{ "id": "d6c18e9c-b77b-4f98-9a1f-193ff920b697", "created_at": "2026-04-06T00:19:53.719345Z", "updated_at": "2026-04-10T03:36:01.427142Z", "deleted_at": null, "sha1_hash": "243d5be29b31c99ed377da100c9e79ec055a809b", "title": "Hackers threaten to leak a copy of the World-Check database used to assess potential risks associated with entities", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1110101, "plain_text": "Hackers threaten to leak a copy of the World-Check database used\r\nto assess potential risks associated with entities\r\nBy Pierluigi Paganini\r\nPublished: 2024-04-22 · Archived: 2026-04-05 15:55:34 UTC\r\nA financially motivated group named GhostR claims the theft of a sensitive\r\ndatabase from World-Check and threatens to publish it.\r\nWorld-Check is a global database utilized by various organizations, including financial institutions, regulatory\r\nbodies, and law enforcement agencies, for assessing potential risks associated with individuals and entities. It\r\ncompiles information from diverse sources like public records, regulatory filings, and proprietary databases to\r\ncreate profiles of entities susceptible to financial crime, terrorism, or corruption. World-Check aids organizations\r\nin conducting due diligence and adhering to regulatory standards concerning anti-money laundering (AML) and\r\ncounter-terrorism financing (CTF).\r\nWorld-Check is currently owned by LSEG (London Stock Exchange Group).\r\nhttps://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html\r\nPage 1 of 2\n\nA financially motivated threat actor, called GhostR, announced the theft of a confidential database containing 5.3\r\nmillion records from the World-Check.\r\nThe threat actor said that he stole the database in March and threatened to publish the data online.\r\nThe hackers told TechCrunch that they stole the database from a Singapore-based company that has access to the\r\nsensitive database, however, they did not name the victim organization.\r\nThe threat actors shared a portion of the stolen data with TechCrunch as proof of the hack, it includes records on\r\ncurrent and former government officials, diplomats, and politically exposed people. The list also includes\r\ncriminals, suspected terrorists, intelligence operatives and a European spyware firm.\r\nCompromised data vary by individuals and organizations, it includes names, passport numbers, Social Security\r\nnumbers, online crypto account identifiers and bank account numbers, and more.\r\nWorld-Check had different owners across the years, it was originally founded as an independent company.\r\nCuriously, in 2011, Thomson Reuters acquired World-Check, then in October 2018, Thomson Reuters closed a\r\ndeal with The Blackstone Group. As a result of this merger, World-Check became part of the new\r\ncompany, Refinitiv. LSEG acquired Refinitiv is 2021.\r\nThe disclosure of data in the archive poses a threat to the individuals whose data it contains. This is sensitive\r\ninformation that could lead to discrimination, persecution, or otherwise cause harm to individuals by violating\r\ntheir privacy and exposing them to various types of cyberattacks.\r\nThe database was criticized because it includes names of people and organizations that are mistakenly considered\r\nterrorists.\r\nIn June 2016, security researcher Chris Vickery found a copy of the World-Check database dated 2014 that was\r\naccidentally exposed online.\r\nIn August 2015, journalists from BBC’s Radio 4 gained 30 minutes of access thanks to the support of a\r\ndisgruntled customer and demonstrated that the designations in the archive were inaccurate.\r\nThe Vice News also gained access to the World-Check archive in February 2016 arriving at the same conclusion\r\nafter it analyzed some profiles in the database\r\nPierluigi Paganini\r\nFollow me on Twitter: @securityaffairs and Facebook and Mastodon\r\n(SecurityAffairs – hacking, GhostR)\r\nSource: https://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html\r\nhttps://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "https://securityaffairs.com/162136/cyber-crime/hackers-threaten-leak-world-check.html" ], "report_names": [ "hackers-threaten-leak-world-check.html" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "6e8effad-d9fb-4b49-bba4-9b4e5953356d", "created_at": "2024-04-23T02:00:04.243074Z", "updated_at": "2026-04-10T02:00:03.630533Z", "deleted_at": null, "main_name": "GhostR", "aliases": [], "source_name": "MISPGALAXY:GhostR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad", "created_at": "2022-10-25T16:07:24.444096Z", "updated_at": "2026-04-10T02:00:04.994412Z", "deleted_at": null, "main_name": "ALTDOS", "aliases": [ "0mid16B", "ALTDOS", "Desorden", "GHOSTR" ], "source_name": "ETDA:ALTDOS", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434793, "ts_updated_at": 1775792161, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/243d5be29b31c99ed377da100c9e79ec055a809b.pdf", "text": "https://archive.orkl.eu/243d5be29b31c99ed377da100c9e79ec055a809b.txt", "img": "https://archive.orkl.eu/243d5be29b31c99ed377da100c9e79ec055a809b.jpg" } }