1.0 Executive Summary and Methodology
This report provides an exhaustive, granular analysis of global cybersecurity incidents recorded on April 18, 2026. The data reflects a highly volatile threat landscape characterized by massive data breaches, widespread hacktivist defacement campaigns, the weaponization of zero-day vulnerabilities, and the unprecedented aggregation of stolen credentials. Threat actors such as ShinyHunters dominate the corporate extortion sphere, while groups like Umbra Community engage in rampant website defacements. Furthermore, the emergence of massive centralized data aggregation platforms signals a critical shift in how threat actors manage and monetize stolen personally identifiable information (PII). This report categorizes and analyzes these incidents to provide a comprehensive understanding of the current cyber threat environment.
2.0 Major Threat Actor Profiles and Operations
2.1 ShinyHunters: Corporate Extortion and Mega-Breaches
The threat actor group known as ShinyHunters demonstrated unparalleled activity on April 18, 2026, executing multiple high-profile data breaches and extortion campaigns. Their operations primarily target large corporations, often leveraging compromised Salesforce databases.
- Salesforce Infrastructure Compromise: ShinyHunters claims to have gained full access to Salesforce databases and internal systems. The actor stated they have not yet revealed all compromised data and intend to release it in stages via their dark web site. They issued a “pay or leak” ultimatum to Salesforce, threatening to publicly release sensitive data with explicit disregard for privacy implications.
- Multi-Organization Cloud CDN Sale: The group is advertising a cloud CDN service containing alleged stolen databases from high-profile organizations across multiple sectors, including Salesforce, Cisco, AT&T, Ticketmaster, Microsoft, Google, Victoria’s Secret, CrowdStrike, Santander, and CIC Vietnam. Access is offered at tiered pricing: $10,000 for lifetime access, $5,000 for 1-year access, and $2,500 for 9-month access.
- Targeted Corporate Extortion (Salesforce Tenants): The group utilized compromised Salesforce infrastructure to exfiltrate data from numerous corporate entities, issuing strict deadlines (April 21, 2026) for ransom payments:
  - 7-Eleven: Claimed compromise of over 600,000 Salesforce records containing PII and internal corporate data from 7-Eleven, Inc.
  - The Canada Life Assurance Company: Claimed compromise of over 5.6 million Salesforce records containing PII.
  - Pitney Bowes Inc.: Claimed compromise of over 25 million Salesforce records containing PII.
  - Aman Resorts: Claimed compromise of over 500,000 Salesforce records containing PII.
- Executed Leaks and Past Breaches:
  - Betterment: Claimed to have breached the investment platform Betterment on January 9, 2026, compromising over 39 million records. After Betterment refused a ransom offer (as low as $0.95 per active customer record), the group released a 4.5 GB decompressed dataset on January 23, 2026, containing approximately 1,435,141 unique email addresses, KYC information, Zendesk tickets, and HubSpot CRM dumps.
  - Alert 360 Opco Inc.: Claimed a breach of over 2.5 million records containing PII and internal corporate data (10GB+ compressed). Due to failed ransom negotiations, the data was publicly leaked via a direct download link, accompanied by a negotiation chatlog.
  - Edmunds.com: Claimed to have leaked over 30 million records from the automotive research platform, making it available for free download on BreachForums.
  - Carnival Corporation & plc: Claimed the exfiltration of over 8.7 million records containing PII and terabytes of internal corporate data.
- Other Significant Operations:
  - Mandarin (mandarin.br): Claimed possession of 10TB of data from the Brazilian organization.
  - Cisco Systems: Selling data allegedly stolen from Cisco for $210,000 USD. The data reportedly includes GitHub/GitLab projects, source code, hardcoded credentials, SSL/TLS certificates, API tokens, and AWS/Azure storage bucket contents. The actor claims production source code was taken from Verizon, AT&T, Bank of America, Barclays, Microsoft, T-Mobile USA, Chevron, SAP, Vodafone, and Equinix.
  - Gold Union (France): Selling a database of approximately 120,000 records from goldunion.fr for $50,000 USD, containing PII, passport documents, and transaction records.
  - BreachForums Database: Claimed to have leaked the BreachForums database pertaining to the BreachForums.as domain, offering a free download.
- The “Whale Private” Infrastructure: ShinyHunters is advertising a paid private Telegram channel named “Whale Private” offering approximately 75TB of CDN/BF data and 10TB of combo lists, stealer logs, and databases. Subscription tiers range from $250 for 3 months to $750 for lifetime access.
2.2 Advanced Vulnerability Exploitation: RedQueen
The threat actor operating under the alias RedQueen demonstrated highly advanced capabilities in zero-day discovery, malware development, and living-off-the-land (LotL) techniques.
- Automated LLM Zero-Day Pipeline: RedQueen claims to have built an automated pipeline named “DeepZero” utilizing LangChain, Ghidra, Semgrep, and Google Gemini 2.5 to scan Windows kernel drivers. The pipeline processed roughly 12,000 .sys files, triaging 7,463 unique candidates with reachable IOCTL attack surfaces. It allegedly identified a zero-day vulnerability in a signed ASUS kernel driver.
- ImageMagick Zero-Days: RedQueen published research from pwn.ai claiming the discovery of multiple zero-day vulnerabilities in ImageMagick affecting millions of servers, allowing arbitrary file read/write and remote code execution (RCE). Attack chains were demonstrated via SVG, PDF, and EPT image format handlers, bypassing secure configurations.
- DSCourier WinGet EDR Bypass: RedQueen published a technique dubbed DSCourier that weaponizes Windows Desired State Configuration (DSC) via WinGet’s COM API to achieve arbitrary code execution inside a Microsoft-signed process. This technique reportedly bypasses EDR solutions like CrowdStrike Falcon, Microsoft Defender, and Elastic Security by eliminating standard execution processes from the process tree.
- Telegram WebK Vulnerability (CVE-2024-33905): Disclosed an XSS vulnerability in Telegram WebK that allowed arbitrary JavaScript execution and full session hijacking by extracting session tokens from localStorage.
- Malware and Reconnaissance Tooling: RedQueen promoted an open-source Rust-based malware development repository containing over 60 offensive security techniques targeting Windows systems, including EDR/AMSI bypass and payload encryption. Additionally, they published a comprehensive 23-step attack reconnaissance workflow guide detailing subdomain enumeration, DNS exploitation, and directory fuzzing using tools like amass, subfinder, and nuclei.
- SSRF Exploitation (Starbucks): Highlighted a bug bounty researcher’s discovery of a Server-Side Request Forgery (SSRF) vulnerability on ideas.starbucks.com, leveraging historical DNS reconnaissance to access internal Starbucks infrastructure.
- SilentMoonwalk Call Stack Spoofing: Presented a proof-of-concept technique allowing malicious code to spoof arbitrary call stack frames during active execution, evading EDR and anti-cheat memory analysis.
3.0 Critical Infrastructure and State-Sponsored Activity
Attacks against critical national infrastructure (CNI) represent a severe escalation in the threat landscape, with incidents targeting energy, water, and telecommunications sectors.
3.1 Energy, Oil, and Water Sectors
- United States Energy Infrastructure: CNN reported that facilities related to oil, gas, and water in the United States were targeted by cyberattacks exceeding conventional military tools in scope. Industrial systems were disrupted, and some facilities were forced to revert to manual controls. Suspected Iranian involvement was noted.
- South Korean Wastewater Treatment Plant: The Z-Pentest Alliance gained full unauthorized access to the video surveillance system of a South Korean municipal wastewater treatment plant. The actors claimed the ability to view water quality analyzers, pumping stations, and control panels in real-time due to poor security protocols, utilizing the hashtag #OpSouthKorea.
- Istanbul Pumping Station: A threat actor operating under “Armenian code” claimed unauthorized access to the industrial control systems of the largest pumping station in Istanbul, Turkey. The actor asserted they disabled all pumps and disrupted operational systems.
- Ukraine Gas Reserves: Threat actor RubiconH4ck is selling an alleged 6.3TB database containing sensitive data related to Ukraine’s gas reserves from 2018 to 2025, including documents and system data, for $5,000.
3.2 Telecommunications and Aviation Infrastructure
- Australia NBN Co (National Broadband Network): Threat actor RubiconH4ck is selling 306 GB of sensitive operational data from NBN Co’s HFC and FTTC network infrastructure projects in Queensland for $5,000 USD. The dataset includes network maps, cable routes, and as-built documentation from 2017–2020.
- Claro El Salvador: The hacktivist group Anonymous Swiss claimed to have infiltrated Claro El Salvador’s telecommunications network, exfiltrating approximately 200GB of data including contracts and subscriber information.
- Conviasa Airlines (Venezuela): Threat actor GordonFreeman claims to have compromised Conviasa Airlines’ MAPAS-2 network and KIU terminal systems, exfiltrating 165GB of data including passenger name records (PNR) and flight plans. The actor claimed to establish firmware-level persistence on edge devices including ZyXEL and MikroTik equipment.
- Calix GPON Devices: Threat actor berz0k is selling an alleged pre-authenticated remote code execution (RCE) zero-day vulnerability targeting Calix GPON devices for $40,000, claiming approximately 10,000 exposed targets are identifiable via Shodan.
4.0 The Commoditization of Identity: Combolists and Data Aggregation
A dominant trend on April 18, 2026, was the massive distribution of credential combolists (username/email and password combinations), largely sourced from infostealer malware logs, alongside the emergence of centralized data intelligence platforms.
4.1 The DBIntelligence Platform
Reports surfaced regarding the formation of a project named DBIntelligence, which has aggregated leaked user data globally into a single centralized database.
- The system combines identity information with facial images, enabling rapid identification and linking individuals to online accounts.
- Over 11 billion records are stored in this collection, exceeding the global human population, as multiple data types are stored per individual. Security experts noted this poses a severe threat to privacy and security.
4.2 Massive Credential Aggregators and Stealer Logs
- Mustukaral (The Database Search Provider): This threat actor is distributing a 300GB collection and a separate 900GB/1.3TB collection of URL-login-password (ULP) combolists. Instead of mere file downloads, the actor provides access to an online search tool to query credentials, featuring auto-updates and country-based filtering.
- X FORUMS Bot Distributions: This automated or systemic actor released dozens of massive, multi-million line ULP (URL:Login:Password) combolists for free across multiple parts:
  - Part 1: 1.27 million lines (75.63 MB) targeting Walmart, Mail.ru, etc.
  - Part 3: 1 million lines (63.81 MB).
  - Part 29: 1.3 million lines (78.95 MB) targeting banking, government, and Microsoft Online.
  - Other major drops include 4.1 million lines, 4.3 million lines (including Brazilian platforms like JusBrasil), 568K lines (Vietnamese platforms), 620K lines, 651K lines (Brazilian government), 624K lines (Google, Instagram, Facebook), 668K lines, and 766K lines.
- HQcomboSpace: Focused on specific regional and sectoral targeting:
  - 1.17 million credentials targeting German (.de) domains.
  - 1.17 million credentials targeting mixed German targets.
  - 1.1 million German shopping credentials.
  - 450,474 German online shopping credentials.
  - 266,029 German shopping platform credentials.
  - 171,070 German mixed domain credentials.
  - 161,636 European education and shopping credentials.
  - 145,183 social, shopping, and education credentials.
  - 117,226 European education sector credentials.
  - 110,271 education (.edu) domain credentials.
  - 50,514 shopping and corporate credentials.
- thejackal101 (Geographic Targeting): Promoted via the Telegram channel @elite_cloud1, this actor released region-specific combolists:
  - 121,000+ Austrian credentials.
  - 84,000 Australian credentials.
  - 71,000 Belgian credentials.
  - 70,000 Argentine credentials.
  - 17,000+ Bangladesh credentials.
  - 11,000 Bolivian credentials.
  - 11,000 Belarusian credentials.
- el_capitan: Distributed massive lists including 1 million French credentials, 1 million Gmail credentials, 550,000 targeted Steam user credentials, 260,000 Canadian credentials, and 172,000 mixed credentials.
- CobraEgy: Focused on English and Vietnamese speaking regions, leaking 504,000 UK credentials, 78,000 Vietnamese credentials, and 43,000 US credentials.
- CODER: Distributed massive corporate and multi-provider lists, including 11 million Hotmail, Yahoo, and Orange credentials, 8 million mixed corporate domain credentials, 7 million business/corporate leads, and mixed education credentials.
- Other Significant Combolist Leaks:
  - Daxus: 27.54 million URL:login:password credential pairs.
  - mr_daadaa: 11 million ULP credentials from infostealer logs.
  - NightFall: 3.3 million mixed-email credential pairs.
  - Ra-Zi: 190,000 multi-platform credentials (Netflix, Minecraft, Steam) and 159,000 AT&T (att.net) credentials.
  - steeve75: 190,000 mixed email/password pairs across multiple international providers.
- Hotmail Targeting: A massive influx of specifically validated Hotmail credential lists was distributed by actors including ValidMail (40,000 forum-validated accounts), RandomUpload (17,000 fresh accounts), redcloud (5,500 UHQ accounts), and numerous smaller lists by Jelooos, He_Cloud, and alphaxdd. Threat actor “Vows” advertised a proxyless Hotmail credential checking tool supporting four APIs and inbox search features.
4.3 Initial Access Brokers and Stealer Logs
- D4RCK MAGICIAN: Advertised mail access for multiple countries (FR, BE, AU, CA, UK, US, NL, PL, DE, JP), along with configs, scripts, and credential hits.
- PORTAL: Offered RDP access for rental ($200) across major cloud providers (Azure, AWS, DigitalOcean), marketed for inbox/spam operations.
- Stealer Log Distributions: Massive stealer log collections were shared by actors like NEW_DAISYCLOUD (5,761 logs), fatetraffic (1,257 logs), and watercloud.
5.0 Government and Public Sector Compromises
Government infrastructure worldwide suffered significant breaches and data leaks, highlighting vulnerabilities in civil registries, municipal portals, and defense agencies.
5.1 Latin America
- Brazil:
  - CPF Database Sale: Threat actor Buddha is selling a database allegedly containing 251,720,444 Brazilian CPF (Cadastro de Pessoas Físicas) records for 500 USD in Bitcoin. The database includes full names, gender, DOB, parents’ names, and death flags; the record count exceeds the living population.
  - Correios (ECT): Threat actor breach3d is selling thousands of internal documents from Brazil’s national postal service, including financial records, logistics data, tracking data with employee IDs, and architectural blueprints of security-sensitive postal facilities.
  - Amapá State Government: ShinyHunters posted a reference to the official webmail portal (webmail.amapa.gov.br).
- Colombia: Threat actors NyxarGroup, ArcRaidersPlayer, and Petro_Escobar are selling a database from the Colombian Ministry of Interior’s civic participation e-learning platform, exposing user profiles with PII and geographic information.
- Argentina: Threat actor overdose4u is selling a database of 72 Argentine Air Force (FAA) personnel (active and retired) for $200 USD, allegedly obtained via physical access to FAA facilities, containing medical info and ranks.
5.2 Middle East
- Saudi Arabia:
  - TAMM Platform: Threat actor Moelester is selling an alleged database dump from the Saudi government services platform tamm.sa, containing approximately 317,000 contact and professional lead records including national ID/Iqama numbers and license expiry dates.
  - Taif Municipality: Threat actor RubiconH4ck is selling 12.3 GB of data exfiltrated from the Taif Municipality portal for $5,000, containing Saudi National ID scans, building certifications, and structural site plans.
- Iran: Threat actor Yakohomot is selling a 500MB database from the Iranian insurance platform Pisheaz for $15,000, containing sensitive personal and vehicle-related data (VIN, engine number).
- United Arab Emirates: A dataset allegedly belonging to the Dubai Health Authority (DHA) containing 836 files (passports, Emirates IDs, medical records) was listed for sale.
- Israel: Hacktivist group Anonymous For Justice claimed to have leaked legal case files, lawyers’ lists, and private conversations exposing corruption within a judicial/priestly leadership structure. The group also claimed access to Mossad databases, laboratories, and weapons-related plans.
5.3 Asia-Pacific
- Indonesia:
  - Ministry of Health (KEMKES): Threat actor BabayoErorSystem/BABAYO EROR SYSTEM leaked a database from the KEMKES Learning Management System containing 2.2 million user records.
  - TVRI (State Broadcaster): The same actor leaked employee data from the TVRI SIMPEG system, including training, assessment, and HR records for East Java provincial employees.
  - Postel Indonesia: Claimed breach of 15,677 records of training participants from serena.postel.go.id, offered for $100.
  - Sidoarjo Regency: Login credentials for the RDS portal were shared publicly.
- Japan: Threat actor Arnoldsudney leaked a dataset containing over 20,000 Japanese driver’s license records dated 2026.
- Pakistan: A threat actor claims to have infiltrated the Pakistan Nuclear Regulatory Authority (PNRA), offering internal employee records and nuclear facility information for sale.
5.4 United States & Europe
- United States:
  - City of Los Angeles Police Department: Threat actor Tanaka shared alleged sample data from a leak affecting the LAPD.
  - USA Fullz Database: Threat actor hexvior is selling a database of 71,367 US individuals’ “fullz” records containing SSNs, addresses, and driver’s license photocopies.
  - New York Drivers Licenses: Threat actor znper55 leaked alleged valid New York driver’s license data.
  - NASA: Threat actor Xyph0rix claimed a cyber attack against NASA, sharing a photo as proof via a Telegram channel.
- France: Threat actor breach3d is selling proprietary Smart Card Middleware Desktop software allegedly obtained from IN Groupe (the French state-owned entity issuing high-security identity documents), containing modules for smart card management and HID Global OMNIKEY integration. Threat actor ARPANET744 is selling French personal data.
6.0 Enterprise, Retail, and Consumer Data Breaches
Commercial sectors experienced significant data exfiltration, highlighting vulnerabilities in third-party supply chains, SaaS platforms, and e-commerce applications.
6.1 Retail and E-Commerce
- Bol.com (Belgium): Threat actor Jeffrey Epstein is selling a database dump containing 400,000 customer records from the marketplace, including national ID numbers, DOBs, and detailed shipping/order data.
- METRO Pakistan: Threat actor xklahadore is selling a database dump containing 425,000+ individual records and 611,000+ transaction records, including data from internal Super-Admin accounts.
- Japan Golf Company: Threat actor logggedout is selling over 1.7 million order and customer records from itoboriusa.com, including Amazon Japan and Yahoo Shopping marketplace transaction data.
- Electronic City (Indonesia): Threat actor gloriouspurposes leaked a sample of 54,000 customer records (from a total of 618,000) containing NIK identity numbers and order history. The same actor is selling real-time delivery orders (1,500–2,500 daily) from an unnamed Indonesian e-commerce platform.
- Tu Taxi Amigo (Ecuador): Threat actor potato26 leaked a database of 25,000 records including credit card details, driver credentials, and admin panel logins, while disclosing an exploitable SQL injection vulnerability in the backend API.
- Indian Fashion Retail Company: Threat actor Gohansan is selling a database of 4 million customer records from an unnamed retailer.
6.2 Financial Services and Cryptocurrency
- Kraken (USA): Threat actor Luckiest is allegedly selling a dataset of 5.3 million records from the cryptocurrency exchange.
- BitMart: Threat actor Pijush510 freely leaked a database containing approximately 657,000 email records associated with the crypto exchange.
- Credit Card Fraud Operations: Threat actor gadek is selling live, linkable credit cards and fraudulent financial transfer services (CashApp, PayPal, Zelle) via Telegram. Threat actor hallcityhub4 advertised cloned ATM cards with cashout values up to $6,000.
6.3 Construction and Tourism
- Hutchinson Builders (Australia): Threat actor RubiconH4ck is selling 71GB of confidential construction data for $10,000 USD in Bitcoin, including structural blueprints, risk registers, and geotechnical reports.
- Xcaret Group (Mexico): Threat actor s1ethx7z leaked transaction records, ticket images, and property details.
- Thailand Tourism Website: Threat actor Anonymous2090 claimed to have exfiltrated all databases (including MariaDB data_tour) from a travel website before taking it offline, sharing the password-protected archive freely.
6.4 Technology and Web Hosting
- Axmir (Germany): Threat actors NormalLeVrai and Near exfiltrated over 7.2 million database records and 18.2 GB of source code from the Axmir web hosting panel and associated registrars, defacing two subdomains.
- Intelligence X (Intelx.io): Threat actor Chamane99 is monetizing unauthorized access to a premium Intelx.io account by offering OSINT searches via screen-sharing for $15 per query.
7.0 Education and Healthcare Sector Breaches
Educational institutions and healthcare providers proved to be highly susceptible targets.
7.1 Education Sector
- Lebanese University: Threat actor Anonymous2090 leaked a student database (Faculty of Law and Political Science) containing PII, marital status, and academic course codes.
- Lagos State University (Nigeria): Threat actors NullsecNg and ki4t leaked databases containing staff, lecturer, and student matriculation details.
- i-learner.com.kh (Cambodia): Threat actor blackwinter99 leaked a 240MB database from the online education platform containing records of minors (hashed passwords, DOBs, school identifiers).
- CECyTE San Luis Potosi (Mexico): Threat actor Lvn4t1k0 leaked the full database, including administrator credentials.
- Sergio Bernales Garcia Institute (Peru): Threat actor 0xsurf leaked a collection of student photos.
- MTs Kabupaten Bintan (Indonesia): Threat actor CyphieNesia leaked student and parent records.
7.2 Healthcare Sector
- ICMR (India): Threat actor Solonik is selling Indian Council of Medical Research data linked to Aadhaar biometric records for $200.
- Health Information System of Lao PDR: Cyber attack claimed by Keymous.
- Honduras Integrated Health Information System (SIIS): Cyber attack claimed by Keymous+.
- Malaria Elimination Centre (Zambia): Cyber attack claimed by Keymous+.
8.0 Global Defacement Campaigns and Hacktivism
The volume of website defacements on April 18, 2026, was extraordinary, driven largely by specialized groups executing targeted single-site attacks rather than automated mass-defacements.
8.1 The Umbra Community / Nicotine Operations
The threat actor operating under the alias “Nicotine,” affiliated with the “Umbra Community” (and occasionally “L4663R666H05T”), executed a prolific, high-volume defacement campaign targeting dozens of websites globally, primarily focusing on altering the index.txt or specific index files of domains in India, Nepal, Saudi Arabia, and the United States.
- Indian Targets: Defacements included zybox.in, West Hill Interior (westhillinterior.com), Top Boys Boarding School (topboysboardingschool.in), Shreeya Fineries (shreeyafineries.in), saipay.in, prognamik.in (a redefacement indicating persistent access), Garuda News (garudanews.in), CBSE Residential School, Classic Pearls Parlour, Coeducational Boarding School, Key Elevators, 10x Capital, Astha Ayurveda, ayurock.in, and The Flag Company India (by DimasHxR).
- Nepalese Targets: Defacements targeted medical professionals and consultants, including drkapendra.com.np, drsudip.com.np, and Baama Consultant (baamaconsultant.com.np).
- Middle East Targets: Defacements included Saudi Arabian sites mawaared.sa and mawhoob.org.sa, the UAE site Horizon AE (redefacement), Moroccan marketplace marketmaroc.net, and Kuwaiti site Falcon Kuwait (by DimasHxR).
