[April-23-2026] Daily Cybersecurity Threat Report

Executive Summar

This report synthesizes a massive influx of cybersecurity incidents recorded primarily between April 22 and April 23, 2026. The threat landscape detailed in the data reveals a highly commoditized cybercrime ecosystem heavily reliant on platforms like Telegram and dark web forums (e.g., CrackingX, DemonForums, Altenens, Breached, DarkForums, PwnForums).

Key trends observed include:

Massive Credential Harvesting: The distribution of billions of credential pairs (combolists) targeting major e-commerce, streaming, gaming, and email platforms.
Government & Critical Infrastructure Targeting: Severe breaches affecting national databases (Indonesia, Iraq, Israel, Australia) and critical infrastructure (power plants, SCADA systems).
Proliferation of Initial Access & Zero-Days: The sale of VPN accesses, zero-day exploits, and even proprietary AI models.
Active Carding Ecosystems: The continuous, high-volume sharing of stolen payment cards (both high-balance and low-balance, VBV and non-VBV) across specialized forums.

1. High-Impact Data Breaches and Leaks

Threat actors have successfully exfiltrated and monetized massive datasets spanning corporate, government, and educational sectors globally.

1.1 Government and State-Level Breaches

State infrastructure remains a prime target for extortion and data brokering.

Indonesian Government (Multiple Databases): Threat actor “Bjorkanism” listed multiple massive databases for sale ($5K-$10K each), including KPU Indonesia (105M records), BPJS Ketenagakerjaan (19M), BPJS Kesehatan (273M), DUKCAPIL (217M), NPWP (6M), SIM Card Registration (1.3B), and PeduliLindungi (94M user accounts).
Iraqi Citizen Database: Actor “MasonicAR” offered a database containing personal data, exact locations, and IDs of 44.6 million Iraqi citizens (spanning 2011-2026) for $1,000.
Australian National Data: Actor “RubiconH4ck” claimed to sell a 14GB database containing PII (names, dates of birth, addresses) of 483,000 Australian individuals.
Israeli Citizen Data: Actor “HtCvZBos” leaked a 3.9 million record database of Israeli citizens, including phone numbers, emails, social media metadata, and employment details.
Belgian Social Security: “Databroker1” sold an alleged database from socialsecurity.be containing ~482,000 records detailing personal identifiers, salaries, employer contributions, and social benefits data.
United States NOAA: Actor “l33tfg” breached the National Oceanic and Atmospheric Administration (NOAA) emergency beacon registry. The leak exposed beacon identifiers, owner PII, emergency contacts, and aircraft/vessel registration details.
Paraguay DINAC (Civil Aviation): Actors “NyxarGroup”, “ArcRaidersPlayer”, and “Petro_Escobar” sold data from ifis.dinac.gov.py, exposing pilot PII, medical certificates, aircraft registrations, and rural airstrip information.
French National Business Register (INPI): A 150GB dataset containing 26 million rows of company information and 6.5 million financial reports was leaked by actor “[Mod] Tanaka”.

1.2 Corporate and Financial Breaches

Carnival Corporation & plc: Following a failed ransom negotiation, “ShinyHunters” leaked over 8.7 million records containing PII and terabytes of internal corporate data.
Crypto.com: “Chinahacker” sold an enriched database of 185,742 trader profiles (Forex/CFD) extracted between April 1–12, 2026. Data includes KYC levels, trading history, hashed passwords, and device fingerprints, priced between $180 and $4,200.
PDVSA (Venezuela): Actor “GordonFreeman” leaked ~10,000 employee records from the state-owned oil company, exposing tax IDs (RIF), emails, and passwords.
Banco Unión (Colombia): “Petro_Escobar” and “NyxarGroup” sold a database of over 1 million customer records (including debt obligations and payment statuses) linked to the EmergiaCC/Conalcreditos platform.

1.3 Educational Sector Breaches

Neoskool (India): Actor “ShadowByt3S” sold 4GB of data from the Ellucian PowerCampus platform, exposing student Aadhaar numbers, medical records, academic results, and AWS cloud access credentials.
Indian Union Academy: “MDGhost” claimed a 103GB data breach containing student records, payroll, and financial information.
Corporacion Universitaria Cenda (Colombia): A database of 12,955 records containing student and management profiles was offered by “Petro_Escobar”.

2. Initial Access Brokerage (IAB) and Vulnerabilities

Threat actors are actively trading initial access to highly sensitive environments and proprietary technologies.

2.1 Critical Infrastructure & Corporate Access

Jeongsan Country Club (SCADA): The “Z-Pentest Alliance” established full control over the SCADA/HMI platform of an elite South Korean golf club. The actor claimed control over water supply tanks, irrigation valves, and emergency systems, threatening to cause artificial droughts or flooding.
Russian Government Regulator: Actor “0m0nRa” sold full administrative access (IPMI, ESXi root, Webmin) to a major Russian construction and energy regulator.
FortiGate VPN Access: “GhostByte” sold super admin access to a Colombian company’s FortiGate VPN and Active Directory network for $700.
Anthropic Mythos AI: An unknown actor offered rental access to “Mythos,” an alleged Claude internal/experimental model, for $5,000-$25,000, alongside a 3,000-file internal document package priced at $250,000.

2.2 Exploits and Zero-Days

AnyLink PPX VPN Zero-Day: Actor “berz0k” listed a pre-authentication Remote Code Execution (RCE) zero-day exploit for AnyLink PPX VPNs for $70,000, claiming 26.2 million exposed targets.
Apple Secure Kernel (cL4): Security researchers “RedQueen” demonstrated via the GLx Research Platform that Apple’s Secure Kernel guarding Exclaves on iOS/macOS can be crashed by executing code in userland.
Xiaomi TEE Privilege Escalation: Researchers disclosed a full privilege escalation chain (CVE-2023-32835) targeting the Trusted Execution Environment (TEE) on Xiaomi Redmi Note 11s devices, achieving code execution to S-EL3 Secure Monitor.
ASP.NET Core Privilege Escalation: Microsoft patched a critical vulnerability in the ASP.NET Core data protection library (versions up to 10.0.6) that allowed attackers to escalate to SYSTEM level using forged cookies.

3. The Combolist and Credential Ecosystem

The dataset reveals an industrialized credential-stuffing economy. Threat actors aggregate and distribute massive “combolists” (Email:Password or URL:Login:Password pairs) to facilitate account takeovers.

3.1 Prominent Combolist Distributors

Threat Actor	Key Distributions & Targets	Scope/Volume
CODER	Multi-brand retail (Nike, Adidas, SHEIN). E-commerce (Amazon, Etsy, eBay, Temu, Walmart). Corporate leads. Cryptocurrency platforms. Yahoo Japan / Outlook Japan gaming.	Tens of millions of records (e.g., 11M E-commerce , 13M Gaming , 12M Corporate ). Uses Telegram extensively.
HQcomboSpace	Gmail, Yahoo. European Education sector. German gaming and casino sectors. Social media and shopping.	Millions of records (e.g., 1.74M Yahoo , 922K German/Europe ). Primarily uses Mega.nz links on CrackingX.
CobraEgy	Country-specific targeted lists: Italy , Japan , Latvia , Israel , Kenya , Lithuania , Ireland.	Hundreds of thousands of records (e.g., 988K Italy ). Distributed on DemonForums via the “Maxi_Leaks” Telegram channel.
el_capitan	Shopping and Social Media. Education (EDU) sector. Gmail targeted. India targeted.	Over 1.2 million combined records. Distributed on DemonForums.
thejackal101	Country-specific targets: Netherlands , Mexico , Montenegro , Malaysia , New Zealand , Micronesia , Nepal.	Hundreds of thousands of records (e.g., 372K Netherlands , 150K Mexico ). Distributed via DemonForums and Telegram (@elite_cloud1).
Ebbicloud	Curated packs: Italy “Platinum Pack” , “Mix Gold Edition” , Spain “Diamond Tier” , UK fresh emails , Corporate/Business , Bank/Crypto.	Tens of thousands of high-quality records. Distributed via Pasteview on the AE combo list forum.
mu	E-commerce (eBay, OfferUp, PSN, Booking, Uber, Alibaba, Walmart, Amazon) with inbox access across UK, DE, JP, NL, BR, PL, ES, US, IT.	Volume unspecified; claims to operate private cloud infrastructure and solicits requests via Telegram DMs.

3.2 Stealer Logs & ULP Formats

Threat actors frequently package credentials obtained directly from infostealer malware (often formatted as URL:Login:Password or ULP).

Massive ULP Dumps: Actor “Gektor009” dumped 11.88 million lines of ULP combinations. “StarLinkClub” shared multiple dumps containing 5.97 million and 6 million ULP lines.
Fresh Stealer Output: “UP_DAISYCLOUD” shared 11,040 password-protected stealer logs collected within a 48-hour window.

4. Carding and Financial Fraud Operations

The dark web carding economy is highly active, with specialized forums (like “AE / Altenens”) dedicated to the distribution, validation, and monetization of stolen payment data.

4.1 Payment Card Distribution

Massive Aggregation: Actor “mrdurden” listed a 9GB compiled dataset of 330 million stolen payment card records for $10,000, aggregating data from private channels, checkers, and leaks globally.
Targeted Drops: * US Targets: Actors “totoww”, “POSEIDONN”, and “Babuska” frequently dropped live US Visa and Mastercard details (Fullz), including cardholder names, addresses, and CVVs.
- International Targets: Cards were dropped targeting the UK (HSBC Business accounts) , UAE , Australia , Brazil , Spain , and Turkey.
Non-VBV Cards: Actor “Jazz” explicitly advertised Chase Visa cards as “non-VBV” (non-Verified by Visa), indicating they lack two-factor authentication and are prime targets for immediate fraudulent transactions.

4.2 Carding Infrastructure and Services

CVV Checkers: Actor “totoww” sold a CVV checker tool for $0.10 per check, specifically tailored for validating low-balance cards prior to fraud execution.
Carding-as-a-Service: Telegram actor “@StyleCarding” offered stolen dumps (Track 101/201), compromised PayPal/CashApp/Coinbase accounts, and physical good procurement from Apple and Amazon at 20-60% of retail value.
Phishing Infrastructure: Actor “cherif02” sold Binance Name Service (.bnb) domains (e.g., whales.bnb, rugpull.bnb) for $600 each, explicitly marketed for cryptocurrency phishing and rug-pull operations.
SMS Spoofing: “Youngjn123” offered Sender ID spoofing services targeting major financial institutions globally (Coinspot, Binance, PayPal) to bypass MFA and execute phishing.

5. Malware, DDoS-as-a-Service, and Defacement

5.1 Malware and Tools

KernelGhost820: A Chinese-language malware framework offered for $2,500. It features an EDR killer engine (disabling CrowdStrike, SentinelOne, Defender), AES-256 ransomware capabilities, lateral movement via WMI, and network scanning modules.
GoGra Malware: Attributed to the “Harvester” group, this Linux-targeting malware uses the Microsoft Graph API and Outlook for Command & Control (C2), reading commands from emails and deleting them to evade traditional network detection.
NPM Supply Chain Attack: Malware infected npm software packages (e.g., @automagik/genie, pgserve) to steal developer tokens and API keys, auto-propagating by republishing malicious packages via compromised accounts.
STORM Captcha Solver: Actor “Starip” distributed “STORM v2.6.0.2”, a modular captcha-solving and automation engine used for credential stuffing at scale.

5.2 DDoS-as-a-Service (Stressers)

Goofystresse.st: Heavily advertised DDoS platform claiming 1.5M-2M pps TCP and 6M-10M pps UDP flood capabilities. Features bypasses for CAPTCHA/UAM and game-specific targeting (Fortnite, COD, Roblox). Claims 1,500 customers and 3+ years in operation.
Deep Stresser: Advertised Layer 4/7 capabilities through promotional giveaways ($50 USDT prizes) on Telegram (deepstresser.su).

5.3 Website Defacements and Hacktivism

Defacement remains a common tactic for low-tier actors to gain notoriety.

Irene (XmrAnonye.id): Defaced Indonesian educational portal kelulusansd.yski.info , statistics site lingkarcijambe.terasstatistik.net , and executed a mass defacement against mdtv-news.com.
Zod: Defaced Israeli business meexgroup.ussl.co.il and logistics site faithlogistic.net.
Mr.PIMZZZXploit: Claimed mass defacements of over 25+ government and corporate websites across Romania, Pakistan, India, Bangladesh, and Malaysia.
DEWATA BLACKHAT: Exploited a reflected XSS vulnerability to deface envyhairsalons.com in India.

Conclusion

The cybersecurity events analyzed spanning April 22-23, 2026, paint a stark picture of a highly organized, segmented, and professionalized cybercrime economy.

The Telegram Nexus: A vast majority of threat actors (e.g., CODER, mu, Bjorkanism, Goofystress) are shifting away from relying solely on dark web forums, utilizing Telegram channels for direct sales, infrastructure hosting, and C2 operations.
Credential Commoditization: The sheer volume of combolists available for free or low cost—amounting to billions of records—indicates that basic credential stuffing attacks are practically zero-cost for threat actors. This severely undermines the efficacy of single-factor authentication globally.
Critical Infrastructure Peril: The ease with which actors are selling zero-day VPN exploits , accessing federal emergency registries , and taking over SCADA systems for physical infrastructure underscores a terrifying reality: critical national infrastructure is routinely traded on public cybercrime forums.

