🔪 Slice For Life - Part 2 🔪
‼️🏴‍☠️ R4T Ghost v1.7.5 Remote Access Trojan allegedly being sold on a hacking forum

An actor is selling ownership of "R4T Ghost v1.7.5," a Windows Remote Access Trojan, for $1,530, advertising it as their "latest 2026" build with a free update guarantee. Screenshots from the post show a builder/controller GUI with modules for client management, file transfer, registry editing, screenshot capture, webcam and microphone access, keylogging, and a remote shell.

Post details:

▸ Actor(s): MDGhost
▸ Sector: Malware / Offensive tooling
▸ Type: Tool Sale (Remote Access Trojan)
▸ Format: Builder + controller (port 5555 default listener)
▸ Price: $1,530 (with claimed free update guarantee)

Capabilities described in the post:

▪️ Steal files and saved passwords
▪️ Spy on user activity
▪️ Take screenshots
▪️ Access webcam and microphone
▪️ Remote control of victim devices
▪️ Exfiltrate internal documents and customer databases
▪️ Harvest emails, login credentials, project files, and financial data
▪️ Client dashboard with IP, country, PC name, user, OS, AV, ping, idle time
▪️ Tabs for system info, network, process manager, files, registry, services, tasks, screenshot, webcam, keylogger, remote shell

Defender notes:

▪️ Hunt for unsigned binaries opening listeners on port 5555 or other non-standard high ports
▪️ Alert on unexpected webcam/microphone access by non-conferencing processes
▪️ Monitor for new persistence entries (Run keys, scheduled tasks, services) created by recently executed user-mode binaries
▪️ EDR rules for combined keystroke logging plus screen capture plus outbound C2 beaconing patterns
▪️ Block execution of binaries from user-writable paths via AppLocker/WDAC and enforce MFA on credential stores
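The first and third defender notes can be combined into one triage pass over endpoint telemetry. The sketch below is an added example, not part of the original post: the event schema, file paths, port allowlist and 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

RAT_DEFAULT_PORT = 5555              # default listener named in the post
EXPECTED_HIGH_PORTS = {3389, 5985}   # assumption: site-specific allowlist
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
RECENT = timedelta(minutes=30)       # assumption: "recently executed" window

DROPPED = r"C:\Users\alice\AppData\Roaming\svc\updater.exe"   # constructed path
AGENT = r"C:\Program Files\Vendor\agent.exe"                  # constructed path

# Constructed, already-normalised endpoint telemetry (not real logs).
EVENTS = [
    {"ts": "2026-05-08T10:00:00", "type": "process_start", "image": DROPPED, "signed": False},
    {"ts": "2026-05-08T10:00:05", "type": "listen", "image": DROPPED, "port": 5555},
    {"ts": "2026-05-08T10:02:00", "type": "persistence", "image": DROPPED, "target": "Run key"},
    {"ts": "2026-05-08T09:00:00", "type": "process_start", "image": AGENT, "signed": True},
    {"ts": "2026-05-08T09:00:10", "type": "listen", "image": AGENT, "port": 5555},
    {"ts": "2026-05-08T09:01:00", "type": "persistence", "image": AGENT, "target": "service"},
]

def collect_signals(events):
    """Group per-image signals: signing state, path, listeners, early persistence."""
    first_seen, signals = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        img = ev["image"].lower()
        ts = datetime.fromisoformat(ev["ts"])
        hits = signals.setdefault(img, set())
        if ev["type"] == "process_start":
            first_seen.setdefault(img, ts)
            if not ev["signed"]:
                hits.add("unsigned")
            if any(marker in img for marker in USER_WRITABLE):
                hits.add("user_writable_path")
        elif ev["type"] == "listen":
            port = ev["port"]
            if port == RAT_DEFAULT_PORT or (port >= 1024 and port not in EXPECTED_HIGH_PORTS):
                hits.add(f"listener:{port}")
        elif ev["type"] == "persistence":
            started = first_seen.get(img)
            if started is not None and ts - started <= RECENT:
                hits.add("persistence_after_start")
    return signals

def triage(events):
    """Flag unsigned listeners, and early persistence by unsigned or user-path binaries."""
    flagged = {}
    for img, hits in collect_signals(events).items():
        listener = any(h.startswith("listener:") for h in hits)
        untrusted = "unsigned" in hits or "user_writable_path" in hits
        if ("unsigned" in hits and listener) or ("persistence_after_start" in hits and untrusted):
            flagged[img] = sorted(hits)
    return flagged
```

The signed agent in `Program Files` listens on the same port and registers a service, yet is not flagged, which shows why the port alone is a weak indicator without the signing and path context.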

Note: The blurs on the RAT screenshot are not mine.

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️ Instructure has updated their security incident page with further information.

https://www.instructure.com/incident_update

They state ShinyHunters exploited an issue related to their Free-For-Teacher accounts and have shut it down temporarily.
________________________________________

‼️🇻🇪 Cashea allegedly re-leaked exposing 79 million transaction records from the Venezuelan BNPL app

A threat actor is reposting and updating a leak of Cashea, a Venezuelan "buy now, pay later" app, claiming a 46.5GB JSON dataset dated 21/02/2026 with sample files including transaction history through that date. The post warns about scammers recycling earlier samples and includes a record showing customer identity, phone, and an installment payment schedule.

Post details:

▸ Actor(s): malconguerra2
▸ Sector: Fintech / BNPL (buy now, pay later)
▸ Type: Data Re-leak (update)
▸ Format: JSON, 46.5GB compressed
▸ Records: 79,006,942 transactions, 29,769 stores, 15,227 merchants
▸ Country: Venezuela
▸ Date: 07/05/2026 (data dated 21/02/2026)

Compromised data:

▪️ Transaction ID, created/billing dates
▪️ Amount and invoice ID
▪️ Paid-to-merchant flag
▪️ Identifier number
▪️ Delivery type, channel, delivery status
▪️ User identification number
▪️ Down payment paid date and status (OPEN/CLOSED)
▪️ Payment details
▪️ Full user profile: identification number, full name, phone number
▪️ Installment schedules (ID, number, scheduled payment date, amount, status)
▪️ Store ID and store name
▪️ Merchant ID and merchant name
▪️ Order products and shipment data
▪️ Status name

________________________________________
‼️🇦🇺 1,169 Australian websites allegedly being sold as full panel access by a single threat actor

The threat actor claims to be selling full access to 1,169 Australian websites in their possession, delivered as a url:user:pass list that the seller says grants entry to the panels, databases, source code, and emails of each site. The listing is priced at $400.

Post details:

▸ Actor(s): NormalLeVrai (Immortal)
▸ Sector: Mixed (1,169 Australian websites)
▸ Type: Access Sale
▸ Format: url:user:pass list
▸ Price: $400 (one buyer only)
▸ Targets: 1,169 sites
▸ Country: Australia
▸ Date: 07/05/2026

Compromised data and capabilities:

▪️ Admin panel credentials for 1,169 Australian websites
▪️ Database access for each site
▪️ Source code access
▪️ Hosted email accounts and inboxes
▪️ Site configuration and stored content

________________________________________
‼️Preferred Hotels & Resorts allegedly breached exposing 450,000 high-net-worth reservations across 620 hotels

A threat actor claims they exploited a vulnerability in the Preferred Hotels & Resorts Central Reservation System (CRS) in 2025 to extract roughly 450,000 reservations across about 620 hotels, then launched a denial-of-service attack to alert the company. The post states that while the vulnerability was patched, the breach was allegedly never disclosed, and the seller is now offering the data for €99 with a personal narrative aimed at the company's leadership.

Post details:

▸ Actor(s): dnacookies
▸ Sector: Hospitality / Luxury Hotels
▸ Type: Data Sale
▸ Format: Pipe-delimited records
▸ Price: €99
▸ Records: ~450,000 reservations across ~620 hotels
▸ Original incident: 2025 (CRS vulnerability)
▸ Date: 08/05/2026

Compromised data:

▪️ Hotel name and CRS confirmation number
▪️ Guest full name, prefix (Mr./Ms./Mrs.)
▪️ Reservation start date
▪️ Email address
▪️ Contact numbers
▪️ Country, state/province, city
▪️ Address line and postal code
▪️ Card type, cardholder name, card number
▪️ Card expiry date and average price
▪️ Booking currency and amount (USD, EUR, CNY, SGD, etc.)

________________________________________
‼️ Dirty Frag: A Universal Linux Local Privilege Escalation via Page-Cache Write Primitives

GitHub: https://github.com/V4bel/dirtyfrag

Patches: https://almalinux.org/blog/2026-05-07-dirty-frag/

CVE-2026-43284: A page-cache write flaw in the Linux kernel's xfrm-ESP (IPsec) subsystem that lets a local user corrupt read-only file pages via in-place decryption on shared skb fragments

CVE-2026-43500: A sibling page-cache write flaw in the Linux kernel's RxRPC subsystem (AFS protocol) where the same fast-path pattern enables arbitrary plaintext writes into attacker-chosen pages, escalating to root
________________________________________

Imagine if ShinyHunters turned into Dexter. For those who don't know what Dexter is and don't understand the name of this channel that is behind it. https://en.wikipedia.org/wiki/Dexter_(TV_series). His boat name was "Slice of Life" so I named this channel Slice For Life, because some nerd already has the name.
1/2‼️🇻🇪 MAJOR CLAIM: SAIME, SAREN, and Carnet Fronterizo allegedly breached exposing 35M Venezuelan IDs, 13.4M birth certificates, and 92K border records

A threat group calling itself "L4TAMFUCKERS" claims to have breached Venezuela's interconnected SAIME (national identity), SAREN (civil registry), and Carnet de Movilidad Fronteriza (border ID) systems by chaining API exploitation, IDOR/BOLA attacks, and tunneling exfiltration through official government data channels. The post, branded "Operation Hecatombe Venezuela," advertises 35.2M biographical records, 13.4M birth certificates totaling nearly 6TB of legal documents, and 92K detailed border crossing records, with the actors stating "an entire country's identity in plaintext."

Post details:

▸ Actor(s): GordonFreeman, Izanagi, YoSoyGroot (L4TAMFUCKERS)
▸ Sector: Government / National Identity & Civil Registry
▸ Type: Data Leak
▸ Format: SQL/CSV records, PDFs, scanned documents (~6TB SAREN)
▸ Records: 35.2M SAIME + 13.4M SAREN birth certificates + 92K Carnet Fronterizo
▸ Country: Venezuela
▸ Date: 08/05/2026

Compromised data:

▪️ SAIME: Cédula ID number, full names, gender, date of birth, profession code, registration date
▪️ SAIME admin users: ID, username, email, hashed password, status, lock date, full name, second name
▪️ SAREN: 13.4M scanned birth certificates with parental data, registrar signatures, hospital and parish details
▪️ SAREN: Marriage and notarial records with seals and registry numbers
▪️ Carnet Fronterizo: Foreign ID number, cédula, nationality, full names, date of birth
▪️ Carnet Fronterizo: Gender, occupation, expiration date, border post, ID photo
▪️ Carnet Fronterizo: Email addresses, passwords, phone numbers, system registration dates
▪️ Internal API channels and identifiers used to pivot between ministries
