Tuesday, April 08, 2025

Thousands of super fund account details for sale on the dark web


Lucas Baird and Paul Smith 

Apr 8, 2025

The superannuation account details of thousands of Australian retirees are up for sale online, according to cybersecurity researchers who say the data was taken by covertly installed software known as “infostealers”.
The theft of the data is separate from the co-ordinated hack on superannuation funds last week that resulted in the removal of hundreds of thousands of dollars from members’ accounts, and from the phishing attack that targeted executives at the sector’s peak organisations late last month.

Super fund customers’ details are up for sale on dark web forums. Bethany Rae
Dvuln, a Sydney-headquartered cybersecurity research firm, said it had identified over 5800 account details from some of the nation’s largest funds, up for sale on dark web forums, Telegram channels and other marketplaces. Israeli cyber intelligence firm Kela says it has also found details for thousands of other superannuation fund members up for sale.
Dvuln’s chief executive Jamieson O’Reilly said his team had passed details of its findings to the Australian Signals Directorate, and the affected funds. The dark web is a hidden part of the internet accessible only through specialised software, and often used by criminals to sell stolen goods.
Infostealers are an increasingly common form of malware that infects people’s devices. They collect sensitive information such as website login credentials, credit card details and social media accounts. They get on computers and phones in various ways, including when victims click on links in phishing emails or malicious websites, or if they download infected software.

User responsibility

MinterEllison cyber-risk partner Shannon Sedgwick said the stolen information could be used by cybercriminals for account takeovers, financial fraud or extortion, identity theft and ransomware attacks.
The super funds are not to blame for the details being stolen, but while the onus is on individuals to protect their devices, Sedgwick said companies should help mitigate the risks with rigorous checking procedures.
“Infostealer malware is often used by low-level threat actors because it takes little technical skill to procure and deploy … Historically, personal devices are the primary targets, as they don’t have the benefit of corporate security oversight and mobile device management tools,” Sedgwick said.
“By implementing complex passwords and multifactor authentication, patching software, using antivirus software, and staying vigilant against phishing attacks, individuals can significantly reduce their risk of falling victim to infostealer threats.”
The Australian Financial Review revealed last week that criminals had hacked accounts at AustralianSuper and Australian Retirement Trust – the country’s two biggest funds with a combined $676 billion of pension savings under management.
REST, Hostplus and the MLC Expand platform, run by ASX-listed Insignia Financial, were also hit in the attack. Cbus, the construction industry fund chaired by federal Labor president Wayne Swan, said overnight its customers were also breached in last week’s attack.
The funds have been criticised for not having multifactor authentication in place to protect their customers’ funds.
The first attacks occurred using a technique called credential stuffing, where criminals use details leaked in a different incident and found on the dark web to get into other accounts that have the same passwords.
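The credential-stuffing pattern described above has a recognisable shape in a login log: one source address trying many different usernames in a short window, mostly failing, with the occasional success where a reused password happens to match. The following detector is an added example written for this article and is not code from any of the funds, Dvuln or Kela; the log format, field names, thresholds and IP addresses are all constructed for illustration.

```python
"""Credential-stuffing detector run over constructed login-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format: timestamp, source IP, username, result.
# 203.0.113.10 cycles through six accounts in six seconds; 198.51.100.7 is one user retrying.
SAMPLE_LOGS = """\
2025-04-01T09:00:01Z 203.0.113.10 alice.m FAIL
2025-04-01T09:00:02Z 203.0.113.10 bob.k FAIL
2025-04-01T09:00:03Z 203.0.113.10 carol.w SUCCESS
2025-04-01T09:00:04Z 203.0.113.10 dave.p FAIL
2025-04-01T09:00:05Z 203.0.113.10 erin.t FAIL
2025-04-01T09:00:06Z 203.0.113.10 frank.j FAIL
2025-04-01T09:10:00Z 198.51.100.7 alice.m FAIL
2025-04-01T09:10:30Z 198.51.100.7 alice.m SUCCESS
"""

# Assumed thresholds; a real deployment would tune these against its own baseline traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATE = 0.6


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text, window=WINDOW,
                               min_users=MIN_DISTINCT_USERS,
                               min_fail_rate=MIN_FAILURE_RATE):
    """Return {source_ip: summary} for every IP whose sliding window of attempts
    touches many distinct accounts with a high failure rate."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            fails = sum(1 for _, _, r in window_evs if r == "FAIL")
            fail_rate = fails / len(window_evs)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                # The successes are the accounts whose reused password was guessed:
                # these are the ones to lock, reset and contact first.
                succeeded = sorted(u for _, u, r in window_evs if r == "SUCCESS")
                alerts[ip] = {
                    "distinct_users": len(users),
                    "failure_rate": round(fail_rate, 2),
                    "succeeded": succeeded,
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOGS).items():
        print(ip, summary)
```

The key design choice is to key the window on the source address and count distinct usernames rather than failures per account: per-account lockout thresholds never trigger when each account sees only one attempt, which is exactly why credential stuffing slips past them. The accounts in `succeeded` are the ones where the attacker's reused password worked and where a forced reset plus a second factor is the immediate response.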
Infostealer is an increasingly common form of malware that infects people’s devices, and was likely used to collect account information on pension savings held by superannuation funds. Nic Walker
The Australian Prudential Regulation Authority said it had “heightened” monitoring activity since the attack on Tuesday.
“Supervision has been heightened across the industry with a focus on information sharing and the monitoring and containment of issues, with the objective of protecting Australians,” a spokeswoman said. “Australian superannuation funds and other Australian financial institutions are required to protect members’ funds and information security.”
Dvuln’s O’Reilly said the account details for sale online were most likely sourced from attacks on other businesses such as cryptocurrency exchange Binance, financial firm Revolut and biotechnology outfit 23andMe, which installed malware onto user devices.

Steals new passwords

Critically, O’Reilly warned that if an infostealer virus was still on someone’s device, it could track if and when a password is changed. O’Reilly said this meant the current advice to members about the super breach was “flawed”.
“The government has said ‘use a strong password or a different password’ – if you have malware on your device, it doesn’t matter,” he said.
O’Reilly said the discovery of stolen account details showed that companies needed to spend more on monitoring for compromised accounts, and ensuring those accessing accounts are who they say they are.
“Companies should be increasing the scope of their monitoring. If we can find these accounts, so can AustralianSuper, and they can do what they need to do to protect customers,” O’Reilly said.
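One concrete form of the monitoring O'Reilly describes is to take a leaked `username:password` dump once it has been obtained and test each record against the fund's own stored password hashes, so that members whose leaked password is still live can be reset and stepped up before an attacker uses it. The code below is an added example for this article, not code from any fund, Dvuln or Kela; the member records, salts, passwords and dump lines are constructed, and the PBKDF2 hashing stands in for whatever scheme a real system uses.

```python
"""Match a constructed leaked-credential dump against stored password hashes (added example)."""
import hashlib
import hmac


def hash_password(password, salt, iterations=200_000):
    """Salted PBKDF2-SHA256 hash, assumed here as the fund's storage format."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed member store: username -> (salt, stored hash).
# Salts are fixed strings only so the example is deterministic; real salts are random.
MEMBERS = {
    "alice.m@example.com": (b"salt-alice", hash_password("Summer2024!", b"salt-alice")),
    "bob.k@example.com": (b"salt-bob", hash_password("CorrectHorse9", b"salt-bob")),
}

# Constructed dump lines in the username:password form such listings are sold in.
CONSTRUCTED_LEAK = [
    "alice.m@example.com:Summer2024!",   # still her current password
    "bob.k@example.com:hunter2",         # an old password he no longer uses
    "mallory@example.com:password123",   # not a member at all
]


def parse_leak(lines):
    """Yield (username, password) pairs, skipping malformed lines."""
    for line in lines:
        user, sep, pw = line.partition(":")
        if sep and user.strip() and pw:
            yield user.strip().lower(), pw


def find_compromised_members(leak_lines, members=MEMBERS):
    """Return {username: action} for every dump record naming a member.

    A record whose password verifies against the stored hash means the
    attacker holds a working credential; a non-matching record still shows
    the account is on a list and deserves closer login monitoring."""
    flagged = {}
    for user, pw in parse_leak(leak_lines):
        record = members.get(user)
        if record is None:
            continue  # the leaked account is not one of ours
        salt, stored = record
        if hmac.compare_digest(hash_password(pw, salt), stored):
            flagged[user] = "leaked password still valid: force reset and require second factor"
        else:
            flagged[user] = "username in leak with stale password: monitor logins"
    return flagged


if __name__ == "__main__":
    for user, action in find_compromised_members(CONSTRUCTED_LEAK).items():
        print(user, "->", action)
```

Note that this answers only whether the leaked password is still live. As the article's next section points out, a member whose device still carries the infostealer will have the replacement password stolen too, so the reset must be paired with a second factor and with the login anomaly checks, not treated as the end of the matter.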
Irina Nesterovsky, the chief research officer at Kela, said the firm had found nearly 50,000 examples of account credentials from the named funds “that were stolen through different infostealing malware infections and shared on various cybercrime platforms”.
Kela has found records associated with dozens of other superannuation funds, but it is unclear if they were used in the co-ordinated attack last week.
“The threat of infostealing malware and its impact of sourcing valid credentials is recognised as one of the top threats to cybersecurity,” Nesterovsky said. “It is therefore possible that cybercriminals who intended to target customers of Australian superannuation funds used this source of data to gain access to the accounts.”