TA ‘Darkpuger’ offers Stolen Data from OnEMI Technology Solutions Private Limited

FPT Metrodata IndonesiaFPT Metrodata Indonesia
7 min read

Summary

Cyble Research & Intelligence Labs (CRIL) was alerted by a private source on April 9, 2025, that the TA DarkPurger, operating within the Russian cybercrime forum XSS, is reportedly engaged in the clandestine sale of 30 TB data containing approximately 430 million records pertaining to Indian citizens allegedly stolen from OnEMI Technology Solutions Private Limited, which operates under the brand name Kissht.

Through a fintech platform, the company offers instant personal and secured loans with minimal documentation, driven by advanced technology and a focus on financial inclusion. This advisory provides an overview of the TA's claims and presents detailed information about the threat activity, including the artifacts gathered by the source.

Information from the Source

According to the CRIL’s source, the TA exfiltrated multiple databases associated with the company, totaling 30 TB. The stolen data includes:

  • Over 6 million users’ full names, email addresses, phone numbers, PAN details, and CIBIL-related information.

  • 3 TB of user KYC documents (including Aadhaar scans, address proof, ID photos, etc.).

  • 3 TB customer transaction database containing stored financial SMS data.

  • Over 423 million individual records related to SIM card registrations in India, including dates of birth, addresses, and phone numbers.

  • Financial documents and backups containing personally identifiable information (PII).

  • Source code of projects.

The TA also provided sample records to validate their claims, including spreadsheets and text files containing sensitive user information. These samples allegedly consist of PAN card numbers, Aadhaar numbers, CIBIL scores, KYC records, customer contact details, and various financial documents.

The screenshot in Figure 1 shows a set of sample files containing sensitive data samples comprising a mix of CSV and TXT files, each named to indicate its contents and approximate record count:

  • ckyc_158K.csv – Contains over 158,000 records, including CKYC (Central Know Your Customer) data, typically comprising detailed identity verification documents.

  • Good_Customers_367K.txt – A text file listing 367,000 entries likely categorizing users considered low-risk or creditworthy.

  • Kissht_temp_users_2.7M.csv – A dataset with 2.7 million entries containing temporarily onboarded or pre-approved user profiles.

  • Kissht_user_PAN_2.7M.csv – Includes 2.7 million user records with Permanent Account Number (PAN) details, commonly used for taxation and financial identity in India.

  • t30-customers_902K.txt – Includes nearly 902,000 user records filtered based on activity, transaction volume, or engagement.

  • Users_with_Cibil_score_6.75M.csv – File with 6.75 million user records, each linked to CIBIL scores, indicating access to users' credit profiles.

The screenshot in Figure 2 shows a set of folders containing large volumes of sensitive financial and identity-related data:

  • Bureau-Reporting__120GB – Folder containing detailed credit bureau reports for individuals sourced from partner agencies CIBIL.

  • CIBIL_7.5K – Contains 7,500 individual records tied to CIBIL scores, which represent a user’s creditworthiness in India.

  • Deduplicationcases_478K_Files – Comprising nearly 478,000 files, this directory includes internal data used for identity verification or fraud detection through deduplication.

  • financier_mas_zip_2023-02-08 – Archive from a lender or financial institution dated February 8, 2023, containing sensitive partnership, transactional, or underwriting information.

  • User_KYC_Docs_3TB – Folder containing 3 terabytes of Know Your Customer (KYC) documents, including Aadhaar cards, PAN cards, address proofs, and user-submitted selfies.

The screenshots in Figures 3 & 4 show KYC documents and internal loan confirmation letters. One image shows an Aadhaar-linked KYC form with the applicant’s photograph and address, indicating sensitive government-issued identity data. Another image is a loan welcome letter from Si Creva Capital Services Pvt. Ltd. (operating under the Kissht brand), which confirms the approval and disbursal of a credit facility, including details such as the date, transaction ID, and loan ID.

Si Creva Capital Services Private Limited is a wholly owned subsidiary of OnEMI Technology Solutions Pvt. Ltd. (OnEMI). It operates the Kissht digital lending platform. Kissht is a digital lending application that allows users to apply for loans and offers insurance products. Si Creva Capital and Kissht are affiliated entities under the OnEMI umbrella.

