<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Exfiltration — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/exfiltration/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 11:28:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/exfiltration/feed.xml" rel="self" type="application/rss+xml"/><item><title>Compromised Bitwarden CLI npm Package Enables Credential Theft and Information Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2026-05-bitwarden-cli-compromise/</link><pubDate>Mon, 04 May 2026 11:28:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-bitwarden-cli-compromise/</guid><description>A remote attacker can exploit a compromised Bitwarden CLI npm package to steal credentials and exfiltrate sensitive information.</description><content:encoded><![CDATA[<p>A compromised Bitwarden CLI npm package allows a remote, anonymous attacker to steal credentials and exfiltrate sensitive information. The specific version of the compromised package is not detailed in the advisory. This supply chain attack targets developers and users who rely on the Bitwarden CLI for managing their passwords and secrets. This attack has the potential to expose sensitive credentials, leading to unauthorized access to systems and data. Defenders need to monitor for unusual activity related to the Bitwarden CLI and its usage within their environments to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker compromises a Bitwarden CLI npm package through techniques such as typosquatting, account compromise, or dependency confusion.</li>
<li>Unsuspecting developers or users download and install the compromised package from the npm registry.</li>
<li>During installation, the compromised package runs the code the attacker injected into it.</li>
<li>The malicious code collects Bitwarden credentials and other sensitive information stored in the CLI&rsquo;s configuration.</li>
<li>The compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.</li>
<li>Stolen credentials and sensitive information are exfiltrated to the attacker&rsquo;s server.</li>
<li>The attacker uses the stolen credentials to access the victim&rsquo;s Bitwarden vaults or other systems.</li>
<li>The attacker may further escalate privileges and compromise additional systems within the victim&rsquo;s environment using the stolen credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring.</li>
<li>Implement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.</li>
<li>Deploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration.</li>
<li>Enforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft.</li>
<li>Regularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>supply-chain</category><category>credential-theft</category><category>exfiltration</category><category>npm</category></item><item><title>Malicious Chrome Extensions Stealing Data and Opening Backdoors</title><link>https://feed.craftedsignal.io/briefs/2026-04-chrome-extension-backdoor/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chrome-extension-backdoor/</guid><description>A coordinated campaign uses 108 malicious Chrome extensions to steal user data, inject ads, and establish backdoors on over 20,000 systems via a shared command-and-control infrastructure.</description><content:encoded><![CDATA[<p>A coordinated campaign involving 108 malicious Chrome extensions has been discovered. These extensions, distributed through five accounts (GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project), are designed to steal user data, inject ads, and create backdoors. Over 20,000 users have installed these extensions. The extensions provide expected functionality to avoid suspicion, but malicious code runs in the background, communicating with a shared C&amp;C infrastructure to perform nefarious activities. The extensions target various user types by masquerading as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. This campaign poses a significant threat to user privacy and system security.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Users install malicious Chrome extensions from the Chrome Web Store, believing they are legitimate tools (e.g., Telegram clients, games, enhancers).</li>
<li>Upon installation, the extensions execute JavaScript code in the background.</li>
<li>Extensions designed for credential theft acquire Google OAuth2 Bearer tokens and exfiltrate user information (email, name, profile picture) to a remote server.</li>
<li>Extensions targeting Telegram steal the active Telegram Web session by overwriting local storage with attacker-supplied data and force-reloading Telegram.</li>
<li>Some extensions contain a backdoor that opens an arbitrary URL received from the C&amp;C server in a new tab upon browser start.</li>
<li>Other malicious activities include injecting ads into YouTube and TikTok pages, injecting content scripts into all visited pages, or proxying translation requests through attacker-controlled servers.</li>
