1. Executive Summary
This report provides a detailed analysis of a massive dataset of cyber security incidents, predominantly recorded between May 5th and 6th, 2026. The data encompasses a wide array of cyber threats, including high-impact data breaches, widespread distribution of credential combo lists, systematic website defacements, the sale of advanced malware, and the illicit trade of initial network access and financial fraud services. The incidents are sourced from various dark web forums, specialized cybercrime marketplaces, and Telegram channels, underscoring a thriving, sophisticated, and highly compartmentalized underground economy centered around compromised data and unauthorized access.
2. Incident Categorization and Tactical Analysis
The threat landscape observed in this dataset is highly diverse. The incidents can be categorized into several primary threat vectors:
A. Combo Lists and Credential Stuffing Resources
The most frequent type of incident in the dataset is the distribution and sale of “combo lists”—massive collections of username or email and password pairs. These lists are the lifeblood of credential stuffing attacks, where automated tools test these pairs against various websites to hijack accounts.
- Scale and Scope: Threat actors routinely distribute lists containing millions of records. For instance, actor
MetaCloud3distributed a 15.6 million URL:login:password (ULP) combo list and a 7.2 million ULP list. Another actor,MrCOMBOROBOA, sold multiple lists ranging from 1.4 million to 2.7 million records, specifically targeting European services, corporate accounts, and gaming platforms. - Targeted Platforms: While many lists are generalized email dumps (especially targeting Hotmail, Gmail, and Yahoo), actors also curate highly specific lists. The data shows lists curated for streaming services (Netflix, HBO Go, Disney+, Hulu), gaming (Minecraft, Uplay, Steam, Epic Games, Supercell, PSN, Xbox), adult entertainment (XNXX, Chaturbate), and shopping (Amazon, Walmart, eBay).
- Geographic Targeting: Lists are frequently categorized by the victims’ origin countries to facilitate localized attacks. Datasets specifically targeting users in the USA, UK, Germany, France, Italy, Brazil, Japan, Australia, South Korea, and Argentina were prominently advertised.
B. High-Impact Data Breaches and Leaks
The dataset reveals several catastrophic data breaches involving massive corporations and government entities, resulting in the exposure of highly sensitive Personally Identifiable Information (PII), financial data, and internal corporate intelligence.
- Corporate Breaches: The most severe claims come from the actor
ShinyHunters. They allegedly breached AT&T Corporation, offering 200 million records containing SSNs, biometric data, financial histories, and real-time location data. Furthermore,ShinyHuntersclaimed a supply-chain breach via Salesforce, potentially exposing up to 1 billion records affecting 36+ major organizations, including Toyota, FedEx, Disney, UPS, and Home Depot. Other notable corporate breaches include NVIDIA GeForce Now (1.3 million user records), Adelante Soluciones Financieras (16 million records), and Truist Bank/SunTrust (employee and customer banking data with IVR source code). - Government and National Infrastructure: Significant leaks affecting national infrastructure were observed. Actor
alwayschinaclaimed access to 280 million records from BPJS Kesehatan (Indonesia’s national health insurance), covering 98% of the population. ActorCC-GuRuoffered an 850 million record database of Indian identities linked to Aadhaar numbers. Other government-related leaks included the US Chamber of Commerce (7.58 million records), the Algerian Ministry of Pharmaceutical Industry, the Indonesian Ministry of Home Affairs (Kemendagri), and the Formosa Judicial Branch in Argentina. - Cryptocurrency Platforms: Crypto exchanges are heavily targeted. Breaches or leaks were claimed against platforms like Binance, OKEx, Coinpanda, Edge.App, and Bitmart, exposing user PII, wallet addresses, and trading pairs, making these users vulnerable to targeted phishing and physical robberies.
C. Website Defacements and Hacktivism
A high volume of website defacements was recorded, indicating continuous, automated, or semi-automated opportunistic attacks against vulnerable web infrastructure.
- Prolific Actors: Actors such as
DimasHxR,chinafans(operating under the group0xteam),LOSTK!D, andMr Exsploit Wmc(BONDOWOSO BLACK HAT) are responsible for dozens of defacements. - Targets: These attacks rarely show a specific ideological target, hitting a wide range of global sites including Turkish pharmacy software (Eczanesoft), Indian government portals (Regional Science Centre Nagpur), European recreational sites, and various small businesses. The attacks primarily target Linux-based servers and often compromise specific subpages or WordPress instances rather than the main homepage.
D. Malware, Tools, and Initial Access
The underground market provides the tools necessary to execute the attacks that generate the aforementioned data.
- Malware Sales: Advanced tools are readily available. Examples include the
Dolphin X RAT(featuring HVNC, credential stealing, and bootkit functionality),Agent Tesla(version 3.2.5.5 with builder and panel), theAthena HTTP Botnet Builder, and theAsacube Android Banking Botnet. Threat actors also sell collections, such as a “94-in-1 Hacking Tools Pack”. - Initial Access Brokers (IABs): Actors are selling “keys to the kingdom.” One actor offered critical API access to a major financial transactions company for $10,000, which enables transactions across 20+ countries. Another claimed to sell verified access keys, source code, and employee accounts from Vercel Inc., with the stated intent of facilitating a supply chain attack. Groups like
World Of Shells VIPoffer daily drops of WordPress logins, cPanel credentials, and webshells on a subscription basis.
E. Cyber-Physical and Kinetic Threats
A deeply concerning trend is the compromise of systems that intersect with the physical world.
- SCADA and Infrastructure: The
Infrastructure Destruction Squadclaimed to have shut down the integrated SCADA platform ofNew Ecology System srl, an Italian waste treatment company, disabling plant monitoring and motor parameters. - Surveillance Systems: Russian threat actor
NoName057(16)claimed to have compromised the CCTV surveillance system of a Ukrainian construction materials warehouse, gaining real-time access to 15 cameras to monitor logistics and personnel. - Smart Homes: The
DDoSia Projectclaimed full access to a luxury residential smart home control system in Austria, allowing them to manipulate heating, water systems, and garage access, framing it as retaliation for European support of Ukraine.
3. Threat Actor Profiling
The intelligence reveals distinct personas and groups driving the cybercrime ecosystem.
- ShinyHunters: A top-tier threat actor responsible for the most devastating corporate breaches in the dataset (AT&T, Salesforce, NVIDIA). They actively engage in extortion and are deeply involved in the politics of dark web forums, notably leaking admin credentials for
breachforums.rsand migrating topwnforums.st. - The Data Aggregators (MetaCloud3, Lavivalda13, CC-GuRu): These actors specialize in immense volume.
MetaCloud3andLavivalda13flood forums with massive, categorized combo lists, using them to advertise premium, paid “cloud” access services.CC-GuRuacts as a massive data broker, leaking or selling databases from global sources (Mexican public servants, Australian personal data, Indian Aadhaar data, Chinese social networks). - The Defacers (chinafans/0xteam, DimasHxR, LOSTK!D): These actors prioritize visibility and volume of compromised sites over deep network penetration. They appear to utilize automated scanners to find and exploit common web vulnerabilities, leaving their signatures on hundreds of minor websites globally.
- Regional Specialists (JAX7, xyph0rix): Certain actors heavily target specific regions.
JAX7andxyph0rixalmost exclusively target Indonesian infrastructure, breaching national police databases, ministries, local regencies, and the national QRIS payment system.
4. The Underground Economy and Monetization
The dataset provides a clear view into how threat actors monetize their activities.
- Platform Ecosystem: Operations are decentralized across various platforms. Public-facing cybercrime forums (e.g.,
patched.to,breached.st,demonforums.net,altenens.is,darkforums.su,xforums.st) act as advertising boards and marketplaces for low-tier goods. High-value transactions, negotiations, and VIP services are heavily migrated to Telegram channels, XMPP, and Session messaging apps for operational security. - Subscription Models (The “Cloud” Era): Instead of one-off sales, many actors (
D4rkNetHub,MetaCloud3,BradMax) monetize data via subscription-based “Private Clouds” or VIP Telegram channels. For a monthly fee, buyers gain continuous access to fresh daily drops of stealer logs, combo lists, and webmail access. - Information Stealers (Infostealers): The prevalence of URL:Login:Password (ULP) lists and explicit sales of “Stealer Logs” (e.g., 2.1GB and 1.7GB drops, or subscriptions to logs from Lumma C2, RedLine, and Raccoon) proves that infostealer malware is the primary engine feeding the credential ecosystem. Millions of endpoints are compromised, their data extracted, packaged, and sold to other actors who specialize in fraud or account takeover.
- Carding and Fraud-as-a-Service: The end goal of much of this data gathering is financial fraud. Actors like
MNC,Milore, andSogosstate23sell “Fullz” (complete identity profiles), non-VBV credit cards, bank logs with email access, and offer services to fraudulently transfer money via CashApp, Zelle, and PayPal. Services likeMirrorHubeven offer KYC (Know Your Customer) bypass using deepfake/neural network technology to create verified financial accounts for money laundering.
5. Conclusion
The intelligence analyzed from May 2026 portrays an alarming, industrialized cyber threat landscape. The barrier to entry for cybercrime continues to lower as sophisticated tools (like botnet builders and AI-driven mass-mailing platforms) and immense volumes of stolen credentials are made available cheaply or freely on forums.
Simultaneously, top-tier actors are successfully executing supply-chain attacks and breaching the core infrastructure of global telecommunications, SaaS providers, and government databases, resulting in the exposure of hundreds of millions of individuals’ private data. Furthermore, the willingness of threat actors to target and manipulate cyber-physical systems (SCADA, smart homes, surveillance) signifies a dangerous escalation where digital intrusions carry immediate physical consequences. Defending against this ecosystem requires aggressive mitigation of infostealer infections, strict multi-factor authentication policies to defeat combo lists, and heightened security around API and supply-chain vulnerabilities.
Detected Incidents Draft Data
- Alleged data breach of Punjab National Bank India
Category: Data Breach
Content: A threat actor is selling an alleged database dump of Punjab National Bank (India) containing 100,000 records in CSV and JSON formats. The dataset reportedly includes account numbers, account holder names, IFSC codes, phone numbers, and email addresses. The full set is offered for $1,200 in BTC or XMR, with a 1,000-record sample provided.
Date: 2026-05-05T23:54:51Z
Network: openweb
Published URL: https://breached.st/threads/punjab-national-bank-india-100-000-fresh-leak-account-phone-email.86835/unread
Screenshots:
None
Threat Actors: momo78
Victim Country: India
Victim Industry: Finance
Victim Organization: Punjab National Bank
Victim Site: pnbindia.in - Combo List: 667 Hotmail Credentials (100% Hits)
Category: Combo List
Content: A threat actor is distributing a combo list of 667 Hotmail credentials, marketed as 100% valid hits. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-05T23:42:38Z
Network: openweb
Published URL: https://patched.to/Thread-667-hotmail-100-hits-%E2%9C%85
Screenshots:
None
Threat Actors: dzplayer2211
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of cracked MyeTool credential checker for RGH
Category: Combo List
Content: A forum user shared a cracked version of MyeTool, a credential-checking tool associated with RGH, along with sample credentials. The post includes a username and password pair and links to download the tool with source code included.
Date: 2026-05-05T23:41:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-MyeTool-for-RGH-Cracked
Screenshots:
None
Threat Actors: TeamBubbles
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List — 1.1K Hotmail Fresh Hits
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 1,100 Hotmail credentials marketed as fresh hits. The content is gated behind registration or login on the forum. These credentials are intended for credential stuffing against Hotmail accounts.
Date: 2026-05-05T23:15:19Z
Network: openweb
Published URL: https://patched.to/Thread-1-1k-hotmail-fresh-hits-299214
Screenshots:
None
Threat Actors: MimoData
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List of Hotmail Credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 2,200 Hotmail credentials, marketed as fresh and high quality. The content is hidden behind a forum registration or login requirement.
Date: 2026-05-05T23:14:49Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-2200x-%E2%AD%90%E2%AD%90-fresh-hq-hotmails-%E2%AD%90%E2%AD%90
Screenshots:
None
Threat Actors: Pirate999
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List: 4K Hotmail Fresh Hits
Category: Combo List
Content: A forum member is distributing a combo list of approximately 4,000 Hotmail credentials marketed as fresh hits. The content is gated behind forum registration or login. Hotmail is the credential-stuffing target, not the breach source.
Date: 2026-05-05T23:14:24Z
Network: openweb
Published URL: https://patched.to/Thread-4k-hotmail-fresh-hits
Screenshots:
None
Threat Actors: MimoData
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Flingster accounts
Category: Combo List
Content: A threat actor shared 38 Flingster account credentials on a forum, claiming they are real accounts but not verified as premium. The post encourages users with checkers to verify the accounts themselves.
Date: 2026-05-05T23:13:40Z
Network: openweb
Published URL: https://nulledbb.com/thread-Flingster-Account-38x
Screenshots:
None
Threat Actors: icarus2
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free Gmail combo list with 47.5K credentials
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub has shared a combo list containing approximately 47,500 Gmail credentials via a hidden download link on a leak forum. The content is gated behind registration or login. No further details about the data origin or validity are provided.
Date: 2026-05-05T23:13:02Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-47-5k-Gmail-D4RKNETHUB-CLOUD
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Gmail combo list by D4RKNETHUB
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub is offering a combo list of approximately 47,500 Gmail email and password pairs via a hidden forum post. The credentials are distributed through a paid cloud service with subscription tiers ranging from $10 for a 3-day trial to $50 for 30-day access. The actor promotes the service via a Telegram channel and an associated shop at darknethub.top.
Date: 2026-05-05T23:12:47Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-47-5k-Gmail-D4RKNETHUB-CLOUD
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Distribution of URL:Login:Password credential lines extracted from stealer logs
Category: Logs
Content: A threat actor is distributing 1.6GB of URL:login:password credential lines sourced from stealer logs, including mixed, Hotmail, Live, Outlook, and MSN accounts across multiple European countries. The post advertises a Telegram channel offering free daily releases of logs, cookies, and leaked data. The actor also indicates willingness to sell additional material via Telegram.