The TA also shared details of their attack method, stating that the breach originated from exposed Git repositories. Using a tool called Git-Dumper, the TA claims to have acquired initial credentials and used them to access and dump additional private repositories. From there, they reportedly obtained AWS keys, pivoted to the secrets manager, and ultimately gained read-only access to all assets. According to the TA, the exposure was spread across multiple points and not a single place to point out.

AWS keys, which enabled access to a wide range of AWS resources. TA shared a screenshot showing a terminal listing multiple AWS S3 buckets associated with the compromised organization.

The screenshot in Figure 3, which appears to be from a PowerShell interface, displays dozens of S3 buckets, some of which are linked to Kissht, including:

  • analytics-kissht-model-1

  • aws-athena-query-report-kissht

  • call-feedback-kissht-com

  • codepipeline-artifacts-kissht-prod

  • config-bucket-944880704145

  • customer-backups-prod-mumbai

These S3 buckets contain application logs, analytics models, customer communications, and potentially sensitive backups or artifacts related to internal systems and user data.

Overview of the TA’s forum activities

TA DarkPuger joined the XSS forum on Jan 11, 2024, and has posted a total of 2 threads about advertising compromised databases and unauthorized access. TA AKS GreyMan on BreachForums

The TA’s coordinates are:

  • Telegram: burning_candles

The notable activities of the TA are as follows:

  • July 12, 2024 - Unauthorized Access to India-based Logistics company on Sale

  • March 18, 2024 - Data and unauthorized access of an undisclosed Indian Software company on sale.

Assessment of the Actor & Information

The TA DarkPuger has a reliable history of past activities and even provided our source proofs in support of their claims. Hence, their reliability is rated as B - Usually reliable.

Based on the overall analysis of the information submitted by our source. CIRIL suspects the authenticity of the access and data obtained with a high degree of confidence. Based on this, we rate the TA’s claims as 2 - Probably True

References

"Assessment of the source/threat actor & information" - NATO's Admiralty Code

This section includes our researchers/analysts' assessment based on NATO's admiralty code rating system. This rating system provides our researchers with a standard method to assess the reliability of the Source or Threat Actor/group being covered in cybercrime advisory, the credibility of actor's claims or information derived from our sources.

The following table is referenced by researchers while assigning the ratings:

Reliability of Source/Threat Actor

Credibility of Information/Threat Actor's claims

A - Completely reliable

1 - Confirmed by other sources

B - Usually reliable

2 - Probably true

C - Fairly reliable

3 - Possibly true

D - Not usually reliable

4 - Doubtful

E - Unreliable

5 - Improbable

F - Reliability cannot be judged

6 - Truth cannot be judged

The above assessment ratings will be assigned based on the parameters described by NATO's admiralty code rating system as follows:

"Reliability of Source/Threat Actor"

A - Completely reliable: No doubt of authenticity, trustworthiness, or competency; has a history of complete reliability

B - Usually reliable: Minor doubt about authenticity, trustworthiness, or competency; has a history of valid information/claim most of the time

C - Fairly reliable: Doubt of authenticity, trustworthiness, or competency but has provided valid information/claim in the past

D - Not usually reliable: Significant doubt about authenticity, trustworthiness, or competency but has provided valid information/claim in the past

E - Unreliable: Lacking in authenticity, trustworthiness, and competency; history of invalid information/claim

F - Reliability cannot be judged: No basis exists for evaluating the reliability of the source/actor

"Credibility of information/Threat Actor's claims"

1 - Confirmed by other sources: Confirmed by other independent sources; logical in itself; Consistent with other information/claim on the subject

2 - Probably True: Not confirmed; logical in itself; consistent with other information/claim on the subject

3 - Possibly True: Not confirmed; reasonably logical in itself; agrees with some other information/claim on the subject

4 - Doubtful: Not confirmed; possible but not logical; no other information/claim on the subject

5 - Improbable: Not confirmed; not logical in itself; contradicted by other information/claim on the subject

6 - Truth cannot be judged: No basis exists for evaluating the validity of the information/claim

0
Subscribe to my newsletter

Read articles from FPT Metrodata Indonesia directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Darkpugerthreat actor

Written by

FPT Metrodata Indonesia
FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.