‼️🇲🇽 Poder Judicial del Estado de Tabasco allegedly leaked exposing 11,741 worker records from the Mexican state judicial body
A threat actor claims to have leaked the database of Poder Judicial del Estado de Tabasco (Órgano de Administración Judicial), the judicial branch of the Mexican state of Tabasco. The actor states that 11,741 workers are exposed due to poor security and frames the release as a hack performed by "hackstage". The CSV sample shows full identity records including government tax IDs, institutional and personal emails, phone numbers, and marital status, with sample entries dating back to 2021.
Post details:
▸ Actor(s): hackstage
▸ Sector: Government / Judicial
▸ Type: Database Leak
▸ Format: CSV
▸ Price: Free
▸ Records: 11,741
▸ Country: Mexico
▸ Date: 10/05/2026
Compromised data:
▪️ ID
▪️ Names (nombres)
▪️ First surname (primer_apellido)
▪️ Second surname (segundo_apellido)
▪️ CURP (Mexican national identity code)
▪️ RFC (Mexican federal taxpayer registry)
▪️ Institutional email (correo_institucional)
▪️ Personal email (correo_personal)
▪️ Home phone (telefono_casa)
▪️ Personal phone (telefono_personal)
▪️ Marital status (estado_civil)
▪️ Matrimonial regime (regimen_matrimonial)
▪️ Country (pais)
▪️ Observations (observaciones)
▪️ Last update field and timestamp (actualizo, f_actualizacion)
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️ Possible ShinyHunters clearnet domain seizure as of about 7 hours ago detected by my FBI Watchdog script.
Site is currently down.
Forwarded from FBI Watchdog Alerts by Dark Web Informer
⚠️ FBI Watchdog - WHOIS Change ⚠️
🔗 DarkWebInformer.com - Cyber Threat Intelligence
Domain: shinyhunte.rs
Record Type: WHOIS Change
Time Detected: 2026-05-11 08:15:07 UTC
Previous Records:
status: ['active', 'clientupdateprohibited', 'https://www.rnids.rs/e
New Records:
status: ['active', 'clientupdateprohibited', 'https://www.rnids.rs/en/domain-name-sta... → ['clientupdateprohibited', 'https://www.rnids.rs/en/domain-name-status-codes#...
‼️🇫🇷 CalendrIDEL allegedly leaked exposing 1,400 user records from the French independent nurses platform
A threat actor claims to have leaked a database from CalendrIDEL, a French platform designed for independent nurses (IDELs) used to find replacements, collaborations, and practice opportunities through local job listings, matching tools, and regional networking across France. The actor states 1,400 email addresses, phone numbers, and usernames have been shared. The TXT sample shows email, phone, postal code, and pseudonym entries.
Post details:
▸ Actor(s): ridok61
▸ Sector: Healthcare / Nursing Platform
▸ Type: Data Leak
▸ Format: TXT
▸ Price: Free
▸ Records: 1,400
▸ Country: France
▸ Date: 11/05/2026
Compromised data:
▪️ Email address
▪️ Phone number
▪️ Postal code (CP)
▪️ Pseudonym / username
🔪 Slice For Life - Part 2 🔪
‼️ Possible ShinyHunters clearnet domain seizure as of about 7 hours ago detected by my FBI Watchdog script. Site is currently down.
Looks like the domain was indeed suspended by the registrar as of now. I will follow up if anything more comes of it. The Pay or Leak portal is still online.
‼️ New Dark Web Informer Blog Post!
Title: Mansoura University Allegedly Leaked Exposing 731 Contact Records From the Egyptian Academic Institution
Link: https://darkwebinformer.com/mansoura-university-allegedly-leaked-exposing-731-contact-records-from-the-egyptian-academic-institution/
Google's Threat Intelligence Group has documented what it describes as the first confirmed instance of threat actors leveraging artificial intelligence to engineer a zero-day exploit, marking a significant escalation in how AI is being weaponized for cyberattacks. The exploit successfully circumvented multi-factor authentication protections in a web-based administrative tool.
https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access?e=48754805
According to the report, attackers used AI systems to assist in discovering and developing the exploit code targeting a previously unknown vulnerability. The bypass allowed unauthorized access to administrative interfaces despite MFA being enabled, undermining one of the most widely recommended security controls for protecting privileged accounts.
