[April-17-2026] Daily Cybersecurity Threat Report

This comprehensive threat intelligence report provides an exhaustive analysis of 274 detected cybersecurity incidents recorded between April 17 and April 18, 2026. The data reflects a highly active cybercrime ecosystem characterized by massive data breaches, extensive distribution of compromised credentials, persistent website defacement campaigns, and the proliferation of malware and initial access services.

This report is structured to categorize and analyze these events in detail, identifying key threat actors, targeted industries, and the operational tactics currently dominating the underground threat landscape.


1. High-Impact Data Breaches and Corporate Compromises

The reporting period witnessed an alarming volume of high-impact data breaches, severely compromising the data security of millions of individuals across multiple global enterprises and government entities.

1.1 The ShinyHunters Campaigns

The threat actor group known as “ShinyHunters” (and the associated alias “shinyc0rpsss”) orchestrated some of the most devastating breaches in this dataset, frequently leveraging compromised Snowflake environments and demanding high-value ransoms.

  • Neiman Marcus: ShinyHunters offered a massive dataset allegedly stolen from luxury retailer Neiman Marcus for $50,000 USD. The group claimed the retailer declined to pay a ransom for data security. The exposed data purportedly includes 182 million customer profiles containing names, addresses, phone numbers, dates of birth, emails, partial Social Security Numbers, and partial credit card details. Critically, the dataset is claimed to include 3 million plaintext credit card numbers, 70 million transactions, 50 million customer emails with IP tracking, 12 million gift card records, and 6 billion rows of internal operational data.
  • Advance Auto Parts: Operating as “shinyc0rpsss,” the actor attempted to sell a 3TB dataset allegedly stolen from the Advance Auto Parts Snowflake environment. Priced at $100,000 USD, the data allegedly contains 380 million customer profiles, 140 million customer orders, 44 million loyalty or gas card numbers, and employment data (including SSNs) for 358,000 employees and candidates.
  • Cylance: The group offered 34 million customer, partner, and employee records from cybersecurity firm Cylance for $500,000 USD. The data reportedly includes personally identifiable information (PII), sales prospect lists, and product usage metrics.
  • Jollibee Foods Corporation: A database containing 32 million customer records (names, addresses, hashed passwords) and 650 million transactional rows from Jollibee Food Delivery was offered for $40,000 USD.
  • Los Angeles Unified School District (LAUSD) & Edgenuity: The actor claimed to have stolen over 4 million K-12 student records via a Snowflake instance, offering them for $150,000 USD. The highly sensitive data reportedly includes demographics, medical and disability information, discipline records, grades, and parent/student login credentials.
  • TEG.com.au: A dataset containing 30 million user records from the Australian ticket vendor TEG was listed for $20,000 USD. The data allegedly includes names, dates of birth, and hashed passwords.
  • Europol & ANTS: ShinyHunters also claimed to have leaked data from Europol. Furthermore, the group claimed to sell 20 million records from ANTS (Agence Nationale des Titres Sécurisés), the French government agency for secure identity documents. This dataset allegedly contained full legal names, physical addresses, and state-verified identity flags.
  • Jaguar Land Rover: The group claimed responsibility for a cyber attack against Jaguar Land Rover, allegedly executed via a third-party Salesforce supply chain vector.
  • SigningHub: ShinyHunters allegedly leaked the source code (SRC) of the file signing service SigningHub.

1.2 Government and Public Sector Breaches

State and local governments globally suffered severe data exposure during this period.

  • Russian Federal Border Service (Kordon): A threat actor named “gosee” attempted to sell a 1.09 billion record database from the Kordon system for $30,000 USD. The database, reportedly compromised in September 2023, contains detailed border crossing metadata for 79.5 million unique individuals spanning 195 countries.
  • National Public Data (NPD): The threat actor “Mnemonic” freely leaked what was claimed to be the full 277GB plaintext database of National Public Data, a US data broker.
  • French Government Portal (mairie.ants.gouv.fr): Threat actor “RubiconH4ck” sold a database purportedly containing 127 million records of French citizens for $4,000 USD. The data allegedly included death records, nationality, and full contact details.
  • Indonesian Taxpayer Records: Actor “OnarDev” sold a database of 10.6 million Indonesian taxpayer records (NPWP), allegedly including high-profile individuals.
  • Peru National Police (PNP) and Ministry of Transport (SUTRAN): Threat actor “breach3d” sold a dataset containing police intervention reports, arrest records, and citizen DNI numbers.
  • USA Police Personnel Records: Threat actors “clara283” and “spider321” leaked databases containing over 90,000 records of US law enforcement personnel, exposing names, ranks, and supervisor contact details for agencies including the Frisco PD and Dallas County Sheriff’s Office.
  • Pakistan Nuclear Regulatory Authority (PNRA): “ModernStealer” claimed to have compromised the PNRA mail server, exfiltrating 60 databases containing sensitive infrastructure documents and exact locations of nuclear reactors.
  • Sri Lanka Ministry of Public Administration: The actor “wh6ami” sold 5,000 records of civil servants, including National ID numbers and internal government circulars, for $200 USD.
  • Kantor Pertanahan Kabupaten Banjar (Indonesia): Threat actor “XyphOrix” freely leaked a land registry database containing citizen NIKs, land parcel details, and certificate numbers. Additionally, the “Rakyat Digital Crew” claimed to have breached the same database.
  • South Sulawesi Provincial Education Department: Actor “DongHyunShiz” advertised unauthorized administrative access to this portal, allowing the modification of news articles.
  • CONALEP de Morelos: The actor “Lvn4t1k0” freely leaked a database belonging to this Mexican educational institution, exposing teacher and student personal data including plaintext passwords and RFC/CURP numbers.

1.3 Corporate and Healthcare Breaches

  • Claro El Salvador: Hacktivist group “Anonymous Switzerland” claimed to have exfiltrated 200 GB of internal data from the telecom provider, framing the attack under political operations #OpUSA and #OpIsrael.
  • Iraq Hospital Database: Threat actor “ahmadxalil” sold 32 million records for $600 USD, exposing highly sensitive medical diagnoses such as cancer and chronic respiratory diseases belonging to Iraqi citizens.
  • Twitter (X) Iraq Users: The same actor, “ahmadxalil,” claimed to sell a database of 100 million Iraqi Twitter users for $180 USD.
  • Dubai Health Authority: Actor “dark_habibi” sold 836 exfiltrated files for $300 USD, including passports, architectural blueprints of medical facilities, and internal reports.
  • Fédération Française de Basket-Ball (FFBB): Threat actor “HexDex” sold a database containing personal data of 1.9 million members and 800,000 parents, including medical certificate dates.
  • Diner en Blanc: Actor “888” sold a database of 411,000 user records from the global dining event organization.
  • Crumbl LLC: “spider321” sold a database of employee and customer records for $4,000 USD, which included employee Firebase Cloud Messaging tokens.
  • Ellucian PowerCampus (Neoskool India): Threat actor “ShadowByt3$” breached Azure Blob storage and Amazon S3 buckets, exposing sensitive student PII, Aadhaar numbers, and plain-text passwords across schools in North-East India.
  • Chinese Citizen Data: Threat actor “ALTGIANT” leaked an 11.6 GB archive containing Chinese ID cards, credit card information, and business records.
  • KFC Hungary: Actor “herbamatyi” shared a sample dataset containing plaintext passwords and physical addresses of KFC Hungary customers.
  • ComptoirDuReve.fr: Threat actor “ChimeraZ” freely leaked a database of 42,000 customer records from the French retail website.
  • Credix (Fibextelecom): Threat actor “BaphyHack” freely leaked 44,548 records from the Venezuelan credit service, exposing national ID documents and verification tokens.
  • RSUD K.R.M.T Wongsonegoro Hospital: Threat actor “CyphieNesia” doxed the hospital’s director, leaking their NIK, NPWP, and home address.
  • Konačište Dabić Zlatibor: Actor “vvvv” leaked 2,500 personal records from the Serbian hospitality establishment, allegedly in retaliation for failed negotiations.

2. Massive Credential Leaks and Combolist Proliferation

The dataset reveals an industrial-scale distribution of compromised credentials, primarily in the form of “combolists” (combinations of emails/usernames and passwords). These lists are the primary fuel for credential stuffing attacks and account takeovers.

2.1 The “X Forums Bot” Automated Distribution Campaign

An entity operating as “X Forum Bot” or “X FORUMS” executed an aggressive, automated distribution campaign, releasing dozens of massive credential files on an underground forum. These files were consistently formatted as URL:Login:Password and were freely distributed to registered members.

The volume of credentials distributed by this single entity is staggering:

  • A 24.41 million line combolist.
  • A 7.5 million line combolist targeting Google and gaming platforms.
  • A 6.1 million line combolist targeting international government portals and e-commerce apps.
  • Multiple parts of an ongoing series (Parts 5 to 58) with each file containing between 800,000 and 1.8 million lines. Key releases included Part 46 (1.27M lines), Part 48 (1.2M lines), Part 49 (1.76M lines), Part 50 (1.59M lines), Part 52 (1.8M lines), Part 53 (1.3M lines), and Part 58 (1.45M lines).
  • Specific smaller subsets, such as a 234K line combolist targeting Amazon AWS, Facebook, and Microsoft.
  • These lists indiscriminately targeted platforms such as Netflix, Riot Games, Booking.com, TikTok, Atlassian, Trello, and Discord.
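
For defenders who obtain such a file through a threat-intelligence feed, the URL:Login:Password format described above can be triaged for exposure of their own domains. The following is an added example, not part of the original report; the monitored domains and the sample lines are constructed, and the colon-handling heuristics are assumptions stated in the comments.

```python
"""Triage a URL:Login:Password (ULP) combolist for exposure of monitored domains."""
import hashlib
import re

# Hypothetical domains the organisation is responsible for (assumption).
MONITORED = {"example.com", "example.org"}

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# Parsed left to right because the URL part contains colons of its own.
# Assumptions: the path holds no colon; the password is everything after the
# login, so passwords that contain ':' survive intact.
_BODY = re.compile(
    r"^(?P<host>[^/:\s]+)"               # authority without port
    r"(?::(?P<port>\d{1,5})(?=[/:]))?"   # optional port, dropped if it starves the fields
    r"(?P<path>/[^:\s]*)?"               # optional path
    r":(?P<login>[^:\s]+)"               # login field
    r":(?P<password>.+)$"                # password, colons included
)


def parse_ulp(line):
    """Return {'host', 'login', 'password'} for one ULP line, or None."""
    line = line.strip()
    scheme = _SCHEME.match(line)
    body = line[scheme.end():] if scheme else line
    parts = _BODY.match(body)
    if parts is None:
        return None
    # Drop any userinfo ("user@host") and normalise the host name.
    host = parts["host"].rsplit("@", 1)[-1].rstrip(".").lower()
    return {"host": host, "login": parts["login"], "password": parts["password"]}


def in_scope(name, monitored):
    """True for a monitored domain or a subdomain of it; suffix look-alikes do not match."""
    return any(name == d or name.endswith("." + d) for d in monitored)


def triage(lines, monitored=MONITORED):
    """Return (sorted findings, count of unparseable lines).

    A finding is (kind, host, login, password fingerprint):
      own-service   the credential is for a login page on a monitored domain
      own-identity  a monitored-domain address was used on someone else's site
    Only a truncated SHA-256 is kept, for de-duplication; the plaintext
    password is never stored in the result.
    """
    findings, unparsed = set(), 0
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_ulp(raw)
        if rec is None:
            unparsed += 1
            continue
        login = rec["login"].lower()
        login_domain = login.rpartition("@")[2] if "@" in login else ""
        if in_scope(rec["host"], monitored):
            kind = "own-service"
        elif login_domain and in_scope(login_domain, monitored):
            kind = "own-identity"
        else:
            continue
        fingerprint = hashlib.sha256(rec["password"].encode()).hexdigest()[:12]
        findings.add((kind, rec["host"], login, fingerprint))
    return sorted(findings), unparsed


# Constructed sample lines (not taken from any real leak).
SAMPLE = """\
https://sso.example.com:8443/login:alice@example.com:Tr:cky:pw
sso.example.com/login:alice@example.com:Tr:cky:pw
https://shop.thirdparty.test/account:bob@example.org:hunter2
https://notexample.com/login:carol@mail.test:pw123
https://example.com.evil.test/:dave@mail.test:pw456
portal.example.org:10293:secret
https://broken.test/only-a-url
""".splitlines()

if __name__ == "__main__":
    results, skipped = triage(SAMPLE)
    for kind, host, login, fingerprint in results:
        print(f"{kind:13} {host:22} {login:20} pw#{fingerprint}")
    print(f"unparsed lines: {skipped}")
```

Accounts reported as own-service are candidates for a forced password reset and session revocation; own-identity hits indicate a reuse risk on third-party sites.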

2.2 The “CODER” Combolist Operations

Another highly prolific actor, “CODER,” leveraged Telegram channels (e.g., t.me/Combo445544) to distribute massive, themed combolists for free.

  • Gaming Sector: CODER distributed an 8 million credential list targeting PlayStation Network, Xbox Live, Steam, Nintendo, and Epic Games.
  • Corporate & Business: The actor released an 11 million credential mixed-country corporate list, an 8 million business-related list, a 7 million corporate lead list, and a specific combolist targeting 3ML Corp.
  • Other Platforms: CODER also distributed a 9 million “Office combo mix” and an 11 million mixed-country SMTP list.

2.3 “Blackcloud” and “VitVit” Mega-Leaks

  • Blackcloud: This actor distributed massive datasets via the Telegram channel @BLACK_CLOUDX. Releases included a 31 million credential ULP list, a 25 million credential list, and a 23 million credential list. All were advertised as “UHQ” (ultra-high quality) and fresh.
  • VitVit / Gektor009: A massive 22.5 million line, 1.2GB combolist in URL:Login:Password format was freely shared by these actors across different forums.
  • RandomUpload: This actor shared a 1 million credential list and a 1.7 million credential list.

2.4 Geographically Targeted Credential Leaks

Many threat actors curated and sold/leaked combolists specifically sorted by the victim’s geographic origin.

  • Russia: Threat actor “CobraEgy” leaked 2.7 million Russian credentials. “MegaCloudshop” and “MailAccesss” both leaked smaller 5,000-record Russian lists.
  • Germany: “HQcomboSpace” shared 414,009 shopping-themed credentials and 130,233 gaming/casino credentials. “MegaCloudshop” and “MailAccesss” shared 23,000 full mail access credentials.
  • Spain: Actor “thejackal101” leaked 436,000 Spanish credentials, a dataset later echoed by “CobraEgy”.
  • Switzerland: “thejackal101” leaked 73,000 credentials.
  • Thailand: “Elite_Cloud1” leaked 62,000 credentials.
  • Turkey: “thejackal101” leaked 61,000 credentials.
  • Sweden: “thejackal101” leaked 47,000 credentials.
  • Taiwan: “thejackal101” leaked 29,000 credentials.
  • Sri Lanka: “thejackal101” leaked 12,000 credentials.
  • Japan: “MegaCloudshop” and “MailAccesss” shared 6,000 Japanese mail access credentials.
  • South Africa: “CobraEgy” shared 67,000 credentials.

2.5 Service-Specific Credential Leaks

  • Microsoft / Hotmail: There was a highly concentrated effort to leak Hotmail and Microsoft-associated credentials. Threat actors including alphaxdd, MailAccesss, noir, HollowKnight07, UniqueCombo, redcloud, snowstormxd, Kokos2846q, karaokecloud, and Adawongv1 flooded forums with Hotmail combolists ranging from 580 to 13,000 records per file.
  • Comcast: Threat actors “steeve75” and “Ra-Zi” sold high-quality combolists containing 142,000 Comcast credential pairs.
  • Netflix, Steam, Spotify: Actor “Ra-Zi” offered 200,000 credential pairs targeting entertainment and gaming platforms.
  • Yahoo & Gmail: “HQcomboSpace” shared 931,601 Yahoo lines, while “D4rkNetHub” shared over 100,000 Gmail credentials.
  • Education Sector (EDU): Actor “zod” shared an EDU combolist containing 111,935 credentials, and actor “IMROG” advertised valid, fresh EDU credentials.

3. Website Defacement Campaigns

Website defacement remains a prominent tactic for hacktivists and opportunistic cyber vandals. The data highlights the activities of several highly active individuals and groups.

3.1 The “DimasHxR” Defacement Spree

The most prolific individual defacer in this dataset is “DimasHxR,” acting independently without any known team affiliation. This actor demonstrated a distinct pattern of targeting web subdirectories, particularly /readme.txt, /b.html, or Magento-based /pub/media/customer paths, suggesting the automated exploitation of a specific file upload vulnerability or CMS misconfiguration.

DimasHxR successfully defaced the following domains across the globe:

  • Retail and E-commerce: buyshowerdoor.com (US), sidex.es (Spain), tucch.com, moob.ee (Estonia), mecbay.com, riverdaletool.com (US), pneufood.nl (Netherlands), outpro.ee (Estonia), rogersstationery.com, luxyscent.com, nowodvorski.ro (Romania).
  • Healthcare and Pharmaceuticals: pharmedica.com, santehart.com, pharmcohealth.com.
  • Logistics and Business Services: bojoviclogistics.com.ng (Nigeria), businesmind.ru (Russia).
  • Travel and Hospitality: glovetravellersbd.com (Bangladesh), woodflowercottage.com, walkicity.com.
  • Other Sectors: aflife.co.zm (Zambia), pro-zemlyu.ru (Russia), thefittank.com (US), 14slotspk.com.pk (Pakistan), dieschreibers.at (Austria), flametidefinance.com, sitebuild1001.com, danounpromotion.com, altco.com.br (Brazil), stagedstewart.com, remorquegator.com, cbtg.pl (Poland), milenariachile.cl (Chile), famoustoasterybowl.shop, slideteam.net (US).
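
Site operators can check their own web root for files at the locations this section associates with DimasHxR (/readme.txt, /b.html, and the Magento /pub/media/customer path). The sweep below is an added example, not part of the original report; the extension list, the 30-day window, the baseline manifest and the demo tree are assumptions, and the check is independent of whatever vulnerability placed the file.

```python
"""Sweep a web root for files at the paths this report associates with defacements."""
import os
import tempfile
import time
from pathlib import Path

ROOT_NAMES = {"readme.txt", "b.html"}            # root-level names from the report
UPLOAD_DIR = Path("pub") / "media" / "customer"  # Magento path from the report
# Assumption: file types a browser renders or a server executes, which have
# no business in a customer upload directory.
RENDERABLE = {".html", ".htm", ".txt", ".php", ".phtml", ".svg", ".js"}


def sweep(webroot, baseline=frozenset(), max_age_days=30, now=None):
    """Return sorted (relative_path, reason) pairs that deserve a manual look.

    baseline is a set of relative paths known to be legitimate, for example
    taken from the deployment manifest (hypothetical input).
    """
    root = Path(webroot)
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    # Root-level names: only recently changed files that are not in the
    # baseline, since an old readme.txt is usually part of the application.
    for name in ROOT_NAMES:
        candidate = root / name
        if (candidate.is_file() and name not in baseline
                and candidate.stat().st_mtime >= cutoff):
            hits.append((name, "root file modified in window"))
    # Upload directory: any renderable or executable file type is suspect
    # regardless of age, unless the baseline lists it.
    upload = root / UPLOAD_DIR
    if upload.is_dir():
        for candidate in upload.rglob("*"):
            rel = candidate.relative_to(root).as_posix()
            if (candidate.is_file() and rel not in baseline
                    and candidate.suffix.lower() in RENDERABLE):
                hits.append((rel, "renderable file in upload directory"))
    return sorted(hits)


def demo():
    """Build a constructed web root in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / UPLOAD_DIR / "a" / "b").mkdir(parents=True)
        (root / UPLOAD_DIR / "c").mkdir()
        (root / "readme.txt").write_text("changed yesterday")
        (root / "b.html").write_text("part of the site since launch")
        (root / UPLOAD_DIR / "a" / "b" / "x.html").write_text("<h1>unexpected</h1>")
        (root / UPLOAD_DIR / "c" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (root / UPLOAD_DIR / "terms.txt").write_text("shipped with the theme")
        # Age b.html beyond the window so it counts as long-standing content.
        old = time.time() - 400 * 86400
        os.utime(root / "b.html", (old, old))
        return sweep(root, baseline={"pub/media/customer/terms.txt"})


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```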

3.2 The “Umbra Community” and “PWNLOLZ” Operations

  • Umbra Community: Represented primarily by the actor “L4663R666H05T”, this group executed targeted, single-site defacements often focusing on media directories. Victims included Electronics Bazaar, Interrecords, Electrical4All (UK), Anjali Fab (India), Leeco Steel (US), and mymalleg.com.
  • PWNLOLZ: The actor “aksaity” operating under this team targeted main index pages (homepages) primarily in India and Brazil. Victims included Atharva Palace Jaipur (India), BrasilSSH (Brazil), Uptise, Saanvi Systems (India), Consumer Care Service Center (India), and JetaAds.

3.3 Regional and Ideological Hacktivism

  • Indonesian Groups: The Indonesian defacement scene remains highly active. “Mr.spongebob” of “Hackersec.ID” defaced the Lebak Regency Government Portal. “Babayo Eror System” defaced the South Sulawesi Provincial Education Department website. “Dewata Blackhat” defaced jopssed.org. “Irene” of “XmrAnonye.id” defaced The Daily Hug blog. “Zod” executed a mass defacement against titik0km.com.
  • Pro-Palestinian Operations: The hacktivist group “OpsShadowStrike” defaced the Indian website advancebirdnetservices.com, using hashtags like #SavePalestine.
  • Russian-aligned Operations: The group “NoName057(16)” compromised the internal CCTV network of Pearce’s Farm Shop and Cafe in the UK, gaining real-time access to 32 cameras in stated retaliation for British support of Ukraine. Furthermore, the Russian group “OverFlame” targeted the Ukrainian automotive domain parus-auto.com.ua.

3.4 Other Defacements

  • “maw3six” defaced Realogistic and the Polish site evaron.pl.
  • “XYZ” of “Alpha Wolf” defaced the German cycling retailer rad-hof.de.
  • “QATAR911” defaced a subpage of the Dutch music festival Koninginnepop.
  • “systemdarkdenied” defaced a security subdomain of D-Link India.
  • “ffd” of team “dfdf” defaced faef.com.
  • “Keymous” defaced The Spirit High School Yashfa Campus in Pakistan.

4. Initial Access, Malware, and Cybercrime Infrastructure

The underground economy is highly diversified, offering sophisticated tools, pre-established network access, and specialized fraud services to lower the barrier of entry for malicious actors.

4.1 Initial Access Brokers (IABs)

IABs sell unauthorized entry into corporate networks, facilitating devastating subsequent attacks like ransomware.

  • Pulse Secure VPN Compromise: Threat actor “KazeFreak” sold initial access to an Indian insurance company generating $500M-$1B in annual revenue. The access was achieved via a compromised Pulse Secure VPN with “Cloud Admin” privileges on a network of 5,000 hosts protected by CrowdStrike Falcon.
  • Bulk Root Access: Actor “alon3Hunt” sold root-level access to over 400 global websites via escrow on dark forums.
  • Logistics Platform: Actor “xdlolxd” sold full access for $1,000 to Packeta, a European logistics platform serving 60,000 online stores across 30 countries.
  • Telecommunications Panel: Actor “0miedoPenta” claimed access to the administrator panel of Movistar Peru, exposing user data and management capabilities.
  • Mail Account Access: Actor “EngineeringPhantom” ran an active service selling mail account access, configs, and scripts targeting users in France, Belgium, Australia, Canada, the UK, the US, and Japan.

4.2 Malware and Exploit Distribution

  • Android Crypto RAT: Actor “OnarDev” sold a sophisticated Android Remote Access Trojan targeting banking and cryptocurrency applications. Features included VNC remote control, keylogging, banking overlays, ransomware, silent APK deployment, and camera/microphone access, bundled with anti-detection obfuscation.
  • Hardware Wallet Supply Chain Attack: Chinese threat actors were observed selling counterfeit Ledger hardware cryptocurrency wallets modified with embedded malicious chips, Wi-Fi, and Bluetooth modules designed to silently exfiltrate seed phrases and funds.
  • Microsoft RDWeb RCE Methodology: An actor named “Carat” published a detailed methodology on a Tier 1 underground forum for discovering and exploiting Remote Code Execution (RCE) vulnerabilities in Microsoft RDWeb, focusing on unsafe .NET deserialization and trust boundary crossings.
  • BLACKNET-00: A group called “Infrastructure Destruction Squad” sold a malicious tool named BLACKNET-00 for $200.
  • Cracked Streaming Tools: Actor “Starip” distributed a cracked, potentially malware-laced version of “StreamFab Premium,” advising users to disable their antivirus software prior to installation.

4.3 Credential Harvesting and Account Takeover Tools

  • Stealer Logs: The harvesting of active session data is prevalent. Actor “KazeFreak” released 2,500 “Mystic Stealer” logs from Japanese Windows 10 users, containing Chrome browser cookies and cryptocurrency wallet data. “UP_DAISYCLOUD” freely shared 5,406 fresh stealer logs via cloud storage.
  • Session Cookies: Actor “bluestarcrack” frequently leaked active session cookies via third-party hosting sites, compromising accounts for platforms like Netflix, TikTok, Steam, Costco, Target, Shein, OnlyFans, Binance, and LinkedIn. These cookies allow attackers to bypass standard authentication and MFA.
  • SilverBullet Configs: Actor “fent888” distributed SilverBullet configuration files designed to automate credential stuffing attacks against Disney Plus, Crunchyroll, Mullvad VPN, SFR, Hotmail, and Glovo.
  • OnlyFans/Fansly Cracking Pack: Actor “Starip” distributed a bundle of tools designed to automate credential checking and content indexing against adult platforms OnlyFans and Fansly.

4.4 Fraud Support Services

  • SMS Verification Bypass: The service “majorphones” sold virtual phone numbers and physical SIM card services to facilitate SMS/OTP verification bypass for fraudulent account creation. The service included API access and bulk messaging capabilities.
  • Document Forgery: The alias “BBYSHOP” advertised a document forgery service rendering high-quality passports, bank statements, and selfies, claiming a 99% conversion rate. Similarly, actor “decipher” sold fraudulent passport and driver’s license scans for any country, while “vad428” sold identity document scans from the CIS and Europe.
  • Credit Card (CVV) Trading: The actor “yidat” sold non-VBV (Verified by Visa) credit cards that bypass OTP authentication, offering CC-to-BTC cash-out services. The “PepeCard” store advertised 100,000+ daily card renewals globally, and “Xiao Blyat” sold live-tested CVV data across 180 countries.
  • OSINT Bots: The Telegram bot “Dyxless” was advertised as an intelligence-gathering tool that searches aggregated data leaks to uncover phone numbers, facial recognition data, border crossings, and criminal records.
  • DMCA Abuse: Actor “Ab_DMCA” sold a service designed to abuse DMCA takedown notices to sabotage competitor SEO and trigger domain suspensions, specifically marketing to the iGaming industry.

5. Cybercrime Ecosystem Dynamics and Forum Drama

The underground forums are not merely marketplaces but complex communities fraught with internal conflicts, law enforcement pressure, and operational instability.

5.1 BreachForums Revival and Authentication

Following law enforcement disruptions, “BreachForums” claimed to be back online at breachforums.ai, featuring new anti-spam protections and a credits system. The prominent threat actor group “ShinyHunters” posted an official verification message to establish their identity and warn the community about impersonators (named “Mattys Savoie” & “James”) who were allegedly misusing their PGP key to extort ransoms.

5.2 Inter-Forum Conflict and Doxxing

A severe escalation in inter-forum rivalry occurred when the owner of the competing “DarkForums” platform (known by aliases “Knox,” “Lucifer,” “Hritik,” or “AnonOne”) was extensively doxed. A post on a Breach Telegram channel, amplified by ShinyHunters, revealed the owner’s true identity as Hritik Kumbhar from Odisha, India. The doxxing, executed in retaliation for alleged attacks against BreachForums users, exposed his home address, mobile data IPs, school location, PayPal details, and multiple social media profiles.


6. Institutional Responses and Acknowledged Incidents

While the dark web is flooded with claims, clear-web reports confirmed several ongoing incident responses during this 48-hour window.

  • Corporate Affairs Commission (Nigeria): The CAC confirmed a cyberattack involving unauthorized system access, activating response protocols and urging users to monitor records.
  • Clinton County (Iowa, US): The county government took parts of its network offline following the detection of a cyber intrusion. Forensic analysis confirmed a contained threat, and essential services were subsequently restored.
  • Fusion Superplex (Bahamas): The entertainment complex experienced a cybersecurity incident impacting systems, prompting them to take online ticketing offline as a precautionary measure during recovery.

Conclusion

The intelligence gathered between April 17 and April 18, 2026, portrays a cyber threat landscape operating at a staggering scale. The sheer volume of data compromised—spanning hundreds of millions of plaintext credentials, highly sensitive corporate databases, and critical government infrastructure—indicates that threat actors are operating with relative impunity and highly automated efficiency.

The most critical takeaway is the weaponization of the supply chain and third-party environments. The repeated targeting of Snowflake environments by the ShinyHunters collective to breach massive organizations like Advance Auto Parts, LAUSD, and Neiman Marcus highlights a systemic vulnerability in cloud data warehousing security. Furthermore, the industrial-scale distribution of tens of millions of credential pairs by bots on XForums guarantees that credential stuffing attacks will remain a persistent, high-volume threat against enterprise authentication portals globally. Organizations must adopt zero-trust architectures, enforce stringent MFA protocols, and continuously monitor underground markets to preemptively invalidate compromised session tokens and credentials before they are weaponized.

Detected Incidents Draft Data

  1. Alleged Private Hacking Training Course Offering Ransomware, Malware, and Exploitation Techniques
    Category: Malware
    Content: A group identified as CY8ER AGENCY INDONESIA is advertising an open private hacking class covering a wide range of offensive cybersecurity topics including CVE exploitation, SQL injection, web defacement, webshell/script creation, ransomware and malware development for APK/Web platforms, dorking, and database extraction. The course also promises VVIP tools and mentorship. Contact is via Telegram handle @cy8ern4ti0n.
    Date: 2026-04-17T23:46:44Z
    Network: telegram
    Published URL: https://t.me/cyberagencyindonesia/24
    Screenshots:
    None
    Threat Actors: CY8ER AGENCY INDONESIA
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  2. Alleged leak of 21,000 valid email credentials (combolist)
    Category: Combo List
    Content: A threat actor known as TeraCloud1 shared a combolist containing approximately 21,000 allegedly valid email and password combinations on a cybercrime forum. The content is hidden behind a registration or login requirement, suggesting it is restricted to forum members. No specific victim organization, industry, or country has been identified.
    Date: 2026-04-17T23:37:06Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-21K-VALID-MAIL-ACCESS–200795
    Screenshots:
    None
    Threat Actors: TeraCloud1
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  3. Alleged leak of mixed email credential combolist
    Category: Combo List
    Content: A threat actor known as StrawHatBase has made available a combolist containing approximately 14,000 email address and password combinations on the cybercrime forum DemonForums. The post is titled GOOD MAIL ACCESS MIX, suggesting the credentials span multiple email providers. The content is hidden behind a registration or login requirement, indicating it is restricted to forum members.
    Date: 2026-04-17T23:36:12Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-14K-GOOD-MAIL-ACCESS-MIX
    Screenshots:
    None
    Threat Actors: StrawHatBase
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  4. Alleged leak of corporate email credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 68,191 corporate email and password combinations via a Mega.nz file sharing link. The credential list, described as Corporate MailPass Leaks, appears to aggregate email:password pairs from multiple organizations. The data was shared freely on the cracking forum CrackingX without any payment requirement.
    Date: 2026-04-17T23:35:25Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72436/
    Screenshots:
    None
    Threat Actors: HQcomboSpace
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Multiple Organizations
    Victim Site: Unknown
  5. Alleged leak of stealer logs distributed via cloud storage
    Category: Logs
    Content: A threat actor operating under the alias UP_DAISYCLOUD has made available a collection of 5,406 stealer logs dated April 17, shared freely via a Pixeldrain cloud storage link. The logs likely contain harvested credentials and other sensitive data captured by information-stealing malware. No specific victim organization or country has been identified.
    Date: 2026-04-17T23:12:54Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-%F0%9F%9A%80-5406-LOGS-CLOUD-%E2%98%81-17-APRIL-%E2%9D%A4%EF%B8%8F-FRESH-LOGS%E2%9D%97%EF%B8%8F
    Screenshots:
    None
    Threat Actors: UP_DAISYCLOUD
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  6. Alleged leak of Hotmail credentials combolist
    Category: Combo List
    Content: A threat actor known as MailAccesss has shared a combolist of approximately 700 Hotmail account credentials on a cracking forum, described as fresh hits of top quality dated April 18. The content is available to registered users of the forum and may represent recently verified working email and password combinations.
    Date: 2026-04-17T22:59:16Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72433/
    Screenshots:
    None
    Threat Actors: MailAccesss
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  7. Website Defacement of Electronics Bazaar by L4663R666H05T (Umbra Community)
    Category: Defacement
    Content: On April 18, 2026, the threat actor L4663R666H05T, affiliated with the group Umbra Community, defaced a subdirectory of electronicsbazaar.com. The attack targeted a media or public directory path and was a standalone, non-mass defacement. No specific motive or server details were disclosed in the available data.
    Date: 2026-04-17T22:56:40Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845792
    Screenshots:
    None
    Threat Actors: L4663R666H05T, Umbra Community
    Victim Country: Unknown
    Victim Industry: Retail / Electronics
    Victim Organization: Electronics Bazaar
    Victim Site: electronicsbazaar.com
  8. Website Defacement of Interrecords by L4663R666H05T of Umbra Community
    Category: Defacement
    Content: On April 18, 2026, the website interrecords.net was defaced by threat actor L4663R666H05T, affiliated with the group Umbra Community. The attack was a targeted single-site defacement, with no mass or redefacement indicators noted. The incident was archived and mirrored via zone-xsec.com.
    Date: 2026-04-17T22:53:52Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845798
    Screenshots:
    None
    Threat Actors: L4663R666H05T, Umbra Community
    Victim Country: Unknown
    Victim Industry: Media / Entertainment
    Victim Organization: Interrecords
    Victim Site: interrecords.net
  9. Website Defacement of Koninginnepop by QATAR911
    Category: Defacement
    Content: On April 18, 2026, the threat actor QATAR911 defaced a page on the Dutch music festival website koninginnepop.nl. The attack targeted a specific subpage (qa123.htm) rather than the homepage, indicating a targeted single-page defacement. No mass or redefacement characteristics were identified in this incident.
    Date: 2026-04-17T22:20:02Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845779
    Screenshots:
    None
    Threat Actors: QATAR911
    Victim Country: Netherlands
    Victim Industry: Entertainment / Music Festival
    Victim Organization: Koninginnepop
    Victim Site: www.koninginnepop.nl
  10. Alleged Data Breach of Claro El Salvador by Anonymous Switzerland
    Category: Data Breach
    Content: The threat actor group Anonymous Switzerland claims to have breached Claro El Salvador, the largest telecommunications provider in El Salvador. The group alleges exfiltration of over 200 GB of internal data, including PDF, DOC, XLSX, and DOCX files containing contracts, user data, and corporate information. Approximately 5 GB of sensitive data has been made available for free download via Gofile links. The operation is framed under hacktivist campaigns #OpUSA, #OpIsrael, and #OpSalvador, targeting countries with perceived ties to the US and Israel.
    Date: 2026-04-17T22:14:55Z
    Network: telegram
    Published URL: https://t.me/Anonymous_Switzerland/128
    Screenshots:
    None
    Threat Actors: Anonymous Switzerland
    Victim Country: El Salvador
    Victim Industry: Telecommunications
    Victim Organization: Claro El Salvador
    Victim Site: Unknown
  11. Website Defacement of Electrical4All by L4663R666H05T (Umbra Community)
    Category: Defacement
    Content: On April 18, 2026, the UK-based electrical supplies retailer Electrical4All had its website defaced by threat actor L4663R666H05T, operating under the group Umbra Community. The defacement targeted a media directory path on the site and was recorded as a single, non-mass defacement incident. A mirror of the defaced page has been archived via zone-xsec.com.
    Date: 2026-04-17T22:13:50Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845771
    Screenshots:
    None
    Threat Actors: L4663R666H05T, Umbra Community
    Victim Country: United Kingdom
    Victim Industry: Retail / Electrical Supplies
    Victim Organization: Electrical4All
    Victim Site: electrical4all.co.uk
  12. Website Defacement of Anjalifab by L4663R666H05T of Umbra Community
    Category: Defacement
    Content: On April 18, 2026, a threat actor identified as L4663R666H05T, operating under the group Umbra Community, defaced a media/custom directory path on the website of Anjali Fab, likely an Indian textile or fabric company. The incident was a targeted single-site defacement, with no mass or redefacement indicators noted. A mirror of the defaced page was archived via zone-xsec.com.
    Date: 2026-04-17T22:11:45Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845770
    Screenshots:
    None
    Threat Actors: L4663R666H05T, Umbra Community
    Victim Country: India
    Victim Industry: Textile / Fashion Manufacturing
    Victim Organization: Anjali Fab
    Victim Site: www.anjalifab.com
  13. Website Defacement of Leeco Steel by L4663R666H05T (Umbra Community)
    Category: Defacement
    Content: On April 18, 2026, the threat actor L4663R666H05T, affiliated with the group Umbra Community, defaced a web page on leecosteel.com, a steel products company. The defacement targeted a subdirectory of the site rather than the homepage and was not part of a mass defacement campaign. A mirror of the defaced page was archived at zone-xsec.com.
    Date: 2026-04-17T22:09:20Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845767
    Screenshots:
    None
    Threat Actors: L4663R666H05T, Umbra Community
    Victim Country: United States
    Victim Industry: Manufacturing / Steel Industry
    Victim Organization: Leeco Steel
    Victim Site: leecosteel.com
  14. Alleged leak of multi-platform credential combolist targeting Netflix, Minecraft, Steam, and other services
    Category: Combo List
    Content: A threat actor operating under the alias Ra-Zi has made available a combolist of approximately 200,000 email:password credential pairs allegedly valid for multiple platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The post provides a hidden download link accessible upon registration and promotes a Telegram channel and website associated with credential trading. The actor also advertises paid combolist services via Telegram handle @KOCsupport, offering various credential
    Date: 2026-04-17T22:05:06Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-200k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–200774
    Screenshots:
    None
    Threat Actors: Ra-Zi
    Victim Country: Unknown
    Victim Industry: Entertainment, Gaming
    Victim Organization: Netflix, Minecraft, Uplay, Steam, Hulu, Spotify
    Victim Site: Unknown
  15. Alleged sale and leak of 200,000 mixed email and password credentials
    Category: Combo List
    Content: A threat actor operating under the alias steeve75 has made available a combolist containing approximately 200,000 email:password and username:password credential pairs on the cracking forum CX. The combolist reportedly includes accounts from multiple email providers such as AOL, Yahoo, Hotmail, and Outlook, spanning various countries including France, the UK, Germany, the USA, Spain, Italy, Canada, and Australia. The actor is also advertising the sale of additional high-quality combolists via
    Date: 2026-04-17T22:03:43Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72431/
    Screenshots:
    None
    Threat Actors: steeve75
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  16. Alleged leak of URL:Login:Password combolist with 210,000 credentials
    Category: Combo List
    Content: A threat actor operating under the alias Seaborg has shared a combolist containing 210,000 URL:Login:Password credential pairs on the cracking forum CrackingX. The post is labeled EXCLUSIVE PLUTONIUM and marked as UHQ (ultra-high quality), suggesting the credentials may be fresh or have a high validity rate. No specific victim organization or country is identified, indicating the combolist likely aggregates credentials from multiple sources.
    Date: 2026-04-17T21:45:17Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72430/
    Screenshots:
    None
    Threat Actors: Seaborg
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  17. Website Defacement of mymalleg.com by L4663R666H05T of Umbra Community
    Category: Defacement
    Content: On April 18, 2026, a threat actor identified as L4663R666H05T, operating under the group Umbra Community, defaced a page on mymalleg.com, likely an e-commerce or retail platform, as suggested by the pub/media path, which is indicative of Magento-based infrastructure. The attack was a targeted single-page defacement, not classified as a mass or home page defacement. No specific motive or server details were disclosed.
    Date: 2026-04-17T21:35:36Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845764
    Screenshots:
    None
    Threat Actors: L4663R666H05T, Umbra Community
    Victim Country: Unknown
    Victim Industry: E-commerce / Retail
    Victim Organization: My Mall EG
    Victim Site: mymalleg.com
  18. Alleged leak of Hotmail credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias wingoooW has made available a combolist of alleged Hotmail email and password credentials on a cybercrime forum. The post describes the list as UHQ (ultra-high quality), suggesting the credentials are claimed to be largely valid. The combolist was shared via an external paste site as a free download with no price indicated.
    Date: 2026-04-17T21:27:53Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-VALID-HOTMAIL-UHQ
    Screenshots:
    None
    Threat Actors: wingoooW
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  19. Alleged leak of mixed email credentials combolist (29,000 records)
    Category: Combo List
    Content: A threat actor operating under the alias MegaCloudshop has shared a combolist containing approximately 29,000 email address and password credential pairs, described as a mixed mail access list. The content is hidden behind a registration or login requirement on the forum, with the actor also promoting their storefront at megacloudshop.top. No specific victim organization or targeted service has been identified.
    Date: 2026-04-17T21:26:46Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-29K-Fresh-Mail-Access-Mix-17-04–200772
    Screenshots:
    None
    Threat Actors: MegaCloudshop
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  20. Alleged leak of 29,000 mixed email account credentials
    Category: Combo List
    Content: A threat actor using the alias MailAccesss has made available a combolist of approximately 29,000 mixed email account credentials on the cracking forum CrackingX. The post, dated April 17, is categorized under Combolists & Dumps and the content is restricted to registered forum users. The victim organizations, countries, and email providers affected are not specified in the post.
    Date: 2026-04-17T21:26:19Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72428/
    Screenshots:
    None
    Threat Actors: MailAccesss
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  21. Alleged leak of German gaming and casino credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 130,233 credential entries targeting German gaming and casino platforms. The data was shared for free via a Mega.nz file hosting link on the cracking forum CrackingX. No specific victim organizations or domains were identified in the post.
    Date: 2026-04-17T21:26:04Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72429/
    Screenshots:
    None
    Threat Actors: HQcomboSpace
    Victim Country: Germany
    Victim Industry: Gaming and Gambling
    Victim Organization: Unknown
    Victim Site: Unknown
  22. Alleged Data Breach of Russian Federal Border Service Kordon System
    Category: Data Breach
    Content: A threat actor is selling a database allegedly obtained from the Russian Federal Border Service's Kordon system, compromised in September 2023. The database contains over 1.09 billion records covering border crossing events from 2014 to 2023, including full names, dates of birth, travel document details, citizenship, and detailed border crossing metadata for approximately 79.5 million unique individuals from 195 countries. The full database is priced at $30,000, with individual country subsets
    Date: 2026-04-17T21:03:26Z
    Network: openweb
    Published URL: https://breached.st/threads/data-leak-kordon-russian-federal-border-service-2023-full.86057/unread
    Screenshots:
    None
    Threat Actors: gosee
    Victim Country: Russia
    Victim Industry: Government
    Victim Organization: Russian Federal Border Service (Kordon)
    Victim Site: Unknown
  23. Alleged leak of SilverBullet credential stuffing configs for multiple services
    Category: Data Leak
    Content: A threat actor operating under the alias fent888 has freely distributed six SilverBullet configuration files targeting Disney Plus, Crunchyroll, Mullvad VPN, SFR, Hotmail, and Glovo via a public file hosting link. SilverBullet configs are used to automate credential stuffing attacks against specific web services. These configs enable attackers to test large volumes of credentials against the targeted platforms.
    Date: 2026-04-17T21:02:45Z
    Network: openweb
    Published URL: https://breached.st/threads/star6-premium-svb-configsstardisneyplusstarcrunchyrollstarmullvadvpnstarsfr-frstarhotmailstarglovostar.86056/unread
    Screenshots:
    None
    Threat Actors: fent888
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Disney Plus, Crunchyroll, Mullvad VPN, SFR, Hotmail, Glovo
    Victim Site: disneyplus.com, crunchyroll.com, mullvad.net, sfr.fr, hotmail.com, glovoapp.com
  24. Website Defacement of Atharva Palace Jaipur by aksaity (PWNLOLZ)
    Category: Defacement
    Content: On April 18, 2026, threat actor aksaity, operating under the team PWNLOLZ, defaced the homepage of Atharva Palace Jaipur, a hospitality establishment based in Jaipur, India. The attack was a targeted single-site defacement replacing the main index page. No mass defacement or prior redefacement activity was recorded for this incident.
    Date: 2026-04-17T20:50:35Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845722
    Screenshots:
    None
    Threat Actors: aksaity, PWNLOLZ
    Victim Country: India
    Victim Industry: Hospitality
    Victim Organization: Atharva Palace Jaipur
    Victim Site: atharvapalacejaipur.in
  25. Website Defacement of BrasilSSH by aksaity of PWNLOLZ
    Category: Defacement
    Content: On April 18, 2026, the website brasilssh.com was defaced by threat actor aksaity, operating under the team PWNLOLZ. The attack targeted the homepage of BrasilSSH, a Brazil-based platform likely associated with SSH services or cybersecurity tooling. The incident was a single-site, non-mass defacement with no prior redefacement history recorded.
    Date: 2026-04-17T20:49:27Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845720
    Screenshots:
    None
    Threat Actors: aksaity, PWNLOLZ
    Victim Country: Brazil
    Victim Industry: Technology / Cybersecurity Services
    Victim Organization: BrasilSSH
    Victim Site: brasilssh.com
  26. Alleged Leak of 13,000 Hotmail Valid Credentials
    Category: Combo List
    Content: A threat actor known as Cir4d has shared a combolist containing approximately 13,000 allegedly valid Hotmail credentials on the cracking forum CrackingX. The credential list was made available via an external paste link. The records are described as valid access, suggesting the credentials have been verified against Hotmail authentication systems.
    Date: 2026-04-17T20:48:21Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72427/
    Screenshots:
    None
    Threat Actors: Cir4d
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft Hotmail
    Victim Site: hotmail.com
  27. Website Defacement of Uptise by aksaity of PWNLOLZ
    Category: Defacement
    Content: On April 18, 2026, the website uptise.com was defaced by threat actor aksaity, operating under the group PWNLOLZ. The attack targeted the homepage of the site in a single, targeted defacement operation. No specific motive or technical details regarding the server infrastructure were disclosed.
    Date: 2026-04-17T20:48:05Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845736
    Screenshots:
    None
    Threat Actors: aksaity, PWNLOLZ
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Uptise
    Victim Site: uptise.com
  28. Alleged cyber attack on The Spirit High School Yashfa Campus Mianwali, Pakistan
    Category: Defacement
    Content: Threat actor Keymous claims to have targeted The Spirit High School Yashfa Campus located in Mianwali, Pakistan. The post is consistent with defacement or cyber attack activity typical of this group, referencing their network channels and branding.
    Date: 2026-04-17T20:48:01Z
    Network: telegram
    Published URL: https://t.me/c/2588114907/1108
    Screenshots:
    None
    Threat Actors: Keymous
    Victim Country: Pakistan
    Victim Industry: Education
    Victim Organization: The Spirit High School Yashfa Campus Mianwali
    Victim Site: Unknown
  29. Website Defacement of Saanvi Systems by aksaity (PWNLOLZ)
    Category: Defacement
    Content: On April 18, 2026, threat actor aksaity, operating under the team PWNLOLZ, defaced the homepage of Saanvi Systems (saanvisystems.com). The attack was a targeted single-site defacement replacing the home page content. No specific motive or vulnerability details were disclosed in the available reporting.
    Date: 2026-04-17T20:46:58Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845716
    Screenshots:
    None
    Threat Actors: aksaity, PWNLOLZ
    Victim Country: India
    Victim Industry: Technology / IT Services
    Victim Organization: Saanvi Systems
    Victim Site: saanvisystems.com
  30. Website Defacement of Consumer Care Service Center by aksaity (PWNLOLZ)
    Category: Defacement
    Content: On April 18, 2026, the website consumercareservicecenter.in was defaced by threat actor aksaity, operating under the team PWNLOLZ. The attack targeted the homepage of the Indian consumer services website in a single-target defacement operation. The incident has been archived and mirrored via zone-xsec.com.
    Date: 2026-04-17T20:45:30Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845730
    Screenshots:
    None
    Threat Actors: aksaity, PWNLOLZ
    Victim Country: India
    Victim Industry: Consumer Services
    Victim Organization: Consumer Care Service Center
    Victim Site: consumercareservicecenter.in
  31. Website Defacement of JetaAds by aksaity (PWNLOLZ)
    Category: Defacement
    Content: On April 18, 2026, the website jetaads.com was defaced by threat actor aksaity, operating under the team PWNLOLZ. The attack targeted the homepage of the advertising platform in a single-target defacement operation. The incident has been archived and mirrored via zone-xsec.com.
    Date: 2026-04-17T20:43:59Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845717
    Screenshots:
    None
    Threat Actors: aksaity, PWNLOLZ
    Victim Country: Unknown
    Victim Industry: Advertising
    Victim Organization: JetaAds
    Victim Site: jetaads.com
  32. Alleged leak of Spanish credential combolist containing 436,000 email:password pairs
    Category: Combo List
    Content: A threat actor known as thejackal101 has made available a combolist of approximately 436,000 email:password credential pairs purportedly sourced from Spain. The content is described as FRESH and HQ (high quality), suggesting recently validated credentials. The post directs users to a Telegram channel (@elite_cloud1) for additional credential lists.
    Date: 2026-04-17T20:30:00Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-436-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Spain-%E2%9C%AA-17-APR-2026-%E2%9C%AA
    Screenshots:
    None
    Threat Actors: thejackal101
    Victim Country: Spain
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  33. Alleged leak of Switzerland credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 73,000 email and password credential pairs allegedly associated with Switzerland. The list is described as fresh and high quality and is shared via a hidden download link on the forum. The actor promotes additional credential material through a Telegram channel at t.me/elite_cloud1.
    Date: 2026-04-17T20:29:19Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-73-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Switzerland-%E2%9C%AA-17-APR-2026-%E2%9C%AA
    Screenshots:
    None
    Threat Actors: thejackal101
    Victim Country: Switzerland
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  34. Alleged leak of Turkish email credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias thejackal101 has shared a combolist of approximately 61,000 email address and password combinations purportedly associated with Turkish users. The credential list is described as fresh and high quality and was made available via a hidden download link on the forum. The actor also directs users to a Telegram channel (@elite_cloud1) for additional credential material.
    Date: 2026-04-17T20:28:36Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-61-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Turkey-%E2%9C%AA-17-APR-2026-%E2%9C%AA
    Screenshots:
    None
    Threat Actors: thejackal101
    Victim Country: Turkey
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  35. Alleged leak of Thailand email credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias Elite_Cloud1 has made available a combolist of approximately 62,000 email address and password credential pairs allegedly sourced from Thailand. The list is described as fresh and high quality and is being distributed freely via a Telegram channel. No specific victim organization or service has been identified.
    Date: 2026-04-17T20:28:02Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-62-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Thailand-%E2%9C%AA-17-APR-2026-%E2%9C%AA
    Screenshots:
    None
    Threat Actors: thejackal101
    Victim Country: Thailand
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  36. Alleged leak of Swedish credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias thejackal101 has made available a combolist containing approximately 47,000 email and password credential pairs allegedly associated with Swedish users. The list is described as fresh and high quality, and was shared freely on a cybercrime forum. The actor promotes additional credential materials via a Telegram channel at t.me/elite_cloud1.
    Date: 2026-04-17T20:27:23Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-47-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Sweden-%E2%9C%AA-17-APR-2026-%E2%9C%AA
    Screenshots:
    None
    Threat Actors: thejackal101
    Victim Country: Sweden
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  37. Alleged leak of Taiwan credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 29,000+ email and password combinations allegedly sourced from Taiwan. The credential list is described as Fresh and High Quality and is shared via a hidden content mechanism on the forum. The actor promotes additional credential logs through a Telegram channel at t.me/elite_cloud1.
    Date: 2026-04-17T20:26:53Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-29-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Taiwan-%E2%9C%AA-17-APR-2026-%E2%9C%AA
    Screenshots:
    None
    Threat Actors: thejackal101
    Victim Country: Taiwan
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  38. Alleged leak of Sri Lanka credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 12,000+ email:password credential pairs allegedly associated with Sri Lanka. The list is described as fresh and high quality and is shared via a hidden download link on the forum. The actor also promotes a Telegram channel (@elite_cloud1) for additional credential logs.
    Date: 2026-04-17T20:26:22Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-12-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Sri-Lanka-%E2%9C%AA-17-APR-2026-%E2%9C%AA
    Screenshots:
    None
    Threat Actors: thejackal101
    Victim Country: Sri Lanka
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  39. Alleged leak of 1 million URL-login-password credentials
    Category: Combo List
    Content: A threat actor operating under the alias RandomUpload has made available a combolist containing approximately 1 million URL-login-password credential combinations on the cracking forum CrackingX. The post is dated April 26, 2018, and the content is restricted to registered forum users. No specific victim organization or country has been identified.
    Date: 2026-04-17T20:07:45Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72426/
    Screenshots:
    None
    Threat Actors: RandomUpload
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  40. Alleged Data Breach of Diner en Blanc Event Platform
    Category: Data Breach
    Content: A threat actor identified as 888 claims to be selling a database allegedly stolen from Diner en Blanc, a global dining event organization, in April 2026. The database purportedly contains 411,000 unique user records including names, email addresses, invite codes, event participation details, and registration status flags. Sample records suggest the data is linked to event registrations across multiple cities including Baltimore.
    Date: 2026-04-17T20:01:01Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-DinerEnBlanc-com-Database-Leaked-Download
    Screenshots:
    None
    Threat Actors: 888
    Victim Country: Canada
    Victim Industry: Events & Entertainment
    Victim Organization: Diner en Blanc
    Victim Site: dinerenblanc.com
  41. Alleged Data Leak of KFC Hungary Customer Personal Data
    Category: Data Leak
    Content: A threat actor known as herbamatyi has freely shared a sample dataset allegedly originating from KFC Hungary (kfc.hu) on a dark web forum. The leaked records include customer email addresses, plaintext passwords, full names, phone numbers, and physical addresses. The data appears to represent structured customer account records containing multiple personally identifiable information fields.
    Date: 2026-04-17T19:59:26Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-kfc-hu-email-pass-phone-addres
    Screenshots:
    None
    Threat Actors: herbamatyi
    Victim Country: Hungary
    Victim Industry: Food & Beverage / Quick Service Restaurant
    Victim Organization: KFC Hungary
    Victim Site: kfc.hu
  42. Alleged distribution of cracked StreamFab Premium video downloading tool
    Category: Initial Access
    Content: A threat actor on DemonForums has made available a cracked version of StreamFab Premium, a commercial media downloading suite supporting Netflix, Amazon Prime, Disney+, Hulu, and other streaming platforms. The cracked tool is distributed for free and includes full premium features such as high-quality video downloads, batch processing, and multi-platform support. The post notably advises users to disable antivirus software to use the tool, suggesting the cracked build may contain malicious compo
    Date: 2026-04-17T19:48:02Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-StreamFab-Premium-Cracked
    Screenshots:
    None
    Threat Actors: Starip
    Victim Country: Unknown
    Victim Industry: Software
    Victim Organization: StreamFab
    Victim Site: streamfab.com
  43. Alleged Distribution of OnlyFans and Fansly Credential Cracking Tools Pack
    Category: Data Leak
    Content: A threat actor operating under the alias Starip has made available a bundle of cracking and credential-checking utilities targeting OnlyFans and Fansly platforms on DemonForums. The pack includes searcher tools, checker-style utilities, and dataset processing tools designed to automate credential attacks and content indexing against these platforms. The tools are distributed as a free download and are flagged as potentially malicious by antivirus software, consistent with credential stuffing a
    Date: 2026-04-17T19:47:25Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Onlyfans-and-Fansly-Cracking-Tools-Pack
    Screenshots:
    None
    Threat Actors: Starip
    Victim Country: Unknown
    Victim Industry: Adult Content Platforms
    Victim Organization: OnlyFans, Fansly
    Victim Site: onlyfans.com, fansly.com
  44. Alleged RCE Exploitation Methodology for Microsoft RDWeb Published on Underground Forum
    Category: Initial Access
    Content: A threat actor on the T1 underground forum published a detailed technical methodology for discovering and exploiting Remote Code Execution (RCE) vulnerabilities in Microsoft RDWeb (Remote Desktop Web Access). The post covers attack surface mapping across IIS/ASP.NET, RD Gateway, Connection Broker, and RDP parser components, with specific focus on trust boundary crossings between web-layer validation and system-level RPC calls. The methodology highlights unsafe .NET ViewState/Session deserializat
    Date: 2026-04-17T19:44:55Z
    Network: openweb
    Published URL: https://tier1.life/thread/149
    Screenshots:
    None
    Threat Actors: Carat
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  45. Alleged leak of German shopping-themed combolist with 414,009 credentials
    Category: Combo List
    Content: A threat actor known as HQcomboSpace has made available a combolist containing 414,009 credential lines targeting European, specifically German, shopping platforms. The file was shared freely via a Mega.nz link on the cracking forum CrackingX. No specific victim organization or website was identified in the post.
    Date: 2026-04-17T19:10:28Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72420/
    Screenshots:
    None
    Threat Actors: HQcomboSpace
    Victim Country: Germany
    Victim Industry: Retail & E-Commerce
    Victim Organization: Unknown
    Victim Site: Unknown
  46. Alleged Sale of Non-VBV Credit Cards and CC-to-BTC Cashing Services
    Category: Initial Access
    Content: A threat actor operating under the Telegram handle @jake-watar is advertising the sale of non-VBV (Verified by Visa) credit cards that bypass OTP authentication, claiming compatibility with Apple Pay, Google Pay, Cash App, PayPal, eBay, Amazon, and other platforms. The actor also offers a CC-to-BTC cash-out service, enabling conversion of stolen card funds into cryptocurrency. Cards are claimed to be available across all countries and are marketed for use in various fraud schemes including bill
    Date: 2026-04-17T18:53:15Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-%E2%93%82%EF%B8%8F-CC-to-BTC–200760
    Screenshots:
    None
    Threat Actors: yidat
    Victim Country: Unknown
    Victim Industry: Financial Services
    Victim Organization: Unknown
    Victim Site: Unknown
  47. Alleged Sale of Non-VBV Credit Cards and CC-to-BTC Conversion Services
    Category: Initial Access
    Content: A threat actor operating under the alias yidat is advertising the sale of non-VBV (Verified by Visa) credit cards claimed to be usable across multiple platforms including Apple Pay, Cash App, GPay, eBay, Amazon, and PayPal. The actor also offers a CC-to-BTC conversion method and claims the cards are linkable for various fraud methods with no OTP verification required. Contact is facilitated via Telegram handle @jake-watar, with a guarantee of refund or replacement for non-functional cards.
    Date: 2026-04-17T18:34:30Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-%E2%93%82%EF%B8%8F-CC-to-BTC
    Screenshots:
    None
    Threat Actors: yidat
    Victim Country: Unknown
    Victim Industry: Financial Services
    Victim Organization: Unknown
    Victim Site: Unknown
  48. Alleged leak of Gmail credentials combolist
    Category: Combo List
    Content: A threat actor known as D4rkNetHub has made available a combolist allegedly containing over 100,000 Gmail credentials on the cracking forum CrackingX. The post is gated behind registration, limiting full visibility into the data's content and authenticity. The credentials appear to be email and password combinations targeting Google Gmail accounts.
    Date: 2026-04-17T18:15:38Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72418/
    Screenshots:
    None
    Threat Actors: D4rkNetHub
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Google
    Victim Site: gmail.com
  49. Alleged distribution of 8 million business credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias CODER is distributing a combolist claimed to contain 8 million business-related credentials via Telegram channels. The post offers free access to the combolist through two Telegram groups (t.me/Combo445544 and t.me/Coder554455). No specific victim organization or industry has been identified, and the legitimacy of the claimed record count remains unverified.
    Date: 2026-04-17T18:15:13Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72419/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  50. Alleged Data Breach of Ellucian PowerCampus via Neoskool India Affecting Multiple Schools
    Category: Data Breach
    Content: Threat actor ShadowByt3$ claims to have breached Ellucian PowerCampus infrastructure managed by Neoskool India by exploiting misconfigured Amazon S3 buckets and Azure Blob storage as part of Operation Cloud. The breach affects multiple schools across North-East India, primarily in Manipur and Meghalaya, exposing sensitive student and staff PII including Aadhaar numbers, plain-text passwords, ID card photos, bulk enrollment CSVs, financial fee records, mark sheets, and official certificates for
    Date: 2026-04-17T18:08:04Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-ShadowByt3-Claims-Ellucian-PowerCampus
    Screenshots:
    None
    Threat Actors: ShadowByt3S
    Victim Country: India
    Victim Industry: Education
    Victim Organization: Neoskool India / Ellucian PowerCampus
    Victim Site: ellucian.com
  51. Alleged cyber attack targeting parus-auto.com.ua by OverFlame
    Category: Cyber Attack
    Content: Russian hacktivist group OverFlame posted the Ukrainian automotive domain parus-auto.com.ua, suggesting a cyber attack, defacement, or DDoS targeting this Ukrainian organization.
    Date: 2026-04-17T17:28:56Z
    Network: telegram
    Published URL: https://t.me/c/2355478671/582
    Screenshots:
    None
    Threat Actors: OverFlame
    Victim Country: Ukraine
    Victim Industry: Automotive
    Victim Organization: Parus Auto
    Victim Site: parus-auto.com.ua
  52. Alleged leak of 47,000 mixed-domain email credentials
    Category: Combo List
    Content: A threat actor known as Cir4d shared a combolist containing approximately 47,000 alleged valid email credentials spanning multiple domains on a cracking forum. The credential list was made available via an external paste link. No specific victim organization or country has been identified, as the combolist appears to aggregate accounts across mixed domains.
    Date: 2026-04-17T17:19:35Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72415/
    Screenshots:
    None
    Threat Actors: Cir4d
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  53. Alleged leak of mixed-country shopping combolist
    Category: Combo List
    Content: A threat actor operating under the alias CODER has made available a shopping-themed combolist described as Mixed Country, suggesting credentials originate from multiple countries. The combolist is being distributed for free via Telegram channels and groups linked to the actor. No specific victim organizations or record counts have been identified.
    Date: 2026-04-17T17:18:36Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72417/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Retail
    Victim Organization: Unknown
    Victim Site: Unknown
  54. Alleged leak of mixed email credentials including Hotmail accounts
    Category: Combo List
    Content: A threat actor operating under the alias alphaxdd on Demonforums has made available a combolist of 4,638 alleged premium mixed email credentials, including Hotmail validated accounts and private cloud access. The content is hidden behind a registration or login requirement on the forum. The actor also promotes a Telegram handle alphaaxd for further contact.
    Date: 2026-04-17T17:18:33Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-%E2%9A%A1%E2%9A%A1-4638x-PREMIUM-MIX-MAIL-HITS%E2%9A%A1%E2%9A%A1
    Screenshots:
    None
    Threat Actors: alphaxdd
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  55. Website Defacement of The Daily Hug by Irene of XmrAnonye.id
    Category: Defacement
    Content: On April 18, 2026, the website thedailyhug.com was defaced by a threat actor identified as Irene affiliated with the group XmrAnonye.id. The attack targeted the homepage of the site in a singular, non-mass defacement operation. No specific motive or server details were disclosed in connection with the incident.
    Date: 2026-04-17T17:17:59Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/845614
    Screenshots:
    None
    Threat Actors: Irene, XmrAnonye.id
    Victim Country: Unknown
    Victim Industry: Media / Entertainment
    Victim Organization: The Daily Hug
    Victim Site: thedailyhug.com
  56. Website Defacement of The Daily Hug by Irene (XmrAnonye.id)
    Category: Defacement
    Content: On April 17, 2026, the website thedailyhug.com was defaced by a threat actor known as Irene, affiliated with the Indonesian group XmrAnonye.id. The attacker targeted the about.php page on a Linux-based server. The incident was a single targeted defacement, not part of a mass or repeated campaign.
    Date: 2026-04-17T17:00:44Z
    Network: openweb
    Published URL: https://haxor.id/archive/mirror/248585
    Screenshots:
    None
    Threat Actors: Irene, XmrAnonye.id
    Victim Country: Unknown
    Victim Industry: Media/Blog
    Victim Organization: The Daily Hug
    Victim Site: thedailyhug.com
  57. Alleged leak of Hotmail credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias alphaxdd has made available a combolist of 787 alleged valid Hotmail credentials on a cybercrime forum. The post references premium hits with mixed email formats and mentions private cloud access. The actor provides a Telegram handle for contact, with the actual credential content hidden behind a registration wall.
    Date: 2026-04-17T16:59:55Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-787x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F
    Screenshots:
    None
    Threat Actors: alphaxdd
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  58. Alleged leak of Hotmail credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias alphaxdd has made available a combolist of 787 alleged valid Hotmail credentials on the cracking forum CrackingX. The post describes the credentials as premium hits associated with private cloud and mixed mail accounts. The actor can also be contacted via Telegram handle alphaaxd.
    Date: 2026-04-17T16:59:30Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72409/
    Screenshots:
    None
    Threat Actors: alphaxdd
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  59. Alleged leak of 26,000 valid email credentials shared on underground forum
    Category: Combo List
    Content: A threat actor operating under the alias TeraCloud1 has made available a combolist containing approximately 26,000 allegedly valid email credentials on DemonForums. The post requires forum registration or login to access the hidden content, suggesting it is gated but freely available to registered members. No specific victim organization, industry, or country has been identified from the available information.
    Date: 2026-04-17T16:58:59Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-26K-VALID-MAIL-ACCESS–200753
    Screenshots:
    None
    Threat Actors: TeraCloud1
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  60. Alleged leak of mixed corporate credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias CODER has made available a combolist containing approximately 11 million credential pairs sourced from mixed countries and corporate targets. The list is being distributed freely via Telegram channels and groups associated with the actor. No specific victim organizations or industries have been identified.
    Date: 2026-04-17T16:58:21Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72412/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Unknown
    Victim Site: Unknown
  61. Alleged leak of mixed email credential combolist by threat actor klyne05
    Category: Combo List
    Content: A threat actor known as klyne05 has shared a mixed email:password combolist on DemonForums, described as private and freshly verified. The content is hidden behind a like-to-unlock mechanism requiring forum registration or login. No specific victim organization, record count, or targeted service has been identified.
    Date: 2026-04-17T16:57:51Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1MIX-MAIL%E2%9A%A1%E2%9A%A1PRIVATE%E2%9A%A1%E2%9A%A1FRESH%E2%9A%A1%E2%9A%A1CHEKED-BY-klyne05-%E2%9A%A1%E2%9A%A1–200754
    Screenshots:
    None
    Threat Actors: klyne05
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  62. Alleged leak of Yahoo credentials combolist
    Category: Combo List
    Content: A threat actor using the alias HQcomboSpace has made available a mixed-target Yahoo combolist containing approximately 931,601 lines via a Mega.nz file sharing link. The post was shared on the CrackingX forum under the Combolists & Dumps section. The combolist likely contains email and password combinations associated with Yahoo accounts.
    Date: 2026-04-17T16:57:45Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72414/
    Screenshots:
    None
    Threat Actors: HQcomboSpace
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Yahoo
    Victim Site: yahoo.com
  63. Alleged leak of Hotmail credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias KiwiShio has made available a combolist of 1,405 alleged Hotmail credentials on the cracking forum CrackingX. The post offers a free download of what is described as fresh, high-quality email and password combinations. The origin and method of collection of these credentials are unknown.
    Date: 2026-04-17T16:57:08Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72413/
    Screenshots:
    None
    Threat Actors: KiwiShio
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  64. Alleged Data Breach of Hopewell Area School District
    Category: Data Breach
    Content: A threat actor operating under the alias RubiconH4ck claims to be selling approximately 2.4TB of sensitive data allegedly obtained from Hopewell Area School District. The actor is advertising the data on the Breached forum and directing potential buyers to contact them via Telegram. No specific record count or data types were disclosed beyond a general claim of sensitive data.
    Date: 2026-04-17T16:50:58Z
    Network: openweb
    Published URL: https://breached.st/threads/full-acces-hopewell-area-school-district.86055/unread
    Screenshots:
    None
    Threat Actors: RubiconH4ck
    Victim Country: United States
    Victim Industry: Education
    Victim Organization: Hopewell Area School District
    Victim Site: Unknown
  65. Alleged leak of stealer logs containing credentials and cookies from Japanese Windows users via Mystic Stealer
    Category: Logs
    Content: A threat actor operating under the alias KazeFreak has made available approximately 2,500 stealer logs collected via Mystic Stealer from Japanese victims running Windows 10 Pro (22H2). The logs contain credentials in URL:LOGIN:PASS format, browser cookies, and cryptocurrency wallet data harvested from Chrome 121.x. The actor references an onion marketplace where fresh logs are allegedly added daily within 72 hours of extraction.
    Date: 2026-04-17T16:48:33Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-2500-logs-URL-LOGIN-PASS-Mystic-Stealer–73759
    Screenshots:
    None
    Threat Actors: KazeFreak
    Victim Country: Japan
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  66. Alleged sale of initial access to Indian insurance company via Pulse Secure VPN
    Category: Initial Access
    Content: A threat actor identified as KazeFreak is selling alleged initial access to an Indian insurance company via a compromised Pulse Secure VPN with Cloud Admin (Owner) privileges. The target organization reportedly generates between $500 million and $1 billion in annual revenue and operates a network of approximately 5,000 hosts. The endpoint is protected by CrowdStrike Falcon, and the access is being offered through a darknet marketplace.
    Date: 2026-04-17T16:47:24Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-VPN-Pulse-Secure-Insurance-India-500M-1B-revenue
    Screenshots:
    None
    Threat Actors: KazeFreak
    Victim Country: India
    Victim Industry: Insurance
    Victim Organization: Unknown
    Victim Site: Unknown
  67. Alleged Data Breach of Fédération Française de Basket-Ball Affecting 2.7 Million Records
    Category: Data Breach
    Content: A threat actor known as HexDex is selling a structured database dump allegedly obtained from the French Basketball Federation (FFBB), containing personal data of approximately 1,926,409 members and roughly 800,000 parents. Exposed data includes full names, dates of birth, addresses, email addresses, phone numbers, license numbers, medical certificate dates, nationality, height, and organizational affiliations. The dataset also contains parental contact information including phone numbers and ema
    Date: 2026-04-17T16:46:08Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-FR-2-7M-F%C3%A9d%C3%A9ration-Fran%C3%A7aise-de-Basket-Ball
    Screenshots:
    None
    Threat Actors: HexDex
    Victim Country: France
    Victim Industry: Sports & Recreation
    Victim Organization: Fédération Française de Basket-Ball
    Victim Site: ffbb.com
  68. Alleged Data Breach of Pakistan Nuclear Regulatory Authority (PNRA) Mail Server
    Category: Data Breach
    Content: A threat actor operating under the name ModernStealer claims to have compromised the mail server of Pakistan's Nuclear Regulatory Authority (PNRA), allegedly exfiltrating over 60 databases. Seventeen of these databases, totaling 3.2 GB, are being offered for sale, with the remainder to be sold at a later date. The data purportedly includes precise locations of nuclear reactors, chemical laboratory locations, employee information, email addresses, and highly sensitive infrastructure-related doc
    Date: 2026-04-17T16:45:01Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-PK-Nuclear-Regulatory-Authority-PNRA-DATABASE
    Screenshots:
    None
    Threat Actors: ModernStealer
    Victim Country: Pakistan
    Victim Industry: Nuclear Regulatory / Government
    Victim Organization: Pakistan Nuclear Regulatory Authority (PNRA)
    Victim Site: pnra.org
  69. Alleged Sale of Bulk Root Website Access and Databases
    Category: Initial Access
    Content: A threat actor operating under the alias alon3Hunt is selling access to over 400 websites, claiming all accesses are root-level and span multiple countries. The actor requests potential buyers to contact them via Session or Telegram to receive a full list of targets. Transactions are conducted through escrow only.
    Date: 2026-04-17T16:43:55Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-The-sale-of-more-than-400-access-the-website-DB
    Screenshots:
    None
    Threat Actors: alon3Hunt
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  70. Alleged DMCA Abuse Service Offering Competitor SEO Sabotage and Search Engine Deindexing
    Category: Defacement
    Content: A threat actor operating under the alias Ab_DMCA is selling a DMCA abuse service designed to remove competitor websites from search engine results and trigger registrar-level domain suspensions. The service is advertised starting at $150 per target site, with discounts for SEO teams, and is highlighted as particularly effective against iGaming industry competitors. Contact is facilitated via Telegram handle @abuser_dmca or direct forum messages.
    Date: 2026-04-17T16:42:50Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-DMCA-Abuse-and-Protect-Eliminate-SEO-Competitors-with-DMCA
    Screenshots:
    None
    Threat Actors: Ab_DMCA
    Victim Country: Unknown
    Victim Industry: iGaming, Multi-sector
    Victim Organization: Unknown
    Victim Site: Unknown
  71. CAC confirms cyber incident after unauthorised system access
    Category: Cyber Attack
    Content: Nigeria's Corporate Affairs Commission has confirmed that it suffered a cyberattack involving unauthorized access to parts of its information systems. The agency has activated its response protocols and is working with national technology authorities to assess the exact extent of the incident. Pending the findings of the investigation, users are advised to monitor their records and update their login credentials.
    Date: 2026-04-17T16:42:16Z
    Network: openweb
    Published URL: https://akwaibomtimes.ng/cac-confirms-cyber-incident-unauthorised-system-access/
    Screenshots:
    None
    Threat Actors:
    Victim Country: Nigeria
    Victim Industry: Unknown
    Victim Organization: Corporate Affairs Commission (CAC)
    Victim Site: cac.gov.ng
  72. Clinton County, Iowa restores systems after attempted cyber intrusion
    Category: Cyber Attack
    Content: Clinton County, Iowa, had to take part of its network offline after detecting an attempted cyber intrusion. Although the initial cause remained unclear, a forensic analysis confirmed that a threat had been identified and contained early thanks to security protocols. Essential services were tested and restored after enhanced monitoring measures were put in place.
    Date: 2026-04-17T16:42:13Z
    Network: openweb
    Published URL: https://dysruptionhub.com/clinton-county-possible-cyber-incident/
    Screenshots:
    None
    Threat Actors:
    Victim Country: United States
    Victim Industry: Unknown
    Victim Organization: Clinton County
    Victim Site: clintoncounty-ia.gov
  73. Fusion Superplex
    Category: Cyber Attack
    Content: Fusion Superplex recently experienced a cybersecurity incident that temporarily impacted some of our systems. As a precaution, online ticketing has been taken offline while we complete recovery and ensure full security.
    Date: 2026-04-17T16:42:11Z
    Network: openweb
    Published URL: https://www.facebook.com/fusionsuperplex/posts/pfbid08RGuv8M88iRKFdVFY1a6WPhg9hB276EN8RUdYDLN7PnF69GAYV2uoqpspKtP1yq7l?rdid=FIg12jWuH9tkOZs8
    Screenshots:
    None
    Threat Actors: Qilin
    Victim Country: BH
    Victim Industry: Unknown
    Victim Organization: Fusion Superplex
    Victim Site: fusionsuperplex.com
  74. Alleged Sale of 10 Million Indonesian Taxpayer (NPWP) Records
    Category: Data Breach
    Content: A threat actor known as OnarDev is selling a database of over 10.6 million Indonesian taxpayer records allegedly breached in September 2025. The dataset includes sensitive personal information such as full names, National Identity Numbers (NIK), Taxpayer Identification Numbers (NPWP), addresses, email addresses, phone numbers, dates of birth, and tax office affiliation data in CSV format. The seller claims the data includes records of high-profile individuals including the President of Indonesia
    Date: 2026-04-17T16:42:04Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-10-MILION-INDONESIA-TAXPAYER-IDENTIFICATION-NUMBER-NPWP
    Screenshots:
    None
    Threat Actors: OnarDev
    Victim Country: Indonesia
    Victim Industry: Government
    Victim Organization: Direktorat Jenderal Pajak (Indonesia Directorate General of Taxes)
    Victim Site: pajak.go.id
  75. Alleged Data Breach of Peru National Police (PNP) and Ministry of Transport (SUTRAN)
    Category: Data Breach
    Content: A threat actor identified as breach3d is selling a dataset allegedly obtained from Peru's National Police (PNP) and Ministry of Transport and Communications (MTC/SUTRAN). The data reportedly includes police intervention reports, arrest records, inspection reports, internal memos, and personal information such as full names, DNI numbers, dates of birth, addresses, phone numbers, and vehicle information. The dataset is claimed to include records from 2025, with proof samples provided via externa
    Date: 2026-04-17T16:41:19Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-Peru-National-Police-Ministry-of-Transport
    Screenshots:
    None
    Threat Actors: breach3d
    Victim Country: Peru
    Victim Industry: Government
    Victim Organization: Peru National Police (PNP) and Ministry of Transport and Communications (MTC/SUTRAN)
    Victim Site: sutran.gob.pe
  76. Alleged Data Breach of USA Police Personnel Records Exposed on Dark Web Forum
    Category: Data Breach
    Content: A threat actor operating under the alias clara283 is selling a database containing over 90,000 records of US law enforcement personnel. The dataset includes personally identifiable information such as full names, email addresses, phone numbers, IP addresses, job titles, agency affiliations, and supervisor contact details. Affected agencies include multiple Texas-based police departments such as Frisco PD, Dallas County Sheriff's Office, Rockwall PD, and others across multiple states.
    Date: 2026-04-17T16:40:34Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-USA-Police-Records-db-above-90k
    Screenshots:
    None
    Threat Actors: clara283
    Victim Country: United States
    Victim Industry: Law Enforcement / Government
    Victim Organization: Multiple US Police Departments and Law Enforcement Agencies
    Victim Site: Unknown
  77. Alleged Sale of Fraudulent Identity Documents and Financial Records by BBYSHOP
    Category: Data Breach
    Content: A threat actor operating under the alias BBYSHOP is advertising a document forgery and rendering service on a dark web forum. The service claims to produce high-quality fraudulent identity documents including passports, bank statements, and selfies with documents, boasting a 99% conversion rate and over 5 years of operation. The actor offers a rush order option at double the standard price and can be contacted via Telegram at t.me/bbyshop_otrisovka.
    Date: 2026-04-17T16:39:47Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Document-BBYSHOP-High-quality-rendering-Passports-bank-statements-selfies-with-documents
    Screenshots:
    None
    Threat Actors: BBYSHOP
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  78. Alleged Data Breach of Dubai Health Authority by Threat Actor dark_habibi
    Category: Data Breach
    Content: A threat actor operating under the alias dark_habibi claims to be selling 836 files allegedly exfiltrated from the Dubai Health Authority for $300. The data reportedly includes passports, Emirates IDs, visas, university and professional certifications, architectural blueprints of medical facilities, personal signatures, government policy documents, and internal reports and contracts. The actor has posted sample files and provided a Session messaging handle for contact, and has indicated furthe
    Date: 2026-04-17T16:39:03Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-UAE-Dubai-Health-Authority–73784
    Screenshots:
    None
    Threat Actors: dark_habibi
    Victim Country: United Arab Emirates
    Victim Industry: Healthcare
    Victim Organization: Dubai Health Authority
    Victim Site: dha.gov.ae
  79. Alleged data leak of personal information of RSUD K.R.M.T Wongsonegoro Hospital Director
    Category: Data Leak
    Content: A threat actor operating under the alias CyphieNesia leaked personally identifiable information (PII) of dr. Eko Krisnarto, Sp.KK, the Director of RSUD K.R.M.T Wongsonegoro hospital in Semarang, Indonesia. The leaked data includes full name, national identity number (NIK), family card number (No KK), tax identification number (NPWP), date of birth, home address, phone number, email address, and government employment details. The data was made publicly available on a dark web forum without any in
    Date: 2026-04-17T16:37:49Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Document-DATA-PRIBADI-dr-EKO-KRISNARTO-Sp-KK
    Screenshots:
    None
    Threat Actors: CyphieNesia
    Victim Country: Indonesia
    Victim Industry: Healthcare / Government
    Victim Organization: RSUD K.R.M.T Wongsonegoro / Pemerintah Kota Semarang
    Victim Site: Unknown
  80. Alleged Data Leak of Konačište Dabić Zlatibor Personal Records
    Category: Data Leak
    Content: A threat actor known as vvvv has made available a database allegedly belonging to Konačište Dabić, a hospitality establishment in Zlatibor, Serbia. The leaked data contains approximately 2,500 records including full names and JMBG (Serbian personal identification numbers). The actor claims to have been ghosted by the organization, suggesting this may be a retaliation leak following a failed extortion or negotiation attempt.
    Date: 2026-04-17T16:36:37Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-RS-Serbia-2-5k-Personal-Data-Database
    Screenshots:
    None
    Threat Actors: vvvv
    Victim Country: Serbia
    Victim Industry: Hospitality
    Victim Organization: Konačište Dabić Zlatibor
    Victim Site: Unknown
  81. Alleged Data Leak of Kantah Kabupaten Banjar Government Land Registry Database
    Category: Data Leak
    Content: A threat actor operating under the alias XyphOrix has leaked a database allegedly belonging to the Kantor Pertanahan Kabupaten Banjar, an Indonesian government land registry office. The leaked data includes personally identifiable information such as NIK (national identity numbers), full names, ages, occupations, home addresses, phone numbers, land parcel details, land rights types, and certificate numbers. The database appears to relate to land transfer transactions and has been made available
    Date: 2026-04-17T16:35:51Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-DATABASE-DATABASE-KANTAHKABBANJAR-GO-ID
    Screenshots:
    None
    Threat Actors: XyphOrix
    Victim Country: Indonesia
    Victim Industry: Government
    Victim Organization: Kantor Pertanahan Kabupaten Banjar (Kantah Kab Banjar)
    Victim Site: kantahkabbanjar.go.id
  82. Alleged data leak of ComptoirDuReve.fr customer database
    Category: Data Leak
    Content: A threat actor operating under the alias ChimeraZ has freely leaked a database belonging to ComptoirDuReve.fr, a French retail website. The database contains approximately 42,000 records in JSON format (10.5 MB) including customer personal information such as full names, postal addresses, postal codes, cities, and titles. The data has been made available via multiple file-sharing platforms.
    Date: 2026-04-17T16:35:08Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-DATABASE-42K-ComptoirDuReve-fr
    Screenshots:
    None
    Threat Actors: ChimeraZ
    Victim Country: France
    Victim Industry: Retail
    Victim Organization: Comptoir du Rêve
    Victim Site: comptoirdureve.fr
  83. Alleged sale of identity document scans and photos from CIS and European countries
    Category: Data Breach
    Content: A threat actor operating under the alias vad428 is selling sets of identity documents including passport scans, driver's licenses, SNILS (Russian social insurance numbers), and selfies sourced from CIS and some European countries. The offerings include both original documents and fabricated ones, with selection filters available by city, gender, and region. Contact is facilitated via email and Telegram, with bulk pricing negotiated individually.
    Date: 2026-04-17T16:34:15Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-I-sell-scans-and-photos-of-passports–73761
    Screenshots:
    None
    Threat Actors: vad428
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  84. Alleged Sale of Full Access to Packeta.ro E-Commerce Logistics Platform
    Category: Initial Access
    Content: A threat actor operating under the alias xdlolxd is allegedly selling full access to Packeta, a European e-commerce logistics platform, for $1,000. Packeta serves over 60,000 online stores across more than 30 countries and provides parcel delivery to lockers, pick-up points, and addresses. The seller is directing interested buyers to contact them via Telegram.
    Date: 2026-04-17T16:33:31Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-DATABASE-packeta-ro-full-acces
    Screenshots:
    None
    Threat Actors: xdlolxd
    Victim Country: Romania
    Victim Industry: Logistics & E-Commerce
    Victim Organization: Packeta
    Victim Site: packeta.ro
  85. Alleged inquiry regarding BreachForums availability and access
    Category: Data Breach
    Content: A forum user is inquiring about the current operational status of BreachForums and requesting a working link to the site. The post does not contain any threat data, breach claims, or leaked information. This appears to be a general inquiry about accessing the cybercrime forum BreachForums.
    Date: 2026-04-17T16:32:48Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-how-can-i-find-link-the-breachforums
    Screenshots:
    None
    Threat Actors: neil617617
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: BreachForums
    Victim Site: breachforums.st
  86. Alleged leak of mixed Hotmail credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias noir has made available a combolist of approximately 2,600 alleged valid Hotmail credentials described as a UHQ Mix, suggesting high-quality or unique entries. The post references a private cloud hosting location and directs interested parties to a Telegram handle (@NoirAccesss) for access. Content requires forum registration to view, indicating it may be gated behind community membership.
    Date: 2026-04-17T16:03:35Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72407/
    Screenshots:
    None
    Threat Actors: noir
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft Hotmail
    Victim Site: hotmail.com
  87. Alleged leak of mixed Hotmail and email credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias Roronoa044 has shared a combolist containing approximately 2,600 alleged valid email credentials, including Hotmail accounts and a mixed set of email/password combinations. The content is distributed as hidden/gated content on the DemonForums cybercrime forum. The actor also promotes a Telegram channel (@noiraccesss) likely used for further distribution of similar credential lists.
    Date: 2026-04-17T16:03:12Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2600-Valid-UHQ-Mix-%E2%9A%A1%E2%9A%A1
    Screenshots:
    None
    Threat Actors: Roronoa044
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  88. Alleged leak of 22.5 million URL:Login:Password credential lines
    Category: Combo List
    Content: A threat actor known as VitVit has shared a large combolist containing approximately 22.5 million lines in URL:Login:Password format, totaling 1.2GB in size, on the cracking forum CX. The credentials appear to be aggregated from multiple sources and are being made available to registered forum members at no stated cost. No specific victim organization or country has been identified, suggesting this is a compiled credential list drawn from various origins.
    Date: 2026-04-17T16:02:50Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72408/
    Screenshots:
    None
    Threat Actors: VitVit
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  89. Alleged leak of URL:Login:Password combolist with 22.5 million lines
    Category: Data Leak
    Content: A threat actor operating under the alias Gektor009 has shared a large combolist containing approximately 22.5 million lines in URL:Login:Password format, totaling 1.2GB in size, on the DemonForums cybercrime forum. The content is hidden behind a registration or login requirement, suggesting it is being distributed to forum members at no explicit cost. No specific victim organization or targeted service has been identified.
    Date: 2026-04-17T16:02:27Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Url-Log-Pass-22-528-702-M%C4%B1ll%C4%B1on-L%C4%B1nes-1-2gb
    Screenshots:
    None
    Threat Actors: Gektor009
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  90. Alleged data breach of ANTS (Agence Nationale des Titres Sécurisés) – 20 Million French Citizens Records for Sale
    Category: Data Breach
    Content: The threat actor group ShinyHunters claims to be selling approximately 20 million records allegedly exfiltrated from ANTS (Agence Nationale des Titres Sécurisés), the French government agency responsible for secure identity documents. The dataset is offered in JSONL format and reportedly contains: internal system IDs, full legal names (including maiden and middle names), dates and places of birth, gender, mobile phone numbers, email addresses, physical addresses with postal codes, and state-verified identity flags. Payment is accepted in XMR or BTC, with escrow/trusted middleman accepted. Contact via Session messenger ID provided.
    Date: 2026-04-17T15:56:38Z
    Network: telegram
    Published URL: https://t.me/c/3737716184/1312
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: France
    Victim Industry: Government
    Victim Organization: Agence Nationale des Titres Sécurisés (ANTS)
    Victim Site: ants.gouv.fr
  91. Alleged free distribution of Office-themed credential combolist mix
    Category: Combo List
    Content: A threat actor operating under the alias CODER is distributing a combolist mix of approximately 9 million credential pairs, described as an Office combo mix, via Telegram channels. The actor promotes free access through two Telegram groups and offers additional combos via direct Telegram contact. No specific victim organization or targeted service has been identified.
    Date: 2026-04-17T15:44:41Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72406/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  92. Alleged leak of 31 million ULP credentials distributed via Telegram channel
    Category: Combo List
    Content: A threat actor operating under the alias Blackcloud is distributing a combolist of approximately 31 million credentials in ULP (URL:Login:Password) format via a Telegram channel (@BLACK_CLOUDX). The data is described as UHQ (ultra-high quality) and fresh, suggesting recently harvested credentials. The post provides a download link with no explicit price, indicating the combolist is being made available for free.
    Date: 2026-04-17T15:26:53Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72403/
    Screenshots:
    None
    Threat Actors: Blackcloud
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  93. Alleged leak of UHQ combolist containing 25 million credentials
    Category: Combo List
    Content: A threat actor operating as Blackcloud has made available a combolist of approximately 25 million credentials via their Telegram channel @BLACK_CLOUDX. The data is described as ULP (URL:Login:Password) format and labeled as UHQ (Ultra High Quality) and fresh, suggesting recently obtained or verified credentials. The post offers a free download with no specific victim organization or country identified.
    Date: 2026-04-17T15:26:09Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72404/
    Screenshots:
    None
    Threat Actors: Blackcloud
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  94. Alleged leak of 23 million ULP credentials via Telegram channel
    Category: Combo List
    Content: A threat actor operating under the alias Blackcloud has made available a combolist containing approximately 23 million URL:Login:Password (ULP) credentials described as ultra-high quality (UHQ) and fresh, dated April. The content is being distributed via a Telegram channel (@BLACK_CLOUDX) and shared on the cracking forum CrackingX. No specific victim organization or targeted service has been identified.
    Date: 2026-04-17T15:25:32Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72405/
    Screenshots:
    None
    Threat Actors: Blackcloud
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  95. Alleged leak of 1.7 million URL-login-password credentials
    Category: Combo List
    Content: A threat actor operating under the alias RandomUpload has shared a combolist containing approximately 1.7 million URL, login, and password combinations on the cracking forum CrackingX. The credential list appears to be a compilation of stolen authentication data spanning multiple sites and services. The post requires forum registration to access the hidden download content.
    Date: 2026-04-17T15:06:30Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72401/
    Screenshots:
    None
    Threat Actors: RandomUpload
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  96. Alleged leak of 48,000 mixed corporate mail access credentials across multiple regions
    Category: Combo List
    Content: A threat actor operating under the alias MailAccesss has made available a combolist of approximately 48,000 allegedly valid corporate email access credentials. The dataset reportedly includes accounts spanning the United States, Europe, Asia, and Russia. The content is restricted to registered users of the cracking forum CrackingX.
    Date: 2026-04-17T15:05:50Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72402/
    Screenshots:
    None
    Threat Actors: MailAccesss
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Unknown
    Victim Site: Unknown
  97. Alleged leak of 48,000 mixed corporate and personal email credentials across multiple regions
    Category: Combo List
    Content: A threat actor operating under the alias MegaCloudshop has made available a combolist containing approximately 48,000 allegedly valid email credentials. The list claims to include a mix of corporate and personal accounts spanning multiple regions including the United States, Europe, Asia, and Russia. The content is hidden behind a registration or login requirement on the forum, with the actor also promoting an external store at megacloudshop.top.
    Date: 2026-04-17T15:05:30Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-48-K-Full-Valid-Mix-USA-Eu-Asia-Ru-Corp-Mail-Access-17-04
    Screenshots:
    None
    Threat Actors: MegaCloudshop
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  98. Alleged Data Breach of Twitter (X) Iraq User Database
    Category: Data Breach
    Content: A threat actor known as ahmadxalil is selling an alleged database purportedly containing data of Iraqi Twitter (X) users. The database is claimed to contain 100 million records and is being offered for $180 on the Breached forum. The post contains minimal details beyond the price and claimed record count.
    Date: 2026-04-17T14:59:40Z
    Network: openweb
    Published URL: https://breached.st/threads/iraq-twitter-x-database-100m-180.86054/unread
    Screenshots:
    None
    Threat Actors: ahmadxalil
    Victim Country: Iraq
    Victim Industry: Social Media
    Victim Organization: Twitter (X)
    Victim Site: x.com
  99. Alleged leak of Hotmail credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias HollowKnight07 has made available a sample combolist containing 580 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link, suggesting this is a sample release likely intended to demonstrate the validity of a larger credential set. The data likely consists of email and password combinations associated with Hotmail accounts.
    Date: 2026-04-17T14:46:21Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72399/
    Screenshots:
    None
    Threat Actors: HollowKnight07
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  100. Alleged leak of mixed credential combolist (X1723 HQ Mix)
    Category: Combo List
    Content: A combolist referred to as X1723 HQ Mix, attributed to the alias Steveee36 and posted by user erwinn91, has been made available on DemonForums. The content is hidden behind a registration or login requirement, limiting visibility into the specific credentials or affected organizations. No victim organization, country, or record count could be determined from the available post data.
    Date: 2026-04-17T14:45:33Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-%E2%9A%A1%E2%9A%A1-X1723-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Steveee36-%E2%9A%A1%E2%9A%A1
    Screenshots:
    None
    Threat Actors: erwinn91
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  101. Alleged sale of Iraq Hospital Medical Database containing 32 million records
    Category: Data Breach
    Content: A threat actor operating under the alias ahmadxalil is selling an alleged Iraqi hospital database containing over 32 million records for $600. The exposed data includes personally identifiable information such as national ID numbers, phone numbers, gender, location details, and sensitive medical information including diagnoses such as cancer, blood pressure, chronic respiratory diseases, and immunopathies. Sample data indicates records are linked to Iraqi citizens, including those in the Kurdi
    Date: 2026-04-17T14:39:35Z
    Network: openweb
    Published URL: https://breached.st/threads/iraq-hospital-database-32-382-065-600.86053/unread
    Screenshots:
    None
    Threat Actors: ahmadxalil
    Victim Country: Iraq
    Victim Industry: Healthcare
    Victim Organization: Iraq Hospital Database (multiple hospitals including Azadi Teaching Hospital)
    Victim Site: Unknown
  102. Website Defacement of aflife.co.zm by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced the website aflife.co.zm, a Zambian organization, by altering the readme.txt file. The attack was an individual defacement, not part of a mass or coordinated campaign. No specific motivation or technical details regarding the server environment were disclosed.
    Date: 2026-04-17T14:33:32Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844631
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Zambia
    Victim Industry: Unknown
    Victim Organization: AF Life
    Victim Site: aflife.co.zm
  103. Alleged leak of mixed email access credentials (17,000 records)
    Category: Combo List
    Content: A threat actor operating under the alias RandomUpload shared a mixed mail access combolist containing approximately 17,000 credential pairs on the cracking forum CX (crackingx.com). The list appears to include email account credentials from various providers. No specific victim organization or country was identified, and the content is available to registered forum members.
    Date: 2026-04-17T14:26:21Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72396/
    Screenshots:
    None
    Threat Actors: RandomUpload
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  104. Alleged leak of mixed email credential combolist (10,800 records)
    Category: Combo List
    Content: A threat actor known as Lexser has shared a mixed email (MIXMAIL) credential combolist containing approximately 10,800 records via an external paste site. The post describes the content as fresh and UHQ (Ultra High Quality), suggesting recently obtained and verified credentials. The combolist was made freely available through a pasteview link on the cracking forum CrackingX.
    Date: 2026-04-17T14:25:42Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72397/
    Screenshots:
    None
    Threat Actors: Lexser
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  105. Alleged leak of mixed email credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias StrawHatBase has made available a combolist containing approximately 45,000 email address and password combinations on a cybercrime forum. The post is gated behind registration or login, suggesting the content is accessible to forum members at no explicit charge. The affected accounts appear to span multiple mail providers, as indicated by the MIX designation in the thread title.
    Date: 2026-04-17T14:25:19Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-45K-MAIL-ACCESS-MIX
    Screenshots:
    None
    Threat Actors: StrawHatBase
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  106. Alleged distribution of 8 million credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias CODER is distributing a combolist allegedly containing 8 million credential pairs via Telegram channels. The actor promotes free combo distribution through two Telegram groups and invites users to contact them directly for additional combolists. No specific victim organization or targeted service has been identified.
    Date: 2026-04-17T14:25:08Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72398/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  107. Website Defacement of Businesmind.ru by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the website businesmind.ru was defaced by a threat actor identified as DimasHxR, operating without affiliation to a known group or team. The attack targeted a readme.txt file on the Russian business-oriented domain. No specific motivation or technical details were disclosed in connection with the incident.
    Date: 2026-04-17T14:21:48Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844624
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Russia
    Victim Industry: Business Services
    Victim Organization: Businesmind
    Victim Site: businesmind.ru
  108. Website Defacement of Buy Shower Door by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a specific page (b.html) on buyshowerdoor.com, a US-based online retailer specializing in shower doors and related home improvement products. The incident was a targeted single-page defacement, not classified as a mass or home page defacement. The attack details, including the server infrastructure and attacker motivation, remain unknown at this time.
    Date: 2026-04-17T14:19:41Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844620
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: United States
    Victim Industry: Retail / Home Improvement
    Victim Organization: Buy Shower Door
    Victim Site: buyshowerdoor.com
  109. Website Defacement of Bojovic Logistics by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the attacker known as DimasHxR defaced the website of Bojovic Logistics, a logistics company operating under the Nigerian country-code domain (.com.ng). The attack was a targeted single-site defacement with no team affiliation reported. Technical details regarding the server environment and attack vector remain unknown.
    Date: 2026-04-17T14:13:30Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844610
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Nigeria
    Victim Industry: Logistics and Transportation
    Victim Organization: Bojovic Logistics
    Victim Site: bojoviclogistics.com.ng
  110. Alleged defacement of jopssed.org by Dewata Blackhat
    Category: Defacement
    Content: A threat actor operating under the name Dewata Blackhat (formerly Silent Error System) claims to have defaced the website jopssed.org. The post includes a photo as proof and credits several affiliated groups including Babayo Error System, Defacer Indonesia Team, Akatsuki Cyber Team, Anonm Ghost Track, Pasko Cyber Rexor, and Dream Hack.
    Date: 2026-04-17T14:12:33Z
    Network: telegram
    Published URL: https://t.me/c/3841736872/267
    Screenshots:
    None
    Threat Actors: Dewata Blackhat
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: jopssed.org
  111. Website Defacement of The Fit Tank by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the website thefittank.com was defaced by a threat actor identified as DimasHxR, operating without affiliation to any known group. The attacker targeted a specific page (b.html) rather than the homepage, indicating a partial or targeted defacement. The incident was recorded and mirrored by zone-xsec.com.
    Date: 2026-04-17T14:12:19Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844618
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: United States
    Victim Industry: Health & Fitness
    Victim Organization: The Fit Tank
    Victim Site: thefittank.com
  112. Website Defacement of pro-zemlyu.ru by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor operating under the alias DimasHxR defaced the Russian website pro-zemlyu.ru, targeting the page at /b.html. The attack was carried out as a solo operation with no affiliated team, and the specific motivation behind the defacement remains undisclosed.
    Date: 2026-04-17T14:10:41Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844609
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Russia
    Victim Industry: Unknown
    Victim Organization: Pro Zemlyu
    Victim Site: pro-zemlyu.ru
  113. Website Defacement by DimasHxR Targeting Unknown Organization
    Category: Defacement
    Content: On April 17, 2026, a threat actor operating under the alias DimasHxR defaced a website hosted at the internationalized domain xn--80agpaqquib9bxc1b.online. The attack was a targeted single-page defacement with no team affiliation reported. Limited technical details are available regarding the server infrastructure or the attacker's motive.
    Date: 2026-04-17T14:08:43Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844619
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: xn--80agpaqquib9bxc1b.online
  114. Alleged sale of Comcast-targeted credential combolist
    Category: Combo List
    Content: A threat actor known as steeve75 is selling a Comcast-targeted combolist containing approximately 142,000 email and password credential pairs on the CrackingX forum. The actor also advertises additional combolists for various email providers and regions including AOL, Yahoo, Hotmail, and Outlook across multiple countries. Interested buyers are directed to contact the seller via Telegram at @KOCsupport.
    Date: 2026-04-17T14:06:56Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72393/
    Screenshots:
    None
    Threat Actors: steeve75
    Victim Country: United States
    Victim Industry: Telecommunications
    Victim Organization: Comcast
    Victim Site: comcast.com
  115. Alleged sale of Comcast-targeted credential combolist
    Category: Combo List
    Content: A threat actor known as Ra-Zi is selling a Comcast-targeted combolist containing approximately 142,000 credential pairs in email:password and user:password formats. The actor advertises high-quality combos with a guarantee and promotes additional combolists targeting multiple email providers and countries including AOL, Yahoo, Hotmail, Outlook, and users from the USA, UK, France, Germany, and others. Contact is facilitated via Telegram handle @KOCsupport and an associated cracking community we
    Date: 2026-04-17T14:06:39Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-142K-COMCAST-TARGETED-COMBOLIST
    Screenshots:
    None
    Threat Actors: Ra-Zi
    Victim Country: United States
    Victim Industry: Telecommunications
    Victim Organization: Comcast
    Victim Site: comcast.com
  116. Website Defacement of Danoun Promotion by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the website danounpromotion.com was defaced by the threat actor DimasHxR, acting independently without a group affiliation. The attacker targeted a specific page (b.html) rather than the homepage, indicating a targeted subpage defacement. No specific motivation or technical details regarding the server environment were disclosed.
    Date: 2026-04-17T14:02:38Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844608
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Marketing and Promotions
    Victim Organization: Danoun Promotion
    Victim Site: danounpromotion.com
  117. Alleged data breach of ANTS Mairie French Government Portal
    Category: Data Breach
    Content: A threat actor known as RubiconH4ck is selling an alleged database from mairie.ants.gouv.fr, the French national secure titles agency portal, purportedly containing 127 million records dated 2025. The dataset includes extensive personally identifiable information such as full names, addresses, postal codes, dates and places of birth, death records, nationality, phone numbers, fax numbers, mobile numbers, and email addresses. The data is being offered for $4,000 USD, described as negotiable, with
    Date: 2026-04-17T14:00:19Z
    Network: openweb
    Published URL: https://breached.st/threads/ants-mairie-access-data.86052/unread
    Screenshots:
    None
    Threat Actors: RubiconH4ck
    Victim Country: France
    Victim Industry: Government
    Victim Organization: ANTS Mairie (Agence Nationale des Titres Sécurisés)
    Victim Site: mairie.ants.gouv.fr
  118. Website Defacement of Altco by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the Brazilian website altco.com.br was defaced by a threat actor identified as DimasHxR. The attacker targeted a readme.txt file on the domain, leaving a defacement marker. The incident was recorded as a single, non-mass defacement with no affiliated team or stated motive.
    Date: 2026-04-17T13:56:35Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844597
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Brazil
    Victim Industry: Unknown
    Victim Organization: Altco
    Victim Site: altco.com.br
  119. Alleged leak of WordPress credentials or data by threat actor zod
    Category: Combo List
    Content: A threat actor operating under the alias zod has shared content described as WordPress-related data on the cracking forum CX. The post requires registration or sign-in to access, with a password distributed via a Telegram channel at t.me/zoooddddd. The exact nature, volume, and origin of the data remain unknown due to limited post visibility.
    Date: 2026-04-17T13:46:13Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72392/
    Screenshots:
    None
    Threat Actors: zod
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  120. Alleged Sale of SMS Verification Numbers and SIM-Based Phone Services via MajorPhones
    Category: Initial Access
    Content: A threat actor operating under the alias majorphones is selling virtual phone numbers, empty SIM cards, and VoIP SMS tools via the cracking forum CrackingX. Services include non-VoIP numbers for SMS/OTP verification bypass across platforms, with rentals ranging from short-term to 365-day options, bulk messaging capabilities, and API access for automation. Payment is accepted via card, cryptocurrency, and alternative methods, enabling anonymous account creation and multi-platform verification f
    Date: 2026-04-17T13:45:58Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72391/
    Screenshots:
    None
    Threat Actors: majorphones
    Victim Country: Unknown
    Victim Industry: Telecommunications
    Victim Organization: MajorPhones
    Victim Site: majorphones.com
  121. Website Defacement of Glove Travellers BD by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a page on glovetravellersbd.com, a Bangladeshi travel-related website. The attack targeted a specific subpage (b.html) rather than the homepage, indicating a targeted page-level defacement. No team affiliation, motive, or technical details regarding the server infrastructure were disclosed.
    Date: 2026-04-17T13:44:54Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844561
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Bangladesh
    Victim Industry: Travel and Tourism
    Victim Organization: Glove Travellers BD
    Victim Site: glovetravellersbd.com
  122. Alleged Data Breach of USA Police Personnel Database Exposing 90,000 Records
    Category: Data Breach
    Content: A threat actor operating under the alias spider321 has shared samples of an alleged database containing approximately 90,000 records belonging to US law enforcement personnel. The exposed data includes full names, email addresses, phone numbers, IP addresses, home zip codes, agency affiliations, ranks/titles, and supervisor contact information. Affected agencies visible in the sample include multiple Texas-based police departments such as Frisco PD, Dallas County Sheriff's Office, Lancaster PD
    Date: 2026-04-17T13:40:58Z
    Network: openweb
    Published URL: https://breached.st/threads/usa-police-db-90k-records.86051/unread
    Screenshots:
    None
    Threat Actors: spider321
    Victim Country: United States
    Victim Industry: Government & Law Enforcement
    Victim Organization: Unknown
    Victim Site: Unknown
  123. Mass Website Defacement of titik0km.com by Threat Actor Zod
    Category: Defacement
    Content: On April 17, 2026, threat actor Zod conducted a mass defacement campaign targeting www.titik0km.com, a Linux-hosted website. The defacement was confirmed as part of a mass defacement operation, with the compromised page archived at haxor.id. No specific motive or server software details were disclosed in relation to this incident.
    Date: 2026-04-17T13:38:19Z
    Network: openweb
    Published URL: https://haxor.id/archive/mirror/248584
    Screenshots:
    None
    Threat Actors: Zod
    Victim Country: Indonesia
    Victim Industry: Unknown
    Victim Organization: Titik 0 KM
    Victim Site: www.titik0km.com
  124. Website Defacement of 14slotspk.com.pk by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced the Pakistani online slots/gaming website 14slotspk.com.pk by altering the readme.txt file. The defacement was a targeted, non-mass attack with no group affiliation reported. The incident was archived and mirrored via zone-xsec.com.
    Date: 2026-04-17T13:26:56Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844515
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Pakistan
    Victim Industry: Gambling / Online Gaming
    Victim Organization: 14 Slots PK
    Victim Site: 14slotspk.com.pk
  125. Alleged leak of South Africa email credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias CobraEgy has made available a combolist of approximately 67,000 email address and password combinations targeting South Africa. The credential list is described as fresh and was shared on the DemonForums combolist section on April 17, 2026. No specific organization or domain is identified as the source of the leaked credentials.
    Date: 2026-04-17T13:26:50Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-67-K-%E2%9C%A6-South-Africa-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-17-4-2026-%E2%9C%A6%E2%9C%A6
    Screenshots:
    None
    Threat Actors: CobraEgy
    Victim Country: South Africa
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  126. Alleged leak of 5,000 Russian email credentials
    Category: Combo List
    Content: A threat actor operating under the alias MegaCloudshop has made available a combolist containing approximately 5,000 Russian email account credentials, claimed to be valid as of April 17. The content is hidden behind a forum registration requirement and is associated with a storefront at megacloudshop.top. No specific victim organization or email provider has been identified.
    Date: 2026-04-17T13:25:58Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-5K-Russian-Mail-Access-Just-Valid-data-17-04
    Screenshots:
    None
    Threat Actors: MegaCloudshop
    Victim Country: Russia
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  127. Alleged leak of ULP combolist by threat actor zod
    Category: Combo List
    Content: A threat actor operating under the alias zod has shared a ULP (URL:Login:Password) combolist on the cracking forum CrackingX. The content is gated behind registration or sign-in, with access to additional details or downloads directed through a Telegram channel at t.me/zoooddddd. No specific victim organization, record count, or targeted country has been identified.
    Date: 2026-04-17T13:25:41Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72388/
    Screenshots:
    None
    Threat Actors: zod
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  128. Alleged leak of Russian email account credentials
    Category: Combo List
    Content: A threat actor known as MailAccesss has made available a combolist of approximately 5,000 Russian email account credentials on a cracking forum. The data is claimed to be valid as of April 17th and includes mail access credentials. The post requires forum registration to access the hidden content.
    Date: 2026-04-17T13:24:49Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72389/
    Screenshots:
    None
    Threat Actors: MailAccesss
    Victim Country: Russia
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  129. Alleged distribution of mixed-country corporate combolists
    Category: Combo List
    Content: A threat actor operating under the alias CODER is distributing mixed-country corporate combolists, reportedly including credentials from South Africa, Italy, France, Germany, and other countries. The actor is sharing free combolists and tools via two Telegram channels. No specific organizations, record counts, or pricing details were disclosed in the post.
    Date: 2026-04-17T13:24:15Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72390/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  130. Website Defacement of dieschreibers.at by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a page on the Austrian website dieschreibers.at. The attack targeted a specific subpage (b.html) and was not classified as a mass or home page defacement. No team affiliation, stated motive, or technical details regarding the server infrastructure were identified.
    Date: 2026-04-17T13:20:50Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844514
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Austria
    Victim Industry: Unknown
    Victim Organization: Die Schreibers
    Victim Site: www.dieschreibers.at
  131. Alleged Data Breach of Sri Lanka Ministry of Public Administration Government Portal
    Category: Data Breach
    Content: A threat actor operating under the handle wh6ami is selling a database allegedly exfiltrated from the Sri Lankan Ministry of Public Administration's portal (pubad.gov.lk) for $200. The dataset purportedly contains approximately 5,000 records of civil servants including full names, National ID numbers (NIC), email addresses, phone numbers, physical addresses, job titles, hashed passwords, and internal government documents such as service circulars and gazettes in PDF format. Contact is offered
    Date: 2026-04-17T13:19:02Z
    Network: openweb
    Published URL: https://breached.st/threads/ministry-of-public-administration-home-affairs-provincial-councils-and-local-government-government-of-sri-lanka.86050/unread
    Screenshots:
    None
    Threat Actors: wh6ami
    Victim Country: Sri Lanka
    Victim Industry: Government
    Victim Organization: Ministry of Public Administration, Home Affairs, Provincial Councils and Local Government
    Victim Site: pubad.gov.lk
  132. Website Defacement of FlameTide Finance by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the threat actor DimasHxR defaced a page on flametidefinance.com, targeting the finance sector. The attack was a single-page defacement rather than a mass or home page defacement. No team affiliation, specific motive, or technical details regarding the server infrastructure were disclosed.
    Date: 2026-04-17T13:17:48Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/844513
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Finance
    Victim Organization: FlameTide Finance
    Victim Site: flametidefinance.com
  133. Alleged leak of 436,000 Spanish email credentials
    Category: Combo List
    Content: A threat actor known as CobraEgy has shared a combolist of approximately 436,000 email:password credential pairs allegedly associated with Spanish users on the DemonForums cybercrime forum. The post, dated April 17, 2026, is categorized under combolists and labeled as fresh. No specific victim organization or source has been identified.
    Date: 2026-04-17T13:00:41Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-436-K-%E2%9C%A6-Spain-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-17-4-2026-%E2%9C%A6%E2%9C%A6
    Screenshots:
    None
    Threat Actors: CobraEgy
    Victim Country: Spain
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  134. Alleged leak of Hotmail credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias D4rkNetHub has made available a combolist containing approximately 1,909 Hotmail credentials on the cracking forum CrackingX. The post is categorized under Combolists & Dumps and is hosted via D4rkNetHub's cloud service. Full content requires forum registration or sign-in, limiting full verification of the claim.
    Date: 2026-04-17T12:57:33Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72386/
    Screenshots:
    None
    Threat Actors: D4rkNetHub
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft Hotmail
    Victim Site: hotmail.com
  135. Alleged leak of Hotmail credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias UniqueCombo has shared an alleged Hotmail credential combolist on the cracking forum CrackingX. The post, titled Hotmail Unique Combo_3_11000, suggests the list contains approximately 11,000 unique email and password combinations. The content is gated behind registration or sign-in, limiting immediate visibility into the full scope of the leak.
    Date: 2026-04-17T12:57:03Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72387/
    Screenshots:
    None
    Threat Actors: UniqueCombo
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft Hotmail
    Victim Site: hotmail.com
  136. Alleged leak of Hotmail credential combolist via PandaCloud distribution channel
    Category: Combo List
    Content: A threat actor operating under the alias Kokos2846q has made available a combolist of purportedly valid Hotmail email credentials via a file-sharing link and a Telegram channel named PandaCloud04. The post claims the credentials are fully valid and fresh, with new data added daily. The content was distributed freely with no price mentioned.
    Date: 2026-04-17T12:39:37Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72382/
    Screenshots:
    None
    Threat Actors: Kokos2846q
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft Hotmail
    Victim Site: hotmail.com
  137. Alleged leak of mixed email access credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias Kommander0 has shared a mixed email access combolist containing approximately 6,000 credential pairs via a Gofile download link. The post was made on the cracking forum CrackingX under the Combolists & Dumps section. The credentials appear to span multiple email providers and no specific victim organization or country has been identified.
    Date: 2026-04-17T12:38:41Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72384/
    Screenshots:
    None
    Threat Actors: Kommander0
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  138. Alleged leak of mixed email credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias NotSellerXd has shared a mixed combolist containing approximately 6,120 email and password credential pairs on a cybercrime forum. The credentials appear to originate from multiple sources, as indicated by the MIX MAIL designation. The content is gated behind forum registration or login, suggesting it is being distributed freely to forum members.
    Date: 2026-04-17T12:38:31Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-6120x-MIX-MAIL
    Screenshots:
    None
    Threat Actors: NotSellerXd
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  139. Alleged leak of 3,000 USA email account credentials
    Category: Combo List
    Content: A threat actor operating under the alias MailAccesss has shared a combolist of approximately 3,000 checked and verified US email account credentials on a cracking forum. The post, dated April 17th, advertises fresh mail access credentials restricted to registered forum users. No specific email provider or organization has been identified as the source of the compromised accounts.
    Date: 2026-04-17T12:38:05Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72385/
    Screenshots:
    None
    Threat Actors: MailAccesss
    Victim Country: United States
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  140. Alleged leak of 3,000 USA email credentials (combolist)
    Category: Combo List
    Content: A threat actor operating under the alias MegaCloudshop has made available a combolist containing approximately 3,000 checked email credentials purportedly belonging to US-based users, dated April 17. The content is hidden behind a registration or login requirement on the forum. The actor promotes an external store at megacloudshop.top, suggesting this may be a promotional sample for commercial activity.
    Date: 2026-04-17T12:37:57Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-3K-USA-Fresh-Checked-Mail-Access-17-04
    Screenshots:
    None
    Threat Actors: MegaCloudshop
    Victim Country: United States
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  141. Alleged leak of Japanese email access credentials
    Category: Combo List
    Content: A threat actor operating under the alias MegaCloudshop has made available a combolist of approximately 6,000 Japanese email credentials, described as fully valid mail access entries. The content is hidden behind a registration/login wall on the forum and is associated with a storefront at megacloudshop.top. No specific victim organization or service has been identified.
    Date: 2026-04-17T12:19:27Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-6K-JAPAN-Just-Full-Valid-Mail-Access-17-04
    Screenshots:
    None
    Threat Actors: MegaCloudshop
    Victim Country: Japan
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  142. Alleged leak of 6,000 Japanese email account credentials
    Category: Combo List
    Content: A threat actor on the CrackingX forum has shared a list of approximately 6,000 Japanese email account credentials, described as fully valid mail access. The data was made available to registered forum users as of April 17th. The specific email providers or organizations affected are not identified in the post.
    Date: 2026-04-17T12:19:01Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72378/
    Screenshots:
    None
    Threat Actors: MailAccesss
    Victim Country: Japan
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  143. Alleged leak of 23,000 German email credentials
    Category: Combo List
    Content: A threat actor operating under the alias MegaCloudshop has made available a combolist containing approximately 23,000 German email credentials with claimed full mail access. The post is dated April 17 and the content is hidden behind a login/registration wall on the forum. The actor promotes their store at megacloudshop.top, suggesting this may also be part of a broader commercial offering.
    Date: 2026-04-17T12:18:45Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-23K-Germany-Full-Mail-Access-Top-Quality-17-04
    Screenshots:
    None
    Threat Actors: MegaCloudshop
    Victim Country: Germany
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  144. Alleged leak of 23,000 German email account credentials
    Category: Combo List
    Content: A threat actor operating under the alias MailAccesss has shared a list of approximately 23,000 full mail access credentials targeting German email accounts on a cracking forum. The post, dated April 17, is described as top quality and provides full mail access, suggesting valid email address and password combinations. The content is made available to registered forum users at no stated cost.
    Date: 2026-04-17T12:18:26Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72379/
    Screenshots:
    None
    Threat Actors: MailAccesss
    Victim Country: Germany
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  145. Alleged leak of corporate combolist containing business credentials
    Category: Combo List
    Content: A threat actor operating under the alias CODER has made available a combolist purportedly containing 7 million corporate and business leads via Telegram channels. The post, shared on the cracking forum CrackingX, directs users to a Telegram handle (CODER5544) and two Telegram groups for free access to the credential list and associated tools. No specific victim organization or country has been identified.
    Date: 2026-04-17T12:17:50Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72380/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Unknown
    Victim Site: Unknown
  146. Alleged leak of Russian email and password credentials
    Category: Combo List
    Content: A threat actor known as CobraEgy has made available a combolist of approximately 2.7 million email and password credential pairs allegedly associated with Russian users. The content is described as fresh and high quality, and is being distributed freely via a hidden download link on DemonForums. The post also references a Telegram channel, Maxi_links, as a source for additional combolists.
    Date: 2026-04-17T12:17:43Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-2-712-K-%E2%9C%A6-Russia-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-17-4-2026-%E2%9C%A6%E2%9C%A6
    Screenshots:
    None
    Threat Actors: CobraEgy
    Victim Country: Russia
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  147. Alleged leak of banking session cookies in two parts
    Category: Data Leak
    Content: A threat actor operating under the alias bluestarcrack has shared what are alleged to be session cookies associated with banking institutions, distributed in two parts via an external file hosting service. The post appears to offer free access to the cookie files through uploadery.com. Session cookies of this nature can potentially be used for account takeover attacks against banking customers.
    Date: 2026-04-17T12:13:17Z
    Network: openweb
    Published URL: https://breached.st/threads/cookies-banks-1-and-2-parts.86048/unread
    Screenshots:
    None
    Threat Actors: bluestarcrack
    Victim Country: Unknown
    Victim Industry: Banking & Finance
    Victim Organization: Unknown
    Victim Site: Unknown
  148. Alleged Initial Access to Movistar Peru Administrator Panel
    Category: Initial Access
    Content: A threat actor operating under the alias 0miedoPenta has claimed access to an administrator panel belonging to Movistar Peru, a major telecommunications provider. The actor alleges the panel exposes user information and account management capabilities with minimal security controls in place. The post suggests unauthorized access to sensitive customer data and administrative functions, though no explicit sale price or data volume was mentioned.
    Date: 2026-04-17T12:11:44Z
    Network: openweb
    Published URL: https://breached.st/threads/access-to-the-movistar-peru-administrator.86047/unread
    Screenshots:
    None
    Threat Actors: 0miedoPenta
    Victim Country: Peru
    Victim Industry: Telecommunications
    Victim Organization: Movistar Peru
    Victim Site: movistar.com.pe
  149. Website Defacement of D-Link India Security Portal by systemdarkdenied
    Category: Defacement
    Content: On April 17, 2026, a threat actor operating under the handle systemdarkdenied defaced the security subdomain of D-Link India's official website, targeting the page at security.dlink.co.in/indexKK.html. The attack was conducted on a Linux-based server and represents a single, targeted defacement rather than a mass or home page defacement. No specific motive or team affiliation was disclosed by the attacker.
    Date: 2026-04-17T12:05:49Z
    Network: openweb
    Published URL: https://haxor.id/archive/mirror/248583
    Screenshots:
    None
    Threat Actors: systemdarkdenied
    Victim Country: India
    Victim Industry: Technology / Networking Hardware
    Victim Organization: D-Link India
    Victim Site: security.dlink.co.in
  150. Website Defacement of sitebuild1001.com by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor operating under the handle DimasHxR defaced a media subdirectory of sitebuild1001.com. The attack was a targeted single-site defacement with no team affiliation reported. Server and infrastructure details were not disclosed in the available intelligence.
    Date: 2026-04-17T12:05:02Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/840107
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Web Development / Hosting
    Victim Organization: SiteBuild1001
    Victim Site: www.sitebuild1001.com
  151. Website Redefacement of Wood Flower Cottage by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, threat actor DimasHxR defaced the website woodflowercottage.com, targeting a subdirectory of what appears to be a cottage or hospitality-related website. This incident is recorded as a redefacement, indicating the site had been previously compromised by the same or another attacker. The attacker operated independently without an affiliated team, and technical details such as server software and IP address were not disclosed.
    Date: 2026-04-17T12:03:31Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/840138
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Hospitality / Tourism
    Victim Organization: Wood Flower Cottage
    Victim Site: woodflowercottage.com
  152. Website Defacement of Sidex by Threat Actor DimasHxR
    Category: Defacement
    Content: On April 17, 2026, threat actor DimasHxR defaced a page on the Spanish website sidex.es, targeting a media/customer directory path. The defacement was a single-target, non-mass incident with no team affiliation reported. No specific motive or server details were disclosed.
    Date: 2026-04-17T12:02:00Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/840104
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Spain
    Victim Industry: Retail / E-Commerce
    Victim Organization: Sidex
    Victim Site: www.sidex.es
  153. Website Defacement of TUCCH by Threat Actor DimasHxR
    Category: Defacement
    Content: On April 17, 2026, threat actor DimasHxR defaced a media/customer directory page on www.tucch.com, a website associated with TUCCH, a company known for producing phone cases and accessories. The defacement was a targeted, non-mass incident affecting a subdirectory rather than the homepage. No team affiliation, specific motive, or technical details regarding the server environment were disclosed.
    Date: 2026-04-17T12:01:05Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/840118
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Retail / E-Commerce
    Victim Organization: TUCCH
    Victim Site: www.tucch.com
  154. Website Defacement of Walkicity by Threat Actor DimasHxR
    Category: Defacement
    Content: Threat actor DimasHxR defaced the website walkicity.com, targeting a subdirectory within the media/custom path. This incident is recorded as a redefacement, indicating the site had been previously compromised by the same or another actor. The attacker operated without an affiliated team, and no specific motive or proof-of-concept was disclosed.
    Date: 2026-04-17T11:59:47Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/840128
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Travel / Local Services
    Victim Organization: Walkicity
    Victim Site: walkicity.com
  155. Alleged Leak of Educational Sector Combolist by Threat Actor zod
    Category: Combo List
    Content: A threat actor operating under the alias zod has made available an educational sector combolist containing approximately 111,935 credential pairs on the cracking forum CrackingX. The leak is distributed via a Telegram channel (@zoooddddd) and requires forum registration to access the download password. The combolist appears to target educational institutions, though specific organizations or countries affected are not identified.
    Date: 2026-04-17T11:58:17Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72376/
    Screenshots:
    None
    Threat Actors: zod
    Victim Country: Unknown
    Victim Industry: Education
    Victim Organization: Unknown
    Victim Site: Unknown
  156. Alleged leak of mixed country SMTP combolist with 11 million credentials
    Category: Combo List
    Content: A threat actor operating under the alias CODER is distributing a mixed-country SMTP combolist allegedly containing 11 million credential pairs via Telegram. The content is gated behind registration on the cracking forum but is being made available for free through associated Telegram channels. No specific victim organization or targeted sector has been identified.
    Date: 2026-04-17T11:57:42Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72377/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  157. Alleged leak of session cookies for Costco, Target, Shein and other retailers
    Category: Data Leak
    Content: A threat actor operating under the alias bluestarcrack on the Breached forum has shared what are claimed to be session cookies associated with multiple retail platforms including Costco, Target, and Shein. The files were made available via an external file hosting service (uploadery.com). Session cookies of this nature can be used to hijack authenticated user sessions without requiring passwords.
    Date: 2026-04-17T11:53:34Z
    Network: openweb
    Published URL: https://breached.st/threads/cookies-costco-target-shein-more.86045/unread
    Screenshots:
    None
    Threat Actors: bluestarcrack
    Victim Country: Unknown
    Victim Industry: Retail
    Victim Organization: Costco, Target, Shein and others
    Victim Site: costco.com, target.com, shein.com
  158. Website Defacement of Pharmedica by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a media/customer-facing page on pharmedica.com. The attack was a targeted, single-site defacement with no team affiliation reported. Technical details such as the web server, IP address, and exploitation method remain unknown.
    Date: 2026-04-17T11:53:24Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839791
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Pharmaceutical / Healthcare
    Victim Organization: Pharmedica
    Victim Site: pharmedica.com
  159. Website Defacement of Outpro.ee by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a media/customer directory path on the Estonian website outpro.ee. The attack was a targeted single-site defacement, with no team affiliation reported. No specific motive or technical details regarding the server environment were disclosed.
    Date: 2026-04-17T11:52:29Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839775
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Estonia
    Victim Industry: E-commerce / Retail
    Victim Organization: Outpro
    Victim Site: outpro.ee
  160. Website Defacement of Rogers Stationery by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the website rogersstationery.com was defaced by a threat actor operating under the handle DimasHxR, acting independently without a team affiliation. The defacement targeted a media/customer subdirectory path and was neither a mass nor a redefacement event, suggesting a targeted opportunistic attack against this retail stationery business.
    Date: 2026-04-17T11:51:38Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839826
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Retail / Stationery
    Victim Organization: Rogers Stationery
    Victim Site: rogersstationery.com
  161. Website Defacement of Santehart by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a subdirectory of santehart.com, a website associated with health-related services based on the domain name. The defacement targeted a specific media or custom content path rather than the homepage, suggesting exploitation of a vulnerable file upload or CMS misconfiguration. No group affiliation, stated motive, or technical server details were disclosed.
    Date: 2026-04-17T11:50:39Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839838
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Healthcare
    Victim Organization: Santehart
    Victim Site: santehart.com
  162. Website Defacement of StagedStewart by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the website stagedstewart.com was defaced by a threat actor operating under the alias DimasHxR, acting independently without affiliation to a known group. The attack targeted a subdirectory of the domain and was neither a mass nor a redefacement incident. Server and infrastructure details were not disclosed in available reporting.
    Date: 2026-04-17T11:49:41Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839952
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Staged Stewart
    Victim Site: stagedstewart.com
  163. Website Defacement of moob.ee by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, threat actor DimasHxR defaced a publicly accessible media directory on moob.ee, an Estonian e-commerce website running Magento (indicated by the /pub/media/customer path). The defacement targeted a non-homepage URL within the site's customer media upload directory, suggesting exploitation of an insecure file upload or directory misconfiguration. The attacker operated independently without affiliation to any known group.
    Date: 2026-04-17T11:48:47Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839370
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Estonia
    Victim Industry: E-Commerce / Retail
    Victim Organization: Moob
    Victim Site: moob.ee
  164. Website Defacement of Remorque Gator by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the website remorquegator.com was defaced by the threat actor DimasHxR acting independently without a team affiliation. The attacker targeted a subdirectory of the site, likely exploiting a vulnerability in the web application or CMS. This was a single targeted defacement, not part of a mass or repeated defacement campaign.
    Date: 2026-04-17T11:48:06Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839817
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Automotive / Towing Services
    Victim Organization: Remorque Gator
    Victim Site: remorquegator.com
  165. Website Defacement of Mecbay by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the attacker known as DimasHxR defaced a page on mecbay.com, targeting a customer address media path on the site. The defacement was a targeted single-page attack rather than a mass or home page defacement. No specific motive or team affiliation was attributed to the attacker.
    Date: 2026-04-17T11:47:11Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839332
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: E-Commerce / Retail
    Victim Organization: Mecbay
    Victim Site: mecbay.com
  166. Website Defacement of Riverdale Tool by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the threat actor DimasHxR defaced a page on riverdaletool.com, a tools and hardware retailer. The attack targeted a specific media path rather than the homepage, indicating a targeted sub-directory defacement. No team affiliation, stated motive, or server details were disclosed in connection with the incident.
    Date: 2026-04-17T11:46:15Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839822
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: United States
    Victim Industry: Retail / Tools & Hardware
    Victim Organization: Riverdale Tool
    Victim Site: riverdaletool.com
  167. Website Defacement of cbtg.pl by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a web page on the Polish domain cbtg.pl, targeting a subdirectory within the site's media path. The defacement was a single targeted incident, not part of a mass or home page defacement campaign. No specific motive or technical details were disclosed.
    Date: 2026-04-17T11:45:15Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839303
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Poland
    Victim Industry: Unknown
    Victim Organization: CBTG
    Victim Site: cbtg.pl
  168. Website Defacement of PharmcoHealth by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the threat actor DimasHxR defaced a media or custom content page on pharmcohealth.com, a website associated with the healthcare and pharmaceutical sector. The incident was a targeted single-page defacement, not classified as a mass or home page defacement. No specific motive or technical details regarding the server environment were disclosed.
    Date: 2026-04-17T11:44:30Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839787
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Healthcare / Pharmaceuticals
    Victim Organization: PharmcoHealth
    Victim Site: pharmcohealth.com
  169. Website Defacement of Pneufood.nl by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the Dutch website pneufood.nl was defaced by a threat actor operating under the alias DimasHxR. The attacker targeted a specific media directory path on the site. The incident was a single, targeted defacement with no team affiliation, mass defacement activity, or prior redefacement history reported.
    Date: 2026-04-17T11:43:32Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839797
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Netherlands
    Victim Industry: Food and Beverage / Retail
    Victim Organization: Pneufood
    Victim Site: pneufood.nl
  170. Website Defacement of Milenaria Chile by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a subdirectory of the Chilean website milenariachile.cl. The attack was a targeted, non-mass defacement affecting a specific media path rather than the homepage. No team affiliation, stated motive, or technical server details were disclosed in association with this incident.
    Date: 2026-04-17T11:41:58Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/839349
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Chile
    Victim Industry: Unknown
    Victim Organization: Milenaria Chile
    Victim Site: milenariachile.cl
  171. Website Defacement of Nowodvorski by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a subdirectory of the Romanian e-commerce website belonging to Nowodvorski Lighting, a lighting products manufacturer and retailer. The defacement targeted a specific media path within the site and was not classified as a mass or home page defacement. The attacker operated without an affiliated team, and no specific motive was disclosed.
    Date: 2026-04-17T11:35:52Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/838304
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Romania
    Victim Industry: Retail / Lighting Products
    Victim Organization: Nowodvorski Lighting
    Victim Site: www.nowodvorski.ro
  172. Alleged Data Breach of Crumbl LLC Employee and Customer Records
    Category: Data Breach
    Content: A threat actor on Breached forums is selling a database allegedly belonging to Crumbl LLC, a cookie franchise company. The database purportedly contains personal information of employees including names, phone numbers, email addresses, profile images, birthdays, job positions, and Firebase Cloud Messaging tokens, as well as customer records including names, emails, and phone numbers. The seller is asking $4,000 for the full database.
    Date: 2026-04-17T11:35:08Z
    Network: openweb
    Published URL: https://breached.st/threads/crumbl-llc.86044/unread
    Screenshots:
    None
    Threat Actors: spider321
    Victim Country: United States
    Victim Industry: Food & Beverage / Retail
    Victim Organization: Crumbl LLC
    Victim Site: crumbl.com
  173. Website Defacement of Luxyscent by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor operating under the alias DimasHxR defaced a media/custom subdirectory of luxyscent.com, a fragrance or beauty-related e-commerce website. The attack was a targeted single-page defacement and was not classified as a mass or home page defacement. No specific motivation or technical details regarding the server infrastructure were disclosed.
    Date: 2026-04-17T11:34:19Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/838303
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Retail / E-commerce (Fragrance/Beauty)
    Victim Organization: Luxyscent
    Victim Site: www.luxyscent.com
  174. Website Defacement of FamousToasteryBowl by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, a threat actor identified as DimasHxR defaced the website of FamousToasteryBowl, a food and beverage retail entity operating under a .shop domain. The attack was a singular, targeted defacement with no team affiliation reported. Server and infrastructure details were not disclosed in the incident record.
    Date: 2026-04-17T11:31:50Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/838302
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: Unknown
    Victim Industry: Food and Beverage / Retail
    Victim Organization: Famous Toastery Bowl
    Victim Site: www.famoustoasterybowl.shop
  175. Alleged cyber intrusion into GNS Cloud by Hanzaleh group exposing 112,000+ devices
    Category: Cyber Attack
    Content: The Hanzaleh (Hanzala) cyber group has claimed a repeated intrusion into the infrastructure of GNS Cloud, one of the largest cloud service providers. The group states it gained access to various sections of the company, extracting server-related data and user passwords, with over 112,000 devices and servers reportedly exposed. The group notes this access has been maintained for an extended period and was previously referenced in an operation named Martyr Reza Awadeh, which the company had denied. The claim is reported by Iranian cybersecurity news outlet Cyberban.
    Date: 2026-04-17T11:20:11Z
    Network: telegram
    Published URL: https://t.me/c/1283513914/21236
    Screenshots:
    None
    Threat Actors: حنظله
    Victim Country: Unknown
    Victim Industry: Cloud Services / IT Infrastructure
    Victim Organization: GNS Cloud
    Victim Site: Unknown
  176. Alleged leak of session cookies for OnlyFans, Binance, LinkedIn and other platforms
    Category: Data Leak
    Content: A threat actor operating under the alias bluestarcrack on Breached.st has made available session cookies for multiple platforms including OnlyFans, Binance, and LinkedIn, among others. The files are hosted on Uploadery, a third-party file hosting service. Session cookies can be used to hijack authenticated user sessions without requiring account passwords.
    Date: 2026-04-17T11:17:10Z
    Network: openweb
    Published URL: https://breached.st/threads/cookies-onlyfans-binance-linkedln-more.86043/unread
    Screenshots:
    None
    Threat Actors: bluestarcrack
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: OnlyFans, Binance, LinkedIn
    Victim Site: onlyfans.com, binance.com, linkedin.com
  177. Website Defacement of faef.com by Attacker ffd (Team: dfdf)
    Category: Defacement
    Content: On April 17, 2026, the website faef.com was defaced by an attacker identified as ffd, operating under the team dfdf. The attack targeted the homepage directly and was not part of a mass defacement campaign. No additional technical details such as server software, IP address, or motive were disclosed.
    Date: 2026-04-17T11:14:37Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/836801
    Screenshots:
    None
    Threat Actors: ffd, dfdf
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: faef.com
  178. Alleged leak of Hotmail credential samples
    Category: Combo List
    Content: A threat actor operating under the alias HollowKnight07 has made available a sample combolist of 585 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link, suggesting this is a sample release, potentially to build reputation or advertise a larger dataset. The credentials likely consist of email and password combinations targeting Microsoft Hotmail accounts.
    Date: 2026-04-17T11:02:26Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72373/
    Screenshots:
    None
    Threat Actors: HollowKnight07
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  179. Alleged leak of Hotmail credential combolist
    Category: Combo List
    Content: A threat actor using the handle UniqueCombo has made available a combolist allegedly containing 11,000 Hotmail email and password combinations on the cracking forum CrackingX. The post is behind a registration wall, limiting full visibility into the content. The credentials may have been aggregated from previous breaches or phishing campaigns targeting Hotmail users.
    Date: 2026-04-17T10:35:39Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72372/
    Screenshots:
    None
    Threat Actors: UniqueCombo
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft Hotmail
    Victim Site: hotmail.com
  180. Alleged leak of streaming and gaming platform cookies including Netflix, TikTok, and Steam
    Category: Data Leak
    Content: A threat actor operating under the alias bluestarcrack on the Breached forum has shared what are alleged to be session cookies for multiple platforms including Netflix, TikTok, and Steam, hosted via the Uploadery file sharing service. The post appears to offer free access to these cookies, which could be used for session hijacking to gain unauthorized access to victim accounts. No pricing or record count details were provided in the post.
    Date: 2026-04-17T10:32:04Z
    Network: openweb
    Published URL: https://breached.st/threads/cookies-netflix-tiktok-steam-more.86042/unread
    Screenshots:
    None
    Threat Actors: bluestarcrack
    Victim Country: Unknown
    Victim Industry: Technology / Entertainment
    Victim Organization: Netflix, TikTok, Steam
    Victim Site: netflix.com, tiktok.com, store.steampowered.com
  181. Alleged leak of corporate credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias CODER is distributing a corporate combolist via Telegram channels and a cracking forum. The combolist is being made available for free through two Telegram groups. No specific victim organization, record count, or geographic targeting information was disclosed in the post.
    Date: 2026-04-17T10:12:55Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72368/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  182. Alleged leak of 3ML Corp business combolist credentials
    Category: Combo List
    Content: A threat actor operating under the alias CODER has shared what is claimed to be a business combolist associated with 3ML Corp on the crackingx.com forum. The actor is distributing the credential list for free via Telegram channels and groups. No specific record count or victim domain has been disclosed in the post.
    Date: 2026-04-17T10:12:37Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72370/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: 3ML Corp
    Victim Site: Unknown
  183. Alleged Sale of BLACKNET-00 Malicious Tool
    Category: Malware
    Content: A threat actor operating under Infrastructure Destruction Squad is offering a tool called BLACKNET-00 for $200, with only 3 copies available in a 24-hour limited-time offer. The tool's name and context suggest it may be a malicious cyber tool. Contact is via @Destructionsqua.
    Date: 2026-04-17T10:12:31Z
    Network: telegram
    Published URL: https://t.me/c/2735908986/4007
    Screenshots:
    None
    Threat Actors: Infrastructure Destruction Squad
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  184. Alleged data leak of Chinese citizens and companies by threat actor ALTGIANT
    Category: Data Leak
    Content: A threat actor using the handle ALTGIANT claims to have published a large file (~11.6 GB) on the dark web containing sensitive data of Chinese individuals and companies. The alleged leak reportedly includes national ID card information, bank card details, and business records.
    Date: 2026-04-17T09:52:19Z
    Network: telegram
    Published URL: https://t.me/c/1283513914/21235
    Screenshots:
    None
    Threat Actors: ALTGIANT
    Victim Country: China
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  185. Alleged leak of mixed credential combolist with email inbox targets
    Category: Combo List
    Content: A threat actor on the cracking forum CrackingX has made available a mixed combolist of 5,247 alleged high-quality credential hits along with associated email inbox targets. The post offers free downloads of both the credential list and keyword targets, though no further details about the origin or targeted services are provided.
    Date: 2026-04-17T09:46:21Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72367/
    Screenshots:
    None
    Threat Actors: Hotmail Cloud
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  186. Alleged Sale of Fraudulent Passport and Driver's License Documents for Multiple Countries
    Category: Data Breach
    Content: A threat actor operating under the alias decipher is selling purportedly valid passport and driver's license scans and documents for any country, with pricing varying by country, state, or province. The actor claims the documents are genuine and not forged, and directs potential buyers to contact them via Telegram at @voxagon. The nature of the offering suggests either compromised identity documents or fraudulent reproductions being distributed through underground forums.
    Date: 2026-04-17T09:42:02Z
    Network: openweb
    Published URL: https://breached.st/threads/selling-valid-passport-drivers-licence-scans-docs-any-country.86041/unread
    Screenshots:
    None
    Threat Actors: decipher
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  187. Alleged leak of mixed access credentials combolist
    Category: Combo List
    Content: A threat actor known as COYTO has shared a mixed access combolist containing approximately 8,000 email and password combinations via a public paste service. The credentials appear to span multiple services or platforms, as indicated by the mixed access label. No specific victim organization or country has been identified.
    Date: 2026-04-17T09:11:21Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-8K-MIXED-ACCESS–200718
    Screenshots:
    None
    Threat Actors: COYTO
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  188. Alleged leak of Hotmail credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias snowstormxd has made available a combolist of alleged Hotmail credentials via a public paste site and a Telegram channel. The content is being distributed for free with no payment required. The origin and volume of the credential list are unknown.
    Date: 2026-04-17T09:10:48Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72364/
    Screenshots:
    None
    Threat Actors: snowstormxd
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  189. Alleged leak of Hotmail credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias alphaxdd has made available a combolist of 872 alleged valid Hotmail credentials on the cracking forum CrackingX. The post describes the credentials as premium hits associated with private cloud access and mixed mail types. The actor promotes contact via Telegram handle alphaaxd and offers a free download link.
    Date: 2026-04-17T09:10:32Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72366/
    Screenshots:
    None
    Threat Actors: alphaxdd
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  190. Alleged CCTV Network Compromise of Pearces Farm Shop and Cafe by NoName057(16)
    Category: Cyber Attack
    Content: Threat actor group NoName057(16) claims to have taken full control of the internal CCTV network of Pearces Farm Shop and Cafe in the UK, gaining real-time access to over 32 cameras. The attack is framed as politically motivated retaliation for British support of Ukraine, with hashtags #FuckEastwood, #TimeOfRetribution, and #OpUK. The group states this is just the beginning, suggesting further attacks may be planned against UK targets.
    Date: 2026-04-17T09:10:25Z
    Network: telegram
    Published URL: https://t.me/c/3087552512/1757
    Screenshots:
    None
    Threat Actors: NoName057(16)
    Victim Country: United Kingdom
    Victim Industry: Retail / Food & Beverage
    Victim Organization: Pearces Farm Shop and Cafe
    Victim Site: pearcesfarmshop.com
  191. Alleged OSINT Intelligence Gathering Bot Offering Personal Data Lookup Services
    Category: Data Breach
    Content: A Telegram-based OSINT bot named Dyxless is being advertised on a cracking forum, offering lookup services across aggregated data leaks including phone numbers, full names, vehicle records, facial recognition, email addresses, government documents, criminal records, and social media accounts. The bot claims to search across a large number of leaked databases and includes advanced search capabilities similar to known OSINT tools such as Himera, covering border crossings, call detail records,
    Date: 2026-04-17T09:10:20Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72365/
    Screenshots:
    None
    Threat Actors: Dyxless
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Unknown
    Victim Site: dyxlessbot.com
  192. Alleged leak of 694K URL:Login:Password credential combolist
    Category: Data Leak
    Content: A threat actor associated with X Forums has made available a credential combolist containing approximately 694,509 lines in URL:login:password format. The 47.55 MB file includes credentials associated with various platforms such as Facebook, Pastelink, and various web hosting services. The combolist appears to aggregate credentials from multiple sources and is being freely distributed via the forum.
    Date: 2026-04-17T08:43:38Z
    Network: openweb
    Published URL: https://xforums.st/threads/694k-lines-url-login-pass-by-x-forums.608674/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  193. Alleged leak of 790,000 URL credential combos across multiple platforms
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has made available a combolist containing approximately 790,000 URL:login:password credential combinations. The dataset includes credentials targeting multiple services such as Netflix, Max, DirecTV GO, Sodexo Club, and Claro, with sample entries suggesting a concentration of Latin American users. The file totals 60.73 MB and was shared as a free download via the forum.
    Date: 2026-04-17T08:42:24Z
    Network: openweb
    Published URL: https://xforums.st/threads/790k-lines-url-login-pass-by-x-forums.608675/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple (Netflix, DirecTV GO, Max, Sodexo, Claro)
    Victim Site: Unknown
  194. Alleged sale of counterfeit Ledger hardware wallets with embedded malicious chips and wireless modules
    Category: Malware
    Content: Threat actors, reportedly Chinese in origin, are selling counterfeit Ledger hardware cryptocurrency wallets through online marketplaces. The fake devices contain specially modified chips along with Wi-Fi and Bluetooth modules designed to steal seed phrases and silently exfiltrate funds from victims' wallets at any time.
    Date: 2026-04-17T08:42:18Z
    Network: telegram
    Published URL: https://t.me/c/1397463379/11137
    Screenshots:
    None
    Threat Actors: Unknown Chinese threat actors
    Victim Country: Unknown
    Victim Industry: Cryptocurrency / Financial Technology
    Victim Organization: Ledger
    Victim Site: ledger.com
  195. Alleged data breach of KANTAHKABBANJAR database
    Category: Data Breach
    Content: A threat actor operating under Rakyat Digital Crew claims to have successfully breached a database identified as KANTAHKABBANJAR (likely a government land office – Kantor Pertanahan Kabupaten Banjar, Indonesia). The stolen database is being made available for free download via MediaFire.
    Date: 2026-04-17T08:35:30Z
    Network: telegram
    Published URL: https://t.me/c/3755871403/238
    Screenshots:
    None
    Threat Actors: Rakyat Digital Crew
    Victim Country: Indonesia
    Victim Industry: Government
    Victim Organization: Kantor Pertanahan Kabupaten Banjar
    Victim Site: Unknown
  196. Alleged leak of multi-site credential combolist with 6 million entries
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has freely distributed a credential combolist containing approximately 6.1 million URL:login:password entries across multiple organizations and countries. Sample entries include targets such as an Argentine government portal, a Saudi insurance platform, a Philippine educational institution, a Chinese e-commerce app, and a travel booking site. The 350 MB plaintext file contains a mix of email addresses and usernames paired with passwords, suggesting aggrega
    Date: 2026-04-17T08:34:29Z
    Network: openweb
    Published URL: https://xforums.st/threads/6m-lines-url-login-pass-by-x-forums.608676/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Unknown
    Victim Site: Unknown
  197. Alleged ShinyHunters Threat Actor Official Contact & Infrastructure Announcement
    Category: Data Breach
    Content: The ShinyHunters threat actor group posted an official contact verification message warning about impersonators. The post includes their official web URL, onion blog address, PGP key, Telegram handle, email, Tox ID, and Session ID. They also promoted a DB+ Collector Individual Telegram group. The message warns against individuals named Mattys Savoie & James who allegedly misused their PGP key for ransom purposes.
    Date: 2026-04-17T08:32:49Z
    Network: telegram
    Published URL: https://t.me/c/3737716184/1308
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  198. Alleged leak of 862K URL:Login:Password credential combolist
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has made available a credential combolist containing 862,056 lines of URL:email:password combinations. The 51.47 MB file includes credentials associated with multiple services such as login.live.com, mega.nz, and humanatic.com, among others. The combolist appears to aggregate credentials from various sources and targets no single organization, suggesting it is a compiled multi-source credential dump.
    Date: 2026-04-17T08:31:40Z
    Network: openweb
    Published URL: https://xforums.st/threads/862k-lines-url-login-pass-by-x-forums.608677/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  199. Alleged leak of 918K URL:Login:Password credential combolist
    Category: Data Leak
    Content: A threat actor associated with X Forums has made available a credential combolist containing approximately 918,055 lines in URL:username:password format. The file, sized at 66.96 MB, includes credentials targeting multiple platforms such as Microsoft Live, GetResponse, Betano, and various corporate internal systems. The combolist appears to aggregate credentials from diverse sources across multiple countries and industries.
    Date: 2026-04-17T08:27:44Z
    Network: openweb
    Published URL: https://xforums.st/threads/918k-lines-url-login-pass-by-x-forums.608678/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  200. Alleged leak of multi-site credential combolist with 989K lines
    Category: Data Leak
    Content: A threat actor operating under X FORUMS has made available a credential combolist containing approximately 989,107 lines in URL:login:password format. The 59.65 MB file targets multiple organizations across various countries and industries, including telecom, government employment services, financial platforms, and gaming sites. The combolist was shared as a free download via the XForums platform with a Telegram backup channel.
    Date: 2026-04-17T08:24:29Z
    Network: openweb
    Published URL: https://xforums.st/threads/989k-lines-url-login-pass-by-x-forums.608679/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Unknown
  201. Alleged Source Code Leak of SigningHub File Signing Platform
    Category: Data Leak
    Content: Threat actor ShinyHunters has allegedly leaked the source code (SRC) of SigningHub, a file signing service. The leak is being made available for free download via a BreachForums thread.
    Date: 2026-04-17T08:24:05Z
    Network: telegram
    Published URL: https://t.me/c/3737716184/1307
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: Unknown
    Victim Industry: Software / Document Management
    Victim Organization: SigningHub
    Victim Site: Unknown
  202. Alleged Data Breach of Europol by ShinyHunters
    Category: Data Breach
    Content: Threat actor ShinyHunters claims to have leaked data from Europol, the European Union's law enforcement agency. The post includes a link to BreachForums where the alleged breach data is available for download at no cost.
    Date: 2026-04-17T08:22:48Z
    Network: telegram
    Published URL: https://t.me/c/3737716184/1305
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: European Union
    Victim Industry: Law Enforcement / Government
    Victim Organization: Europol
    Victim Site: europol.europa.eu
  203. Alleged defacement of South Sulawesi Provincial Education Department website
    Category: Defacement
    Content: Threat actor Babayo Eror System claims to have defaced the South Sulawesi Provincial Education Department website (disdik.sulselprov.go.id), posting a defacement page at the /berita/hacked-by-babayo-eror-system path.
    Date: 2026-04-17T08:22:27Z
    Network: telegram
    Published URL: https://t.me/c/3865526389/475
    Screenshots:
    None
    Threat Actors: Babayo Eror System
    Victim Country: Indonesia
    Victim Industry: Government
    Victim Organization: South Sulawesi Provincial Education Department (Disdik Sulsel)
    Victim Site: disdik.sulselprov.go.id
  204. Alleged Initial Access to Indonesian Government Education Portal disdik.sulselprov.go.id
    Category: Initial Access
    Content: A threat actor operating under the handle @DongHyunShiz is advertising unauthorized administrative access to the South Sulawesi Provincial Education Department website (disdik.sulselprov.go.id). The access reportedly includes capabilities to upload/edit news articles and content on the portal. The actor is offering this access for sale, with contact via Telegram.
    Date: 2026-04-17T08:17:48Z
    Network: telegram
    Published URL: https://t.me/c/3865526389/474
    Screenshots:
    None
    Threat Actors: DongHyunShiz
    Victim Country: Indonesia
    Victim Industry: Government – Education
    Victim Organization: Dinas Pendidikan Provinsi Sulawesi Selatan (South Sulawesi Provincial Education Department)
    Victim Site: disdik.sulselprov.go.id
  205. Alleged leak of 999K URL:Login:Password credential combolist
    Category: Data Leak
    Content: A threat actor on XForums has made available a credential combolist containing approximately 999,995 lines of URL:login:password combinations, totaling 45.89 MB. The combolist includes credentials associated with multiple platforms such as login.live.com, accounts.google.com, and various other websites. The file is offered as a free download to registered forum members.
    Date: 2026-04-17T08:14:51Z
    Network: openweb
    Published URL: https://xforums.st/threads/999k-lines-url-login-pass-part-1-by-x-forums.608680/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  206. Alleged CVV Trading Group Advertisement Promoting Carding Channel
    Category: Data Leak
    Content: Multiple messages advertising a CVV benefits chat group via Telegram handle @nzccg001, forwarded from NeZha CVV Support channel. CVV groups typically trade stolen credit card data including card numbers, expiry dates, and CVV codes for fraudulent purposes.
    Date: 2026-04-17T08:10:21Z
    Network: telegram
    Published URL: https://t.me/c/2613583520/64232
    Screenshots:
    None
    Threat Actors: NeZha CVV Support
    Victim Country: Unknown
    Victim Industry: Financial Services
    Victim Organization: Unknown
    Victim Site: Unknown
  207. Website Defacement of Realogistic by Threat Actor maw3six
    Category: Defacement
    Content: On April 17, 2026, threat actor maw3six defaced a page on realogistic.com, a logistics-related website hosted on a Linux server. The attack targeted a specific subpage rather than the homepage and was conducted as a solo effort with no affiliated team. The defacement was archived via haxor.id, indicating public disclosure of the compromise.
    Date: 2026-04-17T08:09:55Z
    Network: openweb
    Published URL: https://haxor.id/archive/mirror/248582
    Screenshots:
    None
    Threat Actors: maw3six
    Victim Country: Unknown
    Victim Industry: Logistics / Supply Chain
    Victim Organization: Realogistic
    Victim Site: realogistic.com
  208. Alleged sale of global credit card (CVV) combo lists across 180 countries
    Category: Combo List
    Content: A vendor operating as Xiao Blyat is advertising the sale of first and second-hand credit card data (CVV) targeting users across 180 countries, with primary focus on US, UK, Canada, France, Turkey, Malaysia, Singapore, Philippines, and India. The seller offers live-tested cards, bank selection, card type filtering, and deduplication services. Contact is via Telegram handle @vklmaythangcho. Payment testing and real-time verification screenshots are provided.
    Date: 2026-04-17T08:09:17Z
    Network: telegram
    Published URL: https://t.me/vklmtc/125
    Screenshots:
    None
    Threat Actors: Xiao Blyat
    Victim Country: Unknown
    Victim Industry: Financial Services
    Victim Organization: Unknown
    Victim Site: Unknown
  209. Alleged leak of 7.5 million URL:Login:Password credential combos by X Forums
    Category: Data Leak
    Content: A threat actor operating under X Forums has freely distributed a large combolist containing over 7.5 million URL:username/email:password credential combinations in a 514 MB text file. The combolist targets multiple services including Google accounts, gaming platforms, and various online portals. Sample entries suggest credentials belonging to individuals across multiple countries and platforms, making this a broad, non-targeted credential leak.
    Date: 2026-04-17T08:07:34Z
    Network: openweb
    Published URL: https://xforums.st/threads/7m-lines-url-login-pass-by-x-forums.608681/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  210. Alleged leak of 999K credential combolist across multiple platforms
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has made available a combolist containing approximately 999,992 lines of URL, login, and password combinations in a 91.85 MB text file. The credential pairs span multiple platforms and countries, including educational portals, gaming services, ERP systems, and adult content sites. The combolist was freely shared on the forum with a Telegram backup link and requires registration to download.
    Date: 2026-04-17T07:59:00Z
    Network: openweb
    Published URL: https://xforums.st/threads/999k-lines-url-login-pass-by-x-forums.608682/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Unknown
  211. Alleged leak of multi-site credential combolist containing ~997K URL:login:password entries
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has freely distributed a combolist containing approximately 997,569 lines of URL:username:password credentials. The file, sized at 58.30 MB, targets multiple websites and services across various sectors including entertainment, media, and forums. The credentials appear to be aggregated from multiple sources and are made available for free download via the forum, with a Telegram backup channel also referenced.
    Date: 2026-04-17T07:56:24Z
    Network: openweb
    Published URL: https://xforums.st/threads/997k-lines-url-login-pass-by-x-forums.608683/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Unknown
    Victim Site: Unknown
  212. Alleged leak of gaming platform credentials combolist (PSN, Xbox, Steam, Nintendo, Epic Games)
    Category: Combo List
    Content: A threat actor operating under the alias CODER is distributing a combolist of approximately 8 million credentials allegedly targeting multiple major gaming platforms including PlayStation Network, Xbox Live, Steam, Nintendo, and Epic Games. The credentials are being made available for free via Telegram channels and groups. The post promotes two Telegram channels for free combo distribution and program access.
    Date: 2026-04-17T07:54:42Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72354/
    Screenshots:
    None
    Threat Actors: CODER
    Victim Country: Unknown
    Victim Industry: Gaming & Entertainment
    Victim Organization: Sony Interactive Entertainment, Microsoft, Valve, Nintendo, Epic Games
    Victim Site: playstation.com, xbox.com, steampowered.com, nintendo.com, epicgames.com
  213. Alleged leak of Hotmail credential combolist
    Category: Combo List
    Content: A threat actor operating under the handle @Steveee36 has made available a combolist containing 743 alleged Hotmail credentials on the cracking forum CrackingX. The post offers a free download of the credential list, categorized as HQ (high quality), suggesting the credentials may be verified or active. The origin and method of collection of these credentials are unknown.
    Date: 2026-04-17T07:54:27Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72357/
    Screenshots:
    None
    Threat Actors: stevee36
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  214. Alleged leak of Gmail credentials combolist
    Category: Combo List
    Content: A threat actor known as D4rkNetHub has made available a combolist purportedly containing over 100,000 Gmail credentials on the cracking forum CrackingX. The post is gated behind registration, limiting full visibility into the content and validity of the claim. The data type is consistent with an email:password credential list targeting Gmail accounts.
    Date: 2026-04-17T07:54:01Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72359/
    Screenshots:
    None
    Threat Actors: D4rkNetHub
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Google
    Victim Site: gmail.com
  215. Alleged leak of 24.41 million URL:Login:Password credentials
    Category: Combo List
    Content: A threat actor operating under the alias Daxus has made available a combolist containing approximately 24.41 million URL:login:password credential pairs on the cracking forum CrackingX. The data is accessible via the Daxus.pro website and associated Telegram channel. No specific victim organization or targeted domain is identified, suggesting this is an aggregated credential list compiled from multiple sources.
    Date: 2026-04-17T07:53:43Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72363/
    Screenshots:
    None
    Threat Actors: Daxus
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  216. Alleged leak of Hotmail credential combolist
    Category: Logs
    Content: A threat actor known as UniqueCombo has shared an alleged combolist containing approximately 11,000 unique Hotmail credentials on an underground forum. The post, titled Hotmail Unique Combo_1_11000, suggests the credential list contains email and password pairs targeting Microsoft's Hotmail service. The content appears to have been made available as a free release based on the forum's context.
    Date: 2026-04-17T07:50:28Z
    Network: openweb
    Published URL: https://xforums.st/threads/hotmail-unique-combo_1_11000.608690/
    Screenshots:
    None
    Threat Actors: UniqueCombo
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  217. Alleged ShinyHunters Actor Identity Verification and BreachForums Platform Revival Announcement
    Category: Cyber Attack
    Content: A user claiming to be ShinyHunters posted a PGP key verification notice along with contact details (Telegram, email, Tox ID, Session ID), warning against impersonators named Mattys Savoie & James. Separately, BreachForums claims to be back online at breachforums.ai with new features including a credits system, rank perks, and anti-spam protections. The forum is promoting its clearnet and Tor links and requesting users to re-verify accounts banned during a security cleanup.
    Date: 2026-04-17T07:48:11Z
    Network: telegram
    Published URL: https://t.me/c/3500620464/6904
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  218. Alleged Doxxing of Threat Actor Knox aka DarkForums Owner
    Category: Cyber Attack
    Content: A post on the Breach channel exposes the alleged full identity of the threat actor known as Knox, Lucifer, Hritik, or AnonOne, identified as Hritik Kumbhar from Bolangir, Odisha, India. The post includes home address, phone numbers, mobile data IPs, school location, email addresses, social media profiles (GitHub, LinkedIn, Snapchat, Telegram, Discord), PayPal, and Discord/VPN-linked IPs. The post claims the DarkForums owner has targeted BreachForums users and clones, prompting this dox in retaliation.
    Date: 2026-04-17T07:46:58Z
    Network: telegram
    Published URL: https://t.me/c/3500620464/6900
    Screenshots:
    None
    Threat Actors: Knox
    Victim Country: India
    Victim Industry: Cybercrime
    Victim Organization: DarkForums
    Victim Site: Unknown
  219. Alleged leak of multi-platform credential combolist (Part 46) by X Forums
    Category: Data Leak
    Content: A threat actor operating under X FORUMS has made available a credential combolist containing approximately 1.27 million URL:login:password combinations as part of an ongoing series (Part 46). The 95.40 MB file includes credentials targeting multiple platforms such as Epic Games, Kaspersky, TikTok, and various WordPress installations. The combolist was distributed for free via the XForums cybercrime forum with a Telegram backup channel.
    Date: 2026-04-17T07:28:29Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-46-by-x-forums.608634/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Unknown
  220. Alleged leak of multi-platform credential combolist (Part 49) by X Forums
    Category: Data Leak
    Content: A threat actor operating under X Forums has made available a large credential combolist titled 1M Lines URL Login Pass Part 49, containing approximately 1.76 million URL:email/username:password combinations. Sample entries include credentials targeting multiple platforms such as Microsoft Live, Atlassian, IMDB, and Trello. The file, sized at 128.74 MB, was shared freely on the XForums threat actor forum with a Telegram backup channel.
    Date: 2026-04-17T07:20:21Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-49-by-x-forums.608635/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Unknown
  221. Alleged leak of multi-service credential combolist (Part 48) by X Forums
    Category: Data Leak
    Content: A threat actor operating under X Forums has freely distributed a credential combolist containing approximately 1.2 million URL:login:password combinations, totalling 91.47 MB. The combolist includes credentials for multiple services such as Netflix, Tinder, and Booking.com, with sample entries indicating Romanian-origin email addresses. The file is part of an ongoing series (Part 48) and is made available for free download on the XForums platform.
    Date: 2026-04-17T07:15:10Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-48-by-x-forums.608636/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Unknown
  222. Website Defacement of SlideTeam by DimasHxR
    Category: Defacement
    Content: On April 17, 2026, the threat actor DimasHxR defaced a page on SlideTeam (slideteam.net), a presentation and slide template platform. The attack targeted a specific media directory rather than the homepage, indicating a targeted file upload or directory traversal exploitation. No team affiliation, stated motivation, or server details were disclosed in connection with this incident.
    Date: 2026-04-17T07:14:09Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/836773
    Screenshots:
    None
    Threat Actors: DimasHxR
    Victim Country: United States
    Victim Industry: Technology / Digital Media
    Victim Organization: SlideTeam
    Victim Site: www.slideteam.net
  223. Alleged leak of multi-platform credential combolist (Part 52) by X Forums
    Category: Data Leak
    Content: A threat actor operating under X Forums has publicly distributed a credential combolist titled 1M Lines URL LOGIN PASS Part 52, containing approximately 1.8 million URL:login:password combinations in a 121 MB text file. The combolist includes credentials for multiple platforms such as Battle.net, Instagram, PDFDrive, and various other websites across multiple countries. The file was made available for free download on the XForums forum, with a Telegram backup channel referenced for redundanc
    Date: 2026-04-17T07:07:40Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-52-by-x-forums.608637/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Multiple Organizations
    Victim Site: Unknown
  224. Alleged leak of multi-platform credential combolist (1.4 million lines)
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has freely distributed a credential combolist containing approximately 1.4 million URL:username:password combinations. The file, titled 1M Lines URL LOGIN PASS PART 5, spans 83.50 MB and includes credentials associated with multiple platforms such as Google, IMDB, and various other services. The combolist appears to be part of an ongoing series of credential leaks shared on the XForums platform.
    Date: 2026-04-17T07:00:15Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-5-by-x-forums.608638/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Unknown
  225. Alleged leak of multi-platform URL credential combolist (Part 50) by X Forums
    Category: Data Leak
    Content: A threat actor operating under X Forums has freely shared a credential combolist containing approximately 1.59 million URL:login:password combinations as part of an ongoing series (Part 50). The leaked file, sized at 122.37 MB, includes credentials from multiple platforms such as Riot Games and what appears to be a Mexican university network (uasnet.mx). The combolist was made available for download on the XForums marketplace with a Telegram backup channel.
    Date: 2026-04-17T06:58:00Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-50-by-x-forums.608639/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  226. Alleged data leak activity by ShinyHunters on BreachForums
    Category: Data Leak
    Content: The ShinyHunters threat actor posted a message referencing uploaded content (threads) on breachforums.ai, advising users to access via Tor browser or VPN for anonymity. This suggests newly posted stolen data or breach disclosures on the forum.
    Date: 2026-04-17T06:57:27Z
    Network: telegram
    Published URL: https://t.me/c/3737716184/1291
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  227. Alleged leak of multi-platform credential combolist containing over 1 million URL:login:password combos
    Category: Data Leak
    Content: A threat actor on XForums has made available a combolist titled 1M Lines URL LOGIN PASS PART 51 containing over 1 million URL:username:password credential pairs. The 68.42 MB file includes credentials for multiple platforms such as Facebook, AnimeCix, and Magarajam, among others. The combolist appears to be part of an ongoing series and is freely distributed via the forum with a Telegram backup channel.
    Date: 2026-04-17T06:52:58Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-51-by-x-forums.608640/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Unknown
    Victim Site: Unknown
  228. Alleged leak of multi-platform credential combolist (1.3 million lines, Part 53)
    Category: Data Leak
    Content: A threat actor operating under X Forums has made available a credential combolist containing approximately 1.3 million URL:username:password combinations across multiple platforms, including Facebook, KuCoin, Swagbucks, and others. The file, labeled as Part 53 in an ongoing series, is 76.41 MB in size and was shared as a free download on the XForums cybercrime forum on April 17, 2026. The combolist targets users across multiple countries and industries, posing a significant credential stuffing
    Date: 2026-04-17T06:51:54Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-53-by-x-forums.608641/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Multiple
  229. Alleged leak of multi-platform credential combolist (Part 54) with 1 million entries
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has freely distributed a credential combolist containing approximately 1.14 million URL:username:password combinations. The dataset, labeled Part 54 in an ongoing series, includes credentials for multiple platforms such as Discord, Epic Games, Aternos, Optus, and Jellycat, suggesting aggregation from various sources. The file (70.83 MB) was made available for free download via the XForums forum with a Telegram backup channel.
    Date: 2026-04-17T06:43:13Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-54-by-x-forums.608642/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Multiple
  230. Alleged leak of multi-site credential combolist (Part 55) distributed on XForums
    Category: Data Leak
    Content: A threat actor operating under X FORUMS has made available a credential combolist containing over 1 million URL:login:password combinations as a free download on XForums. The 71.99 MB file, labeled as Part 55 in an ongoing series, contains credentials for various websites including services such as Magix, Surveoo, Patapain, Facebook, and Oursogo. The combolist appears to aggregate credentials from multiple sources and targets across different countries and industries.
    Date: 2026-04-17T06:41:50Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-55-by-x-forums.608643/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  231. Alleged leak of multi-site credential combolist (1M+ lines) distributed on XForums
    Category: Data Leak
    Content: A threat actor on XForums has made available a credential combolist titled 1M Lines URL LOGIN PASS Part 56, containing approximately 1.08 million URL:email:password combinations across multiple platforms. Sample entries include credentials for services such as Facebook, Battle.net, PayPal, and various regional sites. The file (79.86 MB) was freely distributed and appears to be part of an ongoing series of combolist releases.
    Date: 2026-04-17T06:32:49Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-56-by-x-forums.608644/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Multiple
  232. Alleged leak of multi-platform credential combolist (1M+ lines, Part 58)
    Category: Data Leak
    Content: A threat actor operating under X FORUMS has freely distributed a credential combolist containing over 1.45 million URL:username:password combinations as part of an ongoing series (Part 58). The combolist includes credentials for multiple platforms across various countries, including Microsoft Live, Netflix, and government/healthcare portals. The file is approximately 95.40 MB and is made available for free download via the XForums forum and a Telegram backup channel.
    Date: 2026-04-17T06:23:24Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-58-by-x-forums.608645/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  233. Alleged leak of multi-platform credential combolist (Part 57) by X Forums
    Category: Data Leak
    Content: A threat actor operating under X FORUMS has freely distributed a credential combolist containing approximately 1.2 million URL:login:password combinations as part of an ongoing series (Part 57). The 76.33 MB file includes credentials spanning multiple platforms such as Instagram, AliExpress, and various other services. The combolist was made available for free download to registered forum members, with a Telegram backup channel referenced.
    Date: 2026-04-17T06:20:36Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-57-by-x-forums.608646/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  234. Alleged leak of multi-platform credential combolist containing 1.15 million lines
    Category: Data Leak
    Content: A threat actor operating under X FORUMS has freely distributed a credential combolist titled 1M Lines URL LOGIN PASS PART 6 containing over 1.15 million URL:login:password combinations across multiple platforms. The 72.54 MB text file includes credentials for services such as Google Accounts, MeetMe, BreachForums, Shopify, and others, suggesting aggregation from multiple sources or prior breaches. The combolist was made available for free download via the XForums cybercrime forum with a Tele
    Date: 2026-04-17T06:11:43Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-6-by-x-forums.608647/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Multiple
  235. Website Defacement of Lebak Regency Government Portal by Mr.spongebob of Hackersec.ID
    Category: Defacement
    Content: On April 17, 2026, a threat actor operating under the alias Mr.spongebob, affiliated with the Indonesian hacking group Hackersec.ID, defaced a page on the official Lebak Regency Government website (lebakkab.go.id). The defacement targeted a specific page (readme.html) rather than the homepage, indicating a targeted intrusion on a Linux-based web server. The incident was archived and mirrored via haxor.id.
    Date: 2026-04-17T06:07:05Z
    Network: openweb
    Published URL: https://haxor.id/archive/mirror/248577
    Screenshots:
    None
    Threat Actors: Mr.spongebob, Hackersec.ID
    Victim Country: Indonesia
    Victim Industry: Government
    Victim Organization: Lebak Regency Government
    Victim Site: lebakkab.go.id
  236. Alleged leak of multi-platform credential combolist containing 1.5 million lines
    Category: Data Leak
    Content: A threat actor operating under X FORUMS has freely distributed a credential combolist titled 1M Lines URL LOGIN PASS PART 8 containing approximately 1.5 million URL:login:password combinations. The combolist includes credentials for multiple platforms such as Google, Adobe, and various other services, formatted as URL-login-password triplets. The file (91.29 MB) was made available for download on the XForums threat actor forum and is backed up via a Telegram channel.
    Date: 2026-04-17T06:05:00Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-8-by-x-forums.608648/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Multiple Organizations
    Victim Site: Unknown
  237. Alleged Sale of 4M+ K-12 Student Records from LAUSD and Edgenuity
    Category: Data Breach
    Content: A threat actor operating under the handle shinyc0rpsss is selling a database of over 4 million K-12 student records allegedly stolen from Los Angeles Unified School District (LAUSD) and Edgenuity via a Snowflake instance. The data reportedly includes student names, addresses, family information, demographics, financial details, grades, GPA, performance scores, medical and disability information, discipline records, and parent/student login credentials. The asking price is $150,000 USD. Contact is offered via XMPP, Telegram, and email.
    Date: 2026-04-17T06:02:21Z
    Network: telegram
    Published URL: https://t.me/c/3500620464/6887
    Screenshots:
    None
    Threat Actors: shinyc0rpsss
    Victim Country: United States
    Victim Industry: Education
    Victim Organization: Los Angeles Unified School District (LAUSD) / Edgenuity
    Victim Site: lausd.org
  238. Alleged leak of 1.19 million URL credential combos across multiple platforms
    Category: Data Leak
    Content: A threat actor on XForums has made available a combolist containing approximately 1.19 million URL:login:password credential combinations across multiple platforms and services. The file, sized at 69.63 MB, includes credentials for various websites spanning multiple industries and countries, including email-based and numeric login identifiers. The combolist is offered as a free download to registered forum members.
    Date: 2026-04-17T06:01:17Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-by-x-forums.608649/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Unknown
    Victim Site: Unknown
  239. Alleged leak of multi-platform credential combolist with 1.6 million lines
    Category: Data Leak
    Content: A threat actor on XForums has freely distributed a credential combolist titled 1M Lines URL Login Pass Part 7 containing approximately 1.65 million URL:username:password combinations across multiple platforms. Sample entries include credentials for accounts.epicgames.com, accounts.google.com, truckersmp.com, and enterprise.com, among others. The 98.79 MB text file was made available for free download on April 17, 2026, with a Telegram backup channel also referenced.
    Date: 2026-04-17T05:58:50Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-7-by-x-forums.608650/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple Sectors
    Victim Organization: Multiple Organizations
    Victim Site: Unknown
  240. Alleged leak of multi-platform credential combolist (1.5 million lines)
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has made available a credential combolist containing approximately 1.5 million URL:username:password combinations targeting multiple platforms including Discord, PayPal, Facebook, DirecTV Go, and Google. The file, sized at 91.49 MB, was shared as a free download on the XForums threat actor forum on April 17, 2026. The combolist appears to contain credentials from users across multiple countries, including Argentina and Mexico, suggesting aggregation from
    Date: 2026-04-17T05:52:25Z
    Network: openweb
    Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-9-by-x-forums.608651/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Multiple
  241. Alleged leak of 234K multi-platform credential combolist including Amazon, Facebook, and Microsoft accounts
    Category: Data Leak
    Content: A threat actor on XForums has freely distributed a combolist containing 234,225 URL:login:password credential pairs totaling 18.56 MB. The combolist targets multiple major platforms including Amazon AWS, Facebook, and Microsoft Live/Hotmail accounts. Credentials appear to be in plaintext and are available for free download via the forum.
    Date: 2026-04-17T05:45:53Z
    Network: openweb
    Published URL: https://xforums.st/threads/234k-lines-url-login-pass-by-x-forums.608652/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple (Amazon, Facebook, Microsoft)
    Victim Site: Multiple
  242. Alleged leak of multi-platform credential combolist with 285K lines
    Category: Data Leak
    Content: A threat actor affiliated with X Forums has made available a combolist containing approximately 285,208 URL:username:password credential pairs across multiple platforms. Sample entries include credentials for services such as TikTok, OpenAI, Facebook, and regional platforms. The 19.64 MB file was shared freely on the forum with a Telegram backup link, suggesting wide distribution intent.
    Date: 2026-04-17T05:43:29Z
    Network: openweb
    Published URL: https://xforums.st/threads/285k-lines-url-login-pass-by-x-forums.608653/
    Screenshots:
    None
    Threat Actors: X Forum Bot
    Victim Country: Unknown
    Victim Industry: Multiple
    Victim Organization: Multiple
    Victim Site: Unknown
  243. Alleged data breach of TEG.com.au – 30 Million Australian Ticket Vendor Users
    Category: Data Breach
    Content: A threat actor operating under the handle shinyc0rpsss is selling a dataset allegedly containing 30 million user records from TEG.com.au, an Australian ticket vendor. The data reportedly includes names, gender, business information, date of birth, usernames, and hashed passwords. The asking price is $20,000 USD with a middleman required for purchase. The listing is posted on BreachForums.
    Date: 2026-04-17T05:13:09Z
    Network: telegram
    Published URL: https://t.me/c/3500620464/6884
    Screenshots:
    None
    Threat Actors: shinyc0rpsss
    Victim Country: Australia
    Victim Industry: Entertainment / Ticketing
    Victim Organization: TEG
    Victim Site: teg.com.au
  244. Alleged Data Breach of Neiman Marcus — 182M Customer Profiles with Plaintext Credit Card Numbers for Sale
    Category: Data Breach
    Content: A threat actor operating under the handle shinyc0rpsss is selling alleged stolen data from Neiman Marcus, claimed to originate from a Snowflake environment. The dataset purportedly includes 182 million customer profiles with names, addresses, phone numbers, DOB, email, last 4 of SSN, last 4 of CC, and 3 million plaintext credit card numbers. Additional data includes 70M transactions, 50M customer emails with IP tracking, 12M gift card records, and 6 billion rows of shopping/employee/store data. The actor claims Neiman Marcus declined to pay for data security. Asking price is $50,000 USD, with an exclusive buyback option offered to Neiman Marcus. Middleman required.
    Date: 2026-04-17T05:08:10Z
    Network: telegram
    Published URL: https://t.me/c/3500620464/6882
    Screenshots:
    None
    Threat Actors: shinyc0rpsss
    Victim Country: United States
    Victim Industry: Retail
    Victim Organization: Neiman Marcus
    Victim Site: Unknown
  245. Alleged Doxxing of Threat Actor Knox (DarkForums Owner) by ShinyHunters
    Category: Data Leak
    Content: ShinyHunters has published detailed personal information (doxx) of a threat actor known as Knox, Lucifer, Hritik, or AnonOne, identified as the owner of DarkForums. The post claims this individual has been targeting BreachForums users and clones. Exposed information includes full name (Hritik Kumbhar), home address in Odisha, India, phone numbers, multiple email addresses, mobile data IPs, Discord and Telegram identifiers, and numerous social media profile links.
    Date: 2026-04-17T05:08:00Z
    Network: telegram
    Published URL: https://t.me/c/3737716184/1286
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: India
    Victim Industry: Cybercrime
    Victim Organization: DarkForums
    Victim Site: Unknown
  246. Alleged leak of Europe and USA combolists
    Category: Combo List
    Content: A threat actor on CrackingX forum has made available combolists claimed to be 100% valid and high quality, covering users from Europe and the United States. The post promotes the credential lists as free shared content targeting multiple regions. No specific organization, victim count, or additional details were provided in the post.
    Date: 2026-04-17T04:47:25Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72353/
    Screenshots:
    None
    Threat Actors: gsmfix
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  247. Alleged leak of WordPress credentials (URL:Login:Password combolist)
    Category: Combo List
    Content: A threat actor on the CrackingX forum has shared a combolist containing WordPress credentials in URL:Login:Password format. The post claims the credentials are valid and includes login information for multiple WordPress sites. No specific organizations, record counts, or countries are identified in the post.
    Date: 2026-04-17T04:30:35Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72352/
    Screenshots:
    None
    Threat Actors: gsmfix
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  248. Alleged defacement of advancebirdnetservices.com by OpsShadowStrike
    Category: Defacement
    Content: Hacktivist group OpsShadowStrike claims to have defaced the Indian website advancebirdnetservices.com, posting a defacement page at the /ops.html path. The group operates under pro-Palestinian and anti-Israel hacktivist motivations, using hashtags referencing SavePalestine and related causes.
    Date: 2026-04-17T04:15:32Z
    Network: telegram
    Published URL: https://t.me/c/3844432135/336
    Screenshots:
    None
    Threat Actors: OpsShadowStrike
    Victim Country: India
    Victim Industry: Unknown
    Victim Organization: Advance Bird Net Services
    Victim Site: advancebirdnetservices.com
  249. Alleged leak of phone number and password credential list
    Category: Combo List
    Content: A threat actor known as gsmfix shared what they claim to be a high-quality private combolist containing phone number and password credential pairs on a cracking forum. The post is labeled as HQ PRIVATE, suggesting the credentials may be of high quality or previously unreleased. No specific victim organization, country, or record count was identified in the post.
    Date: 2026-04-17T04:13:26Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72351/
    Screenshots:
    None
    Threat Actors: gsmfix
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  250. Alleged sale of stolen CVV payment cards via PepeCard store
    Category: Cyber Attack
    Content: A CVV card store called PepeCard is advertising stolen payment card data including CVV details. The store claims to have operated for over three years, offering 100,000+ card renewals daily across the US, Canada, the UK, and global regions. Card validity is claimed at 75-95%. US CVV cards start at $1, international cards at $1.50. The store operates via clearnet (pepecard.mobi) and a Tor hidden service, and claims to only charge for valid cards with free verification.
    Date: 2026-04-17T03:59:21Z
    Network: telegram
    Published URL: https://t.me/csa124wqe/4
    Screenshots:
    None
    Threat Actors: PepeCard
    Victim Country: Unknown
    Victim Industry: Financial Services
    Victim Organization: Unknown
    Victim Site: pepecard.mobi
  251. Alleged leak of mixed USA and Europe credential combolists
    Category: Combo List
    Content: A threat actor on the cracking forum CrackingX has shared what they describe as an exclusive mixed combolist containing credential hits from the United States and Europe. The post offers free access to the credential list, which appears to aggregate compromised email and password combinations from multiple sources. No specific victim organizations, record counts, or targeted industries have been identified.
    Date: 2026-04-17T03:43:32Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72350/
    Screenshots:
    None
    Threat Actors: gsmfix
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  252. Alleged leak of Hotmail credential combolist
    Category: Data Leak
    Content: A threat actor operating under the alias Adawongv1 has shared what is alleged to be a Hotmail combolist on the Breached forum. The post, titled CALIENTE (Spanish for hot), suggests the credential list is being made available to forum members. No additional details regarding record count or data origin were provided in the post.
    Date: 2026-04-17T03:39:06Z
    Network: openweb
    Published URL: https://breached.st/threads/hotmail.86040/unread
    Screenshots:
    None
    Threat Actors: Adawongv1
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  253. Alleged sale of mail account access and credential tools across multiple countries
    Category: Initial Access
    Content: A threat actor operating as Engineering (@EngineeringPhantom) is advertising compromised mail account access for France, Belgium, Australia, Canada, UK, US, Netherlands, Poland, Germany, and Japan. The offering includes configs, scripts, tools, hits, and combo lists, with live proof/test available on request. This appears to be an ongoing credential and initial access sales operation.
    Date: 2026-04-17T03:33:19Z
    Network: telegram
    Published URL: https://t.me/c/2613583520/64096
    Screenshots:
    None
    Threat Actors: Engineering
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  254. Alleged Data Breach and Sale of Neiman Marcus Customer Data by ShinyHunters
    Category: Data Breach
    Content: Threat actor group ShinyHunters claims to be selling a massive dataset stolen from luxury retailer Neiman Marcus after the company allegedly declined to pay a ransom. The dataset purportedly includes 182 million customer profiles with names, addresses, phone numbers, DOB, email, last 4 digits of SSN and CC; 3 million plaintext credit card numbers; 70 million transactions; 50 million customer emails and IP addresses; 12 million gift card records; and 6 billion rows of shopping/employee/store data. Asking price is $50,000 USD for exclusive purchase. Contact via XMPP, Telegram (@shinyc0rpsss), and email.
    Date: 2026-04-17T03:15:47Z
    Network: telegram
    Published URL: https://t.me/c/3737716184/1282
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: United States
    Victim Industry: Retail / Luxury Fashion
    Victim Organization: Neiman Marcus
    Victim Site: neimanmarcus.com
  255. Alleged Data Breach of Jollibee Foods Corporation – 32M Users and 650M Records for Sale
    Category: Data Breach
    Content: A threat actor operating under the handle shinyc0rpsss is selling an alleged database from Jollibee Food Delivery containing 32 million customer records (name, address, phone, email, hashed passwords) and approximately 600 million rows of transactional data including food delivery orders, sales, and service records. The asking price is $40,000 USD. Contact is offered via XMPP, Telegram, and email. The listing is posted on BreachForums.
    Date: 2026-04-17T03:11:01Z
    Network: telegram
    Published URL: https://t.me/c/3500620464/6880
    Screenshots:
    None
    Threat Actors: shinyc0rpsss
    Victim Country: Philippines
    Victim Industry: Food & Beverage / Fast Food
    Victim Organization: Jollibee Foods Corporation
    Victim Site: jollibee.com
  256. Alleged data breach of Cylance – 34M Customer, Partner, and Employee Records for Sale
    Category: Data Breach
    Content: Threat actor ShinyHunters is offering an alleged Cylance database for sale at $500,000 USD. The dataset reportedly contains 34 million customer and employee emails along with PII, products used by organizations, sales prospect lists with activity status, partner lists, and user lists. Contact is via XMPP, Telegram (@shinyc0rpsss), and email. A middleman is required for the transaction. The listing is posted on BreachForums.
    Date: 2026-04-17T03:10:55Z
    Network: telegram
    Published URL: https://t.me/c/3737716184/1281
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: United States
    Victim Industry: Cybersecurity
    Victim Organization: Cylance
    Victim Site: cylance.com
  257. Website Defacement of Rad-Hof by XYZ (Alpha Wolf Team)
    Category: Defacement
    Content: On April 17, 2026, the German website rad-hof.de was defaced by a threat actor identified as XYZ, operating under the team name Alpha Wolf. The attacker targeted a Linux-based web server hosting the site's index page. The incident was a single-site, non-mass defacement with no stated political or ideological motive recorded.
    Date: 2026-04-17T03:08:06Z
    Network: openweb
    Published URL: https://haxor.id/archive/mirror/248576
    Screenshots:
    None
    Threat Actors: XYZ, Alpha wolf
    Victim Country: Germany
    Victim Industry: Retail / Cycling
    Victim Organization: Rad-Hof
    Victim Site: rad-hof.de
  258. Website Defacement of Rad-Hof by XYZ (Alpha Wolf Team)
    Category: Defacement
    Content: On April 17, 2026, the German cycling retailer website rad-hof.de was defaced by a threat actor identified as XYZ, operating under the team name Alpha Wolf. The attack targeted the homepage (index.html) in a single-target defacement, with no indication of mass or repeated defacement activity. The mirror of the defaced page was archived at zone-xsec.com.
    Date: 2026-04-17T03:06:30Z
    Network: openweb
    Published URL: https://zone-xsec.com/mirror/id/836765
    Screenshots:
    None
    Threat Actors: XYZ, Alpha wolf
    Victim Country: Germany
    Victim Industry: Retail / Cycling
    Victim Organization: Rad-Hof
    Victim Site: rad-hof.de
  259. Alleged Data Breach of Advance Auto Parts – 380M Customer Records and 3TB of Snowflake Data for Sale
    Category: Data Breach
    Content: A threat actor operating under the handle shinyc0rpsss is selling an alleged 3TB dataset stolen from Advance Auto Parts' Snowflake environment. The data purportedly includes 380 million customer profiles (name, email, phone, address), 140 million customer orders, 44 million loyalty/gas card numbers, 358K employee records, employment candidate data including SSNs and driver's license numbers, transaction tender details, and over 200 database tables. The asking price has been reduced to $100,000 USD. Contact is via XMPP and Telegram, with a middleman required.
    Date: 2026-04-17T03:03:44Z
    Network: telegram
    Published URL: https://t.me/c/3500620464/6878
    Screenshots:
    None
    Threat Actors: shinyc0rpsss
    Victim Country: United States
    Victim Industry: Automotive Retail
    Victim Organization: Advance Auto Parts
    Victim Site: Unknown
  260. Alleged cyber attack by ShinyHunters group targeting Jaguar Land Rover via Salesforce supply chain
    Category: Cyber Attack
    Content: The ShinyHunters threat actor group is allegedly linked to Salesforce supply chain attacks and claims responsibility for a cyberstrike against Jaguar Land Rover. Media files and an external article from salesforceben.com corroborate the claim, indicating potential data exfiltration or system compromise via a third-party Salesforce supply chain vector.
    Date: 2026-04-17T03:03:29Z
    Network: telegram
    Published URL: https://t.me/c/3500620464/6871
    Screenshots:
    None
    Threat Actors: ShinyHunters
    Victim Country: United Kingdom
    Victim Industry: Automotive
    Victim Organization: Jaguar Land Rover
    Victim Site: Unknown
  261. Alleged Data Leak of Chinese ID Cards, Credit Cards, and Business Information (11.6 GB)
    Category: Data Leak
    Content: A threat actor operating under the alias ALTGIANT has made available an 11.6 GB archive purportedly containing Chinese citizens' ID cards, credit card information, and business records. The content is accessible to registered forum members at no stated cost. The source organization and specific record count have not been disclosed.
    Date: 2026-04-17T03:02:56Z
    Network: openweb
    Published URL: https://pwnforums.st/Thread-DOCUMENTS-CHINA-ID-Cards-Credit-Cards-Business-Information-11-6-GB–188390
    Screenshots:
    None
    Threat Actors: ALTGIANT
    Victim Country: China
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  262. Alleged leak of EDU sector combolist shared on cybercrime forum
    Category: Combo List
    Content: A threat actor operating under the alias IMROG has made available an alleged combolist targeting the education sector on a cybercrime forum. The post advertises the credentials as valid, hot, and fresh, suggesting recently verified email and password combinations. The actor promotes associated Telegram channels, likely for further distribution or community engagement.
    Date: 2026-04-17T02:18:28Z
    Network: openweb
    Published URL: https://pwnforums.st/Thread-EDU-Valid-Hot-Fresh-Combolist
    Screenshots:
    None
    Threat Actors: IMROG
    Victim Country: Unknown
    Victim Industry: Education
    Victim Organization: Unknown
    Victim Site: Unknown
  263. Alleged leak of mixed valid email access credentials (32,600 records)
    Category: Combo List
    Content: A threat actor operating under the alias redcloud has made available a combolist of approximately 32,600 allegedly valid email credentials on the cracking forum CX. The dataset is described as UHQ (ultra-high quality) and private, suggesting the credentials have been verified as active. The file is freely distributed via MediaFire, with the actor also providing a Telegram contact handle (@tutuba5m) for further communication.
    Date: 2026-04-17T01:52:50Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72348/
    Screenshots:
    None
    Threat Actors: redcloud
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  264. Website Defacement of Evaron by Threat Actor maw3six
    Category: Defacement
    Content: Threat actor maw3six defaced the Polish website evaron.pl on April 17, 2026, targeting a specific page (maw.html) rather than the homepage. The incident was an isolated, single-site defacement with no team affiliation reported. A mirror of the defaced page was archived at haxor.id.
    Date: 2026-04-17T01:37:34Z
    Network: openweb
    Published URL: https://haxor.id/archive/mirror/248575
    Screenshots:
    None
    Threat Actors: maw3six
    Victim Country: Poland
    Victim Industry: Unknown
    Victim Organization: Evaron
    Victim Site: evaron.pl
  265. Alleged leak of Hotmail credential combolist
    Category: Combo List
    Content: A threat actor operating under the alias noir has made available a combolist of allegedly valid Hotmail credentials on the cracking forum CX. The post claims the credentials are UHQ (ultra-high quality) and valid, stored on a private cloud. The actor can be contacted via Telegram at @NoirAccesss, though the content requires forum registration to access.
    Date: 2026-04-17T01:21:49Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72346/
    Screenshots:
    None
    Threat Actors: noir
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  266. Alleged leak of Hotmail credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias redcloud has made available a combolist of approximately 5,800 allegedly valid Hotmail credentials on the cracking forum CrackingX. The post is dated April 17, 2026, and the credential list is freely accessible via a MediaFire download link. The actor also provides a Telegram contact handle (@tutuba5m) for further communication.
    Date: 2026-04-17T01:21:35Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72347/
    Screenshots:
    None
    Threat Actors: redcloud
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft Hotmail
    Victim Site: hotmail.com
  267. Alleged Data Leak of National Public Data (NPD) Full Database
    Category: Data Leak
    Content: A threat actor operating under the alias Mnemonic has made available what is claimed to be the full National Public Data (NPD) database on a cybercrime forum. The archive is approximately 50 GB compressed and expands to roughly 277 GB across two parts in plain text format. The data is being offered as a free download to registered forum members.
    Date: 2026-04-17T00:56:20Z
    Network: openweb
    Published URL: https://pwnforums.st/Thread-DATABASE-National-People-Data-NPD-Full-Database
    Screenshots:
    None
    Threat Actors: Mnemonic
    Victim Country: United States
    Victim Industry: Data Broker / Information Services
    Victim Organization: National Public Data
    Victim Site: nationalpublicdata.com
  268. Alleged leak of 37,178 valid email access credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias VegaM has shared a combolist containing 37,178 allegedly valid email credentials on a cybercrime forum. The combolist, which consists of email and password pairs granting mail access, has been made available via an external paste link. No specific victim organization, industry, or country has been identified.
    Date: 2026-04-17T00:49:25Z
    Network: openweb
    Published URL: https://demonforums.net/Thread-Email-Pass-37-178-Valid-Mail-Access-Combolist
    Screenshots:
    None
    Threat Actors: VegaM
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown
  269. Alleged leak of Hotmail and Outlook credentials combolist
    Category: Combo List
    Content: A threat actor operating under the alias karaokecloud has made available a combolist containing 830 email:password credential pairs for Hotmail and Outlook accounts on the cracking forum CrackingX. The credentials are offered as a free download. The origin of the credentials is unknown and may be aggregated from multiple sources.
    Date: 2026-04-17T00:48:14Z
    Network: openweb
    Published URL: https://crackingx.com/threads/72345/
    Screenshots:
    None
    Threat Actors: karaokecloud
    Victim Country: Unknown
    Victim Industry: Technology
    Victim Organization: Microsoft
    Victim Site: hotmail.com
  270. Alleged sale of Android Remote Access Trojan targeting cryptocurrency and banking applications
    Category: Initial Access
    Content: A threat actor operating under the alias OnarDev is selling a feature-rich Android Remote Access Trojan (RAT) designed to target cryptocurrency and banking applications. The malware includes capabilities such as VNC-based remote control, accessibility-based keylogging, banking overlays (injects), ransomware, silent APK deployment, camera/microphone access, and credential harvesting. The tool is marketed with anti-detection features including APK encryption, obfuscation, and screen-hiding mechani
    Date: 2026-04-17T00:41:26Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-New-Android-RAT-for-Steal-Crypto
    Screenshots:
    None
    Threat Actors: OnarDev
    Victim Country: Unknown
    Victim Industry: Financial Services
    Victim Organization: Unknown
    Victim Site: Unknown
  271. Alleged Sale of SMS Verification and Virtual Card Services via Dark Forum
    Category: Initial Access
    Content: A dark forum user operating under the alias majorphones is advertising an SMS verification service utilizing real SIM cards, along with virtual credit cards (VCC) and API access. The service appears to be designed to facilitate account verification bypass or fraudulent account creation across various platforms. No specific victim organization or pricing details were disclosed in the available post content.
    Date: 2026-04-17T00:40:41Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-Selling-SMS-Verification-Service-Real-SIM-Cards-Virtual-Cards-VCC-API
    Screenshots:
    None
    Threat Actors: majorphones
    Victim Country: Unknown
    Victim Industry: Telecommunications / Financial Services
    Victim Organization: Unknown
    Victim Site: Unknown
  272. Alleged Data Leak of Credix Credit Service (Fibextelecom) Customer Records
    Category: Data Leak
    Content: A threat actor known as BaphyHack has freely leaked a database dump containing 44,548 records from Credix, a credit service operated by Venezuelan internet provider Fibextelecom. The leaked data includes full names, national ID document numbers, dates of birth, home addresses, states of residence, profession details, socioeconomic analysis fields, and verification tokens. The actor also claims to possess Base64-encoded photos of identity cards but has withheld those, and alleges an active securi
    Date: 2026-04-17T00:39:03Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-credix-net-Fibextelecom-credit-service-Data-leak-44548-rows-Venezuela
    Screenshots:
    None
    Threat Actors: BaphyHack
    Victim Country: Venezuela
    Victim Industry: Financial Services
    Victim Organization: Credix / Fibextelecom
    Victim Site: credix.net
  273. Alleged data leak of CONALEP de Morelos educational institution database
    Category: Data Leak
    Content: A threat actor known as Lvn4t1k0 has freely leaked an alleged database dump from CONALEP de Morelos, a Mexican vocational education institution. The leaked data reportedly includes personal information for both teachers and students, such as full names, email addresses, usernames, and plaintext passwords, with teacher records also containing RFC and CURP government identification numbers and phone numbers. The database was made available for free download via a file-sharing service, and login po
    Date: 2026-04-17T00:38:21Z
    Network: openweb
    Published URL: https://darkforums.su/Thread-DATABASE-Mexico-Database-Conalep-de-Morelos
    Screenshots:
    None
    Threat Actors: Lvn4t1k0
    Victim Country: Mexico
    Victim Industry: Education
    Victim Organization: CONALEP de Morelos
    Victim Site: conalepmorelos.edu.mx
  274. Alleged sale of mail access credentials and combo tools across multiple countries
    Category: Initial Access
    Content: A threat actor operating as @EngineeringPhantom is advertising the sale of mail account access for multiple countries including France, Belgium, Australia, Canada, UK, US, Netherlands, Poland, Germany, and Japan. The offering includes configs/scripts, tools, hits, combo lists, and custom requests. Proof/live testing is offered.
    Date: 2026-04-17T00:05:01Z
    Network: telegram
    Published URL: https://t.me/c/2613583520/64025
    Screenshots:
    None
    Threat Actors: EngineeringPhantom
    Victim Country: Unknown
    Victim Industry: Unknown
    Victim Organization: Unknown
    Victim Site: Unknown