Skip to content
Support
Donations
Leads

Threat Actor Selling 1.2 Million French FICOBA Banking Leads With IBANs, SSNs, and Tax IDs From 15+ Banks

 and  Dark Web Informer
9 min read
Dark Web Informer - Cyber Threat Intelligence

Threat Actor Selling 1.2 Million French FICOBA Banking Leads With IBANs, SSNs, and Tax IDs From 15+ Banks

April 7, 2026 - 7:20:44 PM UTC
France
Banking / Financial Services
Standalone API Access Now Available High-volume threat-intelligence data, automated ingestion endpoints, ransomware feeds, IOC data, and more.
View API
Unlock Exclusive Cyber Threat Intelligence
Powered by DarkWebInformer.com
Stay ahead of cyber threats with real-time breach tracking, expert analysis, and high quality evidence - built for security professionals, researchers, journalists, and everyday people who take their privacy seriously.
Subscribe Now

Quick Facts

Date & Time 2026-04-07 19:20:44 UTC
Threat Actor bestdata
Victim FICOBA / French Banking Sector
Industry Banking / Financial Services
Category Data Breach
Total Records 1.2 Million
Banks Affected 15+ Institutions
Data Year 2026
Severity Critical
Price Contact Seller
Network Open Web
Country France

Incident Overview

A threat actor going by bestdata claims to be selling a 1.2 million record dataset described as French FICOBA banking leads. FICOBA (Fichier des Comptes Bancaires et Assimilés) is France's national registry of bank accounts maintained by the French tax authority, which records every bank account opened in France along with the account holder's identity. If this dataset is genuinely sourced from or mirrors FICOBA data, it represents one of the most sensitive French financial datasets possible.


The listing names the following banks whose customers appear in the dataset: BNP Paribas, Societe Generale, Credit Lyonnais (LCL), Credit Agricole (multiple regional banks), Caisse d'Epargne, Credit Mutuel, CIC, Banque Populaire, AXA Banque, Boursorama, Revolut, Monabanq, Carrefour Banque, HSBC, Allianz Banque, BRED, BforBank, and many other regional institutions. The data fields per record are extensive:

  • Identity: Full names, dates of birth, birth city and department, territory classification.
  • Government Identifiers: Social security numbers and tax identifiers (SPI, the French tax reference number).
  • Banking Details: IBANs, BIC/SWIFT codes, bank names, bank branch information, account types, and account nature.
  • Contact Information: Phone numbers, email addresses, main addresses, and possible secondary addresses.
  • Family Data: Relatives information including names and birthdates of family members.
  • Credentials: Possible password fields are listed, though the scope of this field is unclear.

The sample record shows a structured format with distinct Identity, Contact, and Address sections, including a specific individual's name, date of birth, Paris arrondissement of birth, department number, territory, and phone number. The combination of IBANs, social security numbers, tax identifiers, and full identity details across 15+ banks makes this a complete financial identity theft package. An attacker with this data could initiate fraudulent SEPA transfers, file false tax returns, open accounts in victims' names, or conduct highly targeted social engineering against specific bank customers.

Compromised Data Categories

Full Names Dates of Birth Birth City & Department Social Security Numbers Tax Identifiers (SPI) IBANs BIC / SWIFT Codes Bank Names & Branch Info Account Types & Nature Phone Numbers Email Addresses Main & Secondary Addresses Relatives (Names & Birthdates) Possible Passwords

Image Preview

Forum post by bestdata selling 1.2 million French FICOBA banking leads with data fields listing, affected banks including BNP Paribas, Societe Generale, Credit Agricole, and 15+ other institutions Sample FICOBA record showing structured identity, contact, and address sections with Paris arrondissement birth details and phone number

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.
Subscribe
Subscriber Access View the original listing URL and unredacted claim images on the feeds below.
Threat Feed Ransomware Feed

MITRE ATT&CK Mapping

T1589.001 Gather Victim Identity: Credentials
Harvests IBANs, social security numbers, tax identifiers, and possible passwords for 1.2 million French banking customers across 15+ financial institutions.
T1213 Data from Information Repositories
Extracts structured banking records from what appears to be a FICOBA-format dataset, pulling account details, personal identifiers, and financial data across France's banking sector.
T1657 Financial Theft
The combination of IBANs, BIC/SWIFT codes, and full identity details enables direct financial fraud including fraudulent SEPA transfers, tax return fraud, and account impersonation.
T1567 Exfiltration Over Web Service
Advertises and sells the French banking dataset through web forums, with serious inquiries directed to a Telegram handle for pricing and sample verification.

Dark Web Informer © 2026 | Cyber Threat Intelligence
DarkWebInformer.com

Related

Latest