Cyber Incident Victim: Invest Bank
Date: Nov 2015
Location: United Arab Emirates
Summary
A hacker known as Hacker Buba breached a UAE bank's systems, exfiltrated confidential client data, and demanded a $3 million ransom in Bitcoin, threatening to leak information on Twitter unless paid. The attacker released account statements of government entities, businesses, and individuals, directly messaging victims to demand payments and amplifying panic. The institution acknowledged the breach, reported it to national authorities including the Central Bank and aeCERT, and refused to comply with extortion demands despite customer outrage over exposed financial details and inadequate communication. Cybersecurity experts attributed the incident to systemic vulnerabilities and noted the hacker's use of international digital obfuscation tactics to evade tracing.
Description
In September 2018, a Sharjah-based bank faced a sustained cyber extortion campaign by an individual using the alias "Hacker Buba." The attacker first leaked confidential client data on Twitter on November 18, posting account statements of government entities, UAE firms, and individuals at regular intervals. Hacker Buba claimed control over customer accounts through SMS and email warnings, demanding direct payments from clients or a Bitcoin ransom from the bank to prevent further disclosures. When the bank secured a suspension of his initial Twitter account on November 23, the hacker created a new profile the next day and escalated his activity by releasing 500 customer account statements in a single tweet attachment. The bank confirmed the data breach and receipt of a ransom note, disclosing that Hacker Buba had accessed customer information but emphasizing that no financial losses had occurred. Senior management refused payment, characterizing the incident as blackmail, and reported the matter to the UAE Central Bank and the Telecommunications Regulatory Authority’s Computer Emergency Response Team (aeCERT) for investigation.

The breach exposed sensitive financial details of numerous businesses and individuals, with many victims unaware their data had been compromised until contacted by media. A Dubai investment firm’s finance officer described the exposure of transactional records and client details as leaving their company "naked," while an Abu Dhabi contractor termed the business damage "irreversible." Affected customers criticized the bank for inadequate cybersecurity and failure to notify them promptly. Hacker Buba privately messaged a journalist via Twitter, revealing a $3 million ransom demand and claiming access to the bank’s database and server backups, while offering a 5% commission for collaboration. Cybersecurity experts cited systemic vulnerabilities in banking architectures and noted the hacker’s use of obfuscation tactics, including a Hungarian Twitter location marker, Indonesian-language posts, and UK-originating SMS messages to mask his identity. The incident remained under active investigation by authorities at the time of reporting, with no confirmation of the attacker’s physical location or methods of initial network infiltration.
