‼️🇫🇷 École Française de Comptabilité allegedly breached: 41 GB and 60,683 student, teacher, and bank documents exposed from the French distance learning institution
A threat actor is selling 41 GB of data totalling 60,683 PDF files allegedly exfiltrated from the École Française de Comptabilité (EFC), a French private distance learning institution founded in 1945 and based in Lyon, specializing in accounting, payroll, human resources, law, and real estate training.
The dump reportedly contains student documents, teacher documents, bank documents, certificates, invoices, and other identity and financial paperwork. Sample images show payslips, RIB bank statements (Monabanq), employer attestations, and EFC-issued enrolment documents including French postal RIP forms tied to a Paris address.
▸ Actor: ChimeraZ
▸ Sector: Education / Distance Learning / Professional Training
▸ Type: Data Sale
▸ Format: PDF (60,683 files, 41 GB total)
▸ Records: 60,683 documents
▸ Country: France
▸ Date: 13/05/2026
Compromised data:
▪️ Student documents (enrolment forms, identity records, course records)
▪️ Teacher documents
▪️ Bank documents including RIB statements (Monabanq and others)
▪️ Certificates and attestations
▪️ Invoices
▪️ Employer salary attestations
▪️ EFC enrolment and contract documents
▪️ Postal RIP (Relevé d'Identité Postal) forms tied to La Poste accounts
▪️ IBAN and BIC identifiers visible in sample documents
▪️ Full names, postal addresses (including Paris), and dates of birth
▪️ Bank domiciliation details
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor is selling 41 GB of data totalling 60,683 PDF files allegedly exfiltrated from the École Française de Comptabilité (EFC), a French private distance learning institution founded in 1945 and based in Lyon, specializing in accounting, payroll, human resources, law, and real estate training.
The dump reportedly contains student documents, teacher documents, bank documents, certificates, invoices, and other identity and financial paperwork. Sample images show payslips, RIB bank statements (Monabanq), employer attestations, and EFC-issued enrolment documents including French postal RIP forms tied to a Paris address.
▸ Actor: ChimeraZ
▸ Sector: Education / Distance Learning / Professional Training
▸ Type: Data Sale
▸ Format: PDF (60,683 files, 41 GB total)
▸ Records: 60,683 documents
▸ Country: France
▸ Date: 13/05/2026
Compromised data:
▪️ Student documents (enrolment forms, identity records, course records)
▪️ Teacher documents
▪️ Bank documents including RIB statements (Monabanq and others)
▪️ Certificates and attestations
▪️ Invoices
▪️ Employer salary attestations
▪️ EFC enrolment and contract documents
▪️ Postal RIP (Relevé d'Identité Postal) forms tied to La Poste accounts
▪️ IBAN and BIC identifiers visible in sample documents
▪️ Full names, postal addresses (including Paris), and dates of birth
▪️ Bank domiciliation details
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️ New Dark Web Informer Blog Post!
Title: mutreasury Allegedly Breached: Admin Credentials and API Keys Exposed From the Egyptian University Payment Gateway Covering 28+ Universities, Sold With a Zero-Day Vulnerability
Link: https://darkwebinformer.com/mutreasury-allegedly-breached-admin-credentials-and-api-keys-exposed-from-the-egyptian-university-payment-gateway-covering-28-universities-sold-with-a-zero-day-vulnerability/
Title: mutreasury Allegedly Breached: Admin Credentials and API Keys Exposed From the Egyptian University Payment Gateway Covering 28+ Universities, Sold With a Zero-Day Vulnerability
Link: https://darkwebinformer.com/mutreasury-allegedly-breached-admin-credentials-and-api-keys-exposed-from-the-egyptian-university-payment-gateway-covering-28-universities-sold-with-a-zero-day-vulnerability/
Dark Web Informer
mutreasury Allegedly Breached: Admin Credentials and API Keys Exposed From the Egyptian University Payment Gateway Covering 28+…
A threat actor is selling a database from mutreasury, the centralized payment gateway connecting more than 28 Egyptian universities for tuition, application fees, and other student payments.