Date: 2026-05-05T23:07:54Z
Network: openweb
Published URL: https://altenens.is/threads/1-6gb-url-login-pass-lines-from-logs.2935151/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale and distribution of mixed credential logs including Hotmail and regional combos
Category: Logs
Content: A threat actor is advertising 1.4GB of mixed stealer logs including cookies, credentials (ULP format), and leak data targeting multiple regions (EU, UK, FR, PL, DE, IT) and mail providers including Hotmail, Live, Outlook, and MSN. Content is distributed daily via a Telegram channel with some items available for purchase. Hidden download links are gated behind forum replies.
Date: 2026-05-05T23:07:28Z
Network: openweb
Published URL: https://altenens.is/threads/1-4gb-full-logs.2935152/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail combo list with approximately 6,000 lines
Category: Combo List
Content: A threat actor is distributing approximately 6,000 Hotmail/Live/Outlook credential lines (ULP format) via Telegram. The post advertises a mix of European regions including UK, FR, PL, DE, and IT. The actor claims to share free combo lists, logs, and cookies daily via a Telegram channel.
Date: 2026-05-05T23:04:17Z
Network: openweb
Published URL: https://altenens.is/threads/6k-hotmail-lines-mail-access.2935149/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Mass Defacement of picassolife.com by Threat Actor LOSTK!D
Category: Defacement
Content: Threat actor LOSTK!D conducted a mass defacement attack targeting picassolife.com, a website likely associated with arts or lifestyle content. The defacement was executed on a Linux-based server on May 6, 2026, affecting a specific page (uid.html) rather than the homepage. This incident is part of a broader mass defacement campaign attributed to the same actor.
Date: 2026-05-05T22:57:57Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248880
Screenshots:
None
Threat Actors: LOSTK!D
Victim Country: Unknown
Victim Industry: Arts and Entertainment
Victim Organization: Picasso Life
Victim Site: picassolife.com - Website Defacement of MyWayShop by LOSTK!D
Category: Defacement
Content: On May 6, 2026, a threat actor operating under the alias LOSTK!D defaced a page on mywayshop.qa, a Qatari e-commerce website. The attack targeted a specific URL path rather than the homepage and was conducted as a single, non-mass defacement on a Linux-based server. The incident was archived and mirrored via haxor.id as evidence of the compromise.
Date: 2026-05-05T22:55:43Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248878
Screenshots:
None
Threat Actors: LOSTK!D
Victim Country: Qatar
Victim Industry: E-commerce / Retail
Victim Organization: MyWayShop
Victim Site: mywayshop.qa - Mass Website Defacement of Lipno Park by Threat Actor LOSTK!D
Category: Defacement
Content: Threat actor LOSTK!D conducted a mass defacement attack targeting lipnopark.cz, a recreational or tourism-related website hosted on a Linux server in the Czech Republic. The defacement was part of a broader mass defacement campaign carried out on May 6, 2026, with the compromised page archived via haxor.id. No specific motive or team affiliation was attributed to the attacker.
Date: 2026-05-05T22:53:47Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248879
Screenshots:
None
Threat Actors: LOSTK!D
Victim Country: Czech Republic
Victim Industry: Tourism / Recreation
Victim Organization: Lipno Park
Victim Site: lipnopark.cz - SIP/DID provider offering VoIP services for USA, Australia, UK, and Canada
Category: Services
Content: A forum user is advertising a SIP/DID provider service offering local and toll-free DID channels across the USA, Australia, UK, and Canada. The service includes 20 inbound DID channels, full 3CX setup, and accepts escrow payments. Contact is provided via Telegram.
Date: 2026-05-05T22:52:53Z
Network: openweb
Published URL: https://darkforums.su/Thread-Source-Code-SIP-%F0%9F%87%BA%F0%9F%87%B8-USA-%F0%9F%87%A6%F0%9F%87%BA-Australia-%F0%9F%87%AC%F0%9F%87%A7-UK-%F0%9F%87%A8%F0%9F%87%A6-Canada-DID
Screenshots:
None
Threat Actors: Muslim
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of Eczanesoft by Mr Exsploit Wmc (BONDOWOSO BLACK HAT)
Category: Defacement
Content: On May 6, 2026, the website eczanesoft.com, a Turkish pharmacy software provider, was defaced by threat actor Mr Exsploit Wmc operating under the group BONDOWOSO BLACK HAT. The attack targeted a Linux-based web server and resulted in a single-page defacement of the website. The incident was not classified as a mass or redefacement event.
Date: 2026-05-05T22:47:55Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248876
Screenshots:
None
Threat Actors: Mr Exsploit Wmc, BONDOWOSO BLACK HAT
Victim Country: Turkey
Victim Industry: Healthcare / Pharmacy Software
Victim Organization: Eczanesoft
Victim Site: eczanesoft.com - Combo List: Hotmail credentials (1.1K)
Category: Combo List
Content: A threat actor shared a combo list of approximately 1,100 Hotmail credentials, marketed as suitable for credential stuffing. The content is hidden behind a login/registration wall on the forum.
Date: 2026-05-05T22:46:53Z
Network: openweb
Published URL: https://patched.to/Thread-1-1kx-hotmail-war-cloud
Screenshots:
None
Threat Actors: AnXme
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Mass Defacement of Pharmacy Software Platform by Mr Exsploit Wmc of BONDOWOSO BLACK HAT
Category: Defacement
Content: On May 6, 2026, the Turkish pharmacy software platform eczanesoft.net was defaced by threat actor Mr Exsploit Wmc operating under the hacktivist group BONDOWOSO BLACK HAT. The incident was classified as a mass defacement, targeting the Linux-based web server. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-05T22:45:15Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248877
Screenshots:
None
Threat Actors: Mr Exsploit Wmc, BONDOWOSO BLACK HAT
Victim Country: Turkey
Victim Industry: Healthcare / Pharmacy Software
Victim Organization: Eczanesoft
Victim Site: eczanesoft.net - Alleged distribution of private mail access credentials
Category: Logs
Content: User Bo is promoting access to private mail accounts through a Telegram channel, offering free drops of mail access credentials. The post is repeated multiple times across IDs 76308-76310.
Date: 2026-05-05T22:41:17Z
Network: telegram
Published URL: https://t.me/c/2613583520/76308
Screenshots:
None
Threat Actors: Bo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of Eczanesoft by Mr Exsploit Wmc (BONDOWOSO BLACK HAT)
Category: Defacement
Content: On May 6, 2026, the website eczanesoft.com, a Turkish pharmacy software provider, was defaced by threat actor Mr Exsploit Wmc operating under the group BONDOWOSO BLACK HAT. The attack targeted the homepage and was a singular, non-mass defacement incident, with a mirror of the defaced page archived on zone-xsec.com.
Date: 2026-05-05T22:39:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917643
Screenshots:
None
Threat Actors: Mr Exsploit Wmc, BONDOWOSO BLACK HAT
Victim Country: Turkey
Victim Industry: Software / Pharmacy Technology
Victim Organization: Eczanesoft
Victim Site: eczanesoft.com - Sale of 87K mixed email credential combo list including Hotmail, Live, Outlook, and MSN
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 87,000 mixed email credentials including Hotmail, Live, Outlook, and MSN accounts sourced from multiple European countries. The post advertises daily free releases of ULP, logs, cookies, and mail access via a Telegram channel. The actor also offers additional content for purchase via Telegram.
Date: 2026-05-05T22:39:04Z
Network: openweb
Published URL: https://altenens.is/threads/87k-mix-lines-mail-access.2935148/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of compromised SMTP and AWS SES accounts with high sending limits
Category: Services
Content: A threat actor is selling compromised SMTP and AWS SES accounts from providers including SendGrid, Mailgun, SparkPost, Brevo, Postmark, and others, with sending limits ranging from 40K to 100K emails. Accounts are priced between $150 and $700 depending on provider and limit, with full login credentials provided upon purchase. Payment is accepted exclusively in cryptocurrency.
Date: 2026-05-05T22:31:00Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-SMTP-AWS-SES-Accounts-50K-100K-Limits-Crypto-Only
Screenshots:
None
Threat Actors: ric007
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged defacement of Creative71Academy websites by Mr.PIMZZZXploit
Category: Defacement
Content: Multiple websites associated with Creative71Academy have been defaced. The attacker left a signature claiming responsibility under the handle Mr.PIMZZZXploit. Three domains were compromised: ecommerce21.creative71academy.com, ecommerce1.creative71academy.com, and job.creative71academy.com.
Date: 2026-05-05T22:23:02Z
Network: telegram
Published URL: https://t.me/c/3865526389/822
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Creative71Academy
Victim Site: creative71academy.com - Sale of 170K email:password combo list targeting multiple streaming and gaming platforms
Category: Combo List
Content: A threat actor is distributing and selling a combo list of approximately 170,000 email:password credential pairs marketed as fresh and high quality. The list is advertised as suitable for credential stuffing against platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The actor also promotes additional combo lists by region and email provider via Telegram.
Date: 2026-05-05T22:20:27Z
Network: openweb
Published URL: https://demonforums.net/Thread-170k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–202975
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of 170K mixed email:password combo list
Category: Combo List
Content: A threat actor is offering a 170,000-record mixed email:password combo list for free download (with reply gate) and also selling higher-quality combo lists via Telegram. The list reportedly includes credentials from multiple email providers and countries including the US, UK, France, Germany, Italy, Canada, and Australia.
Date: 2026-05-05T22:17:48Z
Network: openweb
Published URL: https://altenens.is/threads/170k-fresh-hq-combolist-email-pass-mixed.2935144/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Forum request for free RDP access
Category: Alert
Content: A forum user is requesting free RDP access. The post contains no threat activity, breach data, or actionable intelligence.
Date: 2026-05-05T22:16:16Z
Network: openweb
Published URL: https://altenens.is/threads/ineed-rdp-free-pleaseeee.2935142/unread
Screenshots:
None
Threat Actors: revaldoxx123
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of fresh database with email credentials and inbox access across multiple countries
Category: Combo List
Content: Threat actor offering sale of fresh database containing email credentials with inbox access for multiple countries including UK, Germany, Japan, Netherlands, Brazil, Poland, Spain, US, and Italy. Seller claims to have private cloud infrastructure with valid webmails and offers keyword-based searches for major e-commerce and payment platforms (eBay, Amazon, PayPal, Walmart, Alibaba, Mercari, Kleinanzeigen, Neosurf, PSN, Uber, Poshmark, Booking). Requests direct message for specific requests and credential verification.
Date: 2026-05-05T22:14:07Z
Network: telegram
Published URL: https://t.me/c/2613583520/76274
Screenshots:
None
Threat Actors: Num
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: Multiple (e-commerce, payment platforms, webmail providers)
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of Claude API tokens
Category: Data Leak
Content: A threat actor is distributing a claimed collection of 1.2 million Claude API tokens for free on a forum. The post offers a free sample and links to hidden content requiring registration or login to access.
Date: 2026-05-05T21:57:00Z
Network: openweb
Published URL: https://patched.to/Thread-nova-%E2%9D%A4%EF%B8%8F-claude-api-tokens-1-2-million-ai-tokies-%E2%9D%A4%EF%B8%8F
Screenshots:
None
Threat Actors: JVZU
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Anthropic
Victim Site: anthropic.com - Alleged data breach of AT&T Corporation – 200M records with PII, financial data, and health information
Category: Data Breach
Content: ShinyHunters threat actor claims to have breached AT&T Corporation and obtained 200 million records containing personal identifiable information (full names, addresses, phone numbers, emails, dates of birth, SSNs, AT&T account numbers), communication metadata, financial data (credit/debit cards, bank accounts, transaction history), login credentials, internal documents including business strategy and API keys, health/medical records, biometric data, and real-time location data. The actor is selling access for 2.1 BTC and can be contacted via XMPP, Telegram, or email.
Date: 2026-05-05T21:47:56Z
Network: telegram
Published URL: https://t.me/c/3500620464/7727
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Telecommunications
Victim Organization: AT&T Corporation
Victim Site: att.com - Sale of 3 million mixed streaming service combo list
Category: Combo List
Content: A threat actor shared a combo list containing approximately 3 million credential pairs targeting mixed streaming services, distributed via a MediaFire link. The list is intended for credential stuffing against various streaming platforms.
Date: 2026-05-05T21:46:56Z
Network: openweb
Published URL: https://breachforums.rs/Thread-3M-STREAMING-MIXED-COMBOLIST
Screenshots:
None
Threat Actors: gerekssiz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List: Mixed Mail Access Credentials (3,648 entries)
Category: Combo List
Content: A combo list containing 3,648 mixed mail access credentials has been shared on a public forum. The content is hidden behind a registration or login requirement. No specific breached organization is identified.
Date: 2026-05-05T21:31:36Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%A5-3648x-mix-mail-access-vault-%F0%9F%94%A5
Screenshots:
None
Threat Actors: RyuuMaster
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Hotmail Mail Access Combo List (0.4K)
Category: Combo List
Content: A threat actor is sharing a combo list of approximately 400 Hotmail credentials marketed as high quality mail access. The content is gated behind registration or login on the forum.
Date: 2026-05-05T21:31:19Z
Network: openweb
Published URL: https://patched.to/Thread-0-4k-hq-hotmail-mail-access-combolist-299180
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - France Email:Password Combo List
Category: Combo List
Content: A threat actor known as ShroudX is sharing a France-targeted email:password combo list on a cybercrime forum. The content is hidden behind a login/registration wall, limiting visibility into record count or specific services targeted.
Date: 2026-05-05T21:30:49Z
Network: openweb
Published URL: https://patched.to/Thread-hq-france-emailpass-combolist-shroud20-txt-299189
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free France email:password combo list
Category: Combo List
Content: A user on NulledBB shared a combo list of French email and password pairs. The list is described as high quality and is likely intended for credential stuffing attacks.