This finding represents a notable shift in the threat landscape. While security researchers and defenders have warned for years that generative AI could lower the barrier to producing sophisticated malware, most documented cases until now have involved AI being used for phishing content, social engineering scripts, or refinement of existing malicious code rather than original vulnerability research and exploit development.
The report underscores growing concerns that AI tools are accelerating the offensive capabilities of threat actors, potentially compressing the timeline between vulnerability discovery and weaponization. Organizations relying on MFA as a primary defense layer may need to revisit their security architecture, layering in additional controls such as phishing-resistant authentication methods, behavioral analytics, and stricter access policies for administrative tools.
Google Cloud Blog
Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Google Cloud Blog
Explore GTIG's 2026 report on how adversaries leverage AI for zero-day exploits, autonomous malware, and industrial-scale cyber operations.
‼️ New Dark Web Informer Blog Post!
Title: Google Threat Intelligence Group Reports First Known AI-Developed Zero-Day Exploit
Link: https://darkwebinformer.com/google-threat-intelligence-group-reports-first-known-ai-developed-zero-day-exploit/
‼️🇲🇽 InterLAB allegedly breached exposing data from 30 Mexican laboratories via compromised server
A threat actor claims to have compromised a server belonging to InterLAB (interlab.mx, also known as biosystem.mx), a Mexican clinical laboratory software provider, and exfiltrated data from 30 affiliated laboratories. The actor states they attempted to negotiate a deal with the company, were refused, and are now releasing the data for free. The leak contains patient records, billing data, and clinical test results captured through the platform's "Modificar Paciente" and "Captura de resultados" interfaces. Each folder in the dump corresponds to a separate laboratory, with company information stored in a datosempresa.csv file inside each.
Post details:
▸ Actor(s): Alameda_slim
▸ Sector: Healthcare / Clinical Laboratories
▸ Type: Data Breach / Server Compromise
▸ Format: CSV (multiple folders, one per lab)
▸ Price: Free
▸ Records: Data from 30 laboratories
▸ Country: Mexico
▸ Date: 11/05/2026
Compromised data:
▪️ Patient ID (Clave)
▪️ Patient name (Nombre)
▪️ Patient ID number (Cedula Pac.)
▪️ Date of birth (Fecha de Nac)
▪️ Age (Edad)
▪️ Sex (Sexo)
▪️ Blood type (Tipo Sanguineo)
▪️ Classification (Clasificación)
▪️ Credit days and credit amount (Dias Credito, Credito)
▪️ Home phone (Tel. Casa)
▪️ Mobile phone (Celular)
▪️ Address (Direccion)
▪️ Email address (E-Mail)
▪️ Access key and password (Clave de acceso, Contraseña) stored in plaintext
▪️ Family risk and medical conditions (Riesgo Familiar, Padecimientos)
▪️ Observations (Observaciones)
▪️ Billing data (RFC, Nombre, Pais, Estado, Municipio, Calle, No Exterior, No Interior, Colonia, Reg. Fiscal, Localidad, CP, Referencia)
▪️ Clinical test results including general urine exam (EGO), physical exam (color, aspect, volume), chemical exam (density, pH, proteins, glucose, ketones, hemoglobin, bilirubin, urobilinogen, leukocyte esterase, nitrites), and microscopic observation (leukocytes)
▪️ Folio number, test date, and signature field per result
▪️ Company/laboratory metadata stored in datosempresa.csv per lab
Cyberattack News Alert
━━━━━━━━━━━━━━━━━━━━━━━━━
Victim: Heberger
Domain: heberger.com
Country: 🇩🇪 DE
Date: May 7th, 2026
Summary:
The construction company Heberger, based in Schifferstadt, was the victim of a cyberattack last week. The incident, confirmed by a company spokeswoman, reportedly took place early in the morning on Thursday, May 7. Despite high IT security standards, the company was affected by this intrusion.
Source: https://www.rheinpfalz.de/lokal/ludwigshafen_artikel,-cyberangriff-auf-baufirma-heberger-_arid,5889199.html
DIE RHEINPFALZ
Cyberattack on construction company Heberger
A cyberattack on the Schifferstadt construction company Heberger already took place last week.
‼️🇻🇪 familybox.store allegedly breached exposing 1,100,000 PII records from the Venezuelan online supermarket
A threat actor is selling 1,100,000 rows of PII data allegedly obtained from familybox.store, an online supermarket designed for people living anywhere in the world to buy and send goods to people living inside Venezuela. The platform allows users worldwide to send food, personal care, and household items to Venezuela, and is described as the official online store of the TEALCA Group, a Venezuelan logistics company with over 40 years of experience. The actor provided a proof sample consisting of 1 CSV and 1 JPG.
