Cyber Incident Victim: Deutsche Bahn AG

On March 15, 2023, an unknown actor using the pseudonym “Alliswell” advertised 60GB of purported Deutsche Bank data for auction on BreachForums, a known cybercriminal platform. The post claimed the dataset contained source code from the bank’s applications, frontend and backend systems, employee data, SQL databases, and Interpol inquiry department files. As proof, the actor provided five “lockbitfile” links categorizing the data into API source code, employee records, general files, Interpol-related information, and SQL records. Cybernews researchers accessed some linked content but found no explicit references to Deutsche Bank in the sampled material—instead observing mentions of Citibank accounts in Zurich and accounts linked to HSBC executives. The actor’s forum profile indicated they joined in March 2023, had no prior activity, and held an unranked reputation status, raising questions about credibility. Forum users expressed skepticism, with one questioning the claimed data volume by noting visible content appeared limited to banking tables.

BreachForums administrators intervened in the thread, admonishing Alliswell for violating forum rules prohibiting commercial sales in a database-sharing section and warning of potential sanctions. Deutsche Bank had not issued a public statement by the time Cybernews reported the incident, despite media inquiries directed at Deutsche Bank America. This allegation followed an earlier November 2022 incident where another threat actor attempted to sell 16TB of data allegedly stolen from the bank on Telegram for 7.5 bitcoin—a claim Deutsche Bank had previously denied. The March 2023 offer did not specify pricing or buyer conditions, and Alliswell provided only an encrypted email contact. No evidence of data dissemination beyond the sample links was confirmed, leaving the authenticity and scope of the alleged breach unresolved at the time of reporting.