🔪 Slice For Life - Part 2 🔪
‼️ New Ransomware Group and IP Leak: CMD Organization Clearnet: cmdofficial[.]com IP: 209[.]99[.]186[.]211 Onion: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion ________________________________________ Main Channel: https://t.m…
‼️ Some open links to scammers CMD Organization:
Screenshot 1: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/index.html
Screenshot 2: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/base.html
Screenshot 1: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/index.html
Screenshot 2: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/base.html
‼️🇸🇦 Thmanyah allegedly breached: 107,084 subscriber emails and a Bitmovin license key exposed from the leading Arabic podcast and media-tech platform
A threat actor is selling a database from Thmanyah, the Saudi media-tech company founded in 2016 in Riyadh and majority-owned by Saudi Research and Media Group (SRMG), which operates the largest Arabic podcast network in the Middle East and North Africa and holds the Guinness World Record for the most-viewed podcast episode on YouTube.
The actor states the breach exposed 107,084 subscriber emails along with a Bitmovin video-streaming LICENSE key embedded in the dump. The sample shows internal admin accounts on the thmanyah[.]com domain, user join dates from 2024, language and category preferences across Documentary, Science Fiction, True Crime, Food, and Relationships content, plus Apple Podcasts category mappings and translation metadata.
▸ Actor: lulzintel (GOD User)
▸ Sector: Media / Podcast Platform / Tech
▸ Type: Data Sale (paywalled, 6 forum points)
▸ Records: 107,084 subscriber emails + Bitmovin LICENSE key
▸ Country: Saudi Arabia
▸ Date: 14/05/2026
Compromised data:
▪️ Subscriber email addresses (107,084 records)
▪️ User ID
▪️ Account approval flag (is_approved)
▪️ Join date
▪️ Language preference (lang, e.g., "en", "ar")
▪️ Name
▪️ Question fields (q7, q4_2, q5, q6, q1, q2_2, q8, q3, q3_str)
▪️ Interests array (e.g., "google_podcast")
▪️ VUE_APP_BITMOVIN_LICENSE_KEY (included in the file)
▪️ Internal Thmanyah staff accounts visible in sample
▪️ Waitlist IDs and category mappings to Apple Podcasts taxonomy (Documentary, Science Fiction, True Crime, Food, Relationships)
▪️ Translation pairs (Arabic and English) for category names
▪️ Listen/yes flags, device type (e.g., android), age ranges (e.g., 20+, 4_8)
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor is selling a database from Thmanyah, the Saudi media-tech company founded in 2016 in Riyadh and majority-owned by Saudi Research and Media Group (SRMG), which operates the largest Arabic podcast network in the Middle East and North Africa and holds the Guinness World Record for the most-viewed podcast episode on YouTube.
The actor states the breach exposed 107,084 subscriber emails along with a Bitmovin video-streaming LICENSE key embedded in the dump. The sample shows internal admin accounts on the thmanyah[.]com domain, user join dates from 2024, language and category preferences across Documentary, Science Fiction, True Crime, Food, and Relationships content, plus Apple Podcasts category mappings and translation metadata.
▸ Actor: lulzintel (GOD User)
▸ Sector: Media / Podcast Platform / Tech
▸ Type: Data Sale (paywalled, 6 forum points)
▸ Records: 107,084 subscriber emails + Bitmovin LICENSE key
▸ Country: Saudi Arabia
▸ Date: 14/05/2026
Compromised data:
▪️ Subscriber email addresses (107,084 records)
▪️ User ID
▪️ Account approval flag (is_approved)
▪️ Join date
▪️ Language preference (lang, e.g., "en", "ar")
▪️ Name
▪️ Question fields (q7, q4_2, q5, q6, q1, q2_2, q8, q3, q3_str)
▪️ Interests array (e.g., "google_podcast")
▪️ VUE_APP_BITMOVIN_LICENSE_KEY (included in the file)
▪️ Internal Thmanyah staff accounts visible in sample
▪️ Waitlist IDs and category mappings to Apple Podcasts taxonomy (Documentary, Science Fiction, True Crime, Food, Relationships)
▪️ Translation pairs (Arabic and English) for category names
▪️ Listen/yes flags, device type (e.g., android), age ranges (e.g., 20+, 4_8)
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
🔪 Slice For Life - Part 2 🔪
‼️ Some open links to scammers CMD Organization: Screenshot 1: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/index.html Screenshot 2: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/base.html
Simpler way to flood.