- Other Global Targets by Umbra/Nicotine: UMS Services, thetsquare.co (redefacement), Pure Living Science, NexDPTech, nooriik.com, neelnayak.online, Khara Volleyball, khleangsbaek.com (Cambodia), Kalas Dance Academy, Kanthi Resorts, Jefferson Land Properties (US), huda-kh.org, fspac.online, Forexailtd, fristdream.store, Geographic Travel (Georgia), drsivaprakash.com, drugrats.com, Eagle Eye Drone (US), Cinnamon Isle Travels, Aquatic Animals Info, Artisans Essence, Asset Lifeguard, ATS School, ArqMiguel3D, [suspicious link removed], 3downloadfile.com, AA LED (Canada), 3 Musketeers Fitness, 3D Agro Solutions (Nigeria), and 9archesbridge.com.
8.2 DimasHxR Defacements
Operating independently, DimasHxR targeted media/customer subdirectories (suggesting CMS vulnerabilities) on sites including: Nettunome.it (Italy), Bioline (Life Sciences), IGE.ie (Ireland), EgyGamer (Egypt), Haude.at (Austria), and Rootways.
8.3 maw3six Defacements
Threat actor maw3six targeted specific HTML files (maw.html) on cloud-hosted and Linux servers, including: Elevate Advisors (US), AUX Malaysia Dealers Conference, jega.vn (Vietnam), Ticketsupp, Zhicuhui (China), British Estate Mosque (UK), and Millennials CRM (India).
8.4 Hacktivism and Geopolitical Attacks
- Nullsec Philippines: Executed an anti-war hacktivist campaign against Brazilian government cultural mapping websites (#StopWar), defacing the federal Ministério da Cultura (mapa.cultura.gov.br) and numerous state/municipal portals (Ceará, Paraná, Rio de Janeiro, etc.) by uploading stopwar.html files, likely exploiting a file upload vulnerability in the Mapas Culturais platform.
- 313 Team: An Iraqi Islamic cyber resistance group affiliated with Beamed.SU (a DDoS service) announced threats against larger corporations, banks, and government infrastructure, citing geopolitical messaging around Palestine and Iran. They also announced a halted operation due to rapid defensive adjustments by a target.
- Other Defacements:
  - QATAR911 defaced Alpha Communication (Qatar) and Novo Banco (Portugal) via a compromised Chilean domain.
  - CYKOMNEPAL defaced hitiya.com (E-Commerce).
  - Pharaohs Team defaced the Bangladesh Navy military website (bsddhaka.navy.mil.bd) and sold access to Peruvian educational institutions.
  - LunarisSec attacked the University of Burgundy (France).
  - DEFACER INDONESIA TEAM / SILENT ERROR SYSTEM defaced giguy.net and ppdi.co.in.
  - DEWATA BLACKHAT executed a reflected XSS attack on lepassagetoindia.com.
  - Alpha Wolf (XYZ) defaced srocezinternet.sk (Slovakia).
  - AKATSUKI REBORN (SAM PABLO) defaced hg86c.com.
9.0 Summary of Operational Tooling and Malware
Beyond data theft, the dark web marketplaces facilitated the sale of offensive cyber capabilities:
- LulzSec Black CyberShop: Advertised offensive hacking tools including Cobalt Strike ($150), TargetFetcher ($65), CodeShieldPro ($35), AI Vulnerability Analyzer ($45), and Diecat ($25), with purchases tying into a giveaway for a NetBot subscription.
10.0 Conclusion
The cybersecurity threat landscape documented on April 18, 2026, underscores a deeply commercialized and aggressive underground economy. The activities of ShinyHunters highlight the severe systemic risk posed by the compromise of centralized SaaS platforms like Salesforce, allowing actors to execute synchronized extortion campaigns against multiple global enterprises simultaneously. Concurrently, the exponential growth in credential combolist distribution, culminating in the DBIntelligence project’s aggregation of 11 billion records, indicates that identity theft has moved from opportunistic harvesting to industrialized, searchable databases.
Critical infrastructure remains acutely vulnerable, as demonstrated by the attacks on US utilities and South Korean wastewater systems, showing that operational technology (OT) continues to suffer from poor security perimeters. Finally, the sheer volume of website defacements by actors like Umbra Community points to persistent, unpatched vulnerabilities in CMS and cloud-hosted environments worldwide. Mitigating these threats requires an immediate shift toward strict identity verification, hardware-bound authentication, and the aggressive patching of edge devices and third-party software supply chains.
Detected Incidents Draft Data
- Alleged data breach of Mandarin (mandarin.br) by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters claims to possess 10TB of data from mandarin.br, suggesting a large-scale data breach of the Brazilian organization.
Date: 2026-04-18T23:51:08Z
Network: telegram
Published URL: https://t.me/c/3737716184/1417
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Mandarin
Victim Site: mandarin.br
- Alleged cyber attack on Brazil Government – Amapá State Webmail
Category: Cyber Attack
Content: Threat actor ShinyHunters posted a reference to the official webmail portal of the Amapá state government (amapa.gov.br), suggesting a potential compromise or attack against Brazilian government infrastructure. The message implies this may be a significant or final action against the target.
Date: 2026-04-18T23:48:38Z
Network: telegram
Published URL: https://t.me/c/3737716184/1415
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Brazil
Victim Industry: Government
Victim Organization: Government of Amapá
Victim Site: webmail.amapa.gov.br
- Alleged data breach of tamm.sa exposing Saudi Arabian contact and professional lead data
Category: Data Breach
Content: A threat actor operating under the alias Moelester is selling an alleged database dump from tamm.sa, a Saudi Arabian government services platform. The dataset reportedly contains approximately 317,000 contact and professional lead records including fields such as national ID/Iqama numbers, mobile numbers, email addresses, license expiry dates, plate numbers, and organization commercial registration links. The actor is offering the data for purchase via Telegram and Session messaging, with foru
Date: 2026-04-18T23:47:51Z
Network: openweb
Published URL: https://breached.st/threads/317k-saudi-arabia-https-www-tamm-sa-contact-and-professional-lead-data-including-status-and-engagement-details.86082/unread
Screenshots:
None
Threat Actors: Moelester
Victim Country: Saudi Arabia
Victim Industry: Government Services
Victim Organization: TAMM
Victim Site: tamm.sa
- Alleged leak of German shopping-targeted credential combolist
Category: Combo List
Content: A threat actor known as HQcomboSpace has made available a combolist containing approximately 450,474 credential entries targeting European, specifically German, online shopping users. The file was shared via a Mega.nz download link on the CrackingX forum. No specific organization or platform is identified as the source of the credentials.
Date: 2026-04-18T23:36:49Z
Network: openweb
Published URL: https://crackingx.com/threads/72528/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail & E-Commerce
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach and Extortion Threat Against Salesforce by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters claims to have gained full access to Salesforce databases and internal systems. The actor states they have not yet revealed all compromised data, intending to release it in stages via their onion (dark web) site. They are issuing a pay or leak ultimatum, threatening to publicly release sensitive data if Salesforce does not comply, with explicit disregard for privacy implications.
Date: 2026-04-18T23:35:30Z
Network: telegram
Published URL: https://t.me/c/3737716184/1380
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology / SaaS / CRM
Victim Organization: Salesforce
Victim Site: salesforce.com
- Alleged Sale of Massive Multi-Organization Breach Data Collection by ShinyHunters
Category: Data Breach
Content: The ShinyHunters threat group is advertising a cloud CDN service containing alleged stolen databases from numerous high-profile organizations including Salesforce, Cisco, AT&T, Ticketmaster, Microsoft, Google, Victoria’s Secret, CrowdStrike, Santander, CIC Vietnam, and others across multiple countries. Access is offered at tiered pricing: $10,000 for lifetime access, $5,000 for 1-year access, and $2,500 for 9-month access. Contact is provided via Telegram, email, Tox, and Session IDs. The post references multiple breach forums including BreachForums, RaidForums, ExposeForums, PwnForums, and BreachStars.
Date: 2026-04-18T23:22:41Z
Network: telegram
Published URL: https://t.me/c/3737716184/1378
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Multiple
Victim Industry: Multiple sectors including Technology, Telecommunications, Finance, Retail
Victim Organization: Salesforce, Cisco, AT&T, Ticketmaster, Microsoft, Google, Victoria’s Secret, CrowdStrike, Santander, CIC Vietnam
Victim Site: Unknown
- Alleged Data Breach of BreachForums by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters claims to have leaked the BreachForums database, offering a free download via a post on BreachForums.ai. The leaked data allegedly pertains to the BreachForums.as domain.
Date: 2026-04-18T23:20:51Z
Network: telegram
Published URL: https://t.me/c/3737716184/1377
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Cybercrime Forum
Victim Organization: BreachForums
Victim Site: breachforums.as
- Alleged Data Breach of Betterment by ShinyHunters – 39M+ Records Leaked
Category: Data Breach
Content: ShinyHunters claims to have breached Betterment (betterment.com), an American investment platform, on January 9, 2026, compromising over 39 million records across 1,114 files. After Betterment refused to pay a ransom (offers as low as $0.95 per active customer record were rejected), the group publicly released the stolen data on January 23, 2026. The decompressed dataset is 4.5 GB (~1.6 GB compressed) and contains approximately 1,435,141 unique email addresses. Compromised data includes full names, usernames, email addresses, phone numbers, physical addresses, partial payment information, customer investments and balances, KYC information, Zendesk support tickets, HubSpot CRM dumps, and more.
Date: 2026-04-18T23:20:38Z
Network: telegram
Published URL: https://t.me/c/3737716184/1370
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Financial Services / Investment Platform
Victim Organization: Betterment
Victim Site: betterment.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist of alleged Hotmail credentials via a public paste site and a Telegram channel. The post offers free access to the credential list through two external links. No record count or additional context was provided in the original post.
Date: 2026-04-18T23:20:26Z
Network: openweb
Published URL: https://crackingx.com/threads/72526/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged Data Breach of Edmunds.com Exposing 30M+ Records
Category: Data Breach
Content: Threat actor ShinyHunters claims to have leaked over 30 million records from edmunds.com, a well-known automotive research platform. The data has been made available for free download via a post on BreachForums (breachforums.ai). No price is mentioned, indicating this is a free leak rather than a sale.
Date: 2026-04-18T23:19:53Z
Network: telegram
Published URL: https://t.me/c/3737716184/1375
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Automotive / Online Research
Victim Organization: Edmunds
Victim Site: edmunds.com
- Alleged sale of mail access, configs, and combolists by D4RCK MAGICIAN
Category: Logs
Content: A threat actor operating under the handle @D4RCKMAGICIAN is advertising mail access for multiple countries (FR, BE, AU, CA, UK, US, NL, PL, DE, JP), along with configs, scripts, tools, and credential hits/combos. Custom requests are accepted via Telegram contact.
Date: 2026-04-18T23:07:58Z
Network: telegram
Published URL: https://t.me/c/2613583520/65289
Screenshots:
None
Threat Actors: D4RCK MAGICIAN
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of multi-platform credential combolist targeting Netflix, Minecraft, Steam, and other services
Category: Combo List
Content: A threat actor known as Ra-Zi has shared a combolist of approximately 190,000 email:password credential pairs on DemonForums, allegedly targeting accounts on platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The credentials are being made available via a hidden download link requiring forum registration. The same actor is also advertising the sale of high-quality combolists through a Telegram channel and a dedicated website, offering credentials segmented by email provid
Date: 2026-04-18T23:01:54Z
Network: openweb
Published URL: https://demonforums.net/Thread-190k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–200903
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Entertainment, Gaming
Victim Organization: Netflix, Minecraft, Uplay, Steam, Hulu, Spotify
Victim Site: Unknown
- Alleged leak of 1,356 US mail access credentials combolist
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist containing 1,356 email credentials with mail access, targeting United States-based accounts. The list is being freely distributed via download on the cracking forum CrackingX. No specific organization or service provider has been identified as the source of the credentials.
Date: 2026-04-18T23:00:39Z
Network: openweb
Published URL: https://crackingx.com/threads/72523/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged distribution of 190,000-record mixed email and password combolist
Category: Combo List
Content: A threat actor operating under the alias steeve75 has made available a combolist containing approximately 190,000 email and password credential pairs on the cracking forum CrackingX. The combolist is described as high quality and mixed, targeting users across multiple email providers including AOL, Yahoo, Hotmail, and Outlook, spanning several countries including France, the United Kingdom, Germany, the United States, Spain, Italy, Canada, and Australia. The actor also advertises credential li
Date: 2026-04-18T23:00:25Z
Network: openweb
Published URL: https://crackingx.com/threads/72524/
Screenshots:
None
Threat Actors: steeve75
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor using the alias Jelooos has shared a combolist of alleged Hotmail credentials on a cracking forum, described as 2500x Full Valid hits. The post offers a free Hotmail checker tool alongside the credential list. The content requires registration to access, suggesting the actor is building forum reputation or community engagement.
Date: 2026-04-18T23:00:10Z
Network: openweb
Published URL: https://crackingx.com/threads/72525/
Screenshots:
None
Threat Actors: Jelooos
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged maintenance announcement by ShinyHunters for pwnforums
Category: Cyber Attack
Content: Threat actor ShinyHunters posted a maintenance notice referencing pwnforums, a known cybercriminal forum platform. The post includes a photo attachment suggesting a visual announcement of platform maintenance or downtime.
Date: 2026-04-18T22:55:51Z
Network: telegram
Published URL: https://t.me/c/3737716184/1374
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Online Forum
Victim Organization: pwnforums
Victim Site: Unknown
- Alleged Sale of Gold Buyers/Sellers Database from goldunion.fr – 120K Records (France)
Category: Data Breach
Content: Threat actor ShinyHunters is selling a database of approximately 120,000 records allegedly sourced from goldunion.fr, a French gold trading platform. The dataset is offered for $50,000 USD and contains sensitive customer PII including full names, email addresses, phone numbers, home addresses, government-issued ID and passport documents, as well as transaction records featuring pricing, estimated gold weights, invoice data, and photos of gold items and signatures. The data is in JSON format and includes records with transactions dated as recently as 2026. A middleman is required for the transaction.
Date: 2026-04-18T22:52:08Z
Network: telegram
Published URL: https://t.me/c/3737716184/1369
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: France
Victim Industry: Financial Services / Precious Metals Trading
Victim Organization: Gold Union
Victim Site: goldunion.fr
- Alleged Sale of Cisco Data Breach by ShinyHunters Including Source Code and Credentials from Multiple Major Corporations
Category: Data Breach
Content: Threat actor ShinyHunters is allegedly selling data stolen from Cisco for $210,000 USD. The compromised data reportedly includes GitHub/GitLab/SonarQube projects, source code, hardcoded credentials, SSL/TLS certificates, Jira tickets, API tokens, AWS and Azure storage bucket contents, Docker builds, and Cisco confidential documents. The actor claims production source code was taken from numerous high-profile companies including Verizon, AT&T, Bank of America, Barclays, Microsoft, T-Mobile USA, Chevron, SAP, Vodafone, Equinix, and others. Contact is via XMPP, Telegram (@shinyc0rpsss), and email. A middleman is required for purchase. The listing is posted on BreachForums.
Date: 2026-04-18T22:33:54Z
Network: telegram
Published URL: https://t.me/c/3737716184/1368
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology / Telecommunications
Victim Organization: Cisco
Victim Site: cisco.com
- Alleged leak of 27.54 million URL:Login:Password credentials
Category: Combo List
Content: A threat actor operating under the alias Daxus has made available a combolist containing approximately 27.54 million URL:login:password credential pairs on the cracking forum CrackingX. The data is being distributed via the actor’s dedicated platform at daxus.pro and associated Telegram channels. No specific victim organization or targeted service has been identified, suggesting this is an aggregated credential list.
Date: 2026-04-18T22:28:58Z
Network: openweb
Published URL: https://crackingx.com/threads/72522/
Screenshots:
None
Threat Actors: Daxus
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of LMS KEMKES (Indonesian Ministry of Health Learning Management System) Database
Category: Data Leak
Content: A threat actor operating under the alias BabayoErorSystem has freely shared a database allegedly obtained from the official LMS (Learning Management System) of Indonesia’s Ministry of Health (KEMKES). The leaked data reportedly contains user data, CV data, and records related to Coaching & Mentoring cancellation requests and Learning cancellation requests. The actor claims the dataset contains millions of records and has distributed an initial sample to the community.
Date: 2026-04-18T22:21:23Z
Network: openweb
Published URL: https://breached.st/threads/data-base-lms-kemkes-pencapaian-peserta-2-2-milliond.86080/unread
Screenshots:
None
Threat Actors: BabayoErorSystem
Victim Country: Indonesia
Victim Industry: Government – Healthcare
Victim Organization: Kementerian Kesehatan (Ministry of Health Indonesia)
Victim Site: lms-kemkes.go.id
- Alleged Data Leak of Multiple German Web Hosting Registrars Including Axmir and Associated Domains
Category: Data Leak
Content: Threat actors NormalLeVrai and Near claim to have gained unauthorized access to the Axmir web hosting panel and five associated German registrar domains, exfiltrating over 7.2 million database records and 18.2 GB of compressed source code. The breach extended to 13 subdomains, two of which were defaced. The stolen data and source code have been made available for free download via Gofile.
Date: 2026-04-18T22:20:52Z
Network: openweb
Published URL: https://breached.st/threads/german-registar-7m-lines-18go-src.86081/unread
Screenshots:
None
Threat Actors: NormalLeVrai
Victim Country: Germany
Victim Industry: Web Hosting / Domain Registrar
Victim Organization: Axmir and associated registrars
Victim Site: axmir.xyz
- Alleged data breach of Indonesian Ministry of Health (Kemkes) LMS with 2.2 Million Records
Category: Data Breach
Content: A threat actor is sharing what appears to be a database from the Indonesian Ministry of Health (Kemkes) Learning Management System (LMS), allegedly containing 2.2 million participant/user records. The data is being distributed via breached.st forum.
Date: 2026-04-18T22:14:25Z
Network: telegram
Published URL: https://t.me/c/3865526389/505
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Government / Healthcare
Victim Organization: Kementerian Kesehatan (Kemkes) – Indonesian Ministry of Health
Victim Site: kemkes.go.id
- Alleged data leak of East Java Provincial Employee Data from TVRI SIMPEG System
Category: Data Leak
Content: Threat actor BABAYO EROR SYSTEM has leaked 6 files allegedly containing employee data from the Indonesian state broadcaster TVRI’s SIMPEG (employee information management system) at simpeg.tvri.go.id. The leaked files include employee training data, employee lists (DAFTAR PEGAWAI), employee monitoring records, assessment data, and other HR-related documents. The files are shared for free and are dated April 19, 2026. The actor claims the data pertains to East Java provincial employees.
Date: 2026-04-18T22:08:04Z
Network: telegram
Published URL: https://t.me/c/3865526389/498
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Broadcasting / Government Media
Victim Organization: TVRI (Televisi Republik Indonesia)
Victim Site: simpeg.tvri.go.id
- Alleged sale of mail access, credential hits, and hacking tools by D4RCKMAGICIAN
Category: Initial Access
Content: A threat actor operating under the handle @D4RCKMAGICIAN is advertising mail access for multiple countries including France, Belgium, Australia, Canada, UK, US, Netherlands, Poland, Germany, and Japan. The offering includes configs/scripts, tools, credential hits/combos, and accepts custom requests. This represents a multi-service cybercrime offering focused on compromised email account access and credential materials.
Date: 2026-04-18T21:42:53Z
Network: telegram
Published URL: https://t.me/c/2613583520/65257
Screenshots:
None
Threat Actors: D4RCKMAGICIAN
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of social and shopping education sector combolist
Category: Combo List
Content: A threat actor operating under the handle HQcomboSpace has made available a combolist containing approximately 145,183 lines of credentials on a cracking forum. The leak is described as targeting social, shopping, and education sector accounts, labeled as HQ suggesting high-quality or recently verified credentials. The combolist was shared via a Mega.nz file link with no payment requirement indicated.
Date: 2026-04-18T21:29:13Z
Network: openweb
Published URL: https://crackingx.com/threads/72519/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias RandomUpload has made available a combolist allegedly containing 17,000 fresh Hotmail credentials on the cracking forum CrackingX. The post offers the credential list as a free download, though the actual content is restricted to registered forum users. The origin and validity of the credentials remain unverified.
Date: 2026-04-18T21:28:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72520/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as Jelooos has shared an alleged combolist of approximately 1,200 validated Hotmail credentials on the cracking forum CX – Combolists & Dumps. The post is described as Full Hit Valid, suggesting the credentials have been verified as active. The full content requires forum registration or sign-in to access.
Date: 2026-04-18T21:10:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72518/
Screenshots:
None
Threat Actors: Jelooos
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mail access combolist with 6,105 credential pairs
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist containing 6,105 email access credential pairs on the cracking forum CrackingX. The post offers a free download of the list, which is described as containing valid mail access combinations. No specific victim organization or country has been identified.
Date: 2026-04-18T20:51:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72517/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of stealer logs and credential combolists
Category: Logs
Content: A threat actor operating under the alias watercloud has made available stealer logs and a ULP (URL:Login:Password) combolist via Pixeldrain file-sharing links on a dark web forum. The data is freely accessible using a shared password and likely contains credentials harvested from infostealer malware infections. No specific victim organization or country has been identified.
Date: 2026-04-18T20:44:14Z
Network: openweb
Published URL: https://darkforums.su/Thread-%E2%AD%90%E2%AD%90%E2%AD%90-STEALER-LOGS-AND-U-L-P-18-04-2026
Screenshots:
None
Threat Actors: watercloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Hitiya by CYKOMNEPAL
Category: Defacement
Content: The threat actor CYKOMNEPAL defaced a product page on hitiya.com, targeting the URL hitiya.com/shopView/134. The attack was a single-page defacement rather than a mass or home page defacement. No specific motivation or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-18T20:36:06Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/891168
Screenshots:
None
Threat Actors: CYKOMNEPAL
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: Hitiya
Victim Site: hitiya.com
- Alleged leak of Hotmail credential combolist with forum validity
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist of approximately 40,000 Hotmail email credentials on the cracking forum CrackingX. The post claims the credentials have been validated against forum platforms. The content requires registration or sign-in to access, suggesting it is gated but likely available for free to registered members.
Date: 2026-04-18T20:31:25Z
Network: openweb
Published URL: https://crackingx.com/threads/72515/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged cyber attack on Health Information System of Lao PDR by Keymous
Category: Cyber Attack
Content: Threat actor Keymous posted a message targeting the Health Information System of the Lao PDR (ລະບົບຂໍ້ມູນຂ່າວສານດ້ານສຸຂະພາບ ສປປລາວ), a government health IT system. A follow-up message indicates the previously shared access or data was sold. The post is associated with the Keymous hacking group operating under the #Elite_Network banner.
Date: 2026-04-18T20:30:39Z
Network: telegram
Published URL: https://t.me/c/2588114907/1121
Screenshots:
None
Threat Actors: Keymous
Victim Country: Laos
Victim Industry: Healthcare / Government
Victim Organization: Health Information System of Lao PDR
Victim Site: Unknown
- Alleged defacement of Brazilian Government cultural portals by Nullsec Philippines
Category: Defacement
Content: Hacktivist group Nullsec Philippines claims to have defaced multiple Brazilian government cultural mapping websites, including the federal Ministério da Cultura portal (mapa.cultura.gov.br) and several state/municipal cultural map portals across Brazil. Defacement pages were uploaded as stopwar.html or stopwar.txt files with an anti-war message. The attack appears to exploit a file upload vulnerability in the Mapas Culturais platform used across multiple Brazilian government entities.
