Cyber Incident Victim: Deutsche Bank
Date: Nov 2022
Location: Germany
Summary
An initial access broker allegedly compromised a multinational investment bank’s network, offering access for sale via online channels. The broker claimed control of approximately 21,000 machines, predominantly Windows systems protected by Symantec endpoint detection and response, along with internal communications platforms, file servers containing 16 terabytes of data, and Flexcube databases. Access to virtual desktop infrastructure, VPN credentials, and domain administrator passwords was included in the offer, priced at 7.5 Bitcoin (approximately $156,274). Security researchers noted the incident and potential connections to previous breaches involving other entities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On November 11, 2022, an initial access broker (IAB) publicly claimed to have compromised Deutsche Bank's internal network, advertising access for sale on Telegram. Security researcher Dominic Alvieri identified the announcement, which detailed extensive network access allegedly obtained by the threat actor. The IAB asserted control over approximately 21,000 machines within the bank's infrastructure, predominantly Windows systems protected by Symantec endpoint detection and response (EDR) solutions. The advertisement specified compromised assets including FTP servers, shell access, root privileges, SQL injection points, databases, and file servers containing over 16 terabytes of internal data. This data reportedly included shared folders for every network user and Flexcube database systems. The broker additionally claimed administrative domain access through compromised domain administrator (DA) credentials and control over internal communication channels such as employee chat services.

The threat actor priced network access at 7.5 Bitcoin (approximately $156,274 at the time) and required proof of funds from potential buyers to filter unserious inquiries. The advertisement emphasized access to virtual desktop infrastructure (VDI), VPN credentials, and full domain password dumps. While the IAB described internal network traffic filtering for TCP, UDP, HTTP, and HTTPS protocols, no specific data exfiltration or operational disruption was confirmed. Alvieri noted similarities between this incident and the broker's prior attempt to sell access to Australian insurer Medibank's systems. The announcement generated significant buyer interest according to the seller's claims, though Deutsche Bank's official response and independent verification of the breach claims were not documented in available reporting.
