Bank passwords of 31,000 Australians traded online by cybercriminals
The bank passwords of 31,000 Australians are being traded online, it’s been revealed. See how you can track if you have been affected and what you can do to stay cyber safe.
The stolen passwords of more than 31,000 Australian banking customers are being shared among criminals online, it’s been revealed.
An investigation by Australian cybersecurity company Dvuln found the credentials of at least 14,000 CommBank customers, 7,000 ANZ, 5,000 NAB and 4,000 Westpac customers can be obtained on the messaging platform Telegram and on the dark web.
Dvuln founder Jamie O’Reilly said the passwords were stolen directly from users’ personal devices after those devices had been infected with a type of malware known as an “infostealer”.
“This is not a vulnerability in the banks,” Dvuln’s founder Jamie O’Reilly told the ABC.
“These are customer devices that have been infected.”
Mr O’Reilly said some of the 31,000 devices were infected as far back as 2021, but the data taken from them would still be valuable to attackers.
The company launched an investigation into the extent of the infostealer problem in Australia after superannuation funds were targeted in early April.
“We’ve seen a tight correlation between the use of infostealer malware and using those passwords to conduct these types of attacks,” Mr O’Reilly said.
Other experts have warned that compromised passwords pose a real risk of theft for account holders.
“Threat actors can use the bank account to link to some kind of payment system, to transfer funds, or for money laundering,” Hudson Rock specialist Leonid Rozenberg told the ABC.
He also said the threat of theft stretched beyond bank accounts.
“We see that the average [infostealer] victim has between 200 [and] 300 account [details] stored inside the browser,” Mr Rozenberg said.
“It can be a PayPal account … it can be [an] account that is used [to] transfer money between different countries … it can be, for example, [an] e-commerce account that already has [a] credit card linked.”
Mr O’Reilly said the number of notable theft and fraud cases publicly linked to infostealers in Australia has been low, but that doesn’t mean it isn’t happening.
“There may be a large number of fraud attacks happening against individuals and businesses … but there’s been no public attribution because it’s very difficult to trace back to a specific malware infection,” he told the ABC.
“A lot of this crime, on an individual level, goes unreported.”
Mr O’Reilly said free online tools, such as Hudson Rock’s cybercrime intelligence tools, let users enter their usernames or email addresses to check whether those appear in similar data sets, but he cautioned that they are not 100 per cent accurate.
“Just because a user’s credential is not in these tools doesn’t mean they are not infected,” Mr O’Reilly said.
“The best measure is a layered one. It’s not about panicking, more about a refreshing wake-up call that you need to stay vigilant and practice good cyber hygiene.”
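As an added example (not code from Dvuln, Hudson Rock or the article), the Python below shows the kind of triage a responder does with data like this: it parses stealer-log entries in the plain-text URL/USER/PASS block layout that common stealer families write for browser-saved credentials, attributes each entry to a bank by its login hostname, counts distinct exposed accounts per bank rather than raw lines, and flags password reuse across sites in the same dump. The log entries, device identifiers and the bank domain list are constructed assumptions for illustration, not real data.

```python
"""Triage of infostealer log entries: map leaked credentials to the banks they belong to.

Added example, not code from Dvuln, Hudson Rock or the article. The log format mimics
the plain-text "passwords.txt" layout (URL/USER/PASS blocks) common stealer families
dump; the sample entries and the bank domain list are constructed assumptions.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed login hostnames per bank (illustrative, not an authoritative list).
BANK_DOMAINS = {
    "CommBank": ("commbank.com.au",),
    "ANZ": ("anz.com", "anz.com.au"),
    "NAB": ("nab.com.au",),
    "Westpac": ("westpac.com.au",),
}

# Constructed sample: three stealer logs (one per infected device, id suffixed with the
# infection date), each a sequence of URL/USER/PASS blocks separated by blank lines.
SAMPLE_LOGS = {
    "device-A_2021-11-03": """\
URL: https://www.my.commbank.com.au/netbank/Logon/Logon.aspx
USER: alice@example.com
PASS: hunter2

URL: https://www.paypal.com/signin
USER: alice@example.com
PASS: hunter2
""",
    "device-B_2024-06-18": """\
URL: https://ib.nab.com.au/nabib/index.jsp
USER: 0412345678
PASS: P@ssw0rd!

URL: https://banking.westpac.com.au/wbc/banking/handler
USER: bob
PASS: summer2024
""",
    "device-C_2025-03-30": """\
URL: https://www.my.commbank.com.au/netbank/Logon/Logon.aspx
USER: alice@example.com
PASS: hunter2-new
""",
}


def parse_stealer_log(text):
    """Yield (url, user, password) from URL/USER/PASS blocks; incomplete blocks are skipped."""
    record = {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last block
        line = line.strip()
        if not line:
            if all(k in record for k in ("URL", "USER", "PASS")):
                yield record["URL"], record["USER"], record["PASS"]
            record = {}
            continue
        key, sep, value = line.partition(":")  # first ":" only, so URLs stay intact
        if sep:
            record[key.strip().upper()] = value.strip()


def bank_for_url(url):
    """Return the bank whose domain the URL's host belongs to, else None."""
    host = (urlparse(url).hostname or "").lower()
    for bank, domains in BANK_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return bank
    return None


def triage(logs):
    """Return {bank: {username: sorted device ids}} across all dumps.

    Keying on username rather than raw lines avoids double-counting one victim who
    appears in several dumps (a re-sold log, or a device re-infected years later).
    """
    exposure = defaultdict(lambda: defaultdict(set))
    for device, text in logs.items():
        for url, user, _password in parse_stealer_log(text):
            bank = bank_for_url(url)
            if bank:
                exposure[bank][user.lower()].add(device)
    return {b: {u: sorted(d) for u, d in users.items()} for b, users in exposure.items()}


def exposed_accounts_per_bank(logs):
    """Distinct exposed usernames per bank, the per-bank figure an investigation reports."""
    return {bank: len(users) for bank, users in triage(logs).items()}


def reused_passwords(logs):
    """Usernames whose same password is saved for more than one host in one dump.

    Reuse is what turns one infected device into a takeover of every linked account.
    """
    flagged = set()
    for text in logs.values():
        seen = defaultdict(set)  # (user, password) -> hosts it is saved for
        for url, user, password in parse_stealer_log(text):
            seen[(user.lower(), password)].add(urlparse(url).hostname)
        flagged.update(u for (u, _p), hosts in seen.items() if len(hosts) > 1)
    return flagged


if __name__ == "__main__":
    for bank, count in sorted(exposed_accounts_per_bank(SAMPLE_LOGS).items()):
        print(f"{bank}: {count} distinct account(s) exposed")
    print("password reuse across sites:", sorted(reused_passwords(SAMPLE_LOGS)))
```

Two points the article makes fall out of the output: the same CommBank user appears in a 2021 dump and again in a 2025 one, so an old infection still yields current data, and the reuse flag on that user is exactly why a single stolen browser profile endangers PayPal and e-commerce accounts as well as the bank login. A lookup tool built on feeds like this can only report what has been collected and indexed, which is why an absent result is not evidence that a device is clean.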
Originally published as Bank passwords of 31,000 Australians traded online by cybercriminals