Detected Incidents Draft Data

Alleged leak of mixed-country Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 427,203 Gmail credential pairs via a Mega.nz file link. The combolist is described as mixed-country in origin and is labeled for 2026, suggesting recently compiled or aggregated credentials. The post was shared on the cracking forum CrackingX in the Combolists & Dumps section.
Date: 2026-04-22T23:58:39Z
Network: openweb
Published URL: https://crackingx.com/threads/72931/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Multiple Countries
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged leak of Gmail credential combolist on cracking forum
Category: Combo List
Content: A threat actor operating under the alias ValidMail has made available an alleged combolist of approximately 60,000 Gmail credentials on the cracking forum CrackingX. The post is gated behind registration, limiting full visibility into the content and its authenticity. The combolist appears to be sourced from forum-related credential harvesting activity.
Date: 2026-04-22T23:58:23Z
Network: openweb
Published URL: https://crackingx.com/threads/72934/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged leak of stealer-derived credential combolist (ULP format, 2 million lines)
Category: Logs
Content: A threat actor known as MrKordy has made available a ULP (URL:Login:Password) combolist containing approximately 2 million lines, purportedly harvested from stealer malware and dated April 23. The credentials are offered as a free download on a dark web forum, requiring registration or login to access. No specific victim organization or country has been identified, suggesting the data spans multiple targets.
Date: 2026-04-22T23:48:53Z
Network: openweb
Published URL: https://darkforums.su/Thread-%E2%AD%90ULP-2M-LINES-23-APRIL-FROM-STEALER
Screenshots:
None
Threat Actors: MrKordy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of cloned payment cards and linkable financial account credentials
Category: Combo List
Content: A threat actor operating under the alias Vapp09 is advertising cloned payment cards and addable credit cards linkable to major platforms including Google Pay, eBay, Cash App, PayPal, and Booking.com. The actor is also offering Apple ID logs, cash-out methods, and credit card fraud techniques. Contact is facilitated via Telegram (@vapp09) and a WhatsApp number.
Date: 2026-04-22T23:37:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72930/
Screenshots:
None
Threat Actors: Vapour
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Cloned Payment Cards and Linkable Financial Account Credentials
Category: Carding
Content: A threat actor operating under the alias Vapour (Telegram: vapp09) is advertising cloned payment cards and addable credit cards with linkable access to multiple financial platforms including Google Pay, eBay, Cash App, PayPal, and Booking.com. The actor also claims to offer Apple ID logs, credit card cashout methods, and direct contact via Telegram and WhatsApp. This activity is consistent with a carding operation offering fraudulent payment instruments for financial fraud.
Date: 2026-04-22T23:37:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72929/
Screenshots:
None
Threat Actors: Vapour
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged Free Distribution of IPTV M3U Playlist Links on Cracking Forum
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a list of 30 M3U links for free IPTV access, dated April 17, 2026. The post is associated with an external link (linktr.ee/iptvregion) suggesting an ongoing distribution operation. The shared M3U links likely provide unauthorized access to paid IPTV streaming services.
Date: 2026-04-22T22:59:11Z
Network: openweb
Published URL: https://crackingx.com/threads/72922/
Screenshots:
None
Threat Actors: ouaaka_06
Victim Country: Unknown
Victim Industry: Media & Entertainment
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of German credential combolist by D4rkNetHub
Category: Combo List
Content: A threat actor known as D4rkNetHub has shared a combolist purportedly containing 6,782 credential entries associated with German accounts on the cracking forum CrackingX. The post is categorized under combolists and dumps and references a cloud-hosted file via an image link. The content is gated behind forum registration or sign-in, suggesting it may be a restricted free release.
Date: 2026-04-22T22:58:55Z
Network: openweb
Published URL: https://crackingx.com/threads/72923/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of 150,000 fresh credential combolist targeting streaming and gaming platforms
Category: Combo List
Content: A threat actor operating under the alias Ra-Zi has made available a combolist containing approximately 150,000 email:password credential pairs allegedly associated with popular streaming and gaming platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The content is distributed via a hidden download link on the forum, with the actor also advertising a Telegram channel and associated website. Additionally, the actor is separately selling high-quality combolists segmented by e
Date: 2026-04-22T22:58:39Z
Network: openweb
Published URL: https://demonforums.net/Thread-150k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–201372
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Entertainment and Gaming
Victim Organization: Netflix, Minecraft, Uplay, Steam, Hulu, Spotify
Victim Site: Unknown
Alleged sale and leak of 150,000 mixed email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias alex12 is offering a mixed combolist of approximately 150,000 email:password and user:password credential pairs for sale via Telegram (@KOCsupport). The combolist includes credentials from multiple email providers such as AOL, Yahoo, Hotmail, and Outlook, spanning multiple countries including the United States, United Kingdom, France, Germany, Italy, Canada, and Australia. A free download link is also made available to registered forum users, suggesting
Date: 2026-04-22T22:58:34Z
Network: openweb
Published URL: https://crackingx.com/threads/72924/
Screenshots:
None
Threat Actors: alex12
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of compromised account databases across multiple countries and platforms
Category: Combo List
Content: Threat actor offering fresh database access for multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT) with inbox access. Targeting popular e-commerce and service platforms including eBay, OfferUp, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, and Kleinanzeigen. Claims to have private cloud infrastructure with valid webmail access. Soliciting direct messages for specific requests.
Date: 2026-04-22T22:54:55Z
Network: telegram
Published URL: https://t.me/c/2613583520/67804
Screenshots:
None
Threat Actors: mu
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: E-commerce, Travel, Gaming, Marketplace
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of MM Mega Market Vietnam Online Platform
Category: Data Breach
Content: A threat actor has shared a database dump allegedly originating from online.mmvietnam.com, the official e-commerce platform of MM Mega Market Vietnam. The dataset contains approximately 98,461 records with fields including login name, email address, full name, and phone number. The data appears to belong to Vietnamese retail customers and business accounts registered on the platform.
Date: 2026-04-22T22:16:45Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-online-mmvietnam-com
Screenshots:
None
Threat Actors: [Mod] Tanaka
Victim Country: Vietnam
Victim Industry: Retail / E-Commerce
Victim Organization: MM Mega Market Vietnam
Victim Site: online.mmvietnam.com
Alleged sale of compromised account credentials and database access across multiple platforms and countries
Category: Combo List
Content: Threat actor mu is advertising fresh database access and compromised account credentials for multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT) with inbox access. Platforms targeted include eBay, Offerup, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, Neosurf, and ntlworld webmails. Seller claims to own a private cloud and offers custom searches by keyword. Contact via DM for requests.
Date: 2026-04-22T22:05:50Z
Network: telegram
Published URL: https://t.me/c/2613583520/67782
Screenshots:
None
Threat Actors: mu
Victim Country: Unknown
Victim Industry: E-commerce, Travel, Gaming, Payment Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Chinese PLA Data by Threat Actor mosad
Category: Data Breach
Content: A threat actor operating under the handle mosad on the Breached forum is selling data allegedly obtained from the Chinese Peoples Liberation Army (PLA). Sample data has been released via the Telegram channel @Dazer, and interested buyers are directed to contact the actor via Telegram at @mosad. No further details regarding the volume, type of data, or price have been specified in the post.
Date: 2026-04-22T21:59:31Z
Network: openweb
Published URL: https://breached.st/threads/chinese-pla-data-for-sale.86204/unread
Screenshots:
None
Threat Actors: mosad
Victim Country: China
Victim Industry: Military / Defense
Victim Organization: Chinese Peoples Liberation Army (PLA)
Victim Site: Unknown
Alleged leak of URL:Login:Password credential combolist via Cloudberry ULP
Category: Data Leak
Content: A threat actor on the AlteNens forum has made available a free combolist containing over 535,176 URL:login:password credential pairs, dated April 26, 2022. The post is formatted as a daily free lines share associated with the Cloudberry ULP (URL:Login:Password) tool or service. Access to the download requires forum users to reply to the thread.
Date: 2026-04-22T21:42:32Z
Network: openweb
Published URL: https://altenens.is/threads/url-login-pass-22-04-26-daily-free-lines-535-176-fresh-cloudberry-ulp.2928551/unread
Screenshots:
None
Threat Actors: idsfgofdu213
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Italian credential combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has shared an alleged combolist targeting Italian users, containing approximately 9,506 credential pairs. The dataset is described as a Platinum Pack and First Class, suggesting curated or high-quality credentials. The content was made available via Pasteview on the AE combo list forum.
Date: 2026-04-22T21:41:11Z
Network: openweb
Published URL: https://altenens.is/threads/gem-stone-italy-platinum-pack-9506-glowing-star-first-class-glowing-star-ebbi_cloud-glowing-star.2928548/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist (Mix Gold Edition)
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a credential combolist titled Mix Gold Edition containing approximately 10,610 entries on the AE forum. The combolist was shared via Pasteview, a text-sharing platform, and appears to be a compilation of mixed credentials from various sources. No specific victim organization or country has been identified.
Date: 2026-04-22T21:40:36Z
Network: openweb
Published URL: https://altenens.is/threads/star-mix-gold-edition-10610-direct-hit-gold-glowing-star-ebbi_cloud-glowing-star.2928550/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Spain combolist with 2,900 credentials
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has shared a combolist described as Diamond Tier targeting Spain, containing approximately 2,900 credential pairs. The list was made available via Pasteview, a text-sharing platform, and was posted on the AE combo list forum. No specific victim organization or domain has been identified.
Date: 2026-04-22T21:40:02Z
Network: openweb
Published URL: https://altenens.is/threads/collision-spain-diamond-tier-2-9k-direct-hit-vip-direct-hit-ebbi_cloud-direct-hit.2928552/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Spain
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of UK email credential combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a combolist reportedly containing 2,500 fresh UK email credentials on the AE forum. The list was shared via Pasteview, a public text-sharing platform. No specific victim organization or targeted service has been identified.
Date: 2026-04-22T21:39:29Z
Network: openweb
Published URL: https://altenens.is/threads/fire-uk-fresh-mails-2-5k-collision-fresh-collision-ebbi_cloud-collision.2928553/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist containing 17,504 records
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a mixed combolist containing 17,504 credential pairs on the AE forum. The collection, referred to as Mix Master Collection, was shared via Pasteview and appears to aggregate credentials from multiple sources. No specific victim organization or targeted service has been identified.
Date: 2026-04-22T21:38:45Z
Network: openweb
Published URL: https://altenens.is/threads/star-mix-master-collection-17504-star-top-rank-high-voltage-ebbi_cloud-high-voltage.2928555/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 9,200 company business email credentials
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a combolist containing approximately 9,200 company and business email credentials on the AE forum. The data was shared via Pasteview, a text-sharing platform. The targeted organizations and their geographic locations are unknown at this time.
Date: 2026-04-22T21:38:13Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltage-9-2k-company-business-mails-top-fire-ebbi_cloud.2928557/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of bank and cryptocurrency account credentials
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a combolist of approximately 6,700 email credentials allegedly associated with bank and cryptocurrency accounts. The list was shared via Pasteview, a text-sharing platform. No specific organizations or countries have been identified as victims.
Date: 2026-04-22T21:37:35Z
Network: openweb
Published URL: https://altenens.is/threads/gem-stone-6-7k-bank-and-crypto-mails-new-money-bag-ebbi_cloud.2928561/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Banking and Cryptocurrency
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Netherlands credential combolist
Category: Combo List
Content: A threat actor operating as Elite_Cloud1 has made available a combolist of approximately 372,000 email and password credential pairs associated with Netherlands-based accounts. The list is described as fresh and high quality, suggesting recently obtained or validated credentials. The content is shared via a hidden download link on DemonForums and promoted through a Telegram channel.
Date: 2026-04-22T21:35:23Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-372-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Netherlands-%E2%9C%AA-22-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Netherlands
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email and password credentials (combolist)
Category: Combo List
Content: A threat actor operating under the alias COYTO has shared a mixed combolist containing email and password credentials on DemonForums. The data was made available as a free download via an external paste service. No specific victim organization, country, or record count was identified in the post.
Date: 2026-04-22T21:35:02Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-HQ-MIXED
Screenshots:
None
Threat Actors: COYTO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Mexican email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 150,000+ email:password credential pairs allegedly sourced from Mexico. The list is described as fresh and high quality and is shared via a hidden download link on the forum. The actor promotes additional credential material through a Telegram channel at t.me/elite_cloud1.
Date: 2026-04-22T21:34:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-150-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Mexico-%E2%9C%AA-22-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Mexico
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Montenegro credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 60,000+ email and password credentials associated with Montenegro. The list is described as fresh and high quality and is shared as hidden content on the forum. The actor also promotes a Telegram channel (@elite_cloud1) for additional credential logs.
Date: 2026-04-22T21:34:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-60-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Montenegro-%E2%9C%AA-22-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Montenegro
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Malaysian credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 53,000 email and password credential pairs allegedly associated with Malaysian users. The list is described as fresh and high quality and was shared on DemonForums with a link to a Telegram channel (@elite_cloud1) for additional credential lists. No specific organization or platform is identified as the source.
Date: 2026-04-22T21:34:03Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-53-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Malaysia-%E2%9C%AA-22-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Malaysia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of New Zealand email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 23,000+ email:password credential pairs associated with New Zealand users. The list is described as fresh and high quality and is shared via a hidden download link on the forum. The actor also promotes a Telegram channel (@elite_cloud1) for additional credential logs.
Date: 2026-04-22T21:33:39Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-23-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-New-Zealand-%E2%9C%AA-22-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: New Zealand
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Micronesia credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 13,000+ email:password credential pairs allegedly associated with Micronesia, dated April 22, 2026. The credentials are described as fresh and high quality and are shared via hidden content on the forum. The actor promotes additional credential logs through a Telegram channel (@elite_cloud1).
Date: 2026-04-22T21:33:14Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-13-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Micronesia-%E2%9C%AA-22-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Micronesia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Nepal credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 10,000+ email:password credential pairs allegedly sourced from Nepal, dated April 22, 2026. The content is described as fresh and high quality and is accessible to registered forum members. The actor promotes additional credential logs via a Telegram channel (@elite_cloud1).
Date: 2026-04-22T21:32:56Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-10-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Nepal-%E2%9C%AA-22-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Nepal
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Yahoo credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist purportedly containing 275,696 Yahoo credential pairs on a cracking forum. The combolist, described as high quality, was shared via a Mega.nz file link at no cost. The authenticity and origin of the credentials have not been verified.
Date: 2026-04-22T21:32:39Z
Network: openweb
Published URL: https://crackingx.com/threads/72920/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: United States
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com
Alleged sale of 23,000 valid email credentials across multiple regions
Category: Combo List
Content: A threat actor operating as MegaCloudshop is offering a combolist of approximately 23,000 validated email credentials allegedly sourced from users across the United States, Europe, Asia, Russia, and corporate environments. The credentials are advertised as fully valid mail access and are dated April 23. The post directs buyers to an external storefront at megacloudshop.top, indicating this is a commercial offering.
Date: 2026-04-22T21:32:27Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-23K-Usa-Eu-Asia-Ru-Corp-Full-Valid-Mail-Access-23-04
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 23,000 valid email access credentials across multiple regions
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist containing approximately 23,000 allegedly valid email access credentials. The credentials reportedly span multiple regions including the United States, Europe, Asia, Russia, and corporate accounts. The post restricts access to registered users, suggesting the content is shared within the forum community rather than sold publicly.
Date: 2026-04-22T21:32:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72921/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Threat Actor Post with No Specific Target Identified
Category: Data Breach
Content: A forum post titled test was made by user mosad on the Breached forum in the Sellers Place section. The post contains no meaningful content beyond the word test, providing no identifiable threat intelligence, victim information, or data details. This appears to be a test post with no actionable threat data.
Date: 2026-04-22T21:27:39Z
Network: openweb
Published URL: https://breached.st/threads/test.86203/unread
Screenshots:
None
Threat Actors: mosad
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Evolucao Cursos by D0R4H4X0R of Manado Cyber Team
Category: Defacement
Content: On April 23, 2026, threat actor D0R4H4X0R, operating under the Manado Cyber Team, defaced a page on the Brazilian online courses platform evolucaocursos.com. The attack targeted a specific page (hoah.htm) and was not classified as a mass or home defacement. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-04-22T21:24:14Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912014
Screenshots:
None
Threat Actors: D0R4H4X0R, Manado Cyber Team
Victim Country: Brazil
Victim Industry: Education
Victim Organization: Evolucao Cursos
Victim Site: evolucaocursos.com
Alleged Sharing of Stolen US Credit Card Data
Category: Carding
Content: A threat actor on the carding forum AE shared two allegedly live US VISA credit card records. The leaked data includes full card numbers, expiration dates, CVV codes, cardholder names, addresses, and ZIP codes. The cards appear to belong to individuals located in the United States.
Date: 2026-04-22T21:12:28Z
Network: openweb
Published URL: https://altenens.is/threads/2x-us-cc-live.2928545/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of URL:Login:Password credential combolist
Category: Combo List
Content: A threat actor operating under the alias WashingtonDC has made available a credential combolist containing approximately 480,000 URL:login:password combinations via a public file-sharing link on MediaFire. The post was shared on the cracking forum CrackingX under the combolists and dumps section. The targeted organizations and affected countries are unknown, as the combolist likely aggregates credentials from multiple sources.
Date: 2026-04-22T21:08:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72916/
Screenshots:
None
Threat Actors: WashingtonDC
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed-domain credential combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared a mixed-domain combolist containing approximately 311,000 credential pairs on the cracking forum CrackingX. The post, dated April 26, 2023, claims the credentials are valid. The full content is restricted to registered forum members.
Date: 2026-04-22T21:08:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72917/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of multi-brand retail credential combolist including Nike, Adidas, SHEIN and others
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist of approximately 8.4 million email and password combinations allegedly associated with major retail and e-commerce brands including Uniqlo, Lululemon, Nike, Adidas, Puma, Reebok, Crocs, SHEIN, and StockX. The credentials are being distributed freely via Telegram channels and a cracking forum. The actor also promotes additional free combolists and tools through dedicated Telegram groups.
Date: 2026-04-22T21:07:35Z
Network: openweb
Published URL: https://crackingx.com/threads/72918/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Retail & E-Commerce
Victim Organization: Multiple (Uniqlo, Lululemon, Nike, Adidas, Puma, Reebok, Crocs, SHEIN, StockX)
Victim Site: Unknown
Alleged sale of fresh database credentials and compromised accounts (UK, DE, JP, NL, BR, PL, ES, US, IT) with e-commerce platform access
Category: Combo List
Content: Threat actor offering fresh database credentials and compromised accounts from multiple countries (UK, Germany, Japan, Netherlands, Brazil, Poland, Spain, US, Italy) with inbox access. Claims to have access to credentials for eBay, OfferUp, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and Neosurf accounts. Also claims to operate a private cloud with valid webmail access (ntlworld). Soliciting direct messages for specific requests.
Date: 2026-04-22T21:04:12Z
Network: telegram
Published URL: https://t.me/c/2613583520/67768
Screenshots:
None
Threat Actors: mu
Victim Country: Unknown
Victim Industry: E-commerce, Payment Services, Travel, Social Commerce
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of jobwebuganda.com User Database
Category: Data Leak
Content: A threat actor on a dark web forum has publicly shared what appears to be a WordPress user database dump from jobwebuganda.com, a Ugandan online job portal. The leaked data includes user IDs, login names, hashed passwords (phpass format), email addresses, display names, and account registration dates. The post was categorized under Germany databases, though the victim organization and user data are predominantly associated with Uganda.
Date: 2026-04-22T20:55:15Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Database-Germany-jobwebuganda-com
Screenshots:
None
Threat Actors: Richard2002
Victim Country: Uganda
Victim Industry: Online Job Portal / Recruitment
Victim Organization: Jobweb Uganda
Victim Site: jobwebuganda.com
Alleged sale of fresh Hotmail and service combolists across multiple countries
Category: Combo List
Content: Seller Yìchén is advertising fresh valid private Hotmail combolists and credential lists for multiple platforms including Amazon, eBay, Walmart, Poshmark, Marriott and others across multiple countries (FR, IT, BR, UK, US, AU, JP, NL, PL, ES, MX, CA, SG). Seller claims to offer custom keyword searches. Posted in Squad Chat Marketplace with #WTS tag indicating intent to sell.
Date: 2026-04-22T20:52:56Z
Network: telegram
Published URL: https://t.me/c/2613583520/67751
Screenshots:
None
Threat Actors: Yìchén
Victim Country: Unknown
Victim Industry: Multiple (Email, E-commerce, Hospitality)
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of French National Business Register (INPI/RNE) Data via HexDex
Category: Data Leak
Content: A threat actor using the handle Tanaka has made available a 150 GB dataset allegedly sourced from HexDex, containing data from Frances National Business Register (RNE) managed by INPI. The leak includes approximately 26 million rows of company information (covering roughly 7 million individuals) and 6.5 million rows of corporate financial reports, totaling over 182 GB of uncompressed data. The data reportedly includes legal entity registrations, modifications, dissolutions, annual financial s
Date: 2026-04-22T20:37:44Z
Network: openweb
Published URL: https://spear.cx/Thread-FR-leak-from-HexDex%C2%A0-150-GB-26M-rows-French-Company
Screenshots:
None
Threat Actors: [Mod] Tanaka
Victim Country: France
Victim Industry: Government / Public Administration
Victim Organization: Institut National de la Propriété Industrielle (INPI)
Victim Site: inpi.fr
Alleged leak of mixed access combolist containing 10,000 credentials
Category: Combo List
Content: A threat actor using the handle wingoooW has made available a combolist of approximately 10,000 mixed access credentials on DemonForums. The post includes a free download link hosted on pasteview.com. The list is described as mixed access, suggesting credentials spanning multiple services or platforms, though no specific victims or organizations have been identified.
Date: 2026-04-22T20:24:06Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-10K-MIXED-ACCESS
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist containing approximately 1,400 credential pairs associated with Hotmail accounts from mixed countries. The list was shared as a free download on a cracking and combolist forum. The credentials may be used for account takeover or further exploitation.
Date: 2026-04-22T20:23:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72911/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged data breach of Krispy Kreme Panama customer database
Category: Data Breach
Content: A threat actor operating under the alias RuskiNet is selling a database allegedly stolen from krispykremepanama.com, the official Krispy Kreme website for Panama. The dataset contains approximately 22,000 records including customer names, addresses, company details, and geographic identifiers, available in SQL and CSV formats. The seller is accepting cryptocurrency payments (XMR or LTC) and can be contacted via Telegram.
