A threat actor operating under the handle hackboy is advertising the sale of 10,152,989 credit registration records allegedly extracted from KBank Vietnam (the Vietnamese operations of Thailand's Kasikornbank) in February 2026. The claim, surfaced on the open web on April 6, 2026 and reported by Dark Web Informer, describes direct access to a system identified as Kbank_Vietnam_Core. If confirmed, this represents one of the most comprehensive financial profile leaks ever recorded from the Vietnamese banking sector.

What Happened

On April 6, 2026 at approximately 12:08 UTC, a listing appeared advertising the sale of a dataset attributed to KBank Vietnam's core banking infrastructure. The threat actor hackboy claims the data was extracted in February 2026, meaning the exposure window may have been open for roughly six weeks before public disclosure. The source system is named in the listing as Kbank_Vietnam_Core, suggesting either direct database access, a compromised API endpoint, or insider-assisted exfiltration rather than a peripheral system compromise. The data is currently listed at a negotiated price on the open web rather than a dark web forum, a tactic increasingly used to maximize visibility and attract higher-value buyers. KBank Vietnam has not issued a public statement confirming or denying the breach as of publication.

What Was Taken

The dataset is described as covering both accepted and pending loan applications, a detail that increases its value considerably, since pending applications represent current, actively verified financial data. The per-record structure is exceptionally granular:

The combination of government-issued identity numbers, live salary data, employer details, and credit scores in a single dataset creates a near-complete financial dossier on each subject. This is not peripheral marketing data; it is the underwriting record.

Why It Matters

Vietnam's financial sector has undergone rapid digitization over the past decade, with consumer credit expanding significantly. KBank Vietnam serves a substantial urban professional demographic, meaning the exposed salary and employer data is likely current and high-fidelity. The CIC score inclusion is particularly significant: Vietnam's Credit Information Center is the centralized credit bureau used by all licensed lenders in the country. A scored record is a verified record: these are individuals whose identities have been cross-checked against national registries.

For regional threat analysts, this breach fits a pattern of Southeast Asian financial institutions being targeted at the core system layer rather than through customer-facing applications. The February extraction date and April listing date suggest the actor held the data for approximately 60 days before monetizing, consistent with actors who first attempt private sales or internal use before going public. The open-web listing format also signals the actor is not operating under the constraints of a ransomware group requiring negotiation infrastructure; this appears to be a straightforward data broker play.

At 10.1 million records covering a country of approximately 100 million people, this alleged breach touches roughly 10% of the Vietnamese population, weighted heavily toward the credit-active, salaried urban workforce.

The Attack Technique

The specific intrusion vector has not been publicly confirmed. However, several indicators in the listing point toward likely attack surface areas. The naming of Kbank_Vietnam_Core as the source system, rather than a CRM, data warehouse, or third-party processor, suggests the actor either had direct database credentials, exploited an authenticated internal API, or leveraged compromised administrative access. The inclusion of system metadata (export timestamps, profile classification fields) in the sample data is consistent with a structured export rather than scraping, which narrows the vector toward privileged access: SQL-level extraction, a misconfigured internal API endpoint, or an insider with export rights.

The February extraction date aligns with no known public vulnerability disclosure targeting Kasikornbank systems, which leaves three working hypotheses: a zero-day or unpatched internal vulnerability exploited quietly, a supply chain or third-party integration compromise, or social engineering against a privileged internal user. The breadth of fields exported, spanning identity, employment, credit, and relationship data from a single pull, suggests the actor had schema knowledge before the extraction, which is a hallmark of either insider involvement or extended pre-exfiltration reconnaissance.

What Organizations Should Do

Financial institutions and security teams operating in similar environments should treat this incident as a direct benchmark against their own controls:

  1. Audit privileged database and API access logs for bulk export activity. Exfiltration of 10M structured records leaves a footprint in query logs, API rate metrics, and network egress. If your SIEM does not alert on anomalous large-volume authenticated reads from core systems, build that rule now.

  2. Review data minimization in core banking APIs. Systems that return full salary, employer, and national ID fields in a single record response have an over-permissioned schema. Segment sensitive field access by role and enforce field-level access control at the API layer, not just the application layer.

  3. Implement behavioral baselines for administrative accounts. Insider-assisted exfiltration is difficult to detect with signature rules. Baseline normal export volumes for each privileged role and alert on deviations, particularly after-hours bulk reads or unusual join queries touching identity and financial tables simultaneously.

  4. Assess third-party integrations touching core systems. Credit bureau integrations, loan origination platforms, and KYC vendors often have broad read access to core tables. Map every external integration that touches identity or credit data and verify that access is scoped, logged, and audited.

  5. Run tabletop exercises for the 60-day dark period scenario. This breach sat undetected, or at least undisclosed, for roughly two months. Organizations should pressure-test whether their detection capabilities would surface a slow, authenticated exfiltration of this kind, and whether their incident response plan covers the disclosure obligations triggered by national ID and financial record exposure under Vietnam's Cybersecurity Law and the Personal Data Protection Decree.

  6. Notify affected populations if breach is confirmed. Ten million credit applicants whose CIC scores, national IDs, and employer data are now in circulation face elevated risk of identity fraud, synthetic identity attacks, and targeted phishing. Early, direct notification with concrete guidance on credit freeze options and identity monitoring materially reduces downstream harm.
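
Recommendations 1 and 3 above, sketched as detection logic over database audit records (an added example, not code from the original article or from any institution it names). The table names, accounts, roles, record layout and thresholds are assumptions, and the audit records are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Table names, accounts, roles and thresholds are assumptions.
IDENTITY, FINANCIAL = {"customer_identity"}, {"credit_score", "loan_application"}
BUSINESS_HOURS = range(8, 18)  # local hours treated as normal working time
HISTORY = [  # (timestamp, account, role, rows_returned, tables_read)
    ("2026-01-12T09:14:00", "officer_a", "loan_officer", 40, {"loan_application"}),
    ("2026-01-12T11:02:00", "officer_b", "loan_officer", 55, {"loan_application"}),
    ("2026-01-13T14:30:00", "officer_a", "loan_officer", 38, {"credit_score"}),
    ("2026-01-12T10:00:00", "dba_x", "dba", 1200, {"batch_job_log"}),
    ("2026-01-13T10:00:00", "dba_y", "dba", 900, {"batch_job_log"}),
    ("2026-01-14T10:00:00", "dba_x", "dba", 1500, {"loan_application"}),
]
NEW_EVENTS = [
    ("2026-02-14T10:05:00", "officer_a", "loan_officer", 52, {"loan_application", "customer_identity"}),
    ("2026-02-14T23:30:00", "dba_y", "dba", 1100, {"batch_job_log"}),
    ("2026-02-14T02:41:00", "dba_x", "dba", 250000, {"customer_identity", "credit_score", "employment"}),
]

def build_baseline(events):
    """Per-role (median, MAD) of rows returned per read."""
    by_role = defaultdict(list)
    for _, _, role, rows, _ in events:
        by_role[role].append(rows)
    baseline = {}
    for role, vals in by_role.items():
        med = statistics.median(vals)
        # Median absolute deviation is robust to outliers; "or 1" avoids a zero spread.
        baseline[role] = (med, statistics.median([abs(v - med) for v in vals]) or 1)
    return baseline

def reasons_for(event, baseline, k=10):
    ts, _, role, rows, tables = event
    med, mad = baseline.get(role, (0, 1))  # unknown role: any sizeable read deviates
    reasons = []
    if rows > med + k * mad:
        reasons.append("volume")
    if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
        reasons.append("after_hours")
    if tables & IDENTITY and tables & FINANCIAL:
        reasons.append("identity_financial_join")
    return reasons

def detect(history, new_events, min_reasons=2):
    baseline = build_baseline(history)
    scored = [(e[1], e[3], reasons_for(e, baseline)) for e in new_events]
    return [s for s in scored if len(s[2]) >= min_reasons]  # require coinciding signals
```

Requiring two coinciding signals keeps a loan officer's routine identity-plus-credit lookup and a DBA's late but ordinary-sized read below the alert line, while the after-hours bulk read across identity and credit tables trips all three.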

Sources: Alleged Breach of KBank Vietnam Exposes 10.1 Million Credit Registration Records With National IDs, Salaries, Credit Scores, and Employer Details