Ransomware victim disclosure

Bank Negara Indonesia (BNI)

Claimed by TRIPLE X · listed 5 days ago

2 TB (full); ~100 GB (free sample)

Data size

Age

since listed · data leaked

Status timeline

Listed
May 27, 2026
Data leaked

At a glance

Group: TRIPLE X
Status: Data leaked
Country: Indonesia
Sector: Finance
Listed on leak site: May 27, 2026
Data size: 2 TB (full); ~100 GB (free sample)

About the victim

AI dossier — public-source company profile

Bank Negara Indonesia (BNI) is Indonesia's state-owned commercial bank and one of the largest banks in the country, providing retail and corporate banking services across Indonesia.

Industry: Banking & Financial Services

Attack summary

Severity: critical — Confirmed exfiltration of regulated financial institution data at massive scale (2 TB); includes personally identifiable information (passports, ID cards, contracts) affecting potentially millions of customers. Regulatory data exposure at a systemically important bank in Southeast Asia.

TRIPLE X claims to have exfiltrated 2 TB of customer data from BNI, including customer contracts, passports, and ID cards covering the period 2024–2026. The group has published a ~100 GB free sample and is offering the full dataset for sale.

critical

Data the group says was taken

AI dossier — extracted from the leak post

Customer contracts
Passports
ID cards
Customer information

The group's post references roughly 3 sample images proof files.

What the group claims

Customer information from 2024 to 2026 including customer contracts, passports, and ID cards. The threat actor claims the bank has severe security weaknesses. A partial free sample of ~100GB is available, with the full dataset reported as 2TB.

The leak post

captured from the group's site

## Bni.co.id bank of indonesia free data.
BANK of indonesia bni.co.id Customer information from 2024 to 2026 All customer contracts, passports, and ID cards (few pic attached) It’s strange the bank has such a severe security weakness. full data is 2 TB few sample pics: part 1 ~ 100Gig free download : http://6qqz6m3b6htudohg2mlf5gdcalonxy3sh5g4dix4mpyirjcgelqqufad.onion/bni.co.id/ pass : bnibnibni we will leak few days later new parts, if u wanna download full pack PM us in forums (https://forum.exploit.in/profile/240235-apt8172/) and get link. If you want to buy the bni bank 2026 fresh data, send a private message...

Data the group says was taken

customer information
contracts
passports
ID cards

Sources

Victim sitebni.co.id
Leak posthttp://ojcmpbdncjo5dhaxxll44bq6to3kwqtoeraevgsjquhdtt4uv5l4igid.onion

Source

Indexed 5 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About TRIPLE X

TRIPLE X is a ransomware group first observed in May 2026 with an apparently financially motivated operational focus, though its limited activity to date makes comprehensive characterization difficult. Based on available data, the group has claimed or confirmed at least one victim, with targeting concentrated in Indonesia and within the financial sector, suggesting either a regionally focused threat actor or an early-stage operation still establishing its scope. No detailed technical analysis of TRIPLE X has been publicly documented by CISA, the FBI, Mandiant, or other major threat intelligence providers at this time, meaning its initial access vectors, encryption methodology, extortion tactics, and tooling remain unattributed or unconfirmed in open sources. No notable high-profile campaigns, record ransom demands, or law enforcement actions involving this group have been publicly reported. Given its very recent emergence and single known victim, TRIPLE X should be considered an emerging or nascent threat actor whose operational patterns, affiliations, and capabilities warrant continued monitoring but cannot be fully assessed with the intelligence currently available in the public domain. The group has been linked to 1 public disclosures across our corpus. First observed on a leak site on May 27, 2026. The operation is currently active.

Timeline of this disclosure

May 27, 2026Bank Negara Indonesia (BNI) listed by TRIPLE Xon the group's public leak site

Data size: 2 TB (full); ~100 GB (free sample)

Sector and geography

This disclosure adds to ransomware activity in the Finance sector, which has 92 disclosures indexed across all operators we track. Geographically, Bank Negara Indonesia (BNI) is reported in Indonesia.