Corvus
Organization · Recon Complete · 68817e97

Deutsche Bank AG

German multinational investment bank and financial services company headquartered in Frankfurt, one of the world's leading financial institutions.

Primary URL: db.com
Completed: 2026-05-27 06:32 UTC
Duration: 76m 46s
Entities: 168
Relationships: 123
Evidence: 78
Judgments: 9
Timeline: 53
Geo: 17

Bottom Line Up Front

Deutsche Bank AG (LEI 7LTWFZYICNSX8D621K86, SEC CIK 0001159508) is a German tier-1 universal bank headquartered at Taunusanlage 12, Frankfurt, with ~90,000 staff and FY2025 net revenues of €32.1B. The recon evidence base — 168 entities, 123 relationships, 78 evidence records — supports a leading hypothesis (H1) that DB's 2017-2026 pattern of recurring enforcement (RMBS, LIBOR, Mirror Trades, Cum-Ex, 1MDB, Epstein, DWS greenwashing, OFSI Russia) is very likely systemic across business lines rather than a portfolio of isolated incidents — the OFSI £165k Russia-sanctions penalty (2026-04-30, ent_153) landing seven years into Sewing's CEO tenure materially weakens the competing 'corrective inflection' hypothesis. The headline operational risk is credential-driven: HudsonRock telemetry shows 4,771 infostealer infections against db.com, concentrated on Singapore Citrix RASweb gateways and the Ukrainian intranet RAS path; all five surfaced executive emails (Sewing, von Moltke, Hoops, Schaefer, dns.admin) appear in multiple breach corpora, with Hoops exposed to the cracked LinkedIn 2012/2016 corpus. DB's email perimeter (DMARC p=reject, SPF locked to 160.83.0.0/16) is likely mature, but internal codenames (Phoenix, TRXM) and FIS BaNCS UAT environments leak via CT logs. Active 2026 narrative attractors — Sewing succession, Wirecard-EY counter-motion at AGM 2026-05-28, €26B private-credit disclosure, ongoing 1MDB Malaysia trial, Wyden Epstein subpoena bill — keep multiple residual exposures live. Overall confidence in this assessment is HIGH on conduct-pattern and credential-surface findings; MODERATE on near-term governance trajectory due to single-sourced board-roster citations.

§ 01

Key Judgments

5 · graded per ICD 203
KJ-01

Multi-decade conduct pattern, very likely systemic not isolated

High Confidence

Across the 2017-2026 window the recon evidence base surfaces at least eight discrete enforcement or major-civil events spanning four continents and four product silos. The leading hypothesis (H1) — that this represents systemic conduct-and-controls failure rather than a portfolio of independent business-unit incidents — is supported by the cadence (an average of one material enforcement event per ~12 months) and the breadth (sanctions, money-laundering, ESG-misstatement, tax fraud, KYC, RMBS). The competing 'Sewing inflection' hypothesis (H2) — that 2018-onward represents a corrective break — is very likely wrong: the OFSI Russia penalty (ent_153, ev_049) landed seven years into Sewing's CEO tenure with conduct dating to the post-2022 sanctions regime. Very likely (HIGH confidence).

KJ-02

Singapore + Ukraine Citrix RAS is very likely the highest-yield credential surface

High Confidence

HudsonRock telemetry (ent_149, ev_062) places 81 infostealer hits on ua.intranet.db.com/Citrix/RASweb (ent_155), 51 on sg-kch5.dbrasweb.db.com (ent_156), 47 on sg-dsj5.dbrasweb.db.com (ent_157), and 36 on sg-kch4.dbrasweb.db.com (ent_158). Citrix RAS gateways accept primary corporate credentials; infostealer hits on these specific hostnames very likely represent valid-at-time-of-capture corporate credentials with VPN-equivalent reach. The Singapore concentration suggests either an unmanaged endpoint cohort (BYOD / contractor laptops outside MDM scope) or a specific malware campaign targeting DB Asia-Pacific operators. Very likely (HIGH confidence).

KJ-03

All 5 surfaced executive emails breach-exposed; Hoops LinkedIn the worst case

High Confidence

XposedOrNot returns hits for christian.sewing@db.com (4 corpora, ent_159), james.vonmoltke@db.com (2 corpora, ent_160), stefan.hoops@db.com (4 corpora including LinkedIn 2012/2016, ent_161), reiner.schaefer@db.com (Verifications, ent_151), and dns.admin@db.com (Epik 2021, ent_150). The LinkedIn 2012 dump of unsalted SHA-1 hashes has been cracked at scale and circulates with plaintext; if Hoops (ent_011) ever reused that password elsewhere, the credential-reuse risk extends to any system without MFA. The named-account-takeover (NATO) vector is therefore treated as very likely live for legacy non-MFA systems. Very likely (HIGH confidence).

