I want to be honest with you upfront: what HDFC AMC told investors last Thursday evening was the bare minimum they were legally required to say. The email that landed in millions of inboxes – “reset your password, your portfolio is safe, we’ve engaged cybersecurity experts” – read like it was written by a legal team, not a security team. Which it probably was.
That’s not a criticism exactly. There’s a SEBI framework, there’s the CERT-In mandate, there are Bombay High Court orders in play. When counsel is involved, every word gets lawyered into blandness. But blandness doesn’t help investors understand what actually happened, what “680 GB of critical company data” actually means, or why HDFC AMC is warning people about SIM swaps specifically.
So let me try to fill in those gaps.

What We Actually Know About the Breach
On May 16, HDFC AMC’s IT administrator found that parts of the company’s on-premises VMware infrastructure had become inaccessible. Specifically: the VPN servers, SFTP servers, and antivirus management servers were all down. That’s not a random assortment of systems to lose simultaneously. Those are the workloads a defender needs to respond remotely, move files in and out, and see what endpoints are doing, and losing all three at once on shared hypervisor infrastructure is consistent with an attacker who established persistence at the VMware layer some time earlier, finished moving data out, and is now disrupting the defender’s ability to respond. The exfiltration itself would have happened before the outage; servers that are down are not moving anything.
Later that same day, the company received an email from an entity calling itself Morpheus, claiming it had extracted more than 680 GB of data and threatening to publish everything unless HDFC AMC contacted them within three days.
As of June 10, 2026, 25 days after detection, Morpheus had posted HDFC AMC as a victim on their onion dark web leak site, identified under the name “HDFC FUND.” The post was scraped and documented by threat intelligence tracking service RedPacket Security. So to be clear: this is not a group that made a claim and went quiet. They have active leak infrastructure and they used it. The data is out there, or at minimum the threat of publishing it is active and live.
Morpheus itself I hadn’t seen in any major ransomware tracking database before this incident – no RaaS affiliate relationships with LockBit or ALPHV documented publicly, no long-running leak site history. That could mean a newer independent group, a rebranded operation, or a smaller crew running a targeted campaign rather than a spray-and-pray affiliate model. Court filings refer to them only as “unidentified hackers,” meaning HDFC AMC’s incident response team hasn’t been able to pin down attribution with enough confidence to name a country or specific threat actor in open proceedings.
What we know from the Bombay High Court petition about the stolen data is more specific than HDFC AMC’s public communications let on. The compromised dataset allegedly includes names, addresses, PAN details, bank account information, investment records, mobile numbers, email addresses, proprietary investment analyses, and employee records. Those last two categories matter. This wasn’t just a customer database exfil. Proprietary investment analyses and employee data mean the attackers potentially have internal strategic information that goes beyond identity theft risk.
680 GB is a very specific number. For reference, a database dump of 10 million customer records with PII usually lands somewhere between 5 and 40 GB depending on schema and compression. 680 GB points to far larger volumes of structured and unstructured data: mailboxes, internal documents, configuration files, code repositories, possibly whole virtual disks. The VMware infrastructure compromise gives this context: an attacker with access to the hypervisor or its datastores can copy entire virtual disks for multiple machines running different business functions, rather than querying one database.
The Bombay High Court, in its May 29 interim order, noted: “If the confidential data is misused or leaked or traded or compromised, it will lead to dreadful consequences, and it can cause irreparable and irreversible damage.” The vacation bench under Justice Shreeram Shirsat was persuaded that the prima facie case warranted immediate ex parte relief – that’s a meaningful legal bar to clear, and the court cleared it in 13 days from detection to injunction.
The Attack Vector: What We Can Reasonably Infer
HDFC AMC hasn’t disclosed the initial access vector, and I don’t expect them to during an active legal proceeding. But now that we know the specific systems compromised – on-premises VMware infrastructure, with VPN, SFTP, and antivirus management servers going down simultaneously – we can build a much more specific picture of what likely happened.
The VMware infrastructure detail is particularly significant. On-premises VMware environments, especially those running older vCenter or ESXi versions, have been among the most aggressively targeted enterprise attack surfaces since 2021. CVE-2021-21985 (vCenter Server RCE via the vSAN health plugin), CVE-2021-22005 (vCenter Server arbitrary file upload), CVE-2022-22954 (Workspace ONE Access RCE), and the 2024-era ESXi hypervisor vulnerabilities have all been weaponized by ransomware groups at scale. If HDFC AMC was running unpatched VMware infrastructure with vCenter reachable from the internet, that’s a plausible initial access path that requires no phishing, no insider threat, no credential purchase – just a scanner pointed at the exposed instance. The check worth making this week, whatever your vendor: confirm that vCenter and the ESXi management interfaces are not reachable from outside the management network at all. Exposure, not just patch level, is what makes the scanner-only path work.
The simultaneous loss of VPN, SFTP, and antivirus management servers is also telling. Those three systems share a common characteristic: the traffic they generate is considered “normal” in enterprise environments. VPN concentrators talk to external IPs constantly. SFTP servers push and pull files to external partners. Antivirus management servers have broad internal reach so they can push signatures and policy to every endpoint. An attacker who controls the VMware host running these services has a ready-made exfiltration and lateral movement platform that blends into traffic nobody is going to question.
Modern ransomware-adjacent operations – groups that steal data and threaten to publish it without necessarily encrypting files, a model called data-extortion-only – typically follow this kill chain:
Initial Access → on-premises VMware exploitation (most likely given what’s confirmed), or alternatively: phishing with credential harvesting, exploitation of the VPN appliance itself (Ivanti, Fortinet, and Palo Alto VPN vulnerabilities have been heavily exploited in 2025–2026), purchase of valid credentials from an initial access broker, or third-party vendor compromise.
Lateral Movement → once at the hypervisor layer, attackers can move between workloads without ever touching the physical network or the guest operating systems: they can read virtual disks straight off the datastore, snapshot a VM and mount the copy elsewhere, or open a console to any machine on the same ESXi host or vCenter cluster. From there the usual Active Directory tradecraft applies: BloodHound/SharpHound to enumerate the domain, Kerberoastable service accounts, and trust relationships between VMware-hosted systems and the broader domain.
Antivirus Disablement → this is where the antivirus management server compromise becomes critical. If you control the AV management server, you can push a policy update that disables endpoint protection across the entire estate, silently, in a way that looks like a legitimate administrative action. This is why losing the AV management server matters as much as losing the VPN or SFTP.
Data Discovery and Staging → with AV blinded and lateral movement achieved, attackers enumerate datastores, databases, and file servers. Common techniques include native tools (Robocopy, PowerShell, xcopy), compressing to encrypted 7-Zip or WinRAR archives on staging hosts, and exfiltrating over HTTPS to attacker-controlled cloud infrastructure (Mega, rclone to S3-compatible storage, or purpose-built exfil servers). The SFTP server compromise likely served as a staging or exfiltration relay here.
Exfiltration → 680 GB over a network connection, undetected, points to one of two things: slow exfiltration spread over days, using the SFTP server’s normal traffic as cover, or outbound monitoring that wasn’t tuned to flag large transfers to unusual destinations. Exfiltrating 680 GB in a single session over a 1 Gbps corporate link takes roughly 90 minutes at line rate (680 GB is 5,440 gigabits) and generates an obvious traffic spike unless it is throttled and spread across multiple sessions that mimic normal SFTP transfer patterns.
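As an added illustration (not HDFC AMC’s monitoring, and not anything recovered from this incident), here is a small Python egress detector run over constructed flow records. It implements the checks the kill chain above says were missing or evaded: a single-session burst check for the 90-minute dump, and a per-host, per-destination volume comparison over a multi-day window against that host’s own baseline, which catches both a throttled transfer to a destination the host has never talked to and inflated volume to a partner it already talks to. The one-line-per-session log format, the hosts (10.20.5.14 and 10.20.9.8 as SFTP servers, 198.51.100.77 and 192.0.2.200 as attacker infrastructure), and every byte count are made up for the example. The two small helpers at the end carry the 680 GB arithmetic from the paragraph above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

GB = 10**9

# Constructed flow log, one session per line (added example, not real data):
#   "<ISO timestamp> <src> <dst> <dst_port> <bytes_out>"
# 10.20.5.14 and 10.20.9.8 are hypothetical SFTP servers with routine partner
# pushes; 198.51.100.77 and 192.0.2.200 play the attacker's infrastructure.
SAMPLE_FLOWS = """\
2026-05-08T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-09T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-10T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-11T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-11T04:00:00 10.20.9.8 203.0.113.50 22 1000000000
2026-05-12T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-12T04:00:00 10.20.9.8 203.0.113.50 22 1000000000
2026-05-13T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-13T04:00:00 10.20.9.8 203.0.113.50 22 1000000000
2026-05-14T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-14T03:15:00 10.20.5.14 198.51.100.77 443 20000000000
2026-05-14T04:00:00 10.20.9.8 203.0.113.50 22 6000000000
2026-05-14T22:40:00 10.20.5.14 198.51.100.77 443 20000000000
2026-05-15T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-15T03:05:00 10.20.5.14 198.51.100.77 443 20000000000
2026-05-15T04:00:00 10.20.9.8 203.0.113.50 22 8000000000
2026-05-15T14:30:00 10.20.7.3 192.0.2.200 443 120000000000
2026-05-15T23:10:00 10.20.5.14 198.51.100.77 443 20000000000
2026-05-16T02:00:00 10.20.5.14 203.0.113.9 22 2000000000
2026-05-16T03:20:00 10.20.5.14 198.51.100.77 443 20000000000
2026-05-16T04:00:00 10.20.9.8 203.0.113.50 22 10000000000
2026-05-16T21:55:00 10.20.5.14 198.51.100.77 443 20000000000
"""


def parse_flows(text):
    """Parse the constructed format into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def daily_totals(flows):
    """(src, dst) -> {date: bytes_out}, summing every session on that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[(f["src"], f["dst"])][f["ts"].date()] += f["bytes"]
    return totals


def detect_exfil(flows, window_days=3, burst_bytes=50 * GB,
                 new_dest_bytes=10 * GB, ratio=3.0):
    """Return sorted (kind, src, dst, bytes) alerts.

    burst:            one session above burst_bytes (the ~90-minute dump)
    new_destination:  a pair with no history before the window moved more
                      than new_dest_bytes inside it, however many sessions
    volume_anomaly:   a known pair moved more than ratio x its baseline
                      daily mean x window_days (slow, throttled exfil)
    """
    alerts = set()
    last_day = max(f["ts"].date() for f in flows)
    window_start = last_day - timedelta(days=window_days - 1)

    for f in flows:
        if f["bytes"] > burst_bytes:
            alerts.add(("burst", f["src"], f["dst"], f["bytes"]))

    for (src, dst), per_day in daily_totals(flows).items():
        baseline = [b for d, b in per_day.items() if d < window_start]
        in_window = sum(b for d, b in per_day.items() if d >= window_start)
        if not baseline:
            if in_window > new_dest_bytes:
                alerts.add(("new_destination", src, dst, in_window))
        elif in_window > ratio * mean(baseline) * window_days:
            alerts.add(("volume_anomaly", src, dst, in_window))
    return sorted(alerts)


def transfer_seconds(total_bytes, link_bps):
    """Line-rate time to move total_bytes over a link of link_bps bits/s."""
    return total_bytes * 8 / link_bps


def throttle_bps(total_bytes, days):
    """Bit rate that spreads total_bytes evenly across `days` days."""
    return total_bytes * 8 / (days * 86400)


if __name__ == "__main__":
    for kind, src, dst, nbytes in detect_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:16} {src:>11} -> {dst:<14} {nbytes / GB:7.1f} GB")
    print(f"680 GB at 1 Gbps: {transfer_seconds(680 * GB, 10**9) / 60:.0f} min")
    print(f"680 GB over 14 days: {throttle_bps(680 * GB, 14) / 1e6:.1f} Mbps")
```

Run as-is, the routine 2 GB/day partner push from 10.20.5.14 never alerts, the 120 GB single session from 10.20.7.3 trips both the burst and new-destination checks, the six 20 GB sessions to 198.51.100.77 trip only the new-destination check (each one is below the burst threshold, which is the whole point of throttling), and 10.20.9.8’s jump from 1 GB/day to 24 GB over three days to a known partner trips the volume check. The design choice that matters is aggregating over days per source/destination pair and comparing against that pair’s own history rather than a flat per-session threshold; the 680 GB over 14 days figure works out to about 4.5 Mbps, which no per-session rule will ever notice.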
The detection on May 16 almost certainly came at or after the exfiltration phase, not at initial access. Median dwell time for financially motivated attackers in the Asia-Pacific region hovered around 11–14 days in 2024 breach reports. Two weeks of undetected access inside a VMware environment, with AV management compromised, would explain both the volume of data taken and the breadth of systems affected.
Why the SIM Swap Warning Is the Most Important Part of the Email
I’ve seen a lot of post-breach investor communication. This is the first time I remember an AMC explicitly warning investors about SIM swaps, and I think it’s being underreported.
Here’s what a SIM swap attack looks like in the context of a financial data breach:
- Attacker acquires your PAN, name, registered mobile number, and bank account details from the breached database.
- Attacker contacts your telecom operator (Airtel, Jio, Vi) pretending to be you, claiming a lost SIM or porting to a new number.
- Because they have your KYC details, they can answer verification questions convincingly. Many Indian telecom operators still rely on basic identity verification for SIM replacements.
- Once your number is live on a SIM the attacker controls, every OTP sent to your mobile – for banking, for your HDFC AMC account, for CDSL/NSDL transactions – goes to the attacker’s phone.
- From there, password resets, account takeovers, and unauthorized fund transfers become trivially easy.
The specific combination of data apparently in scope here – PAN, bank account, phone number, investment data – is almost exactly the data profile you’d need to mount a convincing SIM swap. HDFC AMC warning investors about a “sudden loss of signal or inability to receive calls and messages” is them telling you, in polite corporate language, that this is the attack chain they’re worried about.
If your phone suddenly shows no network signal, or your calls stop going through, don’t assume it’s a tower issue. Call your operator immediately from another phone. Ask whether a SIM replacement was requested for your number. If one was processed without your authorization, you’re looking at an active SIM swap.
Why Your Mutual Fund Units Are Actually Safe (and What That Really Means)
HDFC AMC was very clear on this point, and for once, the corporate reassurance is technically accurate.
Mutual fund units in India are not recorded on the AMC’s own systems alone. Most investors hold units in statement-of-account form, where the unit register is maintained by the fund’s registrar and transfer agent (CAMS or KFintech); investors who hold units in demat form have them recorded at a depository, CDSL (Central Depository Services Limited) or NSDL (National Securities Depository Limited). Either way the record of ownership sits with a separate regulated entity with its own IT infrastructure, authentication systems, and regulatory oversight. A breach of an AMC’s systems does not, by itself, compromise the register of who owns what.
Think of it this way: the AMC is like your investment advisor’s office. The RTA or depository is the vault. Stealing data from the advisor’s filing cabinet tells you what’s in the vault, but it doesn’t give you the combination.
To redeem mutual fund units, you need:
- Your registered mobile number (for OTP)
- Your registered email (secondary authentication)
- Your MPIN or transaction PIN
All three of those can be compromised through a SIM swap plus an email account takeover, which is exactly why HDFC AMC’s warning about SIM swaps isn’t just precautionary. It’s pointing at the precise attack path that could theoretically allow a threat actor to do something with the data they’ve stolen. Note the dependency: if your email account’s own recovery flow runs through the same mobile number, the SIM swap alone hands the attacker both factors.
The units themselves? Safe. The access to those units? That’s what’s at risk.
The Regulatory Architecture That Kicked In
India’s response framework for financial sector breaches has gotten considerably more structured in recent years, and this incident is a decent case study in how it’s supposed to work but also in where the gaps remain.
CERT-In notification – Under the CERT-In Directions of April 2022, any organization that detects a cybersecurity incident is required to report it to CERT-In within 6 hours. For a company of HDFC AMC’s scale, that clock started ticking the moment the IT admin detected the VMware infrastructure going dark on May 16. CERT-In handled over 29.44 lakh (2.944 million) cyber incidents in 2025 alone, so they’re not operating on a small caseload. Whether their response to this specific incident involved active technical assistance or primarily administrative receipt of the notification isn’t public.
SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) – SEBI’s framework mandates incident notification to SEBI for critical incidents at regulated entities including AMCs. HDFC AMC complied, notifying both SEBI and the exchanges (NSE and BSE) via an exchange filing on May 16. What makes this particularly interesting is what SEBI itself had said just eleven days earlier.
On May 5, 2026, eleven days before the HDFC AMC breach, SEBI issued a circular specifically warning regulated entities about AI-powered cyberattacks. The circular stated that AI-enabled threat actors could identify and exploit vulnerabilities “using speed and scale,” potentially affecting data confidentiality, application integrity, and the reliability of outputs across interconnected market participants. SEBI also warned explicitly that a breach at one entity could trigger cascading effects across the securities market ecosystem. The circular directed entities to immediately patch systems, conduct continuous AI-based vulnerability assessments, and strengthen vendor risk management.
Then, eleven days later, one of India’s largest AMCs reported a VMware infrastructure breach.
I’m not drawing a causal line there. But the timing does raise a question about whether that SEBI circular prompted an internal audit at HDFC AMC that actually led to the detection or whether the detection would have happened when it did regardless. We may never know.
The Bombay High Court route – HDFC AMC filed suit and obtained an ex parte interim injunction from a vacation bench on May 29 – 13 days after detection. The order is technically a “John Doe” order (directed against unidentified defendants), which is the appropriate legal vehicle when you can’t name the specific individuals behind a pseudonymous group. It restrains Morpheus from publishing, distributing, or disclosing the stolen data, and directs DoT and MeitY to block or remove online accounts associated with the leaked data.
The practical reach of this order against a Tor-hosted leak site is limited, as the next section explains. But it creates real legal risk for any Indian-based intermediary – hosting provider, CDN, ISP – that knowingly facilitates access to the stolen data, which is not nothing. The matter goes back to the Bombay High Court on June 16 for further hearing.
What Morpheus Actually Did And What That Means Now
I wrote earlier in a draft of this piece that Morpheus hadn’t published the data yet. That’s no longer accurate.
On June 10, 2026 – 25 days after the initial breach and 12 days after the Bombay High Court injunction – Morpheus posted HDFC AMC as a named victim on their dark web onion leak site under the name “HDFC FUND.” The post was scraped and documented by RedPacket Security, which monitors ransomware leak sites. The listing includes HDFC AMC’s website, a revenue figure of $427.8 million, and frames it as an active ransomware disclosure.
This changes the picture considerably. The Bombay High Court order, issued on May 29, had real teeth domestically – Indian ISPs and platforms can be directed to block any URL serving the stolen data, and domestic actors knowingly using or trading the data face criminal exposure. But Morpheus’s leak site runs on Tor as an onion service, which has no clearnet address for an ISP to block. Keeping Indian users away from it would mean blocking Tor itself (its directory authorities, entry guards and bridges), which is both technically imperfect and jurisdictionally complicated. The injunction may have slowed Morpheus’s ability to use Indian-facing infrastructure, but it hasn’t stopped the dark web listing.
What’s on the leak site, specifically, hasn’t been confirmed in public reporting. Ransomware groups typically post a “proof pack” which is a small sample of files to demonstrate they actually have the data – before publishing the full dump. Whether Morpheus has published sample files, a full dump, or just the victim listing is something I haven’t been able to confirm. If you’re reading this and have direct threat intelligence on the scope of the Morpheus publication, I’d genuinely want to hear from you.
The sequence – listing on June 10, after the May 29 court order and two days before investor notification emails went out on June 12 – suggests the timeline here: Morpheus likely set a hard deadline, the three-day ultimatum from May 16 wasn’t met to their satisfaction, negotiations (if any happened) didn’t reach an agreement, and the leak site listing went up as leverage escalation rather than final publication.
Data-extortion-only operations work on this pressure model: claim access, amplify the threat, force public pressure through a leak site listing, and use the reputational damage of the listing itself as additional coercion. Full data publication often comes weeks or months later, if at all – sometimes groups accept payment and remove the listing, sometimes they publish regardless. Whether HDFC AMC paid or is still negotiating isn’t something their public statements address, which is standard practice when breach counsel is involved.
The Broader Context: India’s Cybercrime Trajectory
The numbers are worth sitting with. India saw 2.81 million reported cybercrime cases in 2025, up from 1.9 million in 2024 and roughly 263,000 in 2021. That’s not a linear increase; it’s roughly a 10x jump in reported incidents over four years, and the curve hasn’t flattened.
CERT-In alone handled 29.44 lakh (2.944 million) cyber incidents in 2025. Financial losses attributed to cybercrime hit ₹22,495 crore in 2025, on top of a roughly 41-fold increase in reported losses between 2021 and 2024. I4C projects that annual losses could breach ₹1.2 lakh crore – roughly 0.7% of GDP – if the trajectory continues. For comparison, the FBI’s Internet Crime Complaint Center recorded $20.877 billion in reported losses in 2025, a 26% increase from 2024, with complaints surpassing one million for the first time. India’s trajectory isn’t an outlier – it’s part of a global surge – but the concentration of KYC-rich financial data in a relatively small number of large institutions makes the Indian BFSI sector a particularly dense target.
The same data that makes financial institutions valuable to customers – verified, KYC-compliant identity and financial records – makes them valuable to attackers. PAN plus bank account plus mobile number plus investment profile is nearly everything a fraudster needs to impersonate someone to a financial institution, a telecom operator, or a government portal. And SEBI’s own May 5 circular acknowledged that a single breach at one regulated entity can have cascade effects across the interconnected market ecosystem. HDFC AMC is not a small node in that ecosystem. They manage assets for millions of investors and are publicly traded.
It won’t be the last AMC targeted.
What You Should Do Right Now
I’m going to skip the generic “use strong passwords” advice because you already know that and it’s not specific enough for this situation.
Password reset – do it now, not the next time you log in. The HDFC AMC email said “reset your password the next time you log in.” That phrasing implies you should wait until you naturally use the platform. Don’t wait. Go reset it today. Use a password manager to generate something genuinely random, 20+ characters, not reused anywhere.
Lock down SIM replacement if you can. Jio, Airtel, and Vi all have mechanisms to add an extra verification layer for SIM replacement requests – call your operator and ask specifically what protections they can add to your account. Some allow you to set a verbal PIN that must be provided in person for any SIM-related request.
Enable login alerts on every financial account. HDFC AMC’s app, your net banking, CDSL/NSDL’s platforms – if they have “login alert” or “transaction alert” settings, enable them all, and route them to an email account whose own recovery does not run through the phone number on file, so a SIM swap doesn’t silence the alerts at the same time it diverts your OTPs.
Check your holdings independently of HDFC AMC’s platform. The consolidated account statement (CAS) from CAMS, KFintech or MF Central covers units held in statement-of-account form; CDSL and NSDL’s portals cover units held in demat. Verify that your holdings look correct independently of whatever HDFC AMC’s platform shows you.
Watch for phishing that references the breach. Attackers who buy or receive stolen databases frequently launch targeted phishing campaigns immediately after a breach goes public. An email that references “the recent HDFC AMC security incident” and asks you to click a link to “verify your account” is almost certainly a phish. HDFC AMC has stated explicitly they will not ask for your OTP, PIN, or password via email, SMS, or phone.
What We Still Don’t Know And What’s Coming
The initial access vector hasn’t been confirmed publicly. The precise number of investor records in scope hasn’t been disclosed. Whether Morpheus has published sample files or a full data dump on their leak site beyond the victim listing itself isn’t confirmed in public reporting as of this writing.
What we do know, that I didn’t know when I first drafted this: Morpheus has an active dark web presence, they posted HDFC AMC on June 10, and a Bombay High Court injunction does not stop a Tor-hosted leak site. The next court hearing is June 16. I’ll be watching closely; if the court issues any orders directing specific technical measures against Tor access, or if the scope of the Morpheus publication becomes clearer, I’ll update this piece.
If you’re an HDFC AMC investor reading this and you’ve seen anything suspicious on your accounts since June 12 – unexpected login attempts, SIM-related texts from your operator, phishing emails referencing the breach – I’d genuinely want to know. The pattern of how these breaches play out downstream is something worth tracking. You can reach me through the contact page.
This post first appeared at The CyberSec Guru.