<li>The attacker gains access to user accounts (Google, Telegram) and can inject malicious content, redirect traffic, and steal sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Over 20,000 users have been affected by these malicious extensions. The campaign targets a broad range of users by using different categories of extensions. Successful exploitation can lead to stolen credentials, account takeover, data exfiltration, ad fraud, and the ability to inject arbitrary content into visited websites. The compromised systems could be used for further malicious activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network connections originating from Chrome extensions for connections to unusual or suspicious domains using a network connection rule (see example rule below).</li>
<li>Implement strict policies for Chrome extension installations, including whitelisting approved extensions and blocking installation from untrusted sources.</li>
<li>Deploy to your SIEM the Sigma rule that detects execution of scripts from the malicious extensions, and tune it for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>chrome-extension</category><category>credential-theft</category><category>backdoor</category><category>ad-injection</category><category>exfiltration</category></item><item><title>GitHub Exfiltration via High Number of Repository Clones</title><link>https://feed.craftedsignal.io/briefs/2026-06-github-exfiltration/</link><pubDate>Fri, 10 Apr 2026 17:40:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-github-exfiltration/</guid><description>A single user rapidly cloning a high number of GitHub repositories indicates potential exfiltration of sensitive data such as proprietary code, embedded secrets, and build artifacts.</description><content:encoded><![CDATA[<p>This alert identifies potential data exfiltration from GitHub via rapid repository cloning. Attackers often target code repositories to steal proprietary code, embedded secrets, and build artifacts. This activity can be indicative of a compromised personal access token (PAT) being used in a script to enumerate and clone repositories from a CI runner or cloud VM. Private and internal repositories are particularly attractive targets, as they often contain sensitive information. The alert focuses on detecting unusual patterns of bulk cloning within a short timeframe, allowing defenders to respond quickly before significant data loss occurs. The original rule was created on 2025/12/16 and updated on 2026/04/10. This activity is often associated with supply chain attacks and the compromise of CI/CD pipelines, similar to the Shai Hulud attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains unauthorized access to a GitHub account or obtains a valid, but misused, Personal Access Token (PAT).</li>
<li>The attacker uses the compromised credentials to authenticate to the GitHub API.</li>
<li>The attacker&rsquo;s script enumerates accessible repositories within the organization, identifying potential targets.</li>
<li>A script is executed to initiate a high volume of <code>git clone</code> operations against the targeted repositories.</li>
<li>Repositories, including private and internal ones, are cloned to a staging area, often a CI runner or cloud VM.</li>
<li>The cloned data is compressed and staged for exfiltration, potentially involving archiving or large outbound transfers.</li>
<li>The attacker exfiltrates the cloned data to an external location, potentially via a web service or other covert channel.</li>
<li>The exfiltrated data is used for malicious purposes, such as reverse engineering, finding vulnerabilities, or selling sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exfiltration of GitHub repositories can lead to the exposure of sensitive source code, trade secrets, and proprietary algorithms. This can result in significant financial losses, reputational damage, and competitive disadvantage. In the event of secrets exposure (API keys, passwords, etc.), downstream systems and services may also be compromised. Depending on the nature of the exfiltrated code, legal and regulatory repercussions are also possible. Mass cloning of dozens of repositories can quickly siphon proprietary code, embedded secrets, and build artifacts across teams before defenses can respond.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Github Exfiltration via High Number of Clones in Short Time</code> to your SIEM and tune the threshold (event_count &gt;= 25) for your environment to reduce false positives based on legitimate automated activity.</li>
<li>Monitor GitHub audit logs for <code>git.clone</code> events, focusing on users with a high number of clones within a short timeframe to catch suspicious activity.</li>
<li>Revoke any GitHub tokens identified as being used for mass cloning, and force password resets and 2FA re-verification for the associated user accounts.</li>
<li>Investigate the originating host (identified by the <code>agent.id</code> or <code>user_agent</code> fields) for signs of compromise and block/quarantine it to prevent further exfiltration.</li>
<li>Implement organization-wide SAML SSO, disallow classic PATs, and enforce IP allowlisting for PAT use to enhance security posture.</li>