Date: 2026-04-18T20:14:35Z
Network: telegram
Published URL: https://t.me/nullsechackers/912
Screenshots:
None
Threat Actors: Nullsec Philippines
Victim Country: Brazil
Victim Industry: Government
Victim Organization: Ministério da Cultura and multiple Brazilian state/municipal governments
Victim Site: mapa.cultura.gov.br
- Alleged data leak of legal documents and private communications by Anonymous For Justice
Category: Data Leak
Content: The hacktivist group Anonymous For Justice claims to have leaked documents allegedly exposing corruption within a judicial/priestly leadership structure. The disclosed materials purportedly include over ten thousand individuals’ legal case files, a list of lawyers with access to private citizen data, and thousands of recorded private conversations. The group frames this as part of ongoing operations (#OpIsrael, #OpUSA) and states further disclosures are forthcoming. A file-sharing link is provided for access to the leaked materials.
Date: 2026-04-18T20:11:45Z
Network: telegram
Published URL: https://t.me/c/2029743630/92
Screenshots:
None
Threat Actors: Anonymous For Justice
Victim Country: Israel
Victim Industry: Legal / Judiciary
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email credentials via PandaCloud service
Category: Combo List
Content: A threat actor operating under the name PandaCloud has made available a collection of mixed email credential combolists via a Telegram channel and a file-sharing link. The post claims fresh email account credentials are added daily and that all entries are current and valid. The leaked data appears to be a compiled mix of email credentials from various sources with no specific victim organization identified.
Date: 2026-04-18T20:11:40Z
Network: openweb
Published URL: https://crackingx.com/threads/72513/
Screenshots:
None
Threat Actors: Kokos2846q
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Hotmail Credential Checker Tool Advertised on Cracking Forum
Category: Initial Access
Content: A threat actor operating under the alias Vows is advertising a proxyless Hotmail credential checking tool on the cracking forum CrackingX. The tool allegedly supports four APIs and includes an inbox search feature, enabling users to validate and access compromised Hotmail accounts. The service is hosted at vows.solutions.
Date: 2026-04-18T20:11:34Z
Network: openweb
Published URL: https://crackingx.com/threads/72514/
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of 11 million URL:Login:Password stealer logs (ULP combolist)
Category: Combo List
Content: A threat actor known as mr_daadaa has made available a combolist containing approximately 11 million URL:Login:Password (ULP) credential pairs via a free MediaFire download link. The data is claimed to be derived from infostealer logs and is described as fresh, dated April 18, 2026. No specific victim organization or country is identified, as the credentials likely span multiple sites and regions.
Date: 2026-04-18T19:52:29Z
Network: openweb
Published URL: https://crackingx.com/threads/72512/
Screenshots:
None
Threat Actors: mr_daadaa
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Sensitive NBN Co Network Infrastructure Data from Queensland Operations
Category: Data Breach
Content: A threat actor identified as RubiconH4ck is selling 306 GB of alleged sensitive operational data from NBN Co’s HFC and FTTC network infrastructure projects across multiple Queensland regions. The dataset purportedly includes detailed network maps, cable routes, equipment specifications, field inspection reports, drilling reports, performance test results, and as-built documentation from the 2017–2020 period. The seller is asking $5,000 USD for the data and can be contacted via Telegram.
Date: 2026-04-18T19:45:51Z
Network: openweb
Published URL: https://breached.st/threads/sensitive-australian-nbn-network-infrastructure-data.86072/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: Australia
Victim Industry: Telecommunications
Victim Organization: NBN Co (National Broadband Network)
Victim Site: nbnco.com.au
- Alleged sale of Ukraine gas reserves database
Category: Data Breach
Content: A threat actor operating under the alias RubiconH4ck is selling an alleged 6.3TB database containing sensitive data related to Ukraine’s gas reserves, covering the period 2018 to 2025. The dataset reportedly includes documents, system data, driver data, and bonus login access credentials. The seller is asking $5,000 (negotiable) and can be contacted via Telegram.
Date: 2026-04-18T19:45:20Z
Network: openweb
Published URL: https://breached.st/threads/6-3tb-gas-reserves-ukraine-data.86073/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: Ukraine
Victim Industry: Energy
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Tu Taxi Amigo Ecuador Transportation App Database with SQLi Vulnerability Disclosure
Category: Combo List
Content: A threat actor known as potato26 has freely leaked a database dump from Tu Taxi Amigo, a popular transportation app in Ecuador, containing approximately 25,000 records. The leaked data includes customer personally identifiable information, credit card and payment method details, driver credentials, and admin panel login credentials for multiple administrator accounts. The actor also disclosed a SQL injection vulnerability affecting the backend API endpoint at backend.tutaxiambato.com, along wi
Date: 2026-04-18T19:31:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72510/
Screenshots:
None
Threat Actors: potato26
Victim Country: Ecuador
Victim Industry: Transportation
Victim Organization: Tu Taxi Amigo
Victim Site: tutaxiambato.com
- Alleged leak of credential logs distributed via cloud hosting
Category: Combo List
Content: A threat actor operating under the alias NEW_DAISYCLOUD has made available a collection of 5,761 stealer logs via a Pixeldrain file hosting link. The logs, branded as DAISY CLOUD and dated April 18, appear to contain fresh credential data. No specific victim organization or country has been identified, suggesting the logs likely aggregate credentials from multiple sources.
Date: 2026-04-18T19:31:37Z
Network: openweb
Published URL: https://crackingx.com/threads/72511/
Screenshots:
None
Threat Actors: NEW_DAISYCLOUD
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Tu Taxi Amigo Ecuador Transportation App Database with SQLi Exploit
Category: Data Leak
Content: A threat actor known as potato26 has freely shared a database dump and SQL injection exploit for the Tu Taxi Amigo transportation app, a popular ride-hailing service in Ecuador. The leaked data includes approximately 25,000 records containing customer personal information, payment and credit card details, driver credentials, and admin panel credentials for multiple city administrators. The post also discloses an exploitable SQLi vulnerability in the application’s API endpoint at backend.tutaxi
Date: 2026-04-18T19:27:38Z
Network: openweb
Published URL: https://xforums.st/threads/free-sqli-database-for-the-tu-taxi-amigo-ecuador-transportation-app.608851/
Screenshots:
None
Threat Actors: potato26
Victim Country: Ecuador
Victim Industry: Transportation
Victim Organization: Tu Taxi Amigo
Victim Site: tutaxiambato.com
- Alleged cyber threat announcement by 313 Team targeting corporations, banks, and government infrastructure
Category: Cyber Attack
Content: The 313 Team, affiliated with Beamed.SU (a DDoS/attack-for-hire service), issued a message announcing a promotional discount while explicitly threatening to target larger corporations, banks, and government infrastructure. The post is signed by handle @thefergieferg and contains geopolitical messaging referencing Palestine and Iran. The group signals escalating ambitions in their attack campaigns.
Date: 2026-04-18T19:17:07Z
Network: telegram
Published URL: https://t.me/xX313XxTeam/1004
Screenshots:
None
Threat Actors: 313 Team
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Austrian email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has shared a combolist containing approximately 121,000+ email:password credential pairs allegedly associated with Austrian accounts. The list is described as fresh and high quality and is made available via a hidden download link on the forum. The actor also promotes additional credential content through a Telegram channel at t.me/elite_cloud1.
Date: 2026-04-18T19:13:25Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-121-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Austria-%E2%9C%AA-18-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Austria
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Australian email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 84,000 email address and password credential pairs purportedly associated with Australian users. The post claims the credentials are fresh and high quality, and directs users to a Telegram channel (@elite_cloud1) for additional credential lists. No specific organization or breach source has been identified.
Date: 2026-04-18T19:12:49Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-84-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Australia-%E2%9C%AA-18-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Australia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Argentine email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 70,000 email:password credential pairs associated with Argentine users. The list is described as fresh and high quality and is being distributed freely via a hidden content link on the forum and a Telegram channel (@elite_cloud1). No specific victim organization or platform has been identified.
Date: 2026-04-18T19:12:11Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-70-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Argentina-%E2%9C%AA-18-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Argentina
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of RDP Access on Azure, AWS, and DigitalOcean Cloud Infrastructure
Category: Initial Access
Content: A threat actor is offering RDP access for rental on a daily or monthly basis across major cloud providers including Azure, AWS, and DigitalOcean at $200. The offering includes fresh RDP with clean IPs, domain mail, Gmail, Yahoo accounts, domain access, and GitHub Student accounts. The listing is marketed for inbox/spam operations and claims limited stock with escrow available.
Date: 2026-04-18T19:11:33Z
Network: telegram
Published URL: https://t.me/c/2613583520/65206
Screenshots:
None
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Belgian email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 71,000 email and password credential pairs associated with Belgian users. The list is described as fresh and high quality, suggesting recently harvested or verified credentials. The post directs users to a Telegram channel (@elite_cloud1) for additional credential lists.
Date: 2026-04-18T19:11:28Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-71-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Belgium-%E2%9C%AA-18-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Belgium
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Bangladesh credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has shared a combolist of approximately 17,000+ email:password credential pairs allegedly associated with Bangladesh. The credentials are described as fresh and high quality and are made available via a hidden content link requiring forum registration. The actor promotes additional credential logs through a Telegram channel linked to Elite_Cloud1.
Date: 2026-04-18T19:10:34Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-17-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Bangladesh-%E2%9C%AA-18-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Bangladesh
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Bolivian credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 11,000 email and password credential pairs allegedly associated with Bolivian users. The list is described as fresh and high quality and is shared via a hidden download link on DemonForums. The actor also promotes a Telegram channel (elite_cloud1) for additional credential leaks.
Date: 2026-04-18T19:09:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-11-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Bolivia-%E2%9C%AA-18-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Bolivia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Belarusian email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 11,000 email address and password credential pairs allegedly sourced from Belarus. The list is described as fresh and high quality and is offered as hidden content on the forum, with additional credential lists promoted via a Telegram channel (@elite_cloud1). No specific victim organization or domain has been identified.
Date: 2026-04-18T19:08:55Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-11-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Belarus-%E2%9C%AA-18-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Belarus
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of German domain credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 1.17 million credential entries targeting German (.de) domains. The combolist was shared freely via a Mega.nz file hosting link on the CrackingX forum. The leak appears to be a compilation of email and password pairs associated with German domain accounts.
Date: 2026-04-18T19:08:34Z
Network: openweb
Published URL: https://crackingx.com/threads/72509/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 172K mixed credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist containing approximately 172,000 email and password credential pairs described as high-quality and valid. The content is shared via a hidden link on a cybercrime forum, with the actor also promoting related services including spamming, credential dumping, and cracking tools via Telegram. No specific victim organization or targeted platform has been identified.
Date: 2026-04-18T18:46:00Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-172K-Mixed-VALID-HQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 260,000 Canadian email credentials combolist
Category: Combo List
Content: A threat actor known as el_capitan has made available a combolist of approximately 260,000 Canadian email and password combinations on DemonForums, described as semi-private and good quality. The post is hidden behind a registration or login wall, suggesting limited but not exclusive access. The actor also promotes services including HQ combos, spamming, dumping, and cracking tools via Telegram.
Date: 2026-04-18T18:45:21Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-260K-CANADA-Semi-Private-Good-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 550,000 Steam user credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a claimed 550,000-entry targeted combolist of Steam user credentials in username:password format on DemonForums. The content is hidden behind a registration or login wall, and the actor promotes additional services including spamming, dumping, and cracking tools via Telegram channels. The origin of the credentials and whether they result from a direct breach of Steam or aggregation from third-party sources is unverified.
Date: 2026-04-18T18:44:38Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-550K-STEAM-Targeted-User-Pass-UHQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Steam
Victim Site: store.steampowered.com
Alleged leak of 45,000 email credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias TeraCloud1 has made available a combolist containing approximately 45,000 allegedly valid email credentials on a cybercrime forum. The post is behind a registration or login wall, limiting full visibility into the scope and origin of the data. No specific victim organization, industry, or country has been identified from the available post content.
Date: 2026-04-18T18:43:44Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-45K-VALID-MAIL-ACCESS–200875
Screenshots:
None
Threat Actors: TeraCloud1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 1 million French email credentials combolist
Category: Combo List
Content: A threat actor using the alias el_capitan has made available a combolist claimed to contain 1 million email and password combinations associated with French users. The content is hidden behind a registration or login requirement on the forum. The actor also advertises services including spamming, dumping, and cracking tools via Telegram channels.
Date: 2026-04-18T18:43:02Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1M-FRANCE-Fresh-UHQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 1 million Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available an alleged combolist containing approximately 1 million Gmail email and password combinations, described as high quality and fresh. The post is hosted on DemonForums and the actor advertises additional services including spamming, dumping, and cracking tools via a Telegram channel and group.
Date: 2026-04-18T18:42:16Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1M-GMAIL-High-Quality-Fresh-Combolist-Good-For-All
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged leak of mixed email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias StrawHatBase has made available a combolist containing approximately 24,000 email and password combinations on DemonForums. The post is gated behind forum registration or login, suggesting it is shared freely to registered members. The origin, targeted services, or affected organizations of the credentials are not specified.
Date: 2026-04-18T18:41:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-24K-MAIL-ACCESS-MIX
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of large-scale URL-login-password credential combolist
Category: Combo List
Content: A threat actor on CrackingX is distributing a 300GB collection of URL-login-password (ULP) combolists in TXT format. The offering includes access to an online search tool to query credentials without downloading the full dataset, auto-updates, and the ability to filter results by country. The combolists appear to be compiled from browser history and stealer logs, covering multiple countries and containing fresh as well as historical credentials.
Date: 2026-04-18T18:40:39Z
Network: openweb
Published URL: https://crackingx.com/threads/72508/
Screenshots:
None
Threat Actors: Mustukaral
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of USA fullz database containing 71,367 records with PII and identity documents
Category: Data Breach
Content: A threat actor operating under the alias hexvior is selling a database of 71,367 fullz records on US individuals, containing SSN, full name, address, phone, email, driver's license, and SSN photocopies. The seller is pricing the data via direct message and is contactable through multiple Telegram channels. No specific source organization or breach origin has been disclosed.
Date: 2026-04-18T18:30:51Z
Network: openweb
Published URL: https://breached.st/threads/fresh-usa-fullz-for-sale.86070/unread
Screenshots:
None
Threat Actors: hexvior
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Taif Municipality Portal in Saudi Arabia
Category: Data Breach
Content: A threat actor identified as RubiconH4ck is allegedly selling 12.3 GB of data exfiltrated from the Taif Municipality e-government portal in Saudi Arabia. The dataset reportedly contains Saudi National ID scans with full personal details, building certifications signed by municipal officials, and structural site plans including villa floorplans and surveyor documents. The data is being offered for $5,000 via Telegram contact.
Date: 2026-04-18T18:30:02Z
Network: openweb
Published URL: https://breached.st/threads/saudi-arabia-gov-breach-taif-municipality-portal.86069/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: Saudi Arabia
Victim Industry: Government
Victim Organization: Taif Municipality
Victim Site: taifcity.gov.sa
Alleged Data Breach of Hutchinson Builders with 71GB of Confidential Construction Data
Category: Data Breach
Content: A threat actor identified as RubiconH4ck is selling 71GB of alleged confidential data extracted from Hutchinson Builders' internal portal for $10,000 USD in Bitcoin. The data purportedly includes geotechnical reports, structural blueprints, construction specifications, planning and coordination documents, and safety and risk registers from multiple construction projects. The seller is contactable via Telegram and Twitter, with payment accepted only through anonymous cryptocurrency wallets.
Date: 2026-04-18T18:29:29Z
Network: openweb
Published URL: https://breached.st/threads/71gb-of-sensitive-hutchinson-builders-construction-data.86071/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: Australia
Victim Industry: Construction
Victim Organization: Hutchinson Builders
Victim Site: hutchinsonbuilders.com.au
Alleged sale of French personal data
Category: Data Breach
Content: A threat actor operating under the alias ARPANET744 is selling a dataset allegedly containing French personal data, comprising 200 data entries spread across 300 million lines. The seller is offering the data for a price range of $500 to $1,000 and can be contacted via Telegram. No specific victim organization or source has been identified.
Date: 2026-04-18T18:27:45Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-French-data
Screenshots:
None
Threat Actors: ARPANET744
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of METRO Pakistan Exposing 1 Million+ Customer and Transaction Records
Category: Data Breach
Content: A threat actor operating under the alias xklahadore is selling a database dump allegedly obtained from METRO Pakistan, a major wholesale retailer with operations across Lahore, Karachi, Islamabad, Multan, and Faisalabad. The dataset reportedly contains 425,000+ individual records including names, email addresses, phone numbers, dates of birth, and physical addresses, as well as 611,000+ transaction and order records. The exposed data includes both customer guest accounts and internal Super-Adm
Date: 2026-04-18T18:26:38Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Metro-Pakistan-Data-Breach-1-million-records
Screenshots:
None
Threat Actors: xklahadore
Victim Country: Pakistan
Victim Industry: Retail & Wholesale
Victim Organization: METRO Pakistan
Victim Site: metro.com
Alleged Data Breach of Colombia Ministry of Interior Civic Participation School Platform
Category: Data Breach
Content: Threat actors NyxarGroup, ArcRaidersPlayer, and Petro_Escobar are selling a database dump from the Colombian Ministry of Interior's civic participation e-learning platform (Moodle-based). The exposed data includes user profiles containing full names, email addresses, phone numbers, geographic information (city, department, municipality), age range, gender, disability categories, course enrollment details, and site access timestamps. The breach affects Colombian citizens registered on the governm
Date: 2026-04-18T18:25:53Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-CO-ESCUELADEPARTICIPACION-MININTERIOR-GOV-CO
Screenshots:
None
Threat Actors: NyxarGroup
Victim Country: Colombia
Victim Industry: Government
Victim Organization: Ministerio del Interior de Colombia – Escuela de Participación Ciudadana
Victim Site: escueladeparticipacion.mininterior.gov.co
Alleged Data Breach of Japan Golf Company (itoboriusa.com) Exposing 1.7M+ Records
Category: Data Breach
Content: A threat actor operating under the alias logggedout is allegedly selling a database containing over 1.7 million records sourced from itoboriusa.com, attributed to Japan Golf Company. The dataset, reportedly breached on April 17, 2026, contains detailed order and customer records including full names, postal addresses, phone numbers, email addresses, payment methods, and order details. Sample records indicate the data originates from Amazon Japan and Yahoo Shopping marketplace transactions, exp
Date: 2026-04-18T18:25:13Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Japan-Golf-Company-1-7M
Screenshots:
None
Threat Actors: logggedout
Victim Country: Japan
Victim Industry: Retail – Sporting Goods
Victim Organization: Japan Golf Company
Victim Site: itoboriusa.com
Alleged Sale of Smart Card Middleware Software Belonging to IN Groupe (Imprimerie Nationale)
Category: Data Breach
Content: A threat actor on DarkForums is selling proprietary Smart Card Middleware Desktop software allegedly obtained from IN Groupe, the French state-owned entity responsible for issuing high-security identity documents. The software reportedly includes modules for smart card management with HID Global OMNIKEY hardware integration, certificate store access, and key lifecycle management for encryption and digital signatures. The seller claims this provides insight into the internal secure document infra
Date: 2026-04-18T18:24:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-FR-Imprimerie-Nationale-Group
Screenshots:
None
Threat Actors: breach3d
Victim Country: France
Victim Industry: Government
Victim Organization: IN Groupe (Imprimerie Nationale)
Victim Site: ingroupe.com
Alleged sale of OSINT report on Saddam Hussein's properties, relatives, and global assets
Category: Data Breach
Content: A threat actor known as rSosa is allegedly selling an exclusive OSINT (Open Source Intelligence) report containing information about Saddam Hussein, including details on properties, relatives, and global assets. The report appears to be a compiled intelligence dossier targeting the deceased former Iraqi leader and his associated network. No further details regarding pricing or data volume are available from the post.
Date: 2026-04-18T18:23:28Z
Network: openweb
Published URL: https://darkforums.su/Thread-WTS-EXCLUSIVE-OSINT-REPORT-Saddam-Hussein-Properties-Relatives-Global-Assets
Screenshots:
None
Threat Actors: rSosa
Victim Country: Iraq
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Alpha Communication by QATAR911
Category: Defacement
Content: On April 19, 2026, a threat actor operating under the alias QATAR911 defaced a subdirectory of the Alpha Communication website. The attack was a targeted single-site defacement, with no mass or repeated defacement indicators noted. The attacker's motivation and exploitation method remain undisclosed.
Date: 2026-04-18T18:22:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/888772
Screenshots:
None
Threat Actors: QATAR911
Victim Country: Qatar
Victim Industry: Telecommunications / Communications
Victim Organization: Alpha Communication
Victim Site: www.alpha-communication.com
Alleged Data Leak of Cambodian Online Education Platform i-learner.com.kh
Category: Data Leak
Content: A threat actor operating under the alias blackwinter99 has leaked a 240MB SQL and CSV database dump belonging to i-learner.com.kh, a Cambodian online education platform. The exposed data includes student member records containing usernames, hashed passwords, email addresses, phone numbers, dates of birth, school and class identifiers, and personal details such as names and gender. The database appears to contain records of minors and was made available for free download on a dark web forum.
Date: 2026-04-18T18:21:39Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Cambodia-Online-education-website-i-learner-com-kh
Screenshots:
None
Threat Actors: blackwinter99
Victim Country: Cambodia
Victim Industry: Education
Victim Organization: i-Learner
Victim Site: i-learner.com.kh
Alleged Data Breach of Indian Fashion Retail Company Exposing 4 Million Records
Category: Data Breach
Content: A threat actor operating under the alias Gohansan on a darknet forum is allegedly selling a database dump containing data on approximately 4 million customers from an unnamed Indian fashion retail company. The post references a data dump associated with the company's customer records. The victim organization has not been specifically identified in the post.
Date: 2026-04-18T18:20:57Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-4M-India-Fashion-Retail-Company
Screenshots:
None
Threat Actors: Gohansan
Victim Country: India
Victim Industry: Fashion Retail
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of BitMart Crypto Exchange Email Database
Category: Data Leak
Content: A threat actor known as Pijush510 has made available an alleged database associated with BitMart, a cryptocurrency exchange, containing approximately 657,000 email records. The data is being freely distributed via a file-sharing link on pixeldrain. The post does not mention a price, indicating this is a free leak rather than a commercial sale.
Date: 2026-04-18T18:20:13Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-657K-Bitmart-Crypto-Email-Database
Screenshots:
None
Threat Actors: Pijush510
Victim Country: Unknown
Victim Industry: Cryptocurrency / Financial Services
Victim Organization: BitMart
Victim Site: bitmart.com
Alleged leak of Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub has made available a combolist purportedly containing over 100,000 Gmail credentials on the cracking forum CrackingX. The post is gated behind registration, limiting full visibility into the data's authenticity or origin. The credentials are shared in the Combolists & Dumps section, suggesting an email:password format.
