‼️🇮🇷 Iran Nuclear allegedly breached with 77.56 GB of data threatened for release under "Pay Or Leak" ransom
A threat actor claims to have obtained 77.56 GB of data related to Iran, including archives tied to the Iranian nuclear program, government databases, and a nuclear authority website. The actor has issued a "Pay Or Leak" ultimatum, demanding €5,000 by May 15th and threatening to publicly release all collected information if the ransom is not paid. The actor frames the operation as a response to events involving Israel and Iran, and claims to have also defaced Iranian websites and exfiltrated their databases during the intrusion.
Post details:
▸ Actor(s): NormalLeVrai
▸ Sector: Government / Nuclear / Insurance
▸ Type: Ransom / Pre-Leak Extortion
▸ Format: RAR, ZIP, JSON, XLSX, TXT
▸ Price: €5,000 (ransom) / Free if unpaid by deadline
▸ Records: 77.56 GB
▸ Country: Iran
▸ Deadline: 15/05/2026
▸ Date: 10/05/2026
Compromised data:
▪️ Data_Iran_Nuclear_Program - ~1.6 GB per file, archives related to the Iranian nuclear program (multiple files)
▪️ Nuclear Iranian Database.part01–35.rar - database divided into 35 parts, up to ~1.48 GB each
▪️ Iran 4.63GB.json.002 - part of a large structured JSON file
▪️ Iran & RF 95.000.000.zip.001 - ~1.84 GB
▪️ Iran & RF 95.000.000database.zip - additional part of a 95 million record database
▪️ iran_insurances_samples.zip - Iranian insurance data
▪️ IranBudget-Table-07-1-Bill1399.xlsx - Iranian budget table
▪️ Iran 500k.txt - large list of telephone number data
▪️ bapeten.go.id - ~1.47 GB, archive related to Iranian nuclear authority / government website
▪️ Defacement evidence and extracted databases from additional Iranian websites
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor claims to have obtained 77.56 GB of data related to Iran, including archives tied to the Iranian nuclear program, government databases, and a nuclear authority website. The actor has issued a "Pay Or Leak" ultimatum, demanding €5,000 by May 15th and threatening to publicly release all collected information if the ransom is not paid. The actor frames the operation as a response to events involving Israel and Iran, and claims to have also defaced Iranian websites and exfiltrated their databases during the intrusion.
Post details:
▸ Actor(s): NormalLeVrai
▸ Sector: Government / Nuclear / Insurance
▸ Type: Ransom / Pre-Leak Extortion
▸ Format: RAR, ZIP, JSON, XLSX, TXT
▸ Price: €5,000 (ransom) / Free if unpaid by deadline
▸ Records: 77.56 GB
▸ Country: Iran
▸ Deadline: 15/05/2026
▸ Date: 10/05/2026
Compromised data:
▪️ Data_Iran_Nuclear_Program - ~1.6 GB per file, archives related to the Iranian nuclear program (multiple files)
▪️ Nuclear Iranian Database.part01–35.rar - database divided into 35 parts, up to ~1.48 GB each
▪️ Iran 4.63GB.json.002 - part of a large structured JSON file
▪️ Iran & RF 95.000.000.zip.001 - ~1.84 GB
▪️ Iran & RF 95.000.000database.zip - additional part of a 95 million record database
▪️ iran_insurances_samples.zip - Iranian insurance data
▪️ IranBudget-Table-07-1-Bill1399.xlsx - Iranian budget table
▪️ Iran 500k.txt - large list of telephone number data
▪️ bapeten.go.id - ~1.47 GB, archive related to Iranian nuclear authority / government website
▪️ Defacement evidence and extracted databases from additional Iranian websites
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
❤1
"Use a computer. Then make it vanish."
‼️bubbl.cx allegedly advertised as disposable anonymous RDP service for Windows & Linux
A threat actor is promoting bubbl.cx, a service marketed as a disposable cloud desktop platform offering anonymous Windows and Linux RDP access. The service advertises no-email signup, cryptocurrency-only payments, and full destruction of VMs, disks, and keys on termination, branded as "anonymous by design" and aimed at users seeking untraceable remote computing infrastructure.