<li>Enable secret scanning with push protection on all repositories to prevent accidental or intentional exposure of credentials.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>exfiltration</category><category>code_repository</category></item><item><title>Kimsuky Malware Using Dropbox API for Command and Control</title><link>https://feed.craftedsignal.io/briefs/2026-03-kimsuky-dropbox-api/</link><pubDate>Thu, 19 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-kimsuky-dropbox-api/</guid><description>Kimsuky is using malware that leverages the Dropbox API for command and control, enabling file exfiltration and remote code execution.</description><content:encoded><![CDATA[<p>Kimsuky, a North Korean APT group, has been observed utilizing malware that leverages the Dropbox API for command and control (C2). This allows the malware to blend in with legitimate network traffic, making detection more challenging. The malware uses the Dropbox API to upload stolen data and download commands from the attackers. This method provides a covert channel for exfiltration and control, bypassing traditional network-based security measures. The group has been known to target South Korean entities, but the scope of targeting may extend beyond this region. This technique has been observed starting in early 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is gained through an unconfirmed vector, such as spear phishing or watering hole attacks, delivering an initial downloader.</li>
<li>The downloader executes and establishes persistence, potentially by creating scheduled tasks or modifying registry keys.</li>
<li>The malware initializes the Dropbox API, authenticating with stolen or embedded API keys.</li>
<li>The malware enumerates files on the compromised system, targeting documents, credentials, and other sensitive data.</li>
<li>Stolen data is compressed and encrypted before being uploaded to a designated Dropbox folder controlled by the attacker, using the Dropbox API.</li>
<li>The malware periodically checks the attacker&rsquo;s Dropbox folder for new commands, also using the Dropbox API.</li>
<li>Downloaded commands are decrypted and executed on the compromised system, enabling actions such as remote code execution or further data exfiltration.</li>
<li>The cycle of data exfiltration and command execution continues, allowing the attacker to maintain persistent access and control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful attacks can lead to significant data breaches, intellectual property theft, and espionage. Kimsuky&rsquo;s targeting of South Korean entities suggests a focus on political and strategic intelligence gathering. The use of Dropbox as a C2 channel allows the attackers to remain undetected for extended periods, maximizing the impact of the compromise. The number of victims is currently unknown, but the potential for widespread compromise is high.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for unusual API calls to Dropbox, especially from unknown or suspicious processes (see: &ldquo;Detect Suspicious Dropbox API Usage&rdquo; Sigma rule).</li>
<li>Implement strict access controls and monitoring for Dropbox API usage within the organization.</li>
<li>Investigate and block any suspicious processes attempting to access Dropbox API endpoints.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>kimsuky</category><category>dropbox</category><category>api</category><category>command-and-control</category><category>exfiltration</category></item><item><title>Potential Abuse of Certreq for File Transfer via HTTP POST</title><link>https://feed.craftedsignal.io/briefs/2024-01-certreq-post/</link><pubDate>Sun, 28 Jan 2024 20:47:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-certreq-post/</guid><description>Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.</description><content:encoded><![CDATA[<p>The Windows Certreq utility is a command-line tool used for managing certificates. Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. Elastic&rsquo;s rule detects this behavior using multiple data sources, including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and CrowdStrike. This is a cross-industry threat that can affect any organization using Windows.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).</li>
<li>The attacker executes Certreq.exe with the <code>-Post</code> argument to initiate an HTTP POST request.</li>
<li>The Certreq process attempts to connect to a remote server to send or receive data.</li>
<li>The remote server responds to the Certreq request, potentially delivering a file or receiving exfiltrated data.</li>
<li>The downloaded file is saved to disk (if applicable).</li>
<li>The attacker may execute the downloaded file or further process the exfiltrated data.</li>
<li>The attacker may attempt to clean up the Certreq command from command history or logs to evade detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker&rsquo;s objectives and the data accessed. The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Certreq HTTP Post Request&rdquo; to your SIEM to identify potential abuse of Certreq for file transfer.</li>