Date: 2026-05-05T21:30:42Z
Network: openweb
Published URL: https://nulledbb.com/thread-HQ-FRANCE-EMAILPASS-COMBOLIST-SHROUD20-txt–2290437
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Germany email:password combo list shared on cracking forum
Category: Combo List
Content: A threat actor shared a combo list of Germany-based email and password pairs on a cracking forum. The list is marketed as high quality and intended for credential stuffing purposes. No specific breached organization is identified.
Date: 2026-05-05T21:30:20Z
Network: openweb
Published URL: https://nulledbb.com/thread-HQ-GERMANY-EMAILPASS-COMBOLIST-SHROUD20-txt–2290438
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Italy Email:Password Combo List
Category: Combo List
Content: A threat actor is distributing an Italian email:password combo list. The post targets Italian email credentials, likely for credential stuffing purposes.
Date: 2026-05-05T21:29:59Z
Network: openweb
Published URL: https://nulledbb.com/thread-HQ-ITALY-EMAILPASS-COMBOLIST-SHROUD20-txt
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of HQ USA email:password combo list
Category: Combo List
Content: A forum member is sharing a combo list of USA-based email:password credentials. No further details are available from the post content.
Date: 2026-05-05T21:29:38Z
Network: openweb
Published URL: https://nulledbb.com/thread-HQ-USA-EMAILPASS-COMBOLIST-SHROUD20-txt–2290440
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail combo list with 3,000 credentials
Category: Combo List
Content: A threat actor shared a link to a Hotmail combo list containing approximately 3,000 email and password pairs. The list is marketed as usable for credential stuffing against Hotmail accounts. The content is hosted on an external paste site.
Date: 2026-05-05T21:28:54Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-3k-Good-Hotmail-Combolist
Screenshots:
None
Threat Actors: VegaM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Truist Bank/SunTrust – employee and customer banking data with source code
Category: Data Breach
Content: Threat actor shinyc0rpsss is offering for sale a data breach allegedly from Truist Bank/SunTrust containing 65,000 employee records, customer banking information including account numbers and balances, and IVR funds transfer source code. The asking price is $20,000 USD. Contact details provided via XMPP, Telegram, and email.
Date: 2026-05-05T21:28:43Z
Network: telegram
Published URL: https://t.me/c/3500620464/7714
Screenshots:
None
Threat Actors: shinyc0rpsss
Victim Country: United States
Victim Industry: Financial Services/Banking
Victim Organization: Truist Bank/SunTrust
Victim Site: truist.com - Alleged sale of critical API access to major financial transactions company
Category: Initial Access
Content: Threat actor offering sale of critical API access from a major financial transactions company for $10,000 USD. The compromised API enables transactions across 20+ countries and multiple financial systems including Brazil, Colombia, Argentina, Ecuador, Peru, Chile, Venezuela, United States, Indonesia, Bangladesh, Philippines, India, Thailand, Kenya, Nigeria, Tanzania, Malaysia, United Arab Emirates, Pakistan, Turkey, and Vietnam. The API also includes access to 2FA systems and global card payment infrastructure. The company reportedly has over 95,000 employees worldwide. Seller claims this represents a gold mine for high-impact supply chain attack.
Date: 2026-05-05T21:28:32Z
Network: telegram
Published URL: https://t.me/c/3500620464/7712
Screenshots:
None
Threat Actors: shinyc0rpsss
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Major financial transactions company
Victim Site: Unknown - Alleged sale of access keys and credentials from Vercel Inc.
Category: Initial Access
Content: Threat actor claiming to possess verified access keys, source code, database credentials, and employee accounts from Vercel Inc. (vercel.com). Actor claims to have multiple employee accounts with access to internal deployments, NPM tokens, and GitHub tokens. Offering to sell access with stated intent to conduct supply chain attack targeting Next.js and other Vercel-maintained packages (6M+ weekly downloads). Actor references prior disclosure of breach stemming from third-party compromise (Context.ai) and OAuth token misuse, claims to possess additional undisclosed data, and indicates involvement of Mandiant and law enforcement investigation.
Date: 2026-05-05T21:25:37Z
Network: telegram
Published URL: https://t.me/c/3500620464/7699
Screenshots:
None
Threat Actors: shinyc0rpsss
Victim Country: United States
Victim Industry: Cloud Computing / Web Development Platform
Victim Organization: Vercel Inc.
Victim Site: vercel.com - Alleged Salesforce data breach affecting 36+ organizations including Toyota, FedEx, Disney, UPS, Home Depot by ShinyHunters
Category: Data Breach
Content: ShinyHunters threat actor claims to have obtained approximately 989.45 million to 1 billion+ records from Salesforce and is offering stolen data from 36+ major organizations for sale. Victims include Toyota Motor Corporation (64GB), FedEx (1.1TB), Disney/Hulu (36GB), UPS (91.34GB), Home Depot (19.43GB), Marriott (7GB), Vietnam Airlines (63.62GB), Walgreens (11GB), Qantas Airways (153GB), Air France & KLM (51GB), Adidas (37GB), Instacart (32GB), and numerous others across retail, aviation, technology, and hospitality sectors.
Date: 2026-05-05T21:25:15Z
Network: telegram
Published URL: https://t.me/c/3500620464/7688
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Multiple (SaaS, Retail, Aviation, Hospitality, Technology, Finance)
Victim Organization: Salesforce, Inc. and 36+ organizations
Victim Site: salesforce.com - Alleged data leak of BMW M Registry database
Category: Data Leak
Content: A threat actor has shared a scraped dataset from bmwmregistry.com containing 8,112 records. The data includes member names, email addresses, BMW vehicle details such as model, VIN, production date, country of origin, paint and interior color, and options. The dataset was made available behind a registration/login gate on the forum.
Date: 2026-05-05T21:09:33Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-BMW-Registry-database
Screenshots:
None
Threat Actors: ant
Victim Country: United States
Victim Industry: Automotive
Victim Organization: BMW M Registry
Victim Site: bmwmregistry.com - Sale of Hotmail combo list with 698 valid credentials
Category: Combo List
Content: A threat actor is distributing a combo list containing 698 Hotmail credentials, marketed as valid and high quality. The content is gated behind registration or login on the forum. This appears to be a credential stuffing resource targeting Hotmail accounts.
Date: 2026-05-05T21:00:11Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-698-hotmail-access-acrtixx1-update-05-05
Screenshots:
None
Threat Actors: Flexedz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Hotmail combo list allegedly available on forum
Category: Combo List
Content: A forum post on PT advertises a Hotmail combo list under the thread title X6871 HOTMAIL COMBOLIST. The actual content is hidden behind a login/registration wall, so no further details about record count or data format are available.
Date: 2026-05-05T20:59:52Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-x6871-hotmail-combolist
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of fresh URL:Login:Password combo list
Category: Combo List
Content: A threat actor is offering a private URL:login:password combo list marketed as fresh. The content is hidden behind a registration or login wall, limiting visibility into the scope or targeted services.
Date: 2026-05-05T20:59:21Z
Network: openweb
Published URL: https://patched.to/Thread-fresh-url-login-pass-private-299171
Screenshots:
None
Threat Actors: ZAMPARA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail combo list by Tokyo Cloud
Category: Combo List
Content: A threat actor operating under the name Tokyo Cloud is distributing a combo list of 1,550 Hotmail credentials via a hidden download link on a forum. The content is gated behind registration or login, with additional distribution promoted through a Telegram channel.
Date: 2026-05-05T20:59:04Z
Network: openweb
Published URL: https://patched.to/Thread-1550-private-hotmail-tokyo-cloud
Screenshots:
None
Threat Actors: T0kyo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Hotmail combo list with 1,400 fresh valid credentials
Category: Combo List
Content: A threat actor shared a combo list of 1,400 Hotmail credentials marketed as fresh and valid. The list was made available via an external paste link. The post promotes a channel for additional drops.
Date: 2026-05-05T20:58:23Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-x1400-hotmail-fresh-valid
Screenshots:
None
Threat Actors: Aweex
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of mixed combo list with claimed high quality credentials
Category: Combo List
Content: A threat actor is distributing a mixed combo list of approximately 9,917 credentials, marketed as UHQ (ultra-high quality) and valid. The content is gated behind forum registration or login.
Date: 2026-05-05T20:58:05Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-9917-mix-access-acrtixx1-update-05-05
Screenshots:
None
Threat Actors: Flexedz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list of Outlook and Hotmail credentials
Category: Combo List
Content: A threat actor is sharing a combo list of 1,516 Outlook and Hotmail credentials, marketed as good hits. The content is gated behind registration or login on the forum.
Date: 2026-05-05T20:57:47Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1-516-good-logs-combo-outlook-hotmail
Screenshots:
None
Threat Actors: cloudkaraoke
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of discounted YouTube Premium subscriptions via activation links
Category: Services
Content: A forum seller is offering one-year YouTube Premium subscriptions at discounted prices via activation links. The seller claims no user credentials are required and that subscriptions are obtained through official channels. The service is advertised as globally compatible and available via an autobuy storefront.
Date: 2026-05-05T20:57:23Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%90youtube-premium-1-year%E2%AD%90upgrade-your-account%E2%AD%90100-legal%E2%9C%85fast-delivery%E2%AD%90
Screenshots:
None
Threat Actors: pollymydolly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List: Hotmail Credentials (2,085 Accounts)
Category: Combo List
Content: A threat actor is distributing a combo list containing 2,085 Hotmail account credentials on a cybercrime forum. The content is gated behind registration or login. Hotmail is the credential-stuffing target, not the breach victim.
Date: 2026-05-05T20:57:07Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%A5-2085x-hotmail-access-vault-%F0%9F%94%A5
Screenshots:
None
Threat Actors: RyuuMaster
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of 126 Israeli passport documents
Category: Carding
Content: A threat actor is offering 126 Israeli passport documents for sale on a cybercrime forum. Prospective buyers are directed to contact the seller via Telegram for pricing. The origin or method of obtaining the passports is not disclosed in the post.
Date: 2026-05-05T20:41:24Z
Network: openweb
Published URL: https://breached.st/threads/126-israel-passports.86833/unread
Screenshots:
None
Threat Actors: DataSellers
Victim Country: Israel
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Blat Studio exposing PSD deputies personal data and Portuguese university student association credentials
Category: Data Breach
Content: A threat actor claims to have exfiltrated data from Blat Studio, a Lisbon-based digital agency, comprising 127 records of Portuguese Social Democratic Party (PSD) parliamentary deputies including names, phone numbers, email addresses, and positions, as well as 119 hashed credentials (bcrypt, Base64-encoded) belonging to student association members from multiple Portuguese universities. The data was posted on a dark web forum and includes samples of both datasets.
Date: 2026-05-05T20:34:55Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Portugal-PSD-Deputies-Data-Student-Association-Hashed-Credentials-Blat-Studio
Screenshots:
None
Threat Actors: Boogeymann
Victim Country: Portugal
Victim Industry: Government
Victim Organization: Blat Studio
Victim Site: blatstudio.com - Forum announcement regarding exit-scam claims
Category: Alert
Content: A forum announcement was posted by user Hollow on BreachForums addressing claims of an exit scam. No further content was available for analysis.
Date: 2026-05-05T20:31:28Z
Network: openweb
Published URL: https://breachforums.rs/Thread-IMPORTANT-READ-The-Truth-Behind-the-False-Exit-Scam-Claims
Screenshots:
None
Threat Actors: Hollow
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Dolphin X RAT — Multi-Function Remote Access Trojan
Category: Malware
Content: A threat actor is selling Dolphin X, a Windows-based remote access trojan (RAT) advertised with over 600 features including HVNC, credential stealing, DDoS botnet capability, a loader, and bootkit/metamorphic functionality. The seller accepts direct purchases via their website and offers middleman/contract arrangements on the forum. A Debian-compatible version is reportedly in development.
Date: 2026-05-05T20:28:25Z
Network: openweb
Published URL: https://hackforums.net/showthread.php?tid=6324958
Screenshots:
None
Threat Actors: Kontraktnik
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of compromised email accounts and credential lists across multiple countries
Category: Combo List
Content: Threat actor offering fresh compromised email accounts and credential lists (combolists) from multiple countries including UK, DE, JP, NL, BR, PL, ES, US, IT. Specifically targeting accounts associated with popular platforms (eBay, OfferUp, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen). Seller claims to have private cloud access and valid webmail accounts. Also offering mail access, configs, scripts, tools, and combo lists.
Date: 2026-05-05T20:10:07Z
Network: telegram
Published URL: https://t.me/c/2613583520/76228
Screenshots:
None
Threat Actors: Dataxlogs
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy, France, Belgium, Australia, Canada
Victim Industry: Multiple (e-commerce, gaming, travel, payment platforms)
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Consumer Goods Council of South Africa (CGCSA)
Category: Data Leak
Content: The Stormous Group claims to have leaked 20 GB of data from the Consumer Goods Council of South Africa (CGCSA), stating the release follows the organizations denial of a prior breach. The dump allegedly includes customer data, financial records (invoices, CEO reports), database backups, and scripts, made available for free via Mega file hosting.
Date: 2026-05-05T20:07:01Z
Network: openweb
Published URL: https://breached.st/threads/consumer-goods-council-of-south-africa-cgcsa-full-data-dump-customer-info-db.86828/unread
Screenshots:
None
Threat Actors: XOverStm
Victim Country: South Africa
Victim Industry: Retail
Victim Organization: Consumer Goods Council of South Africa
Victim Site: cgcsa.co.za - Alleged data breach of Clash of Kings Forum (2016)
Category: Data Breach
Content: A forum user is requesting a link or torrent to a reported 2016 database dump from the Clash of Kings forum. The user claims to have previously possessed the dump but lost it. No data has been shared or verified in this post.
