Cybercriminals claiming affiliation with the ShinyHunters gang say they have exfiltrated and are selling more than 160 million records of sensitive financial data from Vietnam’s National Credit Information Center (CIC). Vietnam’s central bank confirmed an intrusion at the institution and ordered CIC to cooperate with investigators as authorities open a probe.
Criminal Post Describes Broad Financial and Identity Data for Sale
On an illicit forum, the threat actors posted a listing for a large dataset and described its contents as highly sensitive. The criminals wrote that the haul includes personal identifiable information, credit payment histories, risk analysis, encrypted credit card data, government and military IDs, tax IDs, income statements, debts, and more. The post set a negotiable price of $175,000 for the data and claimed the buyer must perform their own deciphering of the FDE algorithm for some encrypted card fields.
The posting states in part:
“This data contains very sensitive information, including general PII, credit payment, risk analysis, credit cards (require your own deciphering of the FDE algorithm), military IDs, government IDs, tax IDs, income statements, debts owed, and more.”
Central Bank Confirms Breach and Orders Cooperation
Vietnam’s State Bank publicly confirmed the breach at CIC and directed the credit bureau to work with law enforcement and regulatory authorities on an investigation. The central bank also emphasized that CIC and other licensed providers do not collect raw transaction histories, card CVV codes, account balances, or full debit and credit card numbers, noting limitations in what data is stored at the national credit center.
CIC is a government-owned, centralized credit information repository that plays a central role in Vietnam’s financial system, which investigators say increased its attractiveness as a target.
ReSecurity Acquired Samples and Verified Recent Records
Cybersecurity firm ReSecurity engaged directly with the criminal seller posing as a potential purchaser and acquired sample records. The research team reported the samples included timestamps from 2025, with the most recent entries dated February 2025. ReSecurity also confirmed references in the files to major Vietnamese financial institutions such as VietCredit, MB Bank, Ocean Bank, VPBank, Sacombank, and Agribank.
In its report, ReSecurity said it contacted victims. “ReSecurity has reached out to over 100 victims randomly selected from the acquired data set for comments via email. While the data was confirmed to be authentic, its source remains unclear,” the firm wrote. Local media coverage and industry sources say none of the sampled victims had received notifications about their data being exposed at the time of outreach.
Types of Data Appearing In the Samples
According to the samples and the criminal post, the stolen records reportedly include:
- Full names and detailed personally identifiable information (dates of birth, emails, phone numbers)
- Credit payment histories and balance records with recent updates
- Income statements, debt listings, contact and employment details, and some banking information
- Encrypted credit card information and references to card data requiring decryption
- Military, government, and tax identification numbers
- Risk assessment and credit scoring data
ReSecurity and other researchers flagged the presence of risk analysis and credit scores as particularly sensitive because that data can affect lending decisions and financial reputations.
Scale Disproportionate to Population Suggests Historical or Multiple Records
The advertised dataset totals 160 million records in a country with an estimated population near 102 million, suggesting the export could contain historical entries, multiple records per person, or repeated data from multiple reporting institutions. The criminal post further claimed the full dataset exceeds 2.6 billion lines across many categories, an assertion that underscores the potential size and complexity of the breach if confirmed.
Attack Vector And Lack of Extortion
ReSecurity reported that the criminals said they exploited a known, unpatched vulnerability in end-of-life software used by CIC. According to the researchers, the attackers did not attempt to extort CIC or the Vietnamese government, stating an extortion attempt was unlikely to succeed. Instead, the group opted to list the data openly for sale on underground markets.
Breach Raises National and Criminal Concerns
Security experts describe breaches of national credit bureaus as among the worst-case scenarios because a single, centralized repository can contain identifiers and financial markers that affect a very large portion of the population. “Breaching it exposed a single point of failure affecting nearly the entire population,” ReSecurity wrote in its findings.
Researchers warn the stolen data has immediate criminal value on underground markets. On the dark web, individual credit profiles and government IDs can be monetized for fraud, identity theft, and account takeover. The post-sale uses range from targeted phishing and social engineering to financial fraud and possible nation-state interest for intelligence and surveillance.
Authorities Urge Caution and Strict Legal Penalties Announced
Vietnamese authorities have urged citizens and organizations not to download, share, or otherwise exploit the leaked data. The central bank warned institutions that unauthorized collection, processing, use, or distribution of credit information will be subject to strict penalties under Vietnamese law and that violators will face fines and prosecution.
Officials continue to investigate, and CIC has been ordered to cooperate fully with the central bank and law enforcement as the inquiry proceeds.
ShinyHunters is a well-known cybercriminal group with a history of high-profile data thefts. Recently the gang was reported to operate as part of an ad-hoc conglomerate with other groups, but that coalition appears to have ceased public activity even as marketplace listings and remnants of their operations remain active.