<li>Enable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.</li>
<li>Monitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.</li>
<li>Investigate any instances of Certreq.exe executing with the <code>-Post</code> argument, as this is not typical usage of the utility.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>lolbin</category><category>command-and-control</category><category>exfiltration</category><category>certreq</category></item><item><title>Detecting Rare SMB Connections for Potential NTLM Credential Theft</title><link>https://feed.craftedsignal.io/briefs/2024-01-rare-smb-exfiltration/</link><pubDate>Thu, 25 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rare-smb-exfiltration/</guid><description>This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.</description><content:encoded><![CDATA[<p>This detection strategy focuses on identifying unusual Server Message Block (SMB) traffic that originates from internal IP addresses and connects to external networks. The SMB protocol, commonly used for file and printer sharing within a network, can be abused by injecting rogue UNC paths that trigger outbound SMB authentication, allowing an external server to capture NTLM credentials. This activity is often associated with threat actors attempting to steal credentials for lateral movement or data exfiltration. Defenders should be aware of this technique as it allows adversaries to bypass traditional security controls by leveraging a legitimate protocol for malicious purposes. This detection is relevant for environments utilizing Windows operating systems and SMB for internal network communications. The goal is to identify and alert on SMB connections to external IPs, excluding known safe ranges and legitimate business applications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises an internal system via phishing or other means (not detailed in source).</li>
<li>The attacker injects a rogue UNC path into a document, email, or other medium.</li>
<li>A user opens the malicious document or clicks the injected link, triggering an SMB connection to a malicious external server.</li>
<li>The SMB connection attempts to authenticate with the user&rsquo;s NTLM credentials.</li>
<li>The attacker captures the NTLM hash from the authentication attempt.</li>
<li>The attacker attempts to crack the NTLM hash to obtain the user&rsquo;s password.</li>
<li>Using the cracked password, the attacker gains unauthorized access to other systems and resources on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to credential theft, allowing attackers to gain unauthorized access to sensitive data and systems within the organization. This can result in data breaches, financial losses, and reputational damage. The impact is significant because SMB is a common protocol within many Windows environments, making this technique highly effective if not properly monitored.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect SMB Connection to External IP&rdquo; to your SIEM to identify potentially malicious SMB connections to the internet. Tune the rule by excluding known good external IPs used by legitimate services.</li>
<li>Enable Sysmon Event ID 3 (Network Connection) with proper filtering to capture SMB traffic details as recommended in the linked setup guide, to enhance the fidelity of the detection.</li>
<li>Implement network segmentation to restrict SMB traffic to only necessary internal communications, reducing the attack surface and mitigating the risk of external exposure.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>exfiltration</category><category>credential-access</category><category>windows</category><category>smb</category><category>ntlm</category></item><item><title>Suspicious SMTP Activity on Port 26/TCP</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-smtp-port-26/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-smtp-port-26/</guid><description>This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.</description><content:encoded><![CDATA[<p>This detection rule identifies suspicious SMTP activity occurring over TCP port 26. While standard SMTP traffic typically uses port 25, port 26 is sometimes used as an alternative to avoid conflicts or restrictions. The BadPatch malware family has been known to leverage port 26 for command and control (C2) communications with compromised Windows systems. This activity is considered suspicious because legitimate uses of SMTP on port 26 are less common and can indicate malicious activity, such as covert C2 channels used by malware like BadPatch. The rule analyzes network traffic to detect SMTP communication occurring on this non-standard port, helping to identify potential infections or unauthorized network activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial infection occurs via an unspecified method (e.g., phishing, exploit).</li>
<li>Malware establishes a foothold on the compromised system.</li>
<li>Malware configures itself to use SMTP on port 26 for C2 communications.</li>
<li>The infected host initiates a TCP connection to a remote server on port 26.</li>