Date: 2026-05-05T20:06:13Z
Network: openweb
Published URL: https://breached.st/threads/clash-of-kings-forum-breach-from-2016.86827/unread
Screenshots:
None
Threat Actors: PepeBusiness
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Clash of Kings
Victim Site: Unknown - Combo list targeting Uplay, Ubisoft, Eneba, G2A, and Epic Games accounts
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 858,000 credential pairs marketed as usable against gaming and digital goods platforms including Uplay, Ubisoft, Eneba, G2A, and Epic Games. The post advertises the data as a private base suitable for credential stuffing. The actor promotes a broader combo cloud service via their signature.
Date: 2026-05-05T19:30:03Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9A%A1858k-uplay-ubisoft-eneba-g2a-epicgames%E2%9A%A1private-base-good-on-anything-you-need%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of shopping combo list with 852K credentials
Category: Combo List
Content: A threat actor is offering a combo list of 852K credentials targeting shopping platforms, marketed as 100% private data with a high hit rate. The post is dated May 5 and is associated with a broader combo cloud service advertised by the author.
Date: 2026-05-05T19:29:31Z
Network: openweb
Published URL: https://patched.to/Thread-%E3%80%8C-852k-%E3%80%8D%E2%9A%A1-shopping-%E2%9A%A1-100-private-data-%E2%9A%A1impressive-hitrate%E2%9A%A1-05-05-new%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown - Sale of Facebook combo list with 806K credentials
Category: Combo List
Content: A threat actor is offering a combo list of approximately 806,000 credentials advertised as Facebook-targeted with a high hit rate. The post describes the data as 100% private and marketed as fresh. The actor promotes an ongoing combo cloud service offering similar datasets.
Date: 2026-05-05T19:28:59Z
Network: openweb
Published URL: https://patched.to/Thread-%E3%80%8C-806k-%E3%80%8D%E2%9A%A1-facebook-%E2%9A%A1-100-private-data-%E2%9A%A1impressive-hitrate%E2%9A%A1-05-05-new%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list targeting adult entertainment platforms including XNXX, Xvideos, Chaturbate, and LiveJasmin
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 816,000 credentials marketed as a private base suitable for credential stuffing against adult entertainment platforms including XNXX, Xvideos, Chaturbate, and LiveJasmin. The post is associated with a self-described combo cloud service offering high-quality data.
Date: 2026-05-05T19:28:25Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9A%A1816k-xnxx-xvideos-chaturbate-livejasmin%E2%9A%A1private-base-good-on-anything-you-need%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating as NullShop is offering 1,500 alleged Hotmail credentials marketed as fresh and verified. The credentials are shared via hidden forum content requiring registration or login to access. Hotmail is the credential-stuffing target, not the breach victim.
Date: 2026-05-05T19:28:00Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1-5-k-hotmail-access-valid-hit-fresh-%F0%9F%94%A5-299161
Screenshots:
None
Threat Actors: NullShop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of credential checker targeting Leboncoin.fr
Category: Combo List
Content: A threat actor is offering a paid credential checker tool targeting Leboncoin.fr, written in Python. The tool is advertised via Telegram and is designed to validate credentials against the platform.
Date: 2026-05-05T19:27:55Z
Network: openweb
Published URL: https://patched.to/Thread-non-auth-leboncoin-fr-vm-checker-python-anasxzerm-anasxzer00
Screenshots:
None
Threat Actors: anasxzer00
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Disclosure of breachforums.rs Admin Credentials and Honeypot Claims by ShinyHunters
Category: Cyber Attack
Content: ShinyHunters threat actor publicly disclosed admin access credentials for breachforums.rs (username: ShinyHunters, PIN: 7x9mK2pQ4n) and alleged admin URL (https://breachforums.rs/admin_e5f9c2/index.php). Actor claims breachforums.rs is an unofficial clone/honeypot operated by law enforcement that logs user IPs and activity. ShinyHunters announced migration to pwnforums.st as the official forum and provided contact information including Telegram channels, email ([email protected]), XMPP, and Session ID.
Date: 2026-05-05T19:16:15Z
Network: telegram
Published URL: https://t.me/c/3500620464/7650
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: breachforums.rs
Victim Site: breachforums.rs - Sale of Boithebear.com crypto user database
Category: Data Breach
Content: A threat actor is selling a database allegedly sourced from Boithebear.com, containing over 150,000 user records including 41,234 unique addresses, wallet addresses, and Twitter usernames. The data is being offered for $500 with a single-buyer restriction. The post explicitly references the datas utility for in-real-life robberies targeting cryptocurrency holders.
Date: 2026-05-05T19:12:17Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-Boithebear-com-Crypto-Database-IRL-Robberies
Screenshots:
None
Threat Actors: [Manager]punk
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Boithebear
Victim Site: boithebear.com - Sale of 12K mixed mail access combo list
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 12,000 mixed email credentials, marketed as unverified valid hits. The content is hidden behind a registration or login wall on the forum.
Date: 2026-05-05T19:05:50Z
Network: openweb
Published URL: https://patched.to/Thread-royal-%E2%9C%A8%E2%8E%9D12k-mix-mail-acess-%E2%8E%A0%E2%9C%A8%E2%9C%85unraped-valids%E2%9C%85%E2%9A%A1mix-fa-private%E2%9A%A1
Screenshots:
None
Threat Actors: baguja1472
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged BreachForums Exitscam and Migration to PwnForums
Category: Cyber Attack
Content: BreachForums administrator N/A (alias Caine) allegedly conducted an exitscam on March 15, 2026, shutting down the forum and later relaunching with a February backup under a new alias. Former BreachForums moderation team and community members have launched PwnForums as an independent replacement forum, claiming to preserve user accounts and posts from the original platform. The alleged exitscammer has been publicly identified and documented on PwnForums Wall of Shame.
Date: 2026-05-05T19:05:40Z
Network: telegram
Published URL: https://t.me/PwnForums/6
Screenshots:
None
Threat Actors: N/A (alias: Caine, Angel Tsvetkov)
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: BreachForums community members
Victim Site: breachforums.rs, breachforums.fi, breachforums.sb - Sale of Australia combo list with 140K credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 140,000 credentials purportedly from Australian users, marketed as high-quality and freshly dropped. The content is gated behind forum registration or login. No specific breached organization is identified.
Date: 2026-05-05T19:05:11Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-140k-hq-australia-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Australia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of gaming combo list with 500K credentials
Category: Combo List
Content: A threat actor is distributing a combo list containing approximately 500,000 credentials marketed as high-quality and fresh, targeting gaming platforms. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-05T19:04:37Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-500k-hq-gaming-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - France Combo List of 190K Credentials
Category: Combo List
Content: A threat actor has shared a combo list advertised as containing 190,000 high-quality French credentials. The content is gated behind registration or login on the forum. No specific breached organization is identified.
Date: 2026-05-05T19:04:01Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-190k-hq-france-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - 700K HQ Corporate Combo List Free Release
Category: Combo List
Content: A threat actor has shared a combo list advertised as containing 700,000 high-quality corporate credentials. The content is hidden behind a registration/login wall on the forum. No specific victim organization or industry is identified.
Date: 2026-05-05T19:03:27Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-700k-hq-corp-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - 5 million mix combo list free drop
Category: Combo List
Content: A threat actor shared a mixed combo list containing approximately 5 million credentials on a cybercrime forum. The content is gated behind registration or login. No specific target organization or service is identified.
Date: 2026-05-05T19:02:51Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-5m-mix-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Hotmail credential combo list with claimed 100% hits
Category: Combo List
Content: A threat actor is distributing a combo list of 2,272 Hotmail credentials marketed as 100% valid hits. The content is hidden behind a registration or login wall on the forum.
Date: 2026-05-05T19:02:21Z
Network: openweb
Published URL: https://patched.to/Thread-2272-hotmail-100-hits-%E2%9C%85
Screenshots:
None
Threat Actors: dzplayer2211
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List: Mixed Mail Access Credentials (1.8K)
Category: Combo List
Content: A threat actor is distributing a combo list of 1,800 mixed mail access credentials on a cybercrime forum. The content is gated behind registration or login. No specific victim organization or country is identified.
Date: 2026-05-05T19:02:02Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%901-8k-mixed-mail-access-%E2%AD%90
Screenshots:
None
Threat Actors: agha24
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list of 3,606 mixed mail credentials shared on forum
Category: Combo List
Content: A forum user shared a combo list containing 3,606 mixed email credentials behind a login wall. The content is described as a mix mail drop, suggesting a collection of email:password pairs from various sources.
Date: 2026-05-05T19:01:45Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%EF%B8%8F-3606x-verity-vault-mix-mail-drop-%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: VerityVault
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List: Hotmail credentials drop (983 records)
Category: Combo List
Content: A threat actor known as VerityVault is distributing a combo list of 983 Hotmail credentials. The content is gated behind registration or login on the forum. No further details about the data origin or composition are available from the post.
Date: 2026-05-05T19:01:13Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%EF%B8%8F-983x-verity-vault-hotmail-drop-%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: VerityVault
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list targeting European services with 1.4 million credentials
Category: Combo List
Content: A threat actor shared a combo list purportedly containing 1.4 million credential pairs targeting European services. The post was made in the Dumps section of a known hacking forum. No additional details about the data source or composition were provided in the post content.
Date: 2026-05-05T19:00:28Z
Network: openweb
Published URL: https://nulledbb.com/thread-1-4M-EUROPA-COMBO
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of 1.4 million European combo list
Category: Combo List
Content: A threat actor is offering a 1.4 million record European email:password combo list for sale on a cybercrime forum. The actor also advertises access to a private combo group with tiered pricing and bulk combo purchases by volume and category including gaming and shopping credentials.
Date: 2026-05-05T19:00:21Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1-4M-EUROPA-COMBO
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of 1.4 million mixed-country combo list
Category: Combo List
Content: A threat actor is selling a mixed-country combo list containing approximately 1.4 million email:password credential pairs. The seller also advertises tiered access to additional combo lists via a private Telegram group, with pricing ranging from $50 per week to $500 for lifetime access. Bulk combo packages targeting gaming and shopping services are also offered for sale.
Date: 2026-05-05T18:59:56Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1-4M-COUNTRY-MIX-VALID-COMBOLIST
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of corporate email combo list containing 1.6 million credentials
Category: Combo List
Content: A threat actor is selling a corporate-focused email and password combo list containing approximately 1.6 million credentials. The seller advertises tiered pricing for bulk combo access including corporate, gaming, and shopping variants. A Telegram channel is also promoted for free combo distribution.
Date: 2026-05-05T18:59:30Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1-6M-CORPS-GOOD-COMBO
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of 2.7 million gaming combo list
Category: Combo List
Content: A threat actor is selling a gaming-focused combo list containing 2.7 million email and password pairs. The seller offers tiered pricing including 100K records for $30 and access to a private combo group at rates ranging from $50 per week to $500 lifetime. Content is hidden behind forum registration and login.
Date: 2026-05-05T18:59:06Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-2-7M-GAMING-COMBO
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of mixed email access combo list
Category: Combo List
Content: A threat actor is offering a combo list of 10,000 mixed valid email access credentials, dated 05.05. The content is gated behind registration or login and the actor directs users to an external store at megacloudshop.top.
Date: 2026-05-05T18:58:38Z
Network: openweb
Published URL: https://demonforums.net/Thread-10K-Mix-Full-Valid-Mail-Access-05-05
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List: 10K Germany Mail Access Credentials
Category: Combo List
Content: A threat actor is sharing a combo list of 10,000 German mail account credentials, marketed as fully valid. The post gates the content behind a reply requirement.
Date: 2026-05-05T18:51:11Z
Network: openweb
Published URL: https://altenens.is/threads/10k-germany-full-valid-mail-access-05-05.2935077/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of SQL injection vulnerability targeting French government website
Category: Vulnerability
Content: A threat actor is offering for sale a Boolean-based blind SQL injection vulnerability affecting an unidentified French government website. The seller claims the vulnerability targets a POST parameter and allows full database enumeration, including access to user credentials, PII, and internal configurations. The listing is offered exclusively to a single buyer for payment in BTC or XMR.
Date: 2026-05-05T18:47:16Z
Network: openweb
Published URL: https://breached.st/threads/selling-sqli-on-a-gov-french.86826/unread
Screenshots:
None
Threat Actors: equal./.
Victim Country: France
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown - Combo List — HQ Hotmail Mail Access
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 100 Hotmail credentials marketed as high quality mail access. The content is gated behind forum registration or login. No breach of a specific organization is claimed.
Date: 2026-05-05T18:26:31Z
Network: openweb
Published URL: https://patched.to/Thread-0-1k-hq-hotmail-mail-access-combolist-299083
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor is offering a combo list of 500 Hotmail login credentials, marketed as UHQ (ultra-high quality). The content is gated behind registration or login on the forum.
Date: 2026-05-05T18:26:13Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-500x-hotmail-login-uhq-299103
Screenshots:
None
Threat Actors: BuggracK
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list with 742 hits
Category: Combo List
Content: A threat actor shared a combo list of 742 Hotmail credentials marketed as 100% valid hits. The content is hidden behind a registration/login wall on the forum. No additional details about the source or collection method are provided.
Date: 2026-05-05T18:25:43Z
Network: openweb
Published URL: https://patched.to/Thread-742-hotmail-100-hits
Screenshots:
None
Threat Actors: dzplayer2211
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - 90K Germany Combo List Free Release
Category: Combo List
Content: A threat actor has shared a combo list of approximately 90,000 credentials purportedly associated with German users. The content is gated behind registration or login on the forum. The post markets the list as a fresh drop.
Date: 2026-05-05T18:25:11Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-90k-germany-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of HQ corporate combo list with 100K credentials
Category: Combo List
Content: A threat actor is distributing a combo list advertised as containing 100,000 high-quality corporate credentials. The content is hidden behind a registration or login wall. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-05T18:24:31Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-100k-hq-corp-combolist-fresh-drop-299120
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Brazil Combo List with 205K Credentials
Category: Combo List
Content: A threat actor shared a combo list containing approximately 205,000 credentials, marketed as high-quality and fresh, targeting Brazilian users. The content is hidden behind a registration or login wall on the forum.
