Back

citigroup.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure event impacting citigroup.com, with over 114,000 historical data breaches and nearly 4,600 active infostealer logs detected within the reporting period. The majority of these events are classified as historical data breaches, with a smaller but concerning portion attributed to active infostealer activity. The timeline shows a substantial spike in employee and client-related events in January 2026, suggesting a potential peak in compromise activity during that month. The primary malware families associated with the infostealer logs are Redline, LummaC2, and Vidar, all known for credential harvesting. Targeted services include secure mail and access portals, indicating a focus on gaining access to sensitive user accounts. The leak repository classification points to both combolist sources and database dumps as origins of exposed data, with a near even split between the two. Given the high volume of historical data breaches and the presence of active infostealer logs targeting employee and client credentials, this incident warrants immediate attention. The prevalence of Redline and LummaC2 suggests a sophisticated threat actor or multiple actors leveraging common, effective infostealing tools. Prioritization should focus on identifying the root cause of the historical breaches, containing the active infostealer infections, and assessing the full scope of compromised credentials and data. Remediation efforts should include credential reset campaigns for affected employees and clients, enhanced monitoring of critical access points, and a review of data security protocols to prevent future occurrences.

Total Events

119,087
credential exposure events

Employee Affected Events

101,525
account email domain = citigroup.com

Client Affected Events

17,562
service target = citigroup.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
50,00033,33316,6670
peak month 46,576
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events4,598
Share4%
Data breaches
Events114,489
Share96%
Infostealer logs (4%)
4,598events
Data breaches (96%)
114,489events

101,525 compromised employee accounts pose an infrastructure risk, while 17,562 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender46
Windows Defender 알약17
Avira2
Windows Defender Sentinel Agent1
Bitdefender1
Windows Defender Norton 360 Sentinel Agent1

Malware Families Distribution

Distribution of Active Stealer Strains

Redline2,087
LummaC2492
Vidar285
Rhadamanthys248
Acreed164
StealC39
Millenium35
RisePro20
X-Files20

Top Login URLs

Top exposed services found in the event results

  1. 1https://securemailcenter.citigroup.com/registerPsk.html1,602
  2. 2https://secureaccessweb.nam.citigroup.com/siteminderagent/forms/pfloginprod.fcc1,314
  3. 3securemailcenter.citigroup.com/registerPsk.html989
  4. 4securemailcenter.citigroup.com789
  5. 5https://securemailcenter.citigroup.com781
  6. 6https://securemailcenter.citigroup.com/recoverPsk.html741
  7. 7secureaccessweb.nam.citigroup.com/siteminderagent/forms/pfloginprod.fcc737
  8. 8https://secureaccessweb.nam.citigroup.com588
  9. 9secureaccessweb.nam.citigroup.com564
  10. 10citigroup.com535

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

United States
Events641
Netherlands
Events429
India
Events360
Germany
Events344
Mexico
Events191
Denmark
Events166
Philippines
Events153
United Kingdom
Events76

Country Breakdown

  1. 1United States641
  2. 2Netherlands429
  3. 3India360
  4. 4Germany344
  5. 5Mexico191
  6. 6Denmark166
  7. 7Philippines153
  8. 8United Kingdom76

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Pulse Secure432
Citrix180
Cisco (AnyConnect)11
Git8
FortiNet VPN6

Operating System Distribution

Distribution of compromised endpoint builds

Windows 11232
Windows 10 Enterprise x64189
Windows 11 Pro181
Windows 10 Pro (10.0.19045) x64169
Windows Server 2003 R2 x32139

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
59,092
Combolist pools
55,397
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.