Date: 2026-04-18T18:05:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72506/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged Data Breach of Serena Postel Training Participant Database
Category: Data Breach
Content: A threat actor operating under the alias BabayoErorSystem is selling an alleged database from serena.postel.go.id, an Indonesian government portal. The database reportedly contains 15,677 records of training participants including fields such as national ID (NIK), tax ID (NPWP), full name, email, date of birth, phone number, address, religion, occupation, and regional data. The database is being offered for sale at $100.
Date: 2026-04-18T17:41:12Z
Network: openweb
Published URL: https://breached.st/threads/data-base-peserta-latihan-serena-postel-go-id-15-677-thousand.86068/unread
Screenshots:
None
Threat Actors: BabayoErorSystem
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Serena Postel
Victim Site: serena.postel.go.id
Alleged leak of education domain credential combolist
Category: Combo List
Content: A threat actor known as HQcomboSpace has made available a combolist containing approximately 110,271 credential pairs associated with education (.edu) domains. The combolist was shared via a Mega.nz file link on a cracking forum. The specific institutions or countries affected are not identified in the post.
Date: 2026-04-18T17:27:43Z
Network: openweb
Published URL: https://crackingx.com/threads/72502/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor known as KiwiShio has made available a combolist of approximately 730 Hotmail credentials on the cracking forum CrackingX. The post offers a free download of what is claimed to be fresh, high-quality email and password combinations. No price or payment method was mentioned, indicating this is a free leak rather than a sale.
Date: 2026-04-18T17:27:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72503/
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of mixed email credentials combolist with Hotmail hits
Category: Combo List
Content: A threat actor known as alphaxdd has made available a combolist containing 4,460 claimed valid email credentials described as premium mix mail hits, including Hotmail accounts. The data is offered as a free download on a cracking forum, with the actor promoting their Telegram handle alphaaxd for further contact. The post references private cloud storage and a mix of email providers.
Date: 2026-04-18T17:27:11Z
Network: openweb
Published URL: https://crackingx.com/threads/72504/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 63,000 mixed email access credentials
Category: Combo List
Content: A threat actor operating under the alias MailAccesss has shared a combolist of approximately 63,000 allegedly valid email access credentials on a cracking forum. The list is described as a MIX, suggesting credentials span multiple email providers or domains. The content is made available to registered forum users at no stated cost.
Date: 2026-04-18T17:26:52Z
Network: openweb
Published URL: https://crackingx.com/threads/72505/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of offensive hacking tools including Cobalt Strike via LulzSec Black CyberShop
Category: Malware
Content: A threat actor operating under LulzSec Black is advertising a shop selling multiple offensive/hacking tools including Cobalt Strike ($150), TargetFetcher ($65), CodeShieldPro ($35), an AI Vulnerability Analyzer ($45), and Diecat ($25). A giveaway promotion is tied to purchases, with winners receiving a free 1-month subscription to NetBot. Contact is via Telegram bot @CyberShop_contact_bot.
Date: 2026-04-18T17:09:18Z
Network: telegram
Published URL: https://t.me/c/2727439812/5806
Screenshots:
None
Threat Actors: LulzSec Black
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged defacement of Brazilian Government Cultural Ministry websites by Nullsec Philippines
Category: Defacement
Content: The hacktivist group Nullsec Philippines claims to have defaced multiple Brazilian government websites, primarily associated with cultural mapping platforms (Mapa Cultural) across several Brazilian states including Ceará, Paraná, Rio de Janeiro, Sergipe, Santa Catarina, Pará, Amapá, Espírito Santo, and Rio Grande do Norte. The defacement pages display "Hacked By Nullsec Philippines!! #StopWar" messaging, indicating a hacktivist motivation. The primary target appears to be the federal Ministério da Cultura (mapa.cultura.gov.br) along with numerous state and municipal cultural government portals.
Date: 2026-04-18T17:00:25Z
Network: telegram
Published URL: https://t.me/c/2590737229/912
Screenshots:
None
Threat Actors: Nullsec Philippines
Victim Country: Brazil
Victim Industry: Government
Victim Organization: Ministério da Cultura and multiple Brazilian state/municipal cultural government portals
Victim Site: mapa.cultura.gov.br
Website Defacement of Novo Banco by QATAR911
Category: Defacement
Content: On April 18, 2026, the threat actor QATAR911 defaced a web page associated with Novo Banco, a Portuguese banking institution. The attack was carried out via a compromised Chilean domain (sotek.cl) hosting a spoofed or injected path referencing novobanco.pt. This was a targeted single-site defacement, not part of a mass defacement campaign.
Date: 2026-04-18T16:59:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/888769
Screenshots:
None
Threat Actors: QATAR911
Victim Country: Portugal
Victim Industry: Banking and Financial Services
Victim Organization: Novo Banco
Victim Site: novobanco.pt
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias HollowKnight07 has made available a sample combolist of 745 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link, suggesting this is a sample release, potentially to attract attention or verify credential quality. The data likely consists of email and password pairs associated with Hotmail accounts.
Date: 2026-04-18T16:45:44Z
Network: openweb
Published URL: https://crackingx.com/threads/72497/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 836 alleged valid Hotmail credentials on a cracking forum. The post, which includes a link to an external paste site for download, claims the credentials are premium hits mixed with private cloud access. The actor also references a Telegram handle for further contact.
Date: 2026-04-18T16:45:20Z
Network: openweb
Published URL: https://crackingx.com/threads/72499/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of 32,000 German email account credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist of approximately 32,000 allegedly valid German email account credentials. The post, dated April 18, claims the credentials are fully valid mail access entries. The content is restricted to registered forum users.
Date: 2026-04-18T16:44:55Z
Network: openweb
Published URL: https://crackingx.com/threads/72501/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged data breach of Postel Indonesia (postel.go.id) – 15,677 Thousand Records
Category: Data Breach
Content: A threat actor has shared or listed a database allegedly belonging to postel.go.id, an Indonesian government postal/telecommunications training portal. The post on breached.st claims to contain data of 15,677 thousand training participants (peserta latihan). The exact nature of the data fields is not specified in the message.
Date: 2026-04-18T16:44:13Z
Network: telegram
Published URL: https://t.me/c/3865526389/495
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Government / Telecommunications Regulation
Victim Organization: Postel Indonesia
Victim Site: postel.go.id
- Alleged cyber attack on Honduras Integrated Health Information System (SIIS) by Keymous+
Category: Cyber Attack
Content: Threat actor group Keymous+ claims an attack against Honduras's Integrated Health Information System (Sistema Integrado de Información en Salud). The post lacks technical details but is consistent with the group's pattern of targeting government and critical infrastructure systems.
Date: 2026-04-18T16:23:21Z
Network: telegram
Published URL: https://t.me/KeymousTG/1119
Screenshots:
None
Threat Actors: Keymous+
Victim Country: Honduras
Victim Industry: Healthcare / Government
Victim Organization: Sistema Integrado de Información en Salud (SIIS)
Victim Site: Unknown
- Alleged leak of mixed Hotmail credentials and combolist
Category: Combo List
Content: A threat actor operating under the alias noir has made available a combolist allegedly containing 2,436 valid mixed credentials, with specific mention of Hotmail accounts and private cloud access. The content is shared on the crackingx.com forum and promoted via Telegram handle @NoirAccesss. No price is mentioned, suggesting the credentials are being freely distributed to registered forum members.
Date: 2026-04-18T16:03:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72496/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged defacement of Indonesian government portal info-dev.layanan.go.id
Category: Defacement
Content: Threat actor posted a photo allegedly showing a defacement of the Indonesian government website at https://info-dev.layanan.go.id/forum/show/13. The domain layanan.go.id is an official Indonesian government service portal.
Date: 2026-04-18T16:02:59Z
Network: telegram
Published URL: https://t.me/c/3865526389/493
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Indonesian Government (layanan.go.id)
Victim Site: info-dev.layanan.go.id
- Alleged cyber attack on University of Burgundy by LunarisSec
Category: Cyber Attack
Content: The threat actor group LunarisSec, apparently Algeria-affiliated, claims to have attacked the University of Burgundy in France. The post includes a photo as proof and links to an X (Twitter) post. The group uses signature messaging typical of hacktivist operations.
Date: 2026-04-18T15:46:41Z
Network: telegram
Published URL: https://t.me/c/3733257070/46
Screenshots:
None
Threat Actors: LunarisSec
Victim Country: France
Victim Industry: Education
Victim Organization: University of Burgundy
Victim Site: Unknown
- Alleged cyber attack on Malaria Elimination Centre, Zambia by Keymous+
Category: Cyber Attack
Content: Threat actor group Keymous+ claims to have targeted the Malaria Elimination Centre in Zambia. The post includes channel links and hashtags consistent with their attack announcement pattern, though specific attack details (defacement, DDoS, breach) are not explicitly stated in the forwarded message.
Date: 2026-04-18T15:45:41Z
Network: telegram
Published URL: https://t.me/KeymousTG/1117
Screenshots:
None
Threat Actors: Keymous+
Victim Country: Zambia
Victim Industry: Healthcare / Public Health
Victim Organization: Malaria Elimination Centre
Victim Site: Unknown
- Alleged leak of mixed email access combolist across multiple countries
Category: Combo List
Content: A threat actor known as karaokecloud has made available a mixed combolist containing 11,395 email credentials on the cracking forum CrackingX. The combolist reportedly includes email access credentials from multiple countries. The data is being offered as a free download with no price mentioned.
Date: 2026-04-18T15:28:38Z
Network: openweb
Published URL: https://crackingx.com/threads/72495/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged defacement of giguy.net
Category: Defacement
Content: A defacement of giguy.net/blog.php has been claimed, with a photo posted as proof. The post credits multiple groups/individuals including DEFACER INDONESIA TEAM, BABAYO ERROR SYSTEM, AKATSUKI CYBER TEAM, ANONM_GHOST_TRACK, PASKO CYBER REXOR, and DREAM HACK.
Date: 2026-04-18T15:25:06Z
Network: telegram
Published URL: https://t.me/c/3841736872/275
Screenshots:
None
Threat Actors: DEFACER INDONESIA TEAM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: giguy.net
- Alleged cyber attack halted by target's rapid security response – 313 Team
Category: Cyber Attack
Content: The Iraqi Islamic cyber resistance group 313 Team announced that an ongoing attack was halted due to the target's rapid response and adjustments to their website's security measures. The post implies a prior offensive cyber operation (likely DDoS or similar) was conducted but ultimately countered by the victim's defenses.
Date: 2026-04-18T15:06:35Z
Network: telegram
Published URL: https://t.me/c/2250158203/1026
Screenshots:
None
Threat Actors: 313 Team
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Xcaret Group Customer and Transaction Records
Category: Data Leak
Content: A threat actor operating under the alias s1ethx7z has made available on Breached Forums what is claimed to be a database dump belonging to Xcaret, a Mexican tourism and entertainment group. The leaked data allegedly includes user information such as names, emails, company group, and status, as well as detailed transaction records including ticket images, property details, sale dates, transaction numbers, room numbers, guest names, and financial amounts charged. The data has been shared via Gof
Date: 2026-04-18T15:05:29Z
Network: openweb
Published URL: https://breached.st/threads/xcaret-xperienciasxcaret.86067/unread
Screenshots:
None
Threat Actors: s1ethx7z
Victim Country: Mexico
Victim Industry: Tourism & Hospitality
Victim Organization: Xcaret
Victim Site: xperienciasxcaret.com
- Alleged leak of Hotmail credential combolist with forum-validated accounts
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist of approximately 40,000 Hotmail email credentials on the crackingx.com forum. The post claims the accounts have been validated against forums, suggesting active and working credentials. The full content requires forum registration or sign-in to access.
Date: 2026-04-18T14:52:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72486/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged leak of education sector credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a free education-sector combolist via Telegram channels. The post directs users to Telegram groups (t.me/Combo445544 and t.me/Coder554455) where credential lists and related tools are shared at no cost. The specific victim organizations, record count, and origin of the credentials are unknown.
Date: 2026-04-18T14:51:45Z
Network: openweb
Published URL: https://crackingx.com/threads/72487/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential combolist (X1453 HQ Mix)
Category: Combo List
Content: A combolist referred to as X1453 HQ Mix, attributed to a threat actor operating under the alias Steveee36, has been shared on DemonForums by user erwinn91. The content is hidden behind a registration or login requirement, limiting visibility into the specific data included. No victim organization, country, or record count could be determined from the available post content.
Date: 2026-04-18T14:51:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9A%A1%E2%9A%A1-X1453-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Steveee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential combolist (X1453 HQ Mix)
Category: Combo List
Content: A threat actor using the alias @Steveee36 has made available a credential combolist titled X1453 HQ Mix as a free download on the crackingx.com forum. The post contains a download link but provides no additional details regarding the origin, targeted organizations, or specific record count. The combolist appears to be a mixed compilation of credentials of unspecified provenance.
Date: 2026-04-18T14:51:26Z
Network: openweb
Published URL: https://crackingx.com/threads/72488/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor operating under the alias NotSellerxd has made available a mixed email combolist containing approximately 5,555 or more credential entries on the cracking forum CrackingX. The post offers a free download of the combolist with no price or specific victim organization identified. The origin and composition of the credentials are unknown.
Date: 2026-04-18T14:51:13Z
Network: openweb
Published URL: https://crackingx.com/threads/72489/
Screenshots:
None
Threat Actors: NotSellerxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of AT&T targeted credential combolist
Category: Combo List
Content: A threat actor operating under the alias Ra-Zi has made available a targeted combolist of approximately 159,000 AT&T (att.net) email credentials in email:password format on a cybercrime forum. The post includes a hidden download link requiring forum registration and also advertises the sale of additional credential combolists covering multiple email providers and geographic regions via Telegram. The actor promotes associated cracking and credential-selling services through external channels.
Date: 2026-04-18T14:50:54Z
Network: openweb
Published URL: https://demonforums.net/Thread-159K-ATT-NET-TARGETED-COMBOLIST
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: United States
Victim Industry: Telecommunications
Victim Organization: AT&T
Victim Site: att.net
- Alleged leak of European Education and Shopping sector combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has shared a combolist containing approximately 161,636 lines of credentials on the cracking forum CrackingX. The data is claimed to target European education and shopping sectors. The combolist is being distributed freely via a Mega.nz file sharing link.
Date: 2026-04-18T14:50:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72490/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Europe
Victim Industry: Education, Retail
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor operating under the alias Lexser has made available a mixed-mail combolist containing approximately 8,400 credential pairs on a cracking forum. The post describes the list as fresh and UHQ (Ultra High Quality), suggesting recently obtained and likely valid credentials. The combolist was shared via an external paste service and targets multiple email providers.
Date: 2026-04-18T14:50:19Z
Network: openweb
Published URL: https://crackingx.com/threads/72491/
Screenshots:
None
Threat Actors: Lexser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email credential combolist by threat actor NightFall
Category: Combo List
Content: A threat actor operating under the alias NightFall has made available a mixed-email combolist containing approximately 3.3 million credential pairs via a paste sharing site. The combolist, described as fresh and UHQ (ultra-high quality), spans multiple email providers and domains. No specific victim organization or targeted service has been identified.
Date: 2026-04-18T14:49:52Z
Network: openweb
Published URL: https://crackingx.com/threads/72492/
Screenshots:
None
Threat Actors: NightFall
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 11,000 mixed valid access credentials
Category: Logs
Content: A threat actor operating under the alias Cir4Dk has made available an alleged combolist containing approximately 11,000 mixed valid access credentials on the XF Mail Access & Combolists forum. The list is described as high quality (HQ) with valid entries across multiple unspecified services or platforms. No victim organization, country, or industry has been identified from the available post content.
Date: 2026-04-18T14:46:55Z
Network: openweb
Published URL: https://xforums.st/threads/11k-mixed-valid-access-hq-list.608824/
Screenshots:
None
Threat Actors: Cir4Dk
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged defacement of ppdi.co.in by SILENT ERROR SYSTEM and affiliated groups
Category: Defacement
Content: A defacement attack was carried out against ppdi.co.in. The post includes a photo as proof and credits multiple groups: DEFACER INDONESIA TEAM, BABAYO ERROR SYSTEM, AKATSUKI CYBER TEAM, ANONM_GHOST_TRACK, PASKO CYBER REXOR, and DREAM HACK.
Date: 2026-04-18T14:39:43Z
Network: telegram
Published URL: https://t.me/c/3841736872/274
Screenshots:
None
Threat Actors: SILENT ERROR SYSTEM
Victim Country: India
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: ppdi.co.in
- Alleged initial access credentials leaked for Sidoarjo Regency Government Portal (Indonesia)
Category: Initial Access
Content: A post shared login credentials (username: [redacted], password: [redacted]) for the Sidoarjo Regency Government's RDS portal at rds.sidoarjokab.go.id, labeled as Vuln Access, suggesting exposed or compromised government system credentials.
Date: 2026-04-18T14:36:29Z
Network: telegram
Published URL: https://t.me/CinCauGhast405/68
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Sidoarjo Regency Government
Victim Site: rds.sidoarjokab.go.id
- Alleged Data Breach of Bol.com Exposing 400,000 Belgian Customer Records
Category: Data Breach
Content: A threat actor is selling an alleged database dump of Bol.com, the largest online marketplace in Belgium and the Netherlands, containing approximately 400,000 customer records. The dataset includes extensive personally identifiable information such as customer IDs, full names, email addresses, phone numbers, dates of birth, national ID numbers, and detailed shipping and order data. The actor is offering the data for a negotiable price via Telegram and Session, accepting escrow or trusted middlem
Date: 2026-04-18T14:28:49Z
Network: openweb
Published URL: https://breached.st/threads/400k-belgium-bol-com-pii-dataset-that-includes-username-email-phone.86065/unread
Screenshots:
None
Threat Actors: Jeffrey Epstein
Victim Country: Belgium
Victim Industry: E-Commerce
Victim Organization: Bol.com
Victim Site: bol.com
- Alleged XSS Attack on lepassagetoindia.com by DEWATA BLACKHAT
Category: Vulnerability
Content: Threat actor DEWATA BLACKHAT claims to have successfully executed a Cross-Site Scripting (XSS) attack against lepassagetoindia.com. A proof URL is shared demonstrating a reflected XSS payload injected via the search parameter, displaying an alert with HACKED BY DEWATA BLACKHAT.
Date: 2026-04-18T14:23:22Z
Network: telegram
Published URL: https://t.me/c/3841736872/273
Screenshots:
None
Threat Actors: DEWATA BLACKHAT
Victim Country: India
Victim Industry: Travel & Hospitality
Victim Organization: Le Passage to India
Victim Site: lepassagetoindia.com
- Alleged leak of mixed access combolist with 10,000 credentials
Category: Combo List
Content: A threat actor known as wingoooW has freely shared a mixed-access combolist containing approximately 10,000 email and password credential pairs via an external paste site. The combolist is described as valid and contains mixed access, suggesting credentials spanning multiple services or platforms. No specific victim organization or country has been identified.
Date: 2026-04-18T14:15:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-10K-MIXED-ACCESS-VALID
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Russian email credentials combolist
Category: Combo List
Content: A threat actor known as COYTO has made available a combolist containing approximately 4,000 alleged Russian email address and password combinations via a paste site. The credentials were shared freely on DemonForums in the Combolists section. The targeted email providers or organizations associated with the credentials are not specified in the post.
Date: 2026-04-18T14:14:57Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-4K-RUSSIAN-VALID-MAIL
Screenshots:
None
Threat Actors: COYTO
Victim Country: Russia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Zero-Day Vulnerability Discovery in ASUS Kernel Driver via Automated LLM Pipeline
Category: Initial Access
Content: A threat actor known as RedQueen claims to have built an automated pipeline called DeepZero using LangChain, Ghidra, Semgrep, and Google Gemini 2.5 to scan thousands of signed Windows kernel drivers for exploitable vulnerabilities. The pipeline processed approximately 12,000 .sys files, triaging 7,463 unique candidates with reachable IOCTL attack surfaces. On its first real-world run, the pipeline allegedly identified a zero-day vulnerability in a signed ASUS kernel driver, which could potential
Date: 2026-04-18T14:12:35Z
Network: openweb
Published URL: https://tier1.life/thread/155
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Japan
Victim Industry: Technology
Victim Organization: ASUS
Victim Site: asus.com
- Alleged Living-off-the-Land Technique: DSCourier WinGet COM API EDR Bypass
Category: Initial Access
Content: Security researchers Dylan Davis and Matthew Schramm published a technique dubbed DSCourier that weaponizes Windows Desired State Configuration (DSC) via WinGet's COM API to achieve arbitrary code execution inside a Microsoft-signed process. The technique bypasses EDR solutions including CrowdStrike Falcon, Microsoft Defender for Endpoint, and Elastic Security by eliminating winget.exe, powershell.exe, and cmd.exe from the process tree. By invoking WinGet's configuration engine directly throug
Date: 2026-04-18T14:11:57Z
Network: openweb
Published URL: https://tier1.life/thread/156
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Multiple Zero-Day Vulnerabilities Discovered in ImageMagick Allowing File Read/Write and RCE
Category: Initial Access
Content: Security researchers at pwn.ai claim to have discovered multiple zero-day vulnerabilities in ImageMagick affecting millions of servers by default, including arbitrary file read/write and remote code execution (RCE) capabilities. The vulnerabilities bypass multiple ImageMagick security policies including limited and secure configurations, and impact major Linux distributions and WordPress installations worldwide. Attack chains were demonstrated via SVG, PDF, and EPT image format handlers, wit
Date: 2026-04-18T14:11:15Z
Network: openweb
Published URL: https://tier1.life/thread/157
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: ImageMagick
Victim Site: imagemagick.org
- Alleged leak of Hotmail credential combolist (UHQ)
Category: Combo List
Content: A threat actor operating under the alias FlashCloud2 has made available a claimed UHQ (ultra-high quality) combolist of Hotmail credentials on the cracking forum CX. The post is gated behind registration or sign-in, limiting visibility into the full details, record count, or format of the data. UHQ designations typically indicate a high ratio of valid, unverified email and password pairs.
Date: 2026-04-18T13:34:04Z
Network: openweb
Published URL: https://crackingx.com/threads/72482/
Screenshots:
None
Threat Actors: FlashCloud2
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged Reconnaissance Methodology and Tooling Guide Published on Cybercrime Forum
Category: Initial Access
Content: A threat actor operating under the alias RedQueen published a detailed reconnaissance methodology guide on the cybercrime forum Tier1. The guide outlines a comprehensive 23-step attack reconnaissance workflow covering subdomain enumeration, DNS exploitation, HTTP vulnerability scanning, subdomain takeover, secret harvesting, directory fuzzing, JavaScript analysis, and vulnerability scanning using tools such as amass, subfinder, httpx, nuclei, trufflehog, subzy, and others. The post appears int
Date: 2026-04-18T13:32:01Z
Network: openweb
Published URL: https://tier1.life/thread/154
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of credential combolist (ULP) distributed via Telegram
Category: Combo List
Content: A threat actor operating under the alias zod has shared what is described as VIP ULP 6, a credential combolist, on the cracking forum CrackingX. The content is gated behind registration or sign-in, with access credentials distributed via a Telegram channel. No specific victim organization, country, or record count has been identified from the available information.