Date: 2026-05-05T18:24:01Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-205k-hq-brazil-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - 220K HQ UK Combo List Free Drop
Category: Combo List
Content: A threat actor has shared a combo list of approximately 220,000 credentials claimed to be UK-origin and marketed as high quality. The content is gated behind forum registration or login. No specific breached organization is identified.
Date: 2026-05-05T18:23:30Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-220k-hq-uk-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free distribution of 15.6 million URL:login:password combo list
Category: Combo List
Content: A threat actor is distributing a combo list containing approximately 15.6 million URL:login:password credential pairs, marketed as high quality. The content is gated behind forum registration and the post promotes the authors commercial combo cloud service.
Date: 2026-05-05T18:23:05Z
Network: openweb
Published URL: https://patched.to/Thread-15-6m-%E2%9A%A1-url-login-pass-hq-%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - 200K HQ Japan Fresh Combo List Drop
Category: Combo List
Content: A threat actor has shared what is claimed to be a 200,000-record high-quality Japan combo list. The content is hidden behind a registration or login wall. No specific targeted organization or service is identified in the post.
Date: 2026-05-05T18:22:59Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-200k-hq-japan-fresh-combolist-drop-299131
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - 160K HQ Italy Combo List
Category: Combo List
Content: A threat actor is distributing a combo list purportedly containing 160,000 credentials associated with Italian users. The content is gated behind registration or login on the forum. No specific breached organization is identified.
Date: 2026-05-05T18:22:41Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-160k-hq-italy-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of 5.7 million ULP combo list mix (USA, UK, BR, DE, PL)
Category: Combo List
Content: A threat actor is sharing a combo list of 5.7 million URL:login:password (ULP) credentials described as private and high quality, drawn from a mix of users across the United States, United Kingdom, Brazil, Germany, and Poland. The post is associated with a self-advertised combo cloud service offering access to similar datasets.
Date: 2026-05-05T18:22:32Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%8E%9D-5-7m-ulp-%E2%8E%A0%E2%9A%A1100-private%E2%9A%A1high-quality%E2%9A%A1mix-usa-uk-br-de-pl%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of SQL injection vulnerability on French government website
Category: Vulnerability
Content: A threat actor is offering for sale an unpatched Boolean-based blind SQL injection vulnerability targeting a high-traffic French government website. The vulnerability reportedly affects a POST parameter and enables full database enumeration, exposing user credentials, PII, and internal configurations. The seller is offering exclusivity to a single buyer, accepting BTC, LTC, or XMR.
Date: 2026-05-05T18:19:22Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Selling-a-SQLI-on-a-gov-french
Screenshots:
None
Threat Actors: nighttt
Victim Country: France
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Coinbase France
Category: Data Breach
Content: A threat actor is offering for sale an alleged dataset linked to Coinbase France, purportedly containing 500,000 records. No further details are available from the post content.
Date: 2026-05-05T18:15:54Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-France-Crypto-Coinbase-Data-500K
Screenshots:
None
Threat Actors: Mikhel
Victim Country: France
Victim Industry: Finance
Victim Organization: Coinbase
Victim Site: coinbase.com - Alleged data breach of OKEx (Canada users)
Category: Data Breach
Content: A threat actor is offering for sale data allegedly sourced from OKEx, containing Canadian user records. The sample includes fields such as serial number, full name, email address, phone number, country, and cryptocurrency trading pair information. The seller is soliciting contact via Telegram and claims to be ready to provide a sample upon request.
Date: 2026-05-05T18:14:32Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Canada-okex-data-available
Screenshots:
None
Threat Actors: Nauan
Victim Country: Canada
Victim Industry: Finance
Victim Organization: OKEx
Victim Site: okex.com - Alleged data leak of DCBank
Category: Data Leak
Content: A threat actor has freely shared an alleged database dump attributed to DCBank on a leak forum. The dataset reportedly contains fields including UUID, first and last name, gender, phone number, INN, birth date, passport number, and KYC status. No record count or pricing was specified in the post.
Date: 2026-05-05T18:10:00Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-DCBANK-LEAKED-DATABASE
Screenshots:
None
Threat Actors: zixy11
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: DCBank
Victim Site: Unknown - Sale of personal data of high-income individuals in Portugal
Category: Data Breach
Content: A threat actor is offering for sale a dataset purportedly containing personal information of high-income individuals in Portugal. The sample includes full names, birth dates, gender, nationality, addresses, email addresses, and phone numbers. The source organization of the data is not disclosed.
Date: 2026-05-05T18:08:21Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Fast-Hand-Portugal-High-Income-People-Data
Screenshots:
None
Threat Actors: remarose772
Victim Country: Portugal
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Senzing.com CRM exposing detailed PII
Category: Data Breach
Content: A threat actor is selling an alleged database of 100,000 records sourced from Senzings CRM system for $1,000. The dataset purportedly includes full PII such as SSN, name, phone, address, date of birth, drivers license number, passport number, and credit card account numbers. Contact is via Telegram handle @voxagon.
Date: 2026-05-05T18:03:33Z
Network: openweb
Published URL: https://breached.st/threads/100-000-detailed-pii-on-senzing-com-crm-ssn-name-phone-addr-dob-dl-number-passport-number.86823/unread
Screenshots:
None
Threat Actors: decipher
Victim Country: United States
Victim Industry: Technology
Victim Organization: Senzing
Victim Site: senzing.com - Alleged data breach of BPJS Kesehatan Indonesia with 280 million records
Category: Data Breach
Content: A threat actor claims to have gained unauthorized access to BPJS Kesehatans database, allegedly compromising approximately 280 million records covering 98.25% of Indonesias population. The database reportedly includes personal identifiers (NIK, name, date of birth, phone), insurance details, medical record numbers, diagnosis codes, chronic risk scores, and social aid information. The actor claims live access to the database is still active and is offering samples and verification via Telegram.
Date: 2026-05-05T18:02:37Z
Network: openweb
Published URL: https://breached.st/threads/access-db-bpjs-kesehatan-indonesia-280m-records-98-national-coverage-live-verification.86825/unread
Screenshots:
None
Threat Actors: alwayschina
Victim Country: Indonesia
Victim Industry: Healthcare
Victim Organization: BPJS Kesehatan
Victim Site: bpjs-kesehatan.go.id - Alleged data breach of Indian education portal शैक्षिक.भारत
Category: Data Breach
Content: A threat actor known as MDGhost is selling an alleged database dump from an Indian education portal containing 28 million records of students and parents. The dataset includes usernames, student and parent names, contact details, school information, addresses, hashed passwords, and plaintext passwords in XLSX format.
Date: 2026-05-05T18:01:49Z
Network: openweb
Published URL: https://breached.st/threads/28-millions-saiksika-bharata-in-education-portal-sector-trainees.86824/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: India
Victim Industry: Education
Victim Organization: शैक्षिक.भारत (Shaiksik.Bharat)
Victim Site: xn--h2brj9c.xn--h2brj9c - Sale of vehicle emissions control documents (208GB, 2025)
Category: Data Breach
Content: A threat actor is offering for sale 208GB of documents described as vehicle emissions control data from 2025, priced at $3,500. The post does not identify the specific organization or country of origin. Prospective buyers are directed to contact the seller via Telegram.
Date: 2026-05-05T18:01:18Z
Network: openweb
Published URL: https://breached.st/threads/208gb-vehicle-emissions-control-2025.86822/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: Unknown
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Adelante Soluciones Financieras (Addi.com) – 16M+ records leaked by ShinyHunters
Category: Data Breach
Content: ShinyHunters threat actor claims to have breached Adelante Soluciones Financieras (Addi.com), a financial services company. The actor alleges exfiltration of over 16 million unique person records containing personally identifiable information (PII), financial/transaction data including credit cards, KYC documents, and background check data from TransUnion and Experian. The compressed data is claimed to be 518GB+. The actor states the company refused to reach an agreement and has made the data available for download via a direct link, claiming it was previously available only for purchase on breachforums.rs.
Date: 2026-05-05T17:52:55Z
Network: telegram
Published URL: https://t.me/c/3500620464/7667
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Colombia
Victim Industry: Financial Services
Victim Organization: Adelante Soluciones Financieras (Addi.com)
Victim Site: addi.com - Website Defacement of Universidad Continental by Mr Exsploit Wmc / BONDOWOSO BLACK HAT
Category: Defacement
Content: On May 6, 2026, the threat actor Mr Exsploit Wmc, affiliated with the group BONDOWOSO BLACK HAT, defaced a page on the Universidad Continental website hosted in Peru. The attack targeted a Linux-based web server and resulted in unauthorized modification of a secondary page rather than the homepage. The incident was archived via the haxor.id mirror service.
Date: 2026-05-05T17:52:48Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248875
Screenshots:
None
Threat Actors: Mr Exsploit Wmc, BONDOWOSO BLACK HAT
Victim Country: Peru
Victim Industry: Education
Victim Organization: Universidad Continental
Victim Site: ucontinental.edu.pe - Alleged data breach of NVIDIA GeForce Now – 1.3 million user records
Category: Data Breach
Content: Threat actor ShinyHunters claims to have stolen the entire user database from NVIDIAs GeForce Now service containing approximately 1.3 million user records. The stolen data includes first names, last names, email addresses, usernames, dates of birth, membership status, 2FA/TOTP status, internal roles, access flags, and account creation dates. The data was allegedly posted for sale on breachforums.rs. ShinyHunters later claimed to have discontinued use of the breach forum platform.
Date: 2026-05-05T17:47:02Z
Network: telegram
Published URL: https://t.me/c/3500620464/7653
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology/Software
Victim Organization: NVIDIA
Victim Site: nvidia.com - Sale of Bulgarian email combo list
Category: Combo List
Content: A threat actor is selling a combo list of Bulgarian email credentials, including Hotmail and mixed account types. The post advertises access available for purchase via direct message and links to an external channel for distribution.
Date: 2026-05-05T17:41:28Z
Network: openweb
Published URL: https://patched.to/Thread-fresh-bulgaria-%F0%9F%87%A7%F0%9F%87%AC-mail-by-antalya-h
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Brazilian email combo list
Category: Combo List
Content: A threat actor is offering for sale a combo list of Brazilian email credentials, described as including Hotmail and mixed account types. The post directs interested buyers to contact via Telegram and includes a download link.
Date: 2026-05-05T17:41:11Z
Network: openweb
Published URL: https://patched.to/Thread-fresh-brazil-%F0%9F%87%A7%F0%9F%87%B7-mail-by-antalya-h
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of German email combo list
Category: Combo List
Content: A threat actor is offering for sale a combo list of German email credentials described as fresh, including Hotmail and mixed account types. The post directs interested buyers to contact via Telegram and provides a download link.
Date: 2026-05-05T17:40:39Z
Network: openweb
Published URL: https://patched.to/Thread-fresh-germany-%F0%9F%87%A9%F0%9F%87%AA-mail-by-antalya-h
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Japan combo list including Hotmail and mixed credentials
Category: Combo List
Content: A threat actor is selling a combo list of email credentials targeting Japan, including Hotmail and mixed providers. The post directs prospective buyers to a Telegram handle and advertises a download link. No record count or pricing details are specified.
Date: 2026-05-05T17:40:10Z
Network: openweb
Published URL: https://patched.to/Thread-fresh-japan-%F0%9F%87%AF%F0%9F%87%B5-mail-by-antalya-h
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of discounted subscription service upgrades including Spotify, YouTube, ChatGPT, and Claude AI
Category: Services
Content: A threat actor operating under the handle ApexFled is offering discounted subscription upgrades for services including YouTube Premium, ChatGPT, Spotify, IPTV, and Claude AI Pro at prices significantly below retail. Services are advertised as 100% legal and are available for purchase via an automated storefront. Contact is offered through Discord and Telegram.
Date: 2026-05-05T17:40:01Z
Network: openweb
Published URL: https://patched.to/Thread-nova-%E2%AD%90cheapest-upgrades%E2%AD%90spotify%E2%AD%90youtube%E2%AD%90chatgpt%E2%AD%90claude%E2%AD%90and-more-100-legal
Screenshots:
None
Threat Actors: ApexFled
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Switzerland combo list targeting Hotmail and mixed services
Category: Combo List
Content: A threat actor is offering for sale a combo list of Switzerland-based email credentials, including Hotmail and mixed service accounts. The post advertises the list as fresh and directs interested buyers to contact the seller via Telegram.
Date: 2026-05-05T17:39:43Z
Network: openweb
Published URL: https://patched.to/Thread-fresh-switzerland-%F0%9F%87%A8%F0%9F%87%AD-mail-by-antalya-h
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free sharing of 7.2 million ULP combo list
Category: Combo List
Content: A threat actor is distributing a combo list of 7.2 million username:login:password (ULP) entries, marketed as private lines of high quality suitable for credential stuffing. The post is associated with a combo cloud service advertised in the authors signature.
Date: 2026-05-05T17:39:27Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%8E%9D-7-2m-ulp-%E2%8E%A0%E2%9A%A1100-private-lines%E2%9A%A1high-quality%E2%9A%A1use-for-anything-you-need-many-hits%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List: 7K Hotmail credentials shared on forum
Category: Combo List
Content: A threat actor shared approximately 7,000 Hotmail credentials described as high-quality hits on a combolist forum. The content is hidden behind a registration or login requirement. These credentials are intended for credential stuffing against Hotmail accounts and do not represent a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-05T17:39:13Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85-7k-hq-hotmail-hit-%E2%9C%85-299092
Screenshots:
None
Threat Actors: RetroCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Agent Tesla RAT Builder and Panel
Category: Malware
Content: A forum user is distributing Agent Tesla version 3.2.5.5, a well-known RAT and keylogger, along with its builder and administration panel. The package supports payload customization, keylogging, clipboard and credential theft, screenshot capture, and data exfiltration via SMTP, FTP, HTTP, and Telegram. The post claims a VirusTotal detection rate of 0/100 and includes anti-analysis evasion features.
