Everyone talks about ransomware. And understandably so: encrypted data, ransom demands, PR disasters - it naturally attracts attention. But while we’re fixated on the skull-and-crossbones in the headline, an old discipline is quietly making its return to the cyber threat landscape: identity theft.

Armed with surgical precision and an ever-growing arsenal of deceptive techniques, attackers are driving a resurgence of account compromise, business email compromise (BEC), and credential phishing. Particularly concerning is their increasing focus on high-net-worth individuals (HNWIs) and prominent figures in the cybersecurity community - including Troy Hunt, founder of the platform Have I Been Pwned.

The Troy Hunt Case - An Attack on the Sheriff

Troy Hunt is hardly an easy target. As a security researcher, Microsoft Regional Director, and founder of Have I Been Pwned, he is widely regarded as one of the world’s leading experts on data breaches and password security. Yet even he recently disclosed that his Mailchimp account had been compromised. The attackers gained access to his mailing lists - a highly valuable collection of email addresses belonging to people who trust his work.

To his credit, Hunt responded by proactively and transparently informing everyone affected - an excellent example of professional crisis communication.

The fact that even someone with Hunt’s expertise fell victim to such a carefully orchestrated attack illustrates a broader reality: modern attacks are no longer primarily about exploiting technical vulnerabilities. They increasingly rely on social engineering - the psychology of deception.

(Source: Troy Hunt: A Sneaky Phish Just Grabbed My Mailchimp Mailing List)

Target: Email. Weapon: Trust.

The attackers’ preferred battleground remains the email inbox. For good reason: compromising an email account often provides access to financial transactions, confidential information, and—within organizations—critical business processes.

The classic example is Business Email Compromise (BEC). In these attacks, a legitimate email account—often belonging to an executive or finance employee—is compromised and subsequently used to issue fraudulent payment instructions. The financial impact is staggering. According to the FBI Internet Crime Report 2023, BEC attacks alone resulted in losses exceeding USD 2.7 billion in the United States.

(Source: Internet Crime Report 2023)

The Invisible Threat

Why is identity theft making such a strong comeback?

Because it is quiet. And effective.

While multi-factor authentication (MFA) significantly increases the difficulty of compromising accounts, it does not eliminate the risk. Identity theft scales well—and, most importantly, it works.

After all, when an email appears to come from the CEO, carries the CEO’s signature, and sounds exactly like the CEO… who questions its authenticity?

The Door Is Still Open: MFA Is Essential, but Not Enough

Multi-factor authentication is not a silver bullet. Recent findings published in the IKDOK Situation Report 04/2025 demonstrate that even accounts protected by MFA have been successfully compromised, including the official X account of the Czech Prime Minister.

Phishing, MFA fatigue, MFA bombing, and SIM swapping all provide attackers with opportunities to bypass the second authentication factor.1

Organizations that have not yet adopted FIDO2, secure push authentication, and device binding remain at considerable risk.

A New Front: Artificial Intelligence as an Attack Vector

The rise of AI has fundamentally changed the threat landscape. Deepfakes enable real-time identity impersonation. AI-powered voice synthesis can deceive employees with near-perfect imitations of their managers’ voices. Large Language Models (LLMs) are increasingly being used to generate highly convincing, context-aware phishing campaigns. What once required hours of careful preparation can now be produced in minutes - complete with realistic emails, writing style, and contextual information.

Particularly in the areas of Business Email Compromise (BEC) and social engineering, AI significantly amplifies the effectiveness of attacks. The deception becomes more convincing, the success rate increases, and the potential impact grows accordingly.

Who Protects Those Who Have Everything?

High-net-worth individuals (HNWIs) have become one of attackers’ preferred targets. The reason is simple: they often have an extensive digital footprint, while their personal security measures rarely match the maturity of enterprise-grade security programs.

At the same time, even large organizations with sophisticated identity and access management (IAM) platforms such as Microsoft Entra ID, Okta, or AWS IAM are far from immune. Time and again, security incidents demonstrate that even advanced conditional access policies, role-based access controls, and complex identity architectures can fail when social engineering or configuration errors enter the equation.

Whether through account compromise, highly targeted spear-phishing campaigns, or identity theft used to support deepfake fraud, today’s attackers have a well-equipped arsenal at their disposal.

Conclusion: Old Attacks Have Become New Again—And More Dangerous Than Ever

In terms of audacity, the Troy Hunt incident is reminiscent of the widely publicized theft of Kristi Noem’s handbag. In both cases, the attacker deliberately targeted something deeply personal while operating in plain sight.

The difference is that in the digital world, the same thing happens silently, efficiently, and often with far greater consequences.

It is time to stop treating identity theft as a secondary concern and recognize it as one of today’s primary cyber risks. Anyone who still believes that SMS- or TOTP-based MFA provides sufficient protection has underestimated the current threat landscape.

Zero Trust is no longer a theoretical security model—it is a survival strategy. And in the digital world, trust is not a virtue. It is a vulnerability.

What Should You Do If You Suspect an Account Compromise?

If you suspect that something is wrong with one of your accounts - whether due to unusual login activity, repeated failed MFA attempts, or unexplained emails - don’t wait. Contact the experts at CERTAINITY.

CERTAINITY performs forensic investigations to determine the true impact of an incident and identify any additional compromised accounts. Based on the findings, our specialists develop immediate, technically sound containment measures and implement effective long-term mitigation strategies. Our team brings years of hands-on experience from real-world incident response engagements - acting discreetly, decisively, and with deep technical expertise.

CERTAINITY not only supports organizations during active security incidents but also offers proactive security assessments. Have your digital identities, access controls, and IAM configurations (e.g. Microsoft Entra ID / Azure AD) reviewed before an incident occurs. These assessments identify not only obvious misconfigurations but also weaknesses in role assignments, conditional access policies, excessive privileges, and inconsistent MFA implementations.

When every minute counts, CERTAINITY provides fast, confidential, and highly technical support.

It’s always better to ask once too often than to react once too late.

DACH Hotline: 0800 44 30 555

Email: csirt@certainity.com


  1. MFA fatigue refers to repeatedly sending MFA prompts in the hope that a user will eventually approve one out of frustration or by mistake. MFA bombing follows a similar approach by automatically triggering large numbers of authentication requests. SIM swapping, by contrast, is a physical attack in which an attacker gains control of a victim’s phone number, thereby compromising SMS-based multi-factor authentication. ↩︎