Date: 2026-04-18T13:04:03Z
Network: openweb
Published URL: https://crackingx.com/threads/72475/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of German mixed-domain credential combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a combolist containing approximately 171,070 lines of credentials associated with mixed German domains. The data has been made available for free download via a Mega.nz link. The post does not specify targeted organizations or industries, suggesting the list aggregates credentials from multiple sources.
Date: 2026-04-18T13:03:34Z
Network: openweb
Published URL: https://crackingx.com/threads/72476/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor known as klyne05 has made available a combolist of alleged Hotmail credentials on the cracking forum CrackingX. The post claims the credentials are fresh and have been checked. No pricing was mentioned, suggesting this is a free distribution of the credential list.
Date: 2026-04-18T13:03:04Z
Network: openweb
Published URL: https://crackingx.com/threads/72477/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email access credential list
Category: Combo List
Content: A threat actor operating under the alias Kommander0 has shared a combolist containing approximately 2,100 mixed email access credentials on the cracking forum CrackingX. The list was made available for free download via a Gofile link. No specific victim organization or country has been identified, suggesting the credentials may span multiple services or providers.
Date: 2026-04-18T13:02:22Z
Network: openweb
Published URL: https://crackingx.com/threads/72479/
Screenshots:
None
Threat Actors: Kommander0
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist with sorted targets
Category: Combo List
Content: A threat actor operating under the alias He_Cloud has made available on DemonForums a combolist of 247 alleged Hotmail credential hits described as UHQ (ultra-high quality). The post includes free downloads for the credential hits, keyword targets, and country-sorted lists, suggesting the credentials have been validated and organized by geographic region.
Date: 2026-04-18T13:01:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-247x-HOTMAIL-UHQ-HITS-INBOXES-TARGETS-SORTED-COUNTRIE
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias HollowKnight07 has made available a sample combolist containing 925 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link, suggesting this is a sample release likely intended to attract attention or establish reputation. The credentials appear to be email and password pairs targeting Microsoft's Hotmail service.
Date: 2026-04-18T13:01:37Z
Network: openweb
Published URL: https://crackingx.com/threads/72481/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email and password credentials combolist
Category: Combo List
Content: A threat actor operating under the alias He_Cloud has made available a mixed combolist containing 4,359 email and password credential pairs on DemonForums. The post offers a free download of the credential list, described as good and valid. The origin, affected organizations, and industries associated with the credentials are unknown.
Date: 2026-04-18T13:01:16Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-4359x-GOOD-VALID-MIXED
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged defacement of Bangladesh Navy Military website by Pharaohs Team
Category: Defacement
Content: Pharaohs Team claims to have defaced the Bangladesh Navy military website at bsddhaka.navy.mil.bd. The post includes Domain Authority (DA36) and Page Authority (PA29) metrics, which are commonly shared in defacement posts to indicate the significance of the target. Contact is directed to @phteam_s.
Date: 2026-04-18T12:52:07Z
Network: telegram
Published URL: https://t.me/c/3205199875/494
Screenshots:
None
Threat Actors: Pharaohs Team
Victim Country: Bangladesh
Victim Industry: Government / Military
Victim Organization: Bangladesh Navy / BSD Dhaka
Victim Site: bsddhaka.navy.mil.bd
- Alleged Unauthorized Access Service Offering Intel X Account for Hire
Category: Initial Access
Content: A threat actor known as Chamane99 is offering a paid screen-sharing service using their Intelligence X (Intelx.io) account, allowing clients to conduct OSINT searches for $15 per query. The actor claims to share their screen during the search and deliver full results as a ZIP archive. This service effectively monetizes unauthorized or shared access to a premium OSINT platform to retrieve potentially sensitive data on behalf of third parties.
Date: 2026-04-18T12:37:56Z
Network: openweb
Published URL: https://breached.st/threads/rent-intelx-account.86061/unread
Screenshots:
None
Threat Actors: Chamane99
Victim Country: Unknown
Victim Industry: Technology / OSINT
Victim Organization: Intelligence X (Intelx.io)
Victim Site: intelx.io
- Alleged Data Leak of Electronic City Indonesia Customer Database
Category: Data Leak
Content: A threat actor known as gloriouspurposes has made available a free sample of 54,000 customer records allegedly stolen from Electronic City, an Indonesian electronics retailer, following a claimed backend compromise on 10 March 2026. The leaked database dump contains personally identifiable information including full names, NIK identity numbers, email addresses, phone numbers, physical addresses, and detailed order history. The actor claims to possess the full dataset of approximately 618,000 u
Date: 2026-04-18T12:37:06Z
Network: openweb
Published URL: https://breached.st/threads/eci-id-indonesia-electronic-city-website-customer-breach-database.86062/unread
Screenshots:
None
Threat Actors: gloriouspurposes
Victim Country: Indonesia
Victim Industry: Retail
Victim Organization: Electronic City
Victim Site: eci.id
- Alleged sale of real-time delivery orders database from Indonesian e-commerce platform
Category: Data Breach
Content: A threat actor operating under the alias gloriouspurposes (Telegram: @Caosho) claims to have persistent access to the private admin portal of an Indonesian delivery/e-commerce platform and is selling real-time daily order data. The actor offers 1,500–2,500 delivery orders per day, representing an estimated $20,000–$40,000 in daily transaction revenue, and is seeking long-term buyers or revenue-sharing partners. A sample CSV file containing next-day delivery orders was shared via vikingfile.com
Date: 2026-04-18T12:36:36Z
Network: openweb
Published URL: https://breached.st/threads/indonesia-real-time-orders-database-daily-revenue-20000-40000.86063/unread
Screenshots:
None
Threat Actors: gloriouspurposes
Victim Country: Indonesia
Victim Industry: E-commerce / Delivery Services
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of business combolist claimed to contain 7 million corporate leads
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist purportedly containing 7 million business/corporate leads via Telegram channels. The content is offered for free through two Telegram groups (t.me/Combo445544 and t.me/Coder554455), with direct contact available via Telegram handle CODER5544. No specific victim organization or country has been identified.
Date: 2026-04-18T12:21:43Z
Network: openweb
Published URL: https://crackingx.com/threads/72474/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of 7-Eleven by ShinyHunters with Extortion Demand
Category: Data Breach
Content: ShinyHunters claims to have compromised over 600,000 Salesforce records from 7-Eleven (7-eleven.com) containing PII and internal corporate data. The group is issuing a final extortion warning demanding payment by April 21, 2026, threatening to leak the data and cause additional digital problems if demands are not met. Proof is hosted on their .onion blog.
Date: 2026-04-18T12:20:00Z
Network: telegram
Published URL: https://t.me/c/3737716184/1349
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Retail
Victim Organization: 7-Eleven, Inc.
Victim Site: 7-eleven.com
- Alleged open-source Rust malware development toolkit published on underground forum
Category: Initial Access
Content: A forum post on tier1.life, authored by RedQueen, promotes and describes an open-source Rust-based malware development repository maintained by Whitecat18 (Smukx), containing over 60 offensive security techniques targeting Windows systems. The repository covers process injection, shellcode execution, EDR/AMSI bypass, payload encryption, persistence, C2, and credential theft, organized as self-contained modules under an MIT license. The toolkit is presented as both an educational resource and a p
Date: 2026-04-18T12:19:35Z
Network: openweb
Published URL: https://tier1.life/thread/153
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed combolist with 85,228 credentials
Category: Combo List
Content: A threat actor operating under the alias zod has shared a mixed combolist containing 85,228 lines on the CrackingX forum. The credential list was distributed via a Telegram bot (@hello_zod_bot) and is available for free download. No specific victim organization or targeted service has been identified, suggesting the combolist aggregates credentials from multiple sources.
Date: 2026-04-18T11:47:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72472/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged SSRF-Based Internal Network Access to Starbucks Infrastructure
Category: Initial Access
Content: A bug bounty researcher discovered a Server-Side Request Forgery (SSRF) vulnerability on ideas.starbucks.com by sending HTTP requests with absolute URIs, which caused the server to act as a bidirectional HTTP proxy forwarding full requests including all HTTP methods to internal network targets. The researcher leveraged historical DNS hostname reconnaissance via ArgosDNS to identify internal hostnames that do not resolve publicly, enabling access to internal Starbucks infrastructure. The vulnerab
Date: 2026-04-18T11:45:01Z
Network: openweb
Published URL: https://tier1.life/thread/151
Screenshots:
None
Threat Actors: RedQueen
Victim Country: United States
Victim Industry: Food & Beverage / Retail
Victim Organization: Starbucks
Victim Site: ideas.starbucks.com
- Alleged publication of SilentMoonwalk dynamic call stack spoofing PoC technique
Category: Initial Access
Content: A forum post by RedQueen on tier1.life presents a technical article detailing SilentMoonwalk, a proof-of-concept implementation of a dynamic call stack spoofer developed by researchers Alessandro Magnosi (klezVirus), Arash Parsa (waldo-irc), and Athanasios Tserpelis (trickster0). The technique allows malicious code to spoof arbitrary call stack frames, concealing the true origin of execution not only during sleep but also during active execution, enabling evasion of EDR and anti-cheat memory a
Date: 2026-04-18T11:44:22Z
Network: openweb
Published URL: https://tier1.life/thread/152
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Cyber Attack on Mossad by Anonymous for Justice
Category: Data Breach
Content: A group calling itself Anonymous for Justice has claimed to have gained access to databases, laboratories, and weapons-related plans associated with the Israeli regime (Mossad). The group has also published a collection of documents, images, and information related to certain Israeli officials and scientists. No price was mentioned; the content appears to have been leaked/shared publicly.
Date: 2026-04-18T11:32:17Z
Network: telegram
Published URL: https://t.me/c/1283513914/21264
Screenshots:
None
Threat Actors: Anonymous for Justice
Victim Country: Israel
Victim Industry: Government / Intelligence
Victim Organization: Mossad
Victim Site: Unknown
- Alleged sale of access to Peruvian educational institutions
Category: Initial Access
Content: A threat actor from the Pharaohs Team market posted two Peruvian educational institution domains (iriosanta.edu.pe and independencia.edu.pe) marked as #sold, indicating they were sold, likely as initial access or defacement targets.
Date: 2026-04-18T11:13:57Z
Network: telegram
Published URL: https://t.me/c/3205199875/491
Screenshots:
None
Threat Actors: Pharaohs Team
Victim Country: Peru
Victim Industry: Education
Victim Organization: Iriosanta / Independencia Educational Institutions
Victim Site: iriosanta.edu.pe, independencia.edu.pe
- Alleged leak of shopping and corporate combolist credentials
Category: Combo List
Content: A threat actor known as HQcomboSpace has made available a combolist containing approximately 50,514 credential pairs via a Mega.nz link. The combolist is advertised as suitable for shopping and corporate business targets. No specific victim organization or country has been identified.
Date: 2026-04-18T11:03:18Z
Network: openweb
Published URL: https://crackingx.com/threads/72468/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Retail / E-Commerce
Victim Organization: Unknown
Victim Site: Unknown
- Alleged XSS and Session Hijacking Vulnerability Disclosure in Telegram WebK (CVE-2024-33905)
Category: Initial Access
Content: A researcher disclosed CVE-2024-33905, a cross-site scripting (XSS) vulnerability in Telegram WebK versions 2.0.0 (486) and below, exploitable via a malicious Mini App using the web_app_open_link postMessage event with a URI scheme. The flaw allowed arbitrary JavaScript execution in the web.telegram.org parent context, enabling full session hijacking by extracting session tokens from localStorage. Telegram patched the vulnerability within two days of the report by implementing a safe
Date: 2026-04-18T11:00:34Z
Network: openweb
Published URL: https://tier1.life/thread/150
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Telegram
Victim Site: web.telegram.org
- Website Defacement of UMS Services by L4663R666H05T (Umbra Community)
Category: Defacement
Content: On April 18, 2026, the website umsservices.com was defaced by threat actor L4663R666H05T, operating under the group Umbra Community. The attack targeted a subdirectory of the site and was neither a mass nor a redefacement incident. No specific motive or vulnerability details were disclosed by the attacker.
Date: 2026-04-18T10:59:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/852230
Screenshots:
None
Threat Actors: L4663R666H05T, Umbra Community
Victim Country: Unknown
Victim Industry: Professional Services
Victim Organization: UMS Services
Victim Site: umsservices.com
- Alleged Data Breach and Extortion of Aman Resorts by ShinyHunters
Category: Data Breach
Content: Threat actor group ShinyHunters claims to have compromised over 500,000 Salesforce records containing PII belonging to Aman Resorts (aman.com). The group issued a final warning demanding payment by 21 April 2026, threatening to leak the data and cause additional digital problems if demands are not met. Proof and further details are referenced on their .onion blog.
Date: 2026-04-18T10:42:30Z
Network: telegram
Published URL: https://t.me/c/3737716184/1343
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Switzerland
Victim Industry: Hospitality
Victim Organization: Aman Resorts
Victim Site: aman.com
- Alleged data breach of Alert 360 Opco Inc. (alert360.com) exposing 2.5M+ records
Category: Data Breach
Content: Threat actor ShinyHunters claims to have breached Alert 360 Opco Inc. (alert360.com), a home security and alarm monitoring company, allegedly exposing over 2.5 million records. The data is being advertised on BreachForums.
Date: 2026-04-18T10:41:35Z
Network: telegram
Published URL: https://t.me/c/3737716184/1362
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Home Security / Alarm Monitoring
Victim Organization: Alert 360 Opco Inc.
Victim Site: alert360.com
- Alleged Data Leak of City of Los Angeles Police Department Data
Category: Data Leak
Content: A threat actor operating under the handle Tanaka has shared what is alleged to be sample data from a leak affecting the City of Los Angeles Police Department. The post was made on the forum SP under the Other Leaks section. No further details regarding the nature, volume, or specific content of the leaked data are available from the post.
Date: 2026-04-18T10:38:26Z
Network: openweb
Published URL: https://spear.cx/Thread-City-of-Los-Angeles-police-data-leak-samples
Screenshots:
None
Threat Actors: [Mod] Tanaka
Victim Country: United States
Victim Industry: Law Enforcement
Victim Organization: City of Los Angeles Police Department
Victim Site: lapdonline.org
- Alleged data leak of Alert 360 Opco Inc. by ShinyHunters
Category: Data Leak
Content: Threat actor ShinyHunters claims to have compromised Alert 360 Opco Inc. (alert360.com), exfiltrating over 2.5 million records containing PII and internal corporate data (10GB+ compressed). Unlike other victims issued Pay or Leak warnings, Alert 360's data has already been publicly leaked with a direct download link at http://91.215.85.22/pay_or_leak/alert360/, reportedly after failed ransom negotiations. A negotiation chatlog is included. Data was updated/published on 18 April 2026.
Date: 2026-04-18T10:36:42Z
Network: telegram
Published URL: https://t.me/c/3500620464/7003
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Security Services
Victim Organization: Alert 360 Opco Inc.
Victim Site: alert360.com
- Website Defacement of zybox.in by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website zybox.in, targeting a domain registered under India's .in TLD. The defacement was a targeted single-site incident, with the compromised page archived at zone-xsec.com. No specific motive or server details were disclosed in connection with the attack.
Date: 2026-04-18T10:31:38Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/851688
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Unknown
Victim Organization: Zybox
Victim Site: zybox.in
- Website Defacement of West Hill Interior by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website of West Hill Interior at westhillinterior.com. The defacement targeted a specific index file and was neither a mass nor a redefacement incident. A mirror of the defaced page was archived on zone-xsec.com.
Date: 2026-04-18T10:25:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/851618
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Interior Design / Home Furnishings
Victim Organization: West Hill Interior
Victim Site: westhillinterior.com
- Alleged Data Extortion of Carnival Corporation by ShinyHunters
Category: Data Breach
Content: Threat actor group ShinyHunters claims to have compromised Carnival Corporation & plc (carnivalcorp.com), exfiltrating over 8.7 million records containing PII along with terabytes of internal corporate data. The group is issuing a final warning with a deadline of April 21, 2026 to pay or face public data leak and additional digital problems. The threat is posted on their onion site and forwarded across multiple channels.
Date: 2026-04-18T10:23:09Z
Network: telegram
Published URL: https://t.me/c/3500620464/6999
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Travel & Hospitality
Victim Organization: Carnival Corporation & plc
Victim Site: carnivalcorp.com
- Alleged data leak of Alert 360 Opco Inc. by ShinyHunters
Category: Data Leak
Content: Threat actor ShinyHunters claims to have compromised Alert 360 Opco Inc. (alert360.com), exfiltrating over 2.5 million records containing PII and internal corporate data totaling 10GB+ compressed. The data has been made available for free download following a failed ransom negotiation. A download link hosted at 91.215.85.22 is provided along with a chat log of the negotiation.
Date: 2026-04-18T10:20:58Z
Network: telegram
Published URL: https://t.me/c/3737716184/1355
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Security Services
Victim Organization: Alert 360 Opco Inc.
Victim Site: alert360.com
- Alleged Data Breach and Extortion of 7-Eleven by ShinyHunters
Category: Data Breach
Content: The ShinyHunters threat group claims to have compromised over 600,000 Salesforce records from 7-Eleven, Inc. (7-eleven.com) containing PII and internal corporate data. The group is issuing a final extortion warning demanding payment by 21 Apr 2026, threatening to leak the data and cause additional digital problems if the ransom is not paid. The claim was posted on their Telegram channel and references their onion blog site.
Date: 2026-04-18T10:19:41Z
Network: telegram
Published URL: https://t.me/c/3737716184/1325
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Retail
Victim Organization: 7-Eleven, Inc.
Victim Site: 7-eleven.com
- Alleged Data Breach of Canada Life Assurance Company by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters claims to have compromised over 5.6 million Salesforce records containing PII belonging to The Canada Life Assurance Company (canadalife.com). The group is issuing a Pay or Leak extortion ultimatum with a deadline of 21 April 2026, threatening to publicly leak the data and cause additional digital problems if payment is not received. The claim is posted on their onion blog.
Date: 2026-04-18T10:19:27Z
Network: telegram
Published URL: https://t.me/c/3737716184/1321
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Canada
Victim Industry: Insurance
Victim Organization: The Canada Life Assurance Company
Victim Site: canadalife.com
- Website Redefacement of thetsquare.co by Nicotine of Umbra Community
Category: Defacement
Content: The website thetsquare.co was redefaced on April 18, 2026, by a threat actor known as Nicotine, affiliated with the group Umbra Community. This incident is classified as a redefacement, indicating the site had been previously compromised. The attack targeted the site's index page, and a mirror of the defacement was archived via zone-xsec.com.
Date: 2026-04-18T10:19:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/851337
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: The T Square
Victim Site: thetsquare.co
- Alleged data breach and extortion of Pitney Bowes Inc. by ShinyHunters
Category: Data Breach
Content: ShinyHunters claims to have compromised over 25 million Salesforce records containing PII belonging to Pitney Bowes Inc. (pb.com). The group is issuing a final warning with a deadline of 21 April 2026 to pay or face public data leak, along with additional digital problems. The threat is posted on their onion site.
Date: 2026-04-18T10:18:46Z
Network: telegram
Published URL: https://t.me/c/3737716184/1323
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Logistics/Shipping
Victim Organization: Pitney Bowes Inc.
Victim Site: pb.com
- Alleged Data Breach and Extortion of Aman Resorts by ShinyHunters
Category: Data Breach
Content: The ShinyHunters threat group claims to have compromised over 500,000 Salesforce records containing PII belonging to Aman Resorts (aman.com). The group is issuing a final warning with a deadline of 21 April 2026, threatening to publicly leak the data and cause additional digital problems if the victim does not make contact. The threat is posted on their onion blog and repeated across multiple messages.
Date: 2026-04-18T10:18:02Z
Network: telegram
Published URL: https://t.me/c/3737716184/1319
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Hospitality
Victim Organization: Aman Resorts
Victim Site: aman.com
- Website Defacement of Top Boys Boarding School by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website of Top Boys Boarding School, an educational institution based in India. The attack was a targeted single-site defacement, with the compromised page mirrored at zone-xsec.com. No specific motivation or technical details regarding the server environment were disclosed.
Date: 2026-04-18T10:15:47Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/851367
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Education
Victim Organization: Top Boys Boarding School
Victim Site: topboysboardingschool.in
- Alleged leak of 504,000 United Kingdom email credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist containing over 504,000 email and password credential pairs allegedly associated with United Kingdom users. The content is described as fresh and high quality, and is being freely distributed via a hidden download link on the forum. The actor also promotes additional combolists through a Telegram channel linked to Maxi_links.
Date: 2026-04-18T10:05:51Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-504-K-%E2%9C%A6-United-Kingdom-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-18-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Vietnamese email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has shared a combolist of approximately 78,000 email address and password credential pairs associated with Vietnamese users on Demonforums. The content is described as fresh and high quality, and is made available for free via a hidden download link. The post also promotes a Telegram channel Maxi_links for additional combolists.
Date: 2026-04-18T10:05:14Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-78-K-%E2%9C%A6-Vietnam-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-18-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Vietnam
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of United States email and password combolist
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist of approximately 43,000 email and password credential pairs allegedly belonging to United States users on Demonforums. The list is described as fresh and high quality, and is offered as hidden content requiring forum registration or login to access. The post also references a Telegram channel, Maxi_links, for additional combolists.
Date: 2026-04-18T10:04:26Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-43-K-%E2%9C%A6-United-States-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-18-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Silver Heaven Travels by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, successfully defaced the website of Silver Heaven Travels at silverheaventravels.com. The attack was a targeted single-site defacement rather than a mass or repeated defacement campaign. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-04-18T10:04:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850944
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Travel and Tourism
Victim Organization: Silver Heaven Travels
Victim Site: silverheaventravels.com
- Website Defacement of Shreeyafineries by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website of Shreeya Fineries, an Indian fineries/manufacturing company. The defacement targeted the index page of the site and was recorded as a single, non-mass, non-redefacement incident. A mirror of the defaced page was archived at zone-xsec.com.
Date: 2026-04-18T10:01:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850916
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Manufacturing / Refined Products
Victim Organization: Shreeya Fineries
Victim Site: shreeyafineries.in
- Website Defacement of saipay.in by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor identified as Nicotine, affiliated with the group Umbra Community, defaced the website saipay.in, an apparent payment or financial services platform based in India. The defacement targeted a specific page (index.txt) and was neither a mass nor a redefacement incident. The attack was documented and mirrored via zone-xsec.com.
Date: 2026-04-18T09:55:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850734
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Financial Services
Victim Organization: SaiPay
Victim Site: saipay.in
- Website Redefacement of prognamik.in by Nicotine of Umbra Community
Category: Defacement
Content: The threat actor Nicotine, affiliated with the group Umbra Community, conducted a redefacement of the Indian website prognamik.in on April 18, 2026. This incident represents a repeated compromise of the target, indicating persistent unauthorized access or unresolved vulnerabilities. The defacement was a targeted single-site attack, with the mirrored content archived on zone-xsec.com.