Date: 2026-04-22T20:17:53Z
Network: openweb
Published URL: https://breached.st/threads/krispykremepanama-com-22k.86201/unread
Screenshots:
None
Threat Actors: RuskiNet
Victim Country: Panama
Victim Industry: Food & Beverage
Victim Organization: Krispy Kreme Panama
Victim Site: krispykremepanama.com
Alleged leak of stealer logs distributed via cloud file sharing
Category: Logs
Content: A threat actor operating under the alias UP_DAISYCLOUD has made available approximately 11,040 stealer logs dated April 21-22, via two Pixeldrain file-sharing links. The logs appear to be freshly collected infostealer output, likely containing credentials and other sensitive data harvested from compromised systems. The files are password-protected with the actors handle serving as the password.
Date: 2026-04-22T20:12:41Z
Network: openweb
Published URL: https://darkforums.su/Thread-%F0%9F%9A%80-11040-LOGS-CLOUD-%E2%98%81-21-22-APRIL-%E2%9D%A4%EF%B8%8F-FRESH-LOGS%E2%9D%97%EF%B8%8F
Screenshots:
None
Threat Actors: UP_DAISYCLOUD
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data
Category: Carding
Content: A threat actor operating under the alias DelusionG0D shared a stolen payment card record on a carding forum. The post contains a single card number, expiration date, and CVV in a standard carding format. The origin and associated victim organization of the card are unknown.
Date: 2026-04-22T20:08:22Z
Network: openweb
Published URL: https://altenens.is/threads/card-cc.2928525/unread
Screenshots:
None
Threat Actors: DelusionG0D 3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Carding Data Shared Involving United States Cardholder
Category: Carding
Content: A threat actor operating under the alias DelusionG0D shared what appears to be a stolen payment card record on a carding forum. The data includes a full card number, expiration date, CVV, cardholder name, billing address in Groves, Texas, phone number, and an associated email address. The record pertains to a single individual in the United States.
Date: 2026-04-22T20:00:41Z
Network: openweb
Published URL: https://altenens.is/threads/ccc.2928516/unread
Screenshots:
None
Threat Actors: DelusionG0D 3
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data
Category: Carding
Content: A threat actor shared a stolen payment card record on a carding forum. The post contains a card number, expiration date, CVV, and cardholder name associated with a Morgan-branded card. The data appears to be a single credit or debit card record shared publicly on the forum.
Date: 2026-04-22T19:59:53Z
Network: openweb
Published URL: https://altenens.is/threads/ccccc.2928518/unread
Screenshots:
None
Threat Actors: DelusionG0D 3
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Morgan
Victim Site: Unknown
Alleged leak of multi-platform e-commerce credential combolist across multiple countries
Category: Combo List
Content: A threat actor using the alias CODER has made available a mixed combolist of approximately 11 million email and password combinations targeting multiple major e-commerce platforms including Amazon, Etsy, eBay, AliExpress, Alibaba, Shein, ASOS, Zalando, and Wildberries. The combolist is distributed for free via two Telegram channels and covers accounts from multiple countries. The actor promotes additional combo and tool resources through their Telegram presence.
Date: 2026-04-22T19:54:34Z
Network: openweb
Published URL: https://crackingx.com/threads/72902/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: E-Commerce
Victim Organization: Amazon, Etsy, eBay, AliExpress, Alibaba, Shein, ASOS, Zalando, Wildberries
Victim Site: amazon.com, etsy.com, ebay.com, aliexpress.com, alibaba.com, shein.com, asos.com, zalando.com, wildberries.ru
Alleged leak of European Education sector combolist with 106,312 credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing 106,312 credential pairs purportedly sourced from European educational institutions. The combolist is described as mixed and is being distributed freely via a Mega.nz file sharing link. No specific organizations or domains have been identified as victims.
Date: 2026-04-22T19:53:55Z
Network: openweb
Published URL: https://crackingx.com/threads/72903/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Europe
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of credential combolists for major e-commerce platforms including Temu, Walmart, and Best Buy
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an alleged 9 million record combolist containing email and password credentials associated with multiple major e-commerce platforms including Temu, Wish, Joom, Banggood, Gearbest, Newegg, Best Buy, Walmart, and Target. The combolists are being distributed for free via Telegram channels and groups managed by the actor. The actor also solicits direct contact via Telegram handle CODER5544 for additional combo requests.
Date: 2026-04-22T19:53:19Z
Network: openweb
Published URL: https://crackingx.com/threads/72904/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: E-Commerce & Retail
Victim Organization: Temu, Wish, Joom, Banggood, Gearbest, Newegg, Best Buy, Walmart, Target
Victim Site: Unknown
Alleged leak of credential combolists for multiple e-commerce platforms including Mercari, Poshmark, and Costco
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist of approximately 7 million email and password combinations targeting users of multiple e-commerce platforms including Mercari, Poshmark, Depop, Vinted, Taobao, DHgate, Overstock, Wayfair, and Costco. The credential lists are being made available for free via Telegram channels and groups associated with the actor. Access is facilitated through the Telegram handle CODER5544 and associated group channels.
Date: 2026-04-22T19:52:14Z
Network: openweb
Published URL: https://crackingx.com/threads/72906/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: E-Commerce
Victim Organization: Mercari, Poshmark, Depop, Vinted, Taobao, DHgate, Overstock, Wayfair, Costco
Victim Site: Unknown
Alleged leak of 1.3 million URL-login-password credentials
Category: Combo List
Content: A threat actor operating under the alias RandomUpload on the cracking forum CrackingX has made available a combolist containing approximately 1.3 million URL, login, and password combinations. The post is restricted to registered users, limiting visibility of additional details. The credentials appear to span multiple sites and services, though specific victims are not identified.
Date: 2026-04-22T19:51:30Z
Network: openweb
Published URL: https://crackingx.com/threads/72907/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Private Database Collections Including PII, Documents, and Financial Data
Category: Data Breach
Content: A threat actor operating under the alias jannatmirza11 is advertising private database collections for sale via Telegram, including company databases, scanned identity documents (ID cards, drivers licenses, passports), SSN/SIN records, consumer information, phone lists, email lists, credential lists, and large-site database dumps. No specific victim organizations or countries are identified. Contact is facilitated through Telegram handle @jannat646500.
Date: 2026-04-22T19:51:14Z
Network: openweb
Published URL: https://crackingx.com/threads/72908/
Screenshots:
None
Threat Actors: jannatmirza11
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 42,000 German email account credentials
Category: Data Leak
Content: A threat actor known as Megacloud has made available a combolist containing approximately 42,000 allegedly valid German email account credentials. The 1.52 MB file was shared freely via MEGA file hosting. The post claims the credentials are fully valid and include mail access, suggesting active account takeover potential.
Date: 2026-04-22T19:34:56Z
Network: openweb
Published URL: https://altenens.is/threads/42k-germany-full-valid-mail-access-22-04.2928513/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data with personal information
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen payment card record belonging to an individual in Jamaica, New York, United States. The leaked data includes a full card number, expiration date, CVV, cardholder name, billing address, phone number, email address, and IP address. The data was made available on the forum without any apparent price, suggesting it was freely shared.
Date: 2026-04-22T19:22:41Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwwwwwwwwww.2928511/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data with personal information
Category: Carding
Content: A threat actor on a carding forum shared a stolen payment card record belonging to an individual in Stuart, Florida, United States. The exposed data includes a full card number, expiration date, CVV, cardholder name, billing address, phone number, email address, and an IPv6 address. The post appears to be a sample or single-record dump shared on a carding-focused forum.
Date: 2026-04-22T19:22:05Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwwwww.2928512/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data with personal information
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen payment card record belonging to a US individual. The shared data includes full card details (card number, expiration, CVV), personally identifiable information (full name, address, phone number), an associated email address, and an IPv6 address. The victim appears to be located in Silver Spring, Maryland, United States.
Date: 2026-04-22T19:14:24Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwww.2928508/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen credit card data belonging to United States cardholder
Category: Carding
Content: A threat actor operating under the alias Babuska shared a stolen credit card record on a carding forum. The exposed data includes a Mastercard credit card number, expiration date, CVV, full name, address, phone number, and email address belonging to a United States resident in Illinois. The cardholder is identified as Ray Markovic residing in the Chicago suburb area.
Date: 2026-04-22T19:13:52Z
Network: openweb
Published URL: https://altenens.is/threads/kill.2928509/unread
Screenshots:
None
Threat Actors: Babuska
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed combolist targeting multiple platforms including Facebook, LinkedIn, and Amazon
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an alleged mixed combolist containing approximately 13 million credential pairs targeting multiple platforms including Facebook, Twitter, Instagram, LinkedIn, Amazon, eBay, gaming, shopping, adult, and cryptocurrency services. The combolist is being distributed freely via Telegram channels and groups associated with the actor. No price is mentioned, suggesting the credentials are being shared at no cost.
Date: 2026-04-22T19:00:46Z
Network: openweb
Published URL: https://crackingx.com/threads/72898/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Multiple (Facebook, Twitter, Instagram, LinkedIn, Amazon, eBay)
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a combolist purportedly containing fresh Hotmail credentials on the cracking forum CrackingX. The credential list is being distributed for free via an external paste site and a Telegram channel. The post does not specify the number of records or the origin of the data.
Date: 2026-04-22T19:00:10Z
Network: openweb
Published URL: https://crackingx.com/threads/72900/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed combolist data shared by D4rkNetHub
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub has shared a mixed combolist containing approximately 40,752 records on the cracking forum CrackingX. The post, titled MIXED GOODS D4RKNETHUB CLOUD, appears to offer free access to credential data, though the specific targeted organizations or countries are unknown. The content requires forum registration or sign-in to access.
Date: 2026-04-22T18:59:34Z
Network: openweb
Published URL: https://crackingx.com/threads/72901/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credentials combolist by D4rkNetHub
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub has shared a mixed combolist containing approximately 40,752 email:password credential pairs on a cybercrime forum. The content is hidden behind a registration/login wall, suggesting restricted access to the credentials. The actor also promotes a paid Premium Cloud service via their shop at darknethub.top and a Telegram channel, offering tiered subscription access to additional resources.
Date: 2026-04-22T18:58:56Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-40-752-Good-MIXED-GOODS-D4RKNETHUB-CLOUD
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sharing of Stolen HSBC Payment Card Data
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen HSBC credit or debit card record, including the card number (5434709000747114), expiration date (11/26), and CVV (339). The post claims the card is live and associated with a UK-based HSBC account. No price was mentioned, suggesting the card details were shared freely.
Date: 2026-04-22T18:55:54Z
Network: openweb
Published URL: https://altenens.is/threads/uk-hsbc-live-hb.2928504/unread
Screenshots:
None
Threat Actors: Jazz
Victim Country: United Kingdom
Victim Industry: Banking & Finance
Victim Organization: HSBC
Victim Site: hsbc.co.uk
Alleged sharing of stolen US payment card data on carding forum
Category: Carding
Content: A threat actor operating under the alias totoww shared stolen US payment card data on the carding forum Altenens. The shared record includes a full card number, expiration date, CVV, cardholder name, and billing address. The post is labeled low bal, suggesting the associated account carries a low balance.
Date: 2026-04-22T18:55:19Z
Network: openweb
Published URL: https://altenens.is/threads/usa-low-bal.2928506/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data linked to United Arab Emirates cardholder
Category: Carding
Content: A threat actor operating on the Altenens carding forum shared what appears to be a stolen payment card record belonging to a United Arab Emirates cardholder. The post includes full card details such as card number, expiry date, CVV, cardholder name, and billing address. The data was shared under a thread titled UAE visa HIGH BAL, suggesting the card may carry a high balance.
Date: 2026-04-22T18:54:54Z
Network: openweb
Published URL: https://altenens.is/threads/uae-visa-high-bal.2928505/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: United Arab Emirates
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of unauthorized access to Mythos AI system and internal documents
Category: Initial Access
Content: Threat actor offering rental access to Mythos (described as Claude Mythos AI internal/experimental model) at tiered pricing ($5,000-$25,000 for access periods) and selling internal documents package (~3,000 files) including Mythos AI technical details and restricted model access for $250,000
Date: 2026-04-22T18:54:11Z
Network: telegram
Published URL: https://t.me/c/3500620464/7217
Screenshots:
None
Threat Actors: Unknown
Victim Country: United States
Victim Industry: Artificial Intelligence/Technology
Victim Organization: Anthropic
Victim Site: Unknown
Alleged leak of 800 Hotmail credential combos
Category: Data Leak
Content: A threat actor operating under the alias Megacloud has shared a combolist containing approximately 800 allegedly valid Hotmail credentials on the forum AE – Combo List. The post, dated April 22, requires forum members to reply in order to access the hidden download link. The credentials are described as fresh and valid, suggesting recent collection or validation.
Date: 2026-04-22T18:52:43Z
Network: openweb
Published URL: https://altenens.is/threads/800x-fresh-just-valid-hotmail-access-22-04.2928503/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of corporate business combolist by threat actor CODER
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist allegedly containing 12 million corporate and business leads/credentials. The content is gated behind registration on the forum, with free distribution offered via Telegram channels and direct contact. No specific victim organization or country has been identified.
Date: 2026-04-22T18:33:21Z
Network: openweb
Published URL: https://crackingx.com/threads/72897/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of 1.2 Billion USA Business and Personal Contact Records
Category: Data Breach
Content: A threat actor operating under the alias GenesisZ is allegedly selling a collection of 1.2 billion USA business and personal contact records in CSV format across multiple industries. The dataset purportedly includes B2B leads, phone leads, people databases, and industry-specific contact lists sourced from platforms such as Apollo and LinkedIn. The actor is open to negotiations and can be contacted via Telegram at @GenesisHax.
Date: 2026-04-22T18:33:14Z
Network: openweb
Published URL: https://crackingx.com/threads/72896/
Screenshots:
None
Threat Actors: GenesisZ
Victim Country: United States
Victim Industry: Multiple Industries
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen US payment card details with PII
Category: Carding
Content: A threat actor shared stolen debit card details for a United States-based individual on a carding forum. The leaked data includes full card number, expiration date, CVV, along with personally identifiable information such as full name, address, email, phone number, and zip code. The cardholder is identified as Leopold Wilkes, located in South Carolina.
Date: 2026-04-22T18:30:30Z
Network: openweb
Published URL: https://altenens.is/threads/kil.2928500/unread
Screenshots:
None
Threat Actors: Babuska
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor known as Jelooos has made available on the cracking forum CrackingX an alleged combolist containing approximately 1,100 Hotmail credentials, described as UHQ (ultra-high quality) and untouched. The post is gated behind registration, limiting visibility into the full contents and validity of the claims.
Date: 2026-04-22T18:08:53Z
Network: openweb
Published URL: https://crackingx.com/threads/72894/
Screenshots:
None
Threat Actors: Jelooos
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed private log pack distributed on cybercrime forum
Category: Data Leak
Content: A threat actor on DemonForums shared a free download link via Mega.nz containing a mixed private pack of logs. The archive is password-protected and distributed under the Project Logs Planet branding. No specific victim organization, country, or record count was disclosed in the post.
Date: 2026-04-22T18:07:57Z
Network: openweb
Published URL: https://demonforums.net/Thread-Mix-private-pack-logs
Screenshots:
None
Threat Actors: niven938644
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data with personal information
Category: Carding
Content: A threat actor on a carding forum shared a stolen payment card record belonging to a US individual named Joseph Salgado. The shared data includes a full card number, expiration date, CVV, billing address in Mountain View, CA, phone number, and an associated email address. The post appears to be a sample or single-record share of compromised financial and personal data.
Date: 2026-04-22T18:05:25Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwwwwwwwwwwwbalance.2928493/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged CVV Checker Tool Offered for Carding Operations
Category: Carding
Content: A threat actor on a carding forum is selling a CVV checker tool priced at $0.10 per check, designed for validating stolen payment card details including low-balance cards. The tool is intended to facilitate payment card fraud by verifying card validity before use in fraudulent transactions.
Date: 2026-04-22T18:03:59Z
Network: openweb
Published URL: https://altenens.is/threads/cvv-checker-for-low-bal-cards.2928497/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of premium mix combolist with inbox-verified credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist described as 2970x Premium Mix UHQ Hits along with inbox-verified targets. The post includes download links for both the credential list and associated inboxed targets, suggesting the credentials have been verified as valid. No specific victim organization or country has been identified.
Date: 2026-04-22T17:48:36Z
Network: openweb
Published URL: https://crackingx.com/threads/72887/
Screenshots:
None
Threat Actors: Hotmail Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of fake identity documents including drivers licenses, passports, and credit cards
Category: Carding
Content: A threat actor operating under the IDEAL team is advertising fraudulent identity documents including drivers licenses, passports, credit cards, and selfie verification sets on a cracking forum. The actor claims to have been operating since 2016 and promotes high-quality forgeries produced with professional equipment. Contact is facilitated via Telegram handle @DroneBott2.
Date: 2026-04-22T17:48:13Z
Network: openweb
Published URL: https://demonforums.net/Thread-IDEAL-BEST-QUALITY-FAKE-DOCUMENTS-DL-PP-CC-SELFIE
Screenshots:
None
Threat Actors: Boeesijj
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 8 million cryptocurrency credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has shared an alleged combolist containing approximately 8 million credential pairs targeting cryptocurrency platforms. The post was made on the cracking forum CrackingX in the Combolists & Dumps section. No additional details regarding the source, affected platforms, or data composition are available.
Date: 2026-04-22T17:48:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72888/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Cryptocurrency
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credentials combolist
Category: Combo List
Content: A threat actor known as StrawHatBase shared a combolist containing approximately 12,000 email and password combinations on DemonForums. The post is described as a good mix of mail access credentials, suggesting it aggregates accounts across multiple email providers. The content is hidden behind a registration or login requirement, indicating it is shared freely within the forum community.
Date: 2026-04-22T17:47:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-12K-GOOD-MIX-MAIL-ACCESS
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of gaming and casino credential combolist targeting Germany
Category: Combo List
Content: A threat actor using the handle HQcomboSpace has made available a combolist of approximately 370,608 lines targeting gaming and casino platforms in Germany. The credential list was shared via a Mega.nz link on the crackingx.com forum. No specific organizations or domains were identified as victims.
Date: 2026-04-22T17:47:30Z
Network: openweb
Published URL: https://crackingx.com/threads/72890/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Gaming and Gambling
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 480,000 shopping and social media credentials
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist of approximately 480,000 URL:login:password credential pairs purportedly valid for shopping and social media platforms. The content is hidden behind a registration or login requirement on the forum. The actor also advertises services including combo sales, spamming, dumping, and cracking tools via Telegram channels.
Date: 2026-04-22T17:47:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-480K-URL-LOGIN-PASS-Good-For-Shopping-Social-Media
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Retail and Social Media
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 300,000 EDU sector email credentials
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist containing approximately 300,000 email and password credential pairs associated with educational institutions. The content is hidden behind a registration or login requirement on the forum. The actor also promotes services including combo sales, spamming, dumping, and cracking tools via Telegram channels.
Date: 2026-04-22T17:46:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-300K-EDU-Good-Quality-Fresh-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of iCloud credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing an iCloud-themed combolist via Telegram channels and a cracking forum. The actor promotes free combo and program distribution through two Telegram groups and offers direct contact for additional combos. No specific record count or pricing was mentioned, suggesting the credentials are being freely shared.
Date: 2026-04-22T17:46:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72892/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Apple iCloud
Victim Site: icloud.com
Alleged leak of 245,000 Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist containing approximately 245,000 Gmail email and password combinations on DemonForums. The post is described as semi-private and high quality, with hidden content accessible upon registration or login. The actor also promotes services including spamming, combolist sales, and cracking tools via Telegram.
Date: 2026-04-22T17:46:23Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-245K-GMAIL-Semi-Private-HQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged leak of 210,000 Indian email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist containing approximately 210,000 email:password credential pairs allegedly associated with Indian users. The content is hidden behind a registration or login requirement on the forum. The actor promotes additional services including spamming, dumping, and cracking tools via their Telegram channel and group.
Date: 2026-04-22T17:46:00Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-210K-INDIA-EmailPass-Good-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: India
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed forum credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist containing approximately 100,000 mixed credentials described as valid forum account logins. The post was made on the cracking forum CrackingX under the Combolists & Dumps section. The content of the post is gated behind registration or login, limiting further verification of the claims.
Date: 2026-04-22T17:45:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72893/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data with personal information
Category: Carding
Content: A threat actor on the carding forum AE shared a stolen payment card record belonging to an individual identified as Michael Woods from Stamford, Connecticut. The data includes full card details (PAN, expiration, CVV), billing address, phone number, email address, and an IPv6 address. The post appears to be a free share or sample of compromised financial data.
Date: 2026-04-22T17:42:51Z
Network: openweb
Published URL: https://altenens.is/threads/wwwww.2928481/
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyber attack on Tel Aviv power plant by MDGhost threat actor
Category: Cyber Attack
Content: A threat actor group named MDGhost (ام‌دی‌گوست) has claimed responsibility for infiltrating the control systems of a power plant in Tel Aviv and gaining access to portions of Israels electrical infrastructure.
Date: 2026-04-22T17:40:10Z
Network: telegram
Published URL: https://t.me/c/1283513914/21337
Screenshots:
None
Threat Actors: MDGhost
Victim Country: Israel
Victim Industry: Energy/Critical Infrastructure
Victim Organization: Power plant in Tel Aviv
Victim Site: Unknown
Alleged leak of mixed email credentials including Hotmail accounts
Category: Data Leak
Content: A threat actor operating under the alias alphacloud has made available a combolist of 5,713 mixed email credentials, including verified Hotmail accounts, on the AE combo list forum. The post references a private cloud storage source and directs users to a Telegram contact for access. No price was mentioned, suggesting the content is being freely shared with forum members who reply to the thread.
Date: 2026-04-22T17:39:37Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagehigh-voltage-5713x-premium-mix-mail-hitshigh-voltagehigh-voltage.2928485/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: hotmail.com
Alleged leak of Hotmail targeted combolist with 143K credentials
Category: Data Leak
Content: A threat actor operating under the alias carlos080 has made available a combolist of approximately 143,000 Hotmail-targeted email and password credentials on the AE forum. The post offers a free download via a hidden reply-gated link. The same actor also advertises the sale of additional combolists covering multiple email providers and geographic regions via Telegram handle @KOCsupport.
Date: 2026-04-22T17:39:10Z
Network: openweb
Published URL: https://altenens.is/threads/143k-hotmail-targeted-combolist.2928487/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged self-propagating malware attack on npm supply chain targeting developer credentials
Category: Malware
