In a startling revelation that has sparked major alarm over the state of data security in India’s banking ecosystem, a threat actor has emerged on a well-known dark web forum, claiming to have accessed and exfiltrated sensitive financial data belonging to more than 13 million Indian banking customers. The alleged data dump, said to be the result of a large-scale breach, is now being offered for exclusive sale to a single buyer for $10,000.
Scope of the Leak
The dark web post claims that the compromised data includes personal and financial information such as:
Full names of account holders
Bank account numbers
IFSC codes
Registered mobile numbers
Email addresses
To support the legitimacy of the claim, the threat actor has reportedly shared a sample of 6,000 records from the alleged leak. The full dataset is said to be formatted in CSV and amounts to 11.2GB in size.
🇮🇳 #India – Alleged Dark Web Leak Exposes 13.6M Bank Users
A threat actor has allegedly put up for sale financial data from 13.6M Indian bank users, claiming to have details from multiple major institutions. https://t.co/C4ajzg3enW #darkweb #financial #infosec
— Dark Web Intelligence (@DailyDarkWeb) March 27, 2025
The threat actor further emphasized the seriousness of the sale by stating that only one buyer will be entertained, and that escrow services would be accepted to facilitate the transaction—an uncommon practice that underscores the actor’s confidence in the authenticity of the breach.
Top Banks Allegedly Affected
According to the forum post, the breach reportedly affects customer databases of several leading Indian financial institutions, including:
State Bank of India (SBI)
HDFC Bank
ICICI Bank
Kotak Mahindra Bank
Several other private and public sector banks
While the precise method of intrusion remains undisclosed, cyber intelligence analysts speculate that a vulnerability in third-party banking APIs or KYC data aggregators may have been exploited. The420.in cannot independently verify the claim made by the threat actor.
However, cyber security researchers at CloudSEK claim that the data is old and was reposted by the threat actor. On November 8, 2024, CloudSEK’s contextual AI digital risk platform, XVigil, identified a threat actor known as “moon_WALK” offering financial data from multiple organizations for sale. Further investigation revealed that “moon_WALK” was the same entity previously operating under the aliases “Night Walkerz” and “UFO LEAK MARKET.” The breach was traced back to the exploitation of a misconfigured and exposed Elasticsearch instance.
“During multiple engagements with the threat actor, data samples contained a critical field, ‘notify_url,’ which linked to various payment processors and platforms. Analysis of these URLs suggested that they were associated with payment gateway services allegedly used by online casinos, gambling sites, and other fraudulent activities,” said a CloudSEK researcher.
The researcher added that while the compromised data was not directly obtained from any bank’s servers, it still contained personally identifiable information (PII) of individuals who are customers of these financial institutions, posing a significant risk to their privacy and security. This week, to gain traction for their sales, the threat actor reposted the selling thread, this time segregating the data by bank.
Potential Risks and Implications
Other cybersecurity experts warn that such a breach—if verified—could have far-reaching consequences:
Financial fraud: Access to account numbers and phone numbers could allow cybercriminals to launch targeted phishing or vishing attacks.
Identity theft: The combination of email, phone number, and bank data could allow for large-scale impersonation and KYC frauds.
Reputational damage: If major banks are indeed involved, the fallout could impact consumer trust and regulatory compliance in the fintech space.
Authorities and Institutions on Alert
As of now, there has been no official statement from the Indian Computer Emergency Response Team (CERT-In) or the Reserve Bank of India (RBI). Representatives of the banks mentioned in the leak have also not issued any confirmations or denials.
Dark Web Marketplace Trends
This leak is yet another example of how the dark web is evolving into a marketplace for sensitive and strategic data. Threat actors are increasingly adopting business-like practices—providing samples, offering escrow, and negotiating exclusive deals with buyers.
The demand for banking data in particular remains high due to the surge in digital banking and the proliferation of fintech apps. Past incidents have shown how such leaks fuel social engineering, loan fraud, and account takeovers.