Date: 2026-04-18T09:49:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850469
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Technology/Software
Victim Organization: Prognamik
Victim Site: prognamik.in
- Website Defacement of Pure Living Science by Nicotine (Umbra Community)
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website purelivingscience.com. The incident was a targeted single-site defacement with no mass or repeat defacement indicators. The server environment and attacker motivation were not disclosed.
Date: 2026-04-18T09:46:23Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850491
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Science/Media
Victim Organization: Pure Living Science
Victim Site: purelivingscience.com
- Website Defacement of NexDPTech by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website nexdptech.com by altering the index.txt file. The attack was a targeted single-site defacement with no mass defacement or redefacement indicators. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-18T09:40:14Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850251
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: NexDP Tech
Victim Site: nexdptech.com
- Website defacement of nooriik.com by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor operating under the alias Nicotine, affiliated with the group Umbra Community, defaced the website nooriik.com. The defacement targeted a specific text file (index.txt) rather than the main homepage, suggesting a targeted file-level intrusion. The incident was recorded and mirrored by zone-xsec.com with no stated motive or proof of concept provided.
Date: 2026-04-18T09:37:44Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850261
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: nooriik.com
- Alleged Data Breach and Extortion of Pitney Bowes by ShinyHunters
Category: Data Breach
Content: The ShinyHunters threat group claims to have compromised over 25 million Salesforce records containing PII belonging to Pitney Bowes (pb.com). The group is issuing a final warning with a deadline of April 21, 2026, threatening to publicly leak the data if payment is not received. The threat also includes unspecified digital problems if demands are not met. A dark web blog is referenced for verification.
Date: 2026-04-18T09:36:32Z
Network: telegram
Published URL: https://t.me/c/3500620464/6994
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology / Logistics
Victim Organization: Pitney Bowes Inc.
Victim Site: pb.com
- Website Defacement of neelnayak.online by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website neelnayak.online by altering the index.txt file. The attack was a targeted, non-mass defacement with no stated motive. The incident was mirrored and recorded by zone-xsec.com under mirror ID 850247.
Date: 2026-04-18T09:36:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850247
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Neel Nayak
Victim Site: neelnayak.online
- Alleged Data Breach and Leak of Alert360 Opco Inc. by ShinyHunters
Category: Data Breach
Content: The ShinyHunters threat group claims to have breached Alert360 Opco Inc. (alert360.com), exfiltrating over 2.5 million records containing PII and internal corporate data totaling 10GB+ compressed. Unlike other victims listed in the same campaign, Alert360's data has already been leaked publicly via a direct download link (http://91.215.85.22/pay_or_leak/alert360/), reportedly due to failed ransom negotiations. A negotiation chat log is also included in the leak.
Date: 2026-04-18T09:34:42Z
Network: telegram
Published URL: https://t.me/c/3737716184/1331
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Security Services
Victim Organization: Alert360 Opco Inc.
Victim Site: alert360.com
- Alleged leak of Japanese driver's license data
Category: Data Leak
Content: A threat actor operating under the alias Arnoldsudney has made available a dataset purportedly containing Japanese driver's license records dated 2026. The dataset allegedly contains over 20,000 records and was shared via a free file-hosting service. The source organization or system from which the data originated has not been identified.
Date: 2026-04-18T09:33:44Z
Network: openweb
Published URL: https://darkforums.su/Thread-Document-Latest-data-on-Japanese-driver-s-licenses-in-2026
Screenshots:
None
Threat Actors: Arnoldsudney
Victim Country: Japan
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Mawaared by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the Saudi Arabian website mawaared.sa. The attack targeted a specific page (index.txt) rather than the homepage and was not part of a mass defacement campaign. The incident was mirrored and archived by zone-xsec.com for documentation purposes.
Date: 2026-04-18T09:29:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850171
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Saudi Arabia
Victim Industry: Unknown
Victim Organization: Mawaared
Victim Site: mawaared.sa
- Website Defacement of MarketMaroc by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website marketmaroc.net by altering its index page. The attack was a targeted, single-site defacement with no indication of mass or repeated compromise. The mirror of the defacement was archived via zone-xsec.com.
Date: 2026-04-18T09:27:49Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850166
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Morocco
Victim Industry: E-Commerce / Marketplace
Victim Organization: Market Maroc
Victim Site: marketmaroc.net
- Website Defacement of Mawhoob by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the Saudi Arabian website mawhoob.org.sa. The attack targeted a specific page (index.txt) rather than the site's homepage, indicating a targeted but non-mass defacement. No specific motive or reason was provided for the attack.
Date: 2026-04-18T09:26:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850172
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Saudi Arabia
Victim Industry: Unknown
Victim Organization: Mawhoob
Victim Site: mawhoob.org.sa
- Alleged distribution of mixed corporate combolists by threat actor CODER
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing mixed corporate combolists for free via Telegram channels. The post promotes two Telegram groups offering free combolists and cracking tools, with no specific victim organization or record count disclosed. The content is gated behind forum registration, limiting full visibility into the scope of the leak.
Date: 2026-04-18T09:22:38Z
Network: openweb
Published URL: https://crackingx.com/threads/72466/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials and private cloud access data
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of alleged valid Hotmail credentials with associated private cloud access on a cracking forum. The post includes a link to an external paste site for download. No price was mentioned, suggesting the credentials are being freely distributed.
Date: 2026-04-18T09:22:10Z
Network: openweb
Published URL: https://crackingx.com/threads/72467/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Website Defacement of Khara Volleyball by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, the website kharavolleyball.com was defaced by a threat actor operating under the alias Nicotine, affiliated with the group Umbra Community. The attack targeted the index page of a volleyball-related organization's website. The incident was a standalone defacement, not classified as mass or redefacement.
Date: 2026-04-18T09:20:03Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850090
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Sports
Victim Organization: Khara Volleyball
Victim Site: kharavolleyball.com
- Website Defacement of khleangsbaek.com by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website khleangsbaek.com. The defacement targeted a single page (index.txt) and was not classified as a mass or home page defacement. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-18T09:19:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850091
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Cambodia
Victim Industry: Unknown
Victim Organization: Khleangs Baek
Victim Site: khleangsbaek.com
- Website Defacement of Key Elevators by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website of Key Elevators, an elevator company based in India. The defacement targeted the index page of the domain keyelevators.in and was recorded as a singular, non-mass defacement event. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-18T09:17:32Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850087
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Manufacturing / Engineering
Victim Organization: Key Elevators
Victim Site: keyelevators.in
- Website Defacement of Kalas Dance Academy by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor identified as Nicotine, affiliated with the group Umbra Community, defaced the website of Kalas Dance Academy. The attack targeted the index page of the domain and was recorded as a single, non-mass defacement incident. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-04-18T09:16:16Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850079
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Arts & Entertainment
Victim Organization: Kalas Dance Academy
Victim Site: kalasdanceacademy.com
- Website Defacement of Kanthi Resorts by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, threat actor Nicotine operating under the group Umbra Community defaced the website of Kanthi Resorts, a hospitality organization, targeting the index page. The attack was a singular, targeted defacement rather than a mass or redefacement incident, with a mirror of the defaced page archived on zone-xsec.com.
Date: 2026-04-18T09:15:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850081
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Hospitality & Tourism
Victim Organization: Kanthi Resorts
Victim Site: kanthiresorts.com
- Website Defacement of Jefferson Land Properties by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website of Jefferson Land Properties, a real estate organization. The attack was a targeted single-site defacement, with the mirrored evidence of the defacement archived at zone-xsec.com. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-18T09:13:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850066
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: United States
Victim Industry: Real Estate
Victim Organization: Jefferson Land Properties
Victim Site: jeffersonlandproperties.com
- Website Defacement of huda-kh.org by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, successfully defaced the website huda-kh.org. The attack was a targeted single-site defacement, with the defaced page archived at zone-xsec.com. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-04-18T09:07:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850022
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Huda KH
Victim Site: huda-kh.org
- Website Redefacement of Horizon AE by Nicotine of Umbra Community
Category: Defacement
Content: The threat actor Nicotine, affiliated with Umbra Community, carried out a redefacement of horizon-ae.com on April 18, 2026. This incident marks a repeated compromise of the target, indicating the attacker has maintained or regained access to the web server. The defacement was a targeted, non-mass attack with a mirror archived at zone-xsec.com.
Date: 2026-04-18T09:05:40Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/850011
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: United Arab Emirates
Victim Industry: Unknown
Victim Organization: Horizon AE
Victim Site: horizon-ae.com
- Website Defacement of fspac.online by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website fspac.online by altering its index page. The attack was a targeted single-site defacement with no specific reason disclosed. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-04-18T08:59:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849898
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: fspac.online
- Website Defacement of Forexailtd by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website forexailtd.com. The defacement targeted what appears to be a forex or financial services company, with the attacker leaving their signature on the index page. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-18T08:58:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849889
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Forexai Ltd
Victim Site: forexailtd.com
- Website Defacement of fristdream.store by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor operating under the alias Nicotine, affiliated with the group Umbra Community, defaced the website fristdream.store. The attack targeted a single page (index.txt) and was not classified as a mass or redefacement incident. No specific motive or server details were disclosed in association with this defacement.
Date: 2026-04-18T08:57:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849892
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: E-commerce/Retail
Victim Organization: Frist Dream Store
Victim Site: fristdream.store
- Website Defacement of Garuda News by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor identified as Nicotine, affiliated with the group Umbra Community, defaced the website garudanews.in, an Indian news outlet. The defacement targeted a specific page (index.txt) rather than the home page, indicating a targeted intrusion. The incident was recorded and mirrored by zone-xsec.com.
Date: 2026-04-18T08:56:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849909
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: News & Media
Victim Organization: Garuda News
Victim Site: garudanews.in
- Website Defacement of Geographic Travel by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website of Geographic Travel, a travel-related organization based in Georgia. The defacement targeted the index page of the site and was recorded as a singular, non-mass incident. No specific motive or proof-of-concept details were disclosed.
Date: 2026-04-18T08:54:52Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849917
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Georgia
Victim Industry: Travel and Tourism
Victim Organization: Geographic Travel
Victim Site: geographictravel.ge
- Alleged Data Breach of Iranian Insurance Database Pisheaz with Personal and Vehicle Data
Category: Data Breach
Content: A threat actor operating under the alias Yakohomot is selling a 500MB database allegedly obtained from Iranian insurance platform Pisheaz for $15,000. The database, available in CSV/SQL format, contains sensitive personal and vehicle-related information including full names, national codes, dates of birth, mobile phone numbers, vehicle details (brand, model, VIN, engine number, chassis number, plate number), and insurance policy information such as policy numbers, expiry dates, and insurance c
Date: 2026-04-18T08:48:45Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Iran-Pisheaz-Database-Insurance-Personal-Data
Screenshots:
None
Threat Actors: Yakohomot
Victim Country: Iran
Victim Industry: Insurance
Victim Organization: Pisheaz
Victim Site: Unknown
- Website Redefacement of drsivaprakash.com by Nicotine of Umbra Community
Category: Defacement
Content: The website drsivaprakash.com, associated with a medical practitioner, was defaced by threat actor Nicotine operating under the Umbra Community group on April 18, 2026. This incident is classified as a redefacement, indicating the site had been previously compromised and targeted again. The defacement was a targeted attack rather than a mass defacement campaign, with the mirror archived at zone-xsec.com.
Date: 2026-04-18T08:48:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849806
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Healthcare
Victim Organization: Dr. Sivaprakash (Medical Practice)
Victim Site: drsivaprakash.com
- Alleged Data Breach of Correios (ECT) – Financials, Blueprints & Logistics Data
Category: Data Breach
Content: A threat actor known as breach3d is selling a dataset allegedly obtained from Brazil's national postal service, Correios (ECT), containing thousands of internal documents. The data purportedly includes financial and logistics records, mailing receipts involving Banco do Brasil SA, operational tracking data with employee and workstation IDs, and detailed architectural blueprints of postal facility infrastructure including security-sensitive areas. Records appear to date from late 2021, with sam
Date: 2026-04-18T08:47:36Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-BR-Massive-Correios-ECT-Leak-Financials-Blueprints-Logistics-Data
Screenshots:
None
Threat Actors: breach3d
Victim Country: Brazil
Victim Industry: Postal & Logistics Services
Victim Organization: Correios (Empresa Brasileira de Correios e Telégrafos)
Victim Site: correios.com.br
- Website Defacement of drkapendra.com.np by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the Nepalese website drkapendra.com.np. The attack targeted what appears to be a personal or professional medical website, as suggested by the "dr" prefix in the domain name. The defacement was a targeted single-site attack with no indication of mass or prior redefacement activity.
Date: 2026-04-18T08:46:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849804
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Nepal
Victim Industry: Healthcare
Victim Organization: Dr. Kapendra
Victim Site: drkapendra.com.np
- Alleged Data Leak of MTs Kabupaten Bintan Student and Parent Records
Category: Data Leak
Content: A threat actor known as CyphieNesia has made available a database allegedly containing personal information from MTs (Islamic junior high school) institutions in Kabupaten Bintan, Indonesia. The leaked data reportedly includes personal information of students and their parents, as well as institutional information about the schools. The data was shared via a free download link on an anonymous file hosting service.
Date: 2026-04-18T08:46:06Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Data-MTS-Kabupaten-Bintan
Screenshots:
None
Threat Actors: CyphieNesia
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: MTs Kabupaten Bintan
Victim Site: Unknown
- Website Defacement of drsudip.com.np by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor identified as Nicotine, affiliated with the group Umbra Community, defaced the website drsudip.com.np, likely belonging to a medical professional or healthcare provider in Nepal. The defacement targeted a specific page (index.txt) rather than the homepage, indicating a targeted file-level intrusion. No specific motive or proof of concept was disclosed.
Date: 2026-04-18T08:45:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849808
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Nepal
Victim Industry: Healthcare
Victim Organization: Dr. Sudip
Victim Site: drsudip.com.np
- Alleged Data Leak of Thailand Travel and Tourism Website Database
Category: Data Leak
Content: A threat actor identified as Anonymous2090 claims to have hacked a Thailand-based travel and tourism website, exfiltrating all databases before taking the site offline. The actor has made the stolen data freely available for download via MediaFire, protected by a password. The leaked archive appears to contain multiple MariaDB databases including tour-related and system databases such as data_tour, tour_system, and query_zego.
Date: 2026-04-18T08:45:24Z
Network: openweb
Published URL: https://darkforums.su/Thread-Thailand-travel-website
Screenshots:
None
Threat Actors: Anonymous2090
Victim Country: Thailand
Victim Industry: Travel and Tourism
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Lebanese University Student Database
Category: Data Leak
Content: A threat actor operating under the alias Anonymous2090 has freely distributed a database dump allegedly belonging to Lebanese University in Lebanon. The leaked data includes student personal information such as full names, email addresses, phone numbers, residential addresses, marital status, insurance type, enrollment dates, specializations, and academic course codes. The database appears to contain records from the Faculty of Law and Political Science, with data structured in Arabic and Englis
Date: 2026-04-18T08:44:41Z
Network: openweb
Published URL: https://darkforums.su/Thread-Lebanese-University-Lebanon
Screenshots:
None
Threat Actors: Anonymous2090
Victim Country: Lebanon
Victim Industry: Education
Victim Organization: Lebanese University
Victim Site: ul.edu.lb
- Website Defacement of drugrats.com by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website drugrats.com. The attacker replaced the site's index page with a defacement message. The incident was a singular targeted defacement, not part of a mass or repeated defacement campaign.
Date: 2026-04-18T08:44:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849809
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: DrugRats
Victim Site: drugrats.com
- Alleged Data Leak of Lagos State University (LASU) Database
Category: Data Leak
Content: A threat actor operating under the alias NullsecNg has leaked data allegedly belonging to Lagos State University (LASU) on a dark web forum. The leaked data reportedly includes staff names, lecturer names, Gmail addresses and phone numbers, as well as student matriculation numbers. The data has been made freely available via an external file-sharing link.
Date: 2026-04-18T08:43:59Z
Network: openweb
Published URL: https://darkforums.su/Thread-LASU-DBS
Screenshots:
None
Threat Actors: NullsecNg
Victim Country: Nigeria
Victim Industry: Education
Victim Organization: Lagos State University (LASU)
Victim Site: Unknown
- Website Defacement of Eagle Eye Drone by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, the website eagleyedrone.com was defaced by a threat actor operating under the alias Nicotine, affiliated with the hacking group Umbra Community. The defacement targeted the index page of the drone services website and was recorded as a single, non-mass defacement event. No specific motive or server details were disclosed in the available intelligence.
Date: 2026-04-18T08:42:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849816
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: United States
Victim Industry: Technology / Drone Services
Victim Organization: Eagle Eye Drone
Victim Site: eagleyedrone.com
- Website Defacement of CBSE Residential School by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor identified as Nicotine, affiliated with the group Umbra Community, defaced the website of CBSE Residential School, an educational institution in India. The attack targeted the index page of the domain cbseresidentialschool.in and was neither a mass defacement nor a redefacement. A mirror of the defaced page was archived at zone-xsec.com.
Date: 2026-04-18T08:36:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849693
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Education
Victim Organization: CBSE Residential School
Victim Site: cbseresidentialschool.in
- Website Defacement of Classic Pearls Parlour by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website of Classic Pearls Parlour, an Indian beauty or jewelry-related business. The attack targeted the site's index page and was neither a mass defacement nor a redefacement. No specific motivation or technical details regarding the server were disclosed.
Date: 2026-04-18T08:34:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849714
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Retail / Beauty & Personal Care
Victim Organization: Classic Pearls Parlour
Victim Site: classicpearlsparlour.in
- Website Defacement of Coeducational Boarding School by Nicotine (Umbra Community)
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website of an Indian coeducational boarding school. The attack was a targeted single-site defacement, and a mirror of the defaced page has been archived at zone-xsec.com. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-18T08:33:30Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849718
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Education
Victim Organization: Coeducational Boarding School
Victim Site: coeducationalboardingschool.in
- Alleged leak of European Education sector combolist with 117,226 credentials
Category: Combo List
Content: A threat actor known as HQcomboSpace has made available a mixed combolist containing 117,226 credential lines targeting the European education sector. The combolist was shared freely via a Mega.nz download link on the crackingx.com forum. The credentials appear to be aggregated from multiple education-related sources across Europe.
Date: 2026-04-18T08:33:04Z
Network: openweb
Published URL: https://crackingx.com/threads/72463/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Europe
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist with forum-validated accounts
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared a combolist of approximately 40,000 Hotmail email credentials on the cracking forum CrackingX. The post claims the accounts have been validated against forums, suggesting active and working credentials. The content is restricted to registered or signed-in forum members.
Date: 2026-04-18T08:32:39Z
Network: openweb
Published URL: https://crackingx.com/threads/72464/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Website Defacement of Cinnamon Isle Travels by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website of Cinnamon Isle Travels. The attack targeted the index page of the travel company's website and was not classified as a mass or home defacement. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-18T08:32:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849711
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Travel and Tourism
Victim Organization: Cinnamon Isle Travels
Victim Site: cinnamonisletravels.com
- Alleged credential leak for topgradesonline.com
Category: Logs
Content: A username and plaintext password pair has been shared for topgradesonline.com targeting the login portal at /tlogin.php. The credentials (username: rakesh, password: ishu1133) were posted publicly, potentially enabling unauthorized access to the platform.
Date: 2026-04-18T08:31:29Z
Network: telegram
Published URL: https://t.me/c/3841736872/268
Screenshots:
None
Threat Actors: SILENT ERROR SYSTEM
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Top Grades Online
Victim Site: topgradesonline.com
- Website Defacement of Aquatic Animals Info Site by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website aquaticanimals.info. The attack targeted an informational website focused on aquatic animals, with the defacement recorded and mirrored on zone-xsec.com. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-18T08:25:49Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849582
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Information/Education
Victim Organization: Aquatic Animals Info
Victim Site: aquaticanimals.info
- Website Defacement of Artisans Essence by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website artisansessence.com. The defacement targeted a single page and was not classified as a mass or home page defacement. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-18T08:24:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849591
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Retail / Artisan Goods
Victim Organization: Artisans Essence
Victim Site: artisansessence.com
- Website Redefacement of Asset Lifeguard by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, conducted a redefacement of assetlifeguard.com, indicating the site had been previously compromised. The attack targeted a text file on the domain and was not classified as a mass defacement. The incident has been archived and mirrored via zone-xsec.com for forensic reference.
Date: 2026-04-18T08:23:25Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849595
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Financial Services / Asset Management
Victim Organization: Asset Lifeguard
Victim Site: assetlifeguard.com
- Website Defacement of ATS School by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website of ATS School, an educational institution based in India. The defacement targeted a specific page (index.txt) rather than the homepage, indicating a targeted but limited-scope intrusion. The incident was recorded and mirrored by zone-xsec.com as part of defacement tracking efforts.
Date: 2026-04-18T08:22:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849605
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Education
Victim Organization: ATS School
Victim Site: atsschool.in
- Website Defacement of ArqMiguel3D by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor identified as Nicotine, operating under the group Umbra Community, defaced the website arqmiguel3d.com, targeting what appears to be an architecture or 3D design firm. The defacement was a targeted, single-site attack with no mass or re-defacement characteristics noted. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-04-18T08:21:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849588
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Architecture / Design Services
Victim Organization: ArqMiguel3D
Victim Site: arqmiguel3d.com
- Website Defacement of Astha Ayurveda by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website of Astha Ayurveda, an Ayurvedic healthcare organization. The defacement targeted a specific page (index.txt) rather than the homepage, indicating a targeted file-level compromise. The incident was recorded and mirrored by zone-xsec.com with reference ID 849597.
Date: 2026-04-18T08:19:53Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849597
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Healthcare / Alternative Medicine
Victim Organization: Astha Ayurveda
Victim Site: asthaayurveda.com
- Website Defacement of ayurock.in by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website ayurock.in by altering a text file on the server. The defacement targeted an Indian domain and was a singular, non-mass incident with no stated motive recorded. The mirror of the defaced page was archived at zone-xsec.com.
Date: 2026-04-18T08:19:01Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849613
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Unknown
Victim Organization: Ayurock
Victim Site: ayurock.in
- Website Defacement of Baama Consultant by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website of Baama Consultant, a consulting firm based in Nepal. The attack targeted the index page of the domain baamaconsultant.com.np and was not classified as a mass or home defacement. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-04-18T08:17:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849615
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Nepal
Victim Industry: Consulting Services
Victim Organization: Baama Consultant
Victim Site: baamaconsultant.com.np
- Website Defacement of 247analporn.com by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the adult entertainment website 247analporn.com. The defacement targeted the site's index page and was recorded as a singular, non-mass defacement event. A mirror of the defaced page was archived at zone-xsec.com.
Date: 2026-04-18T08:11:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849474
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Adult Entertainment
Victim Organization: 247 Anal Porn
Victim Site: 247analporn.com
- Website Defacement of 3downloadfile.com by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website 3downloadfile.com by altering the index.txt file. The incident was a targeted defacement and was not classified as a mass or redefacement event. No specific motive or vulnerability details were disclosed.
Date: 2026-04-18T08:10:23Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849476
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: File Hosting / Download Services
Victim Organization: 3downloadfile
Victim Site: 3downloadfile.com
- Website Defacement of 10x Capital by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the group Umbra Community, defaced the website of 10x Capital, an Indian financial services organization. The defacement targeted the index page of the domain 10xcapital.co.in and was recorded as a singular, non-mass defacement incident. The attack was mirrored and documented at zone-xsec.com.
