🔪 Slice For Life 🔪
‼️🇰🇭 A threat actor using the handle "UNIT_PEGASUS" is auctioning network access to a Cambodian telecommunications company with an estimated revenue of ~$180 million on a dark web forum. The access type is listed as GlobalProtect + RDP with domain user (local admin) privileges.

The compromised network reportedly includes 2 domain controllers and over 200 computers, with CrowdStrike (CS) identified as the antivirus solution in place.

The auction starts at $4,000 with $200 bidding increments and a blitz (buy now) price of $8,000.
‼️A threat actor using the handle "fanfan" has leaked the database of 17Media, a popular live streaming app previously operating under the domain 17.media, on a dark web forum. The breach dates back to April 2016 and contains 28,052,321 records in a single SQL file.

Exposed data includes OpenID, MD5-hashed passwords (unsalted), country code, phone number, IP address, email, device type, and device model.

The actor describes the original incident as a large-scale breach that compromised personal data from over 27 million user accounts through the platform's shared video content connectivity features. A data snippet was provided as proof.
‼️🇯🇵 The first claim of the Crunchyroll breach has hit a popular dark web forum.

A threat actor using the handle "hubert" is selling a partial Crunchyroll Zendesk database.

The breach is dated March 2026 and targets the leading global anime and East Asian entertainment streaming service, which has an estimated yearly revenue of $1.16 billion to $1.4 billion and a valuation between $3 billion and $5 billion.

The leaked data consists of 2,000,000 support tickets containing 1,394,207 unique email addresses.

An extensive sample of the raw Zendesk ticket data was provided as proof, spanning multiple screenshots showing structured JSON-like support ticket records with detailed user and ticket metadata.

The asking price is $2,000 with a "Guarantee ++" designation.
‼️🇺🇸 MAJOR CLAIM: A threat actor using the handle "luc1f3rg4ng" is claiming to sell insider-sourced documents from United Health Group (UHG), described as the largest healthcare provider in the United States, on a dark web forum. The data reportedly spans 2024–2026 and contains over 500,000 records of UHG clients based in Florida.

The exposed data includes highly sensitive personal and healthcare information such as SSN, date of birth, address, phone number, region, coverage dates, plan names, Medicaid care coordination details, case numbers, enrollment and disenrollment dates, and provider information.

The sample data reveals full names, specific Florida addresses (Miami, Miami-Dade, Jacksonville), and detailed insurance records tied to individual patients.

The actor claims the documents were sourced from an insider with access to confidential company documents and provides three image links as proof of insider access.

The asking price is $350,000 for the full dataset, with the option to sell as a bundle or in parts. The actor also notes that once all data is sold, they will consider selling the insider access itself.
😁2
‼️A threat actor with the handle "punk" holding a Manager rank has leaked the database of Cuties.AI, a popular AI editor website, on a dark web forum. The breach is dated March 2026 and contains data from over 153,000 unique users.

Compromised fields include email, nickname, type, avatar, generation tokens, active plan, can_send_message, can_generate_character, can_request_image, has_standard_subscription, age_verified, allowed_feed_count, standard_subscription_cancel_at, standard_subscription_expire_at, preference_type, source_brand, and uid.
💥 I am in the process of adding a couple more forums and other resources to the threat feed. You should have seen a couple already in the last couple of days/hours. Alerts should balloon from around 200 daily to possibly 400 daily.

Finetuning is in process.
Normal, the founder of OVHcloud denies your claim. If you want to be taken seriously you need to provide a broader sample or something. https://x.com/olesovhcom/status/2036316608486875292
‼️🇨🇱 A threat actor group using the handle "NyxarGroup" has leaked the database of Universidad Católica de Temuco, a Chilean university, on a dark web forum. The breach contains 70,000 records including student photos and is being offered for free.

Exposed fields include photo, student ID, RUT (Chilean national identification number), names, paternal surname, maternal surname, primary and secondary phone/cell numbers, institutional email, personal email, race, data institution, registration year, admission details, and career information.
‼️A threat actor using the handle "secretsdump" is selling a kernel exploit designed to bypass and kill AV/EDR protections on a dark web forum. The tool is marketed as a superior alternative to commonly detected pastes and public tools.

Advertised capabilities include cleaning all forensic traces (piddb, hashbucket, unloadeddrivers), terminating any protected process, and providing a unique zero-day driver per customer with a 1-to-1 custom build. The actor claims that with a dedicated driver, the tool remains functional for months without detection.

The exploit is limited to 6 available slots at a price of $8,000 USD each.
‼️A threat actor using the handle "Wallace Shawn" is advertising physical cloned JCOP cards for sale on a dark web forum. The actor claims the cards are produced in-house using data collected from a network of compromised ATMs, gas stations, and POS terminal machines.

The operation reportedly leverages a client-based network and P2P data affiliate infrastructure to collect card data, which is then encoded and liquidated to regional buyers.

Cards are segmented into three tiers... "Mid-Balance," "High Balance," and "Super High Balance," based on variables such as balance, ATM limit, and bank variant.

The actor claims the same IP used by most banks for cloning is utilized, making the cards highly untraceable. Each card comes with a separate 4-digit PIN, works across all ATM codes and any Mastercard ATM (except code 0000), and is never swallowed after reaching its limit. Custom bank designs and extra details are available at additional cost.

Pricing ranges from $250 for a $3,000 balance up to $1,000 for a $15,000 balance.
😁1
‼️ Pretty empty and very laggy. "Threat Market"

threatmarket[.]ru
❀2