Unicredit employees database for sale on cyber-crime forums

On the late afternoon of 19/04/2020, a threat actor posted a new sale on a hacking and cyber-crime forum selling the database of UniCredit employees. UniCredit S.p.A. is an Italian banking and a global financial services company. It is present on 17 countries and has almost 100k employees worldwide.

While currently we are not aware how this potential data loss could have occurred, according to the actor post, in the leak there are information about thousand of employees, including emails, phone, encrypted password, last name and first name. We found the database being available on at least two cyber-crime and hacking related forum.

The nickname of the user selling it is c0c0linoz, as evidences reported below:

Data leaked is sold on the basis of a plan relating to the “rows” offered to the buyer . As showed, 150k rows is selled for 10k USD. According to the seller, it contains Unicredit data “from late 2018-2019“.

The seller has publicly referred to an email address for the purchase negotiations, that is c0c0linoz at protonmail.com

According to evidences acquired by others account linked to the seller, he/she claims to be from Romania, like reported in the following image:

By the first technical details retrieved, the database appears to be genuine and the potential result of a SQL Injection attack. Alternatively, it could be the result of extensive compromise of the victim network with the dump of the database directly from one of the internal servers. For now, however, we have no evidence regarding such scenarios that could endorse or deny these hypotheses.

By further investigating, we know c0c0linoz created new accounts on at least one cyber-crime related forum on 19/04/2020 specifically for this sale. Other related accounts on different forums suggest a much longer user history.

Finally, the seller has shown some partial data in order to confirm the authenticity of the data in his/her possession and says that he/she will post further sample data after 24-36h from the first post.



A temporal overlap compared to that reported by the seller (“from late 2018-2019“), could be represented by an incident that Unicredit suffered in the past. On 21 October 2018, indeed, Unicredit suffered a hacker attack that violated the data of customers participating in online banking services. In the immediacy of the incident, the largest Italian bank had promptly notified the violation of personal data, pursuant to art. 33 of the GDPR.

Once again, however, despite the coincidence about the times, there is no actual evidence that the recent data leak is the result of that same attack.