Content: Security researchers discovered a new attack on the npm (Node Package Manager) supply chain where malware infects software packages to steal publishing tokens, API keys, and sensitive developer information. The malware uses stolen tokens to republish additional packages through compromised accounts, enabling automatic propagation. Multiple packages related to AI tools and databases including @automagik/genie and pgserve have been reported as compromised.
Date: 2026-04-22T17:32:18Z
Network: telegram
Published URL: https://t.me/c/1283513914/21336
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Unknown
Victim Industry: Software Development
Victim Organization: npm
Victim Site: npmjs.com
Alleged defacement of multiple websites by Mr.PIMZZZXploit
Category: Defacement
Content: Threat actor claiming responsibility for defacement of approximately 20 websites across multiple domains including Romanian, Hungarian, and Pakistani hosting providers. Sites listed include government portals, software platforms, and business websites. Defacement claims attributed to Mr.PIMZZZXploit with Babayo Eror System group affiliation.
Date: 2026-04-22T17:29:48Z
Network: telegram
Published URL: https://t.me/c/3865526389/532
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: multiple
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 8 million cryptocurrency-related credentials
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an 8 million record cryptocurrency-focused combolist via Telegram channels. The post directs users to contact the actor via Telegram handle CODER5544 or join free combo and tools groups at t.me/Combo445544 and t.me/Coder554455. No specific victim organization or platform has been identified, and the combolist appears to target cryptocurrency service users.
Date: 2026-04-22T17:16:59Z
Network: openweb
Published URL: https://crackingx.com/threads/72888/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Cryptocurrency
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 480K URL:Login:Password combolist targeting Shopping and Social Media platforms
Category: Combo List
Content: A threat actor known as el_capitan has made available a combolist of approximately 480,000 URL:login:password credential pairs, reportedly suitable for use against shopping and social media platforms. The content is hidden behind a registration or login requirement on the forum. The actor also promotes services including HQ combos, spamming, dumping, and cracking tools via Telegram channels.
Date: 2026-04-22T17:16:52Z
Network: openweb
Published URL: https://demonforums.net/Thread-480K-URL-LOGIN-PASS-Good-For-Shopping-Social-Media
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Multiple (Retail, Social Media)
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 300,000 EDU email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist of approximately 300,000 email and password credential pairs targeting educational institutions. The content is shared via a hidden forum post requiring registration or login to access. The actor also promotes services including combo sales, spamming, dumping, and cracking tools via Telegram channels.
Date: 2026-04-22T17:16:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-300K-EDU-Good-Quality-Fresh-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 245,000 Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist containing approximately 245,000 Gmail email and password combinations on a cybercrime forum. The content is hidden behind registration or login, suggesting controlled distribution. The actor also advertises services including spamming, data dumping, and cracking tools via Telegram channels.
Date: 2026-04-22T17:16:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-245K-GMAIL-Semi-Private-HQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged leak of German gaming and casino sector credential combolist
Category: Combo List
Content: A threat actor known as HQcomboSpace has made available a combolist containing approximately 370,608 credential entries targeting the gaming and casino sector in Germany. The data was shared via a Mega.nz link on a known cracking and combolist forum. The specific organizations affected are not identified in the post.
Date: 2026-04-22T17:16:12Z
Network: openweb
Published URL: https://crackingx.com/threads/72890/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Gaming and Gambling
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 210,000 Indian email credentials combolist
Category: Combo List
Content: A threat actor known as el_capitan has made available a combolist containing approximately 210,000 email address and password credential pairs associated with Indian users. The combolist was shared on a cybercrime forum specializing in credential lists. The origin and specific services affected by this credential exposure are unknown.
Date: 2026-04-22T17:15:55Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-210K-INDIA-EmailPass-Good-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: India
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credentials combolist (5,713 entries)
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 5,713 alleged premium mixed email credentials, including validated Hotmail accounts, via a free download on the cracking forum CrackingX. The post references private cloud storage and promotes a Telegram contact alphaaxd for further communication. No specific victim organization or targeted service beyond mixed mail providers is identified.
Date: 2026-04-22T17:15:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72891/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credentials combolist including Hotmail accounts
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 5,713 mixed email credentials, described as premium hits including validated Hotmail accounts. The content is hosted as hidden content on the forum requiring registration or login to access. The actor also references a Telegram handle alphaaxd for further contact.
Date: 2026-04-22T17:15:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-5713x-PREMIUM-MIX-MAIL-HITS%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data with personal information
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen payment card record belonging to a US individual. The data includes a full card number, expiration date, CVV, cardholder name, physical address in Stamford, Connecticut, phone number, and associated email address. The post appears to be a sample or small dump of card data shared freely on the forum.
Date: 2026-04-22T17:12:43Z
Network: openweb
Published URL: https://altenens.is/threads/wwwwwwwwwww-huge-fast.2928479/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data linked to United States cardholder
Category: Carding
Content: A threat actor operating under the alias POSEIDONN shared what appears to be a stolen payment card record on a carding forum. The data includes full card details (PAN, expiration, CVV), the cardholders name, billing address in Stamford, Connecticut, phone number, email address, and an IPv6 address. The exposed record is associated with a Visa or Mastercard account belonging to an individual identified as Michael Woods.
Date: 2026-04-22T17:12:07Z
Network: openweb
Published URL: https://altenens.is/threads/wwwww.2928481/unread
Screenshots:
None
Threat Actors: POSEIDONN
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Logs
Content: A threat actor operating under the alias UniqueCombo has shared an alleged combolist of approximately 28,000 unique Hotmail credentials on an underground forum. The post is categorized under Mail Access & Combolists, suggesting the list contains email and password combinations targeting Microsofts Hotmail service. The content appears to be freely distributed rather than sold.
Date: 2026-04-22T17:08:05Z
Network: openweb
Published URL: https://xforums.st/threads/hotmail-unique-combo_4_28000.609293/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged DDoS Stresser Service Advertisement – Deep Stresser
Category: Malware
Content: Deep Stresser is advertising a DDoS stresser service with a giveaway promotion offering free trial packages and $50 USDT prizes. The service claims to provide Layer 4 (TCP/UDP flood) and Layer 7 (HTTP) DDoS attack capabilities with bypasses for protection systems (CAPTCHA, CACHE, UAM). Website: deepstresser.su
Date: 2026-04-22T16:59:57Z
Network: telegram
Published URL: https://t.me/c/1669509146/94674
Screenshots:
None
Threat Actors: Deep Stresser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 11.8 million URL:Login:Password credential lines
Category: Logs
Content: A threat actor operating under the alias Gektor009 has made available a combolist containing approximately 11.887 million lines of URL, username, and password combinations on a dark web forum. The dataset is approximately 600MB in size and is offered as hidden content requiring forum registration or login to access. No specific victim organization or country has been identified, suggesting this is a compilation of stealer logs from multiple sources.
Date: 2026-04-22T16:58:40Z
Network: openweb
Published URL: https://darkforums.su/Thread-Document-Url-Log-Pass-11-887-391-M%C4%B1ll%C4%B1on-L%C4%B1nes-600mb
Screenshots:
None
Threat Actors: Gektor009
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of FortiGate VPN and Firewall Super Admin Access to Colombian Company
Category: Initial Access
Content: A threat actor identified as GhostByte is selling super admin access to a Colombian companys FortiGate VPN and firewall infrastructure for $700. The compromised environment includes an Active Directory network, and the victim organization reportedly has annual revenue of $49.3 million. The actor is conducting outreach via private message for further details.
Date: 2026-04-22T16:57:52Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-VPN-FORTIGATE-AND-FIREWALL-SUPER-ADMIN-ACCESS-COLOMBIAN-COMPANY
Screenshots:
None
Threat Actors: GhostByte
Victim Country: Colombia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Initial Access and Data from NOAA Emergency Beacon Registration System
Category: Initial Access
Content: A threat actor on a dark web forum claims to be selling bulk access to approximately 90-100 login credentials for multiple NOAA government portals, including the emergency beacon registration system (beaconregistration.noaa.gov). The actor claims the access allows full control over critical emergency beacon infrastructure used by vehicles, vessels, and aircraft, and includes sensitive data such as beacon identifiers, owner PII, emergency contact information, and vehicle/vessel/aircraft registrat
Date: 2026-04-22T16:57:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-Noaa-gov-access-and-data
Screenshots:
None
Threat Actors: l33tfg
Victim Country: United States
Victim Industry: Government – Atmospheric and Oceanic Administration
Victim Organization: National Oceanic and Atmospheric Administration (NOAA)
Victim Site: noaa.gov
Alleged Sale of Full Infrastructure Access to Russian Government Construction and Energy Regulator
Category: Initial Access
Content: A threat actor operating under the alias 0m0nRa is selling full administrative access to the infrastructure of a major Russian government regulator overseeing construction and design. The access includes IPMI/Supermicro admin, ESXi root, Webmin root, 1C accounting admin credentials and backups containing PII, contracts, and financial records spanning nearly 10 years, as well as 400+ GB MySQL databases and 500+ intercepted corporate credential pairs. The seller markets the access as an entry po
Date: 2026-04-22T16:56:31Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-GOV-RU-140kk-GOV-FULL-ACCESS-IPMI-ESXI-TO-CONSTRUCTION-ENERGY-REGAULATOR
Screenshots:
None
Threat Actors: 0m0nRa
Victim Country: Russia
Victim Industry: Government / Construction & Energy Regulation
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of USA Permanent Residents KYC and PII Data Including SSNs
Category: Data Breach
Content: A threat actor operating under the alias zSenior is selling a dataset purportedly containing KYC and personally identifiable information of 2,389 USA permanent residents. The dataset, totaling 8GB across 7,167 files, includes Permanent Resident Card images, SSN card scans, and PDF documents containing full names, SSNs, phone numbers, addresses, dates of birth, email addresses, and W-4 tax forms. The seller is accepting offers with a price cap of $800 and supports escrow transactions.
Date: 2026-04-22T16:55:27Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-USA-Permanent-Residents-Leads-KYC-SSN-and-more
Screenshots:
None
Threat Actors: zSenior
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Crypto.com Forex and CFD Trader Database
Category: Data Breach
Content: A threat actor operating under the alias Chinahacker is selling an alleged database of 185,742 enriched trader profiles purportedly extracted from Crypto.coms forex and CFD trading platform between April 1–12, 2026. The database reportedly includes full names, verified emails, phone numbers, KYC levels, deposit and trading volume history, hashed passwords, device fingerprints, and recent trade snippets. The seller is offering tiered pricing ranging from $180 for a test pack to $4,200 for the
Date: 2026-04-22T16:54:55Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Exclusive-April-2026-Crypto-com-Forex-CFD-Trader-Leads-Database
Screenshots:
None
Threat Actors: Chinahacker
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Crypto.com
Victim Site: crypto.com
Alleged Data Breach of Bureau of Transportation Statistics (BTS.GOV)
Category: Data Breach
Content: A threat actor operating under the alias Ashborn is selling an alleged database containing 20 million rows of PII data attributed to BTS.GOV, the official website of the U.S. Bureau of Transportation Statistics, a federal agency under the Department of Transportation. The data is being offered for $5,000 worth of cryptocurrency, with proof of the breach shared via an external file hosting link. Contact is facilitated exclusively through the Session messaging platform.
Date: 2026-04-22T16:54:25Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-USA-20-000-000-rows-PII-Data-of-BTS-GOV–74260
Screenshots:
None
Threat Actors: Ashborn
Victim Country: United States
Victim Industry: Government
Victim Organization: Bureau of Transportation Statistics
Victim Site: bts.gov
Alleged Sale of Access to BATFE, ATF, FBI, CIA, and Intelligence Agency Weapons Search Systems
Category: Initial Access
Content: A threat actor on a dark web forum claims to be selling access to international weapons search tools allegedly linked to U.S. and allied intelligence and law enforcement agencies including BATFE/ATF, FBI, CIA, SIS, and MI6, for 60,000 in cryptocurrency. The actor further claims the access enables ordering military-grade weapons including fighter jets, rocket launchers, and nuclear missiles for delivery to any country. Contact is provided via Telegram handle @stoppled; the claims are highly dubio
Date: 2026-04-22T16:53:36Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-BATFE-ATF-F-B-I-Firearms-and-Explosives-ACCES
Screenshots:
None
Threat Actors: Thread
Victim Country: United States
Victim Industry: Government
Victim Organization: Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), FBI, CIA, SIS, MI6
Victim Site: Unknown
Alleged Data Breach and Defacement of Aman-Iraq Semi-Governmental Platform
Category: Data Breach
Content: A threat actor operating under the alias KurdFemboys and affiliated with FEMBOYSec Intelligence Team claims to be selling approximately 108GB of data exfiltrated from Aman-Iraq, an Iraqi semi-governmental platform offering insurance, financial, legal, and public services. The stolen data allegedly includes customer images, ID cards, drivers licenses, and full database contents. The actor also claims to have defaced multiple associated domains including aman-org.org, aman-iraq.com, and syste
Date: 2026-04-22T16:53:03Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Aman-Iraq-2026-108GB
Screenshots:
None
Threat Actors: KurdFemboys
Victim Country: Iraq
Victim Industry: Financial Services & Insurance
Victim Organization: Aman-Iraq
Victim Site: aman-iraq.com
Alleged Sale of Android Remote Access Trojan (RAT) Tool
Category: Initial Access
Content: A threat actor identified as OnarDev is advertising an Android Remote Access Trojan (RAT) on a dark web forum, directing potential buyers to a Telegram channel at t.me/Ratxs. The tool is described as a Chinese-origin Android RAT capable of remote control of infected devices. No pricing details or specific capabilities were disclosed in the post.
Date: 2026-04-22T16:52:34Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Chainese-Android-Remote-Control-Trojan
Screenshots:
None
Threat Actors: OnarDev
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Neoskool (India) Exposing Ellucian PowerCampus Client School Data
Category: Data Breach
Content: A threat actor identified as ShadowByt3S claims to be selling approximately 4GB of data stolen from Neoskool, an Indian managed service provider operating the Ellucian PowerCampus platform for multiple schools. The stolen data allegedly includes student and staff PII (including Aadhaar numbers, photos, and ID cards), financial records, academic results, medical information, and cloud infrastructure credentials (AWS access). The actor is selling the dataset for $500 in Bitcoin or Monero, with pro
Date: 2026-04-22T16:51:53Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Full-4GB-Ellucian-Powercampus
Screenshots:
None
Threat Actors: ShadowByt3S
Victim Country: India
Victim Industry: Education
Victim Organization: Neoskool
Victim Site: Unknown
Alleged Sale of 100 Million Russian Citizens Personal Data Including Phone Numbers, Full Names, and Dates of Birth
Category: Data Breach
Content: A threat actor operating under the alias GenesisZ is allegedly selling a database containing over 100 million Russian mobile phone records. The structured dataset includes phone numbers in Russian mobile format, full names with patronymics, and dates of birth in YYYY-MM-DD format. The seller is advertising the database for targeted marketing, demographic research, and outreach purposes, and can be contacted via Telegram (@GenesisHax) or Session.
Date: 2026-04-22T16:51:15Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-100-Million-Russian-Phone-Numbers-database-Phone-Numbers-Full-Name-DOB–74123
Screenshots:
None
Threat Actors: IntelHead
Victim Country: Russia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Corporacion Universitaria Cenda via EmergiaCC Platform
Category: Data Breach
Content: Threat actor Petro_Escobar, in collaboration with NyxarGroup, is selling database records associated with Corporacion Universitaria Cenda hosted on the EmergiaCC platform. The data includes two datasets: a general database with 2,390 management records and a unified management profiling database with 10,565 records, totaling approximately 12,955 records. Exposed fields include full names, document numbers, phone numbers, contact statuses, payment dates, and call management details pertaining
Date: 2026-04-22T16:50:43Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Cenda-EmergiaCC-Conalcreditos-Colombia
Screenshots:
None
Threat Actors: Petro_Escobar
Victim Country: Colombia
Victim Industry: Education
Victim Organization: Corporacion Universitaria Cenda
Victim Site: emergiacc.com
Alleged Data Breach of Mercadeo Efectivo S.A.S – Diageo Colombia Business Intelligence Database
Category: Data Breach
Content: Threat actors Petro_Escobar and NyxarGroup are selling a database allegedly sourced from Mercadeo Efectivo S.A.S (Emergia), a Colombian business analytics firm contracted by Diageo Colombia. The database reportedly contains approximately 1 million records with detailed business profiling data including point-of-sale information, GPS coordinates, distributor details, establishment characteristics, and segmentation data collected through Diageo mystery shopper and merchant programs across Colo
Date: 2026-04-22T16:50:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Mercadeo-Efectivo-S-A-S-DIAEGO-COLOMBIA
Screenshots:
None
Threat Actors: Petro_Escobar
Victim Country: Colombia
Victim Industry: Market Research / Business Analytics
Victim Organization: Mercadeo Efectivo S.A.S (Emergia)
Victim Site: emergiacc.com
Alleged Sale of Pre-Authentication RCE Zero-Day Exploit for AnyLink PPX VPN
Category: Initial Access
Content: A threat actor known as berz0k is selling an alleged zero-day pre-authentication remote code execution (RCE) vulnerability affecting AnyLink PPX VPN appliances, claiming it achieves root-level access without requiring authentication. The exploit is advertised as 100% reliable with no crash, and is listed exclusively for $70,000 USD. According to the seller, approximately 26.2 million potentially vulnerable targets are exposed and indexed on ZoomEye.
Date: 2026-04-22T16:49:42Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-0day-AnyLink-PPX-Preauth-RCE
Screenshots:
None
Threat Actors: berz0k
Victim Country: Unknown
Victim Industry: Multiple Sectors (VPN Users)
Victim Organization: Unknown
Victim Site: Unknown
Alleged Google Review Manipulation and Removal Service Offered via Dark Forum
Category: Initial Access
Content: A threat actor operating under the alias israinsolutions is selling a Google review removal service on a dark web forum, claiming to use policy-based methods to remove 1-star reviews for businesses. Pricing ranges from $75 to $190 per review depending on content type, with a turnaround time of 3-8 days. The service is marketed as confidential and manual, accepting multiple payment methods including cryptocurrency and bank transfers.
Date: 2026-04-22T16:49:09Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-%E2%9A%A1%EF%B8%8F1-Star-Google-Review-Removal-ORM-Reputation-Management-Pay-On-Success%E2%9C%85
Screenshots:
None
Threat Actors: israinsolutions
Victim Country: Unknown
Victim Industry: Online Reputation / Review Platforms
Victim Organization: Google
Victim Site: google.com
Alleged Data Breach of Paraguays DINAC Aviation Authority (ifis.dinac.gov.py)
Category: Data Breach
Content: Threat actors NyxarGroup, ArcRaidersPlayer, and Petro_Escobar are selling a database allegedly exfiltrated from Paraguays Dirección Nacional de Aeronáutica Civil (DINAC) aviation authority portal ifis.dinac.gov.py. The leaked data includes structured records for pilots (containing national ID numbers, full names, license numbers, medical certificate dates, and aircraft types), registered aircraft (including registration, insurance expiry, and maintenance records), and rural airstrip information
Date: 2026-04-22T16:48:36Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-PY-IFIS-DINAC-GOV-PY
Screenshots:
None
Threat Actors: NyxarGroup
Victim Country: Paraguay
Victim Industry: Government – Civil Aviation Authority
Victim Organization: DINAC (Dirección Nacional de Aeronáutica Civil)
Victim Site: ifis.dinac.gov.py
Alleged data breach of Indonesian agricultural and government personnel database
Category: Data Breach
Content: A threat actor operating under the alias 053o has shared a database allegedly containing personal information of Indonesian agricultural and government personnel. The exposed data includes full names, email addresses, phone numbers, and institutional affiliations, with individuals linked to organizations such as the Directorate General of Horticulture, regional agriculture offices, and universities. The actor directed interested parties to contact them via Telegram, suggesting potential moneti
Date: 2026-04-22T16:48:06Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-INDONESIA
Screenshots:
None
Threat Actors: 053o
Victim Country: Indonesia
Victim Industry: Government & Agriculture
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Belgian Social Security Portal (socialsecurity.be) Exposing ~482,000 Records
Category: Data Breach
Content: A threat actor known as Databroker1 is selling an alleged database dump from the Belgian Social Security portal (socialsecurity.be) containing approximately 482,000 records. The dataset includes three interconnected sections covering personal identifiers (INSZ numbers, full names, birthdates, postal codes, gender, phone numbers), employment records (salaries, employer contributions, worker contributions), and social benefits data (benefit types, daily amounts, review dates). The data is availa
Date: 2026-04-22T16:47:06Z
Network: openweb
Published URL: https://darkforums.su/Thread-https-www-socialsecurity-be-%E2%89%88482k-records-leaks-personaldata-IDs-contact-location
Screenshots:
None
Threat Actors: Databroker1
Victim Country: Belgium
Victim Industry: Government / Social Services
Victim Organization: Belgian Social Security
Victim Site: socialsecurity.be
Alleged Data Breach of Banco Unión (Giros y Finanzas) Colombia Customer Records via EmergiaCC and Conalcreditos
Category: Data Breach
Content: Threat actor Petro_Escobar, in collaboration with NyxarGroup, is selling a database allegedly containing over 1 million customer records from Banco Unión (formerly Giros y Finanzas), a Colombian financial institution and authorized Western Union agent. The structured dataset includes full names, national ID numbers, phone numbers, addresses, debt obligation details, payment statuses, contact history, and economic activity information, associated with a Conalcreditos June 2025 portfolio assig
Date: 2026-04-22T16:46:36Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Banco-Uni%C3%B3n-Giros-y-Finanzas-EmergiaCC-Conalcreditos-Colombia
Screenshots:
None
Threat Actors: Petro_Escobar
Victim Country: Colombia
Victim Industry: Banking & Financial Services
Victim Organization: Banco Unión (Giros y Finanzas)
Victim Site: bancounion.com
Alleged Data Breach of Servimotos Yamaha Colombia (EmergiaCC/Conalcreditos) with 1 Million Records
Category: Data Breach
Content: Threat actors Petro_Escobar and NyxarGroup are selling a database allegedly containing 1 million records from Servimotos Yamaha, an authorized Yamaha motorcycle dealer and distributor in Colombia operating through the EmergiaCC/Conalcreditos platform. The structured database includes personally identifiable information such as full names, identification numbers, phone numbers, addresses, and detailed financial/debt collection records including payment agreements, outstanding balances, and ac
Date: 2026-04-22T16:46:05Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-SERVIMOTOS-YAMAHA-EmergiaCC-Conalcreditos-Colombia
Screenshots:
None
Threat Actors: Petro_Escobar
Victim Country: Colombia
Victim Industry: Automotive / Motorcycle Dealership
Victim Organization: Servimotos Yamaha
Victim Site: servimotosyamaha.com
Alleged Sale of Verified Coinbase Accounts with KYC Bypass
Category: Carding
Content: A threat actor operating on DarkForums is selling fully verified Coinbase accounts associated with French and Luxembourgish identities, obtained via manual selfie/KYC bypass. Each account includes full email access, Google Authenticator credentials, KYC-verified status, and a linked PayPal account, with daily withdrawal limits up to $20,000 via PayPal and $1,000 via physical card ATM withdrawals. Accounts are advertised as at least six months old with email history provided as proof of stability
Date: 2026-04-22T16:45:33Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Coinbase-Verified-Accounts-for-Sale-Selfie-Bypass
Screenshots:
None
Threat Actors: Jusious23
Victim Country: France
Victim Industry: Financial Services
Victim Organization: Coinbase
Victim Site: coinbase.com
Alleged data breach of GoldUnion.fr (GoldInfo.fr)
Category: Data Breach
Content: A threat actor operating under the alias 3ndGames is offering a database allegedly sourced from GoldUnion (goldunion.fr), a French financial/gold services platform. The dataset reportedly contains approximately 8,000 lines of user data. The actor has provided a proof image and can be contacted via the Session messaging protocol.
Date: 2026-04-22T16:45:04Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-FR-GoldInfo-fr
Screenshots:
None
Threat Actors: 3ndGames
Victim Country: France
Victim Industry: Financial Services
Victim Organization: GoldUnion
Victim Site: goldunion.fr
Alleged Data Leak of Adda.io India Database
Category: Data Leak
Content: A threat actor known as CrxsMods has made available an alleged database dump from Adda.io, an India-based platform. The data is being distributed for free via an external file hosting link. No further details regarding the volume or specific contents of the database were provided in the post.
Date: 2026-04-22T16:43:56Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Adda-io-India-Database-Leak
Screenshots:
None
Threat Actors: CrxsMods
Victim Country: India
Victim Industry: Unknown
Victim Organization: Adda.io
Victim Site: adda.io
Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor known as klyne05 has made available a mixed email combolist described as private and freshly checked. The post was shared on the cracking forum CrackingX and includes a download link for the credential list. No specific victim organization or record count was disclosed.