Post details:
▸ Actor(s): gravem1nd (VIP)
▸ Sector: Anonymous Hosting / Disposable RDP
▸ Type: Service Advertisement
▸ Format: Browser-based RDP + SSH
▸ Country: Multi-region (DE, US, AU)
▸ Date: 10/05/2026
Service features:
▪️ Full Windows or Linux RDP in-browser, deployable in under 60 seconds
▪️ Supported OS: Windows 11, Windows Server 2022, Ubuntu, Debian, Fedora, Parrot
▪️ Regions: Frankfurt, NYC, Sydney
▪️ WireGuard kill switch, all traffic forced through encrypted VPN at firewall level
▪️ No email signup, password-only authentication
▪️ "Pop & Gone" destruction, VM, disk, and keys wiped on termination, advertised as unrecoverable
▪️ LUKS full-disk encryption on NVMe storage at rest
▪️ Browser RDP + SSH access, no client install required
▪️ US and EU exit nodes for traffic routing
▪️ Plans: Micro ($9/mo, 2 vCPU, 4GB RAM, 60GB, 1 Bubble), Standard ($19/mo, 4 vCPU, 8GB RAM, 120GB, 2 Bubbles), Pro ($39/mo, 6 vCPU, 12GB RAM, 180GB, 3 Bubbles)
▪️ Payment: BTC, ETH, XMR, LTC plus 50 more cryptocurrencies
▪️ Slogan: "No logs, no traces, no recovery"
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️bubbl.cx allegedly advertised as disposable anonymous RDP service for Windows & Linux
A threat actor is promoting bubbl.cx, a service marketed as a disposable cloud desktop platform offering anonymous Windows and Linux RDP access. The service advertises no-email signup, cryptocurrency-only payments, and full destruction of VMs, disks, and keys on termination, branded as "anonymous by design" and aimed at users seeking untraceable remote computing infrastructure.
Post details:
▸ Actor(s): gravem1nd (VIP)
▸ Sector: Anonymous Hosting / Disposable RDP
▸ Type: Service Advertisement
▸ Format: Browser-based RDP + SSH
▸ Country: Multi-region (DE, US, AU)
▸ Date: 10/05/2026
Service features:
▪️ Full Windows or Linux RDP in-browser, deployable in under 60 seconds
▪️ Supported OS: Windows 11, Windows Server 2022, Ubuntu, Debian, Fedora, Parrot
▪️ Regions: Frankfurt, NYC, Sydney
▪️ WireGuard kill switch, all traffic forced through encrypted VPN at firewall level
▪️ No email signup, password-only authentication
▪️ "Pop & Gone" destruction, VM, disk, and keys wiped on termination, advertised as unrecoverable
▪️ LUKS full-disk encryption on NVMe storage at rest
▪️ Browser RDP + SSH access, no client install required
▪️ US and EU exit nodes for traffic routing
▪️ Plans: Micro ($9/mo, 2 vCPU, 4GB RAM, 60GB, 1 Bubble), Standard ($19/mo, 4 vCPU, 8GB RAM, 120GB, 2 Bubbles), Pro ($39/mo, 6 vCPU, 12GB RAM, 180GB, 3 Bubbles)
▪️ Payment: BTC, ETH, XMR, LTC plus 50 more cryptocurrencies
▪️ Slogan: "No logs, no traces, no recovery"
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
❤1🔥1
‼️🇬🇧 LAPSUS$ Group has leaked the data of Vodafone.
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
Historical feed is coming along. It has its own frontend working. Give it 2-3 weeks and API will have the data and then platform will get it shortly after.
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
For those asking how many forums are being monitored by the threat feed: 18... this includes 1 that is down, and 1 that is being onboarded. I have updated the pricing page and API details page to reflect this. There has been 552 alerts on the feed today alone.
Cyberattack News Alert
━━━━━━━━━━━━━━━━━━━━━━━━━
Victim: Direction générale de la Comptabilité publique et du Trésor
Domain:
Country: 🇸🇪 SE
Date: May 10th, 2026
Summary:
La Direction générale de la Comptabilité publique et du Trésor (DGCPT) a annoncé une perturbation de ses systèmes d'information depuis le dimanche 10 mai 2026, suite à un incident non précisé. Cette panne survient quelques mois après une attaque de cyber-extorsion ayant touché la Direction générale des Impôts et des Domaines (DGID). Ces événements s'inscrivent dans un contexte africain marqué par une augmentation des cybermenaces ciblant les institutions publiques.
Source: https://fr.apanews.net/news/senegal-incident-technique-au-tresor-public/
━━━━━━━━━━━━━━━━━━━━━━━━━
Victim: Direction générale de la Comptabilité publique et du Trésor
Domain:
sentresor.orgCountry: 🇸🇪 SE
Date: May 10th, 2026
Summary:
La Direction générale de la Comptabilité publique et du Trésor (DGCPT) a annoncé une perturbation de ses systèmes d'information depuis le dimanche 10 mai 2026, suite à un incident non précisé. Cette panne survient quelques mois après une attaque de cyber-extorsion ayant touché la Direction générale des Impôts et des Domaines (DGID). Ces événements s'inscrivent dans un contexte africain marqué par une augmentation des cybermenaces ciblant les institutions publiques.