Date: 2026-05-05T17:37:36Z
Network: openweb
Published URL: https://demonforums.net/Thread-Agent-Tesla-3-2-5-5-with-Builder-Panel
Screenshots:
None
Threat Actors: TechNow043
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of mixed email credential combo list with 3,627 hits
Category: Combo List
Content: A threat actor is distributing a combo list of 3,627 mixed email credentials, including Hotmail hits, marketed as premium and valid. The post requires a reply to access the hidden download link and references a Telegram contact for further communication.
Date: 2026-05-05T17:36:09Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagehigh-voltage-3627x-premium-mix-mail-hitshigh-voltagehigh-voltage.2935050/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged cyber attack on Turkish poultry farm microclimate control system
Category: Cyber Attack
Content: Armenian code group claims to have compromised a poultry farms microclimate control system in Turkey, allegedly raising temperatures to maximum levels. The post references weak credentials used in the attack.
Date: 2026-05-05T17:35:20Z
Network: telegram
Published URL: https://t.me/c/3628793212/180
Screenshots:
None
Threat Actors: Armenian code
Victim Country: Turkey
Victim Industry: Agriculture
Victim Organization: Turkish poultry farm
Victim Site: Unknown - Alleged data leak of com23.ru Russian delivery service including Sberbank transaction logs
Category: Data Leak
Content: A threat actor leaked an alleged database from com23.ru, a Russian delivery service, containing Sberbank transaction logs and customer data. The exposed information includes full names, phone numbers, order details, payment amounts, masked card details (BIN/last 4), and internal system timestamps. The leak is attributed to an unsecured directory and the data was made freely available via an external file-sharing link.
Date: 2026-05-05T17:35:02Z
Network: openweb
Published URL: https://breachforums.rs/Thread-LEAK-com23-ru-Russian-Delivery-Service-Sberbank-Transaction-Logs-Customer-Dat
Screenshots:
None
Threat Actors: AAB20
Victim Country: Russia
Victim Industry: Logistics
Victim Organization: com23.ru
Victim Site: com23.ru - Alleged leak of 150k user records from database
Category: Data Leak
Content: Threat actor sharing database samples containing 150k records. Full SQL database file exceeds 100GB in size. User table screenshot provided as proof. This appears to be a significant database breach with structured data being distributed.
Date: 2026-05-05T17:23:58Z
Network: telegram
Published URL: https://t.me/c/3793980891/3308
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of QRIS Indonesia — 1.5 million records
Category: Data Leak
Content: A threat actor using the handle Xyph0rix has leaked an alleged database attributed to QRIS Indonesia, a QR-based payment system. The post offers a download link for the database, claimed to contain 1.5 million records. No further details about the data fields or breach method were provided in the post.
Date: 2026-05-05T17:23:23Z
Network: openweb
Published URL: https://breached.st/threads/1-5-million-qris-database-leaks-qris-indonesia.86820/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Finance
Victim Organization: QRIS Indonesia
Victim Site: Unknown - Alleged data breach of Meriah4D
Category: Data Breach
Content: A threat actor is sharing or selling an alleged database dump of Meriah4D members. The post includes a sample but provides limited details about the data fields or record count.
Date: 2026-05-05T17:22:49Z
Network: openweb
Published URL: https://breached.st/threads/database-member-slot-meriah4d.86821/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Meriah4D
Victim Site: meriah4d.com - Alleged data breaches of Indonesian organizations by JAX7
Category: Data Breach
Content: Threat actor JAX7 has posted multiple database breaches on Breachforums including: database of Kota Magelang, collection of all member data from Indonesia, and database of members from Meriah4D slot platform. Posts include links to Breachforums user profile and specific breach threads.
Date: 2026-05-05T17:17:29Z
Network: telegram
Published URL: https://t.me/byjax7/510
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government/Municipal, Gaming
Victim Organization: Multiple Indonesian organizations (Kota Magelang, Meriah4D)
Victim Site: Unknown - Sale of UK mail combo list including Hotmail and mixed credentials
Category: Combo List
Content: A threat actor is offering for sale a combo list of UK email credentials, including Hotmail and mixed accounts. The seller advertises the list as fresh and directs buyers to contact via Telegram for purchase.
Date: 2026-05-05T16:54:28Z
Network: openweb
Published URL: https://patched.to/Thread-fresh-uk-%F0%9F%87%AC%F0%9F%87%A7-mail-by-antalya-h
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free distribution of stealer logs and ULP credentials
Category: Logs
Content: A forum user is freely distributing stealer logs and URL:Login:Password (ULP) credential data via an external file-sharing link. The post is dated 05.05.2026 and requires forum registration to access the hidden stealer log content.
Date: 2026-05-05T16:54:23Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%90%E2%AD%90%E2%AD%90-stealer-logs-and-u-l-p-05-05-2026
Screenshots:
None
Threat Actors: WaterCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free combo list of mixed mail access credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 2,430 mixed mail access credentials on a leak forum. The content is hidden behind a registration or login requirement. No specific victim organization is identified.
Date: 2026-05-05T16:53:22Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-2-43K-%E2%80%8D%E2%AC%9BMIX-MAIL-%E2%80%8D%E2%AC%9BACCESS-%E2%80%8D%E2%AC%9B
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List targeting Hotmail accounts
Category: Combo List
Content: A threat actor is distributing a combo list of 1,906 alleged valid Hotmail credentials, marketed as premium hits. The content is hidden behind a registration/login gate on the forum. The credentials are described as a mix of mail accounts stored in a private cloud.
Date: 2026-05-05T16:52:59Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-1906x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F
Screenshots:
None
Threat Actors: alphaaxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail combo list with 1,906 credential hits
Category: Combo List
Content: A threat actor is sharing a combo list of 1,906 Hotmail credentials described as valid hits. The post indicates credentials are from mixed mail sources and stored on a private cloud. Access to the list is gated behind forum registration or login.
Date: 2026-05-05T16:52:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-1906x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of 1.5 million QRIS database records – Indonesia
Category: Data Leak
Content: Threat actor xyph0rix posted on Breachforums claiming a leak of 1.5 million records from QRIS (Quick Response Code Indonesian Standard), Indonesias national QR code payment system. This represents a critical compromise of financial transaction infrastructure.
Date: 2026-05-05T16:45:20Z
Network: telegram
Published URL: https://t.me/Xyph0rix/302
Screenshots:
None
Threat Actors: xyph0rix
Victim Country: Indonesia
Victim Industry: Financial Services/Payment Systems
Victim Organization: QRIS
Victim Site: Unknown - Combo List: 1,888 Fresh Hotmail Credential Hits
Category: Combo List
Content: A threat actor is distributing a combo list of 1,888 Hotmail credential hits, marketed as fresh and private. The list is gated behind a reply requirement on the forum. This appears to be a credential stuffing list targeting Hotmail accounts.
Date: 2026-05-05T16:43:29Z
Network: openweb
Published URL: https://altenens.is/threads/check-mark-buttoncheck-mark-button-1888x-fresh-private-hotmail-hits-check-mark-button-check-mark-button.2935018/unread
Screenshots:
None
Threat Actors: Angiecrax
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail combo list with 600 fresh valid credentials
Category: Combo List
Content: A forum user is distributing a combo list containing 600 Hotmail credentials marketed as fresh and valid. Access to the list is gated behind a reply requirement. The credentials are intended for credential stuffing rather than representing a breach of Hotmail itself.
Date: 2026-05-05T16:43:01Z
Network: openweb
Published URL: https://altenens.is/threads/sparkles-600x-fresh-hotmail-valid-sparkles.2935020/unread
Screenshots:
None
Threat Actors: Sellix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Adelante Soluciones Financieras (Addi.com)
Category: Data Leak
Content: Threat actor ShinyHunters claims to have leaked over 16 million records from Adelante Soluciones Financieras (Addi.com), comprising PII, financial/transaction data including credit cards, KYC data, and background check data sourced from TransUnion and Experian. The data, reportedly 518GB compressed, was made freely available on BreachForums after the company allegedly failed to reach an agreement with the actors. The post implies a prior extortion attempt.
Date: 2026-05-05T16:42:16Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-Adelante-Soluciones-Financieras-Addi-com
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Adelante Soluciones Financieras
Victim Site: addi.com - Alleged data breach of US Chamber of Commerce
Category: Data Breach
Content: A threat actor is selling an alleged database of US Chamber of Commerce members containing 7.58 million records. The dataset reportedly includes full names, addresses, phone numbers, email addresses, dates of birth, gender, IP addresses, and asset class information. The data is offered in XLSX format via private message.
Date: 2026-05-05T16:37:48Z
Network: openweb
Published URL: https://breached.st/threads/uschamber-com-us-chamber-of-commerce-members-type-usa-business-registry-professional-identity.86818/unread
Screenshots:
None
Threat Actors: DataSellers
Victim Country: United States
Victim Industry: Government
Victim Organization: US Chamber of Commerce
Victim Site: uschamber.com - Combo List: Hotmail credentials (485 accounts)
Category: Combo List
Content: A threat actor is sharing a combo list of 485 Hotmail email account credentials. The content is hidden behind a registration or login wall on the forum. These credentials are intended for use in credential stuffing or account takeover attempts against Hotmail accounts.
Date: 2026-05-05T16:17:31Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%90485-hotmail-mail-access-%E2%AD%90
Screenshots:
None
Threat Actors: agha24
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Hotmail combo list of 1.5K valid email addresses
Category: Combo List
Content: A threat actor shared a combo list containing 1,500 Hotmail email addresses marketed as valid. The content is hidden behind a reply gate on the forum.
Date: 2026-05-05T16:11:25Z
Network: openweb
Published URL: https://altenens.is/threads/1-5k-hotmail-just-valid-mail-05-05.2935001/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Advertisement for money-making tutorials via Telegram
Category: Alert
Content: A forum post advertises free money-making tutorials shared via a private Telegram group, claiming proven methods and access to a mentor. No specific threat activity, victim organization, or stolen data is referenced. The post appears to be a promotional or social engineering recruitment advertisement.
Date: 2026-05-05T16:06:29Z
Network: openweb
Published URL: https://altenens.is/threads/discover-free-money-making-tutorials-fire.2934995/unread
Screenshots:
None
Threat Actors: Bedggood
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of VPS and RDP hosting services
Category: Services
Content: A forum user is advertising VPS and RDP hosting services available across multiple global locations. The seller claims instant delivery, high performance, low latency, and 99.9% uptime at competitive prices. Orders are fulfilled via a Telegram bot or direct contact.
Date: 2026-05-05T16:05:26Z
Network: openweb
Published URL: https://altenens.is/threads/vps-rdp-for-sale-all-locations.2935000/unread
Screenshots:
None
Threat Actors: Aleroo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free South Korea Email Combo List (Batch 22/100)
Category: Combo List
Content: A threat actor has freely distributed a batch of South Korean email credentials, labeled as batch 22 of 100, on a cybercrime forum. The content is hidden behind a registration/login wall. No further details on record count or targeted services are provided.
Date: 2026-05-05T15:44:26Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-free-premium-south-korea-email-list-batch-22-100
Screenshots:
None
Threat Actors: emaildbpro
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list of 1,729 Hotmail credentials distributed on forum
Category: Combo List
Content: A threat actor shared a combo list of 1,729 Hotmail credentials on a forum. The content is gated behind registration or login. No further details about the data origin or verification status are available.
Date: 2026-05-05T15:43:18Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%EF%B8%8F-1729x-verity-vault-hotmail-drop-%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: RyuuMaster
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor is distributing a combo list of over 2,000 Hotmail credentials described as valid and verified through a checker tool. The content is gated behind registration or login on the forum.
Date: 2026-05-05T15:42:37Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-uhq-hotmails-2k-valid-straight-from-checker
Screenshots:
None
Threat Actors: SASUKE756
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List: Hotmail UHQ credentials by NightFallCloud
Category: Combo List
Content: A threat actor known as NightFallCloud is distributing a combo list of approximately 900,000 Hotmail credentials, marketed as fresh and updated with 10,000–20,000 new lines daily. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-05T15:42:06Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9A%A1900k-hotmail-uhq-nightfall-cloud
Screenshots:
None
Threat Actors: NightFallCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free distribution of Hotmail combo list by @Kommander0
Category: Combo List
Content: A combo list of approximately 2,000 Hotmail credentials, marketed as fully valid, was shared on a forum by AnticaCloud and attributed to @Kommander0. The content is hidden behind a registration/login wall.
Date: 2026-05-05T15:41:34Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-2k-hotmail-full-valid-by-kommander0-05-05
Screenshots:
None
Threat Actors: AnticaCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Free Hotmail combo list with 1,980 credentials
Category: Combo List
Content: A threat actor is distributing a combo list containing 1,980 Hotmail credentials marketed as fresh. The content is gated behind registration or login on the forum. Hotmail is a credential-stuffing target, not the breach victim.
Date: 2026-05-05T15:40:45Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-1980x-FRESH-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Nulled07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of UHQ mix combo list including Hotmail and private cloud credentials
Category: Combo List
Content: A threat actor is offering a combo list of 1,653 claimed valid credentials described as a UHQ mix including Hotmail and private cloud accounts. The content is gated behind forum registration or login and the seller directs interested parties to a Telegram contact.
Date: 2026-05-05T15:40:16Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-X1653-Valid-UHQ-Mix-%E2%9A%A1%E2%9A%A1–20109
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of UHQ mixed credential combo list
Category: Combo List
Content: A threat actor is offering a combo list of 1,653 claimed valid mixed credentials, including Hotmail accounts, marketed as UHQ (ultra-high quality). The content is gated behind a forum login and promoted via a Telegram channel.
Date: 2026-05-05T15:40:06Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1653-Valid-UHQ-Mix-%E2%9A%A1%E2%9A%A1–202920
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail combo list
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 980 Hotmail credentials, marketed as private and fresh. The content is gated behind forum registration or login. The actor references a Telegram handle for further contact.
