Citi A.I CyberSecurity Scoring
Citi
Company Information
Website: http://www.citigroup.com
Employees number: 200,467
Number of followers: 5,098,515
NAICS: 52
Industry Type: Financial Services
Homepage: citigroup.com
Citi Risk Score (AI oriented)
Between 750 and 799
Citi
Financial Services
Updated: 20/05/2026
790/1000
Fair
Baa

Current Score
790 Baa (FAIR)
4 incidents
-10 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
795
MAY 2026
791
APRIL 2026
792
MARCH 2026
790
FEBRUARY 2026
790
JANUARY 2026
789
DECEMBER 2025
797
Cyber Attack
01 Dec 2025 • Citi
Navy Federal Credit Union, USAA, Citibank, Fidelity Investments and Wells Fargo: Operation DoppelBrand: Weaponizing Fortune 500 Brands
Operation DoppelBrand: Sophisticated Phishing Campaign Targets Fortune 500 Firms
787
CRITICAL-10
CITWELNAVUSAFID1771266975
An elusive cyberthreat group known as GS7 has been running Operation DoppelBrand, a large-scale phishing campaign targeting Fortune 500 companies, financial institutions, and high-value entities worldwide. First observed between December 2025 and January 2026, the operation leverages near-perfect replicas of corporate login portals to steal credentials and deploy remote management and monitoring (RMM) tools for further exploitation.
### Key Details of the Campaign
- Targets: Primarily U.S.-based financial institutions, including Wells Fargo, USAA, Navy Federal Credit Union, Fidelity Investments, and Citibank, alongside technology, healthcare, and telecommunications firms in Europe and other regions.
- Tactics: GS7 registers over 150 malicious domains via registrars like NameCheap and OwnRegistrar, routing traffic through Cloudflare to evade detection. Attackers exfiltrate stolen data (usernames, passwords, IP addresses, geolocation, device fingerprints, and timestamps) to Telegram bots controlled by the group.
- Infrastructure: The group has operated since at least 2022, with claims of activity dating back nearly a decade. Researchers linked GS7 to Brazilian cybercrime forums, where stolen credentials and financial data are traded.
- Impact: Beyond credential theft, GS7 installs RMM tools on victim systems, enabling remote access or malware deployment. The campaign’s sophistication, including rotating infrastructure and meticulous branding mimicry, has allowed it to evade detection until now.
### Researcher Findings
Security firm SOCRadar uncovered the operation, identifying a Telegram group ("NfResultz by GS") tied to the threat actor. A self-proclaimed GS7 member provided screenshots of past campaigns, including a Fidelity Investments phishing demo that triggered RMM tool downloads upon login. SOCRadar released TTPs (tactics, techniques, and procedures) and IoCs (indicators of compromise) to help defenders track the group’s activities.
With English-speaking markets as the primary focus, GS7’s DoppelBrand campaign remains active, underscoring the growing threat of highly organized, financially motivated phishing operations.
NOVEMBER 2025
796
OCTOBER 2025
796
SEPTEMBER 2025
795
AUGUST 2025
794
JULY 2025
793
JANUARY 2025
830
Breach
01 Jan 2025 • Citi
JPMorgan Chase, Citigroup and Morgan Stanley: Shadow AI, deepfakes, and supply chain compromise are rewriting the financial sector threat playbook
Cyber Threats in Finance: 2025’s Rising Risks and Evolving Attack Tactics
787
CRITICAL-43
CITJPM1776832106
In 2025, financially motivated cyberattacks dominated the financial sector, driving 90% of breaches targeting banks, insurers, and payment processors. Data breaches accounted for 64% of incidents, with ransomware making up the remaining 36%. The average cost of a breach in finance reached $5.56 million per incident, the second-highest across all industries.
Personal data was the most frequently compromised asset (54% of cases), followed by internal organizational data (35%) and credentials (22%). Attackers leveraged stolen information for fraud, credential resale, and persistent network access. Initial access methods remained consistent, with hacking (45%), malware (37%), and social engineering (25%) as the primary vectors.
### AI Accelerates Attack Timelines and Fraud
AI integration reshaped cyber threats in 2025, compressing the window between vulnerability disclosure and exploitation. Machine learning-powered scanning tools enabled faster reconnaissance, while adaptive malware evaded signature-based detection by dynamically altering behavior in response to security controls. Generative AI amplified social engineering, producing contextually accurate phishing emails, deepfake impersonations, and fraudulent invoices that bypassed traditional filters. Fraud-as-a-service offerings on underground markets further lowered the barrier to entry for less skilled attackers.
Unmanaged AI adoption within organizations, termed shadow AI, contributed to 20% of AI-related breaches. Among affected institutions, 97% lacked adequate access controls for AI systems.
### Third-Party Risks Escalate
Supply chain compromises played a role in 30% of financial sector breaches, a significant increase from prior years. Vulnerable file transfer solutions, managed service platforms, and APIs served as common entry points. A breach at a shared third-party provider exposed customer data at major U.S. banks, including JPMorgan Chase, Citigroup, and Morgan Stanley, prompting regulatory scrutiny. Cryptocurrency exchange Bybit suffered a $1.5 billion theft after attackers exploited weaknesses in third-party wallet infrastructure.
### Ransomware Shifts to Data Exfiltration
Ransomware impacted 12.8% of B2B financial organizations, with attackers prioritizing data exfiltration over encryption. Variants like Akira, Datacarry, and BlackLock targeted European institutions, while U.S. attacks increasingly focused on stealing sensitive data to trigger regulatory disclosures and investigations, even when systems remained operational.
### Hacktivists and State Actors Intensify Pressure
Hacktivist groups, including NoName057(16) and DarkStorm Team, launched DDoS campaigns against banks, particularly during elections and periods of geopolitical tension. State-aligned advanced persistent threat (APT) actors continued targeting financial institutions for intelligence gathering, exploiting zero-day vulnerabilities and maintaining long-term access. Geopolitical instability sustained elevated levels of disruptive activity throughout the year.
FEBRUARY 2022
828
Cyber Attack
01 Feb 2022 • Citi
Citi
Large-Scale Phishing Campaign Targeting Citibank Customers
818
CRITICAL-10
CIT0362322
Citibank customers are being targeted in a large-scale phishing campaign.
The campaign features Citibank logos and requests that recipients disclose sensitive personal details to lift alleged account holds.
Customers are diverted to a website that looks exactly the same as the Citibank portal; any credentials entered there would be compromised and could be misused.
MARCH 2013
832
Breach
28 Mar 2013 • Citi
Citi
Citi Data Breach
799
LOW-33
CIT548072625
The California Office of the Attorney General reported a data breach involving Citi on March 28, 2013. The breach involved the accidental exposure of personally identifiable information due to an imperfect process used during a bankruptcy proceeding. The specific number of affected individuals and types of information compromised are unknown.