Hackers breach contractor linked to Ukraine’s central bank collectible coin store

Ukraine’s central bank said its online store for collectible coins and numismatic products was temporarily taken offline after a cyberattack exposed some customer information.

The National Bank of Ukraine (NBU) said in a statement on Thursday that attackers may have gained access to users’ personal data, including names, phone numbers, email addresses and delivery addresses.

The bank said the attack did not affect its core systems and that no financial data, such as payment card details or other banking information, was compromised.

The breach affected only a contractor supporting the online store, the central bank said, adding that its core infrastructure and internal information systems continue to operate normally.

The incident appears to be a supply-chain attack, a tactic in which hackers breach third-party vendors to gain indirect access to a primary target. The NBU said its systems were designed to isolate contractors from critical infrastructure, preventing the breach from spreading to core banking systems.

Only data submitted during registration in the online store may have been exposed, the bank said, warning that attackers could attempt to use the information in phishing campaigns targeting customers.

As of Friday, the online store remained offline, displaying a notice saying the site was undergoing technical maintenance and that processed orders would be shipped once service resumes.

The National Bank’s numismatic program produces limited-edition collectible coins, medals, and commemorative banknotes marking major events in Ukraine and around the world.

The motive for the attack remains unclear, and neither Ukrainian authorities nor the central bank has publicly attributed the intrusion to a specific group.

Ukraine’s banking sector has faced repeated cyberattacks since the start of Russia’s full-scale invasion, often involving disruptive campaigns aimed at undermining public confidence or interrupting financial services. In August 2024, a major Ukrainian online bank reported a large distributed denial-of-service attack that temporarily disrupted services linked to military donations.

Russian banks have also been targeted by cyber operations. In July 2024, Ukraine’s military intelligence agency said it had carried out a campaign disrupting mobile apps and websites of several Russian financial institutions.