Threat Actor "akrust" Leaks Millions of Filipino Banking and KYC Records in Massive Data Breach
Manila, Philippines – Earlier this morning, Deep Web Konek discovered two data breaches involving a banking institution and KYC information. Our monitoring of cybercrime forums revealed that a threat actor, known as "akrust," is selling extensive personally identifiable information (PII) and financial data from the bank.
Breach #1: CardBank Philippines Banking Customer Data Leak
https://iili.io/3HRkUP9.png
Our initial findings confirm that an extensive customer/client database from CardBank Philippines has been compromised. The attacker claims to have scraped the data from a banking admin backend, exploiting vulnerabilities before security teams removed their backdoor access.
Compromised Data:
Affected Customers: 3 million+
Exposed Information:
1. Username, Customer ID, and Account ID
2. Full Name (First, Middle, Last, Maiden Name)
3. Date of Birth
4. Mobile Number
5. Home Address
6. Account Type, Account Status, and Account Code
7. Full Account Number
8. Client IMEI and Device Model
9. Monthly Financial Value
The threat actor is currently selling this dataset for $2.5K USD, indicating the severity of the breach and the demand for financial information in illicit markets.
Breach #2: KYC Information Leak Under Verification
https://iili.io/3HRkrFe.png
Another data leak posted by the same threat actor involves KYC (Know Your Customer) data, which is critical for identity verification and fraud prevention.
Deep Web Konek’s initial analysis suggests that the affected database belongs to a financial institution, but verification is ongoing to confirm its source.
Compromised Data:
Affected Individuals: 7 million+
Exposed Information:
1. Customer ID
2. Username
3. Full Name (First, Middle, Last)
4. Gender
5. Email Address
6. Birth Date
7. ID Type and ID Number (e.g., TIN, Government-issued IDs)
8. Home Address, Province, City, Postal Code, Country
9. Settlement Account Name and Number
The threat actor claims to have obtained this data by scraping a third-party web application, indicating a possible security lapse in external service providers linked to financial institutions.
The hacker, known as "akrust," has been actively selling stolen databases on cybercrime forums. The posts indicate that the threat actor gained access via:
1. Banking Admin Backend Exploitation – Used to extract CardBank Philippines data.
2. Third-Party Web App Scraping – Suspected entry point for the KYC breach.
Both datasets are being sold for cryptocurrency, making it difficult to trace transactions. The hacker has also mentioned access to Apache Tomcat manager interfaces, potentially allowing further intrusions within financial networks.
Upon detecting these breaches, Deep Web Konek’s Breach Notification Team immediately notified CardBank Philippines and initiated efforts to verify the KYC leak’s ownership, urging affected institutions to:
1. Verify the breach and its extent
2. Secure affected systems and patch vulnerabilities
3. Alert customers about potential fraud risks
4. Enhance cybersecurity monitoring to prevent further attacks
As the situation unfolds, we will continue to monitor developments and provide updates.
For affected customers, we strongly recommend monitoring financial accounts, enabling two-factor authentication (2FA), and being cautious of phishing attempts that may leverage this leaked information.
Deep Web Konek will remain vigilant in uncovering cyber threats to help protect the public from digital risks.