KJ-01 Mature perimeter coexists with ongoing infostealer compromise of Citrix RAS
High Confidence
DB's public-facing posture is unusually strong for an institution of its scale: DMARC at p=reject with strict alignment and Proofpoint forensic reporting (ev_002); a clean VirusTotal reputation (60 harmless, 0 malicious, ev_008); no URLhaus listing as a malware distributor (ev_052); continuous archiving in Wayback (ev_067). Against that maturity, HudsonRock Cavalier surfaces 4,771 infostealer-log hits for db.com, split into 344 corporate employee credentials, 3,941 customer credentials and 486 third-party credentials, with https://ua.intranet.db.com/Citrix/RASweb as the single most-hit URL (81 hits) and regional dbrasweb variants accounting for hundreds more (ev_036). The leading hypothesis is that the perimeter is genuinely strong but the endpoint/identity boundary is not: stealer operators harvest credentials (and, in most stealer families, live session cookies alongside them) from infected employee endpoints and either reuse them directly or sell them on. The competing hypothesis, that the HudsonRock corpus over-counts via stale or third-party-associated URLs, is materially weaker because the URL pathnames are too specific (DanaInfo rewriter fragments, which only an SSL-VPN proxy emits) to be background noise. The question the corpus does not answer is what RASweb accepts at login: a stolen password behind phishing-resistant MFA is a nuisance, one behind password-only or push-based MFA is an initial-access path, and the 3,941 customer credentials are a separate account-takeover exposure whichever way that falls.
KJ-02 Systemic compliance pattern over 15+ years; enforcement velocity slowing since 2020
High Confidence
Eight separate major enforcement actions cluster against DB across 2015–2025, covering conduct that reaches back well before the first of them, and totalling roughly USD 11B in fines plus consumer relief by the figures cited here: LIBOR/EURIBOR USD 2.5B (ev_034, ev_041), DOJ RMBS USD 7.2B, of which USD 4.1B is consumer relief (ev_042), Russian Laundromat USD 630M (ev_035, ev_040), Epstein at least USD 225M (ev_043), Cum-Ex EUR 29M and ongoing (ev_044), Fed AML USD 186M for Danske Estonia (ev_047), BaFin EUR 23.05M for derivatives sales in Spain (ev_048), Panama Papers EUR 15.8M for SAR delays (ev_050). The clustering across distinct business lines (rates trading, RMBS underwriting, correspondent banking, private banking, derivatives sales) over more than a decade distinguishes very likely systemic control gaps from incidental error. The competing hypothesis, that this is simply what regulatory exposure looks like at any G-SIB of comparable scale, has partial support (peers carry similar fine histories) but does not explain why DB's actions cluster into AML/sanctions patterns specifically. Enforcement velocity has clearly slowed under the Sewing era (2018 onward): no LIBOR-scale action since 2017, with BaFin 2025 being a comparatively modest EUR 23M; the bank's record 2025 profit (ent_001 attributes; ev_062) is consistent with that turnaround, although a quieter docket also reflects regulator cadence and not only remediation.
KJ-03 Cross-subsidiary identity-federation surface is structural and regulatorily visible
Moderate Confidence
GLEIF fuzzy search returns at least six separate LEIs for "Deutsche Bank" entities (ev_004): the parent (7LTWFZYICNSX8D621K86), Americas Holding (529900X1YMA4ZKYHTN40), the Riyadh branch, the Amsterdam branch, Turkey AŞ, and a duplicate of the parent. The April 2015 criminal conviction of DB Group Services (UK) Limited (ent_023) in the LIBOR matter (ev_034) triggers a recurring three-year DOL PTE 84-14 QPAM exemption review for DWS Investment Management Americas (ev_049, ev_053): under PTE 84-14 a conviction of any affiliate disqualifies the whole group from the exemption, so the regulator itself treats the entity boundaries as porous on a fitness-and-propriety basis. The leading hypothesis is that DB likely retains lateral-movement risk between sanctioned-history subsidiaries and adjacent entities; the alternative, that legal separation is robust and the QPAM process is purely procedural, is weakened by the fact that DOL re-evaluates the affiliation every cycle. Confidence is moderate (not high) because the QPAM artefact speaks to corporate affiliation rather than to shared identity infrastructure, and the recon corpus contains no direct evidence of identity-provider federation topology between the entities (shared tenant IDs, federation metadata endpoints, or common SSO hostnames).
KJ-04 SaaS sprawl is broad enough that another MOVEit-class incident is roughly even chance
Moderate Confidence
DB's DNS TXT records (ev_002, the same record set that carries its SPF and DMARC policy) advertise domain-verification tokens for a long list of third-party SaaS platforms: Microsoft 365 (MS=ms94849899), Salesforce (10+ unique org IDs), Atlassian, Adobe IDP, Pexip, Docker, Figma, New Relic, DocuSign, Facebook, GlobalSign, QuoVadis. Third-party-hosted db.com subdomains include brand.db.com on AWS-hosted Frontify (ev_007) and research.db.com on Markit On Demand AS7334 (ev_007). The bank already experienced a third-party breach in July 2023 via the MOVEit Transfer mass exploit (ent_046, ev_046). With the same vendor surface largely intact, the base rate for another such incident over a 24-month horizon is roughly even chance. Two caveats apply. A verification token proves that a tenant was claimed at some point, not that it is live or handles sensitive data; stale tokens routinely outlive the tenant they were created for, so the list is an upper bound on the active SaaS footprint and should be confirmed per vendor (the Salesforce org IDs are the strongest signal, since each denotes a distinct tenant). And confidence is moderate (not high) because the rate is sensitive to vendor-specific events outside DB's control; a much stronger SSPM and zero-trust posture inside DB could drop the propagation probability materially.
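The triage behind that SaaS list can be reproduced from a raw TXT record set. The following is an added example (not the recon tooling used for ev_002) that splits a domain's TXT records into mail-authentication records, verification tokens for vendors whose token format is well known, and unattributed key=value tokens for manual follow-up. Only MS=ms94849899 is taken from the report; every other record value below is constructed for the demo, and the "examplevendor" token is a placeholder, not a real vendor format.

```python
"""Classify a domain's TXT records into mail-auth records and SaaS verification
tokens. Added example; the SAMPLE_TXT values are constructed except MS=ms94849899."""
import re
from collections import defaultdict

# Token prefixes with a well-known vendor meaning. Anything else shaped like
# key=value is surfaced as an unknown token rather than guessed at.
KNOWN_TOKEN_PREFIXES = {
    "ms=": "Microsoft 365",
    "atlassian-domain-verification=": "Atlassian",
    "adobe-idp-site-verification=": "Adobe",
    "facebook-domain-verification=": "Facebook",
    "google-site-verification=": "Google",
    "docusign=": "DocuSign",
}
# Records that belong to the mail-auth stack rather than to a SaaS tenant claim.
MAIL_AUTH_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1", "v=sts", "v=tlsrpt")

# Constructed record set modelled on the shape of ev_002 (values are placeholders).
SAMPLE_TXT = [
    "v=spf1 ip4:160.83.0.0/16 ~all",
    "MS=ms94849899",
    "atlassian-domain-verification=EXAMPLEtoken0001",
    "adobe-idp-site-verification=EXAMPLEtoken0002",
    "facebook-domain-verification=EXAMPLEtoken0003",
    "docusign=00000000-0000-0000-0000-000000000000",
    "examplevendor-domain-verification=EXAMPLEtoken0004",  # placeholder, unknown vendor
    "some free-text record",
]

# key=value with no whitespace: the usual shape of a domain-verification token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_.-]+=\S+$")


def classify_txt(records):
    """Return buckets: mail_auth, vendors (name -> records), unknown_tokens, other."""
    result = {"mail_auth": [], "vendors": defaultdict(list),
              "unknown_tokens": [], "other": []}
    for rec in records:
        rec = rec.strip()
        low = rec.lower()
        if low.startswith(MAIL_AUTH_PREFIXES):
            result["mail_auth"].append(rec)
            continue
        vendor = next((v for p, v in KNOWN_TOKEN_PREFIXES.items() if low.startswith(p)), None)
        if vendor:
            result["vendors"][vendor].append(rec)
        elif TOKEN_RE.match(rec):
            result["unknown_tokens"].append(rec)   # token-shaped, vendor not attributed
        else:
            result["other"].append(rec)
    result["vendors"] = dict(result["vendors"])
    return result


def vendor_count(records):
    """Number of distinct attributed vendors: the report's 'SaaS sprawl' metric."""
    return len(classify_txt(records)["vendors"])


if __name__ == "__main__":
    for bucket, items in classify_txt(SAMPLE_TXT).items():
        print(bucket, items)
```

Every attributed vendor still needs a liveness check (for example, whether the tenant answers for the domain today), because the classifier reads what was claimed, not what is in use.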
KJ-05 Executive-transition window creates concentrated spear-phishing exposure
High Confidence
Recon enumerated the full leadership chain: CEO Christian Sewing (ev_018), CFO Raja Akram (ev_021), CRO Marcus Chromik (ev_019), Chairman Alexander Wynaendts (ev_020), and the historical line of CEOs and Chairs (ent_011–ent_014). DB publishes palais.populaire@db.com and dmarc.reports@db.com as public contacts (ent_058, ent_059); these are functional mailboxes, so they are consistent with, but do not prove, a firstname.lastname@db.com pattern for individuals. Akram (ent_010) has been in seat 75 days as of the report date; Chromik has been in role since 1 May 2025. Very likely a sophisticated adversary running an executive-targeting playbook would prioritise this transition window: BEC pretexts ("authorisation needed before quarter-close"), out-of-band finance requests, and impersonation of Wynaendts directed at Akram, who has had the least time to learn the chairman's normal channels and cadence. Because db.com enforces DMARC p=reject (KJ-06), the impersonation would have to arrive from a lookalike domain or a compromised internal mailbox, which ties this judgment to the credential exposure in KJ-01. The alternative, that DB's BEC controls and out-of-band verification are mature enough to neutralise this entirely, is weaker because executive transitions are the canonical defence-degradation window across the industry.
KJ-06 DNSSEC missing and SPF in softfail — small surgical hardening gaps
Moderate Confidence
The RDAP record for db.com explicitly returns secureDNS.delegationSigned=false (ev_001), so the zone is not DNSSEC-signed. SPF for db.com is v=spf1 ip4:160.83.0.0/16 ~all (ev_002), softfail rather than hardfail. Both are atypical for an institution of DB's scale with otherwise mature DMARC enforcement. Likely this reflects a deliberate compatibility decision (a DNSSEC signing failure makes the whole zone SERVFAIL at validating resolvers and takes longer to recover from than simply not signing; softfail SPF avoids bouncing legitimate mail during MTA misconfigurations) rather than oversight, but both are surgical hardening opportunities. Two caveats bound the impact. At receivers that enforce DMARC, the SPF qualifier barely matters: DMARC only credits an outright SPF pass, so softfail and fail are treated alike and p=reject already does the work; the softfail gap is exposed only at receivers that evaluate SPF on its own. The DNSSEC gap is the more consequential of the two, because without a signed zone a resolver cannot detect forged MX, SPF or DMARC answers and DANE for mail transport is unavailable. The competing hypothesis, that this is oversight in a mature program, is weaker because the rest of the email-auth stack is too disciplined for accidental omission.
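To make the softfail point concrete, the following added example (not part of the recon tooling) evaluates the published record against a sender IP for the ip4/ip6/all subset of RFC 7208, alongside a hypothetical -all variant that db.com does not publish. The helper at the end shows why the qualifier is nearly irrelevant under DMARC: only a "pass" counts, so softfail and fail are equivalent for DMARC's SPF leg.

```python
"""Offline SPF evaluation for the ip4/ip6/all subset of RFC 7208.
Added example; DB_SPF is the record the report cites (ev_002), the hardened
variant is hypothetical."""
import ipaddress

DB_SPF = "v=spf1 ip4:160.83.0.0/16 ~all"           # as published (softfail)
DB_SPF_HARDFAIL = "v=spf1 ip4:160.83.0.0/16 -all"  # hypothetical hardened form

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip, or
    'unsupported' when the record needs DNS (include/a/mx/ptr/exists/redirect),
    which this offline evaluator deliberately does not resolve."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            return "unsupported"           # redirect replaces the record; needs DNS
        if "=" in term:
            continue                       # other modifiers (exp=) do not affect the verdict
        qualifier = "+"                    # mechanisms default to +
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # always matches; its qualifier is the verdict
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"         # malformed mechanism argument
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"               # include, a, mx, ptr, exists need DNS
    return "neutral"                       # RFC 7208 default when nothing matched


def dmarc_counts_as_spf_pass(record: str, sender_ip: str) -> bool:
    """DMARC's SPF leg succeeds only on 'pass'; softfail and fail are both
    'not pass', so ~all versus -all changes nothing once p=reject is in force."""
    return evaluate_spf(record, sender_ip) == "pass"


if __name__ == "__main__":
    for ip in ("160.83.10.20", "203.0.113.5"):
        print(ip, evaluate_spf(DB_SPF, ip), evaluate_spf(DB_SPF_HARDFAIL, ip),
              dmarc_counts_as_spf_pass(DB_SPF, ip))
```

The unsupported verdict is deliberate: a real evaluator must follow include and redirect with DNS lookups (and enforce the 10-lookup limit), and silently skipping them would produce false passes.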
KJ-07 Sanctions / PEP coverage gap — OpenSanctions enumeration failed
Low Confidence
The opensanctions_search MCP tool returned tool errors across four retries (ev_069). Sanctions and PEP enumeration is therefore unverified in this corpus. Likely DB AG itself is not on any major sanctions list, since a publicly listed European G-SIB under direct ECB supervision would generate immediate market signals if it were, but that inference is not evidence and the absence is a known coverage gap. Confidence is low because the conclusion rests on a tool failure rather than on cross-confirmation. The operator should re-run sanctions and PEP enumeration (OpenSanctions, or the OFAC SDN, EU consolidated and UK OFSI lists directly) before treating the report as comprehensive on the sanctions axis.