Back

nu.nl Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure of 6,007 client accounts and 246 employee accounts, primarily driven by 5,590 historical data breaches and 663 active infostealer logs. The data breaches are predominantly sourced from "Combolist sources" (98.2%), suggesting credential stuffing or account takeover attempts. Infostealer activity is led by LummaC2 (25.2%), Redline (19.6%), and Rhadamanthys (8%), which are known to exfiltrate credentials and sensitive information. The exposure period spans from July 2025 to June 2026, with notable spikes in client account exposure during September 2025 and March-April 2026. The primary affected geography is the Netherlands. Given the high volume of historical data breaches and active infostealer logs targeting client and employee accounts, this situation presents a critical risk. The prevalence of LummaC2 and Redline malware families indicates a direct threat to credential integrity and potential for further compromise. Remediation should focus on immediate credential rotation for all affected employee and client accounts, enhanced monitoring for suspicious login activity, and implementing robust multi-factor authentication across all services. A thorough investigation into the root cause of the data breaches and infostealer infections is also paramount.

Total Events

6,253
credential exposure events

Employee Affected Events

246
account email domain = nu.nl

Client Affected Events

6,007
service target = nu.nl

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
1,5001,0005000
peak month 1,480
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events663
Share11%
Data breaches
Events5,590
Share89%
Infostealer logs (11%)
663events
Data breaches (89%)
5,590events

246 compromised employee accounts pose an infrastructure risk, while 6,007 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender25
ESET Security1

Malware Families Distribution

Distribution of Active Stealer Strains

LummaC2167
Redline130
Rhadamanthys53
Acreed33
Vidar28
StealC21
Millenium13
Remus11
RisePro11

Top Login URLs

Top exposed services found in the event results

  1. 1https://nu.nl644
  2. 2https://www.nu.nl624
  3. 3https://www.nu.nl/543
  4. 4nu.nl/480
  5. 5www.nu.nl421
  6. 6www.nu.nl/318
  7. 7https://nu.nl/137
  8. 8nu.nl/gp-spel79
  9. 9https://www.nu.nl/gp-spel76
  10. 10https://www.nu.nl/password-reset65

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

Netherlands
Events332
United States
Events21
Venezuela
Events16
France
Events13
China
Events6
Ghana
Events6
Saudi Arabia
Events5
Switzerland
Events5

Country Breakdown

  1. 1Netherlands332
  2. 2United States21
  3. 3Venezuela16
  4. 4France13
  5. 5China6
  6. 6Ghana6
  7. 7Saudi Arabia5
  8. 8Switzerland5

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Citrix4

Operating System Distribution

Distribution of compromised endpoint builds

Windows 1173
Windows 10 Enterprise x6458
Windows 11 24H2 build 26100 (64 Bit)41
Windows 10 Pro39
Windows 11 Pro (10.0.26100) x6437

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
5,490
Combolist pools
100
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.