Screenshot 3: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/_bid_modal.html
Screenshot 4: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/_contact_modal.html
Screenshot 3: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/_bid_modal.html
Screenshot 4: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/_contact_modal.html
‼️🇺🇸 CoreWeave allegedly breached: full infrastructure access claimed against the US GPU cloud provider that powers OpenAI workloads
A threat actor claims to have pulled full infrastructure access from CoreWeave, the US-based GPU cloud provider that went public in 2025 with revenue exceeding $500 million and is one of the primary compute providers for OpenAI workloads.
The actor describes the access as wide open with zero authentication required, stating they cannot determine whether the exposure represents gross negligence or a honeypot. The claimed access spans multiple internal notebook servers with root shells across regions, full cloud account credentials, the central monitoring stack, customer data storage, internal infrastructure topology, and long-term persistence mechanisms. The post is currently unverified.
▸ Actor: macaroni
▸ Sector: Cloud Computing / GPU Infrastructure / AI Compute
▸ Type: Infrastructure Access Claim (unverified)
▸ Records: Full infrastructure access claim, no record count specified
▸ Country: United States
▸ Date: 13/05/2026
Compromised data:
▪️ Multiple internal notebook servers with root shells across multiple regions
▪️ Cloud account credentials and data access roles, including permanent IAM keys with sts:AssumeRole and temporary keys from 4 accounts
▪️ Central monitoring dashboard with full Grafana admin access, every dashboard, Loki logs, Prometheus metrics, and live GPU telemetry
▪️ Customer data storage including S3 buckets, EBS snapshots, and workload logs reportedly containing personal and financial records
▪️ Internal infrastructure topology including Kubernetes API, Docker registry, Jenkins, ArgoCD, PostgreSQL, and Redis (no authentication), with a full network map
▪️ Long-term persistence including deployed SSH keys, backdoor user accounts, and identified IAM persistence paths
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor claims to have pulled full infrastructure access from CoreWeave, the US-based GPU cloud provider that went public in 2025 with revenue exceeding $500 million and is one of the primary compute providers for OpenAI workloads.
The actor describes the access as wide open with zero authentication required, stating they cannot determine whether the exposure represents gross negligence or a honeypot. The claimed access spans multiple internal notebook servers with root shells across regions, full cloud account credentials, the central monitoring stack, customer data storage, internal infrastructure topology, and long-term persistence mechanisms. The post is currently unverified.
▸ Actor: macaroni
▸ Sector: Cloud Computing / GPU Infrastructure / AI Compute
▸ Type: Infrastructure Access Claim (unverified)
▸ Records: Full infrastructure access claim, no record count specified
▸ Country: United States
▸ Date: 13/05/2026
Compromised data:
▪️ Multiple internal notebook servers with root shells across multiple regions
▪️ Cloud account credentials and data access roles, including permanent IAM keys with sts:AssumeRole and temporary keys from 4 accounts
▪️ Central monitoring dashboard with full Grafana admin access, every dashboard, Loki logs, Prometheus metrics, and live GPU telemetry
▪️ Customer data storage including S3 buckets, EBS snapshots, and workload logs reportedly containing personal and financial records
▪️ Internal infrastructure topology including Kubernetes API, Docker registry, Jenkins, ArgoCD, PostgreSQL, and Redis (no authentication), with a full network map
▪️ Long-term persistence including deployed SSH keys, backdoor user accounts, and identified IAM persistence paths
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️🇮🇹 KRIA S.r.l. allegedly breached: 2.03 GB of speed and red-light enforcement data exposed from the Italian traffic monitoring technology vendor
A threat actor is selling a 2.03 GB dump allegedly exfiltrated from KRIA S.r.l., the Italian traffic enforcement technology company based in Seregno that manufactures the T-EXSPEED speed measurement system and T-REDSPEED red-light violation detection system used by Italian municipalities and traffic police.
