api/anetaret

    HTTP/1.1 200 OK
    Content-Type: application/json

    {
      "Emri": "[NAME REDACTED]",
      "Atesia": "[FATHER NAME REDACTED]",
      "Mbiemri": "[SURNAME REDACTED]",
      "Datelindja": "1970-XX-XX",
      "Vendlindja": "Tiranë",
      "Email": "[REDACTED]@parlament.al",
      "Partia": "Partia Socialiste",
      "Zona": "Tiranë",
      "Aktiv": true
    }

Azure Blob Storage — 54,545 Public Documents

The /dokumentet endpoint returns a 30.2 MB JSON catalog listing every document in the parliamentary archive. Container listing on kuvendiwebfiles.blob.core.windows.net/webfiles/ is disabled — but every URL is directly enumerable through the API response, and all individual blobs have public read access enabled.

| File Type | Count |
|---|---|
| PDF | 32,627 |
| JPEG / JPG | 18,289 |
| JFIF | 1,768 |
| DOCX | 885 |
| DOC | 397 |
| XLSX | 392 |
| PNG | 208 |
| XLS | 117 |

Among the documents recovered: MP salary spreadsheets (PAGA DEPUTETE) and MP benefits records (PERFITIME DEPUTETE) covering 2018–2020 on a monthly basis; the Lobbyist Registry (Regjistri elektronik i Lobisteve); FOIA request and response logs spanning 2018–2021; budget expenditure tables and public reserve fund data; the Albanian Constitution, Electoral Code, and Deputy Status Law; and parliamentary annual reports from 2013 through 2019.

The JavaScript bundle also contains a hardcoded internal API reference at http://134.0.63.165:5000/public — an internal IP address unreachable from the public internet, confirming additional backend infrastructure exists beyond what is publicly exposed.
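
An added example, not part of the original investigation: everything in a shipped bundle is public, so a release check can list the backend references a build discloses (the API base URL described earlier and the raw-IP reference described here) for review before deployment. The sample bundle, the approved-host list and the reason labels are constructed assumptions; the two URLs are the ones quoted in this report.

```javascript
// Constructed sample: a minified fragment modelled on the references the article
// reports in the bundle. It is not the real file.
const SAMPLE_BUNDLE =
  'var a="https://kuvendiapi.azurewebsites.net/api",b=a+"/anetaret";' +
  'function c(){return fetch("http://134.0.63.165:5000/public")}' +
  'var d="http://www.w3.org/2000/svg",e="/static/logo.png";';

// Hosts a reviewer has approved for a public bundle (assumption for this example).
const APPROVED_HOSTS = new Set(['www.w3.org']);

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function auditBundle(source, approvedHosts = APPROVED_HOSTS) {
  const findings = [];
  const seen = new Set();
  // Absolute URLs as they appear inside minified string literals.
  for (const match of source.matchAll(/https?:\/\/[^\s"'`\\<>)]+/g)) {
    let url;
    try { url = new URL(match[0]); } catch { continue; }
    const key = url.origin + url.pathname;
    if (seen.has(key) || approvedHosts.has(url.hostname)) continue;
    seen.add(key);
    const reasons = [];
    // WHATWG URL keeps IPv6 literals in brackets and IPv4 literals in dotted form.
    const isIp = IPV4_LITERAL.test(url.hostname) || url.hostname.startsWith('[');
    if (isIp) reasons.push('raw-ip-host');
    if (url.protocol === 'http:') reasons.push('cleartext-http');
    if (url.port !== '') reasons.push('explicit-port');
    // Any other absolute URL is a backend the bundle discloses: confirm it enforces auth.
    if (reasons.length === 0) reasons.push('backend-host-needs-auth-review');
    findings.push({ url: key, reasons });
  }
  return findings;
}

// A release gate would fail the build while this list is non-empty and unreviewed.
console.log(auditBundle(SAMPLE_BUNDLE));
```

Removing a URL from the bundle does not protect the backend behind it; the list is a prompt to confirm that each disclosed host requires authorization for anything that is not meant to be public.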

Critical Finding 2 — AKSHI Corruption Scandal

AKSHI Director General & Deputy — Arrested for Corruption
Severity: CRITICAL
Date: December 2025
Charged by: SPAK (Special Anti-Corruption Structure)
Tenders investigated: 12
Mirlinda Karçanaj, Director General of AKSHI, and her deputy were placed under house arrest in December 2025, three months after Diella’s appointment as Minister of State for AI. Charges: participation in a structured criminal group, tender manipulation, and abuse of office. AKSHI — the agency responsible for Albania’s entire digital government infrastructure and the creator of the anti-corruption AI — was itself a criminal enterprise. BIRN reported that the capture of AKSHI by criminal interests “endangers national security.”

The Irony in Numbers

| Diella’s Stated Purpose | Reality |
|---|---|
| “Public tenders will be 100% free of corruption” | AKSHI leadership arrested for tender manipulation |
| AI Minister to fight corruption for EU accession | Agency director arrested 3 months after appointment |
| AI children to monitor each MP’s legislative activity | Parliament API open, zero auth, all MPs’ data exposed |
| Integrated into 36,000+ government documents | Documents accessed by this investigation without credentials |

Finding 3 — Diella AI Frontend Analysis

proud-coast-026495803.4.azurestaticapps.net — Diella Frontend
Severity: LOW
Framework: Vue.js 3.5 / Quasar
Bundle size: 229 KB
Credentials found: None
The Diella frontend JavaScript bundle was fully analyzed. No API keys, no backend endpoint URLs, no hardcoded credentials were found. All sensitive configuration is injected at runtime via Azure backend. The Azure Static Web App authentication endpoints respond normally: /.auth/me returns a null clientPrincipal; /.auth/login/aad redirects to Azure AD. AKSHI’s internal backend infrastructure (dc-hasura, dc-keycloak, dc-hapi, dc-rest) resolves only on internal DNS — no public access.

The technical security of Diella’s own frontend infrastructure is, in isolation, competent. Azure Static Web Apps, runtime-injected configuration, proper IAM via Keycloak, segmented internal infrastructure. But the security questions raised by Diella are not primarily technical: they are institutional. The agency that controls Diella’s training data, system access, and operational parameters was compromised by Iranian state hackers in 2022 and was operating as a criminal enterprise until December 2025. How was Diella built with data from compromised systems? Who monitored the anti-corruption AI while its creators were manipulating tenders?

Finding 4 — Open Data Portal

opendata.gov.al — 59-Endpoint ASP.NET API
Severity: MEDIUM
API Endpoints: 59
OpenAPI Spec: 200 KB, publicly accessible
Access control: None (public by design)
Albania’s national open data portal exposes a fully documented ASP.NET API with a 200 KB OpenAPI specification at /api/specification.json. Datasets include: 400 health centers with locations (AKSHI), 2,289 pharmaceutical records, full business registries for 2025–2026 (by legal form, ownership, and region), national debt registry, 900 daily treasury distributions, public investment data, and e-Albania platform statistics from 2013 to 2024. All government institution contact directories are included, including addresses, phone numbers, and emails for AKSHI, Finance Ministry, and Education Ministry. The API is publicly intended, but the comprehensive OpenAPI specification and the depth of government financial data warrant attention.

Datasets Available

| Dataset | Source | Volume |
|---|---|---|
| Health Centers | AKSHI | 400 centers with GPS |
| Pharmacies & Medicines | AKSHI | 2,289 records |
| Business Registry (Legal Form) | QKB | 2025 + 2026 data |
| Business Registry (Ownership) | QKB | 2025 + 2026 data |
| Business Registry (Region) | QKB | 2025 + 2026 data |
| National Debt Registry 2024 | Finance Ministry | 4 quarterly files |
| Treasury Data | Finance Ministry | 900 daily distributions |
| Public Investments | Finance Ministry | Monthly data |
| e-Albania Statistics 2023 | AKSHI | 12 monthly reports |
| e-Albania Users 2013–2024 | AKSHI | Annual registration stats |
| Airport Mail Flow 2025 | Civil Aviation | Monthly statistics |

Broader Albanian Government Scan

Seventeen Albanian government domains were probed during the February 2026 phase. The majority are hardened: Incapsula WAF, 403/404 responses, no accessible admin panels. A certificate transparency enumeration of the .gov.al domain space via crt.sh produced 832 domains and expanded AKSHI’s known subdomain count from 50 (January) to 110 (February), revealing Jira, Rancher, Wiki, and internal test environments — all behind internal-only DNS, not accessible from the public internet.

| Domain | Result | Entity |
|---|---|---|
| e-albania.al | 200 (hardened) | Main e-government platform |
| akshi.gov.al | WordPress, WAF | National IT Agency |
| parlament.al | React SPA — API OPEN | Albanian Parliament |
| kryeministria.al | Incapsula WAF | Prime Minister's Office |
| president.al | 403 Forbidden | President's Office |
| bankofalbania.org | 403 Forbidden | Central Bank |
| klsh.org.al | WordPress, 401 hardened | Supreme Audit Institution |
| pp.gov.al | DOWN | General Prosecution |
| policia.al | DOWN | State Police |
| mbrojtja.gov.al | DOWN | Ministry of Defence |
| financat.gov.al | DOWN | Ministry of Finance |
| drejtesia.gov.al | Incapsula WAF | Ministry of Justice |
| arsimi.gov.al | Incapsula WAF | Ministry of Education |
| tatime.gov.al | DOWN | Tax Authority |
| dogana.gov.al | DOWN | Customs Authority |
| dpshtrr.gov.al | 415 (vehicle registry) | Driver Licensing |
| instat.gov.al | 404 (clean) | Statistics Institute |

Four GIS portals were discovered through crt.sh enumeration: geoportal.asig.gov.al (national geoportal), instatgis.gov.al (statistics WebGIS), webgis.arrsh.gov.al (Road Authority), and webgis.atp.gov.al (Territorial Planning). None expose accessible GeoServer or WFS data endpoints — all are frontend-only applications.

Organizations with Compromises

parlament.al — Albanian Parliament (Kuvendi)
Legislative branch of Albania — Azure OData API (kuvendiapi.azurewebsites.net)
  • Exposure: Unauthenticated API, zero access controls
  • PII: 236 MPs — full name, DOB, birthplace, email, party, district, photo
  • Documents: 54,545 public Azure Blob files (32K+ PDFs, salary sheets, FOIA logs, budgets)
  • Data collected: 103 MB API data + 137 MB documents

AKSHI — National Agency for Information Society
Albanian government IT agency — Builder of Diella AI, operator of GOVnet & e-Albania
  • Compromise type: Leadership criminal arrest (Dec 2025)
  • Scope: Director General + Deputy under house arrest for tender manipulation
  • BIRN assessment: “Capture of AKSHI by criminal interests endangers national security”
  • Prior breach: Iranian HomeLand Justice attack (2022) — full AKSHI system compromise

opendata.gov.al — National Open Data Portal
Albanian e-government open data platform
  • Exposure: 59-endpoint ASP.NET API, published OpenAPI spec
  • Data: Business registries, health center GPS, pharmaceutical records, treasury distributions
  • Note: Publicly intended; the depth and scope warrant monitoring

Historical Context: A Decade of Exposure

The Parliament API exposure does not exist in isolation. Albania has been systematically compromised at every layer of its digital infrastructure for the past five years.

| Date | Incident | Scale |
|---|---|---|
| April 2021 | Voter database leaked | 910,000 records (∼33% of population) |
| December 2021 | Salary database leaked (WhatsApp) | 637,138 records (22% of population) |
| May 2021 | Iranian HomeLand Justice gains initial access to AKSHI | 14 months silent persistence |
| July 2022 | Destructive attack: ROADSWEEP ransomware + ZeroCleare wiper | Albania forces government services offline |
| September 2022 | Albania severs diplomatic ties with Iran | NATO condemns the attack |
| October 2022 | Police suspect database leaked via Telegram | ∼100,000 records, 1.7 GB |
| December 2023 | Parliament + One Albania telecom attacked | 2 petabytes claimed destroyed |
| January 2024 | INSTAT statistics institute breached | 100+ TB claimed exfiltrated |
| September 2025 | Diella appointed AI Minister | |
| December 2025 | AKSHI Director General arrested for corruption | 12 tenders under investigation |
| February 2026 | Parliament API found open — this investigation | 54,545 documents, 236 MPs’ PII |

The Iranian state-sponsored group HomeLand Justice (MITRE ATT&CK C0038, attributed by FBI, CISA, NATO, and UK NCSC to Iran’s Ministry of Intelligence and Security) breached AKSHI by exploiting CVE-2019-0604 (Microsoft SharePoint). Initial access was established in May 2021 — fourteen months before the destructive attack launched in July 2022. During that window, CHIMNEYSWEEP infostealer exfiltrated data from the agency that would later build Albania’s AI minister.

Data Inventory

Total collection: 251 MB across 1,309 files, recovered from publicly accessible, unauthenticated endpoints and Azure Blob Storage URLs.

  • Parliament API — MP Records (anetaret.json): 236 members of parliament, full PII, 138 KB
  • Parliament API — Document Catalog (dokumentet.json): 54,545 document URLs with metadata, 30 MB
  • Parliament API — Legislative Acts (aktet.json): Full legislative catalog, interpellations, 3.1 MB
  • XLSX Spreadsheets — MP Salaries & Benefits: 372 spreadsheets, 2018–2020 monthly, 44 MB
  • AKSHI Subdomain List: 110 enumerated subdomains from crt.sh
  • Open Data Portal API Spec: 200 KB OpenAPI specification, 59 endpoints

OSINT Methodology & Legal Notice

All data in this investigation was recovered through passive and active OSINT techniques applied to publicly accessible, unauthenticated API endpoints and Azure Blob Storage URLs. No authentication was bypassed. No credentials were tested or used. No access controls were circumvented. The Albanian Parliament’s API responded to standard HTTP GET requests without requiring any form of identification or token.

This report follows ODINT’s standard methodology: public-facing infrastructure is enumerated, documented, and reported. PII collected from open APIs is presented in aggregate or redacted form. Raw PII records are held in restricted access and are not published publicly. Access to restricted datasets may be granted to credentialed journalists, researchers, and affected government entities upon request.

Research period: January 25, 2026 (Phase 1: OSINT) — February 25, 2026 (Phase 2: Active Recon & Data Collection). Published: April 17, 2026. ODINT is an independent nonprofit digital infrastructure observatory.