<li>The remote server sends commands to the infected host over the SMTP connection on port 26.</li>
<li>The infected host executes the received commands.</li>
<li>The malware may exfiltrate data to the remote server over the SMTP connection on port 26.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised systems may be remotely controlled by attackers, leading to data theft, malware propagation, or further malicious activities. The use of non-standard ports like 26 can help attackers evade detection. If successful, an attacker can maintain persistence and control over the compromised system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect SMTP Traffic on TCP Port 26</code> to your SIEM and tune for your environment to detect potential command and control activity.</li>
<li>Investigate any network connections on TCP port 26 to identify potentially malicious SMTP traffic.</li>
<li>Review network traffic logs focusing on <code>network_traffic.flow</code> or <code>zeek.smtp</code> events to detect unusual patterns associated with TCP port 26.</li>
<li>Implement firewall rules to block unauthorized SMTP traffic on port 26.</li>
<li>Examine source and destination IP addresses of traffic on port 26, and correlate with threat intelligence sources to identify known malicious actors as per the references.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">threat</category><category>command-and-control</category><category>exfiltration</category><category>network-traffic</category></item><item><title>Detection of Encrypted Archive Creation with WinRAR or 7-Zip</title><link>https://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/</guid><description>Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.</description><content:encoded><![CDATA[<p>Attackers frequently compress and encrypt data before exfiltration to reduce the amount of data being sent over the network and to obfuscate the contents. This behavior often indicates a later stage of intrusion where the attacker has already collected sensitive data and is preparing to move it out of the environment. The use of archiving tools like WinRAR and 7-Zip with encryption flags helps attackers hide their activities, making it more difficult for defenders to identify and respond to data theft. This technique has been observed in use by multiple threat actors, including Turla, as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.</li>
<li><strong>Credential Access:</strong> The attacker attempts to obtain credentials using techniques such as Mimikatz or credential dumping.</li>
<li><strong>Discovery:</strong> The attacker performs reconnaissance to identify sensitive data and systems of interest.</li>
<li><strong>Data Collection:</strong> The attacker gathers sensitive data from various locations on the compromised system or network.</li>
<li><strong>Archive Creation:</strong> The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data using command-line arguments like <code>-hp</code>, <code>-p</code>, <code>/hp</code>, or <code>/p</code> with <code>rar.exe</code> or <code>WinRAR.exe</code> or <code>-p*</code> with <code>7z.exe</code> or <code>7za.exe</code>.</li>
<li><strong>Data Staging:</strong> The encrypted archive is moved to a staging location, such as a temporary directory or removable media.</li>
<li><strong>Exfiltration:</strong> The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.</li>
<li><strong>Covering Tracks:</strong> The attacker deletes the archive from the staging location to remove evidence of the activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. The number of victims and specific sectors targeted will vary depending on the attacker&rsquo;s objectives and the nature of the compromised data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Encrypting Files with WinRar or 7z - CommandLine&rdquo; to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters.</li>
<li>Enable process creation logging with command-line arguments in Sysmon so that the data the rule depends on is available for detection.</li>
<li>Investigate any alerts generated by the rule to determine the scope and impact of the potential data exfiltration attempt.</li>
<li>Monitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>collection</category><category>archive</category><category>exfiltration</category><category>windows</category></item><item><title>SMB (Windows File Sharing) Activity to the Internet</title><link>https://feed.craftedsignal.io/briefs/2024-01-smb-to-internet/</link><pubDate>Tue, 02 Jan 2024 14:12:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-smb-to-internet/</guid><description>This rule detects network events indicating the use of Windows file sharing (SMB or CIFS) traffic to the Internet, which is commonly exploited for initial access, backdoor deployment, or data exfiltration.</description><content:encoded><![CDATA[<p>The provided Elastic rule identifies instances of Server Message Block (SMB), also known as Windows File Sharing, being transmitted to external IP addresses. SMB is intended for internal network communication for file, printer, and resource sharing. Exposing SMB to the internet presents a significant security risk. Threat actors frequently target and exploit SMB for initial access, deploying backdoors, or exfiltrating sensitive data. This activity warrants immediate investigation as it violates best practices and poses a direct threat to network security. The rule focuses on traffic on TCP ports 139 and 445, originating from internal IP ranges and destined for external IPs, excluding known safe IP ranges, as defined by IANA. The rule was last updated April 24, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An internal host is compromised, often through phishing or other social engineering techniques.</li>
