
DragonForce Hits Conrad Capital: 74GB Breach Lessons for SAMA Banks

DragonForce ransomware breached US investment advisor Conrad Capital, exfiltrating 74.23GB and demanding negotiations within five days. We unpack the attack and what SAMA-regulated Saudi institutions must harden in CSCC controls today.

FyntraLink Team

On 18 March 2026, the DragonForce ransomware cartel published Conrad Capital Management — a US Registered Investment Advisor managing complex fixed-income and alternative portfolios — on its leak site, claiming exfiltration of 74.23 GB of client and financial records with a five-day negotiation deadline. For SAMA-regulated banks operating private banking and wealth divisions in Riyadh, Jeddah, and Dammam, this incident is not a distant headline; it is a direct preview of the threat surface facing every investment advisory function in the Kingdom.

How the DragonForce Cartel Operates Against Financial Targets

DragonForce evolved from a single-strain operation into a Ransomware-as-a-Service cartel during 2025, and its 2026 victim list now exceeds 360 organizations across financial services, healthcare, and professional services. The group runs a hybrid model: it allows affiliates to bring their own ransomware brands while leveraging DragonForce infrastructure for negotiations and leak hosting. Affiliates typically gain initial access through phishing, exposed remote services, or unpatched edge appliances such as Citrix, SonicWall, and Ivanti — the same edge gear that sits at the perimeter of many Saudi banking branches and disaster recovery sites.

Once inside, DragonForce affiliates focus on identity escalation through tools like Mimikatz and Rubeus, lateral movement using legitimate administrative tooling (RMM, PsExec, AnyDesk), and exfiltration through Rclone or MEGAsync to attacker-controlled cloud buckets before encryption begins. The double-extortion playbook is now standard.

What the Conrad Capital Disclosure Tells Us

According to the leak description, DragonForce claims the stolen 74.23 GB includes customer personal information and financial advisory data. Conrad Capital, founded in 1998, specializes in fixed-income portfolio management, alternative investments, and customized retirement planning — exactly the data classes that map to "Customer Sensitive Information" under SAMA Cyber Security Framework definitions. A breach of comparable scale at a Saudi private bank would simultaneously trigger SAMA CSCC Domain 4 (Cyber Security Operations) reporting obligations, NCA ECC-1:2018 incident-response controls, and PDPL Article 20 data-breach notification within 72 hours.

Critically, Conrad Capital had not publicly responded at the time of leak publication — a delay that, in the Saudi regulatory context, would itself constitute a compliance failure. The reputational and supervisory cost of silence often eclipses the ransom itself.

Impact on Saudi Financial Institutions Under SAMA Oversight

Saudi banks have aggressively expanded private banking and discretionary portfolio management to capture Vision 2030 wealth flows. That growth has multiplied the volume of high-value customer records living in CRM platforms, portfolio management systems, and third-party fund-administration tools — many of which sit outside the core banking perimeter and are governed by SAMA's Third-Party Cyber Security control set (CSCC subdomain 1.3.4).

The Conrad Capital scenario stresses three SAMA CSCC control families directly: Asset Management (CSCC 3.1) for the inventory of unstructured advisory data; Identity and Access Management (CSCC 3.3.5) for privileged advisor accounts; and Cyber Security Event Management (CSCC 3.3.14) for the detection of staged exfiltration before encryption. Saudi institutions that have not validated these controls against a wealth-management-specific tabletop in the last twelve months are operating on assumed posture, not measured posture.

Recommendations and Practical Steps

  1. Run a DragonForce-themed tabletop exercise scoped to your private banking and wealth advisory units. Simulate a 74 GB exfiltration claim and rehearse the SAMA notification chain, PDPL 72-hour timer, and customer-communication script in parallel.
  2. Deploy egress data-loss-prevention rules that alert on Rclone, MEGAcmd, and unusual cloud-storage uploads from any host containing portfolio management or KYC data. Pair this with a deny-list at the proxy for known exfiltration domains.
  3. Enforce phishing-resistant MFA (FIDO2 or PIV) for every advisor and operations user with access to customer holdings or trade-instruction systems. Legacy SMS or push-only MFA is no longer defensible under SAMA CSCC 3.3.5.
  4. Tighten third-party access by reviewing every fund administrator, custodian, and portfolio-system vendor against SAMA's CSCC subdomain 1.3 and the Third-Party Cyber Security Standard. Demand evidence of segmented network access and just-in-time credentials, not standing VPN tunnels.
  5. Retire or segment unsupported edge devices. DragonForce affiliates harvest Citrix NetScaler, Ivanti Connect Secure, and SonicWall instances daily; any branch firewall or VPN appliance not on a vendor-supported firmware track is a pre-positioned breach.
  6. Validate immutable backups for advisory and CRM data with quarterly restore tests, and confirm that backup credentials are stored outside the Active Directory forest used by production.
  7. Map your incident-response runbook against PDPL Article 20, SAMA reporting timelines, and SAOC/Tadawul disclosure thresholds simultaneously, so the legal team is not improvising during the first hour.
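The egress correlation that item 2 describes, and that the exfiltration stage of the attack chain above makes detectable before encryption starts, is sketched below as an added example. This is not code from the FyntraLink article or from any Fyntralink product: the log format, host names, the sensitive-host inventory, the cloud-storage domain list and the volume threshold are all constructed assumptions. The rule raises its severity when the three signals coincide on one host: a known sync tool launched, bulk upload to a cloud-storage endpoint, and that host appearing in the portfolio/KYC asset inventory (the CSCC 3.1 register the article calls for).

```python
"""Correlate exfiltration-staging indicators across constructed endpoint and proxy logs.

Added example for this article; not FyntraLink code or any vendor's product.
The log format, host names, sensitive-host inventory, domain list and
threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hosts the (constructed) asset register marks as holding portfolio or KYC data.
SENSITIVE_HOSTS = {"WM-PMS-01", "KYC-DB-02", "ADV-WS-117"}

# Image names of the sync tooling the article names as exfiltration channels.
EXFIL_TOOLS = {"rclone.exe", "rclone", "megacmd.exe", "mega-cmd", "megasync.exe"}

# Cloud/object-storage endpoints; bulk uploads there from a sensitive host are of interest.
CLOUD_STORAGE_DOMAINS = ("mega.nz", "mega.co.nz", "storage.googleapis.com",
                         "s3.amazonaws.com", "blob.core.windows.net", "dropboxapi.com")

# Outbound volume per host within the window that counts as "unusual" (constructed).
UPLOAD_BYTES_THRESHOLD = 500 * 1024 * 1024

# Constructed key=value log format: one process-creation line, one proxy upload line.
PROC_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) event=process_create '
                     r'image=(?P<image>\S+) cmdline="(?P<cmd>[^"]*)"$')
PROXY_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) event=proxy_upload '
                      r'dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$')

# Constructed sample: one advisor workstation stages and uploads, one HR host merely runs a sync client.
SAMPLE_LOGS = [
    r'2026-03-14T02:11:05Z host=ADV-WS-117 event=process_create image=C:\Users\advisor1\AppData\Local\Temp\rclone.exe cmdline="rclone copy [constructed args]"',
    r'2026-03-14T02:11:40Z host=ADV-WS-117 event=proxy_upload dst=storage.googleapis.com bytes=734003200',
    r'2026-03-14T02:12:09Z host=ADV-WS-117 event=proxy_upload dst=storage.googleapis.com bytes=536870912',
    r'2026-03-14T09:03:12Z host=HR-WS-044 event=process_create image=C:\Tools\MEGAsync\MEGAsync.exe cmdline="MEGAsync.exe"',
    r'2026-03-14T09:15:00Z host=WM-PMS-01 event=proxy_upload dst=updates.vendor.example bytes=20971520',
    r'2026-03-14T10:00:00Z host=KYC-DB-02 event=process_create image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"',
]


@dataclass
class HostFindings:
    tools: list = field(default_factory=list)
    upload_bytes: int = 0
    destinations: set = field(default_factory=set)


def _is_cloud_storage(dst):
    return any(dst == d or dst.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def _severity(host, f):
    sensitive = host in SENSITIVE_HOSTS
    bulk = f.upload_bytes >= UPLOAD_BYTES_THRESHOLD
    if sensitive and f.tools and bulk:
        return "critical"  # sync tool plus bulk cloud upload from a data-bearing host
    if sensitive and (f.tools or bulk):
        return "high"
    if f.tools or bulk:
        return "medium"    # indicator on a host outside the sensitive inventory
    return None


def analyse(lines):
    """Return one alert dict per host that shows at least one exfiltration indicator."""
    per_host = defaultdict(HostFindings)
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            # Strip the directory (Windows or POSIX) and compare the bare image name.
            image = m.group("image").rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
            if image in EXFIL_TOOLS:
                per_host[m.group("host")].tools.append(image)
            continue
        m = PROXY_RE.match(line)
        if m and _is_cloud_storage(m.group("dst").lower()):
            f = per_host[m.group("host")]
            f.upload_bytes += int(m.group("bytes"))
            f.destinations.add(m.group("dst").lower())
    alerts = []
    for host, f in sorted(per_host.items()):
        sev = _severity(host, f)
        if sev:
            alerts.append({"host": host, "severity": sev,
                           "sensitive_host": host in SENSITIVE_HOSTS,
                           "tools": sorted(set(f.tools)),
                           "upload_bytes": f.upload_bytes,
                           "destinations": sorted(f.destinations)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

Run as-is, the sample yields a critical alert for ADV-WS-117 (rclone launched, about 1.2 GB sent to a cloud-storage endpoint, host in the sensitive inventory) and a medium alert for HR-WS-044 (sync client only); the vendor-update upload from WM-PMS-01 and the notepad launch on KYC-DB-02 produce nothing. In production the host inventory would be fed from the asset register rather than a literal set, and the domain list would be the proxy's categorised cloud-storage class rather than a hand-written tuple.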

Conclusion

DragonForce's Conrad Capital breach is a clean case study in why wealth management and investment advisory functions deserve dedicated cyber resilience programs rather than inheriting retail banking baselines. Saudi financial institutions building private banking propositions for Vision 2030 cannot afford to discover the gap during an active extortion negotiation.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment scoped to your wealth management and third-party advisory ecosystem.