The dump covers data from 2021 through 2026 and includes the full T-EXSPEED and T-REDSPEED software suite, complete MySQL databases of recorded violations, raw photos and videos from installations across Italian municipalities including Vicenza, Gemonio (VA), and Besozzo, along with device configurations, server credentials, and technical documentation. Sample evidence shows red-light violation records from Via San Vitale 3, Seregno, including timestamped vehicle plate captures and frame-by-frame imagery from system ID 441.
▸ Actor: prtsc
▸ Sector: Government Technology / Traffic Enforcement / Public Safety
▸ Type: Data Sale
▸ Format: Mixed (software binaries, MySQL dumps, photos, videos, configs)
▸ Records: 2.03 GB covering 2021 through 2026
▸ Price: 1,500 USDT
▸ Country: Italy
▸ Date: 12/05/2026
Compromised data:
▪️ T-EXSPEED software (original installer plus backups and install files)
▪️ T-REDSPEED software (original installer plus backups and install files)
▪️ Complete MySQL database covering events, violations, plates, statistics, whitelist, blacklist, and reports
▪️ Real speed and red-light violation records logged by deployed cameras
▪️ Original photos and videos from Italian installations, including Vicenza, Gemonio (VA), and other municipalities
▪️ Camera configurations, calibration files, and project settings
▪️ Device list and server credentials
▪️ Hardware information and inventory
▪️ Technical documents and internal reports
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor is selling a 2.03 GB dump allegedly exfiltrated from KRIA S.r.l., the Italian traffic enforcement technology company based in Seregno that manufactures the T-EXSPEED speed measurement system and T-REDSPEED red-light violation detection system used by Italian municipalities and traffic police.
The dump covers data from 2021 through 2026 and includes the full T-EXSPEED and T-REDSPEED software suite, complete MySQL databases of recorded violations, raw photos and videos from installations across Italian municipalities including Vicenza, Gemonio (VA), and Besozzo, along with device configurations, server credentials, and technical documentation. Sample evidence shows red-light violation records from Via San Vitale 3, Seregno, including timestamped vehicle plate captures and frame-by-frame imagery from system ID 441.
▸ Actor: prtsc
▸ Sector: Government Technology / Traffic Enforcement / Public Safety
▸ Type: Data Sale
▸ Format: Mixed (software binaries, MySQL dumps, photos, videos, configs)
▸ Records: 2.03 GB covering 2021 through 2026
▸ Price: 1,500 USDT
▸ Country: Italy
▸ Date: 12/05/2026
Compromised data:
▪️ T-EXSPEED software (original installer plus backups and install files)
▪️ T-REDSPEED software (original installer plus backups and install files)
▪️ Complete MySQL database covering events, violations, plates, statistics, whitelist, blacklist, and reports
▪️ Real speed and red-light violation records logged by deployed cameras
▪️ Original photos and videos from Italian installations, including Vicenza, Gemonio (VA), and other municipalities
▪️ Camera configurations, calibration files, and project settings
▪️ Device list and server credentials
▪️ Hardware information and inventory
▪️ Technical documents and internal reports
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️🇮🇶 Iraqi Ministry of Interior allegedly breached: 2025-2026 census data exposed from the Iraqi government civil registry and vehicle registration systems
A threat actor is selling Iraq's 2025-2026 census data, sourced from the Iraqi Ministry of Interior's Directorate of General Nationality and Central Information Office. The sample images show official Iraqi civil status identity cards, vehicle registration licences (with MRZ data), and family registry record cards, alongside structured digital records covering civil identity, vehicle registration, and family lineage data tied to specific governorates including Erbil, Sulaymaniyah (Kifri district), and Khabat.
