Philippine Savings Bank Allegedly Named by Qilin Ransomware Group on Dark Web Leak Site
Philippine Savings Bank (PSBank), a subsidiary of the Metrobank Group, has been allegedly identified as a ransomware victim by the threat actor known as the Qilin Ransomware Group, following the appearance of the bank’s name on the group’s dark web data leak site.
According to the leak page, Qilin claims to have compromised systems associated with Philippine Savings Bank and categorized the organization under the banking sector. The listing includes a countdown timer indicating an upcoming data publication date, a common pressure tactic used by ransomware operators to force victims into ransom negotiations by threatening public disclosure of stolen information.
The threat actor alleges possession of approximately 55,000 files, along with several preview images purportedly taken from internal systems. The screenshots shown on the leak site appear to depict spreadsheet-style records and structured tabular data, suggesting potential access to internal operational or administrative information. However, the content and sensitivity of the alleged data have not yet been independently verified.
The entry on the leak site is dated January 28, 2026, with the presence of a scheduled release window indicating that negotiations may be ongoing or have failed. At the time of writing, no confirmation has been issued by Philippine Savings Bank or its parent company, the Metrobank Group, regarding a ransomware attack or data breach.
Qilin Ransomware operates as a Ransomware-as-a-Service group and has been observed targeting organizations across multiple sectors, including finance, healthcare, and government-linked institutions. The group is known for employing double extortion techniques, which involve exfiltrating data prior to encryption and threatening to publish the stolen information if ransom demands are not met. Its operations typically include maintaining a public leak site on the dark web to showcase victims and apply additional pressure.
If confirmed, an incident affecting a financial institution could carry serious implications, including potential exposure of internal documents, increased regulatory scrutiny, and heightened risks of secondary attacks such as phishing or social engineering campaigns leveraging leaked data. Financial institutions remain prime targets for ransomware groups due to the sensitivity of the data they manage and the reputational consequences associated with security incidents.
As of this report, there have been no publicly reported service disruptions involving Philippine Savings Bank, and no advisories have been released by regulatory or supervisory bodies. Cybersecurity experts caution that claims made by ransomware groups should be treated as allegations until validated through official disclosures or forensic investigation.
The situation remains under observation as the publication deadline displayed on the Qilin leak site approaches. Further updates are expected should additional evidence emerge or should the affected organization issue an official statement regarding the alleged incident.
