The ADFW Leak: How One Public Cloud Setting Exposed Global VIP Data
Abu Dhabi Finance Week (ADFW) is the "Davos of the Desert." It represents the pinnacle of global wealth. But today, it is the poster child for Third-Party Risk. For over two months, an unprotected cloud storage server associated with the event turned the private credentials of elite delegates into public information.
1. Technical Breakdown: The "Open S3" Anatomy
This wasn't an APT attack or a zero-day. It was a failure of Cloud Governance. A third-party vendor-managed storage environment (likely an Amazon S3 bucket) was misconfigured with Public-Read permissions.
The Exposure: Scans of 700+ passports and government IDs, tens of thousands of invoices, and internal wire transfer details.
The Discovery: Security researcher Roni Suchowski used commercial cloud-scanning software to identify the bucket. It responded to unauthenticated GET requests from a standard web browser—no hacking tools required.
The Duration: The data sat live from the December 2025 summit until it was finally secured this past Monday.
2. The "VIP" Casualty List
The data leaked is a "Who's Who" of global influence. A leaked passport isn't just a privacy headache; in 2026, it's the Golden Key for AI-driven identity theft.
Lord David Cameron (Former UK PM)
Anthony Scaramucci (SkyBridge Capital / Former White House)
Alan Howard (Billionaire Hedge Fund Manager)
Richard Teng (CEO of Binance)
Lucie Berger (EU Ambassador to the UAE)
3. MITRE ATT&CK Mapping
| Tactic | Technique ID | Zyber Analysis |
| --- | --- | --- |
| Reconnaissance | T1595.001 | Active Scanning: Using automated bots to crawl IP ranges for open buckets. |
| Initial Access | T1530 | Data from Cloud Storage: Direct access to S3/Blob objects without authentication. |
| Exfiltration | T1020 | Automated Exfiltration: The ability to "dump" the bucket once the URL is known. |
| Impact | T1491 | Reputational Damage: High-level loss of trust for ADGM and the UAE's financial hub. |
4. Indicators of Compromise (IOCs)
Since this was a misconfiguration, there is no "malware" hash. Instead, look for these Behavioral Signatures in your cloud logs:
Suspect API Calls: S3:GetBucketPolicy or S3:ListBucket originating from unknown, non-corporate IP addresses (specifically from hosting providers like DigitalOcean or Linode).
User-Agent Anomalies: Requests from Zgrab/0.x, Cloud-Scanner, or headless browsers that don't match your team's standard stack.
Bulk GET Requests: A sudden spike in GET requests for .pdf or .jpg files (passport scans) from a single external IP.
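The behavioral signatures above can be checked against S3 server access logs. The sketch below is an added example, not code from the original post. It assumes the logs use the standard S3 server access log layout, that a requester field of "-" means an unauthenticated caller, and that bucket listing appears as the REST.GET.BUCKET operation; the sample lines, bucket name, IPs and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Fields of an S3 server access log line that matter here: bucket, remote IP,
# requester ("-" means unauthenticated), operation, key, HTTP status, user-agent.
LINE = re.compile(
    r'^\S+ (?P<bucket>\S+) \[[^\]]+\] (?P<ip>\S+) (?P<requester>\S+) \S+ '
    r'(?P<op>\S+) (?P<key>\S+) "[^"]*" (?P<status>\d{3}|-) '
    r'.*?"[^"]*" "(?P<ua>[^"]*)"')
# Assumption: markers taken from the page's list (Zgrab, Cloud-Scanner, headless).
UA_MARKERS = ("zgrab", "cloud-scanner", "headless")
DOC_EXT = (".pdf", ".jpg")

def detect(lines, corporate_ips=frozenset(), bulk_threshold=3):
    """Return sorted (ip, reason) findings for non-corporate source IPs."""
    findings, doc_gets = set(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["ip"] in corporate_ips:
            continue
        ip, ok = m["ip"], m["status"] == "200"
        anonymous = m["requester"] == "-"
        if any(marker in m["ua"].lower() for marker in UA_MARKERS):
            findings.add((ip, "scanner-user-agent"))
        if anonymous and ok and m["op"] == "REST.GET.BUCKET":
            findings.add((ip, "anonymous-listing"))  # listing served to anyone
        if anonymous and ok and m["op"] == "REST.GET.OBJECT" \
                and m["key"].lower().endswith(DOC_EXT):
            doc_gets[ip] += 1  # successful unauthenticated document download
    findings |= {(ip, "bulk-document-get")
                 for ip, n in doc_gets.items() if n >= bulk_threshold}
    return sorted(findings)

def _line(ip, requester, op, key, status, ua):
    # Constructed sample line in S3 server access log layout (not real data).
    return (f'OWNERID example-event-bucket [10/Jan/2026:10:00:00 +0000] {ip} '
            f'{requester} REQID {op} {key} "GET /{key} HTTP/1.1" {status} - '
            f'1000 1000 30 29 "-" "{ua}" -')

SAMPLE = [
    _line("203.0.113.7", "-", "REST.GET.BUCKET", "-", 200, "zgrab/0.x"),
    *[_line("203.0.113.7", "-", "REST.GET.OBJECT", f"scans/p{i}.pdf", 200,
            "zgrab/0.x") for i in range(3)],
    _line("198.51.100.9", "-", "REST.GET.OBJECT", "scans/p1.jpg", 403, "curl/8.0"),
    _line("192.0.2.10", "arn:aws:iam::111122223333:user/ops", "REST.GET.OBJECT",
          "scans/p1.pdf", 200, "aws-cli/2.0"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE, corporate_ips={"192.0.2.10"}):
        print(finding)
```

A 403 on an anonymous request, as in the second source IP, means the bucket refused the caller, so it is not counted toward the bulk-download threshold.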
5. The "Vibe Extortion" Link
Yesterday we talked about Vibe Extortion. This leak is the ultimate fuel for it. An attacker with David Cameron's actual passport scan can craft an AI-generated lure that is virtually impossible to ignore. They don't need to "guess" your details; they have the receipt.
6. Zyberwalls Signatures: The Defender’s Code
To ensure your org doesn't pull an "ADFW," implement these signatures today:
Signature 01: The "Kill-Switch" Automation
Deploy a "Guard Duty" script. If an S3 bucket permission is changed to Public, the script must auto-revert it to Private within 60 seconds and lock the IAM user who made the change.
Signature 02: Third-Party Sanitization
Mandate Cryptographic Erasure. If a vendor handles VIP scans for an event, the contract must require a Certificate of Destruction within 14 days of the event's end. No data, no risk.
Signature 03: Identity-First Storage
Stop using ACLs. Move to Identity-Based Access Control. If the requester isn't authenticated via your SSO/IdP, the bucket shouldn't even exist to the outside world.
Conclusion: Trillions vs. Toggles
The ADFW leak proves that in 2026, complexity is the enemy. You can have $62 trillion in represented assets, but your security is only as strong as a single "Public" toggle on a vendor's cloud dashboard.
Stay Alert. Stay Private. Stay Human.
— ZyberWalls Research Team