Date: 2026-05-05T15:39:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-980x-%E2%AD%90%E2%AD%90-FRESH-HQ-HOTMAIL-%E2%AD%90%E2%AD%90
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - La Ville de Quiberon victime d’une cyberattaque
Category: Cyber Attack
Content: La Ville de Quiberon a été victime dune cyberattaque qui a affecté son système informatique, comme la annoncé la commune. Des perturbations temporaires des services municipaux sont signalées, incitant les usagers à reporter leurs démarches non urgentes., précisent les autorités locales qui ont mobilisé des équipes pour maintenir la continuité du service public.
Date: 2026-05-05T15:39:35Z
Network: openweb
Published URL: https://www.letelegramme.fr/morbihan/quiberon-56170/la-ville-de-quiberon-victime-dune-cyberattaque-7038733.php
Screenshots:
None
Threat Actors:
Victim Country: France
Victim Industry: Unknown
Victim Organization: Ville de Quiberon
Victim Site: quiberon.fr - ATT.NET targeted combo list of 139K credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 139,000 credentials targeted at ATT.NET accounts. The post offers a download link requiring forum replies and also advertises broader credential sales including AOL, Yahoo, Hotmail, and regional lists via Telegram.
Date: 2026-05-05T15:31:38Z
Network: openweb
Published URL: https://altenens.is/threads/139k-att-net-targeted-combolist.2934960/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of WordPress Hosting Instance by CAC./Ohang of CyberOprationCulture
Category: Defacement
Content: On May 5, 2026, a threat actor identified as CAC./Ohang, affiliated with the group CyberOprationCulture, defaced a WordPress instance hosted on the iContainer Cloud platform. The targeted subdomain appears to be a VPS panel hosted environment rather than a primary organizational website. The defacement was not classified as a mass or home defacement, suggesting a targeted compromise of this specific hosted instance.
Date: 2026-05-05T15:27:22Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248874
Screenshots:
None
Threat Actors: CAC./Ohang, CyberOprationCulture
Victim Country: Unknown
Victim Industry: Web Hosting / Cloud Services
Victim Organization: iContainer Cloud
Victim Site: wordpress.vps7284.panel.icontainer.cloud - Alleged data leak of Indonesian citizen records
Category: Data Leak
Content: A threat actor claims to be freely distributing a collection of personal data belonging to Indonesian citizens. The post includes a sample and a free download link, but no further details about the source or record count are provided.
Date: 2026-05-05T15:25:54Z
Network: openweb
Published URL: https://breached.st/threads/collection-of-all-data-of-members-of-the-country-of-indonesia.86817/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown - Alleged collection and distribution of personal data of Indonesian citizens
Category: Data Leak
Content: A user identified as jax7 on Breachforums has posted a thread claiming to have collected and is distributing personal data of members/citizens from Indonesia. The breach thread is hosted on breached.st and appears to contain aggregated personal information.
Date: 2026-05-05T15:20:48Z
Network: telegram
Published URL: https://t.me/byjax7/511
Screenshots:
None
Threat Actors: jax7
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged distribution of 4 million URL-login-password credential records
Category: Combo List
Content: A forum user on XF shared a post advertising a collection of approximately 4 million URL, login, and password credential pairs. The content appears to be a combo list made available to registered forum members. No specific victim organization or targeted service was identified in the post.
Date: 2026-05-05T15:12:02Z
Network: openweb
Published URL: https://xforums.st/threads/4-million-url-login-pass.612266/
Screenshots:
None
Threat Actors: roseulp
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Mass Website Defacement of demonext.net by Threat Actor maw3six
Category: Defacement
Content: Threat actor maw3six conducted a mass defacement attack against demonext.net, targeting the page at /maw.html on May 5, 2026. The attack is classified as a mass defacement, suggesting multiple pages or sites were compromised as part of the same campaign. The attacker operated independently without an affiliated team, and technical details regarding the server environment remain unknown.
Date: 2026-05-05T15:10:08Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248872
Screenshots:
None
Threat Actors: maw3six
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Demonext
Victim Site: demonext.net - Alleged leak of 98,962 Twitter Premium user records with ENS domains and Ethereum wallet addresses
Category: Data Leak
Content: A dataset containing 98,962 Twitter Premium user records has been shared, including display names, Twitter handles, follower counts, verification status, and associated Ethereum wallet addresses. The dataset was curated by @xorcat and includes 455 verified accounts with a combined follower reach of 200+ million. This represents a significant privacy breach exposing both social media and cryptocurrency wallet information.
Date: 2026-05-05T15:10:03Z
Network: telegram
Published URL: https://t.me/c/3793980891/3307
Screenshots:
None
Threat Actors: xorcat
Victim Country: Unknown
Victim Industry: Social Media
Victim Organization: Twitter
Victim Site: twitter.com - Website Defacement of RSC Nagpur Government Portal by maw3six
Category: Defacement
Content: On May 5, 2026, a threat actor operating under the alias maw3six defaced a page on the Indian government website rscnagpur.gov.in, which belongs to the Regional Science Centre Nagpur. The attack targeted a non-homepage URL on a Linux-based server and was a standalone, non-mass defacement incident with no stated motive. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-05T15:08:02Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248873
Screenshots:
None
Threat Actors: maw3six
Victim Country: India
Victim Industry: Government
Victim Organization: Regional Science Centre Nagpur
Victim Site: rscnagpur.gov.in - Alleged Data Leak of Kota Magelang Database
Category: Data Leak
Content: A threat actor operating under the alias JAX7 has shared what is alleged to be a database belonging to Kota Magelang, a municipal government entity in Indonesia. The post includes a sample code section, though the content of the sample is not specified in the available post data. No pricing information is mentioned, suggesting the data may have been freely distributed.
Date: 2026-05-05T15:03:22Z
Network: openweb
Published URL: https://breached.st/threads/database-kota-magelang.86816/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kota Magelang
Victim Site: Unknown - Alleged Hotmail combo list shared on cybercrime forum
Category: Combo List
Content: A threat actor on the PT – Combolist forum shared what is described as a high-quality Hotmail combo list containing approximately 6,554 credential pairs. The post provides a hidden download link for the alleged access credentials. This is a credential stuffing list targeting Hotmail accounts and does not represent a breach of the Hotmail service itself.
Date: 2026-05-05T14:44:14Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-6554x%F0%9F%8C%B8hq-hotmail%F0%9F%8C%B8access%F0%9F%8C%B8
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 1.3K Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias TraxGod shared a combo list purportedly containing approximately 1,300 Hotmail email account credentials on the PT – Combolist forum. The post describes the content as HOTMAIL VIP CLOUD and references old data. Access to the content requires forum registration or login.
Date: 2026-05-05T14:43:24Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%8D%80%E2%9C%A81-3k-hotmail-mail-access%E2%9C%A8%F0%9F%8D%80-04-05-299042
Screenshots:
None
Threat Actors: TraxGod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Fresh Stealer Logs (1.7 GB)
Category: Logs
Content: A threat actor operating under the alias blackcloudd is offering 1.7 GB of stealer logs dated 05-05-2026 on the PT forum. The content is hidden behind a registration or login wall, limiting visibility into specific targets or data fields. The logs are marketed as fresh, suggesting recently harvested stealer output.
Date: 2026-05-05T14:43:15Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%90%EF%B8%8Flogs-fresh-1-7-gb-from-05-05-2026%E2%AD%90%EF%B8%8F-%E2%98%81
Screenshots:
None
Threat Actors: blackcloudd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sample Hotmail combo list shared on cybercrime forum
Category: Combo List
Content: A threat actor using the alias Stevejobs shared a sample combo list of 960 Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting visibility into the datas format or origin. The post is consistent with credential stuffing list distribution targeting Hotmail accounts.
Date: 2026-05-05T14:42:27Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-960x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1–20104
Screenshots:
None
Threat Actors: Stevejobs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Hotmail combo list offered via GoodTimes Cloud
Category: Combo List
Content: A threat actor operating under the alias Lexser is sharing a combo list of approximately 700 Hotmail credentials, marketed as fresh and UHQ (ultra-high quality). The content is hosted on GoodTimes Cloud and distributed via a public Telegram channel, with access gated behind forum registration or login.
Date: 2026-05-05T14:42:05Z
Network: openweb
Published URL: https://leakforum.io/Thread-%E2%8E%9D-700-%E2%8E%A0-HOTMAIL-FRESH-UHQ%E2%9C%A8GOODTIMES-CLOD
Screenshots:
None
Threat Actors: Lexser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list of mixed credentials shared on cybercrime forum
Category: Combo List
Content: A user identified as erwinn91, attributed to @Stevee36, shared a combo list described as HQ Mix containing approximately 1,765 credential pairs on a cybercrime forum. The content is hidden behind a registration or login wall, limiting direct inspection of the data. No specific targeted organization or service is identified in the post.
Date: 2026-05-05T14:41:26Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1765-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Stevee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged compromise of Ukrainian construction materials warehouse surveillance system by NoName057(16)
Category: Cyber Attack
Content: Russian threat actor NoName057(16) claims successful intrusion into CCTV surveillance system of Ukrainian construction materials warehouse. Attacker claims full real-time access to 15 cameras monitoring logistics operations, personnel, and vehicle movements. Post indicates ongoing surveillance of Ukrainian rear-area infrastructure as part of coordinated cyber operations against Ukraine.
Date: 2026-05-05T14:41:09Z
Network: telegram
Published URL: https://t.me/nnm05716rusvers/371
Screenshots:
None
Threat Actors: NoName057(16)
Victim Country: Ukraine
Victim Industry: Logistics/Supply Chain/Construction Materials
Victim Organization: Ukrainian construction materials warehouse (unnamed)
Victim Site: Unknown - Sale of URL:Login:Pass Credential Log Dataset Containing 18.8 Million Lines
Category: Logs
Content: A threat actor on BreachForums is offering a URL:Login:Pass dataset advertised as containing approximately 18.856 million lines totaling 1GB in size. The post is categorized as stealer logs, indicating the credentials were likely harvested via info-stealer malware. No specific victim organization or targeted service is identified in the available post content.
Date: 2026-05-05T14:38:57Z
Network: openweb
Published URL: https://breachforums.rs/Thread-URL-LOGIN-PASS-Url-Log-Pass-18-856-659-M%C4%B1ll%C4%B1on-L%C4%B1nes-1gb
Screenshots:
None
Threat Actors: Marat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Fraudulent Money Transfers and Stolen Payment Cards Across Multiple Platforms
Category: Carding
Content: A threat actor operating under the alias Sogosstate23 is advertising fraudulent money transfers via CashApp, PayPal, Western Union, Apple Pay, and Revolut targeting multiple countries, with transfer tiers ranging from $25 to $650 input for purported $250 to $6,500 output. The actor is also selling stolen credit and debit cards for $10 each, advertised as having balances between $1,000 and $8,000 and suitable for online purchases, bill payments, and phone orders. Payments are accepted exclusive
Date: 2026-05-05T14:36:49Z
Network: openweb
Published URL: https://altenens.is/threads/hello-im-active-envelopeand-i-am-doing-transfers-to-all-countries-seven-oclock-cashapp-credit-cardtransfers-usa-uk-25-250-test-run-35-350-45-450-55-550-65-650-g.2934920/unread
Screenshots:
None
Threat Actors: Sogosstate23
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of automated cryptocurrency faucet bot supporting 24+ faucets and 8 cryptocurrencies
Category: Services
Content: A threat actor on AE – Cracking Tools forum is advertising a desktop application called Crypto Faucet Bot designed to automate interactions with over 24 cryptocurrency faucets across 8 supported cryptocurrencies including BTC, ETH, DOGE, LTC, USDT, XRP, ADA, and SOL. The tool is advertised as capable of intelligent request distribution and simulation of stable network activity to harvest faucet rewards. Download links are provided within the post.
Date: 2026-05-05T14:36:01Z
Network: openweb
Published URL: https://altenens.is/threads/faucet-bot-24-connected-faucets-btc-eth-doge-ltc-usdt-xrp-ada-sol.2934894/unread
Screenshots:
None
Threat Actors: ananalbzoor
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor known as liamgoat is sharing a combo list purportedly containing approximately 200 Hotmail email:password credential pairs. The content is described as high quality (HQ) and is intended for mail access use, consistent with credential stuffing activity. The actual post content is hidden behind a registration or login requirement.
Date: 2026-05-05T14:07:52Z
Network: openweb
Published URL: https://patched.to/Thread-0-2k-hq-hotmail-mail-access-combolist-299013
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 54 million URL-login-password credentials shared across mixed categories
Category: Combo List
Content: A threat actor operating under the alias dadazone shared an alleged combo list containing approximately 54 million URL-login-password (ULP) credential pairs described as covering mixed categories. The post was published on the Patched.to forum and requires registration or login to access the hidden content. No specific victim organization or targeted service was identified in the visible post metadata.
Date: 2026-05-05T14:07:32Z
Network: openweb
Published URL: https://patched.to/Thread-54m-ulp-target-url-logg-pass-mix-categories-by-dadazone-v2
Screenshots:
None
Threat Actors: dadazone
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias liamgoat is advertising a combo list of approximately 500 mixed mail access credentials on a cybercrime forum. The list is described as high quality and contains credentials across multiple mail providers. The actual content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-05T14:07:24Z
Network: openweb
Published URL: https://patched.to/Thread-0-5k-hq-mixed-mail-access-combolist-299018
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias agha24 is offering a mixed mail access combo list containing approximately 4,000 entries on a cybercrime forum. The list is described as mixed, suggesting credentials spanning multiple email providers. The actual content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-05T14:07:05Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%904k-mixed-mail-access-%E2%AD%90
Screenshots:
None
Threat Actors: agha24
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail combo list with 6,000 credentials
Category: Combo List
Content: A threat actor on a leak forum is offering a combo list of approximately 6,000 Hotmail credentials, advertised as high quality. The content is gated behind forum registration or login, limiting visibility into specifics. This represents a credential stuffing resource targeting Hotmail accounts, not a breach of the email provider itself.
