Over 31,000 Aussie bank logins stolen and sold—are yours on the list?
By Maan
Online threats often unfold quietly—until the damage is done.
A disturbing new discovery has shed light on just how easily cyber criminals can slip past everyday defences, leaving unsuspecting Australians exposed.
Behind the scenes, a rapidly growing issue is compromising personal data at an unprecedented scale—raising questions about whether traditional safeguards are enough.
A wave of stolen Australian banking credentials was circulating among cyber criminals online, with more than 31,000 sets of login details from customers of the Big Four banks found on the dark web and on social media platforms.
Cybersecurity experts warned that despite anti-fraud systems, affected customers could ‘definitely’ suffer financial losses.
An investigation by Australian cyber intelligence company Dvuln revealed that credentials from at least 14,000 Commonwealth Bank customers, 7,000 ANZ customers, 5,000 NAB customers and 4,000 Westpac customers had been exposed.
The credentials were being traded or shared freely among criminals, with many of them offered through subscription services or even given away to attract buyers for more private data.
Dvuln's founder, Jamie O’Reilly, said the breach was not due to flaws in bank systems but rather malware infections on individual users’ devices.
‘This is not a vulnerability in the banks,’ Mr O’Reilly said.
‘These are customer devices that have been infected.’
The malware in question, known as an infostealer, had been silently collecting personal data from compromised computers and delivering it directly to criminals.
These infostealers primarily targeted Windows systems and could gather not just passwords, but browser cookies, user history, credit card information, cryptocurrency wallets, and local files.
Dvuln began examining the scope of the problem in Australia after superannuation funds were targeted earlier in April.
‘We’ve seen a tight correlation between the use of infostealer malware and using those passwords to conduct these types of attacks,’ Mr O’Reilly said.
Mr O’Reilly added that although some infections dated back as far as 2021, the stolen data remained valuable to attackers.
‘As a day job, I work to hack some of the biggest companies in the world,’ he said.
‘We have been able to compromise even some ASX-listed companies, in a controlled scenario, with four- or five-year-old passwords.’
Leonid Rozenberg from cybersecurity firm Hudson Rock explained that a compromised bank account could be used for theft, money transfers or laundering.
‘Threat actors can use the bank account to link to some kind of payment system, to transfer funds, or for money laundering,’ Mr Rozenberg said.
He noted that infostealers presented a wider threat than just bank accounts.
‘We see that the average [infostealer] victim has between 200 [and] 300 account [details] stored inside the browser,’ he said.
‘It can be a PayPal account…it can be [an] account that is used [to] transfer money between different countries … it can be, for example, [an] e-commerce account that already has [a] credit card linked.’
Some of the stolen credentials were posted publicly, revealing access to sensitive accounts like those linked to superannuation providers.
Dvuln’s research showed that over 31,000 Australian devices had been infected by infostealers, and globally, Hudson Rock estimated there had been more than 31 million infections.
That was a stark jump from 135,000 infections reported in 2018.
The Australian Signals Directorate had dubbed this surge ‘the silent heist’, as many of these breaches went undetected or unreported.
‘There may be a large number of fraud attacks happening against individuals and businesses… but there’s been no public attribution because it’s very difficult to trace back to a specific malware infection,’ Mr O’Reilly said.
‘A lot of this crime, on an individual level, goes unreported.’
Mr O’Reilly monitored around 100 social media groups dedicated to trading stolen data, with some offering access to hundreds of thousands of new logs monthly for as little as $US400.
That converted to roughly $626 in Australian dollars and less than a cent per compromised device.
Higher-tier subscriptions, priced between $US3,000 and $US10,000, promised lifetime access to data leaks.
Some groups gave away thousands of credentials for free to attract more criminal buyers.
‘The criminals have so many passwords and so much data, that they actually give away thousands and thousands of credentials just to entice new criminal customers to come and buy the private information,’ Mr O’Reilly said.
While most infostealer infections still occurred on Windows devices, mobile phones were not entirely immune, although the scale of infection was significantly lower.
‘There is a growing number of mobile devices being infected with malware, but it’s nowhere near as much,’ he said.
Mr Rozenberg said that attackers focused on Windows because it remained the most commonly used operating system.
‘Still, today, in 2025, most of the people, they’re using Windows devices,’ he said.
‘So [attackers] mostly develop infostealers for Windows,’ he said.
Although password rotation and multi-factor authentication were helpful, Mr O’Reilly warned that malware could sometimes bypass MFA using stolen cookies or access tokens.
‘If you do have someone’s active access token, a lot of the time you can actually bypass their MFA,’ he said.
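An added example, not part of the original article and not code from Dvuln, Hudson Rock or any bank, showing the defender's side of the token point above: a service binds each session to a digest of the client context seen when MFA completed, and asks for re-authentication when the same cookie arrives from a different context. The key, field names, user agents and addresses are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

SERVER_KEY = b"constructed-demo-key"  # assumption: per-service secret, constructed here

def context_digest(user_agent: str, ip: str) -> str:
    """Keyed digest of coarse client context: user agent plus IPv4 /24 prefix."""
    prefix = ".".join(ip.split(".")[:3])
    return hmac.new(SERVER_KEY, f"{user_agent}|{prefix}".encode(), hashlib.sha256).hexdigest()

@dataclass
class Session:
    user: str
    bound_context: str  # digest stored when the user passed MFA

def check_request(session: Session, user_agent: str, ip: str) -> str:
    """'allow' if the request context matches the one bound at MFA time, else 'step_up'."""
    seen = context_digest(user_agent, ip)
    return "allow" if hmac.compare_digest(seen, session.bound_context) else "step_up"

def flag_replays(sessions: dict, requests: list) -> list:
    """Return (token, ip) for each request whose context differs from its session's."""
    flagged = []
    for token, user_agent, ip in requests:
        session = sessions.get(token)
        if session is None:
            continue  # unknown token: rejected elsewhere, not a replay signal
        if check_request(session, user_agent, ip) == "step_up":
            flagged.append((token, ip))
    return flagged

# Constructed sample: one session created after MFA, then three requests with its cookie.
UA_HOME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0"
UA_OTHER = "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"
SESSIONS = {"tok-A": Session("alice", context_digest(UA_HOME, "203.0.113.25"))}
REQUESTS = [
    ("tok-A", UA_HOME, "203.0.113.25"),   # same device
    ("tok-A", UA_HOME, "203.0.113.80"),   # same /24, e.g. an address change
    ("tok-A", UA_OTHER, "198.51.100.7"),  # same cookie, different device and network
]

if __name__ == "__main__":
    print(flag_replays(SESSIONS, REQUESTS))
```

Context binding of this kind is a heuristic that raises the cost of replaying a stolen cookie; it does not remove the infection on the device the cookie came from.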
‘It’s the equivalent of changing your locks while the burglars are still in your house,’ Mr O’Reilly said, referring to the limited benefit of changing passwords on an already-infected device.
He urged users to change passwords from a secure device and to keep all software—including antivirus programs—regularly updated.
‘Research does show that up to 50 per cent of devices infected with infostealer malware have antivirus,’ he said.
‘But what a lot of people don’t talk about is the fact that either the operating system or the antivirus itself isn’t kept up to date.’
He also advised separating personal or financial activity from shared computers, particularly family devices used by children.
‘One of the most common ways…[is] Minecraft mods or cracked software, which is software that you would typically have to pay license fees for,’ he said.
‘If you’ve got banking credentials or highly sensitive information on your computer, keep that separate from the computer your children are using,’ he said.
Mr O’Reilly said he hoped the findings would act as a wake-up call for Australians.
‘Nothing is 100 per cent unhackable, but there are definitely strategies that people can use at home to make it much harder for criminals to get their information in the first place,’ he said.
With so much stolen data circulating online, do you think enough is being done to protect everyday Aussies from cybercrime? Let us know your thoughts in the comments.
Key Takeaways
- Over 31,000 banking logins from Australia’s Big Four banks were found on the dark web and social media, mostly stolen through malware on user devices.
- Cyber experts warned malware called infostealers were harvesting not just bank details but cookies, crypto wallets, and browser histories, mainly from Windows systems.
- Stolen data was being sold or shared in social media groups, with some credentials given away to lure criminals into paying for more private information.
- Experts urged Australians to update antivirus software, avoid shared devices for banking, and change passwords from clean systems to prevent future breaches.