Habib Bank AG Zurich – Qilin Hit

By Ashish S

Habib Bank AG Zurich Targeted in Major Qilin Ransomware Attack

On the morning of 5 November 2025, the notorious Qilin ransomware gang added Switzerland’s Habib Bank AG Zurich to its dark-web leak site—claiming the theft of 2.5 terabytes of data and nearly 2 million files.

What Qilin Claims to Have Stolen

  • Full customer KYC packages (passports, IDs, proof-of-address)
  • Account balances and credit positions
  • Internal transaction logs and SWIFT message archives
  • Employee HR files, payroll, and medical records
  • Source code of the bank’s core-banking and mobile-app platforms
  • Blacklist databases and sanctions-screening logs
  • Board-meeting minutes and merger documents

The 7-Day Clock

Qilin has set a 7-day public countdown ending Wednesday 12 November 2025.

If the undisclosed ransom is not paid, the gang threatens to publish the entire 2.5 TB archive and auction the source code to the highest bidder.

Why This Breach Matters

Habib Bank AG Zurich is one of the few remaining family-owned Swiss private banks with a global footprint:

  • Headquartered at Weinbergstrasse 59, 8006 Zurich
  • Operations in 11 countries across four continents
  • Nearly 8 000 employees and over 500 branches
  • 2024 revenue: USD 750 million
  • Specialises in trade finance between Europe, Middle East, and South Asia

A confirmed leak would expose wealthy individuals, correspondent banks, and trade-finance counterparties to identity theft, sanctions evasion, and targeted phishing for years.

How Qilin Operates

Qilin (formerly “Agenda”) is a Russian-speaking ransomware-as-a-service cartel that exploded onto the scene in 2022. Key traits:

  • Affiliates keep 80–85 % of every ransom
  • Double-extortion: encrypt + exfiltrate
  • Rust-language encryptor that evades most EDR tools
  • Real-time leak-site automation (new victims appear within hours)
  • 2025 victim count already exceeds 950 organisations

Immediate Advice for Customers

  1. Freeze your credit file with all three bureaus.
  2. Enable two-factor authentication (authenticator app or SMS) on HBZ online banking.
  3. Watch for phishing emails pretending to be “security updates”.
  4. Request a fresh account number if you suspect exposure.

What Happens Next?

Swiss regulator FINMA has opened an emergency supervisory review. The bank’s incident-response team—assisted by external forensics firms—is racing to:

  • Confirm the breach scope
  • Patch the initial entry vector (believed to be a compromised VPN appliance)
  • Notify affected clients under Swiss data-protection law

Qilin’s leak page already displays 34 screenshot teasers. More proof files are expected hourly until the deadline.

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.