Date: 2026-04-22T16:40:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72881/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist purportedly containing 163 high-quality Hotmail account credential hits. The post offers a free download of the credential list, which likely consists of verified email and password combinations for Microsoft Hotmail accounts. No additional context or data fields were provided in the post.
Date: 2026-04-22T16:40:25Z
Network: openweb
Published URL: https://crackingx.com/threads/72882/
Screenshots:
None
Threat Actors: Hotmail Cloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail, Yahoo, and Orange FR credentials targeting Casino platforms
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist of approximately 3 million credentials via Telegram channels, targeting Hotmail, Yahoo, and Orange FR email accounts for use against Casino platforms. The actor promotes free combo distribution through two Telegram groups and offers additional combolists via direct Telegram contact. No price is mentioned, indicating the credentials are being freely shared.
Date: 2026-04-22T16:39:59Z
Network: openweb
Published URL: https://crackingx.com/threads/72884/
Screenshots:
None
Threat Actors: CODER
Victim Country: France
Victim Industry: Gambling & Gaming
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 1,420 alleged valid Hotmail credentials on the cracking forum CX. The post claims the credentials are premium hits sourced from a private cloud mix of email accounts. The actor can be contacted via Telegram handle alphaaxd for access to the download.
Date: 2026-04-22T16:39:43Z
Network: openweb
Published URL: https://crackingx.com/threads/72885/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed email access combolist
Category: Combo List
Content: A threat actor known as MarkVesto has shared a mixed mail access combolist containing approximately 52,000 email credentials on the crackingx.com forum. The combolist appears to aggregate credentials from multiple sources across various email providers. The content is made available to registered forum users and promoted via a Telegram channel.
Date: 2026-04-22T16:39:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72886/
Screenshots:
None
Threat Actors: MarkVesto
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen VISA payment card data targeting United States
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen VISA credit card record belonging to a United States cardholder. The record includes full card number, expiration date, CVV, cardholder name, and billing address. The data was posted under the label USA LIVE, suggesting the card may be currently active.
Date: 2026-04-22T16:36:01Z
Network: openweb
Published URL: https://altenens.is/threads/usa-live.2928465/
Screenshots:
None
Threat Actors: totoww
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of QuillBot Education Premium account credentials
Category: Carding
Content: A threat actor operating under the alias MINDHUNTER on the carding forum Altenens shared alleged QuillBot Education Premium accounts, claimed to be 100% working. The post also promotes a LinkedIn Premium upgrading service. No specific record count or pricing details were provided in the visible post content.
Date: 2026-04-22T16:35:20Z
Network: openweb
Published URL: https://altenens.is/threads/sparkles-quillbot-sparkles-high-voltagequillbot-education-premium-accounts-star-quillbot-star-100-working-sparkles.2928471/unread
Screenshots:
None
Threat Actors: MINDHUNTER
Victim Country: Unknown
Victim Industry: Education Technology
Victim Organization: QuillBot
Victim Site: quillbot.com
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as KiwiShio has made available a combolist of 720 Hotmail credentials on the cracking forum CrackingX. The post advertises the list as fresh and high quality, suggesting recently obtained or verified email and password combinations. The credentials are being distributed for free via a download link.
Date: 2026-04-22T16:15:01Z
Network: openweb
Published URL: https://crackingx.com/threads/72883/
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias KiwiShio shared a combolist of approximately 720 Hotmail email and password combinations on the DemonForums cybercrime forum. The post, categorized under combolists, claims the credentials are fresh and high quality. No additional details regarding the origin or method of collection were available in the post content.
Date: 2026-04-22T16:14:26Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-720x-%E2%AD%90%E2%AD%90-FRESH-HQ-HOTMAIL-%E2%AD%90%E2%AD%90–201319
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged security research exposing Apple Secure Kernel (cL4) vulnerability via GLx Research Platform
Category: Initial Access
Content: Security researchers from Antid0te SG Pte. Ltd. published findings demonstrating that Apples Secure Kernel (cL4), the microkernel guarding the Exclaves environment on iOS and macOS, can be crashed by any code executing in Exclaves userland. Using their GLx Research Platform, which runs the Secure Kernel inside a controlled hypervisor, researchers showed that memory corruption or code execution in any Exclaves userland component could trigger a kernel panic, raising significant security implicat
Date: 2026-04-22T16:11:54Z
Network: openweb
Published URL: https://tier1.life/thread/165
Screenshots:
None
Threat Actors: RedQueen
Victim Country: United States
Victim Industry: Technology
Victim Organization: Apple
Victim Site: apple.com
Alleged full TEE privilege escalation chain demonstrated against Xiaomi Redmi Note 11s
Category: Initial Access
Content: Researchers from FuseSecurity presented at 39C3 a full privilege escalation chain targeting the Trusted Execution Environment (TEE) on Xiaomi Redmi Note 11s devices running MediaTek SoCs. The exploit chain leverages rollback attacks on Trusted Applications, a type confusion bug in the keyinstall TA (CVE-2023-32835) rooted in the GlobalPlatform TEE specification, and a novel compromise of the Fiasco microkernel in BeanPod TEE, achieving code execution from N-EL0 user space all the way to S-EL3 Se
Date: 2026-04-22T16:11:02Z
Network: openweb
Published URL: https://tier1.life/thread/166
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Xiaomi
Victim Site: xiaomi.com
Alleged sharing of stolen UK payment card data
Category: Carding
Content: A threat actor on the carding forum AE shared stolen UK payment card data under the thread UK low balance. The post includes a MasterCard number with expiration date, CVV, cardholder name, and billing address associated with a United Kingdom-based individual. The card appears to be a low-balance account, shared freely on the forum.
Date: 2026-04-22T16:09:56Z
Network: openweb
Published URL: https://altenens.is/threads/uk-low-balance.2928451/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sharing of Stolen American Express Card Details Belonging to Turkish Cardholder
Category: Carding
Content: A threat actor on the carding forum Altenens shared a stolen American Express card record belonging to a cardholder in Turkey. The post includes full card details such as card number, expiration date, CVV, cardholder name, and billing address. The actor noted the card was tested and worked for approximately $50 USD, suggesting a low remaining balance.
Date: 2026-04-22T16:09:31Z
Network: openweb
Published URL: https://altenens.is/threads/tr-amex-worked-for-50-usd-maybe-low-balance.2928453/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: Turkey
Victim Industry: Financial Services
Victim Organization: American Express
Victim Site: americanexpress.com
Alleged sharing of stolen US payment card data
Category: Carding
Content: A threat actor on the AE carding forum shared what appears to be a live US VISA credit card record including full card number, expiration date, CVV, cardholder name, and billing address. The post is labeled USA LIVE, suggesting the card data may be active and valid. The shared record belongs to an individual in the United States with ZIP code 61837-9443.
Date: 2026-04-22T16:09:05Z
Network: openweb
Published URL: https://altenens.is/threads/usa-live.2928465/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mauston hospital reports cyberattack disrupting phone and computer systems
Category: Cyber Attack
Content: Mile Bluff Medical Center is currently experiencing disruptions to its computer and telephone systems following a cybersecurity incident involving data encryption. The organization immediately activated its security protocols and launched an investigation with the assistance of internal experts and third-party partners. Management is actively working to assess the situation in order to fully restore the impacted functionalities.
Date: 2026-04-22T16:07:57Z
Network: openweb
Published URL: https://www.wkow.com/news/mauston-hospital-reports-cyberattack-disrupting-phone-and-computer-systems/article_e7710203-4b57-49ef-8052-007b3dd4f58e.html
Screenshots:
None
Threat Actors:
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Mile Bluff Medical Center
Victim Site: milebluff.com
病院にサイバー攻撃か外来と救急停止奈良（ANNニュース）
Category: Cyber Attack
Content: The Nara Municipal Hospital has suspended its emergency services and outpatient consultations following a suspected cyberattack. The incident, detected on April 21 by network monitoring devices, rendered several computer systems inoperable, including electronic medical records. Local authorities are currently collaborating with police to analyze data logs in order to identify the origin of the attack.
Date: 2026-04-22T16:07:53Z
Network: openweb
Published URL: https://www.nagoyatv.com/news/1000/syakai.html?id=000500459
Screenshots:
None
Threat Actors:
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Nara City Hospital
Victim Site: nara-jadecom.jp
Alleged leak of mixed email access credentials (6,313 records)
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a mixed mail access combolist containing 6,313 credential pairs. The post is gated behind registration but appears to offer free access to email credentials from multiple providers. No specific victim organization or country has been identified, suggesting this is a mixed/multi-source credential list.
Date: 2026-04-22T15:29:49Z
Network: openweb
Published URL: https://crackingx.com/threads/72878/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail and mixed credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Roronoa044 has shared what is claimed to be a combolist containing valid Hotmail credentials and a mixed set of email:password combinations, described as UHQ (ultra-high quality). The content is hidden behind a forum registration wall and promoted via a Telegram channel (@noiraccesss). No record count or specific victim organization has been identified.
Date: 2026-04-22T15:28:55Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1397-Valid-UHQ-Mix-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: hotmail.com
Alleged leak of mixed email credentials including Hotmail combolist
Category: Combo List
Content: A threat actor operating under the alias noir on the cracking forum CrackingX has made available a combolist containing approximately 1,397 allegedly valid mixed credentials, including Hotmail accounts and private cloud access. The post advertises the content as UHQ (ultra-high quality), suggesting the credentials have been verified. A Telegram contact (@noiraccesss) is provided alongside a download link for free distribution.
Date: 2026-04-22T15:28:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72880/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data targeting Australian cardholder
Category: Carding
Content: A threat actor on a carding forum shared payment card details belonging to an Australian cardholder named Ray Cassin. The leaked data includes a full card number, expiration date, CVV, billing address, and zip code. The post was made available on the AE carding forum under the thread lb cc usa.
Date: 2026-04-22T15:21:02Z
Network: openweb
Published URL: https://altenens.is/threads/lb-cc-usa.2928447/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: Australia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Logs
Content: A threat actor operating under the alias UniqueCombo has shared a combolist allegedly containing 28,000 unique Hotmail credentials on an underground forum. The post, titled Hotmail Unique Combo_3_28000, suggests the credential list consists of email and password pairs targeting Microsofts Hotmail service. No price was mentioned, indicating the combolist was made available for free.
Date: 2026-04-22T15:17:15Z
Network: openweb
Published URL: https://xforums.st/threads/hotmail-unique-combo_3_28000.609288/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Website Defacement of MEEX Group by Threat Actor Zod
Category: Defacement
Content: On April 22, 2026, a threat actor operating under the alias Zod defaced a web page hosted on the MEEX Group domain in Israel. The targeted page (zod.html) was hosted on a Linux-based server. The incident was a single targeted defacement, not part of a mass or repeated defacement campaign.
Date: 2026-04-22T15:06:51Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248618
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Israel
Victim Industry: Business Services
Victim Organization: MEEX Group
Victim Site: meexgroup.ussl.co.il
Website Defacement of Faith Logistic by Threat Actor Zod
Category: Defacement
Content: On April 22, 2026, threat actor Zod defaced the website faithlogistic.net, targeting a logistics company running on a Linux-based server. The attack involved the creation of a defacement page at the URL path /zod.html, with the incident archived and mirrored by the haxor.id defacement archive service.
Date: 2026-04-22T15:03:43Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248617
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Logistics and Transportation
Victim Organization: Faith Logistic
Victim Site: faithlogistic.net
Alleged leak of Hotmail credential samples
Category: Combo List
Content: A threat actor operating under the alias HollowKnight07 has made available a sample combolist of 365 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link to the credential list. The origin and validity of the credentials have not been verified.
Date: 2026-04-22T15:02:54Z
Network: openweb
Published URL: https://crackingx.com/threads/72875/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of GMX credentials targeting German shopping sites
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist of GMX email credentials allegedly targeting German shopping websites. The credentials are being made available for free via Telegram channels and groups operated by the actor. The post promotes two Telegram groups offering free combolists and tools.
Date: 2026-04-22T15:02:25Z
Network: openweb
Published URL: https://crackingx.com/threads/72876/
Screenshots:
None
Threat Actors: CODER
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: gmx.de
Alleged leak of Yahoo credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a mixed-target Yahoo combolist containing approximately 1.74 million lines via a Mega.nz file sharing link. The combolist likely contains email and password credential pairs associated with Yahoo accounts. The content was shared freely on the cracking forum CrackingX without any stated price.
Date: 2026-04-22T15:01:44Z
Network: openweb
Published URL: https://crackingx.com/threads/72877/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com
Alleged leak of mixed email:password combolist (X1816 HQ Mix)
Category: Combo List
Content: A threat actor operating under the alias Steveee36 and posted by user erwinn91 has made available a combolist labeled X1816 HQ Mix on DemonForums. The list reportedly contains 1,816 high-quality email:password credential pairs of mixed origin. The content is gated behind forum registration or login, suggesting it is being shared freely within the community.
Date: 2026-04-22T15:01:29Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1816-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Steveee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged DDoS Stresser Service Advertisement – Goofystresse.st
Category: Malware
Content: Goofystresse.st is advertising a DDoS stresser service offering Layer 4 (TCP/UDP flood up to 10M pps) and Layer 7 attack capabilities with bypasses for CAPTCHA, cache, and UAM protections. Service includes game-specific bypasses for Fortnite, Minecraft, Apex, COD, Roblox, and Battlefield. Claims 3+ years of operation with 1000-1500 customers. Website domain recently migrated to goofystresse.st with auto-payment system.
Date: 2026-04-22T14:55:20Z
Network: telegram
Published URL: https://t.me/c/1669509146/94668
Screenshots:
None
Threat Actors: Goofystresse / Goofyorg
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Credit Card Checker Tool at Low Cost
Category: Carding
Content: A threat actor on the carding forum Altenens is selling a credit card checker tool for $0.10 per check. The tool is advertised as a low-cost service for validating stolen payment card data. No further technical details about the tools capabilities or targets are provided in the post.
Date: 2026-04-22T14:53:47Z
Network: openweb
Published URL: https://altenens.is/threads/cc-checker-low-charge.2928442/unread
Screenshots:
None
Threat Actors: totoww
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of kelulusansd.yski.info by Irene of XmrAnonye.id
Category: Defacement
Content: On April 22, 2026, a threat actor known as Irene operating under the team XmrAnonye.id defaced the website kelulusansd.yski.info, an Indonesian educational portal associated with elementary school graduation results. The attack targeted a Linux-based server and was a single targeted defacement rather than a mass or redefacement campaign. A mirror of the defaced page was archived at haxor.id.
Date: 2026-04-22T14:46:55Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248616
Screenshots:
None
Threat Actors: Irene, XmrAnonye.id
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: YSKI (Yayasan Sosial Kemanusiaan Indonesia) – SD Graduation Portal
Victim Site: www.kelulusansd.yski.info
Alleged cyberattack on Swedish power plants by NoName057(16)
Category: Cyber Attack
Content: NoName057(16) claims responsibility for attacking Swedish thermal power plants in 2025. The post references a Swedish government officials statement about pro-Russian hacker group attacks and includes hashtags #FuckEastwood #TimeOfRetribution #OpSweden. The group appears to be re-sharing attack video content from a previously deleted Telegram channel.
Date: 2026-04-22T14:42:18Z
Network: telegram
Published URL: https://t.me/c/3584758467/798
Screenshots:
None
Threat Actors: NoName057(16)
Victim Country: Sweden
Victim Industry: Energy/Critical Infrastructure
Victim Organization: Swedish thermal power plants
Victim Site: Unknown
Alleged data breach of car rental company – 26k customer records
Category: Data Breach
Content: A database breach from a car rental company has been shared containing 6,800+ clear drivers license images and 26k customer data records. The exposed data includes full names, gender, email addresses, phone numbers, national ID numbers, dates of birth, marital status, drivers license expiration dates, front-facing drivers license photos, and national ID expiration dates.
Date: 2026-04-22T14:31:50Z
Network: telegram
Published URL: https://t.me/c/2613583520/67613
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Saudi Arabia
Victim Industry: Transportation/Car Rental
Victim Organization: Car rental company
Victim Site: Unknown
Alleged distribution of Malwarebytes keygen tool by threat actor IIIOH
Category: Initial Access
Content: A threat actor known as IIIOH has made available a console-based keygen tool targeting Malwarebytes license key formats, shared freely on a cracking forum by user Starip. The tool is designed to generate bulk license key-style strings and is flagged as potentially malicious by antivirus software. Users are instructed to disable antivirus protections to run the tool, suggesting it may contain embedded malware or be used to bypass software licensing controls.
Date: 2026-04-22T14:30:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Malwarebytes-Keygen-By-IIIOH
Screenshots:
None
Threat Actors: Starip
Victim Country: Unknown
Victim Industry: Cybersecurity Software
Victim Organization: Malwarebytes
Victim Site: malwarebytes.com
Alleged distribution of STORM Captcha Solver automation tool on cracking forum
Category: Carding
Content: A threat actor operating under the alias Starip has made available on DemonForums a tool called STORM v2.6.0.2, described as a modular captcha-solving and automation engine. The tool features worker configs, task controllers, real-time execution tracking, debug mode, and encryption support for configs, designed to automate repeated tasks at scale. Such tools are commonly used to facilitate credential stuffing, account takeover, or automated fraud workflows on targeted platforms.
Date: 2026-04-22T14:30:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-STORM-Captcha-Solver
Screenshots:
None
Threat Actors: Starip
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub shared a combolist containing approximately 1,274 Hotmail credentials on the cracking forum CrackingX. The post was made in the Combolists & Dumps section and references a D4rkNetHub cloud storage source. The actual content of the post is restricted to registered/signed-in users, limiting full verification of the claim.
Date: 2026-04-22T14:29:58Z
Network: openweb
Published URL: https://crackingx.com/threads/72868/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged sale of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub is selling a combolist containing 1,274 Hotmail email and password credential pairs on a cybercrime forum. The content is hosted on a private cloud service branded as D4RKNETHUB CLOUD, with tiered subscription access ranging from $10 for a 3-day trial to $50 for 30 days. The actor also promotes an associated shop and Telegram channel for purchase inquiries.
Date: 2026-04-22T14:29:49Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1-274-Good-HOTMAIL-GOODS-D4RKNETHUB-CLOUD
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of mixed credential combolist with 54,027 lines
Category: Combo List
Content: A threat actor operating under the alias stormtrooper has shared a mixed combolist containing 54,027 email:password credential pairs on DemonForums. The content is gated behind forum registration or login, and the actor promotes a Telegram channel (@BossBrowz) likely used for further distribution. The combolist is described as fresh and appears to aggregate credentials from multiple unspecified sources.
Date: 2026-04-22T14:29:30Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-54-027-Lines-Fresh-Mix-Combolist
Screenshots:
None
Threat Actors: stormtrooper
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist containing 54,027 lines
Category: Combo List
Content: A threat actor known as Browzchel has made available a mixed combolist containing 54,027 lines on the cracking forum CrackingX. The content appears to be a free leak distributed via a Telegram channel (@BossBrowz). No specific victim organization or targeted service has been identified, suggesting the list is an aggregation of credentials from multiple sources.
Date: 2026-04-22T14:29:20Z
Network: openweb
Published URL: https://crackingx.com/threads/72872/
Screenshots:
None
Threat Actors: Browzchel
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of SoftwareOnlineKaufen.EU with Database and Email Archive for Sale
Category: Data Breach
Content: A threat actor operating under the alias Schneider claims to be selling a complete database and IMAP server email backup (over 50GB) stolen from SoftwareOnlineKaufen.EU, a German gift card and software license retailer, following an alleged hack in March 2026. The data reportedly includes over 25,000 delivery emails containing visible software activation keys, many of which remain unused, particularly bulk purchases from companies. The threat actor is selling the data exclusively once for 500
Date: 2026-04-22T14:29:03Z
Network: openweb
Published URL: https://crackingx.com/threads/72869/
Screenshots:
None
Threat Actors: Schneider
Victim Country: Germany
Victim Industry: E-Commerce / Software Retail
Victim Organization: SoftwareOnlineKaufen.EU
Victim Site: softwareonlinekaufen.eu
Alleged Sharing of Live United States Payment Card Data
Category: Carding
Content: A threat actor on the AE carding forum shared four allegedly live United States payment card records, including full card numbers, expiration dates, and CVV codes, all marked as approved. The post invites others to comment if they successfully use the cards, suggesting the data is being freely distributed for fraudulent purposes.
Date: 2026-04-22T14:21:42Z
Network: openweb
Published URL: https://altenens.is/threads/live-usa-card-100.2928432/unread
Screenshots:
None
Threat Actors: seduk31
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Free Sharing of Stolen Payment Card Data
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen payment card record for free. The post includes a card number (4090132944435464), an expiration date (05/32), and a CVV (145). The card appears to be a Visa card based on the BIN prefix.
Date: 2026-04-22T14:21:09Z
Network: openweb
Published URL: https://altenens.is/threads/cc-gratis.2928435/unread
Screenshots:
None
Threat Actors: Antonio5454
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen payment card record, including a full card number (4599962095140117), expiration date (30/07), and CVV (853). The post is titled cc 100×100, which may indicate a batch or quality claim related to stolen card data. No victim organization or country could be identified from the available information.
Date: 2026-04-22T14:20:38Z
Network: openweb
Published URL: https://altenens.is/threads/cc-100×100.2928436/unread
Screenshots:
None
Threat Actors: Antonio5454
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen Spanish payment card data
Category: Carding
Content: A threat actor operating under the alias Antonio5454 shared what appears to be a stolen Spanish payment card on a carding forum. The post includes a full card number, expiration date (07/32), and CVV (988). The data was made available on the AE carding forum without indication of a price.
Date: 2026-04-22T14:20:07Z
Network: openweb
Published URL: https://altenens.is/threads/cc-spain.2928439/unread
Screenshots:
None
Threat Actors: Antonio5454
Victim Country: Spain
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen credit card data
Category: Carding
Content: A threat actor posted what appears to be a stolen credit card record on a carding forum. The post includes a full card number (4343580000270222), expiration date (01/28), and CVV (266). The card number prefix suggests it may be associated with Visa or a related card network.
Date: 2026-04-22T14:19:40Z
Network: openweb
Published URL: https://altenens.is/threads/cc-viva.2928434/unread
Screenshots:
None
Threat Actors: Antonio5454
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Arkansas State Crime Lab
Category: Data Breach
Content: KittyKatKrew (KKK) claims successful breach of Arkansas State Crime Lab via web portal at https://lasso.crimelab.arkansas.gov. Two data sets allegedly exfiltrated: (1) complete court calendar export containing case information, defendant names, court dates, contact details, and case dispositions; (2) entire personnel directory with login credentials, email addresses, account status, last login timestamps, job titles, phone numbers, and approval statuses for all users and legal professionals.
Date: 2026-04-22T14:19:06Z
Network: telegram
Published URL: https://t.me/c/3400865010/54
Screenshots:
None
Threat Actors: KittyKatKrew
Victim Country: United States
Victim Industry: Law Enforcement / Government
Victim Organization: Arkansas State Crime Lab
Victim Site: crimelab.arkansas.gov
Alleged Data Leak of Regional Investment Center Rabat-Salé-Kénitra
Category: Data Leak
Content: A threat actor known as kutam_dz has made available a database dump allegedly belonging to the Regional Investment Center of the Rabat-Salé-Kénitra region in Morocco. The leaked data reportedly contains personal and business information including names, phone numbers, fax numbers, postal addresses, email addresses, province/prefecture, and occupation fields. The data was shared as a free download via AnonFiles, compressed in a ZIP archive of approximately 36.57 KB.
Date: 2026-04-22T14:13:39Z
Network: openweb
Published URL: https://breached.st/threads/morocco-data-center-regional-dinvestement-rabat-salla-kenitra.86199/unread
Screenshots:
None
Threat Actors: kutam_dz
Victim Country: Morocco
Victim Industry: Government
Victim Organization: Regional Investment Center of Rabat-Salé-Kénitra
Victim Site: Unknown
Alleged distribution of 9 million credential combolist by threat actor CODER
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist claimed to contain 9 million credential entries via Telegram channels. The post promotes free access to combo lists and cracking tools through two Telegram groups. No specific victim organization or targeted industry has been identified.
