Cybercriminal Claims to Drain Offshore Crypto Bank Wallets in 37GB Leak

A cybercriminal data extortion group operating under the alias "Weyhro" has posted a bombshell data leak on a closed Russian-language cybercrime forum, claiming to have drained the crypto wallets of Valens Bank — an offshore financial institution operating out of the Comoros Islands and South Africa. The leaked trove reportedly includes 37GB of data compromising internal infrastructure, financial operations, and sensitive customer details.

[Image: screenshot from a Russian cybercrime forum]

"They still don’t know how deep this goes" — hacker claims total backend access

According to the leak post dated March 28, the hacker alleges they fully compromised Valens Holding AG’s digital infrastructure, including the systems behind Valens Bank, Valens Pay, and Valens Exchange. The leak includes source code, backend API logic, cryptocurrency integrations, customer databases, and private keys used for crypto wallet management.

The hacker claims:

“I managed to get root access to everything. Their crypto wallets, KYC systems, internal source code — everything was exposed. There are still leads to dig.”

Infrastructure details and leaked data overview

Screenshots from the hacker’s post show a breakdown of the compromised systems, including:

  • Database exposure: Over 400,000 customer records and financial entries
  • Cryptographic keys: Allegedly encrypted with a weak ECC implementation
  • Source code: Entire repositories for their payment platform, exchange backend, and mobile apps
  • Financial processing systems: Including international wire gateway logs
  • Authentication systems: Multi-factor login mechanisms and session logic

The hacker also provided download links via .onion domains and shared a directory structure showing folders labeled “DB,” “Git,” and “S3,” along with a file list of nearly 54MB indexing the entire breach content.

About Valens Bank

Valens Bank, operated under Valens Private Bank Ltd., markets itself as a “frontier digital bank” providing blockchain and fintech solutions, including multi-currency accounts and crypto wallets. According to its website, the bank is registered in Anjouan (Comoros) and has a regional office in Johannesburg, South Africa.

The breach appears to affect multiple operational regions, with the hacker claiming that backend systems in Canada, the UK, and unnamed European locations were also accessed.

Threat actor shares decryption method for private keys

In a technically detailed section, Weyhro claims the bank used TripleDES with a hardcoded encryption key to secure private wallet keys. The post even includes a step-by-step decryption method leveraging known MD5 hash vulnerabilities and a custom key management bypass.

If validated, this could allow malicious actors to unlock customer wallets and potentially move funds — a risk the hacker alleges has already materialized.
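
For defenders, the point of this claim is that a key written into source code leaks along with the repository. The audit sketch below is an added example, not code from the leak, the forum post or Valens: it scans source text for the three things the report names (3DES, MD5, a literal key) and flags where they occur together. The rule patterns, function names and the C#-style sample are constructed for illustration.

```python
import re

# One rule per weakness named in the report; identifiers are common
# .NET / Java / Python / OpenSSL spellings, picked here as assumptions.
RULES = {
    "3DES_CIPHER": re.compile(r"TripleDES|DESede|\bDES3\b|des-ede3", re.I),
    "MD5_USE": re.compile(r"\bMD5(CryptoServiceProvider)?\b", re.I),
    # key/secret/passphrase-like name assigned a string literal of 8+ chars
    "HARDCODED_KEY": re.compile(
        r"\b\w*(key|secret|passphrase)\w*\s*=\s*b?[\"'][^\"']{8,}[\"']", re.I),
}

def scan(source, path="<memory>"):
    """Return (path, line_no, rule_id) findings, skipping comment-only lines."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(("//", "#", "*")):
            continue
        for rule_id, rx in RULES.items():
            if rx.search(line):
                findings.append((path, no, rule_id))
    return findings

def weak_key_wrapping(findings, window=10):
    """3DES lines that have both MD5 and a literal key within `window` lines."""
    hits = []
    for path, no, rule in findings:
        if rule != "3DES_CIPHER":
            continue
        nearby = {r for p, n, r in findings if p == path and abs(n - no) <= window}
        if {"MD5_USE", "HARDCODED_KEY"} <= nearby:
            hits.append((path, no))
    return hits

# Constructed sample input (hypothetical class and key, not from the breach).
SAMPLE = '''\
// constructed sample, not code from the leak
public static class WalletVault {
    private const string WalletKey = "Sup3rS3cretPassphrase";
    public static byte[] Protect(byte[] privateKey) {
        using var md5 = MD5.Create();
        using var tdes = TripleDES.Create();
        tdes.Key = md5.ComputeHash(Encoding.UTF8.GetBytes(WalletKey));
        return tdes.CreateEncryptor().TransformFinalBlock(privateKey, 0, privateKey.Length);
    }
}
'''

if __name__ == "__main__":
    for hit in weak_key_wrapping(scan(SAMPLE, "WalletVault.cs")):
        print("literal key + MD5 + 3DES near %s:%d" % hit)
```

A hit means the wrapping key should move out of the code base (KMS or HSM) and the wrapped wallet keys should be rotated, since anyone holding the repository can already read the literal.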


Disclaimer

Leakd.com does not engage in the exfiltration, downloading, hosting, viewing, reposting, or disclosure of any stolen or illegally obtained information. All breach data reported here is sourced from publicly available threat intelligence sources and cybercriminal forums for public awareness and research purposes only.
