This week’s Cyber Intelligence House Leak of the Week highlights a breach involving American Financial Documents, a U.S.-based corpus of mortgage and identity records evidenced by tax, ID, wire and notarization files.

On September 15, 2025 (observed), a dataset was shared on DarkForums by user Tanaka, with multi-part downloads and passwords. Upon analysis, 20,484 files in 9 folders were identified: 10,202 PNG, 7,272 PDF, 1,768 JPG, 1,232 JPEG, 9 TIF, 1 DOCX. The materials include passports, IDs, tax forms, voided checks, and explicit wire instructions consistent with mortgage origination/servicing. The thread title referenced “New American Funding”; public notices confirm that company reported a vendor-linked incident in July 2025.

Format of leaked items:
1. “Incoming Wire Instructions – Nichols Estate-1.pdf”
2. “Jeanine McKay SSN.jpg”
3. “Okoro passport.pdf”
4. “Arocho voided check.pdf”
5. “Uniform Residential Loan Application.pdf”

Threat actor background (Tanaka): Tanaka is an active moderator persona on underground forums; also observed posting via Telegram about BreachForums disruptions.

Implications
For Individuals:
1. Identity theft using SSNs/ID images and tax forms.
2. Bank fraud/wire diversion via voided checks and wire PDFs.
3. Account takeover/doxing from high-fidelity PII.

Supply Chain Risks: State-labelled notary archives suggest third-party notary/closing providers were in the document flow, increasing exposure from vendor compromise and uncontrolled file-sharing.

Cyber Intelligence House’s Recommendations:
– Containment: Take down the specific links; rotate and recall wire instructions and invalidate older PDF packets.
– Customer protection: Enroll affected individuals in monitoring; enforce call-back verification for payment and wire changes.
– Vendor risk: Urgent third-party review of notary and closing providers; require portal-based uploads with MFA and access logs.
– Threat monitoring: Track Tanaka/DarkForums reposts and Telegram chatter; watch for fraud/ATO against impacted borrowers.