KJ-04

Email perimeter mature — phishing shifts to look-alike / 3rd-party impersonation

Moderate Confidence

DB's DNS mail-auth records (ev_005) show v=DMARC1; p=reject; sp=reject; adkim=s; fo=1 and an SPF locked to the directly-allocated 160.83.0.0/16 block (ent_005). Reporting routes through Proofpoint (ent_051). This is very likely a mature configuration. The competing hypothesis (H2 — that internal sub-tenants have permissive overrides) is plausible but not surfaced in recon. The practical implication: phishing campaigns against DB likely shift to typosquat-DB-look-alike and compromised-supplier impersonation routes. Likely (MODERATE confidence); confidence is moderate because recon did not enumerate subsidiary-domain DMARC policies.

KJ-05

Internal codenames + UAT environments leaking via CT — hygiene risk

Moderate Confidence

Certificate transparency surfaces 16 phoenix.* hosts (ent_062 codename), 40+ dbk*.trxm.{int,dev}.db.com hosts (ent_064 codename), and the US FIS BaNCS UAT environment (uatbancs.us.db.com, ent_049, ent_059). Internal codenames in public CT logs very likely shorten the lateral-movement learning curve after initial access. Severity is moderated by the fact that these are dev/test/internal-platform hostnames rather than directly-exposed production credentials. Very likely (MODERATE confidence); moderate because the operational impact depends on whether internal-network ACLs gate access to the matched hosts.

KJ-06

Russia-sanctions exposure: OFSI £165k unlikely to be one-off

Moderate Confidence

FT 2026-04-17 (ev_048) reports DB self-flagged 'potential Russia sanctions lapses' to regulators; OFSI's penalty (ent_153, ev_049) followed 13 days later for Okko (ent_142) payments. Deutsche Bank's correspondent-banking and prime-brokerage franchises (and the historical Mirror Trades record, ent_037, ev_037) make a single isolated lapse unlikely. The competing hypothesis — that this is an outlier — is not supported by either DB's own self-disclosure framing (which implies multi-event scoping) or by historical pattern. Probability of additional regulatory action in 12-24 months: roughly even chance. Unlikely (MODERATE confidence) that this is a one-off; moderate because the OFSI notice itself remains the only currently-disclosed measure.

KJ-07

Epstein tail likely material through 2027 (Wyden + Butterfly Trust)

Moderate Confidence

The settled Epstein exposure ($150M NYDFS ent_087 + $75M class-action ent_034) is unlikely to terminate the surface. Wyden's (ent_145) S.2746 bill (ent_152) compels DB-held Epstein financial records to the Senate Finance Committee (ent_146). Fortune's 'Butterfly Trust' (ent_135) 2026-05-17 investigation names Richard Kahn (ent_131) and Darren Indyke (ent_132) as inside-the-wires actors. Likely (MODERATE confidence); moderate because the political timeline (US administration posture toward Epstein records) materially affects whether subpoena enforcement proceeds.

KJ-08

Board roster currency rests on uncorroborated Serper claims

Low Confidence

The management-board roster (ent_006-ent_015) is sourced largely from Serper search hits citing FT, MarketScreener, and Hubbis. KAC flags HIGH-sensitivity + LOW-confidence assumptions on (1) Sewing's continued tenure, (2) the announced 2026 CFO handoff to Akram, and (3) the Campelli-vs-Hoops succession framing. None were directly cross-checked against db.com (out of scope per opsec rules). Unlikely (LOW confidence) that the roster is materially misleading; low because the corroboration depth is shallow and the source of all five Serper hits is second-hand reporting.

KJ-09

€26B private-credit book is the headline balance-sheet risk recon surfaced

Moderate Confidence

Bloomberg 2026-03-12 (ev_055) reports DB's €26 billion ($30 billion) private-credit exposure — 1.8% of total assets, ~5.4% of customer loans, including €1 billion in Apollo-related receivables financing (ent_116). Private credit is the structurally most opaque exposure on a universal bank's book. Whether the underlying credits are performing is not derivable from passive OSINT. Very likely (MODERATE confidence) that this is the recon's headline balance-sheet risk; moderate because materiality grading requires non-public data.

§ 02

Threat Snapshot

Top 2 vectors / controls

Red · Adversary Vectors

Blue · Defensive Controls

B-01

Mandatory MFA + password rotation on all Citrix RAS endpoints with infostealer hits

B-02

Targeted credential reset + MFA-enforcement audit for the 5 surfaced executive emails