Date: 2026-04-18T08:09:15Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849472
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: India
Victim Industry: Financial Services
Victim Organization: 10x Capital
Victim Site: 10xcapital.co.in
- Website Defacement of AA LED by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, operating under the team Umbra Community, defaced the website of AA LED, a Canadian lighting products company. The defacement targeted a specific index file (index.txt) and was neither a mass defacement nor a redefacement. No specific motivation or server details were disclosed in relation to the attack.
Date: 2026-04-18T08:08:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849483
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Canada
Victim Industry: Retail / Lighting Products
Victim Organization: AA LED
Victim Site: aa-led.ca
- Website Defacement of 3 Musketeers Fitness by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website of 3 Musketeers Fitness. The attack targeted an internal page rather than the home page and was not part of a mass defacement campaign. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-18T08:06:55Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849477
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Health & Fitness
Victim Organization: 3 Musketeers Fitness
Victim Site: 3musketeersfitness.com
- Website Defacement of 3D Agro Solutions by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor identified as Nicotine, affiliated with the group Umbra Community, defaced the website of 3D Agro Solutions, a Nigerian agricultural company. The incident was a targeted single-site defacement, not part of a mass defacement campaign. No specific motive or reason was disclosed by the attacker.
Date: 2026-04-18T08:05:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849475
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Nigeria
Victim Industry: Agriculture
Victim Organization: 3D Agro Solutions
Victim Site: 3dagrosolutions.com.ng
- Alleged cyber attack and data breach of Claro El Salvador by Anonymous Swiss
Category: Data Breach
Content: A Telegram channel affiliated with the group Anonymous Swiss claims to have infiltrated Claro El Salvador's telecommunications network, gaining access to portions of its internal infrastructure. Approximately 200GB of data is alleged to have been exfiltrated, including sensitive documents such as contracts, subscriber information, and internal company files. The group has indicated that up to 5GB of this data may be publicly released in the future.
Date: 2026-04-18T08:05:15Z
Network: telegram
Published URL: https://t.me/c/1283513914/21259
Screenshots:
None
Threat Actors: Anonymous Swiss
Victim Country: El Salvador
Victim Industry: Telecommunications
Victim Organization: Claro El Salvador
Victim Site: Unknown
- Website Defacement of 9archesbridge.com by Nicotine of Umbra Community
Category: Defacement
Content: On April 18, 2026, a threat actor known as Nicotine, affiliated with the group Umbra Community, defaced the website 9archesbridge.com. The defacement targeted the index page of the site, which appears to be associated with a bridge-related tourism or heritage organization. No specific motive or technical details were disclosed in the available data.
Date: 2026-04-18T08:04:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849480
Screenshots:
None
Threat Actors: Nicotine, Umbra Community
Victim Country: Unknown
Victim Industry: Tourism / Heritage
Victim Organization: 9 Arches Bridge
Victim Site: 9archesbridge.com
- Alleged sale of private channel access containing combolists, stealer logs, and credential data
Category: Logs
Content: A private Telegram channel (Whale Private) is being advertised offering approximately 75TB of CDN/BF data and 10TB of combo/mail:pass lists, stealer logs, bank logs, and other files. Subscription pricing ranges from $250 for 3 months to $750 for lifetime access. The post references threat actor ShinyHunters as associated with the offering, with contact handles @shinyc0rpsss and @whalesgleitsman provided for the channel admin.
Date: 2026-04-18T08:02:44Z
Network: telegram
Published URL: https://t.me/c/3500620464/6988
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of private channel access offering 75TB of stolen data, combolists, stealer logs, and databases
Category: Logs
Content: ShinyHunters is advertising a paid private channel (Whale Private) offering approximately 75TB of CDN/BF data and 10TB of combo lists (mail:pass), stealer logs, bank logs, and database files. Subscription tiers are priced at $250 for 3 months, $350 for 6 months, $550 for 12 months, and $750 for lifetime access. Contact is via Telegram handle @whalesgleitsman. Members are prohibited from redistributing content under threat of removal.
Date: 2026-04-18T08:01:22Z
Network: telegram
Published URL: https://t.me/c/3737716184/1316
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of ICMR Aadhaar Data
Category: Data Breach
Content: A threat actor operating under the alias Solonik is allegedly selling data from ICMR (Indian Council of Medical Research) linked to Aadhaar records at a promotional price of $200, reduced from $1000. The post includes vouches from previous customers, suggesting an active sales operation for sensitive Indian biometric identity data.
Date: 2026-04-18T08:00:44Z
Network: telegram
Published URL: https://t.me/SolonikVouches/246
Screenshots:
None
Threat Actors: Solonik
Victim Country: India
Victim Industry: Healthcare / Government
Victim Organization: ICMR (Indian Council of Medical Research)
Victim Site: Unknown
- Website Defacement of srocezinternet.sk by XYZ (Alpha Wolf)
Category: Defacement
Content: On April 18, 2026, the website srocezinternet.sk, a Slovak internet services provider, was defaced by threat actor XYZ operating under the team name Alpha Wolf. The attack targeted the homepage in a single, non-mass defacement operation. A mirror of the defacement was archived at zone-xsec.com.
Date: 2026-04-18T07:58:32Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/849467
Screenshots:
None
Threat Actors: XYZ, Alpha wolf
Victim Country: Slovakia
Victim Industry: Internet Services / Telecommunications
Victim Organization: Srocez Internet
Victim Site: srocezinternet.sk
- Alleged leak of 1,000 USA email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias wingoooW has made available a combolist containing approximately 1,000 email address and password combinations allegedly associated with United States-based users. The credential list is being freely distributed via an external paste site. No specific victim organization or industry has been identified.
Date: 2026-04-18T07:55:56Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1K-USA-VALID–200831
Screenshots:
None
Threat Actors: wingoooW
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mail.com credentials
Category: Combo List
Content: A threat actor operating under the alias COYTO has shared a combolist of approximately 1,000 mail.com email and password combinations via a public paste site. The credential list was made available as a free download on the DemonForums combolists section. No price or ransom demand was mentioned, suggesting this is a freely distributed leak.
Date: 2026-04-18T07:54:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1K-MAIL-COM
Screenshots:
None
Threat Actors: COYTO
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: mail.com
Victim Site: mail.com
- Alleged leak of United Kingdom email credentials combolist
Category: Combo List
Content: A threat actor known as COYTO has made available a combolist of email and password combinations allegedly associated with United Kingdom users. The credential list was shared as a free download via an external paste site. No specific organization or victim count has been identified.
Date: 2026-04-18T07:53:54Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-UNITED-KINGDOM-PRIVATE
Screenshots:
None
Threat Actors: COYTO
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 16,000 United States credentials
Category: Combo List
Content: A threat actor known as RandomUpload has made available a combolist containing approximately 16,000 credential pairs purportedly associated with United States users on the cracking forum CrackingX. The post offers the content behind a registration wall, requiring forum membership to access. No specific victim organization or platform has been identified.
Date: 2026-04-18T07:53:12Z
Network: openweb
Published URL: https://crackingx.com/threads/72460/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 11 million email credentials across multiple providers
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist of approximately 11 million credentials allegedly sourced from Hotmail, Yahoo, Orange, and social shopping platforms. The combolist is being made available for free via Telegram channels and a cracking forum. The actor also promotes associated Telegram groups offering free combolists and tools.
Date: 2026-04-18T07:52:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72461/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Hotmail, Yahoo, Orange
Victim Site: hotmail.com, yahoo.com, orange.fr
- Alleged leak of mixed credential combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has made available a mixed unique combolist containing approximately 41,000 credential pairs on the cracking forum CrackingX. The post is gated behind registration or sign-in, limiting full visibility into the contents. No specific victim organization, industry, or country has been identified, suggesting the combolist is aggregated from multiple sources.
Date: 2026-04-18T07:52:40Z
Network: openweb
Published URL: https://crackingx.com/threads/72462/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Cyber Attack on South Korean Municipal Wastewater Treatment Plant CCTV System by Z-Pentest Alliance
Category: Cyber Attack
Content: The threat actor group Z-Pentest Alliance claims to have gained full unauthorized access to the video surveillance system of a South Korean municipal wastewater treatment plant. The group states they can navigate the entire CCTV network in real time, viewing water quality analyzers, pumping stations, sludge tanks, control panels, and the control room. They claim access was obtained in minutes without complex exploits, attributing the breach to poor security comparable to a home router. The post includes apparent real footage from facility cameras. The group frames this as a demonstration of critical infrastructure vulnerability rather than an immediate destructive action, using hashtags referencing #OpSouthKorea.
Date: 2026-04-18T07:35:51Z
Network: telegram
Published URL: https://t.me/ogorodniki_Z/79
Screenshots:
None
Threat Actors: Z-Pentest Alliance
Victim Country: South Korea
Victim Industry: Water & Wastewater / Critical Infrastructure
Victim Organization: South Korean Municipal Wastewater Treatment Plant
Victim Site: Unknown
- Alleged Cyber Attack on Istanbul's Largest Pumping Station ICS/SCADA Systems
Category: Cyber Attack
Content: A threat actor operating under the name Armenian code claims to have gained unauthorized access to the industrial control systems of the largest pumping station in Istanbul, Turkey. The actor claims to have disabled all pumps and disrupted all operational systems, potentially impacting critical water/energy infrastructure.
Date: 2026-04-18T07:34:55Z
Network: telegram
Published URL: https://t.me/c/3628793212/141
Screenshots:
None
Threat Actors: Armenian code
Victim Country: Turkey
Victim Industry: Critical Infrastructure / Utilities
Victim Organization: Istanbul Pumping Station (largest)
Victim Site: Unknown
- Alleged acquisition request for phone number database targeting New York
Category: Data Breach
Content: A threat actor operating under the alias cuba001 posted on the Breached forum seeking to acquire a phone number database specific to New York, United States. The actor provided a Telegram contact handle (cuba00001) for further communication. No specific organization, pricing, or data volume was mentioned in the post.
Date: 2026-04-18T07:27:02Z
Network: openweb
Published URL: https://breached.st/threads/looking-phone-number-database-new-york.86060/unread
Screenshots:
None
Threat Actors: cuba001
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of large-scale URL-login-password credential database with search access
Category: Combo List
Content: A threat actor on CrackingX is offering access to a claimed 1.3TB URL-login-password (ULP) combolist, described as a private and continuously updated credential collection. Rather than providing direct file downloads, the actor offers access to an online search robot allowing queries against the dataset. The offering includes historical records, automatic updates, and country-based filtering, suggesting a credential stealer log aggregation service.
Date: 2026-04-18T07:12:56Z
Network: openweb
Published URL: https://crackingx.com/threads/72458/
Screenshots:
None
Threat Actors: Mustukaral
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias @Steveee36 has made available a combolist containing 2,432 alleged Hotmail credentials on the cracking forum CrackingX. The post offers a free download of the credential list, described as HQ (high quality), suggesting active or verified accounts. No additional context or victim details were provided.
Date: 2026-04-18T07:12:42Z
Network: openweb
Published URL: https://crackingx.com/threads/72459/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged Sale of Dubai Health Authority Data Including Passports and Medical Records
Category: Data Breach
Content: A dataset allegedly belonging to the Dubai Health Authority (DHA) has been listed for sale on an unofficial platform. The package reportedly contains approximately 836 files including passports, Emirates ID cards, medical and employment documents, personal signatures, internal documents, and maps of healthcare facilities. The origin and authenticity of the data have not been verified.
Date: 2026-04-18T07:07:04Z
Network: telegram
Published URL: https://t.me/c/1283513914/21257
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: United Arab Emirates
Victim Industry: Healthcare
Victim Organization: Dubai Health Authority
Victim Site: Unknown
- Alleged data breach of Pakistan Nuclear Regulatory Authority (PNRA)
Category: Data Breach
Content: A threat actor claims to have infiltrated the Pakistan Nuclear Regulatory Authority (PNRA) and is offering internal data for sale. The alleged stolen data includes employee records, technical documents, and information related to nuclear facilities. The claim was reported by Cyberban News.
Date: 2026-04-18T07:01:34Z
Network: telegram
Published URL: https://t.me/c/1283513914/21256
Screenshots:
None
Threat Actors: Unknown
Victim Country: Pakistan
Victim Industry: Government / Nuclear Regulatory
Victim Organization: Pakistan Nuclear Regulatory Authority (PNRA)
Victim Site: Unknown
- Alleged massive aggregation of stolen identity data in centralized DBIntelligence project with 11 billion records
Category: Data Leak
Content: Reports indicate the formation of a project called DBIntelligence that has aggregated leaked user data from around the world into a single centralized database. The system combines identity information with facial images, enabling rapid identification of individuals and linking them to online accounts. Over 11 billion records are stored in this collection — exceeding the world's population — as multiple data types are stored per individual.
Date: 2026-04-18T06:51:21Z
Network: telegram
Published URL: https://t.me/c/1283513914/21252
Screenshots:
None
Threat Actors: DBIntelligence
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged massive data aggregation platform DBIntelligence consolidating 11 billion leaked identity records globally
Category: Data Leak
Content: Reports indicate the formation of a project called DBIntelligence that aggregates leaked user data from around the world into a centralized database. The system combines identity information with facial images, enabling rapid identification of individuals and linking them to online accounts. Over 11 billion records have been compiled — exceeding the world's population — as multiple data types are stored per individual. Security experts warn this level of data aggregation poses a serious threat to user privacy and security.
Date: 2026-04-18T06:50:28Z
Network: telegram
Published URL: https://t.me/c/1283513914/21249
Screenshots:
None
Threat Actors: DBIntelligence
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: DBIntelligence
Victim Site: Unknown
- Alleged Data Leak of Lagos State University Databases
Category: Data Leak
Content: A threat actor known as ki4t claims to have leaked databases belonging to Lagos State University (LASU). The databases were reportedly hacked and made available on the Breached forum. No further details regarding the volume of records or specific data types were provided in the post.
Date: 2026-04-18T06:44:11Z
Network: openweb
Published URL: https://breached.st/threads/hacked-lasu-dbs.86059/unread
Screenshots:
None
Threat Actors: ki4t
Victim Country: Nigeria
Victim Industry: Education
Victim Organization: Lagos State University
Victim Site: Unknown
- Alleged Data Breach of Conviasa Airlines with 165GB of Exfiltrated Operational and Passenger Data
Category: Data Breach
Content: A threat actor operating under the alias GordonFreeman claims to have conducted a joint operation compromising Conviasa Airlines MAPAS-2 network and KIU terminal systems, exfiltrating approximately 165GB of sensitive data including passenger name records (PNR), SQL databases, flight plans, manifests, and internal reports. The actors claim to have established firmware-level persistence on edge devices including ZyXEL and MikroTik equipment, compromised SAN controllers and the Switch Core, and
Date: 2026-04-18T06:41:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-CONVIASA-AIRLINES-VENEZUELA-2026-165GB-Exfiltrated-Data
Screenshots:
None
Threat Actors: GordonFreeman
Victim Country: Venezuela
Victim Industry: Aviation / Airlines
Victim Organization: Conviasa Airlines
Victim Site: conviasa.aero
- Alleged leak of German shopping credential combolist
Category: Combo List
Content: A threat actor known as HQcomboSpace has shared a combolist containing approximately 266,029 credential entries allegedly targeting German shopping platforms. The combolist was made available for free download via a Mega.nz link. The post describes the content as high-quality (HQ) credentials focused on the German retail sector.
Date: 2026-04-18T06:27:19Z
Network: openweb
Published URL: https://crackingx.com/threads/72457/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed stealer logs by threat actor fatetraffic
Category: Logs
Content: A threat actor operating under the alias fatetraffic has made available a collection of 1,257 mixed stealer logs dated April 18, 2026, shared via a Pixeldrain file hosting link. The logs likely contain credentials and browser-harvested data captured by infostealer malware. No specific victim organization or country has been identified, suggesting a broad, indiscriminate collection.
Date: 2026-04-18T06:05:49Z
Network: openweb
Published URL: https://darkforums.su/Thread-%F0%9F%93%97-FATETRAFFIC-1257-MIX-18-04-2026-STEALER-LOGS
Screenshots:
None
Threat Actors: fatetraffic
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Cyber Attacks on US Oil, Gas, and Water Infrastructure
Category: Cyber Attack
Content: CNN reported that in recent weeks, facilities related to oil, gas, and water in the United States have been targeted by cyberattacks. According to sources cited by the outlet, the attacks exceeded conventional military tools in scope. Industrial systems were disrupted, operational processes were halted or restricted in some cases, and some facilities were forced to revert to manual controls outside digital systems. The post is tagged with Iran and the United States, suggesting suspected Iranian involvement.
Date: 2026-04-18T05:59:14Z
Network: telegram
Published URL: https://t.me/c/1283513914/21245
Screenshots:
None
Threat Actors: Iran
Victim Country: United States
Victim Industry: Energy & Utilities
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of phone number and password credential list
Category: Combo List
Content: A threat actor operating under the alias gsmfix on the cracking forum CrackingX has shared what is claimed to be a high-quality private combolist containing phone number and password credential pairs. The post is labeled as HQ PRIVATE, suggesting the credentials may be of higher quality or exclusivity. No specific victim organization, country, or record count has been identified from the available information.
Date: 2026-04-18T05:50:17Z
Network: openweb
Published URL: https://crackingx.com/threads/72454/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of Gmail credential combolist by threat actor D4rkNetHub
Category: Combo List
Content: Threat actor D4rkNetHub is allegedly selling a combolist containing over 100,000 Gmail credentials on the cracking forum CrackingX. The post is listed under the Combolists & Dumps section with a price indicator of $5. Full content requires forum registration, limiting verification of the claim.
Date: 2026-04-18T05:16:02Z
Network: openweb
Published URL: https://crackingx.com/threads/72450/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
- Alleged leak of mixed USA and Europe combolist credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared what they claim to be an exclusive combolist containing credential hits from mixed sources across the United States and Europe. The post advertises the content as high-quality verified hits. No specific victim organization, record count, or pricing details are mentioned in the available post content.
Date: 2026-04-18T05:15:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72452/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Europe and USA combolists
Category: Combo List
Content: A threat actor on CrackingX forum has made available combolists claimed to be of high validity, targeting users from Europe and the United States. The post advertises the credential lists as 100% full valid and high quality. No specific organizations, record counts, or pricing details were provided in the post.
Date: 2026-04-18T05:15:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72453/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged cyber attack on NASA by Xyph0rix
Category: Cyber Attack
Content: Threat actor Xyph0rix claims to have conducted an attack against NASA, shared via Rakyat Digital Crew channel. A photo was included as alleged proof. Details are limited but the target is identified as NASA.
Date: 2026-04-18T04:45:36Z
Network: telegram
Published URL: https://t.me/Xyph0rix_CaypbaraXploit/140
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: United States
Victim Industry: Government / Space Agency
Victim Organization: NASA
Victim Site: nasa.gov
- Website Defacement of Elevate Advisors by Threat Actor maw3six
Category: Defacement
Content: On April 18, 2026, threat actor maw3six defaced a page on theelevateadvisors.com, a financial advisory firm. The attack targeted a specific subpage (maw.html) rather than the homepage, indicating a targeted page-level defacement. The attacker operated without a known affiliated team, and the server was hosted on a cloud infrastructure.
Date: 2026-04-18T04:26:55Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248592
Screenshots:
None
Threat Actors: maw3six
Victim Country: United States
Victim Industry: Financial Services / Advisory
Victim Organization: Elevate Advisors
Victim Site: theelevateadvisors.com
- Website Defacement of AUX Malaysia Dealers Conference 2026 by maw3six
Category: Defacement
Content: On April 18, 2026, the threat actor known as maw3six defaced a page hosted on the AUX Malaysia Dealers Conference 2026 website, targeting a specific HTML file (maw.html) rather than the homepage. The defacement was carried out on a cloud-hosted platform and was neither a mass nor a redefacement incident. No specific motivation or proof of concept was publicly disclosed.
Date: 2026-04-18T04:25:14Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248593
Screenshots:
None
Threat Actors: maw3six
Victim Country: Malaysia
Victim Industry: Events / Corporate Conference
Victim Organization: AUX Malaysia Dealers Conference 2026
Victim Site: auxmalaysiadealersconference2026.twiport.com
- Website Defacement of jega.vn by Threat Actor maw3six
Category: Defacement
Content: On April 18, 2026, threat actor maw3six defaced a page on the Vietnamese website jega.vn, targeting a specific URL rather than the homepage. The attack was conducted against a cloud-hosted environment and is recorded as a singular, non-mass defacement event. The incident was archived and mirrored via haxor.id.
Date: 2026-04-18T04:19:23Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248591
Screenshots:
None
Threat Actors: maw3six
Victim Country: Vietnam
Victim Industry: Unknown
Victim Organization: Jega
Victim Site: jega.vn
- Website Defacement of Ticketsupp by Threat Actor maw3six
Category: Defacement
Content: On April 18, 2026, a threat actor identified as maw3six defaced a page on ticketsupp.cc, a domain associated with ticketing support services. The defacement targeted a specific subpage (maw.html) rather than the site's homepage, indicating a targeted page-level intrusion. The attacker operated without an affiliated group and the incident was recorded as a single, non-mass defacement hosted on a cloud-based infrastructure.
Date: 2026-04-18T04:08:07Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248590
Screenshots:
None
Threat Actors: maw3six
Victim Country: Unknown
Victim Industry: Ticketing / Event Services
Victim Organization: Ticketsupp
Victim Site: ticketsupp.cc
- Alleged leak of German mixed-target combolist with over 1 million credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing over 1.17 million credential pairs targeting German users across mixed targets. The combolist was shared via a Mega.nz file link on the cracking forum CrackingX. No specific organizations or industries are identified, suggesting the credentials were aggregated from multiple sources.
Date: 2026-04-18T04:05:10Z
Network: openweb
Published URL: https://crackingx.com/threads/72449/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of hg86c.com by SAM PABLO of AKATSUKI REBORN
Category: Defacement
Content: On April 18, 2026, threat actor SAM PABLO, affiliated with the group AKATSUKI REBORN, defaced the homepage of www.hg86c.com. The attack was a targeted single-site defacement, replacing the home page content. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-18T03:45:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845979
Screenshots:
None
Threat Actors: SAM PABLO, AKATSUKI REBORN
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: www.hg86c.com
- Alleged sale of Brazilian CPF national identity database containing 251 million records
Category: Data Breach
Content: A threat actor known as Buddha is selling a database allegedly containing 251,720,444 Brazilian CPF (Cadastro de Pessoas Físicas) records, exceeding Brazil's living population as it includes deceased individuals. The 25.1 GB database in .db format contains personally identifiable information including CPF numbers, full names, gender, date of birth, parents' names, death flags, race, and birthplace data. The seller is offering the full dataset for 500 USD in Bitcoin via Signal contact, with a f
Date: 2026-04-18T03:44:34Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-251-MILLION-CPFs-FROM-BRAZIL-%E2%80%94-MORGUE
Screenshots:
None
Threat Actors: Buddha
Victim Country: Brazil
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of Kraken Cryptocurrency Exchange Affecting US Users
Category: Data Breach
Content: A threat actor operating under the alias Luckiest is allegedly selling a dataset purportedly obtained from Kraken, a US-based cryptocurrency exchange, containing approximately 5.3 million records. The post includes a sample link and contact details via Telegram, Discord, and Session messenger. The nature and authenticity of the data remain unverified.
