The report documents major financial-sector incidents including a 3-million-record database leak from Indonesia’s largest bank sold on DarkForums by the actor BreachLaboratory and a ransomware breach by INC Ransom that published roughly 100GB of stolen data. It additionally analyzes a phishing email campaign targeting financial institutions, lists top malware strains affecting the industry, and provides MD5 hashes and other indicators for investigators. #BreachLaboratory #INC_Ransom
Keypoints
- Database of Bank***.id containing ~3 million records (480MB) was advertised for sale on DarkForums by BreachLaboratory, exposing high-risk financial and KYC-related fields.
- INC Ransom claimed a ransomware attack against *** Finance Group, publishing roughly 100GB of internal data and operational documents after December 10, 2025.
- The leaked bank data includes transaction-relevant details such as account types, SWIFT codes, balance thresholds, phone numbers, and emails, increasing risk of fraud and fund-transfer abuse.
- The report includes a focused analysis of a phishing email campaign targeting financial institutions, indicating targeted social-engineering efforts against finance sector personnel and customers.
- Top malware strains and statistics on Korean account leaks on Telegram are cataloged, alongside dark web cases of credit card breaches and database leaks impacting the financial sector.
- Investigative artifacts provided include MD5 file hashes from the ransomware incident and contextual details to support proactive defensive measures across banks, fintechs, and payment operators.
MITRE Techniques
- [T1566] Phishing – Used to target financial institutions through malicious email campaigns (‘a detailed analysis of a phishing email campaign targeting financial institutions is also included’)
- [T1041] Exfiltration Over C2 Channel (Data Exfiltration) – Data theft and transfer of customer records and datasets were claimed by threat actors (‘claims to have stolen a total of 480MB, approximately 3 million records of sensitive financial data.’, ‘claims to have stolen 100GB of fresh data accumulated over the past three years’)
- [T1486] Data Encrypted for Impact – Ransomware group disrupted and published victim data as part of extortion and impact operations (‘ransomware group INC Ransom claimed responsibility for an attack … and published the victim company’s data on the group’s leak site’)
Indicators of Compromise
- [Domain] Affected organizations and victim domains – bank***.id (leaked customer database), ***-finance.com (ransomware victim)
- [Threat Actor] Actors and leak platforms – BreachLaboratory (seller of bank data), INC Ransom (ransomware group), DarkForums (sales/platform context)
- [MD5] File hashes from the ransomware incident – 02ec920f0e4d4e2df98bb523f5a90d4c, 12c541f80f6a563f3ce4b9a665cb610f, and 3 more hashes
Read more: https://asec.ahnlab.com/en/92207/