Source: https://fr.apanews.net/news/senegal-incident-technique-au-tresor-public/
APAnews - Agence de Presse Africaine
Sénégal : le Trésor public signale un incident informatique
La Direction générale de la Comptabilité publique et du Trésor a annoncé lundi une perturbation de ses systèmes d'information, au lendemain d'un week-end. L'incident intervient quelques mois après une attaque informatique attribuée à un groupe de cyber-extorsion…
‼️🇲🇽 Poder Judicial del Estado de Tabasco allegedly leaked exposing 11,741 worker records from the Mexican state judicial body
A threat actor claims to have leaked the database of Poder Judicial del Estado de Tabasco (Órgano de Administración Judicial), the judicial branch of the Mexican state of Tabasco. The actor states that 11,741 workers are exposed due to poor security and frames the release as a hack performed by "hackstage". The CSV sample shows full identity records including government tax IDs, institutional and personal emails, phone numbers, and marital status, with sample entries dating back to 2021.
Post details:
▸ Actor(s): hackstage
▸ Sector: Government / Judicial
▸ Type: Database Leak
▸ Format: CSV
▸ Price: Free
▸ Records: 11,741
▸ Country: Mexico
▸ Date: 10/05/2026
Compromised data:
▪️ ID
▪️ Names (nombres)
▪️ First surname (primer_apellido)
▪️ Second surname (segundo_apellido)
▪️ CURP (Mexican national identity code)
▪️ RFC (Mexican federal taxpayer registry)
▪️ Institutional email (correo_institucional)
▪️ Personal email (correo_personal)
▪️ Home phone (telefono_casa)
▪️ Personal phone (telefono_personal)
▪️ Marital status (estado_civil)
▪️ Matrimonial regime (regimen_matrimonial)
▪️ Country (pais)
▪️ Observations (observaciones)
▪️ Last update field and timestamp (actualizo, f_actualizacion)
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor claims to have leaked the database of Poder Judicial del Estado de Tabasco (Órgano de Administración Judicial), the judicial branch of the Mexican state of Tabasco. The actor states that 11,741 workers are exposed due to poor security and frames the release as a hack performed by "hackstage". The CSV sample shows full identity records including government tax IDs, institutional and personal emails, phone numbers, and marital status, with sample entries dating back to 2021.
Post details:
▸ Actor(s): hackstage
▸ Sector: Government / Judicial
▸ Type: Database Leak
▸ Format: CSV
▸ Price: Free
▸ Records: 11,741
▸ Country: Mexico
▸ Date: 10/05/2026
Compromised data:
▪️ ID
▪️ Names (nombres)
▪️ First surname (primer_apellido)
▪️ Second surname (segundo_apellido)
▪️ CURP (Mexican national identity code)
▪️ RFC (Mexican federal taxpayer registry)
▪️ Institutional email (correo_institucional)
▪️ Personal email (correo_personal)
▪️ Home phone (telefono_casa)
▪️ Personal phone (telefono_personal)
▪️ Marital status (estado_civil)
▪️ Matrimonial regime (regimen_matrimonial)
▪️ Country (pais)
▪️ Observations (observaciones)
▪️ Last update field and timestamp (actualizo, f_actualizacion)
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️ Possible ShinyHunters clearnet domain seizure as of about 7 hours ago detected by my FBI Watchdog script.
Site is currently down.
Site is currently down.
❤1
Forwarded from FBI Watchdog Alerts by Dark Web Informer
⚠️ FBI Watchdog - WHOIS Change ⚠️
🔗 DarkWebInformer.com - Cyber Threat Intelligence
Domain: shinyhunte.rs
Record Type: WHOIS Change
Time Detected: 2026-05-11 08:15:07 UTC
Previous Records:
New Records:
🔗 DarkWebInformer.com - Cyber Threat Intelligence
Domain: shinyhunte.rs
Record Type: WHOIS Change
Time Detected: 2026-05-11 08:15:07 UTC
Previous Records:
status: ['active', 'clientupdateprohibited', 'https://www.rnids.rs/e
New Records:
status: ['active', 'clientupdateprohibited', 'https://www.rnids.rs/en/domain-name-sta... → ['clientupdateprohibited', 'https://www.rnids.rs/en/domain-name-status-codes#...
‼️🇫🇷 CalendrIDEL allegedly leaked exposing 1,400 user records from the French independent nurses platform
A threat actor claims to have leaked a database from CalendrIDEL, a French platform designed for independent nurses (IDELs) used to find replacements, collaborations, and practice opportunities through local job listings, matching tools, and regional networking across France. The actor states 1,400 email addresses, phone numbers, and usernames have been shared. The TXT sample shows email, phone, postal code, and pseudonym entries.
