{
	"id": "89e67de0-02a4-4fdb-bf84-002752e1eb7e",
	"created_at": "2026-04-06T00:09:47.669336Z",
	"updated_at": "2026-04-10T03:36:01.425938Z",
	"deleted_at": null,
	"sha1_hash": "b7fda565b8b778e94e1533ea100dc16174c9e9dd",
	"title": "Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist | TechCrunch",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49445,
	"plain_text": "Hackers are threatening to leak World-Check, a huge sanctions\r\nand financial crimes watchlist | TechCrunch\r\nBy Zack Whittaker\r\nPublished: 2024-04-18 · Archived: 2026-04-05 14:18:52 UTC\r\nA financially motivated criminal hacking group says it has stolen a confidential database containing millions of\r\nrecords that companies use for screening potential customers for links to sanctions and financial crime.\r\nThe hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening\r\ndatabase in March and are threatening to publish the data online.\r\nWorld-Check is a screening database used for “know your customer” checks (or KYC), allowing companies to\r\ndetermine if prospective customers are high risk or potential criminals, such as people with links to money\r\nlaundering or who are under government sanctions. The hackers told TechCrunch that they stole the data from a\r\nSingapore-based firm with access to the World-Check database, but did not name the firm.\r\nA portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned\r\nas recently as this year.\r\nSimon Henrick, a spokesperson for the London Stock Exchange Group, which maintains the database, told\r\nTechCrunch: “This was not a security breach of LSEG/our systems. The incident involves a third party’s data set,\r\nwhich includes a copy of the World-Check data file. This was illegally obtained from the third party’s system. 
We\r\nare liaising with the affected third party, to ensure our data is protected and ensuring that any appropriate\r\nauthorities are notified.”\r\nLSEG did not name the third-party company, but did not dispute the amount of data stolen.\r\nThe portion of stolen data seen by TechCrunch contains records on thousands of people, including current and\r\nformer government officials, diplomats, and private companies whose leaders are considered “politically exposed\r\npeople,” who are at a higher risk of involvement in corruption or bribery. The list also contains individuals\r\naccused of involvement in organized crime, suspected terrorists, intelligence operatives and a European spyware\r\nvendor.\r\nThe data varies by record. The database contains names, passport numbers, Social Security numbers, online crypto\r\naccount identifiers and bank account numbers, and more.\r\nWorld-Check is currently owned by the London Stock Exchange Group following a $27 billion deal to buy\r\nfinancial data provider Refinitiv in 2021. LSEG collects information from public sources, including sanctions\r\nlists, government sources and news outlets, then provides the database as a subscription to companies for\r\nconducting customer due diligence.\r\nBut privately run databases, like World-Check, are known to contain errors that can affect entirely innocent people\r\nwith no nexus or connection to crime but whose information is stored in these databases.\r\nIn 2016, an older copy of the World-Check database leaked online following a security lapse at a third-party\r\ncompany with access to the data, including a former advisor to the U.K. government to whose name World-Check had\r\napplied a “terrorism” label. 
Banking giant HSBC shut down bank accounts belonging to several\r\nprominent British Muslims after the World-Check database branded them with “terrorism” tags.\r\nA spokesperson for the U.K.’s data protection authority, the Information Commissioner’s Office, did not\r\nimmediately comment on the breach.\r\nTo contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send\r\nfiles and documents via SecureDrop.\r\nZack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this\r\nweek in security.\r\nHe can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or\r\nto verify outreach, at zack.whittaker@techcrunch.com.\r\nSource: https://techcrunch.com/2024/04/18/world-check-database-leaked-sanctions-financial-crimes-watchlist/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://techcrunch.com/2024/04/18/world-check-database-leaked-sanctions-financial-crimes-watchlist/"
	],
	"report_names": [
		"world-check-database-leaked-sanctions-financial-crimes-watchlist"
	],
	"threat_actors": [
		{
			"id": "6e8effad-d9fb-4b49-bba4-9b4e5953356d",
			"created_at": "2024-04-23T02:00:04.243074Z",
			"updated_at": "2026-04-10T02:00:03.630533Z",
			"deleted_at": null,
			"main_name": "GhostR",
			"aliases": [],
			"source_name": "MISPGALAXY:GhostR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7fda565b8b778e94e1533ea100dc16174c9e9dd.pdf",
		"text": "https://archive.orkl.eu/b7fda565b8b778e94e1533ea100dc16174c9e9dd.txt",
		"img": "https://archive.orkl.eu/b7fda565b8b778e94e1533ea100dc16174c9e9dd.jpg"
	}
}