Date: 2026-04-22T13:56:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72866/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of ULP combolist shared via Telegram
Category: Combo List
Content: A threat actor operating under the alias zod has shared a ULP (URL:Login:Password) combolist on the CrackingX forum. The content is restricted to registered members and the password for the archive is distributed via a Telegram channel (t.me/zoooddddd). No specific victim organization or record count has been identified.
Date: 2026-04-22T13:55:23Z
Network: openweb
Published URL: https://crackingx.com/threads/72867/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Blockchain Name Service (BNB) Domains for Phishing and Fraud Operations
Category: Carding
Content: A threat actor on a carding forum is selling 10 Binance Name Service (.bnb) domains for $600 each, explicitly marketed for use in scamming cryptocurrency users or conducting fraudulent money transfers. The domains include high-value names such as whales.bnb, rugpull.bnb, and marketcap.bnb, suggesting intended use in phishing, rug pull schemes, or impersonation attacks targeting crypto investors. The seller accepts ATN escrow and notes the domains can be resold or used directly for fraud.
Date: 2026-04-22T13:48:16Z
Network: openweb
Published URL: https://altenens.is/threads/domain-bnb-for-sale-with-atn-escrow-accepted.2928427/unread
Screenshots:
None
Threat Actors: cherif02
Victim Country: Unknown
Victim Industry: Cryptocurrency / Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email provider credential combolist
Category: Data Leak
Content: A threat actor operating under the alias Larry_Uchiha has shared a mixed email provider combolist on the AE forum, containing credentials for accounts across multiple platforms including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live. The combolist is gated behind a reply requirement and distributed via Telegram. The exact record count is unknown.
Date: 2026-04-22T13:45:53Z
Network: openweb
Published URL: https://altenens.is/threads/mix-mail-combo-hotmail-outlook-aol-gmx-inbox-icloud-live-2026-4-19.2928425/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Multiple Email Providers (Hotmail, Outlook, AOL, GMX, Inbox, iCloud, Live)
Victim Site: Unknown
Alleged leak of mixed platform credential combolist including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook
Category: Data Leak
Content: A threat actor known as Larry_Uchiha has shared a mixed account combolist on the AE forum, allegedly containing credentials for multiple platforms including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook. The content is gated behind a reply requirement, suggesting it is freely distributed to forum members. The combolist appears to be aggregated from multiple sources targeting various consumer-facing services.
Date: 2026-04-22T13:45:17Z
Network: openweb
Published URL: https://altenens.is/threads/mix-account-combo-netflix-onlyfans-chatgpt-xbox-sony-discord-facebook-2026-4-19.2928424/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, Facebook
Victim Site: Unknown
Website Defacement of Lingkar Cijambe Teras Statistik by Irene of XmrAnonye.id
Category: Defacement
Content: On April 22, 2026, a threat actor known as Irene, affiliated with the group XmrAnonye.id, defaced the website hosted at lingkarcijambe.terasstatistik.net. The attack targeted a Linux-based server and resulted in a page replacement indicating unauthorized access. The incident was a targeted single-site defacement with a mirror archived on haxor.id.
Date: 2026-04-22T13:45:13Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248615
Screenshots:
None
Threat Actors: Irene, XmrAnonye.id
Victim Country: Indonesia
Victim Industry: Statistics / Government Data Services
Victim Organization: Lingkar Cijambe Teras Statistik
Victim Site: www.lingkarcijambe.terasstatistik.net
Alleged SMS spoofing service targeting financial institutions globally
Category: Phishing
Content: Threat actor offering fraudulent SMS routes (SID – Sender ID spoofing) targeting major financial institutions, payment platforms, and banks across Australia, Italy, Spain, France, Germany, Sweden, and UK. Services advertised include spoofed SMS impersonating Coinspot, Google, Binance, PayPal, banking institutions, and other financial services. Operator soliciting customers via Telegram handle @Youngjn123 and offering free tests.
Date: 2026-04-22T13:28:07Z
Network: telegram
Published URL: https://t.me/YoungJNCrossBulksms0285/4
Screenshots:
None
Threat Actors: Youngjn123
Victim Country: Multiple (Australia, Italy, Spain, France, Germany, Sweden, United Kingdom)
Victim Industry: Financial Services, Banking, Payment Processing
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 28,000 valid email credentials (combolist)
Category: Combo List
Content: A threat actor operating under the alias TeraCloud1 shared a combolist on DemonForums containing approximately 28,000 allegedly valid email address and password combinations. The post was made in the Combolists section of the forum. No specific victim organization or targeted service was identified in the available post content.
Date: 2026-04-22T13:25:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-28K-VALID-MAIL-ACCESS–201305
Screenshots:
None
Threat Actors: TeraCloud1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared an alleged Hotmail credential combolist on a cracking forum. The post, titled Hotmail Unique Combo_2_28000, suggests the list contains approximately 28,000 unique email and password combinations. The content is restricted to registered or signed-in forum members, limiting public visibility.
Date: 2026-04-22T13:24:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72863/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed email access combolist
Category: Combo List
Content: A threat actor operating under the alias StrawHatBase has made available a combolist containing approximately 25,000 email address and password credential pairs on Demonforums. The content is described as a mixed and fresh mail access list, suggesting credentials from multiple providers. Access to the post requires registration or login to the forum.
Date: 2026-04-22T13:24:13Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-25K-MAIL-ACCESS-MIX-FRESH
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available an alleged combolist of 1,800 Hotmail credentials described as full valid hits. The post references an API mode for retrieving the credential list as a .txt file, suggesting use of an automated checker or account-takeover tool. The content is gated behind forum registration, indicating it is shared within the cracking community rather than being publicly accessible.
Date: 2026-04-22T13:23:42Z
Network: openweb
Published URL: https://crackingx.com/threads/72864/
Screenshots:
None
Threat Actors: Jelooos
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor operating under the alias NotSellerxd has made available a mixed email combolist containing approximately 6,030 credential pairs on the cracking forum CrackingX. The post offers a free download link with no price or payment mentioned. No specific victim organization or country has been identified, suggesting the combolist aggregates credentials from multiple sources.
Date: 2026-04-22T13:23:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72865/
Screenshots:
None
Threat Actors: NotSellerxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist targeting multiple regions
Category: Data Leak
Content: A threat actor operating under the alias Larry_Uchiha has made available a combolist of approximately 2,200 Hotmail credentials on the AE forum. The combolist reportedly includes accounts from multiple regions including the United States, Europe, Asia, and Russia. Access to the hidden content requires forum engagement, suggesting a gated free distribution model via Telegram.
Date: 2026-04-22T13:13:16Z
Network: openweb
Published URL: https://altenens.is/threads/2-200x-hotmail-access-combo-usa-europe-asia-russian.2928423/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged DDoS Stresser Service Deep Stresser – Prize Giveaway Campaign
Category: Malware
Content: Deep Stresser is advertising a DDoS stresser service with a prize giveaway campaign offering free trial packages and $50 USDT rewards. The service claims to provide Layer 4 and Layer 7 DDoS attack capabilities with TCP/UDP flood options and game server bypasses. Multiple promotional messages posted across the channel with links to Telegram bot, website (deepstresser.su), and support channels.
Date: 2026-04-22T13:07:46Z
Network: telegram
Published URL: https://t.me/c/1669509146/94624
Screenshots:
None
Threat Actors: Deep Stresser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged DDoS Stresser Service Operations – Deep Stresser and Goofystresse
Category: Malware
Content: Multiple promotional messages advertising DDoS stresser services. Deep Stresser is promoting a giveaway with packages (Start, Dream, Noxis) and $50 USDT prizes. Goofystresse.st advertises Layer 4/7 DDoS capabilities including TCP/UDP floods (1.5-2M and 6-10M pps respectively), game server bypasses (Fortnite, Minecraft, Apex, COD, Roblox, Battlefield), and protection bypasses (CAPTCHA, CACHE, UAM). Service claims 3+ years operation, 1000-1500 customers, and 190-200 monthly active users. Website migration to new domain goofystresse.st announced with 1-day plan extensions as compensation.
Date: 2026-04-22T13:06:13Z
Network: telegram
Published URL: https://t.me/c/1669509146/94639
Screenshots:
None
Threat Actors: Deep Stresser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed combolist with 143,318 credentials
Category: Combo List
Content: A threat actor known as zod has shared a mixed combolist containing 143,318 lines on the cracking forum CrackingX. The combolist appears to be freely available to registered members of the forum. The post is associated with a Telegram channel (t.me/zoooddddd), suggesting the actor distributes credential lists via that channel as well.
Date: 2026-04-22T12:54:13Z
Network: openweb
Published URL: https://crackingx.com/threads/72858/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of German domain credentials combolist
Category: Combo List
Content: A threat actor on CrackingX forum has made available a combolist containing approximately 314,190 lines of credentials associated with German (.de) domains. The combolist was shared via a Mega.nz link as a free download. The post claims the data is high-quality (HQ), suggesting a higher ratio of valid email and password combinations.
Date: 2026-04-22T12:53:19Z
Network: openweb
Published URL: https://crackingx.com/threads/72861/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of GMX Germany credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist of approximately 1 million credentials allegedly targeting GMX Germany users with a social media focus. The combolist is being distributed for free via Telegram channels and groups associated with the actor. The actor also promotes additional free combo and tool resources through dedicated Telegram channels.
Date: 2026-04-22T12:52:20Z
Network: openweb
Published URL: https://crackingx.com/threads/72862/
Screenshots:
None
Threat Actors: CODER
Victim Country: Germany
Victim Industry: Internet Services / Email Provider
Victim Organization: GMX
Victim Site: gmx.de
Alleged Sale of Streaming Service Credentials Including Hulu, Netflix, and Disney+
Category: Carding
Content: A threat actor operating under the username wellix is advertising the sale of streaming service account credentials, including Hulu, Netflix, Disney+, and other platforms, via an external storefront at 9tail.store and a Discord server. The post promotes cheap access to these accounts, suggesting credential stuffing or account takeover activity. No specific record counts or pricing details are provided in the forum post itself.
Date: 2026-04-22T12:51:52Z
Network: openweb
Published URL: https://crackingx.com/threads/72859/
Screenshots:
None
Threat Actors: wellix
Victim Country: Unknown
Victim Industry: Entertainment / Streaming
Victim Organization: Hulu, Netflix, Disney+
Victim Site: 9tail.store
Alleged sharing of stolen HSBC credit card data with personal information
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a stolen HSBC Business credit card record belonging to an individual in Southampton, Hampshire, United Kingdom. The shared data includes full card number, expiration date, CVV, cardholder name, billing address, email address, and phone number. The post title references a value of 350 GBP, suggesting the card may have usable credit or balance.
Date: 2026-04-22T12:44:20Z
Network: openweb
Published URL: https://altenens.is/threads/live-work-for-350gbp.2928417/unread
Screenshots:
None
Threat Actors: Richman
Victim Country: United Kingdom
Victim Industry: Banking & Financial Services
Victim Organization: HSBC Bank PLC
Victim Site: hsbc.co.uk
Alleged Sale of Fresh Compromised Account Databases Across Multiple Countries
Category: Combo List
Content: Threat actor mu is advertising the sale of fresh database credentials spanning multiple countries (UK, Germany, Japan, Netherlands, Brazil, Poland, Spain, US, Italy) with inbox access. The seller claims to have credentials for major platforms including eBay, Uber, PSN, Booking, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and Neosurf. The actor mentions owning a private cloud infrastructure and ntlworld valid webmails, offering to check credentials upon request.
Date: 2026-04-22T12:33:05Z
Network: telegram
Published URL: https://t.me/c/2613583520/67547
Screenshots:
None
Threat Actors: mu
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: Multiple (e-commerce, ride-sharing, gaming, travel, payment services)
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of stolen Indonesian government databases (KPU, BPJS, DUKCAPIL, NPWP, SIM card registration)
Category: Data Breach
Content: Threat actor Bjorkanism is offering multiple stolen Indonesian government and institutional databases for sale at specified prices ranging from $5K-$10K per database. Databases include: KPU Indonesia (105M records), BPJS Ketenagakerjaan (19M), BPJS Kesehatan (273M), DUKCAPIL (217M), NPWP (6M), SIM Card Registration (1.3B), and PeduliLindungi (94M user accounts). Contact provided via Telegram handle @bjorqa. Databases allegedly available at netleaks.net.
Date: 2026-04-22T12:28:36Z
Network: telegram
Published URL: https://t.me/c/1836417537/7
Screenshots:
None
Threat Actors: Bjorkanism
Victim Country: Indonesia
Victim Industry: Government, Healthcare, Social Security
Victim Organization: KPU Indonesia, BPJS Ketenagakerjaan, BPJS Kesehatan, DUKCAPIL, NPWP, SIM Card Registration Authority, PeduliLindungi
Victim Site: Unknown
Alleged sharing of live stolen credit card details on carding forum
Category: Carding
Content: A threat actor on a carding forum shared a live Visa credit card record including full card number, expiration date, CVV, and BIN details. The card was verified as active via a payment gate checker ([email protected]), confirming a successful charge. The post includes card details associated with a Visa credit card with BIN 414720.
Date: 2026-04-22T12:19:03Z
Network: openweb
Published URL: https://altenens.is/threads/live-cc.2928413/unread
Screenshots:
None
Threat Actors: fakeidentity
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen HSBC VISA debit card data
Category: Carding
Content: A threat actor shared a stolen HSBC Bank PLC VISA business debit card record on a carding forum. The data includes full card number, expiration date, CVV, cardholder name, billing address in Richmond, North Yorkshire, and associated contact details including email and phone number. The cardholder appears to be associated with Browson Bank Dalton.
Date: 2026-04-22T12:18:23Z
Network: openweb
Published URL: https://altenens.is/threads/huge-bal-use-quickkkkk.2928414/unread
Screenshots:
None
Threat Actors: Richman
Victim Country: United Kingdom
Victim Industry: Banking & Finance
Victim Organization: HSBC Bank PLC
Victim Site: hsbc.co.uk
Alleged DDoS Stresser Service Advertisement – Goofystresse.st
Category: Malware
Content: Advertisement for Goofystresse.st, a DDoS stresser service offering Layer 4 and Layer 7 attack capabilities. Service claims to provide TCP/UDP flood attacks (1.5-2M pps TCP, 6-10M pps UDP), protection bypasses (CAPTCHA, CACHE, UAM), and game-specific DDoS bypasses (Fortnite, Minecraft, Apex, COD, Roblox, Battlefield). Operators claim 3+ years of operation, 1000-1500 customers, and 190-200 monthly active users. Service includes auto-payment system and operates via website goofystresse.st with Telegram support.
Date: 2026-04-22T12:17:14Z
Network: telegram
Published URL: https://t.me/c/1669509146/94625
Screenshots:
None
Threat Actors: Goofystresse
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of URL:Login:Password credential combolist with 5.97 million lines
Category: Logs
Content: A threat actor operating under the alias StarLinkClub has shared a credential combolist containing approximately 5.97 million lines in URL:Login:Password format, totaling around 400MB in size. The content is hidden behind a forum registration or login wall, suggesting it is available to registered members of the forum. No specific victim organization or targeted sector has been identified, indicating this is likely an aggregated stealer log dump.
Date: 2026-04-22T12:04:06Z
Network: openweb
Published URL: https://pwnforums.st/Thread-URL-LOGIN-PASS-Url-Log-Pass-5-978-026-M%C4%B1ll%C4%B1on-L%C4%B1nes-400mb
Screenshots:
None
Threat Actors: StarLinkClub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of credential lists (Email:Password format) targeting multiple countries
Category: Combo List
Content: Buyer actively seeking to purchase credential lists in Email:Password or Phone:Password format from multiple countries including Japan, Taiwan, Singapore, South Korea, United States, and United Kingdom. Buyer specifies daily budget of 5,000-10,000 USDT and requests 10,000-50,000 test records with commitment to provide payment quotes within 30 minutes.
Date: 2026-04-22T12:01:28Z
Network: telegram
Published URL: https://t.me/c/2613583520/67550
Screenshots:
None
Threat Actors: Douglas
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed forum credentials combolist
Category: Combo List
Content: A threat actor known as ValidMail has made available a mixed combolist of approximately 100,000 credential pairs purportedly valid for various forums. The post was shared on the cracking forum CrackingX under the Combolists & Dumps section. Full content requires registration or sign-in to access, limiting further detail extraction.
Date: 2026-04-22T11:55:15Z
Network: openweb
Published URL: https://crackingx.com/threads/72854/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Yahoo Japan and Outlook Japan gaming-targeted combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist of approximately 13 million credential pairs targeting Yahoo Japan and Outlook Japan accounts, with a focus on gaming users. The combolist is being made available via Telegram channels and direct contact. No price is mentioned, suggesting the content is being freely shared.
Date: 2026-04-22T11:53:56Z
Network: openweb
Published URL: https://crackingx.com/threads/72857/
Screenshots:
None
Threat Actors: CODER
Victim Country: Japan
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of Israeli Government Website
Category: Data Leak
Content: A threat actor known as popfizz has shared what is claimed to be leaked data from an Israeli government website on the Altenens forum. The post requires users to reply before accessing the hidden content, limiting visibility into the specific nature and scope of the leaked data. The full details regarding the victim organization, data type, and record count remain unverified.
Date: 2026-04-22T11:45:02Z
Network: openweb
Published URL: https://altenens.is/threads/israel-gov-website-leak.2928400/unread
Screenshots:
None
Threat Actors: popfizz
Victim Country: Israel
Victim Industry: Government
Victim Organization: Israeli Government
Victim Site: Unknown
Alleged leak of 75,000 mixed-country domain credentials
Category: Data Leak
Content: A threat actor known as NmChk has shared a combolist containing approximately 75,000 validated credential pairs associated with mixed-country domains. The list was made available via Pasteview, a text-sharing platform. The post appears on the AE – Combo List forum section, indicating the credentials have been verified as valid.
Date: 2026-04-22T11:43:52Z
Network: openweb
Published URL: https://altenens.is/threads/75k-mixed-country-domains-valids.2928403/unread
Screenshots:
None
Threat Actors: NmChk
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of session cookies for multiple platforms including Reddit, Mega, and eBay
Category: Data Leak
Content: A threat actor operating under the alias bluestarcrack has shared what are alleged session cookies for multiple online platforms including Reddit, Mega, and eBay via an external paste service. The leaked data appears to contain authentication cookies that could be used for account takeover. No pricing was mentioned, suggesting the content was made available for free.
Date: 2026-04-22T11:41:00Z
Network: openweb
Published URL: https://breached.st/threads/cookies-reddit-mega-ebay-more.86197/unread
Screenshots:
None
Threat Actors: bluestarcrack
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Multiple (Reddit, Mega, eBay)
Victim Site: Unknown
Alleged Sale of 330 Million Stolen Payment Card Records
Category: Carding
Content: A threat actor known as mrdurden is selling a compiled dataset of 330 million payment card records for $10,000, spanning multiple geographic regions including the United States, Europe, and South America. The dataset, approximately 9 GB uncompressed, aggregates data from private Telegram channels, forums, checkers, and previous leaks, with some records including full cardholder details (fullz). The seller claims all BINs from all geographies are represented and is selling the complete dataset
Date: 2026-04-22T11:39:34Z
Network: openweb
Published URL: https://breached.st/threads/creditgate-330m-credit-cards.86195/unread
Screenshots:
None
Threat Actors: mrdurden
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged critical vulnerability in ASP.NET Core data protection library enabling privilege escalation
Category: Vulnerability
Content: Microsoft released an emergency patch for a critical vulnerability in ASP.NET Core (versions up to 10.0.6) in the data protection library. The vulnerability allows attackers to escalate privileges to SYSTEM level using forged cookies. Fixed in version 10.0.7. Microsoft warns that access tokens issued during the vulnerability window may remain valid unless security keys are regenerated.
Date: 2026-04-22T11:32:06Z
Network: telegram
Published URL: https://t.me/c/1283513914/21332
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Unknown
Victim Industry: Software/Technology
Victim Organization: Microsoft
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor known as klyne05 has shared what is claimed to be a fresh, checked combolist of Hotmail credentials on the crackingx.com forum. The post advertises the list as private and fresh, suggesting recently verified email and password combinations. The content appears to be available as a free download with no price mentioned.
Date: 2026-04-22T11:22:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72853/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged Sharing of Live Chase Bank Payment Card Data
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a live Chase Bank payment card record, including a full card number, expiration date, and CVV. The post is titled hb usa chase live, suggesting the card is from a US-based Chase cardholder and is currently active. No price was mentioned, indicating the data was freely shared.
Date: 2026-04-22T11:14:35Z
Network: openweb
Published URL: https://altenens.is/threads/hb-usa-chase-live.2928395/unread
Screenshots:
None
Threat Actors: Jazz
Victim Country: United States
Victim Industry: Banking & Financial Services
Victim Organization: Chase Bank
Victim Site: chase.com
Alleged leak of Hotmail credential combolist
Category: Logs
Content: A threat actor operating under the alias UniqueCombo has shared an alleged Hotmail credential combolist on an underground forum. The post, titled Hotmail Unique Combo_1_28000, suggests the list contains approximately 28,000 unique email and password combinations targeting Hotmail accounts. No price was mentioned, indicating the combolist was made available for free.
Date: 2026-04-22T11:10:58Z
Network: openweb
Published URL: https://xforums.st/threads/hotmail-unique-combo_1_28000.609265/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged Sale of 44.6 Million Iraqi Citizens Personal Data
Category: Data Breach
Content: A threat actor operating under the alias MasonicAR is selling a database allegedly containing personal data of 44.6 million Iraqi individuals, including exact location and ID information spanning the years 2011 to 2026. The database is being offered for $1,000. The origin and source of the data have not been identified.
Date: 2026-04-22T11:09:10Z
Network: openweb
Published URL: https://breached.st/threads/44-6m-iraqi-data-consists-of-exact-location-id-2011-2026-1000.86194/unread
Screenshots:
None
Threat Actors: MasonicAR
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of Digital Ocean $200 credits
Category: Initial Access
Content: User Mail posted an offer for Digital Ocean $200 credits available for 1 year in a marketplace channel, suggesting potential sale of compromised or fraudulently obtained cloud service credits.
Date: 2026-04-22T11:05:36Z
Network: telegram
Published URL: https://t.me/c/2613583520/67515
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Unknown
Victim Industry: Cloud Infrastructure
Victim Organization: Digital Ocean
Victim Site: digitalocean.com
Alleged GoGra Malware Targeting Linux Systems Using Outlook for Command & Control
Category: Malware
Content: A new variant of the GoGra malware, attributed to the Harvester threat group, has been identified targeting Linux systems. The malware uses an unconventional command-and-control method via Microsoft Graph API and Outlook email instead of traditional C2 servers. Attackers send commands through email, and the malware executes them and returns results via email, then deletes messages to avoid detection. Reported by Symantec.
Date: 2026-04-22T10:58:53Z
Network: telegram
Published URL: https://t.me/c/1283513914/21331
Screenshots:
None
Threat Actors: Harvester
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged SCADA/HMI System Compromise at Jeongsan Country Club – Critical Infrastructure Attack
Category: Cyber Attack
Content: Z-Pentest Alliance claims to have established full control over the outdoor equipment monitoring and control system (SCADA/HMI platform) at Jeongsan Country Club, a 27-hole elite golf club in Gimhae, Gyeongsangnam-do, South Korea, operated by TKG Taekwang Group. The threat actor claims control over water supply tank management (WT-1, WT-2), irrigation valve control and switching, real-time monitoring of levels and flow rates, and emergency notification systems. The post outlines potential consequences including disruption of irrigation systems, artificial drought or flooding of golf course areas, material damage to turf infrastructure, reputational damage to the club and parent company, and potential lateral movement to other club systems.
Date: 2026-04-22T10:49:25Z
Network: telegram
Published URL: https://t.me/ogorodniki_Z/82
Screenshots:
None
Threat Actors: Z-Pentest Alliance
Victim Country: South Korea
Victim Industry: Hospitality/Recreation (Golf Club)
Victim Organization: Jeongsan Country Club (정산컨트리클럽)
Victim Site: jeongsancc.co.kr
Alleged database breach of Desa Randuwatang
Category: Data Breach
Content: Threat actor Xyph0rix has posted a database breach of Desa Randuwatang on Breachforums. Multiple references provided including clearnet and onion URLs to the user profile and breach thread, plus a Forums404 marketplace listing.
Date: 2026-04-22T10:48:24Z
Network: telegram
Published URL: https://t.me/Xyph0rix/180
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Desa Randuwatang
Victim Site: Unknown
Alleged leak of German mixed-target combolist with 266,112 credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a mixed-target combolist containing 266,112 lines of credentials allegedly associated with German users. The combolist was shared via a Mega.nz link on the cracking forum CrackingX. No specific targeted organization or industry has been identified, suggesting the credentials originate from multiple sources.
Date: 2026-04-22T10:47:27Z
Network: openweb
Published URL: https://crackingx.com/threads/72851/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Website Defacement of mdtv-news.com by Irene of XmrAnonye.id
Category: Defacement
Content: On April 22, 2026, threat actor Irene operating under the group XmrAnonye.id conducted a mass defacement campaign targeting mdtv-news.com, a media and news outlet hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement operation, with a mirror of the attack archived at haxor.id. No specific motive or reason was disclosed for the attack.
