OpasSecure Ltd
Threat intel · 7 min read

Credential-stuffing waves against regional banks

Amara Njeri · Threat Intelligence

Sample article. An illustrative field note showing the format of OpasSecure threat write-ups — the figures and byline are demonstrative, not a report of specific client or honeypot data.

Over three months we watched a set of honeypot banking portals absorb a steady drumbeat of automated login attempts. This is what the data told us about who is knocking, when, and how.

What we saw

Traffic arrived in tight bursts — thousands of attempts against a single tenant inside a few minutes, then silence. The credential pairs were recycled from public breach corpora, not guessed, which is the signature of stuffing rather than brute force.

Every wave drew on the same breach corpora; success depended entirely on customers reusing passwords across sites, not on cracking anything.

The tooling

Request fingerprints clustered around a handful of off-the-shelf stuffing frameworks behind rotating residential proxies. Config files leaked enough structure to detect the pattern regardless of the source IP.

# detection heuristic (illustrative pseudocode, evaluated per tenant)
rate(login_fail[5m]) by (tenant) > 200         # more than 200 failed logins for one tenant inside a 5-minute window
  and distinct(username) / distinct(ip) > 50   # and many distinct accounts tried per source IP (recycled pairs, not one user retrying)

Timing and targets

Waves clustered in the late evening local time and disproportionately targeted tenants that had recently appeared in the news — attention drives attempts.

What to do about it

Enforce MFA, alert on the failure rate per tenant rather than per source IP (rotating residential proxies make per-IP counts meaningless), and feed known breach corpora into your own detections so that a login using a recycled pair stands out. None of this is exotic; it is discipline, applied before the wave arrives.
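To make the heuristic from "The tooling" and the per-tenant advice above concrete, here is an added example (my code, not OpasSecure detection tooling) that runs both conditions of the heuristic over constructed auth-log lines: a sliding 5-minute window of failed logins per tenant, and the ratio of distinct usernames to distinct source IPs within that window. The log line format, the tenant names, the addresses and the thresholds are assumptions made for the example.

```python
"""Credential-stuffing wave detector run over constructed auth-log lines.

Added example for this write-up, not OpasSecure tooling. It implements the
illustrative heuristic from the article: alert when a tenant's failed logins
inside a 5-minute window exceed a threshold AND the failures spread across
many more distinct usernames than distinct source IPs. The log format and
the thresholds are assumptions made for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 200   # failures per tenant per window (from the page's heuristic)
USER_IP_RATIO = 50.0   # distinct(username) / distinct(ip) (from the page's heuristic)

# Assumed line format (constructed for this example, not a real product's format):
# 2024-03-02T22:01:03Z tenant=bank-a user=alice ip=203.0.113.10 result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "tenant": m["tenant"], "user": m["user"],
            "ip": m["ip"], "result": m["result"]}


def detect_waves(lines):
    """Sliding-window pass over chronologically ordered log lines.

    Returns {tenant: {"ts", "failures", "users", "ips"}} captured at the
    first moment both conditions of the heuristic hold for that tenant.
    """
    recent = defaultdict(deque)   # tenant -> deque of (ts, user, ip) failures in the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "fail":
            continue
        q = recent[ev["tenant"]]
        q.append((ev["ts"], ev["user"], ev["ip"]))
        while q and ev["ts"] - q[0][0] > WINDOW:   # expire failures older than 5 minutes
            q.popleft()
        if ev["tenant"] in alerts or len(q) <= FAIL_THRESHOLD:
            continue
        users = {u for _, u, _ in q}
        ips = {i for _, _, i in q}
        if len(users) / len(ips) > USER_IP_RATIO:
            alerts[ev["tenant"]] = {"ts": ev["ts"], "failures": len(q),
                                    "users": len(users), "ips": len(ips)}
    return alerts


def constructed_log():
    """Constructed sample, not honeypot data: a burst of 300 failures against
    bank-a using 300 recycled usernames through 4 proxy IPs inside 3 minutes,
    plus slow background failures against bank-b from 30 distinct home IPs."""
    t0 = datetime(2024, 3, 2, 22, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(300):
        ts = t0 + timedelta(milliseconds=i * 600)   # 300 attempts in 180 s
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} tenant=bank-a user=u{i:04d} "
                     f"ip=198.51.100.{i % 4 + 1} result=fail")
    for i in range(30):
        ts = t0 + timedelta(seconds=i * 10)          # one failure every 10 s
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} tenant=bank-b user=cust{i:03d} "
                     f"ip=203.0.113.{i + 1} result=fail")
    return sorted(lines)   # ISO-8601 prefixes sort chronologically as strings


if __name__ == "__main__":
    for tenant, hit in detect_waves(constructed_log()).items():
        print(f"{tenant}: wave at {hit['ts']:%H:%M:%S}, {hit['failures']} failures "
              f"from {hit['ips']} IPs against {hit['users']} accounts")
```

Run as written, the detector flags bank-a at the 201st failure and ignores bank-b's trickle. Two caveats for production use: the pass assumes lines arrive in chronological order, and when a framework rotates its residential proxy on every request the distinct-IP count approaches the distinct-username count, so the ratio condition stops firing; in that case the per-tenant failure count alone is the signal to act on, which is exactly why the write-up warns against watching per-IP figures.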

Amara Njeri

Threat Intelligence, OpasSecure