Eighteen Doors, One Key
Confirmed - Breach Data
At Armenia's Bavra border checkpoint -- the primary crossing between Armenia and Georgia -- every single customs officer account is protected by the same password: 123456. Not one account. Not a handful. All eighteen.
This is the gateway through which goods, people, and contraband enter Armenia from Georgia. The digital locks on this border are functionally open. Anyone with a username could walk through.
We discovered this through analysis of publicly leaked credential databases. The pattern was unmistakable: account after account at the same checkpoint, the same six digits.
| Account | Domain | Password | Sector |
|---|---|---|---|
| bavra-customs-01 through 18 | customs.am (Bavra checkpoint) | 123456 | Border Security |
| info@betconstruct.com | betconstruct.com | 123456 | Gambling (Badalyan) |
| Bjni-84@mail.ru | mail.ru | 123456 | Mining/Water (Sukiasyan) |
| nk@vodohod.ru | vodohod.ru | 123456 | Russian Cruise (Trotsenko) |
| dorothy@mirelis.com | mirelis.com | 123456 | Cyprus Offshore (Sukiasyan) |
| a@amr.ru | amr.ru | 123456 | Moscow Company |
| arameart@arminco.com | arminco.com | 123456 | Armenian ISP |
| armeniatv@mail.ru | mail.ru | 123456 | National Television |
| banana-am@mail.ru | mail.ru | 123456 | Banana Import (Cocaine link) |
The Pattern: From Borders to Boardrooms
Pattern Analysis
What makes this finding significant is not just the password itself. It is the map it draws. When you trace 123456 across Armenian institutions, you see the skeleton of how power actually operates in this country.
The border checkpoint controls what enters the country. The offshore shell -- Mirelis in Cyprus -- controls where money leaves. The mining company extracts national resources. The TV channel controls what the public sees. The ISP controls what the public accesses. And the banana import company? That account connects to what Armenian prosecutors have called the largest cocaine smuggling operation in the country's history.
One password. One thread. Customs to offshore to mining to media to narcotics.
The Bavra Gateway
Confirmed - Breach Data
Bavra is not a minor crossing. It is Armenia's primary land border with Georgia, which is itself Armenia's primary overland route to Europe and the outside world. Every truck, every container, every cargo manifest passes through systems protected by 123456.
The 18 accounts we identified all share the same password. This means that any single compromised credential gives access to all of them. There is no compartmentalization. There is no security hierarchy. The border, digitally speaking, is open.
For context: Georgia has been repeatedly flagged as a transit corridor for sanctioned goods heading to Russia. Armenian customs is the gatekeeper. And the gate has no lock.
The Oligarch Connection
Confirmed - Breach Data Confirmed - DNS Records
The password 123456 does not only appear in government systems. It appears in the private infrastructure of Armenia's most powerful business figures.
BetConstruct (Badalyan) -- One of Armenia's largest tech companies and the backbone of its gambling industry. The info@ account -- typically the primary public-facing email -- used 123456.
Bjni Mineral Water (Sukiasyan) -- The Bjni-84@mail.ru account links to the Bjni mineral water brand, owned by the Sukiasyan family -- one of Armenia's wealthiest oligarch clans with deep roots in mining, real estate, and finance.
Mirelis Cyprus (Sukiasyan) -- The dorothy@mirelis.com account connects to a Cyprus-registered shell company. Mirelis is part of a network of offshore entities linked to the Sukiasyan family that appears across multiple international investigations into money laundering.
Vodohod (Trotsenko) -- The nk@vodohod.ru account belongs to Russia's largest river cruise operator, owned by Roman Trotsenko -- a Russian oligarch with extensive business interests in Armenia, including the country's largest airport.
Media and Infrastructure
Confirmed - Breach Data
The same password protects accounts at institutions that control information flow and digital infrastructure in Armenia.
Armenia TV -- armeniatv@mail.ru belongs to the country's largest television channel. This is the broadcaster that shapes public opinion for millions. Its email credentials were 123456.
Arminco -- arameart@arminco.com connects to one of Armenia's pioneering internet service providers. The company that helped build the country's digital backbone used the world's most common password.
The implications are severe. If these are the passwords for primary accounts, what protects the internal systems? The admin panels? The content management systems? The broadcast infrastructure?
The Banana Connection
Confirmed - Breach Data Pattern Analysis
Perhaps the most alarming entry in this dataset is banana-am@mail.ru. This account connects to the banana import business that Armenian law enforcement has linked to what became known as the largest cocaine smuggling case in Armenian history.
The scheme used banana shipments from Ecuador as cover for cocaine imports. The company importing the bananas -- and apparently protecting its communications with 123456 -- operated at the intersection of customs, import logistics, and organized crime.
The same password that protects the border checkpoint also protects the import company that allegedly smuggled narcotics through that same border system.
What This Means
This is not a story about weak passwords. Every security expert will tell you 123456 is the most commonly breached password on earth. What this investigation reveals is something deeper.
The same negligence -- the same institutional indifference to basic security -- connects Armenia's border security, its offshore financial architecture, its oligarch-controlled enterprises, its national media, and its narcotics pipeline. They are not separate failures. They are one failure.
If 123456 protects the border, what protects the nation?
If the institutions tasked with guarding a country's sovereignty cannot be bothered to change a default password, the vulnerability is not technical. It is structural.
Methodology
This investigation is based on analysis of publicly available breach databases, DNS registration records, corporate registry filings, and open-source intelligence. No systems were accessed, penetrated, or tested. All credentials referenced were already publicly exposed at the time of analysis. OWL does not encourage unauthorized access to any system.