Date: 2026-04-22T10:47:08Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248614
Screenshots:
None
Threat Actors: Irene, XmrAnonye.id
Victim Country: Unknown
Victim Industry: Media and News
Victim Organization: MDTV News
Victim Site: mdtv-news.com
Alleged sale of channel access with DDoS tools and unauthorized control capabilities
Category: Initial Access
Content: A channel named CY8ER AGENCY INDONESIA is being sold for 250,000 IDR. The sale includes free DDoS tools, unauthorized system takeover capabilities, ability to recruit members, free training, and VIP tools. Contact via @cy8ern4ti0n.
Date: 2026-04-22T10:41:39Z
Network: telegram
Published URL: https://t.me/cyberagencyindonesia/56
Screenshots:
None
Threat Actors: CY8ER AGENCY INDONESIA
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Carding Activity Targeting United States Payment Cards
Category: Carding
Content: A post was made on the AE carding forum by user Mostafa12 in a thread titled USA LIVE, suggesting the sharing or distribution of live United States payment card data. The post content is minimal, containing only ddd, providing no further details about the nature or volume of the data. Based on the forum context and thread title, the post likely relates to live US payment card information.
Date: 2026-04-22T10:40:09Z
Network: openweb
Published URL: https://altenens.is/threads/usa-live.2928390/unread
Screenshots:
None
Threat Actors: Mostafa12
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sharing of Live USA Carding Data
Category: Carding
Content: A threat actor operating under the handle Mostafa12 posted on a carding forum allegedly sharing live USA payment card data. The post content is minimal and lacks detail, containing only the text dddd and the number 303, which may reference card BINs or other carding-related identifiers. The exact nature and volume of the data remain unclear due to the limited information provided.
Date: 2026-04-22T10:39:28Z
Network: openweb
Published URL: https://altenens.is/threads/usa-live.2928392/unread
Screenshots:
None
Threat Actors: Mostafa12
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of Randuwatang Village Government Database
Category: Data Leak
Content: A threat actor known as Xyph0rix claims to have obtained and made available for free download a database belonging to the Randuwatang village government in Indonesia. The database was shared on the Breached forum with a download link. No further details regarding the number of records or specific data types contained within the database were provided.
Date: 2026-04-22T10:34:18Z
Network: openweb
Published URL: https://breached.st/threads/database-desa-randuwatang.86193/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Desa Randuwatang (Randuwatang Village Government)
Victim Site: randuwatang.desa.id
Alleged compromise of Bangladesh government websites (HRMS, CIP Probashi)
Category: Initial Access
Content: Threat actor claims to have compromised multiple Bangladesh government domains including hrms.bmd.gov.bd and cip.probashi.gov.bd. Post indicates government websites were hacked and access is being offered for sale via direct message. Domain authority metrics provided (DA 51 PA 26 for HRMS; DA 35 PA 31 for CIP Probashi).
Date: 2026-04-22T10:34:07Z
Network: telegram
Published URL: https://t.me/c/3205199875/507
Screenshots:
None
Threat Actors: Pharaohs Team
Victim Country: Bangladesh
Victim Industry: Government
Victim Organization: Bangladesh Ministry of Defence; Bangladesh Ministry of Expatriates Welfare and Overseas Employment
Victim Site: bmd.gov.bd; probashi.gov.bd
Alleged leak of 5.8 million URL:Login:Password credential logs
Category: Logs
Content: A threat actor operating under the alias StarLinkClub on PwnForums has made available a combolist containing approximately 5.85 million lines of URL:Login:Password credential pairs, totaling around 400MB in size. The post requires forum registration or login to access the hidden download content. No specific victim organization or country has been identified, suggesting this is an aggregated stealer log compilation.
Date: 2026-04-22T10:25:55Z
Network: openweb
Published URL: https://pwnforums.st/Thread-URL-LOGIN-PASS-Url-Log-Pass-5-847-332-M%C4%B1ll%C4%B1on-L%C4%B1nes-400mb
Screenshots:
None
Threat Actors: StarLinkClub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of self-created AWS SES accounts with 50k sending limit
Category: Initial Access
Content: A threat actor on PwnForums is selling self-created AWS Simple Email Service (SES) accounts with an approved 50,000 email sending limit. The accounts are advertised as coming with full access including email credentials, with flexible regional configurations available. Pricing is set at $600 per account, with a promotional rate of $500 for the first five buyers from the forum.
Date: 2026-04-22T10:24:20Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-AWS-SES-Created-ROOT-50k
Screenshots:
None
Threat Actors: saiphalale
Victim Country: Unknown
Victim Industry: Cloud Services
Victim Organization: Amazon Web Services
Victim Site: aws.amazon.com
Alleged sale of stolen LinkedIn, email, and Gmail credentials with cookies
Category: Logs
Content: Threat actor best_ is offering purchase and processing of stolen credentials including LinkedIn account credentials, email account credentials, and Gmail cookies. The post lists specific credential types available for acquisition through what appears to be a marketplace transaction.
Date: 2026-04-22T10:05:13Z
Network: telegram
Published URL: https://t.me/c/2613583520/67483
Screenshots:
None
Threat Actors: best_
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of KernelGhost820 malware framework with EDR evasion and ransomware capabilities
Category: Malware
Content: KernelGhost820 is a Chinese-language malware tool advertised with six core modules: (1) EDR killer engine supporting 40+ security products including CrowdStrike, SentinelOne, Microsoft Defender, and Kaspersky with kernel-mode execution and Windows Defender disabling; (2) AES-256-CBC and RSA-2048 encryption module targeting 70+ file types with Volume Shadow Copy deletion and ransom note generation; (3) Remote operations module for lateral movement via WMI; (4) Network scanning and batch deployment for discovering and compromising SMB/445 devices; (5) Process manager for system control; (6) Operation logging. Offered at $2,500 USD including full source code.
Date: 2026-04-22T10:04:48Z
Network: telegram
Published URL: https://t.me/c/2735908986/4021
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Forex Platform User and Transaction Database with 623,000 Records
Category: Data Breach
Content: A threat actor operating under the alias dbcollector23 is selling a database allegedly obtained from a Forex trading platform, comprising 438,000 user records and 185,000 transaction entries. The dataset includes sensitive fields such as email addresses, hashed passwords, IP addresses, account statuses, and detailed financial transaction data including deposit amounts, currency types, and payment system references. The seller is asking a starting price of $3,000, accepts Monero and Bitcoin, an
Date: 2026-04-22T10:04:30Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-623k-Lines-Forex-User-Transaction-Data
Screenshots:
None
Threat Actors: dbcollector23
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of Hotmail credential combolist across multiple countries
Category: Combo List
Content: Threat actor Wěilóng is offering for sale private cloud Hotmail UHQ (Ultra High Quality) credential combolists across multiple countries (DE, FR, IT, BR, UK, US, JP, PL, RU, ES, NL, MX, CA, SG) along with credentials for various e-commerce and social platforms including kleinanzeigen, eBay, Reddit, Poshmark, Depop, Walmart, and Amazon. Seller claims ability to verify credentials by keyword and targets serious buyers only.
Date: 2026-04-22T10:03:10Z
Network: telegram
Published URL: https://t.me/c/2613583520/67475
Screenshots:
None
Threat Actors: Wěilóng
Victim Country: Multiple (Germany, France, Italy, Brazil, United Kingdom, United States, Japan, Poland, Russia, Spain, Netherlands, Mexico, Canada, Singapore)
Victim Industry: Email, E-commerce, Social Media
Victim Organization: Unknown
Victim Site: hotmail.com, ebay.com, reddit.com, poshmark.com, depop.com, walmart.com, amazon.com
Alleged Sharing of Stolen Chase Visa Non-VBV Payment Card Data
Category: Carding
Content: A threat actor on a carding forum has shared what appears to be a stolen Chase Visa credit card number with expiration date and CVV. The card is described as non-VBV (non-Verified by Visa), meaning it lacks additional authentication, making it more susceptible to fraudulent use. The post includes full card details: a 16-digit card number, expiration date of 10/28, and CVV of 815.
Date: 2026-04-22T09:53:03Z
Network: openweb
Published URL: https://altenens.is/threads/hb-vis-usa-chase-non-vbv.2928384/unread
Screenshots:
None
Threat Actors: Jazz
Victim Country: United States
Victim Industry: Banking & Finance
Victim Organization: Chase
Victim Site: chase.com
Alleged sharing of stolen Chase Bank non-VBV credit card data
Category: Carding
Content: A threat actor shared stolen Chase Bank VISA credit card data on a carding forum, including a full card number, expiration date, CVV, and cardholder personal information. The card is described as non-VBV (non-Verified by Visa), making it easier to use for fraudulent online transactions. The exposed data includes the cardholders name, billing address, and ZIP code located in Mountain Top, Pennsylvania.
Date: 2026-04-22T09:52:22Z
Network: openweb
Published URL: https://altenens.is/threads/hb-usa-chase-bank-non-vbv.2928386/unread
Screenshots:
None
Threat Actors: Jazz
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Chase Bank
Victim Site: chase.com
Alleged data breach of Carnival Corporation & plc – 8.7M records compromised
Category: Data Breach
Content: Carnival Corporation & plc suffered a data breach exposing over 8.7 million records containing personally identifiable information (PII) and terabytes of internal corporate data. The threat actor claims the company failed to reach a ransom agreement and has made the data available for download, threatening public release.
Date: 2026-04-22T09:40:40Z
Network: telegram
Published URL: https://t.me/c/3500620464/7194
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Travel & Leisure
Victim Organization: Carnival Corporation & plc
Victim Site: carnivalcorp.com
Alleged Data Breach of premmiere.co.id Indonesian Government Directory Platform
Category: Data Breach
Content: A threat actor operating under the alias Kyyzo is selling an 18GB+ database dump allegedly exfiltrated from premmiere.co.id, an Indonesian platform containing records of government and public institutions in DKI Jakarta. The sample data includes structured records with organization codes, names, regional classifications, administrative categories, and timestamps, indicating a comprehensive backend database exposure. The total claimed size of the dataset is 19.3GB.
Date: 2026-04-22T09:37:07Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-18GB-DATABASE-PREMMIERE-CO-ID
Screenshots:
None
Threat Actors: Kyyzo
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Premmiere
Victim Site: premmiere.co.id
Alleged leak of Italian email credentials combolist
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist containing approximately 988,000 email address and password credential pairs targeting Italian users. The post, dated April 22, 2026, is shared on DemonForums under the combolists section and is described as fresh. No specific victim organization or platform is identified.
Date: 2026-04-22T09:26:16Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-988-K-%E2%9C%A6-Italy-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Japanese email and password credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist of approximately 156,000 email and password credential pairs reportedly associated with Japanese users. The list is described as fresh and high quality, and is being distributed for free via the DemonForums platform. The post references a Telegram channel Maxi_links for additional combolists.
Date: 2026-04-22T09:24:00Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-156-K-%E2%9C%A6-Japan-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Latvian email credentials combolist
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist of approximately 62,000 email and password credential pairs associated with Latvian users on the DemonForums cybercrime forum. The list is described as fresh and high quality, and is shared via a hidden content link requiring forum registration. The post also promotes a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-22T09:20:07Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-62-K-%E2%9C%A6-Latvia-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Latvia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Israeli email and password credentials
Category: Combo List
Content: A threat actor known as CobraEgy has shared a combolist of approximately 25,000 email and password credential pairs allegedly belonging to Israeli users on the DemonForums cybercrime forum. The credentials are described as fresh and high quality. The post references a Telegram channel Maxi_links for additional combolists, suggesting an ongoing distribution campaign.
Date: 2026-04-22T09:18:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-25-K-%E2%9C%A6-Israel-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Kenya email credentials combolist
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist of over 18,000 email and password credential pairs allegedly associated with Kenyan users on Demonforums. The credentials are described as fresh and high quality. The post references a Telegram channel (Maxi_links) for additional combolists, suggesting an ongoing credential distribution operation.
Date: 2026-04-22T09:17:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-18-K-%E2%9C%A6-Kenya-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Kenya
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Lithuanian email and password credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist of approximately 18,000 email and password credential pairs associated with Lithuanian users on the DemonForums cybercrime forum. The credentials are described as fresh and high quality. The post references the Telegram channel Maxi_links as a source for additional combolists.
Date: 2026-04-22T09:16:44Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-18-K-%E2%9C%A6-Lithuania-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Lithuania
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged free distribution of corporate email combolists
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing free combolists containing corporate email credentials via Telegram channels and a cracking forum. The actor promotes two Telegram groups offering free combos and tools, and invites users to contact them directly via Telegram handle CODER5544. No specific victim organization or record count has been identified.
Date: 2026-04-22T09:16:11Z
Network: openweb
Published URL: https://crackingx.com/threads/72849/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Ireland email credential combolist
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist of approximately 13,000+ email and password credential pairs allegedly associated with Irish users. The content is described as fresh and high quality, and is being distributed for free via the DemonForums platform. Additional combolists are promoted through a Telegram channel linked to Maxi_links.
Date: 2026-04-22T09:15:49Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-13-K-%E2%9C%A6-Ireland-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Ireland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of compromised accounts and database access across multiple countries
Category: Initial Access
Content: Threat actor offering fresh database access and compromised accounts from multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT) with inbox access. Specifically targeting e-commerce and service platforms including eBay, PayPal, PSN, Booking.com, Uber, Poshmark, Amazon, Walmart, Mercari, and Kleinanzeigen. Claims to have private cloud infrastructure with valid webmail access. Soliciting direct messages for account requests.
Date: 2026-04-22T08:58:15Z
Network: telegram
Published URL: https://t.me/c/2613583520/67465
Screenshots:
None
Threat Actors: mu
Victim Country: Unknown
Victim Industry: E-commerce, Financial Services, Gaming, Travel, Marketplace
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Japanese email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has shared an alleged combolist of approximately 156,000 email address and password credential pairs associated with Japanese users on the DemonForums cybercrime forum. The post, dated April 22, 2026, is attributed to the Maxi_Leaks collection and claims the data is fresh. No specific victim organization or platform has been identified.
Date: 2026-04-22T08:54:18Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-156-K-%E2%9C%A6-Japan-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Latvian email credentials combolist
Category: Combo List
Content: A threat actor known as CobraEgy shared a combolist containing approximately 62,000 email:password credential pairs allegedly associated with Latvian users on the DemonForums cybercrime forum. The post is dated April 22, 2026, and attributed to a user or group called Maxi_Leaks. No further details about the source or targeted organizations are available.
Date: 2026-04-22T08:53:32Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-62-K-%E2%9C%A6-Latvia-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Latvia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Israeli email and password credentials
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist of approximately 25,000 email and password credential pairs allegedly associated with Israeli users. The content is described as fresh and high quality, and is being distributed for free via the DemonForums platform. The post references a Telegram channel, Maxi_links, for additional combolists.
Date: 2026-04-22T08:52:10Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-25-K-%E2%9C%A6-Israel-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Kenyan email credential combolist
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist of approximately 18,000 email and password credential pairs allegedly associated with Kenyan users. The list is described as fresh and high quality, and is being distributed freely via the DemonForums platform. The post also references a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-22T08:50:32Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-18-K-%E2%9C%A6-Kenya-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Kenya
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Lithuanian email and password credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist of approximately 18,000 email and password credentials associated with Lithuanian users on the DemonForums cybercrime forum. The list is described as fresh and high quality, suggesting recently harvested or compiled credentials. The post directs users to a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-22T08:49:29Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-18-K-%E2%9C%A6-Lithuania-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Lithuania
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Ireland email credential combolist
Category: Combo List
Content: A threat actor known as CobraEgy has shared a combolist of approximately 13,000 email and password credential pairs associated with Irish users on DemonForums. The content is described as fresh and high quality, and is made available for free behind a registration/login wall. The post references a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-22T08:48:18Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-13-K-%E2%9C%A6-Ireland-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-22-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Ireland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of German domain credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has freely shared a combolist on a cracking forum containing approximately 326,604 lines of credentials associated with German domain accounts. The combolist was made available via a Mega.nz file link. The affected organizations and specific domains targeted remain unspecified.
Date: 2026-04-22T08:46:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72848/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Leadership Transition and Operational Update on Breached Forum
Category: Data Breach
Content: The forum operator HasanBroker announced a peace agreement with a rival group identified as SLH, citing mutual interest in avoiding escalation. HasanBroker also announced their upcoming resignation as forum owner, with leadership to be transferred to diencracked and other established staff members. An escrow service and other platform updates were noted as forthcoming prior to the transition.
Date: 2026-04-22T08:44:00Z
Network: openweb
Published URL: https://breached.st/threads/peace-community-and-resignation.86192/unread
Screenshots:
None
Threat Actors: HasanBroker
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of 3.9 Million Israeli Citizens Personal Data
Category: Data Leak
Content: A threat actor has made available a database allegedly containing personal data of approximately 3.9 million Israeli citizens in CSV format. The dataset includes fields such as phone numbers, email addresses, full names, gender, date of birth, location, relationship status, education, employment, and social media metadata. Sample records suggest the data may originate from a social media platform, with phone numbers bearing Israeli country code (+972).
Date: 2026-04-22T08:30:27Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-3-9M-Israeli-Citizens
Screenshots:
None
Threat Actors: HtCvZBos
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged promotion of residential proxy service on cracking forum
Category: Initial Access
Content: A forum post on CrackingX promotes Thordata, a residential proxy service offering a pool of 100 million+ IPs across 195 countries with anti-bot bypass, CAPTCHA circumvention, and geo-targeting capabilities. The service is advertised with rotating and static ISP options, unlimited concurrent connections, and a free trial with no credit card required. A 20% discount code is provided, suggesting the service is being marketed to threat actors for malicious automation and fraud evasion purposes.
Date: 2026-04-22T08:15:50Z
Network: openweb
Published URL: https://crackingx.com/threads/72847/
Screenshots:
None
Threat Actors: eve0
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: thordata.com
Alleged Data Breach of Zirconite.es, Official Iberdrola Collaborator
Category: Data Breach
Content: A threat actor operating under the alias yatusabe_py is selling a database dump allegedly obtained from zirconite.es, an official collaborator of Spanish energy company Iberdrola. The dataset contains approximately 153,000 rows of highly sensitive customer and contract data, including bank account numbers, NIF/CIF identifiers, energy contract details (CUPS), personal contact information, agent details, and email addresses. The actor advertises additional databases for sale via private messagin
Date: 2026-04-22T08:03:19Z
Network: openweb
Published URL: https://darkforums.su/Thread-zirconite-es-153K-rows
Screenshots:
None
Threat Actors: yatusabe_py
Victim Country: Spain
Victim Industry: Energy
Victim Organization: Zirconite
Victim Site: zirconite.es
Alleged Data Leak of Hele Corporation Database
Category: Data Leak
Content: A threat actor operating under the alias LolForum has made available an alleged database dump of Hele Corporation on a dark web forum. The post offers a download link to the purported database contents. No further details regarding the volume of records or specific data types have been disclosed.
Date: 2026-04-22T08:02:49Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-HELE-DUMP-DATABASE-NEW
Screenshots:
None
Threat Actors: LolForum
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Hele Corporation
Victim Site: Unknown
Alleged data leak of Universidad Facultad de Ciencias Veterinarias Buenos Aires
Category: Data Leak
Content: A threat actor operating under the alias Lvn4t1k0 has leaked a database allegedly belonging to the Facultad de Ciencias Veterinarias, a veterinary sciences faculty in Buenos Aires, Argentina. The leaked data reportedly contains over 8,000 records including full names, phone numbers, national identity document numbers (DNI), email addresses, usernames, and passwords. The database has been made available for free download via a file-sharing platform.
Date: 2026-04-22T08:02:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Argentina-Universidad-Facultad-de-Ciencias-Veterinarias-Buenos-Aires-Argentina
Screenshots:
None
Threat Actors: Lvn4t1k0
Victim Country: Argentina
Victim Industry: Education
Victim Organization: Universidad Facultad de Ciencias Veterinarias
Victim Site: Unknown
Alleged Data Leak of 3.9 Million Israeli Citizens Personal Data
Category: Data Leak
Content: A threat actor operating under the alias HtCvZBos has made available a database allegedly containing personal information of approximately 3.9 million Israeli citizens. The data, shared in CSV format, includes fields such as phone numbers, email addresses, full names, gender, date of birth, location, relationship status, education, work details, and account metadata. Sample records indicate the dataset contains information associated with individuals from Israel and Palestinian territories, wi
Date: 2026-04-22T07:58:01Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-%EF%BC%9A390%E4%B8%87%E4%BB%A5%E8%89%B2%E5%88%97%E5%85%AC%E6%B0%91
Screenshots:
None
Threat Actors: HtCvZBos
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor known as alphacloud has shared a combolist allegedly containing 1,007 valid Hotmail credentials on the forum AE – Combo List. The post claims the credentials are premium hits sourced from a private cloud environment and includes mixed email formats. The actor provides a Telegram contact (alphaaxd) and requires forum replies to access the hidden content.
Date: 2026-04-22T07:52:23Z
Network: openweb
Published URL: https://altenens.is/threads/snowflakesnowflake-1007x-premium-hotmail-hits-snowflakesnowflake.2928379/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged Data Leak of NOAA Emergency Beacon Registry by Threat Actor l33tfg
Category: Data Leak
Content: A threat actor known as l33tfg claims to have breached NOAAs emergency beacon registry database and has freely leaked the data on a dark web forum. The leaked dataset allegedly contains sensitive personal information tied to registered emergency distress beacons, including owner names, addresses, contact details, and emergency contacts, as well as vessel and aircraft registration details such as MMSI numbers, tail numbers, and call signs. The actor also claims to retain write access to the da
Date: 2026-04-22T07:32:06Z
Network: openweb
Published URL: https://darkforums.su/Thread-Noaa-gov-DATA-LEAK
Screenshots:
None
Threat Actors: l33tfg
Victim Country: United States
Victim Industry: Government
Victim Organization: National Oceanic and Atmospheric Administration (NOAA)
Victim Site: noaa.gov
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias @Steveee36 has made available a combolist containing approximately 1,963 Hotmail credentials on the cracking forum CrackingX. The post offers a free download of the alleged high-quality (HQ) credential list. The origin and validity of the credentials have not been verified.
Date: 2026-04-22T07:21:17Z
Network: openweb
Published URL: https://crackingx.com/threads/72842/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged distribution of cryptocurrency seed phrase generator and multi-network balance checker tool
Category: Carding
Content: A threat actor on the AE cracking forum shared a cryptocurrency seed phrase generator and balance checker tool capable of processing over 5 million phrases per hour across 23 blockchain networks. The tool reportedly separates results into files containing empty wallets and wallets with balances, enabling automated theft of cryptocurrency funds. This tool is designed to facilitate large-scale brute-force attacks against cryptocurrency wallets by generating and validating mnemonic seed phrases.
Date: 2026-04-22T07:04:23Z
Network: openweb
Published URL: https://altenens.is/threads/seed-phrase-generator-and-balance-checker-2026.2928375/unread
Screenshots:
None
Threat Actors: ananalbzoor
Victim Country: Unknown
Victim Industry: Cryptocurrency / Blockchain
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Pakistan Provincial Intelligence Fusion and Threat Assessment Centre (PIFTAC) secret documents
Category: Data Leak