▸ Actor: OxO (VIP)
▸ Sector: Government / Civil Registry / Vehicle Registration
▸ Type: Data Sale
▸ Records: 2025-2026 Iraqi census records
▸ Country: Iraq
▸ Date: 14/05/2026
Compromised data:
Civil Identity (Official Civil Status Identity, Iraq):
▪️ Full name (Arabic and English)
▪️ Alias
▪️ ID type and ID number
▪️ Citizenship status (e.g., "Displaced Iraqi")
▪️ Mobile phone number
▪️ Workplace (e.g., Ministry of Education)
▪️ Gender
▪️ Marital status
▪️ Birth date
▪️ Province (e.g., Erbil)
▪️ District (e.g., Khabat)
▪️ Vaccination centre (e.g., BAHRKA CAMP)
▪️ Emergency contact number
Vehicle Registration (Ministry of Interior, Iraq Licence):
▪️ Name in English and Arabic
▪️ Licence number
▪️ Issue date and expiry date
▪️ VIN code
▪️ National ID reference
▪️ Additional ID
▪️ Gender
Family Registry:
▪️ Family number
▪️ Province (e.g., Sulaymaniyah)
▪️ Location (e.g., maternity hospital, Kifri district)
▪️ Sub-district (e.g., Kifri)
▪️ Full names of family members
▪️ Dates of birth for each member spanning multiple generations (samples from 1945 through 1988)
▪️ Governorate of registration
Physical document samples:
▪️ Republic of Iraq Vehicle Registration Licence cards
▪️ Ministry of Interior civil identity cards with MRZ
▪️ Family member information record cards from the Directorate of General Nationality
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor is selling Iraq's 2025-2026 census data, sourced from the Iraqi Ministry of Interior's Directorate of General Nationality and Central Information Office. The sample images show official Iraqi civil status identity cards, vehicle registration licences (with MRZ data), and family registry record cards, alongside structured digital records covering civil identity, vehicle registration, and family lineage data tied to specific governorates including Erbil, Sulaymaniyah (Kifri district), and Khabat.
▸ Actor: OxO (VIP)
▸ Sector: Government / Civil Registry / Vehicle Registration
▸ Type: Data Sale
▸ Records: 2025-2026 Iraqi census records
▸ Country: Iraq
▸ Date: 14/05/2026
Compromised data:
Civil Identity (Official Civil Status Identity, Iraq):
▪️ Full name (Arabic and English)
▪️ Alias
▪️ ID type and ID number
▪️ Citizenship status (e.g., "Displaced Iraqi")
▪️ Mobile phone number
▪️ Workplace (e.g., Ministry of Education)
▪️ Gender
▪️ Marital status
▪️ Birth date
▪️ Province (e.g., Erbil)
▪️ District (e.g., Khabat)
▪️ Vaccination centre (e.g., BAHRKA CAMP)
▪️ Emergency contact number
Vehicle Registration (Ministry of Interior, Iraq Licence):
▪️ Name in English and Arabic
▪️ Licence number
▪️ Issue date and expiry date
▪️ VIN code
▪️ National ID reference
▪️ Additional ID
▪️ Gender
Family Registry:
▪️ Family number
▪️ Province (e.g., Sulaymaniyah)
▪️ Location (e.g., maternity hospital, Kifri district)
▪️ Sub-district (e.g., Kifri)
▪️ Full names of family members
▪️ Dates of birth for each member spanning multiple generations (samples from 1945 through 1988)
▪️ Governorate of registration
Physical document samples:
▪️ Republic of Iraq Vehicle Registration Licence cards
▪️ Ministry of Interior civil identity cards with MRZ
▪️ Family member information record cards from the Directorate of General Nationality
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️ New Dark Web Informer Blog Post!
Title: Xacria XNO Allegedly Breached: 446 Service Orders and Subscriber PII Exposed From the Italian Carrier-Grade Telecom Network Orchestration Platform Used by FASTWEB and SKY ITALIA
Link: https://darkwebinformer.com/xacria-xno-allegedly-breached-446-service-orders-and-subscriber-pii-exposed-from-the-italian-carrier-grade-telecom-network-orchestration-platform-used-by-fastweb-and-sky-italia-a-threat/
Title: Xacria XNO Allegedly Breached: 446 Service Orders and Subscriber PII Exposed From the Italian Carrier-Grade Telecom Network Orchestration Platform Used by FASTWEB and SKY ITALIA
Link: https://darkwebinformer.com/xacria-xno-allegedly-breached-446-service-orders-and-subscriber-pii-exposed-from-the-italian-carrier-grade-telecom-network-orchestration-platform-used-by-fastweb-and-sky-italia-a-threat/
Dark Web Informer
Xacria XNO Allegedly Breached: 446 Service Orders and Subscriber PII Exposed From the Italian Carrier-Grade Telecom Network Orchestration…
A threat actor claims to have breached Xacria XNO (Xacria Network Orchestrator), a carrier-grade, cloud-native network orchestration platform used by Tier 1, 2, and 3 telecommunications operators in Italy for zero-touch provisioning and automation of fiber…
Note: This claim has not been verified.
‼️Instagram private account viewing method allegedly sold by threat actor claiming "100% working bypass" of Instagram privacy controls
A threat actor is selling a method that allegedly allows the buyer to view posts and stories from private Instagram accounts and even react to them, claiming the technique works at 100% effectiveness.
The actor references the now-defunct Postegro Lili service and states that the existing market is full of scams, positioning their method as the only working one. The seller is intentionally limiting sales to 2 buyers to prevent the technique from being patched, with payment in cryptocurrency only and contact handled through Telegram.
▸ Actor: Darkode1 (MVP User)
▸ Sector: Social Media Abuse / OSINT Tools
▸ Type: Method Sale (Instagram privacy bypass)
▸ Price: $500 (crypto only)
▸ Records: Limited to 2 buyers
▸ Date: 14/05/2026
Method details:
▪️ Claims to allow viewing of posts and stories from private Instagram accounts
▪️ Claims to allow interaction including liking content from private accounts
▪️ Marketed as 100% working, in contrast to clones of the closed Postegro Lili service which the actor describes as scams
▪️ Sales artificially capped at 2 buyers to delay the method being patched by Instagram
Stop guessing what's redacted. Subscribers see everything → http://darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
‼️Instagram private account viewing method allegedly sold by threat actor claiming "100% working bypass" of Instagram privacy controls
A threat actor is selling a method that allegedly allows the buyer to view posts and stories from private Instagram accounts and even react to them, claiming the technique works at 100% effectiveness.
The actor references the now-defunct Postegro Lili service and states that the existing market is full of scams, positioning their method as the only working one. The seller is intentionally limiting sales to 2 buyers to prevent the technique from being patched, with payment in cryptocurrency only and contact handled through Telegram.
▸ Actor: Darkode1 (MVP User)
▸ Sector: Social Media Abuse / OSINT Tools
▸ Type: Method Sale (Instagram privacy bypass)
▸ Price: $500 (crypto only)
▸ Records: Limited to 2 buyers
▸ Date: 14/05/2026
Method details:
▪️ Claims to allow viewing of posts and stories from private Instagram accounts
▪️ Claims to allow interaction including liking content from private accounts
▪️ Marketed as 100% working, in contrast to clones of the closed Postegro Lili service which the actor describes as scams
▪️ Sales artificially capped at 2 buyers to delay the method being patched by Instagram
Stop guessing what's redacted. Subscribers see everything → http://darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
😭2
‼️🇬🇹 Guatemalan Ministry of Finance allegedly breached: 130,000 RGAE registrations and 235,000 sensitive PDFs (324.5GB) exposed via IDOR and unauthenticated APIs
A threat actor claims to have compromised the Registro General de Adquisiciones del Estado (RGAE) system operated by the Guatemalan Ministry of Finance (Ministerio de Finanzas Públicas), the official state procurement registry.
The actor describes the breach as part of an ongoing "digital siege" against Guatemala, citing critical IDOR/BOLA vulnerabilities at /api/Solicitud/ObtenerSecciones and two open APIs without any security, including one connected to the Superintendencia de Administración Tributaria (SAT) at /api/sat/email.
The actor states that despite Cloudflare and a WAF being in place, the extraction was performed by simulating real traffic from ordinary web users to avoid alerting the system, allowing 130,000 registration records from 2020 to 2026 to be extracted, alongside 235,000 sensitive PDF documents totalling 324.5 GB.
A proof-of-concept 5,000-row CSV sample and a 200-PDF preview have been published.
▸ Actor: GordonFreeman (VIP), branded "LAT4MFUCK3RS"
▸ Sector: Government / Public Procurement / Finance
▸ Type: Data Breach (IDOR/BOLA, unauthenticated APIs)
▸ Records: 130,000 registrations + 235,000 PDFs (324.5 GB)
▸ Country: Guatemala
▸ Date: 14/05/2026
Compromised data:
Registration records (130,000 rows, 2020-2026):
▪️ ID
▪️ NIT (Guatemalan tax identification number)
▪️ CUI (Código Único de Identificación)
▪️ Nombre (full name)
▪️ Direccion (address)
▪️ Telefono (phone number)
▪️ Correo (email address)
▪️ Tipo_Org (organization type, Individual or Juridica)
PDF documents (235,000 files, 324.5 GB):
▪️ University degrees and diplomas
▪️ Ministry of Education teaching titles
▪️ SAT invoices (Facturas)
▪️ Negotiation minutes and articles of incorporation
▪️ Sports minutes (actas)
▪️ Simple agreements
▪️ Notarial acts (Protocolos with Diez Quetzales registry stamps)
▪️ Balance sheets
▪️ Bank certifications
▪️ Administrative contracts
▪️ Signed affidavits
▪️ Tax solvency certificates
▪️ Commercial patents
▪️ Scanned DPIs
▪️ Constitution of Sociedad Anónima documents
Vulnerability details:
▪️ IDOR/BOLA
▪️ Unauthenticated SAT API
▪️ Second unauthenticated API hosting all persons registered in RGAE
▪️ Cloudflare and WAF in place but bypassed via traffic simulation
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
A threat actor claims to have compromised the Registro General de Adquisiciones del Estado (RGAE) system operated by the Guatemalan Ministry of Finance (Ministerio de Finanzas Públicas), the official state procurement registry.
The actor describes the breach as part of an ongoing "digital siege" against Guatemala, citing critical IDOR/BOLA vulnerabilities at /api/Solicitud/ObtenerSecciones and two open APIs without any security, including one connected to the Superintendencia de Administración Tributaria (SAT) at /api/sat/email.
The actor states that despite Cloudflare and a WAF being in place, the extraction was performed by simulating real traffic from ordinary web users to avoid alerting the system, allowing 130,000 registration records from 2020 to 2026 to be extracted, alongside 235,000 sensitive PDF documents totalling 324.5 GB.
A proof-of-concept 5,000-row CSV sample and a 200-PDF preview have been published.
▸ Actor: GordonFreeman (VIP), branded "LAT4MFUCK3RS"
▸ Sector: Government / Public Procurement / Finance
▸ Type: Data Breach (IDOR/BOLA, unauthenticated APIs)
▸ Records: 130,000 registrations + 235,000 PDFs (324.5 GB)
▸ Country: Guatemala
▸ Date: 14/05/2026
Compromised data:
Registration records (130,000 rows, 2020-2026):
▪️ ID
▪️ NIT (Guatemalan tax identification number)
▪️ CUI (Código Único de Identificación)
▪️ Nombre (full name)
▪️ Direccion (address)
▪️ Telefono (phone number)
▪️ Correo (email address)
▪️ Tipo_Org (organization type, Individual or Juridica)
PDF documents (235,000 files, 324.5 GB):
▪️ University degrees and diplomas
▪️ Ministry of Education teaching titles
▪️ SAT invoices (Facturas)
▪️ Negotiation minutes and articles of incorporation
▪️ Sports minutes (actas)
▪️ Simple agreements
▪️ Notarial acts (Protocolos with Diez Quetzales registry stamps)
▪️ Balance sheets
▪️ Bank certifications
▪️ Administrative contracts
▪️ Signed affidavits
▪️ Tax solvency certificates
▪️ Commercial patents
▪️ Scanned DPIs
▪️ Constitution of Sociedad Anónima documents
Vulnerability details:
▪️ IDOR/BOLA
▪️ Unauthenticated SAT API
▪️ Second unauthenticated API hosting all persons registered in RGAE
▪️ Cloudflare and WAF in place but bypassed via traffic simulation
Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________
Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations
❤1