Post details:
▸ Actor(s): BigBrother
▸ Sector: E-Commerce / Online Supermarket / Logistics
▸ Type: Data Sale
▸ Format: CSV
▸ Price: Not disclosed (selling)
▸ Records: 1,100,000
▸ Country: Venezuela
▸ Date: 11/05/2026
Compromised data:
▪️ Customer ID
▪️ Customer full name
▪️ Customer email
▪️ Customer phone
▪️ Customer address
▪️ Customer city
▪️ Customer state
▪️ Customer neighborhood
▪️ Subtotal (VES)
▪️ Tax (VES)
▪️ Total amount (VES)
▪️ Exchange rate
▪️ Total amount (USD)
Cyberattack News Alert
━━━━━━━━━━━━━━━━━━━━━━━━━
Victim: Notin
Domain: notin.es
Country: 🇪🇸 ES
Date: May 10th, 2026
Claimed by: Everest ransomware gang
Summary:
The IT service provider Notin.es has been hit by another ransomware attack, this time carried out by the Crypto24 group using the LockBit 5.0 ransomware. The cyberattack affected at least fifteen notary offices in Spain, interrupting their services and their email.
Source: https://www.escudodigital.com/ciberseguridad/notin-proveeedor-ti-notarias-ataque-ransomware.html
I pushed a fix to the threat feed that was causing searches to not show that the data was actually loading, even though it was eventually showing results. You may need to hard refresh the page: CTRL+SHIFT+R.
🔪 Slice For Life - Part 2 🔪
Cyberattack News Alert ━━━━━━━━━━━━━━━━━━━━━━━━━ Victim: Notin Domain: notin.es Country: 🇪🇸 ES Date: May 10th, 2026 Claimed by: Everest ransomware gang Summary: Le fournisseur de services informatiques Notin.es a été victime d'une nouvelle attaque…
I still have no idea why this is not translating to English.
‼️🇨🇴 Emergia Contact Center allegedly breached exposing 12 TB of data from the Colombian/Spanish BPO and 75 client companies
A threat actor, in collaboration with NyxarGroup, claims to have exfiltrated approximately 12 TB of data from Emergia Contact Center and Conalcréditos (a debt collection unit), as well as PLUS CONTACTO SERVICIOS INTEGRALES SL, operated by Albert Ollé, described as one of Spain's wealthiest businessmen.
The actor states the intrusion began by exploiting vulnerabilities in the perimeter through an obsolete Cisco ASA, pivoted into the Fortinet topology connecting Spain (Gran Canaria, Madrid, Córdoba, Catalonia) with Colombia (Bogotá, Medellín, Manizales/Pensilvania, Malambo, Davivienda), and escalated via a public Active Directory password reset portal to gain full control of corporate email (emergiacc) and the GSuite directory.
The actor maintained access until April 7, over two months of active intrusion, claims credentials were never rotated, and is selling the 12 TB dump for $3,000. The actor also alleges the leak originated from an internal source, ****************, formerly of the customer security department, and names CISO ****************, ****************, and **************** as having manipulated the incident narrative.
Post details:
▸ Actor(s): Petro_Escobar (in collaboration with NyxarGroup)
▸ Sector: BPO / Contact Center / Debt Collection
▸ Type: Data Breach / Data Sale
▸ Format: Shared resources, PST files, SFTP files, full backups
▸ Price: $3,000
▸ Records: ~12 TB across 75 compromised clients
▸ Country: Colombia / Spain
▸ Date: 11/05/2026
Compromised data:
▪️ Approximately 12 TB exfiltrated over two months of active intrusion
▪️ Shared internal resources from Emergia infrastructure
▪️ PST email archives
▪️ SFTP file transfers
▪️ Full system backups
▪️ Corporate email accounts (emergiacc)
▪️ GSuite user directory
▪️ Active Directory credentials and Kerberos data
▪️ Cisco ASA and Fortinet VPN configurations spanning Spain and Colombia
▪️ Data from 75 affiliated client companies across multiple sectors
▪️ Spanish services clients
▪️ Conalcreditos clients
▪️ Emergia CC SL clients