Content: A threat actor operating under the alias Jester01 claims to have obtained secret documents belonging to Pakistans Provincial Intelligence Fusion and Threat Assessment Centre (PIFTAC). The post offers samples upon contact, suggesting the data may be available for sale or distribution. The nature and volume of the leaked documents remain unverified.
Date: 2026-04-22T06:53:04Z
Network: openweb
Published URL: https://breached.st/threads/provincial-intelligence-fusion-and-threat-assessment-centre.86191/unread
Screenshots:
None
Threat Actors: Jester01
Victim Country: Pakistan
Victim Industry: Government
Victim Organization: Provincial Intelligence Fusion and Threat Assessment Centre (PIFTAC)
Victim Site: Unknown
Alleged distribution of mail checker tools and cracking utilities
Category: Initial Access
Content: A forum post on DemonForums in the Cracking Tools section advertises multiple mirror links for AIO mail checker tools and related cracking utilities. The post appears to be spam or low-quality content, as the only identifiable link leads to an adult dating site (SecreLocal.com) unrelated to the stated tools. No actual cracking tools, credentials, or structured threat data could be confirmed from the post content.
Date: 2026-04-22T06:32:19Z
Network: openweb
Published URL: https://demonforums.net/Thread-AIO-Mail-Checkers-VM-etc-2026
Screenshots:
None
Threat Actors: makitabosch
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of social and shopping platform combolists
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 181,059 credential entries via a Mega.nz link on the cracking forum CrackingX. The leaked data is described as targeting social media and shopping platforms, suggesting it consists of email and password combinations suited for credential stuffing attacks. No specific victim organizations or countries have been identified.
Date: 2026-04-22T06:30:51Z
Network: openweb
Published URL: https://crackingx.com/threads/72838/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: E-commerce / Social Media
Victim Organization: Unknown
Victim Site: Unknown
Alleged XSS defacement of Envy Hair Salons website by DEWATA BLACKHAT
Category: Defacement
Content: DEWATA BLACKHAT posted evidence of an XSS (Cross-Site Scripting) vulnerability exploitation on envyhairsalons.com. The payload demonstrates a reflected XSS vulnerability in the product search parameter that executes JavaScript with the message HACKED BY DEWATA BLACKHAT, indicating website defacement.
Date: 2026-04-22T06:25:06Z
Network: telegram
Published URL: https://t.me/c/3841736872/290
Screenshots:
None
Threat Actors: DEWATA BLACKHAT
Victim Country: India
Victim Industry: Beauty/Salon Services
Victim Organization: Envy Hair Salons
Victim Site: envyhairsalons.com
Alleged Data Breach of Indian Union Academy
Category: Data Breach
Content: A threat actor known as MDGhost claims to have fully compromised the Indian Union Academy, a technical and vocational training institute founded in 2015. The actor alleges to have obtained 103GB of data including student and faculty records, financial information, assets, and payroll data. Portions of the data are reportedly set to be made public, with sample data already shared on the forum.
Date: 2026-04-22T06:05:09Z
Network: openweb
Published URL: https://breached.st/threads/103gb-indian-union-accadmy-2026.86190/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: India
Victim Industry: Education
Victim Organization: Union Academy
Victim Site: Unknown
Alleged OSINT Telegram Bot Offering Unauthorized Personal Data Lookups via Sherlok Bot
Category: Data Breach
Content: A threat actor is advertising Sherlok Bot, an OSINT-focused Telegram bot that claims to aggregate and expose personal data including phone numbers, email addresses, social media accounts, facial recognition results, and vehicle information. The service is marketed as a successor to the known OSINT tool Eye of God and offers free trial searches to new users without registration. The bot operates via mirrors due to repeated bans and directs users to access its website via VPN, suggesting aware
Date: 2026-04-22T05:47:25Z
Network: openweb
Published URL: https://crackingx.com/threads/72837/
Screenshots:
None
Threat Actors: Sherlok_bot
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: bot-sherlok.com
Alleged sharing of stolen payment card data belonging to Canadian cardholder
Category: Carding
Content: A threat actor operating under the alias NightFury01 shared a stolen payment card record on a carding forum. The data includes full card details (card number, expiry, CVV), along with the cardholders name and billing address located in Guelph, Ontario, Canada. The post is titled 100% HIGH BUSINESS SIGNATURE, suggesting the card may be associated with a business or premium account.
Date: 2026-04-22T05:32:02Z
Network: openweb
Published URL: https://altenens.is/threads/100-high-business-signature.2928364/unread
Screenshots:
None
Threat Actors: NightFury01
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed forum credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has made available a mixed combolist of approximately 100,000 credential pairs allegedly sourced from various forums. The post, shared on the cracking forum CrackingX, is gated behind registration, limiting full content visibility. The combolist is described as containing valid email and password combinations targeting forum accounts.
Date: 2026-04-22T05:22:38Z
Network: openweb
Published URL: https://crackingx.com/threads/72836/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged DDoS Stresser Service Advertisement – Goofystresse.st
Category: Malware
Content: Goofystresse.st is advertising a DDoS stresser service offering Layer 4 and Layer 7 attack capabilities. The service claims to provide TCP/UDP flood attacks (1.5-2M pps TCP, 6-10M pps UDP), protection bypasses (CAPTCHA, CACHE, UAM), and game-specific DDoS bypasses (Fortnite, Minecraft, Apex, COD, Roblox, Battlefield). The operator claims 3+ years of operation, 1000-1500 customers, and 190-200 monthly active users. Service includes auto-payment system and operates via website goofystresse.st with Telegram support.
Date: 2026-04-22T04:40:51Z
Network: telegram
Published URL: https://t.me/c/1669509146/94545
Screenshots:
None
Threat Actors: Goofystresse
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of European (Germany Mixed) combolist with 922K credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 922,549 lines of credentials on the cracking forum CrackingX. The combolist is described as a Europe Germany Mixed collection, suggesting it contains email:password pairs from various German and European sources. The data was shared via a Mega.nz file link at no cost.
Date: 2026-04-22T04:29:07Z
Network: openweb
Published URL: https://crackingx.com/threads/72835/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Indian University of Yeniboya
Category: Data Breach
Content: A threat actor operating under the alias MDGhost claims to have breached the database of the Indian University of Yeniboya. The actor alleges to have obtained student usernames and passwords, email addresses, confidential research results, and exclusive ideas. The post appears to advertise the data for sale or exchange, though no explicit price is mentioned.
Date: 2026-04-22T04:23:45Z
Network: openweb
Published URL: https://breached.st/threads/indian-university-of-yeniboya-2026.86189/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: India
Victim Industry: Education
Victim Organization: University of Yeniboya
Victim Site: Unknown
Alleged leak of 6 million URL:Login:Password credential lines
Category: Logs
Content: A threat actor operating under the alias StarLinkClub has shared a combolist containing approximately 6 million lines of URL, login, and password credentials on a cybercrime forum. The data totals around 400MB and is made available to registered or logged-in forum members at no apparent cost. No specific victim organization or country has been identified, suggesting the dataset may be an aggregation of stealer log data from multiple sources.
Date: 2026-04-22T04:13:06Z
Network: openweb
Published URL: https://pwnforums.st/Thread-URL-LOGIN-PASS-Url-Log-Pass-6-013-350-M%C4%B1ll%C4%B1on-L%C4%B1nes-400mb
Screenshots:
None
Threat Actors: StarLinkClub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of RDP access and compromised email accounts
Category: Initial Access
Content: Threat actor offering rental of RDP access to cloud infrastructure providers (Azure, AWS, DigitalOcean) at $200, along with compromised domain email accounts, Gmail, Yahoo accounts, and GitHub student accounts. Service advertised as available for daily/monthly rental with escrow payment option.
Date: 2026-04-22T04:05:49Z
Network: telegram
Published URL: https://t.me/c/2613583520/67322
Screenshots:
None
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Email Validation and Bouncing Service Advertised on Cybercrime Forum
Category: Initial Access
Content: A threat actor on a cybercrime forum is advertising a Telegram-based email validation service called EmailDebouncerBot, priced at $1 per 1,000 emails. The service claims to detect invalid emails, identify risky and catch-all addresses, and reduce bounce rates, likely intended to improve deliverability for spam, phishing, or malicious email campaigns. The bot is accessible via Telegram and includes a separate updates channel.
Date: 2026-04-22T03:59:12Z
Network: openweb
Published URL: https://breached.st/threads/validate-your-emails-before-you-hit-send-debounce.86187/unread
Screenshots:
None
Threat Actors: comia
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of Chinese Hospital Backup Data by SnowSoul
Category: Data Leak
Content: The threat actor group SnowSoul has freely distributed approximately 15GB of backup data allegedly stolen from a hospital in China, identified internally as ID-1300. The data, split across multiple 7z archives and including an MSSQL database backup, was made available after the victim organization reportedly refused to pay a $3,000 USD ransom demand. The leak appears to be a retaliatory publication following non-payment.
Date: 2026-04-22T03:58:31Z
Network: openweb
Published URL: https://breached.st/threads/chinese-data-zhong-guo-shu-ju-snowsoul-id-1300-free-download-15g-bak.86186/unread
Screenshots:
None
Threat Actors: 元帅*
Victim Country: China
Victim Industry: Healthcare
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Stolen Payment Cards, Dumps, and Compromised Financial Accounts
Category: Carding
Content: A threat actor operating under the Telegram handle @StyleCarding is allegedly selling stolen credit/debit card data (CC+CVV), track dumps (101/201 with and without PIN), and compromised financial accounts including PayPal, CashApp, Monese, Monzo, Revolut, and Coinbase. The actor also claims to offer carding-as-a-service including procurement of goods from major retailers (Apple, Amazon, eBay) at 20-60% of retail value, cashout services for stolen funds in exchange for Bitcoin, and carding tutori
Date: 2026-04-22T03:38:39Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9C%94%EF%B8%8FDUMPS-CC-CVV-CLONE-CARDS-PAYPAL-CASHAPP-ACCOUNTS%E2%9C%94%EF%B8%8F–201269
Screenshots:
None
Threat Actors: Freiuh
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of phone number and password credential list
Category: Combo List
Content: A threat actor on the cracking forum CrackingX shared a credential list described as HQ Private containing phone number and password pairs. The post is titled as high-quality private content, suggesting the combolist may originate from previously unreleased or premium sources. No specific victim organization, country, or record count was identified in the post.
Date: 2026-04-22T03:38:26Z
Network: openweb
Published URL: https://crackingx.com/threads/72833/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of WordPress credentials (URL:Login:Password combolist)
Category: Combo List
Content: A threat actor operating under the alias gsmfix has shared a combolist on the cracking forum CrackingX containing alleged valid WordPress credentials in URL:Login:Password format. The post claims the credentials are valid and includes login details for WordPress-based websites. No specific victim organization, country, or record count was disclosed.
Date: 2026-04-22T03:38:02Z
Network: openweb
Published URL: https://crackingx.com/threads/72834/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of Xcaret Group Customer and Transaction Records
Category: Data Leak
Content: A threat actor using the handle s1ethx7z has made available what appears to be a database dump belonging to Xcaret, a Mexican tourism and hospitality group. The leaked data reportedly includes customer personal information such as names, emails, group affiliations, and status, as well as detailed transactional records including ticket details, property, sale dates, transaction numbers, room numbers, guest names, and financial transaction data. The data is being distributed for free via hidden do
Date: 2026-04-22T03:22:31Z
Network: openweb
Published URL: https://pwnforums.st/Thread-XCARET-xperienciasxcaret
Screenshots:
None
Threat Actors: s1ethx7z
Victim Country: Mexico
Victim Industry: Tourism & Hospitality
Victim Organization: Xcaret
Victim Site: xperienciasxcaret.com
Alleged leak of Europe and USA combolists on cybercrime forum
Category: Data Leak
Content: A threat actor operating under the handle hangover934 has made available a collection of combolists on the cybercrime forum AE (altenens.is), claiming the credentials are fully valid and high quality. The combolists are described as targeting victims from Europe and the United States. No specific organizations, record counts, or pricing details were provided in the post.
Date: 2026-04-22T03:19:39Z
Network: openweb
Published URL: https://altenens.is/threads/star100-full-validstarhigh-qualitystareurope-usa-combolists-star.2928357/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub has made available a combolist containing 1,108 Hotmail credentials on the cracking forum CrackingX. The post is gated behind registration/login, suggesting the content is shared within the forum community. The origin and validity of the credentials are unverified.
Date: 2026-04-22T03:13:23Z
Network: openweb
Published URL: https://crackingx.com/threads/72828/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Alleged leak of URL:Login:Password credential combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a collection of credentials in URL:Login:Password (ULP) format, described as high-quality and private. The post contains a combolist made available to forum members with no specific victim organization or record count disclosed.
Date: 2026-04-22T03:12:56Z
Network: openweb
Published URL: https://crackingx.com/threads/72829/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed USA and Europe credential combolists
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a combolist described as containing credential hits from both the United States and Europe. The post markets the content as exclusive and organized by country. No specific organizations, record counts, or pricing details are mentioned.
Date: 2026-04-22T03:12:25Z
Network: openweb
Published URL: https://crackingx.com/threads/72830/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of BeNaughty.com user accounts
Category: Carding
Content: A threat actor on a carding forum has made available approximately 182 BeNaughty.com user accounts at no charge. The post appears to offer a free download of credential data associated with the adult dating platform. The origin of the accounts and the method of compromise are not specified.
Date: 2026-04-22T02:48:38Z
Network: openweb
Published URL: https://altenens.is/threads/182x-benaughty-com-accounts.2928351/unread
Screenshots:
None
Threat Actors: suciferous
Victim Country: Unknown
Victim Industry: Online Dating
Victim Organization: BeNaughty
Victim Site: benaughty.com
Alleged Data Leak of UK-Exhibitionist.com User Database
Category: Data Leak
Content: A threat actor known as Seacoat has leaked a database allegedly stolen from UK-Exhibitionist.com, an adult content and discussion platform, in July 2023. The leaked database reportedly contains approximately 168,000 user records including usernames, email addresses, IP addresses, and passwords. The data has been made available for free download on a hacking forum.
Date: 2026-04-22T02:35:18Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-UK-Exhibitionist-com-Database-Leaked-Download
Screenshots:
None
Threat Actors: Seacoat
Victim Country: United Kingdom
Victim Industry: Adult Entertainment
Victim Organization: UK-Exhibitionist
Victim Site: uk-exhibitionist.com
Alleged sale of compromised email account access to multiple platforms
Category: Initial Access
Content: Threat actor offering for sale valid compromised email account access including Hotmail, Yahoo, and access to various service platforms (Walmart, eBay, Uber, Marriott, Poshmark, etc.) across multiple countries (USA, UK, Canada, Germany, France, Italy, Brazil, Japan, Poland, Spain, Netherlands, Mexico, Singapore). Seller claims UHQ (ultra high quality) and fresh credentials available for serious buyers.
Date: 2026-04-22T02:06:33Z
Network: telegram
Published URL: https://t.me/c/2613583520/67264
Screenshots:
None
Threat Actors: Yuze
Victim Country: Multiple (United States, United Kingdom, Canada, Germany, France, Italy, Brazil, Japan, Poland, Spain, Netherlands, Mexico, Singapore)
Victim Industry: Multiple (Email providers, E-commerce, Travel, Social platforms)
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias noir has made available a combolist of 2,240 allegedly valid Hotmail credentials on a cracking forum. The post describes the credentials as UHQ (ultra-high quality) and references a private cloud storage source. The actors Telegram handle (@noiraccesss) is provided for further contact, and a download link is included.
Date: 2026-04-22T02:02:42Z
Network: openweb
Published URL: https://crackingx.com/threads/72825/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged Leak of Hotmail Credential Combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist of approximately 523,233 credential pairs targeting the Hotmail email domain. The list was shared via a Mega.nz file link on the cracking forum CrackingX. This combolist likely contains email and password combinations that could be used for credential stuffing or account takeover attacks against Hotmail/Microsoft accounts.
Date: 2026-04-22T02:02:13Z
Network: openweb
Published URL: https://crackingx.com/threads/72827/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed valid email access credentials (26,800 records)
Category: Data Leak
Content: A threat actor known as redcloud has made available a combolist of approximately 26,800 allegedly valid mixed email credentials, described as private and ultra-high quality (UHQ). The post is dated April 22, 2026, and the content is accessible via a reply-to-reveal mechanism on the AE combo list forum. A Telegram contact (@tutuba5m) is also associated with the post.
Date: 2026-04-22T01:58:52Z
Network: openweb
Published URL: https://altenens.is/threads/26-8k-sparkles-mix-sparkles-valid-mail-access-22-04.2928349/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Australian National Personal Records
Category: Data Breach
Content: A threat actor known as RubiconH4ck is claiming to sell a database allegedly containing personal data of approximately 483,000 Australian individuals. The dataset reportedly includes full names, gender, email addresses, dates of birth, phone numbers, and physical address details totaling 14GB in size. The actor has directed interested parties to contact them via Telegram for samples, suggesting the data is being offered for sale.
Date: 2026-04-22T01:54:44Z
Network: openweb
Published URL: https://breached.st/threads/australia-national-personal-data.86184/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: Australia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of West Java Province Employee Records
Category: Data Breach
Content: A threat actor operating under the alias BabayoErorSystem has allegedly obtained and is sharing a database containing personal data of approximately 37,350 employees of the West Java Provincial Government in Indonesia. The post was published on the Breached forum and includes a sample of the alleged data. The full extent of the exposed fields and the method of compromise have not been disclosed.
Date: 2026-04-22T01:54:11Z
Network: openweb
Published URL: https://breached.st/threads/data-seluruh-pegawai-provinsi-jawa-barat-37-35-thousand.86185/unread
Screenshots:
None
Threat Actors: BabayoErorSystem
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Provinsi Jawa Barat (West Java Provincial Government)
Victim Site: Unknown
Alleged Leak of Hotmail Credential Combolist
Category: Combo List
Content: A threat actor known as GGsMan shared a link on the CrackingX forum containing an alleged combolist of Hotmail credentials. The post, attributed to user Rxnki, made the credential list freely available via an external paste site. The exact number of records is unknown as the external link would require verification.
Date: 2026-04-22T01:36:45Z
Network: openweb
Published URL: https://crackingx.com/threads/72824/
Screenshots:
None
Threat Actors: GGsMan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged sale of stolen payment card data by threat actor BATTMAN
Category: Carding
Content: A threat actor operating under the alias BATTMAN is offering stolen payment card data on a carding forum. The post includes a sample card record containing a full card number, expiration date, and CVV. The actor is directing potential buyers to contact them via Telegram at @BATTMANATN to purchase additional credit cards or dumps.
Date: 2026-04-22T01:35:29Z
Network: openweb
Published URL: https://altenens.is/threads/kill.2928346/unread
Screenshots:
None
Threat Actors: BATTMAN
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor known as redcloud has made available a combolist of approximately 7,500 allegedly valid Hotmail credentials on the AE combo list forum. The post, dated April 22, 2026, claims the credentials are private and of ultra-high quality (UHQ), suggesting they have been verified for active mail access. The content is accessible via a reply-gated download link, with the actor also providing a Telegram contact handle.
Date: 2026-04-22T01:33:03Z
Network: openweb
Published URL: https://altenens.is/threads/7-5k-high-voltagehotmailhigh-voltagevalid-mail-access-22-04.2928348/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged Unauthorized Access to Israeli Power Plant Control Systems in Tel Aviv
Category: Initial Access
Content: A threat actor operating under the alias MDGhost claims to have gained complete control over the operational control systems of an Israeli power plant located in Tel Aviv. The actor frames the intrusion as a politically motivated act in support of Palestinians amid the conflict in Gaza. No specific data exfiltration was mentioned, and the claim remains unverified.
Date: 2026-04-22T01:29:18Z
Network: openweb
Published URL: https://breached.st/threads/access-israeli-power-plant-tel-aviv.86183/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: Israel
Victim Industry: Energy & Utilities
Victim Organization: Unknown
Victim Site: Unknown
Alleged DDoS-as-a-Service (Stresser) Advertisement – Goofystress
Category: Malware
Content: Goofystress.st is advertising a DDoS-as-a-Service platform offering Layer 4 (TCP/UDP flood up to 10 million PPS) and Layer 7 attack capabilities with bypasses for CAPTCHA, CACHE, and UAM protections. The service includes game-specific DDoS options (Fortnite, Minecraft, Apex, COD, Roblox, Battlefield). Claims 3+ years of operation with 1000-1500 customers. Operates with auto-payment system and active Telegram support channel.
Date: 2026-04-22T01:11:03Z
Network: telegram
Published URL: https://t.me/c/1669509146/94511
Screenshots:
None
Threat Actors: Goofystress
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged DDoS-as-a-Service Platform Goofystress Offering Layer 4/7 Attack Services
Category: Malware
Content: Goofystress.st is advertising a commercial DDoS stressing service offering Layer 4 (TCP/UDP flood up to 10M pps) and Layer 7 (CAPTCHA/cache bypass) attack capabilities. The service claims 3+ years of operation, 1000-1500 customers, and includes game server targeting (Fortnite, Minecraft, Apex, COD, Roblox, Battlefield). Auto-payment system and registration available on their website.
Date: 2026-04-22T01:03:17Z
Network: telegram
Published URL: https://t.me/c/1669509146/94510
Screenshots:
None
Threat Actors: Goofystress
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: goofystresse.st
Alleged Data Breach of TruCompare.in Indian Financial Comparison Portal
Category: Data Breach
Content: A threat actor identified as MDGhost is selling 30GB of customer data allegedly stolen from TruCompare.in, an Indian online financial product comparison portal based in Delhi. The dataset reportedly contains customer names, dates of birth, email addresses, phone numbers, and state information, described as new data from 2026. The actor is demanding $10,000 for the full dataset and can be contacted via Telegram.
Date: 2026-04-22T00:41:43Z
Network: openweb
Published URL: https://breached.st/threads/sell-trucompare-in-30gb-customer-data.86182/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: India
Victim Industry: Financial Services
Victim Organization: TruCompare
Victim Site: trucompare.in
Alleged website defacements by Mr.PIMZZZXploit
Category: Defacement
Content: Threat actor claiming responsibility for defacing multiple websites across various domains. Post lists approximately 25+ compromised sites with defacement claims. Domains span multiple countries including India, Bangladesh, Malaysia, Croatia, and Hungary.
Date: 2026-04-22T00:25:53Z
Network: telegram
Published URL: https://t.me/c/3865526389/526
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of PDVSA Exposing Employee PII Including Emails, Phone Numbers, and Tax IDs
Category: Data Leak
Content: A threat actor using the alias GordonFreeman has leaked a database allegedly extracted from PDVSA (Petróleos de Venezuela, S.A.), Venezuelas state-owned oil company, containing approximately 10,000 employee records. The exposed data includes full names, national ID numbers, tax IDs (RIF), usernames, email addresses, phone numbers, and password reset indicators. The actor claims the data was obtained by exploiting a critical vulnerability in Venezuelan state digital infrastructure, and suggests
Date: 2026-04-22T00:08:32Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-PDVSA-2026-10k-Data-Emails-Phone-Numbers-ID-Numbers-Tax-IDs
Screenshots:
None
Threat Actors: GordonFreeman
Victim Country: Venezuela
Victim Industry: Oil & Gas
Victim Organization: PDVSA
Victim Site: pdvsa.com
Alleged Malware-as-a-Service Offering by Threat Actor beac0x on Pwnforums
Category: Services
Content: Threat actor beac0x is advertising a Malware-as-a-Service (MaaS) operation on Pwnforums, offering custom malware development including C2 agents, ransomware, stealers, shellcode injectors, and Beacon Object Files. The actor claims 5+ years of experience, specializes in evasion tradecraft, and codes primarily in Rust and C with Windows XP through Windows 11 compatibility. Services are available as source code, binaries, or community-oriented Pwn-Kit packages, with mentorship and malware devel
Date: 2026-04-22T00:07:16Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Malware-as-a-Service-MAAS
Screenshots:
None
Threat Actors: beac0x
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Yahoo credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a mixed-target Yahoo combolist containing approximately 1.24 million lines via a Mega.nz file sharing link. The combolist likely contains email and password combinations associated with Yahoo accounts. The content is being distributed freely on the cracking forum CrackingX.
Date: 2026-04-22T00:03:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72822/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com
Alleged sharing of stolen Brazilian payment card data
Category: Carding
Content: A threat actor shared two alleged Brazilian payment card records on a carding forum. The data includes full card numbers, expiration dates, and CVV codes consistent with Mastercard BINs. The cards appear to have been posted as samples or freebies within the carding community.
Date: 2026-04-22T00:02:15Z
Network: openweb
Published URL: https://altenens.is/threads/approved-br.2928331/unread
Screenshots:
None
Threat Actors: balkisksouri
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of stolen payment card data on carding forum
Category: Carding
Content: A threat actor on a carding forum shared what appears to be a single stolen payment card record, including the full card number, expiration date, and CVV. The card number prefix (5115) suggests it is a Mastercard. No victim organization or country has been identified from the available data.
Date: 2026-04-22T00:01:50Z
Network: openweb
Published URL: https://altenens.is/threads/approveddd.2928330/unread
Screenshots:
None
Threat Actors: balkisksouri
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown