Indian Loan Documents Sold Over Cybercrime Forum

###### Category Adversary Intelligence
###### Affected Industries BFSI
###### Affected Region SAARC, India

Executive Summary

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising loan documents belonging to Indian citizens. The CloudSEK Threat Intelligence Research team has validated the information in this post and has found that the compromised data belongs to Loan Wired, a fintech startup specializing in personal and business loans.


On 02 May 2021, a threat actor shared a post advertising a database of loan documents of Indian citizens. The actor, who joined the forum in June 2018, has been actively selling databases and accesses of various companies across Asia Pacific, Middle East and US region. Through the course of their time on the forum, the actor has garnered a good reputation on the forum.


Information from Source

The threat actor has shared a screenshot of multiple samples in their post, including Aadhar, bank statements of individuals, and files that are part of the leaked database.

Information from HUMINT

CloudSEK Threat Intelligence Researchers were able to confirm that the compromised loan documents were dumped from the website Loanwired(.)com . Loan Wired is a lending platform offering personal loans across India.

Database shared by the actor includes the following documents:

  1. KYC documents (PAN, Aadhar, customer photographs)
  2. Salary slip
  3. Bank statements
  4. Electricity bills
  5. Income tax return statement
  6. GST certificate

Information from Technical Analysis

The dumped database structure indicates that the threat actor gained server access to the website. Which allowed them to access customer records and documents. It is also highly likely that the actor may have established a persistent connection to exfiltrate more data.

Possible Attack Vectors

  1. Brute-forcing RDP may have allowed the threat actor to take over the server.
  2. Exploiting common vulnerabilities in VPN like unprotected endpoints, or web application vulnerabilities are some alternate ways by which the threat actor may have exfiltrated the data.


Since the leaked database contains sensitive information such as PII of customers:

  • Threat actors can leverage this data to carry out social engineering attacks, scams, and even identify theft.
  • The data can also be used for targeted attacks, causing financial loss to the company.


  • Use strong passwords
  • Enable multi-factor authentication for all online accounts
  • Don’t share OTPs with third-parties
  • Review online accounts and financial statements periodically
  • Regularly update apps and other software
1 Like