Date: 2026-04-18T03:43:29Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Kraken-crypto-data-USA-2026
Screenshots:
None
Threat Actors: Luckiest
Victim Country: United States
Victim Industry: Financial Services / Cryptocurrency
Victim Organization: Kraken
Victim Site: kraken.com
- Alleged Data Breach of Argentine Air Force Personnel Database
Category: Data Breach
Content: A threat actor operating under the alias overdose4u is selling a database allegedly containing records of 72 Argentine Air Force (FAA) personnel, including active and retired members. The data purportedly includes full names, phone numbers, military ranks, updated medical information, and group status, and was claimed to have been obtained via physical access to FAA facilities rather than a remote intrusion. The complete database is being offered for $200 USD in cryptocurrency, with the actor
Date: 2026-04-18T03:42:45Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-EXCLUSIVE-SALE-COMPLETE-DATABASE-OF-ARGENTINE-AIR-FORCE-INTERNAL-ACCESS
Screenshots:
None
Threat Actors: overdose4u
Victim Country: Argentina
Victim Industry: Government & Defense
Victim Organization: Argentine Air Force (Fuerza Aérea Argentina)
Victim Site: Unknown
- Alleged Sale of Unauthenticated Remote Code Execution (0day) Affecting Calix GPON Devices
Category: Initial Access
Content: A threat actor operating under the alias berz0k is selling an alleged pre-authenticated remote code execution (RCE) zero-day vulnerability targeting Calix GPON devices. The exploit is claimed to achieve root-level access without authentication, with no device crash, and is listed at an exclusive price of $40,000. Approximately 10,000 exposed targets are reportedly identifiable via Shodan, with the seller accepting escrow or middleman arrangements for the transaction.
Date: 2026-04-18T03:42:02Z
Network: openweb
Published URL: https://darkforums.su/Thread-0day-Calix-GPON-Preauth-RCE
Screenshots:
None
Threat Actors: berz0k
Victim Country: Unknown
Victim Industry: Telecommunications
Victim Organization: Calix
Victim Site: calix.com
- Alleged data leak of CECyTE San Luis Potosi database including administrator credentials
Category: Data Leak
Content: A threat actor known as Lvn4t1k0 has leaked the full database of CECyTE San Luis Potosi, a Mexican educational institution, via a file-sharing link on Gofile. The leaked data reportedly includes administrator credentials. The database was made available for free download on a dark web forum.
Date: 2026-04-18T03:40:13Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Mexico-Database-CECyTE-San-Luis-Potosi
Screenshots:
None
Threat Actors: Lvn4t1k0
Victim Country: Mexico
Victim Industry: Education
Victim Organization: CECyTE San Luis Potosi
Victim Site: Unknown
- Alleged data leak of student photos from Sergio Bernales Garcia Institute
Category: Data Leak
Content: A threat actor using the handle 0xsurf has made available a collection of student photos from Sergio Bernales Garcia Institute via a ZIP file download shared on DarkForums. The post includes a sample and a download link, suggesting the data has been freely distributed. No price or payment was mentioned, indicating this is a free leak rather than a sale.
Date: 2026-04-18T03:39:30Z
Network: openweb
Published URL: https://darkforums.su/Thread-SERGIO-BERNALES-GARCIA-STUDENT-PHOTOS
Screenshots:
None
Threat Actors: 0xsurf
Victim Country: Peru
Victim Industry: Education
Victim Organization: Sergio Bernales Garcia Institute
Victim Site: Unknown
- Website Defacement of Nettunome.it by DimasHxR
Category: Defacement
Content: On April 18, 2026, the Italian website nettunome.it was defaced by a threat actor operating under the alias DimasHxR. The attacker targeted a subdirectory of the site, specifically within the pub/media path, suggesting a possible content management system or e-commerce platform vulnerability was exploited. The incident was a targeted single-site defacement with no team affiliation reported.
Date: 2026-04-18T03:33:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845950
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Nettunome
Victim Site: www.nettunome.it
- Website Defacement of Bioline by DimasHxR
Category: Defacement
Content: The website bioline.com was defaced by the threat actor DimasHxR on April 18, 2026. The attacker targeted a media/customer directory path, suggesting exploitation of a publicly accessible file upload or media management vulnerability. The incident was a targeted single-site defacement with no team affiliation reported.
Date: 2026-04-18T03:32:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845870
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Life Sciences / Biotechnology
Victim Organization: Bioline
Victim Site: bioline.com
- Website Defacement of IGE.ie by DimasHxR
Category: Defacement
Content: On April 18, 2026, a threat actor identified as DimasHxR defaced a web resource hosted on ige.ie, targeting a media/customer address path. The attack was a singular, non-mass defacement with no stated motive or team affiliation. Technical details including server software and IP address were not disclosed.
Date: 2026-04-18T03:31:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845892
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Ireland
Victim Industry: Unknown
Victim Organization: IGE
Victim Site: ige.ie
- Website Defacement of Falcon Kuwait by DimasHxR
Category: Defacement
Content: On April 18, 2026, the attacker known as DimasHxR defaced a subpath of falcon.com.kw, a Kuwaiti website. The defacement targeted a specific media directory rather than the homepage and was carried out as a single targeted incident. No group affiliation, stated motive, or technical server details were disclosed in connection with this attack.
Date: 2026-04-18T03:30:17Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845888
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Kuwait
Victim Industry: Unknown
Victim Organization: Falcon Kuwait
Victim Site: falcon.com.kw
- Website Defacement of EgyGamer by DimasHxR
Category: Defacement
Content: On April 18, 2026, threat actor DimasHxR defaced a page on egygamer.com, an Egyptian gaming website. The attack targeted a media/custom directory path and was executed as a solo, non-mass defacement. No specific motive or technical details were disclosed by the attacker.
Date: 2026-04-18T03:29:25Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845885
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Egypt
Victim Industry: Gaming / Entertainment
Victim Organization: EgyGamer
Victim Site: egygamer.com
- Website Defacement of Haude.at by DimasHxR
Category: Defacement
Content: On April 18, 2026, a threat actor identified as DimasHxR defaced a web page hosted on www.haude.at, an Austrian website. The attack targeted a subdirectory within the site's media folder and was conducted as a single, targeted defacement rather than a mass or home page defacement. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-18T03:28:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845947
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Austria
Victim Industry: Unknown
Victim Organization: Haude
Victim Site: www.haude.at
- Website Defacement of The Flag Company India by DimasHxR
Category: Defacement
Content: On April 18, 2026, a threat actor identified as DimasHxR defaced a subdirectory of theflagcompany.in, an Indian flag and promotional merchandise company. The attack targeted a media directory within the site's public content path, suggesting possible exploitation of a content management system vulnerability. The incident was recorded as a single, non-mass defacement with no affiliated team or stated motive.
Date: 2026-04-18T03:26:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845934
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: India
Victim Industry: Retail / Manufacturing
Victim Organization: The Flag Company
Victim Site: theflagcompany.in
- Website Defacement of Rootways by DimasHxR
Category: Defacement
Content: On April 18, 2026, a threat actor identified as DimasHxR defaced a web page on rootways.com, targeting a directory within the site's public media path typically associated with Magento or similar e-commerce platforms. The defacement was a targeted, non-mass incident with no attributed team affiliation. No specific motive or server details were disclosed.
Date: 2026-04-18T03:25:48Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/845925
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-commerce / Technology
Victim Organization: Rootways
Victim Site: rootways.com
- Alleged leak of multi-platform credential combolist (Part 29) by X Forums
Category: Data Leak
Content: A threat actor operating under X FORUMS has freely distributed a credential combolist containing over 1.3 million URL:username:password combinations as part 29 of an ongoing series. The 78.95 MB file includes credentials targeting multiple platforms and industries, including banking, government tax portals, social media, ride-sharing services, and Microsoft Online authentication. The combolist appears to aggregate credentials from various sources and is available for free download via the foru
Date: 2026-04-18T03:24:16Z
Network: openweb
Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-29-by-x-forums.608613/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Multiple Organizations
Victim Site: Unknown
- Website Defacement of Zhicuhui by Threat Actor maw3six
Category: Defacement
Content: On April 18, 2026, threat actor maw3six defaced a page on www.zhicuhui.com, a Chinese website. The attack targeted a specific subpage rather than the homepage and was carried out on a Linux-based server. The incident was not part of a mass defacement campaign and appears to be an isolated intrusion.
Date: 2026-04-18T03:19:33Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248588
Screenshots:
None
Threat Actors: maw3six
Victim Country: China
Victim Industry: Unknown
Victim Organization: Zhicuhui
Victim Site: www.zhicuhui.com
- Website Defacement of British Estate Mosque by maw3six
Category: Defacement
Content: On April 18, 2026, a threat actor operating under the handle maw3six defaced a page on the British Estate Mosque website, targeting the URL britishestatemosque.org/maw.html. The defacement was a single-page, non-mass incident hosted on a cloud-based infrastructure. No specific motive or team affiliation was reported in connection with this attack.
Date: 2026-04-18T03:17:40Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248589
Screenshots:
None
Threat Actors: maw3six
Victim Country: United Kingdom
Victim Industry: Religious Organization
Victim Organization: British Estate Mosque
Victim Site: britishestatemosque.org
- Website Defacement of Millennials CRM by maw3six
Category: Defacement
Content: On April 18, 2026, a threat actor operating under the handle maw3six defaced a page on the development subdomain of Millennials CRM, an Indian CRM software platform. The attacker targeted a specific page (maw.html) on a Linux-based server, indicating a focused intrusion rather than a mass or home page defacement. The incident was archived and mirrored via haxor.id, suggesting intent to publicize the compromise.
Date: 2026-04-18T03:11:55Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248587
Screenshots:
None
Threat Actors: maw3six
Victim Country: India
Victim Industry: Technology / Software (CRM)
Victim Organization: Millennials CRM
Victim Site: dev.millennialscrm.in
- Alleged Sale of Compromised Credit Cards and Financial Transfer Services
Category: Data Breach
Content: A threat actor operating under the alias gadek is selling allegedly live and linkable credit cards claimed to be available for multiple countries, along with fraudulent financial transfer services via CashApp, PayPal, Skrill, Zelle, and Western Union. The actor also advertises cloned physical cards and solicits victims' payment account details. All transactions and contact are directed through a Telegram channel at t.me/jammysim.
Date: 2026-04-18T03:07:49Z
Network: openweb
Published URL: https://demonforums.net/Thread-I-HAVE-SOME-LINKABLE-AND-LIVE-CC-FOR-ONLY–200810
Screenshots:
None
Threat Actors: gadek
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Cloned ATM Cards with Cashout Services
Category: Combo List
Content: A threat actor operating under the Telegram handle @ColdApollo is advertising cloned ATM cards with cashout values ranging from $2,000 to $6,000. The actor claims the cards are functional for ATM withdrawals and is soliciting buyers via Telegram. This activity is consistent with card skimming or payment card fraud operations involving compromised financial account data.
Date: 2026-04-18T03:06:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72447/
Screenshots:
None
Threat Actors: hallcityhub4
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed valid email access credentials (14,800 records)
Category: Combo List
Content: A threat actor operating under the alias redcloud has made available a combolist of approximately 14,800 allegedly valid email credentials via a Mediafire download link. The post, dated April 18, 2026, describes the content as UHQ (ultra-high quality) and private, suggesting the credentials have been verified for validity. The actor also provides a Telegram contact handle (@tutuba5m) for further communication.
Date: 2026-04-18T02:20:34Z
Network: openweb
Published URL: https://crackingx.com/threads/72439/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of large-scale URL-login-password credential combolist (900GB)
Category: Combo List
Content: A threat actor on CrackingX is making available a claimed 900GB collection of URL-login-password (ULP) credential combolists in TXT format. The offering includes access to an online search tool to query the data without downloading the full archive, auto-updates, historical records, and the ability to filter results by country. No specific victim organization or price is mentioned, suggesting the data is being freely shared or distributed.
Date: 2026-04-18T02:20:17Z
Network: openweb
Published URL: https://crackingx.com/threads/72440/
Screenshots:
None
Threat Actors: Mustukaral
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of German shopping credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist of approximately 1.1 million credential pairs via a Mega.nz link on the cracking forum CrackingX. The combolist is described as high-quality (HQ) and specifically targeted at German shopping platforms. No specific victim organization or website has been identified.
Date: 2026-04-18T02:20:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72441/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 88,000 United States credential combos on cracking forum
Category: Combo List
Content: A threat actor known as Immanuel_Kant has shared a combolist containing approximately 88,000 credential lines targeting United States-based accounts on the cracking forum CrackingX. The post describes the content as high quality and suitable for multiple targets. The download is available to registered forum members at no stated cost.
Date: 2026-04-18T02:19:44Z
Network: openweb
Published URL: https://crackingx.com/threads/72442/
Screenshots:
None
Threat Actors: Immanuel_Kant
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias noir has made available a combolist of allegedly valid Hotmail credentials on the cracking forum CX. The post claims the credentials are UHQ (ultra-high quality) and valid, with access to full content requiring forum registration. The actor promotes a Telegram channel (@NoirAccesss) for further contact.
Date: 2026-04-18T02:19:27Z
Network: openweb
Published URL: https://crackingx.com/threads/72443/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged leak of Polish credential combolist
Category: Combo List
Content: A threat actor operating under the alias Immanuel_Kant has shared a combolist allegedly containing approximately 134,000 Polish credentials on the cracking forum CrackingX. The content is made available as a free download for registered forum users. The actor appears to be fulfilling community requests for country-specific credential lists.
Date: 2026-04-18T02:19:10Z
Network: openweb
Published URL: https://crackingx.com/threads/72444/
Screenshots:
None
Threat Actors: Immanuel_Kant
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 8 million mixed corporate domain credentials
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist containing approximately 8 million credential pairs targeting mixed corporate domains. The list is being made available for free via Telegram channels and groups operated by the actor. No specific victim organization or country has been identified, suggesting the combolist aggregates credentials from multiple sources.
Date: 2026-04-18T02:18:53Z
Network: openweb
Published URL: https://crackingx.com/threads/72445/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of New York Driver's License data
Category: Data Leak
Content: A threat actor operating under the alias znper55 on the SP forum has allegedly made available New York driver's license data, claimed to be valid and current. The post was shared freely on the forum under the Other Leaks category. No further details regarding record count or source organization are available from the post content.
Date: 2026-04-18T01:59:29Z
Network: openweb
Published URL: https://spear.cx/Thread-Free-New-york-DL-vaild-and-Fresh
Screenshots:
None
Threat Actors: znper55
Victim Country: United States
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of former Chief of Staff personal photos and videos
Category: Data Leak
Content: A forum post on SP – Other Leaks by moderator Tanaka claims to share personal photos and videos belonging to a former Chief of Staff. The specific individual, country, and organization have not been identified due to lack of post content. The nature and volume of the leaked material remain unknown.
Date: 2026-04-18T01:50:52Z
Network: openweb
Published URL: https://spear.cx/Thread-former-Chief-of-Staff-Personal-photos-and-videos
Screenshots:
None
Threat Actors: [Mod] Tanaka
Victim Country: Unknown
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of multi-platform credential combolist with 1.27 million lines
Category: Data Leak
Content: A threat actor operating under X FORUMS has made available a credential combolist containing approximately 1.27 million URL:login:password combinations, totaling 75.63 MB. The combolist contains credentials for multiple platforms including Walmart, Mail.ru, Polsat Box, and SEAGM, spanning various countries and industries. The file is being distributed as a free download via the XForums threat actor community.
Date: 2026-04-18T01:16:38Z
Network: openweb
Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-1-by-x-forums.608593/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 1 million credential combos across multiple platforms
Category: Data Leak
Content: A threat actor operating under X FORUMS has made available a combolist titled 1M Lines URL LOGIN PASS PART 3 containing over 1 million URL:username:password credential pairs. The 63.81 MB text file includes credentials associated with multiple organizations and services across various countries, including government portals, food delivery platforms, and web hosting services. The combolist is freely distributed via the XForums forum with a Telegram backup channel.
Date: 2026-04-18T01:11:13Z
Network: openweb
Published URL: https://xforums.st/threads/1m-lines-url-login-pass-part-3-by-x-forums.608615/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 4 million URL:Login:Password credential combos
Category: Data Leak
Content: A threat actor operating under X FORUMS has made available a combolist containing over 4.1 million URL:login:password credential pairs as a free download. The 288 MB file includes credentials targeting multiple services across various domains, including Apple, Gmail, and iCloud accounts. Sample entries suggest the data may originate from infostealer malware logs, with multiple credentials sharing the same password, indicating possible credential harvesting activity.
Date: 2026-04-18T01:08:18Z
Network: openweb
Published URL: https://xforums.st/threads/4m-lines-url-login-pass-part-1-by-x-forums.608665/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 562K URL:Login:Password credential combolist across multiple platforms
Category: Data Leak
Content: A threat actor on XF Forums has made available a combolist containing 562,523 lines of URL:login:password credential combinations totaling 42.59 MB. Sample entries include credentials targeting Facebook, Google, and various other sites. The file was freely shared for download by registered forum members.
Date: 2026-04-18T00:59:40Z
Network: openweb
Published URL: https://xforums.st/threads/562k-lines-url-login-pass-by-x-forums.608666/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 4.3 million URL:Login:Password credential combos across multiple platforms
Category: Data Leak
Content: A threat actor on XForums has made available a combolist containing approximately 4.3 million URL:email:password credential combinations in a 308 MB text file. Sample entries include credentials associated with Brazilian platforms such as JusBrasil and KaBuM, as well as LinkedIn accounts. The combolist appears to aggregate credentials from multiple websites and is being distributed freely to registered forum members.
Date: 2026-04-18T00:49:04Z
Network: openweb
Published URL: https://xforums.st/threads/4m-lines-url-login-pass-by-x-forums.608667/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Multiple
Victim Site: Unknown
- Alleged leak of multi-platform credential combolist with 568K lines
Category: Data Leak
Content: A threat actor operating under X FORUMS has freely distributed a credential combolist containing 568,754 lines in URL:login:password format across multiple platforms. Sample entries include credentials for Shopee Vietnam, Giao Hang Tiet Kiem, Facebook, and Zoom, suggesting a broad geographic and industry scope. The 42.24 MB text file appears to aggregate previously compromised credentials from various services, primarily targeting Vietnamese-language platforms among others.
Date: 2026-04-18T00:45:16Z
Network: openweb
Published URL: https://xforums.st/threads/568k-lines-url-login-pass-by-x-forums.608668/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Multiple
Victim Site: Multiple
- Alleged leak of multi-site credential combolist with 620K lines
Category: Data Leak
Content: A threat actor on XForums has made available a combolist containing approximately 620,179 URL:email:password credential combinations across multiple websites and services. The 46.56 MB file includes credentials for various platforms spanning multiple countries and industries, including financial services, gaming, and consumer sites. The combolist appears to aggregate stolen credentials from multiple sources and is being distributed freely via the forum.
Date: 2026-04-18T00:39:05Z
Network: openweb
Published URL: https://xforums.st/threads/620k-lines-url-login-pass-by-x-forums.608669/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of multi-site credential combolist with 651K lines
Category: Data Leak
Content: A threat actor operating as X Forums Bot has freely distributed a credential combolist containing 651,728 lines of URL:login:password combinations via the XF forum. Sample entries include credentials associated with Brazilian government and utility portals (caixa.gov.br, eneldistribuicao.com.br), a local network device, and Facebook accounts. The combolist, sized at 51.55 MB, appears to aggregate credentials from multiple sources across various organizations and countries.
Date: 2026-04-18T00:36:15Z
Network: openweb
Published URL: https://xforums.st/threads/651k-lines-url-login-pass-by-x-forums.608670/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of multi-platform credential combolist with 624K entries
Category: Data Leak
Content: A threat actor operating under X FORUMS has freely distributed a combolist containing 624,584 URL:login:password credential combinations via the XF forum. The file (46.40 MB) includes credentials targeting multiple major platforms including Google, Instagram, and Facebook, in both standard and Android app URI formats. The combolist is available for free download to registered forum members, with a Telegram backup channel referenced.
Date: 2026-04-18T00:27:03Z
Network: openweb
Published URL: https://xforums.st/threads/624k-lines-url-login-pass-by-x-forums.608671/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Multiple (Google, Instagram, Facebook)
Victim Site: accounts.google.com, instagram.com, facebook.com
- Alleged leak of 668K credential combolist across multiple platforms
Category: Data Leak
Content: A threat actor affiliated with X Forums has freely distributed a combolist containing 668,623 URL:username:password credential pairs targeting multiple platforms including Google, Netflix, and various e-commerce and consumer sites. The 38.76 MB text file appears to aggregate credentials from multiple sources spanning several countries, including the United Kingdom and Italy. The combolist was made available for free download via the X Forums platform with a Telegram backup channel.
Date: 2026-04-18T00:25:05Z
Network: openweb
Published URL: https://xforums.st/threads/668k-lines-url-login-pass-by-x-forums.608672/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Multiple
Victim Site: Multiple
- Alleged leak of multi-platform credential combolist with 766K entries
Category: Data Leak
Content: A threat actor operating under X Forums has made available a combolist containing approximately 766,392 URL:login:password credential combinations. The file, sized at 59.12 MB, includes credentials for multiple platforms such as Lazada, eBay, Microsoft Live, and various other services. The combolist is being freely distributed via the XForums marketplace with a Telegram backup channel.
Date: 2026-04-18T00:15:54Z
Network: openweb
Published URL: https://xforums.st/threads/766k-lines-url-login-pass-by-x-forums.608673/
Screenshots:
None
Threat Actors: X Forum Bot
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias RedCloud has made available a combolist of approximately 5,500 allegedly valid Hotmail email credentials, dated April 18, 2026. The content is described as private and ultra-high quality (UHQ), suggesting the credentials have been verified as active. The list is accessible via a hidden download link requiring forum registration, with the actor also promoting a Telegram contact for further engagement.
Date: 2026-04-18T00:15:19Z
Network: openweb
Published URL: https://demonforums.net/Thread-5-5K-%E2%9A%A1Hotmail%E2%9A%A1Valid-Mail-Access-18-04
Screenshots:
None
Threat Actors: RedCloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged leak of 68,000 mixed-domain credential combolist
Category: Combo List
Content: A threat actor operating under the alias Cir4d has made available a combolist containing approximately 68,000 credential pairs described as high-quality and spanning mixed domains. The list was shared freely via an external paste site on a cracking forum. No specific victim organization or country has been identified, suggesting the credentials originate from multiple sources.
Date: 2026-04-18T00:14:52Z
Network: openweb
Published URL: https://crackingx.com/threads/72437/
Screenshots:
None
Threat Actors: Cir4d
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias redcloud has made available a combolist of approximately 5,500 allegedly valid Hotmail credentials, described as UHQ (ultra-high quality) and private. The credential list was shared via a Mediafire download link and the actor provided a Telegram contact for further communication. No price was mentioned, suggesting this is a free leak.
Date: 2026-04-18T00:14:36Z
Network: openweb
Published URL: https://crackingx.com/threads/72438/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com