Indian Loan Documents Sold Over Cybercrime Forum

Published 18 May 2021

  • CloudSEK discovered a post advertising loan documents belonging to Indian citizens
  • These documents include KYC documents, salary slips, bank statements, etc.

Share this Threat Intel:

Adversary Intelligence
Affected Industries
Affected Region
SAARC, India

Executive Summary

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising loan documents belonging to Indian citizens. The CloudSEK Threat Intelligence Research team has validated the information in this post and has found that the compromised data belongs to Loan Wired, a fintech startup specializing in personal and business loans.


On 02 May 2021, a threat actor shared a post advertising a database of loan documents of Indian citizens. The actor, who joined the forum in June 2018, has been actively selling  databases and accesses of various companies across  Asia Pacific, Middle East and US region. Through the course of their time on the forum, the actor has garnered a good reputation on the forum.


Information from Source

The threat actor has shared a screenshot of multiple samples in their post, including Aadhar, bank statements of individuals, and files that are part of the leaked database. 

Indian Loan Post
Information from HUMINT

CloudSEK Threat Intelligence Researchers were able to confirm that the compromised loan documents were dumped from the website Loanwired(.)com. Loan Wired is a lending platform offering personal loans across India.

Database shared by the actor includes the following documents:

  1. KYC documents (PAN, Aadhar, customer photographs)
  2. Salary slip
  3. Bank statements
  4. Electricity bills
  5. Income tax return statement 
  6. GST certificate

Indian Loan Samples

Information from Technical Analysis

The dumped database structure indicates that the threat actor gained server access to the website. Which allowed them to access customer records and documents. It is also highly likely that the actor may have established a persistent connection to exfiltrate more data. 

Possible Attack Vectors

  1. Brute-forcing RDP may have allowed the threat actor to take over the server.
  2. Exploiting common vulnerabilities in VPN like unprotected endpoints, or web application vulnerabilities are some alternate ways by which the threat actor may have exfiltrated the data.    


Since the leaked database contains sensitive information such as PII of customers:

  • Threat actors can leverage this data to carry out social engineering attacks, scams, and even identify theft.
  • The data can also be used for targeted attacks, causing financial loss to the company.


  • Use strong passwords
  • Enable multi-factor authentication for all online accounts
  • Don’t share OTPs with third-parties
  • Review online accounts and financial statements periodically
  • Regularly update apps and other software

Be informed in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.

Join the Discussions

Discuss your way into our Community about these threats and stay Vigilant and informed.