<li>The compromised host attempts to establish an SMB connection to an external IP address on TCP ports 139 or 445.</li>
<li>The attacker leverages the SMB protocol to attempt authentication, potentially using techniques such as credential stuffing or known SMB exploits.</li>
<li>Upon successful authentication or exploitation, the attacker gains unauthorized access to shared resources or system services on the external system.</li>
<li>The attacker may upload malicious payloads, such as malware or backdoors, via the SMB connection to the external host.</li>
<li>The attacker uses the SMB protocol to exfiltrate sensitive data from the internal network to the external system.</li>
<li>The attacker maintains persistence on the compromised internal host, using SMB for command and control or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromising SMB services can lead to significant data breaches, system compromise, and potential ransomware deployment. Exposed SMB services allow attackers to gain unauthorized access to sensitive files, critical infrastructure, and internal network resources. Successful exploitation can result in complete system takeover, data exfiltration, and disruption of business operations. While the exact number of victims is unknown, the prevalence of SMB vulnerabilities and misconfigurations suggests a widespread risk across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect SMB traffic to the internet and tune for your environment.</li>
<li>Review firewall and network configurations to ensure SMB traffic is not allowed to the Internet, and block any unauthorized outbound SMB traffic on ports 139 and 445, as identified by the rule description.</li>
<li>Investigate the source IP addresses triggering the rule, identifying internal systems initiating SMB traffic and determining if they belong to known devices or users within the organization, as described in the provided investigation guide.</li>
<li>Regularly audit network configurations and update the rule exceptions to include any legitimate device IPs to prevent false positives, as mentioned in the investigation guide.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>initial-access</category><category>exfiltration</category><category>network</category></item><item><title>First Time Seen Removable Device Registry Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-first-time-usb/</link><pubDate>Tue, 02 Jan 2024 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-first-time-usb/</guid><description>Detection of newly seen removable devices via Windows registry modification events can indicate data exfiltration attempts or initial access via malicious USB drives.</description><content:encoded><![CDATA[<p>This detection identifies the first-time appearance of removable devices on a Windows system by monitoring registry modifications. While not inherently malicious, the activity can indicate potential data exfiltration over removable media or initial access attempts using malware delivered via USB. The rule specifically looks for registry events with the &ldquo;FriendlyName&rdquo; value associated with USB storage devices (&ldquo;USBSTOR&rdquo;). This helps in identifying potentially unauthorized devices connected to the system. The detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user connects a removable device (e.g., USB drive) to a Windows system.</li>
<li>The operating system detects the new device and attempts to enumerate its properties.</li>
<li>The system queries the registry for device-specific settings, including the &ldquo;FriendlyName&rdquo; value, under the <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</code> key.</li>
<li>If the device is new to the system, the registry is modified to record the device&rsquo;s information, including its friendly name.</li>
<li>This registry change generates a registry modification event, which is logged by Sysmon, Elastic Defend, Microsoft Defender XDR, or SentinelOne.</li>
<li>An attacker may use the USB device to deploy malware or exfiltrate sensitive data.</li>
<li>The attacker copies files to the USB device.</li>
