Reported by
One of the main banks in the Indian Ocean island nation of the Seychelles is being targeted in an apparent extortion attempt, with a hacker posting that they have stolen client data for sale on the dark web.
Resecurity, a Los Angeles-based cybersecurity company investigating the cyberattack against Seychelles Commercial Bank (SCB), managed to obtain a sample of the data and shared it with OCCRP.Â
The dataset includes SCB client names, addresses, and dates of birth, as well as account types and balances — some exceeding several million. The accounts themselves do not appear to have been breached.Â
OCCRP saw a photo of a printed statement apparently released by SCB, which said that “no funds have been accessed.” The statement was also reported by a newspaper in the Seychelles.
However, SCB failed to respond to repeated requests for comment, and OCCRP could not verify that the statement was genuine.
Resecurity told OCCRP that the bank did make an announcement about the data breach — after the person flogging the data on the dark web reached out directly to clients.
“The actor contacted several customers as a method of pressing the bank to initiate negotiations,” Resecurity said in an email. “To our knowledge, the bank was not able to negotiate successfully with the actor (yet).”
The statement containing SCB’s logo and contact information, which is dated July 11, says internet banking services were “temporarily suspended” in order to contain the incident.Â
An announcement on the bank’s website, accessed by reporters on July 16, does not refer to a cybersecurity incident, but says: “Due to technical issues, our internet banking platform is currently not accessible.”
SCB is one of seven commercial financial institutions listed by the Central Bank of Seychelles. The country — comprising 121,355 people on 115 islands — has long been considered a tax haven and money laundering jurisdiction. However, authorities have taken steps in recent years to clean up its reputation.
The European Union last year removed the Seychelles from its “list of non-cooperative jurisdictions for tax purposes.” In a June 27 statement, the Central Bank noted that money laundering remains a risk, but said “a number of initiatives are ongoing... to address deficiencies.”
Alongside information about SCB's corporate and individuals clients, the dataset offered on the dark web and obtained by Resecurity refers to "current accounts — government."
The Seychelles Police and Central Bank did not respond to requests for comment before publication.
