case study icon

Employee data on the Dark Web. How a bank reduced the risk of attacks by detecting leaks

A data breach doesn’t have to originate within a bank to become its problem. Employee data exposed on the Dark Web – often leaked from external services – can serve as a starting point for effective social engineering attacks.

Graphic promoting the Dark Web Investigation service for banking, featuring a laptop, a bank icon, and the PREBYTES logo.

Implementation Context

Client: commercial bank / security teams (SOC, Blue Team)
Area: cybersecurity – Dark Web monitoring and data leak identification
Integration: keyword-based monitoring + expert analysis by PREBYTES SIRT
Result: increased visibility of external threats and the ability to respond before an incident occurs

What challenge was the client facing – and why did it matter?

The bank had well-developed system protection mechanisms and mature incident response processes. However, it lacked visibility into what was happening with data related to the organization outside its infrastructure.

In practice, this meant that potential threats could emerge and evolve externally, without the ability to detect them early.

As part of the implemented Dark Web Investigation service provided by PREBYTES SIRT (Security Incident Response Team), a database published on a cybercriminal forum was identified early on. It contained login credentials, passwords, and information about the services from which the data originated.

Among the records were email addresses in the bank’s domain, linked to various services such as cta.pl, gateway.hbogo.pl, gandalf.com.pl, and krakow-biblioteka.sowa.pl.

Importantly, the data did not originate from a single incident but from multiple independent breaches, indicating broad exposure of employees outside the organization.

The key question was not “has a breach occurred?” but rather “if and how can this data be used against our organization?”

Key Challenges

  • lack of visibility into data leaks occurring outside the organization
  • fragmentation and scale of sources
  • lack of context to assess real risk
  • risks related to password reuse
  • employee behavior, including the use of corporate email addresses in external services

What was implemented and how does it work in practice?

The implemented Dark Web Investigation service is based on a set of keywords associated with the bank – primarily employee email domains and other organizational identifiers.

Monitoring covers, among others, TOR, Freenet, and I2P networks, cybercriminal forums, and underground marketplaces. In practice, this means continuous scanning of a wide range of sources for data related to the organization.

When such information is detected, its source and scope are identified – particularly the type of exposed data and the services it is associated with.

The bank receives insights that enable its security teams to assess whether the data can be used in practice – for example in login attempts, phishing campaigns, or social engineering attacks.

The key value of the service lies in providing an early signal of data exposure outside the organization.

Based on this, the bank can prioritize incidents, verify potentially compromised accounts, and decide on further actions such as password resets, additional access verification, or user awareness activities.

Results and impact on daily operations

The most significant change was gaining real visibility into how data related to employees functions outside the organization.

Identified leaks were no longer treated as isolated incidents but as potential entry points for further malicious activity. The approach shifted from reactive (after an incident) to proactive (before it occurs).

It is also worth emphasizing that the scope of monitoring is not limited to employee email addresses. The service also includes identification of data related to the organization in a broader context – including information about customers, suppliers, and mentions of the institution itself.

This makes it possible to detect not only individual leaks but also broader patterns and potential attack vectors that may impact the security of the entire organizational ecosystem.

Results after implementation

  • increased visibility of leaks associated with the bank’s email domains
  • ability to respond quickly (e.g., password resets, access verification)
  • reduced impact of leaks by limiting their usability in attacks
  • decreased susceptibility to phishing and targeted social engineering attacks
  • identification and reduction of risky user behaviors
  • shorter response time for security teams
  • improved compliance with regulatory requirements (e.g., DORA)

Are your employees’ data already for sale? Verify your exposure on the Dark Web: Dark Web Investigation | Uncover stolen data on the Darknet | PREBYTES

See more deployments in this industry: Banking
PREBYTES banner promoting Cyber Threat Intelligence Feed for the banking sector; on the right, blue gears display security icons and labels including SIEM, IDS, IPS, SOAR, and REST API, with a bank symbol in the center.

How did a bank increase the value of threat intelligence through better data quality and selectivity?

banking

A commercial bank needed a threat intelligence source better suited to the realities of the financial sector. Implementing CTI Feed reduced noise, improved data relevance, and increased the effectiveness of daily security operations.

Learn more
Cover image showing the workflow of IOC Simulator – a solution for validating security effectiveness.

Dead tools vs. Real Detection: How to eliminate “shelfware” and reduce threat verification time by 90%

banking

In critical moments, the problem is not a lack of tools, but a lack of confidence that they work as intended. IOC Simulator - straightforward to deploy and supported by engineers - enabled the bank to implement a continuous testing process and provide reliable audit evidence. The solution is designed for Red, Blue, and Purple Teams.

Learn more
Mobile anti-malware for banking with smartphone app screens and PREBYTES logo.

Mobile malware: how to reduce fraud when variants change faster than signatures?

banking

Dynamic in-app detection identified malware risk even for new variants not yet covered by signature databases. As a result, the bank could trigger antifraud response earlier–before an unauthorized transaction was executed.

Learn more
DP Smart case study cover: a smartphone with the text “Case Study #Banking” and a fingerprint icon.

“Untrusted device” every few weeks? How to stabilize fingerprinting and reduce ATO in banking (PSD2/SCA)

banking

A routine browser update could turn a “trusted” device into “untrusted,” triggering unnecessary checks. With multi-stream device fingerprinting, the bank reduced false positives, improved login UX, and stayed PSD2/SCA compliant.

Learn more
PREBYTES Case Study: Remote Desktop Detection for Web on a monitor. #BANKING

Mitigating Remote Access Scams: How a Top 3 Bank Reduced Fraud by 97% with Zero UX Friction

banking

A major European bank struggled with a remote access scams, detected only after the fact. Implementing Remote Desktop Detection (1 line of JS) provided a precise, real-time signal and reduced fraud without impacting UX.

Learn more
An image showing a smartphone with the text “Remote Desktop Detection for Mobile” and the hashtag #BANKING.

How the Bank Reduced Remote Access Fraud in Its Mobile Channel

banking

A leading commercial bank with 3M+ users, despite having its own mobile protection, deployed remote desktop detection in its mobile app. It closed the post-login gap and achieved a 97% detection of remote access scam events.

Learn more
Deployment Dark Web Investigation in other industries
No items found.