<li>The attacker removes the USB device, completing the exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation and data exfiltration via USB can lead to the loss of sensitive information, intellectual property theft, or the introduction of malware into the network. Although this alert is low severity, multiple alerts across the environment may indicate an active campaign. The detection focuses on registry modifications, which are early indicators of device connection, allowing for proactive monitoring and response.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon registry event logging to detect registry modifications related to USB devices and activate the Sigma rules below.</li>
<li>Deploy the Sigma rules provided to your SIEM to detect and monitor first-time seen USB devices.</li>
<li>Investigate any alerts generated by the Sigma rules, correlating with user activity and file access events.</li>
<li>Maintain a list of approved USB devices and create exceptions for them in the monitoring system to reduce false positives as described in the rule documentation.</li>
<li>Monitor for subsequent file access or transfer events involving the new device as described in the rule documentation.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>initial-access</category><category>exfiltration</category><category>windows</category><category>registry</category><category>usb</category></item><item><title>SMB Registry Hive Exfiltration</title><link>https://feed.craftedsignal.io/briefs/2024-01-smb-registry-exfiltration/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-smb-registry-exfiltration/</guid><description>Detection of medium-sized registry hive files being created or modified on Server Message Block (SMB) shares, potentially indicating exfiltration of Security Account Manager (SAM) data for credential extraction.</description><content:encoded><![CDATA[<p>This threat brief addresses the potential exfiltration of Windows registry hives via SMB shares, a tactic often employed after credential dumping. Attackers target sensitive hives like the Security Account Manager (SAM) to extract cached credentials. By copying these hives to an attacker-controlled system, they evade local host-based detection and facilitate offline credential decryption. The Elastic detection rule <code>a4c7473a-5cb4-4bc1-9d06-e4a75adbc494</code> identifies the creation or modification of registry hive files (identified by the &ldquo;regf&rdquo; header) exceeding 30KB on SMB shares, specifically when performed by the SYSTEM process (PID 4) under a user context associated with system accounts (S-1-5-21 or S-1-12-1). This behavior raises suspicion, particularly when observed outside expected file paths. Defenders should monitor for this activity as it often precedes lateral movement and further compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a Windows system.</li>
<li>The attacker elevates privileges to SYSTEM or a similar high-privilege account.</li>
<li>The attacker executes a credential dumping tool (e.g., <code>reg save HKLM\SAM sam.hive</code>) to extract the SAM registry hive.</li>
<li>The attacker executes <code>reg save HKLM\SYSTEM system.hive</code> to extract the SYSTEM registry hive, enabling decryption of SAM secrets.</li>
<li>The attacker connects to a remote SMB share (e.g., <code>\\attacker.example.com\share</code>) from the compromised host.</li>
<li>The SYSTEM process (PID 4) creates or modifies a file on the SMB share, identified as a registry hive by its header (&ldquo;regf&rdquo;).</li>
<li>The exfiltrated registry hive file is larger than 30KB, which places it above the rule&rsquo;s minimum size threshold rather than being filtered out as a small file.</li>
<li>The attacker utilizes the exfiltrated SAM and SYSTEM hives to extract user credentials offline, facilitating lateral movement or further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exfiltration of registry hives can lead to widespread credential compromise, enabling attackers to move laterally within the network, access sensitive data, and potentially achieve domain dominance. The impact includes unauthorized access to critical systems, data breaches, and significant disruption of business operations. The number of affected systems directly correlates with the scope of credential access achieved by the attacker.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Elastic detection rule <code>a4c7473a-5cb4-4bc1-9d06-e4a75adbc494</code> or the Sigma rules provided in this brief to your SIEM and tune for your environment to detect registry hive exfiltration attempts.</li>
<li>Enable file creation and modification logging on SMB shares, specifically focusing on events associated with the SYSTEM process and registry hive file signatures, to increase visibility.</li>
<li>Review and harden SMB share permissions to restrict unauthorized access and prevent credential dumping from remote systems.</li>
<li>Investigate any alerts generated by these rules promptly, focusing on identifying the source host, the user account involved, and the destination SMB share.</li>
<li>Implement multi-factor authentication (MFA) for all user accounts to mitigate the impact of credential theft.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>credential-access</category><category>lateral-movement</category><category>exfiltration</category><category>windows</category></item></channel></rss>