Cyber Incident Victim: Deutsche Bank
Date:
Mar 2023
Location:
Germany
Summary
An unknown hacker using the alias "Alliswell" offered approximately 60GB of data purportedly stolen from Deutsche Bank on a dark web forum, claiming it included employee information, banking application source code, API components, SQL data, and Interpol-related files. The post provided five categorized "lockbitfile" links as proof, though initial analysis of sample data revealed references to Citibank and HSBC accounts rather than the bank in question. Forum members questioned the legitimacy of the data volume and the seller's credibility, noting the user's recent registration and lack of reputation, while an administrator cautioned against improper sale postings. This follows prior unverified claims of a breach involving the LockBit ransomware group, which the institution had previously denied.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 15, 2023, an unknown threat actor using the pseudonym "Alliswell" advertised a 60GB cache of data allegedly stolen from Deutsche Bank on Breached, a dark web hacker forum. The post claimed the dataset contained sensitive information, including employee data and source code from the bank’s website, mobile applications, and backend systems. To substantiate the claim, the actor provided five "lockbitfile" links categorizing the data into segments: API source code, general files, employee records, Interpol enquiry department data, and SQL databases. The Cybernews research team verified partial accessibility of these links but found no direct references to Deutsche Bank in the samples examined. Instead, the visible data included mentions of a Citibank account in Zurich and accounts belonging to two HSBC executives, raising questions about the dataset’s origin and scope. The seller specified they would entertain offers exclusively from serious buyers and provided an encrypted email address for inquiries. Alliswell’s forum profile indicated no prior activity, having joined Breached in March 2023 with an unranked reputation, suggesting a new or previously unknown actor.
Forum users reacted inconsistently to the post, with some praising the leak while others questioned its authenticity, noting discrepancies between the advertised data volume and visible content. A Breached administrator intervened to reprimand Alliswell for violating forum rules by listing the data for sale in a section designated for free sharing. Deutsche Bank had not issued a public statement or confirmation regarding the incident at the time of Cybernews’ reporting, though the outlet had contacted Deutsche Bank America for comment. This incident followed a November 2022 claim by another threat actor alleging possession of 16TB of Deutsche Bank data offered for sale on Telegram, which the bank had previously denied as a legitimate breach. The March 2023 post did not explicitly attribute the attack to the LockBit ransomware group despite Cybernews’ initial reference to the gang, and no ransom demands or extortion tactics were detailed in the available evidence.