The report analyzes a range of cyber threats against the financial sector, including database leaks, sales of access rights on dark web forums, phishing campaigns, and ransomware incidents affecting major financial organizations. It highlights specific cases involving leaked credentials and datasets (H***, V***, T***), threat actors claiming access (PanchoVilla, Solonik, CLOP), and published MD5 hashes linked to incidents.
Key points
- Access credentials (FTP, SSH, RDP) for a Mexican insurance company (h***.mx) were leaked and offered for sale on the LeakBase forum, with claims of backdoor access and potential for ransomware deployment.
- A dataset allegedly containing ~22.5 million customer records from The V***, Inc. (v***.com) was posted for sale on DarkForums by actor “Solonik,” including sample records and an additional ~34,000-record sample.
- Ransomware groups including CLOP, Eraleig (APT73), and Everest publicly listed financial-sector victims on Dedicated Leak Sites; CLOP listed a global payment processor (t***.com) as a claimed victim.
- The report documents phishing email campaigns targeting financial institutions and summarizes statistics on malware targeting the financial sector and on leaked domestic accounts, broken down by industry, circulated via Telegram.
- Threat actors demonstrated data exposure by posting dumped database samples via external file-sharing links and offering access rights for sale, increasing risk of follow-on attacks (impersonation, phishing, financial fraud).
- Several MD5 file hashes were published in relation to incidents, indicating shared artifacts or samples tied to these compromises.
- The deep web and dark web remain active marketplaces for selling stolen financial data and access, amplifying potential impact and requiring continuous monitoring.
MITRE Techniques
- [T1078] Valid Accounts – Used to gain persistent access to the H*** network via an already authorized user account (‘compromised backdoor access to the H*** insurance network through an already authorized user account, mentioning that the deployment of a C2 server is possible’).
- [T1021] Remote Services – Leaked credentials for remote services were traded, facilitating access (‘Access credentials (FTP, SSH, RDP) to the internal network of the Mexican insurance company H*** have been leaked on the cybercrime forum Leakbase.’).
- [T1071] Application Layer Protocol – Threat actors referenced the potential deployment of command-and-control infrastructure (‘mentioning that the deployment of a C2 server is possible’).
- [T1486] Data Encrypted for Impact (Ransomware) – Ransomware groups (CLOP, Eraleig, Everest) compromised and listed financial victims, indicating ransomware operations targeting financial firms (‘CL0P, Eraleig (APT73), and Everest ransomware groups have compromised numerous financial-related companies and publicly disclosed the victims on their Dedicated Leak Sites’).
- [T1567] Exfiltration Over Web Service – Stolen database samples and datasets were shared via external file-sharing links and sold on forums (‘They presented some samples of the dumped database via an external file sharing link.’).
- [T1566] Phishing – Phishing emails targeting the financial sector were observed and summarized in the report (‘It also details cases of phishing emails targeting the financial sector.’).
Indicators of Compromise
- [File Hash] Ransomware/malware sample MD5s published in the report – 0e945218340f80377d777f43a86bdd57, 539fe169480ffd66765c1693f8ed0d7d, and 3 more hashes.
- [Domain / Hostname] Affected organizations referenced (masked) – h***.mx (Mexican insurance company), v***.com (The V***, Inc., asset manager), t***.com (payment/card processor).
- [Credentials] Leaked access credentials for internal network access – FTP, SSH, and RDP credentials offered for sale on LeakBase (no specific usernames or passwords are published in the report).
- [Leak Site / Forum] Dark web venues used to sell data and access – LeakBase (sale of H*** access), DarkForums (sale of V*** dataset).
- [Threat Actor] Actor handles named in incidents – PanchoVilla (claims H*** access), Solonik (selling V*** data), CLOP (ransomware victim announcements on its Dedicated Leak Site).
Read more: https://asec.ahnlab.com/en/92626/