In July 2025, a threat actor posted a dataset containing 690,000 Saudi bank account records for sale on a Chinese-language cybercrime forum.
The listing included full account holder names, International Bank Account Numbers (IBANs), and account balances, priced at just $420 USD. The threat actor described the acquisition method as "self-infiltration" - indicating direct unauthorized access to the banking institution's systems.
KEY FACTS
- What: 690,000 Saudi bank records sold on a Chinese-language forum for $420.
- Who: Saudi bank account holders across an unidentified institution.
- Data Exposed: Full names, IBANs, and account balances.
- Outcome: Dual regulatory exposure under PDPL and SAMA framework.
WHAT HAPPENED
In July 2025, a threat actor posted a listing on a Chinese-language cybercrime forum offering 690,000 Saudi bank account records for sale at $420 USD. The listing included sample records demonstrating the dataset's contents: full account holder names, International Bank Account Numbers (IBANs), and current account balances.
The threat actor described the acquisition method as "self-infiltration," a term used in Chinese-language cybercrime forums to indicate direct unauthorized access to the target institution's systems rather than acquisition through a third-party broker or data aggregator.
The identity of the compromised banking institution has not been publicly confirmed.
The threat actor did not name the bank in the listing, though the uniform formatting and consistent data structure across all 690,000 records indicate a single institutional source rather than an aggregation from multiple banks.
The inclusion of current account balances - real-time financial data that changes daily - suggests the access was recent and that the attacker had query-level access to the bank's core banking system or a closely connected reporting database.
The $420 price for 690,000 banking records is extraordinarily low - less than $0.001 per record.
This pricing model is consistent with two scenarios: a volume-based sales strategy designed to maximize buyer count and distribution speed, or an actor prioritizing rapid monetization over maximizing revenue per record.
In either case, the low price ensures broad distribution, meaning the data is likely in the hands of multiple buyers who will use it for targeted social engineering, account takeover attempts, and financial fraud directed at high-balance account holders.
WHAT WAS EXPOSED
- Full names of 690,000 bank account holders.
- IBANs providing complete routing information.
- Account balances revealing financial standing - enabling targeted social engineering against high-value accounts.
The extraordinarily low price suggests either a volume-based sales strategy or an actor seeking rapid monetization.
ZERO|TOLERANCE Advisory
A dataset of 690,000 Saudi bank account records - names, IBANs, and account balances - sold for $420 on a Chinese-language cybercrime forum. The price per record was less than a tenth of a cent.
The threat actor's description of "self-infiltration" indicates direct unauthorized access to the banking institution's systems, not a credential dump or third-party aggregation.
The account balances are the most dangerous element: they allow threat actors to prioritize targets by financial value, directing social engineering campaigns at high-balance account holders whose losses will be largest.
Every control below addresses a specific failure in the chain from initial access to bulk data extraction.
The threat actor gained query-level access to a database containing account holder names, IBANs, and real-time balances.
This indicates either compromised database credentials, exploitation of a web application vulnerability providing SQL injection access, or compromise of an internal system with direct database connectivity.
Privileged Access Management (PAM) solutions from CyberArk, BeyondTrust, or Delinea must govern all access to core banking databases.
PAM enforces just-in-time access provisioning, session recording, automatic credential rotation, and multi-factor authentication for every database session. No standing database credentials should exist.
The difference between PAM-governed access and static database credentials is the difference between an attacker who must compromise a vault, bypass MFA, and trigger session recording alerts versus an attacker who uses a harvested username and password to query 690,000 records without generating a single alert.
Account balances are among the most sensitive data elements in any banking system. They should be encrypted at the field level using AES-256 with keys managed by a Hardware Security Module (HSM) physically separated from the database infrastructure.
Field-level encryption - available through Oracle Transparent Data Encryption, Microsoft SQL Server Always Encrypted, or application-layer encryption - ensures that even if an attacker exfiltrates the raw database, the balance column contains encrypted ciphertext that is computationally infeasible to decrypt without the HSM-managed key.
The attacker would have obtained names and IBANs but not the account balances that make this dataset valuable for targeted fraud.
IBANs themselves should be tokenized in any system that does not require the full IBAN for transaction processing, replacing the real account number with a non-reversible token that is useless outside the tokenization system.
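The field-level encryption and tokenization described above, as an added Go example that is not part of this advisory or of any named product. It uses only the Go standard library: AES-256-GCM for the balance column and a keyed HMAC-SHA256 token in place of the IBAN. In-memory keys stand in for HSM-managed ones, sampleIBAN is a constructed value in the Saudi layout that belongs to no real account, and the names protectRecord, tokenizeIBAN, encryptBalance and decryptBalance are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// sampleIBAN is a constructed value in the Saudi IBAN layout (SA + 2 check digits +
// 20-character BBAN); it belongs to no real account.
const sampleIBAN = "SA09 1000 0000 0000 0001 2345"

// normalizeIBAN strips spaces and upper-cases so tokens are stable across input formats.
func normalizeIBAN(iban string) string { return strings.ToUpper(strings.ReplaceAll(iban, " ", "")) }

// tokenizeIBAN returns a keyed HMAC-SHA256 token: deterministic, so systems can still
// join on it, but not reversible without the key, which stays in the tokenization service.
func tokenizeIBAN(tokenKey []byte, iban string) string {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(normalizeIBAN(iban)))
	return fmt.Sprintf("tok_%x", mac.Sum(nil)[:16])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptBalance seals a balance in minor units with AES-256-GCM. The row's IBAN token
// is bound in as additional authenticated data, so a ciphertext copied onto another
// row will not decrypt. Output layout: nonce || ciphertext || tag.
func encryptBalance(key, aad []byte, balanceMinor int64) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := make([]byte, 8)
	binary.BigEndian.PutUint64(plain, uint64(balanceMinor))
	return gcm.Seal(nonce, nonce, plain, aad), nil
}

// decryptBalance reverses encryptBalance; it needs both the key and the same AAD.
func decryptBalance(key, aad, blob []byte) (int64, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	if len(blob) < gcm.NonceSize()+8 {
		return 0, fmt.Errorf("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
	if err != nil {
		return 0, err // wrong key, wrong row token or tampered ciphertext
	}
	return int64(binary.BigEndian.Uint64(plain)), nil
}

// StoredRecord is the row the database actually holds: plaintext name, IBAN token,
// encrypted balance. A dump of this table yields neither IBANs nor balances.
type StoredRecord struct {
	Name, IBANToken string
	BalanceEnc      []byte
}

func protectRecord(encKey, tokenKey []byte, name, iban string, balanceMinor int64) (StoredRecord, error) {
	tok := tokenizeIBAN(tokenKey, iban)
	enc, err := encryptBalance(encKey, []byte(tok), balanceMinor)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Name: name, IBANToken: tok, BalanceEnc: enc}, nil
}

func main() {
	encKey, tokenKey := make([]byte, 32), make([]byte, 32) // stand-ins for HSM-managed keys
	rand.Read(encKey) // crypto/rand only fails on a broken OS RNG
	rand.Read(tokenKey)
	rec, err := protectRecord(encKey, tokenKey, "Sample Holder", sampleIBAN, 1_234_500)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: name=%q iban=%s balance=%x\n", rec.Name, rec.IBANToken, rec.BalanceEnc)
}
```

Two design points matter here. Binding the IBAN token into the GCM additional data means an attacker who can write to the table cannot move a ciphertext from a low-balance row to a high-balance row and have it decrypt; and a fresh nonce per value means two accounts with the same balance produce different ciphertexts, so the column leaks no equality information. Systems that only need to match accounts (fraud scoring, reporting joins) work on the deterministic token and never see the IBAN.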
The extraction of 690,000 records from a core banking system should have triggered immediate automated detection and response.
Database Activity Monitoring (DAM) solutions from Imperva or IBM Guardium monitor all SQL queries in real time and alert on bulk data extraction patterns.
A query returning 690,000 account records is not a normal banking operation - it is, by definition, an anomaly that should trigger automatic session termination and security operations center escalation.
SAMA's Cyber Security Framework requires Saudi financial institutions to implement continuous monitoring and anomaly detection.
The absence of detection on a 690,000-record extraction indicates either that DAM was not deployed, was not configured to alert on bulk queries, or was not monitored by a staffed security operations center.
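The bulk-extraction detection described above, as an added Go example that is not from this advisory or from any DAM product. It replays constructed audit lines in a made-up key=value format and raises three kinds of alert on tables holding the data elements named in the listing: a single query returning more rows than a threshold, a SELECT on a sensitive table with no WHERE clause, and cumulative rows per session inside a sliding window, which also catches an extraction split into many moderate queries. The thresholds, table names, user names and log format are all assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// auditLines are constructed samples in a made-up key=value audit format (no product's real format).
var auditLines = []string{
	`2025-07-14T09:12:03Z session=s1 user=teller_app rows=1 sql="SELECT balance FROM accounts WHERE iban_token = $1"`,
	`2025-07-14T02:41:17Z session=s2 user=report_svc rows=690000 sql="SELECT name, iban, balance FROM accounts"`,
	`2025-07-14T03:05:44Z session=s3 user=report_svc rows=4800 sql="SELECT name, iban, balance FROM accounts WHERE branch = 'RUH01'"`,
	`2025-07-14T03:06:02Z session=s3 user=report_svc rows=5200 sql="SELECT name, iban, balance FROM accounts WHERE branch = 'JED02'"`,
	`2025-07-14T03:06:30Z session=s3 user=report_svc rows=5100 sql="SELECT name, iban, balance FROM accounts WHERE branch = 'DMM03'"`,
	`2025-07-14T10:00:00Z session=s4 user=batch rows=200000 sql="SELECT id, status FROM transactions WHERE posted = false"`,
}

type queryEvent struct {
	At                 time.Time
	Session, User, SQL string
	Rows               int
}

type Alert struct{ Session, Rule, Detail string }

// Illustrative thresholds; a real deployment tunes them per application role.
const (
	maxRowsPerQuery  = 10_000 // a single query returning more than this from a sensitive table
	maxRowsPerWindow = 10_000 // cumulative rows per session inside `window`
	window           = 10 * time.Minute
)

var (
	lineRe          = regexp.MustCompile(`^(\S+) session=(\S+) user=(\S+) rows=(\d+) sql="(.*)"$`)
	tableRe         = regexp.MustCompile(`(?i)\bFROM\s+([A-Za-z_]+)`)
	whereRe         = regexp.MustCompile(`(?i)\bWHERE\b`)
	sensitiveTables = map[string]bool{"accounts": true, "customers": true} // hold names, IBANs, balances
)

func parseLine(line string) (queryEvent, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return queryEvent{}, fmt.Errorf("unparseable audit line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return queryEvent{}, err
	}
	rows, _ := strconv.Atoi(m[4]) // digits guaranteed by the regexp
	return queryEvent{At: at, Session: m[2], User: m[3], SQL: m[5], Rows: rows}, nil
}

// evaluate replays audit lines (assumed time-ordered within each session) and returns
// at most one alert per session and rule.
func evaluate(lines []string) ([]Alert, error) {
	var alerts []Alert
	fired := map[string]bool{}
	history := map[string][]queryEvent{}
	raise := func(ev queryEvent, rule, detail string) {
		if key := ev.Session + ":" + rule; !fired[key] {
			fired[key] = true
			alerts = append(alerts, Alert{Session: ev.Session, Rule: rule, Detail: detail})
		}
	}
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		m := tableRe.FindStringSubmatch(ev.SQL)
		if m == nil || !sensitiveTables[strings.ToLower(m[1])] {
			continue // not a sensitive table: outside the scope of these rules
		}
		table := strings.ToLower(m[1])
		if ev.Rows > maxRowsPerQuery {
			raise(ev, "bulk-extraction", fmt.Sprintf("%s returned %d rows from %s in one query", ev.User, ev.Rows, table))
		}
		if !whereRe.MatchString(ev.SQL) {
			raise(ev, "unbounded-select", fmt.Sprintf("%s selected from %s with no WHERE clause", ev.User, table))
		}
		// Sliding window per session: catches extraction split into many moderate queries.
		h := append(history[ev.Session], ev)
		kept, total := h[:0], 0
		for _, past := range h {
			if ev.At.Sub(past.At) <= window {
				kept = append(kept, past)
				total += past.Rows
			}
		}
		history[ev.Session] = kept
		if total > maxRowsPerWindow {
			raise(ev, "cumulative-extraction", fmt.Sprintf("%s pulled %d rows from %s in %d queries within %s", ev.User, total, table, len(kept), window))
		}
	}
	return alerts, nil
}
```

Calling evaluate(auditLines) on the constructed lines alerts on session s2 (one 690,000-row unbounded SELECT) and on session s3 (three branch-scoped queries that together exceed the window threshold in under a minute), while the teller lookup in s1 and the non-sensitive batch job in s4 stay quiet. In a deployment the alert handler is where the session termination and SOC escalation the advisory calls for would be wired in; the rules themselves are deliberately simple so that the thresholds, not the logic, are what gets tuned.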
The listing appeared on a Chinese-language cybercrime forum, broadening the buyer pool beyond the Arabic and Russian-speaking ecosystems that typically monetize Gulf financial data.
The 690,000 affected account holders face immediate risk of social engineering attacks - phone calls and messages impersonating bank staff, referencing the victim's actual balance to establish credibility, and directing them to fraudulent transfer or credential capture pages.
The compromised institution must notify all affected account holders, implement enhanced transaction monitoring for the exposed accounts, and deploy anti-fraud controls that flag unusual transfer patterns from accounts in the exposed dataset.
SAMA's requirement for breach reporting under the Cyber Security Framework and the PDPL's notification obligations under Article 19 both mandate disclosure.
The absence of any public acknowledgment from a Saudi banking institution regarding 690,000 compromised accounts suggests that regulatory notification requirements may not have been met.
SOURCES
Chinese-Language Forum Listing, Saudi PDPL, SAMA Regulatory Framework