UK Cybercrime Journal: Hargreaves Lansdown Extortion Attempt by Bashe


What Happened

  • Between September 2025 and May 2026, Hargreaves Lansdown, the UK-based investment platform, was the subject of IT glitches, technical outages and hacker claims that triggered rumours and customer concern.
  • On 11 September 2025, Hargreaves Lansdown customers reported discrepancies in the balances of their pension and ISA accounts, which appeared as if large sums had been mysteriously withdrawn. Customers who logged in and saw their life savings reduced began to fear they had been “hacked”. Within 24 hours, Hargreaves Lansdown responded that it had been a temporary technical issue lasting about 45 minutes and that all client balances had been restored.
  • On 20 March 2026, Hargreaves Lansdown customers began experiencing technical issues affecting parts of its website and app. The company apologised for the IT issues, which left customers unable to access their accounts during a period of heightened volatility in the financial markets, and stated that there was no evidence of a cyber incident or data breach and that all customer assets and data were secure.
  • On 27 April 2026, Hargreaves Lansdown (hl.co.uk) was listed as a victim on the Bashe Tor data leak site. The group claimed to have stolen a customer database of 658,259 unique users and posted five links to other servers under its control from which Tor users could download the alleged data.
  • On 8 May 2026, the alleged Hargreaves Lansdown data appeared on DarkForums, a cybercrime forum. The sample posted contains names, addresses, email addresses, phone numbers and dates of birth. No Hargreaves Lansdown customer account numbers or transaction details were included in the sample.

Analyst Comment

Hargreaves Lansdown is the UK's largest direct-to-consumer investment platform, allowing customers to buy and sell investments such as shares, as well as providing financial advice and offering accounts like cash ISAs.

Active since April 2024, Bashe (aka APT73 or Eraleign) is a cybercriminal group focused on data-theft extortion and ransomware. Analysts at CloudSEK found that APT73 fabricates attacks by falsely claiming responsibility for high-profile breaches, aiming to attract affiliates and bolster its credibility. The group is known for taking credit for attacks that either never happened or were carried out by others.

Analysis of the sample data posted to DarkForums and the Bashe Tor data leak site revealed it to be a deliberately selected set of UK-based user records. Checking the email addresses against HaveIBeenPwned showed that every address in the DarkForums sample already appeared in the Verifications[.]io breach as well as the People Data Labs (PDL) customer breach. That is unusual for genuinely new leaked data and likely points to both the Bashe leak site and the DarkForums post sharing recycled, fake data.
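The HaveIBeenPwned cross-check described above, as an added example (not code from the original post or from the author): it looks each sample address up in HIBP and scores how much of the sample already sits in old aggregator breaches, which is what separates a repackaged dump from a fresh one. The breach identifiers VerificationsIO and PDL, the API key handling and the example.com addresses are assumptions, and the offline lookup table is constructed test data standing in for live HIBP responses.

```python
"""Triage a leaked 'sample' by checking whether its email addresses already
sit in old, widely circulated breaches (HaveIBeenPwned lookup).

Added example, not from the original post. 'VerificationsIO' and 'PDL' are
assumed to be the HIBP breach identifiers for Verifications.io and People
Data Labs; the sample addresses and the offline lookup table are constructed.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Old aggregator/marketing breaches: a "fresh" sample made entirely of these
# is a strong recycling indicator. Names assumed to match HIBP identifiers.
RECYCLED_BREACHES = {"VerificationsIO", "PDL"}


def hibp_lookup(email: str, api_key: str) -> List[str]:
    """Return HIBP breach names for one address via the v3 API.

    Needs an HIBP API key; the caller must throttle to stay within the
    key's rate limit. HIBP returns 404 for an address in no known breach.
    """
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           + urllib.parse.quote(email) + "?truncateResponse=true")
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "breach-sample-triage",  # HIBP rejects requests without a UA
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return [breach["Name"] for breach in json.load(resp)]
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return []
        raise


def triage_sample(emails: List[str],
                  lookup: Callable[[str], List[str]]) -> Dict[str, object]:
    """Classify each address and return an overall verdict.

    recycled: already in one of RECYCLED_BREACHES
    other:    in some breach, but not the recycled set
    unseen:   HIBP has never seen it (what a genuinely new leak looks like)
    A single address being in old breaches proves nothing; it is the whole
    sample matching that marks it as repackaged.
    """
    per_email: Dict[str, str] = {}
    for email in emails:
        names = set(lookup(email))
        if names & RECYCLED_BREACHES:
            per_email[email] = "recycled"
        elif names:
            per_email[email] = "other"
        else:
            per_email[email] = "unseen"
    total = len(per_email)
    recycled = sum(1 for v in per_email.values() if v == "recycled")
    ratio = recycled / total if total else 0.0
    if total and recycled == total:
        verdict = "likely recycled"
    elif ratio >= 0.5:
        verdict = "suspicious"
    else:
        verdict = "consistent with fresh data"
    return {"per_email": per_email, "recycled_ratio": ratio, "verdict": verdict}


# Constructed sample and a constructed stand-in for live HIBP answers.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.co.uk", "carol@example.org"]
OFFLINE_HIBP = {
    "alice@example.com": ["VerificationsIO", "PDL"],
    "bob@example.co.uk": ["PDL"],
    "carol@example.org": ["VerificationsIO", "Collection1"],
}


def offline_lookup(email: str) -> List[str]:
    """Lookup against the constructed table; swap for hibp_lookup in production."""
    return OFFLINE_HIBP.get(email, [])


if __name__ == "__main__":
    result = triage_sample(SAMPLE_EMAILS, offline_lookup)
    for email, status in result["per_email"].items():
        print(f"{email:<22} {status}")
    print(f"recycled ratio {result['recycled_ratio']:.2f} -> {result['verdict']}")
```

Two points matter in practice: throttle the live lookups (HIBP enforces a per-key rate limit and will answer 429 otherwise), and treat the result as one indicator rather than proof, since an address present in Verifications.io can also be in a genuine new breach. It is the whole sample matching old aggregator data, combined with the actor's history, that supports the "fabricated" assessment.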

Further, data from a financial trading platform such as Hargreaves Lansdown would be considered highly valuable on the cybercrime underground and could be sold for a large amount of cryptocurrency, so it is again unusual for it to be dumped for free on a forum or Tor site. Based on the technical analysis of the leaked data sample and the established behavioural patterns of the threat actor, it is assessed with high confidence that the alleged data breach of Hargreaves Lansdown is entirely fabricated.

It appears Bashe opportunistically weaponised Hargreaves Lansdown’s recent IT outages and glitches (in September 2025 and March 2026) to construct a plausible, but false, narrative of a successful hack. By capitalising on pre-existing customer anxiety about platform stability, the group attempted to reinforce its claims and extort its target for a quick ransom.

This incident highlights an evolving trend in which threat actors substitute psychological manipulation for complex technical exploits.


Defensive Takeaways

  • Counter Adversary Threats: To counter this trend, UK firms must integrate their public relations (PR), incident response and threat intelligence teams. Quick, transparent communication that explicitly decouples internal IT glitches from external cyber threats remains an effective defence against brand-damaging, clout-chasing extortion tactics.
  • Precautionary Threat Hunting: Even in a fake-breach scenario, it is still important to threat hunt for malicious and suspicious activity involving the potentially targeted systems, so that the organisation can show the alleged exfiltration never happened. Here the attacker claimed to have stolen the customer database, so it would be prudent to hunt specifically for signs of data theft involving the systems that host customer data: bulk reads or exports of customer tables, database principals or client addresses that have no history of touching that data, and large outbound transfers from those hosts.
  • Precautionary Password Resets: In a scenario like this, companies may be tempted to trigger a precautionary customer password reset “just to be on the safe side”. However, credential rotation must be calculated, automated and decoupled from fear, uncertainty and doubt (FUD). If the incident response includes this action, it must be a measured one: triggering a mass password reset without tailored communications can unintentionally support the cybercriminals' fake-breach narrative and trigger mass panic.
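A hunting pass of the kind the threat-hunting takeaway calls for, as an added example (not code from the post or from Hargreaves Lansdown): it reads database audit records for the customer tables and flags any principal whose daily reads look like a full-table dump, dwarf its own baseline, or come from a client address never seen for that principal before. The pipe-separated record format, table names, principals, addresses and thresholds are all assumptions, and the log lines are constructed; the 658,259 figure is the attacker's claimed row count, used here only as the size of the constructed table.

```python
"""Hunt for bulk reads of customer tables in database audit records.

Added example, not from the original post. The record format
(timestamp|db_user|client_ip|table|rows_returned), the table names,
principals, addresses and thresholds are assumptions; the log lines are
constructed. CUSTOMER_TABLE_ROWS uses the attacker's claimed 658,259 as
the size of the constructed table; a real hunt takes it from the database.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

CUSTOMER_TABLE_ROWS = 658_259
CUSTOMER_TABLES = {"customers", "customer_contacts"}
FULL_DUMP_FRACTION = 0.8      # one principal/day reading >= 80% of a table
BASELINE_MULTIPLIER = 10      # or > 10x its own median daily volume

# Constructed audit records: ts|db_user|client_ip|table|rows_returned
AUDIT_LOG = """\
2026-04-20T09:01:10Z|app_svc|10.0.5.21|customers|42
2026-04-20T09:03:55Z|app_svc|10.0.5.21|customer_contacts|7
2026-04-20T11:15:02Z|reporting|10.0.9.4|customers|5000
2026-04-21T09:00:41Z|app_svc|10.0.5.21|customers|38
2026-04-21T11:14:58Z|reporting|10.0.9.4|customers|5200
2026-04-22T02:13:07Z|reporting|172.16.44.9|customers|330000
2026-04-22T02:19:44Z|reporting|172.16.44.9|customers|328259
2026-04-22T02:25:30Z|reporting|172.16.44.9|customer_contacts|120000
2026-04-22T09:02:13Z|app_svc|10.0.5.21|customers|45
2026-04-22T09:04:00Z|app_svc|10.0.5.21|orders|900
"""

Record = Tuple[datetime, str, str, str, int]


def parse_audit(log_text: str) -> List[Record]:
    """Parse records and return them in time order."""
    records = []
    for line in log_text.strip().splitlines():
        ts, user, ip, table, rows = line.split("|")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        user, ip, table, int(rows)))
    return sorted(records)


def hunt(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per (principal, day) that has at least one reason."""
    daily = defaultdict(int)        # (user, day) -> rows read from customer tables
    per_table = defaultdict(int)    # (user, day, table) -> rows
    seen_ips = defaultdict(set)     # user -> client IPs seen so far, in time order
    new_ip: Dict[Tuple[str, str], str] = {}
    for ts, user, ip, table, rows in parse_audit(log_text):
        if table not in CUSTOMER_TABLES:
            continue                # 'orders' and the like are out of scope
        day = ts.date().isoformat()
        if seen_ips[user] and ip not in seen_ips[user]:
            new_ip[(user, day)] = ip
        seen_ips[user].add(ip)
        daily[(user, day)] += rows
        per_table[(user, day, table)] += rows

    findings = []
    for (user, day), total in sorted(daily.items()):
        reasons = []
        # Baseline: this principal's median daily volume on its other days.
        other_days = [v for (u, d), v in daily.items() if u == user and d != day]
        if other_days:
            baseline = statistics.median(other_days)
            if total > BASELINE_MULTIPLIER * baseline:
                reasons.append(f"{total} rows vs median {baseline:.0f} on other days")
        for (u, d, table), rows in per_table.items():
            if (u, d) == (user, day) and rows >= FULL_DUMP_FRACTION * CUSTOMER_TABLE_ROWS:
                reasons.append(f"full-table read: {rows} rows from {table}")
        if (user, day) in new_ip:
            reasons.append(f"first activity from client IP {new_ip[(user, day)]}")
        if reasons:
            findings.append({"user": user, "day": day, "rows": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(AUDIT_LOG):
        print(f"{f['day']} {f['user']} ({f['rows']} rows): " + "; ".join(f["reasons"]))
```

Against the constructed records the reporting account's early-morning reads on 22 April trip all three checks at once, which is what a real dump of a 658,259-row table would look like in the audit trail. Two caveats for a real hunt: a baseline built from two days is illustrative only, so use weeks of history, and a slow, trickled exfiltration that stays under both thresholds will only show up in egress-volume baselines for the database hosts, not in this per-day query view. A clean result across both is the evidence that lets the organisation say the claimed theft did not happen.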


Relevant Sources

  1. https://archive.is/jXLF1
  2. https://www.ransomware.live/id/aGwuY28udWtAYXB0NzM
  3. https://uk.finance.yahoo.com/news/hargreaves-lansdown-outage-halts-customer-132845651.html
  4. https://www.bbc.co.uk/news/articles/cx2reyjdyjzo
  5. https://x.com/hlinvest/status/2034923194176426310
  6. https://x.com/ibreaches/status/2052737608153997519


Relevant CTI Resources

  1. https://www.ransomware.live/group/apt73
  2. https://www.cloudsek.com/blog/unmasking-media-hungry-ransomware-groups-bashe-apt73