Post details:
▸ Actor(s): ridok61
▸ Sector: Healthcare / Nursing Platform
▸ Type: Data Leak
▸ Format: TXT
▸ Price: Free
▸ Records: 1,400
▸ Country: France
▸ Date: 11/05/2026
Compromised data:
▪️ Email address
▪️ Phone number
▪️ Postal code (CP)
▪️ Pseudonym / username
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor claims to have leaked a database from CalendrIDEL, a French platform designed for independent nurses (IDELs) used to find replacements, collaborations, and practice opportunities through local job listings, matching tools, and regional networking across France. The actor states 1,400 email addresses, phone numbers, and usernames have been shared. The TXT sample shows email, phone, postal code, and pseudonym entries.
Post details:
▸ Actor(s): ridok61
▸ Sector: Healthcare / Nursing Platform
▸ Type: Data Leak
▸ Format: TXT
▸ Price: Free
▸ Records: 1,400
▸ Country: France
▸ Date: 11/05/2026
Compromised data:
▪️ Email address
▪️ Phone number
▪️ Postal code (CP)
▪️ Pseudonym / username
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
🔪 Slice For Life - Part 2 🔪
‼️ Possible ShinyHunters clearnet domain seizure as of about 7 hours ago detected by my FBI Watchdog script. Site is currently down.
Looks like the domain was indeed suspended by the registrar as of now. I will follow up if anything more comes of it. The Pay or Leak portal is still online.
❤1
‼️ New Dark Web Informer Blog Post!
Title: Mansoura University Allegedly Leaked Exposing 731 Contact Records From the Egyptian Academic Institution
Link: https://darkwebinformer.com/mansoura-university-allegedly-leaked-exposing-731-contact-records-from-the-egyptian-academic-institution/
Title: Mansoura University Allegedly Leaked Exposing 731 Contact Records From the Egyptian Academic Institution
Link: https://darkwebinformer.com/mansoura-university-allegedly-leaked-exposing-731-contact-records-from-the-egyptian-academic-institution/
Dark Web Informer
Mansoura University Allegedly Leaked Exposing 731 Contact Records From the Egyptian Academic Institution
Google's Threat Intelligence Group has documented what it describes as the first confirmed instance of threat actors leveraging artificial intelligence to engineer a zero-day exploit, marking a significant escalation in how AI is being weaponized for cyberattacks. The exploit successfully circumvented multi-factor authentication protections in a web-based administrative tool.
https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access?e=48754805
According to the report, attackers used AI systems to assist in discovering and developing the exploit code targeting a previously unknown vulnerability. The bypass allowed unauthorized access to administrative interfaces despite MFA being enabled, undermining one of the most widely recommended security controls for protecting privileged accounts.
This finding represents a notable shift in the threat landscape. While security researchers and defenders have warned for years that generative AI could lower the barrier to producing sophisticated malware, most documented cases until now have involved AI being used for phishing content, social engineering scripts, or refinement of existing malicious code rather than original vulnerability research and exploit development.
The report underscores growing concerns that AI tools are accelerating the offensive capabilities of threat actors, potentially compressing the timeline between vulnerability discovery and weaponization. Organizations relying on MFA as a primary defense layer may need to revisit their security architecture, layering in additional controls such as phishing-resistant authentication methods, behavioral analytics, and stricter access policies for administrative tools.
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access?e=48754805
According to the report, attackers used AI systems to assist in discovering and developing the exploit code targeting a previously unknown vulnerability. The bypass allowed unauthorized access to administrative interfaces despite MFA being enabled, undermining one of the most widely recommended security controls for protecting privileged accounts.
This finding represents a notable shift in the threat landscape. While security researchers and defenders have warned for years that generative AI could lower the barrier to producing sophisticated malware, most documented cases until now have involved AI being used for phishing content, social engineering scripts, or refinement of existing malicious code rather than original vulnerability research and exploit development.
The report underscores growing concerns that AI tools are accelerating the offensive capabilities of threat actors, potentially compressing the timeline between vulnerability discovery and weaponization. Organizations relying on MFA as a primary defense layer may need to revisit their security architecture, layering in additional controls such as phishing-resistant authentication methods, behavioral analytics, and stricter access policies for administrative tools.
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
Google Cloud Blog
Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Google Cloud Blog
Explore GTIG's 2026 report on how adversaries leverage AI for zero-day exploits, autonomous malware, and industrial-scale cyber operations.
❤1🔥1