Date: 2026-05-05T14:06:37Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-6000x-%E2%9A%A1HQ-HOTMAIL%E2%9A%A1ACCESS%E2%9A%A1
Screenshots:
None
Threat Actors: RedHat29
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias RedHat29 is offering a mixed mail access combo list containing approximately 2,400 entries on a leak forum. The post is gated behind a registration or login requirement, limiting visibility into specific details such as targeted services or pricing. The listing appears to advertise credential pairs sourced from multiple mail providers.
Date: 2026-05-05T14:06:13Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-2400x%E2%9A%A1MIX-MAIL%E2%9A%A1ACCESS%E2%9A%A1
Screenshots:
None
Threat Actors: RedHat29
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged mixed combo list on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Flexedz is sharing a mixed combo list described as UHQ (ultra-high quality) and valid on the PT forum. The content is hidden behind a registration or login requirement, limiting visibility into specifics such as record count or targeted services. No further details regarding origin, scope, or associated breach are provided in the post.
Date: 2026-05-05T14:06:00Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-good-mix-valid-private-uhq-05-05-2026-299030
Screenshots:
None
Threat Actors: Flexedz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of mixed mail access credentials
Category: Combo List
Content: A forum user on a leak forum is sharing a combo list advertised as containing approximately 6,100 mixed mail access credentials described as UHQ (ultra-high quality). The content is hidden behind a registration or login requirement, limiting visibility into specific targets or data fields.
Date: 2026-05-05T14:05:48Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-6-1K-UHQ-MIX-MAIL-ACCESS
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of HQ Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias RedHat29 is offering a combo list described as HQ MIX MAIL ACCESS containing approximately 4,607 entries on a leak forum. The post is gated behind a login or registration wall, limiting visibility into specific details. The listing appears to advertise mixed email credentials marketed for account access purposes.
Date: 2026-05-05T14:05:27Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-4607x%E2%9A%A1HQ-MIX-MAIL%E2%9A%A1ACCESS%E2%9A%A1
Screenshots:
None
Threat Actors: RedHat29
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Hotmail credentials advertised on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias MeiMisaki is distributing a combo list of approximately 1,900 Hotmail credentials on a cybercrime forum. The post is gated behind a registration or login requirement, limiting visibility into the full contents. The credentials are marketed as ultra-high quality (UHQ) and presented as valid for access to Hotmail accounts.
Date: 2026-05-05T14:04:55Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-1-9K-%E2%80%8D%E2%AC%9BUHQ-HOTMAIL-%E2%80%8D%E2%AC%9BACCESS-%E2%80%8D%E2%AC%9B
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of stealer logs (300 MB, dated May 2026)
Category: Logs
Content: A threat actor operating under the alias blackcloud is offering approximately 300 MB of stealer logs on an underground forum, claimed to be dated May 5, 2026. The post is gated behind a registration requirement, limiting visibility into specific victims or data fields. No further details regarding targeted organizations, geographic scope, or pricing are available from the post.
Date: 2026-05-05T14:02:28Z
Network: openweb
Published URL: https://xforums.st/threads/logs-fresh-300-mb-from-05-05-2026.612263/
Screenshots:
None
Threat Actors: blackcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Stealer Logs (2.1 GB)
Category: Logs
Content: A threat actor operating under the alias blackcloud is offering 2.1 GB of stealer logs dated 05-05-2026 on an underground forum. The post is gated behind registration, limiting visibility into specific contents or targeted services. The logs are marketed as fresh, suggesting recent collection.
Date: 2026-05-05T14:01:54Z
Network: openweb
Published URL: https://xforums.st/threads/logs-fresh-2-1-gb-from-05-05-2026.612264/
Screenshots:
None
Threat Actors: blackcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of hzco.com.pk by Muynakhackers00
Category: Data Breach
Content: A threat actor identified as Muynakhackers00 claims to have breached hzco.com.pk and has shared a partial SQL database dump on a breach forum. The exposed data includes records from an address book table containing contact names, phone numbers, email addresses, company names, and associated metadata such as creation timestamps and user accounts. The dump references multiple real individuals and organizations, including entries with email addresses tied to the hzco.com.pk domain.
Date: 2026-05-05T13:55:26Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-hzco-com-pk-hacked-by-Muynakhackers00
Screenshots:
None
Threat Actors: muynakhackers00
Victim Country: Pakistan
Victim Industry: Unknown
Victim Organization: HZCO
Victim Site: hzco.com.pk - Sale of stolen payment cards, bank logs, and fraudulent transfer services
Category: Carding
Content: A threat actor operating under the alias BigB0ris is selling stolen credit cards with full personal information, skimmed card dumps (101/201 bases), and bank logs with email access for institutions including Bank of America, Chase, Wells Fargo, Barclays, and NatWest. The actor also claims to offer fraudulent cash transfers via Cash App, Zelle, Western Union, and PayPal, as well as carding and online shopping services. Contact is solicited via Telegram handle @BigB0ris.
Date: 2026-05-05T13:52:16Z
Network: openweb
Published URL: https://altenens.is/threads/i-sell-fresh-update-cc-with-good-and-high-balance-of-7500-with-full-information-including-online-access-good-for-carding-online-shopping-online-and.2934856/unread
Screenshots:
None
Threat Actors: Milore
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown - Sale of 41K mail access combo list
Category: Logs
Content: A threat actor operating under the alias VegaMoon is distributing a combo list claimed to contain approximately 41,000 mail access credentials. The post is gated behind registration, limiting visibility into further details such as pricing or targeted mail providers. The credentials are advertised as valid mail account accesses.
Date: 2026-05-05T13:50:26Z
Network: openweb
Published URL: https://xforums.st/threads/41k-good-mail-access-combolist.612262/
Screenshots:
None
Threat Actors: VegaMoon
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of Indosains by Threat Actor Zod
Category: Defacement
Content: On May 5, 2026, threat actor Zod defaced the website indosains.co.id, an Indonesian science or education-related platform, by replacing a page with attacker-controlled content. The attack targeted a Linux-based server and was a targeted single-page defacement rather than a mass or home page compromise. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-05T13:49:41Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248871
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Indonesia
Victim Industry: Education / Science
Victim Organization: Indosains
Victim Site: indosains.co.id - Website Defacement of ICE Computer by Threat Actor Zod
Category: Defacement
Content: On May 5, 2026, threat actor Zod defaced a page on icecomputer.com.mm, a computer services company based in Myanmar. The attack targeted a specific subpage rather than the homepage and was conducted on a Linux-based server. The defacement was an isolated, single-site incident attributed solely to the actor known as Zod.
Date: 2026-05-05T13:46:41Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248870
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Myanmar
Victim Industry: Technology / Computer Services
Victim Organization: ICE Computer
Victim Site: icecomputer.com.mm - Alleged Compromise of Ukrainian Warehouse Video Surveillance System with Real-Time Camera Access
Category: Cyber Attack
Content: Threat actor claims successful penetration of a Ukrainian building materials warehouses video surveillance system, gaining full real-time access to 15 cameras. The actor states they are monitoring logistics operations, personnel movement, and material handling. The post includes derogatory comments about Ukrainian security and references to ongoing surveillance of enemy rear facilities, suggesting state-sponsored or state-aligned cyber operations targeting Ukrainian infrastructure.
Date: 2026-05-05T13:31:08Z
Network: telegram
Published URL: https://t.me/c/3087552512/1885
Screenshots:
None
Threat Actors: NoName057(16)
Victim Country: Ukraine
Victim Industry: Logistics/Warehousing
Victim Organization: Ukrainian building materials warehouse
Victim Site: Unknown - Combo List of Alleged Valid Hotmail Credentials Shared on Forum
Category: Combo List
Content: A threat actor operating under the alias Katanat shared a combo list advertised as containing approximately 700 valid Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login wall, limiting direct verification. The post markets the credentials as fully valid, suggesting prior testing against the Hotmail service.
Date: 2026-05-05T13:28:53Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-hotmail-0-7k%E2%9C%85%E2%9C%85%E2%9C%85
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias TraxGod shared a combo list purportedly containing 964 Hotmail email credentials on a cybercrime forum. The content is described as old data and is gated behind registration or login. The post encourages community engagement via likes and reputation points.
Date: 2026-05-05T13:28:22Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%EF%B8%8F%F0%9F%8D%80×964-hotmail-mail-access%F0%9F%8D%80%E2%9A%A1%EF%B8%8F-03-05
Screenshots:
None
Threat Actors: TraxGod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 3,268 Hotmail credentials shared on forum
Category: Combo List
Content: A threat actor operating under the alias martcloud shared a combo list purportedly containing 3,268 Hotmail credentials marketed as fresh. The content is hidden behind a registration or login requirement on the forum. This represents a credential stuffing resource targeting Hotmail accounts, not a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-05T13:28:04Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-3268-full-fresh-hotmails
Screenshots:
None
Threat Actors: martcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List Drop Targeting Gaming, Social Media, Crypto, and Shopping Platforms
Category: Combo List
Content: A threat actor operating under the alias Lavivalda13 shared a combo list of approximately 500,000 credentials on the PT – Combolist forum. The list is marketed as fresh and claimed to cover gaming, social media, cryptocurrency, and shopping platforms. The actual content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-05T13:27:36Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-500k-gaming-social-media-crypto-shopping-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 1,700 Hotmail credentials offered on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias MeiMisaki is sharing a combo list purportedly containing approximately 1,700 Hotmail account credentials on a cybercrime forum. The post is gated behind a registration or login requirement, limiting visibility of the full content. Hotmail is referenced as the credential-stuffing target, not as the source of a breach.
Date: 2026-05-05T13:26:41Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-1700x-HOTMAIL-ACCESS
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged UHQ mixed mail access combo list (18K credentials)
Category: Combo List
Content: A threat actor on a leakforum is offering what they claim to be 18,000 ultra-high-quality (UHQ) mixed mail access credentials. The content is gated behind registration or login, limiting visibility into specific details. The post is categorized as a combo list targeting mixed email services.
Date: 2026-05-05T13:26:15Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-18K-UHQ-MIX-MAIL-ACCESS
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Data Leak of kbroapp.com – Full CRM and Accounting Database Including 326,000+ Customer Records
Category: Data Leak
Content: A threat actor operating under the alias CC-GuRu claims to have leaked a full MySQL database dump from kbroapp.com, a CRM and accounting platform serving auto hail repair businesses in the United States. The approximately 3GB dataset allegedly contains 326,000+ customer property records including full names, addresses, phone numbers, email addresses, GPS coordinates, property values, and insurance claim numbers, as well as affiliate company profiles and accounts payable/receivable data. The data
Date: 2026-05-05T13:26:01Z
Network: openweb
Published URL: https://darkpro.net/threads/database-kbroapp-com-%E2%80%93-full-crm-accounting-database-leak-hail-valet-auto-hail-repair-40-000.23038/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: United States
Victim Industry: Automotive Services
Victim Organization: KBro App
Victim Site: kbroapp.com - Sale of Hotmail combo list on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias RedHat29 is offering a combo list of approximately 3,000 Hotmail credentials on a cybercrime forum. The post is gated behind a login or registration wall, limiting visibility into the full contents or validity of the data. The credentials are marketed as high quality and intended for use against Hotmail accounts.
Date: 2026-05-05T13:25:48Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-3000x%E2%9A%A1HQ-HOTMAIL%E2%9A%A1ACCESS%E2%9A%A1
Screenshots:
None
Threat Actors: RedHat29
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Blue Sea Service cargo company emails
Category: Data Leak
Content: A threat actor known as CC-GuRu leaked 8,161 emails and 59 attachments allegedly retrieved from blueseaservice.com, a US-based cargo shipping company. The data was made available for free download on the DP – Database Leaks forum. The post includes extraction logs indicating the data was obtained via an automated harvesting process completed in approximately 1,101 seconds with no errors reported.
Date: 2026-05-05T13:25:44Z
Network: openweb
Published URL: https://darkpro.net/threads/documents-8161-emails-from-a-us-cargo-ship.23039/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: United States
Victim Industry: Transportation
Victim Organization: Blue Sea Service
Victim Site: blueseaservice.com - Alleged data leak of Bitmart cryptocurrency platform email database
Category: Data Leak
Content: A threat actor on a dark web forum has made available an alleged email database associated with Bitmart, a cryptocurrency exchange platform, containing approximately 657,000 records. The post includes a download link for the dataset. No additional details regarding the data fields, breach vector, or timeline are provided in the post.
Date: 2026-05-05T13:25:26Z
Network: openweb
Published URL: https://darkpro.net/threads/database-657k-bitmart-crypto-email-database.23040/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Bitmart
Victim Site: bitmart.com - Sale of alleged worldwide email database containing 107.8 million records
Category: Combo List
Content: A threat actor operating under the aliases RoulettGun and RevangantEng360 is offering for sale a self-described worldwide mail database containing approximately 107.8 million records. The dataset is reported to be 3.5GB in size and is priced at $500. No specific breached organization is identified; the post is consistent with a compiled email-based combo list.
Date: 2026-05-05T13:25:09Z
Network: openweb
Published URL: https://darkpro.net/threads/107-8m-worldwide-mail-database.23041/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list of Hotmail credentials targeting users from USA, Europe, Asia, and Russia
Category: Combo List
Content: A threat actor operating under the alias Larry_Uchiha shared a combo list on the AE forum containing approximately 2,600 Hotmail credentials. The list reportedly includes accounts associated with users from the United States, Europe, Asia, and Russia. Access to the combo list is gated behind a reply requirement, with distribution linked via Telegram.
Date: 2026-05-05T13:22:16Z
Network: openweb
Published URL: https://altenens.is/threads/2-600x-hotmail-access-combo-usa-europe-asia-russian.2934816/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Mix email combo list shared on underground forum
Category: Combo List
Content: A threat actor operating under the alias Larry_Uchiha shared a mixed email combo list on the AE forum, reportedly containing credentials for multiple email providers including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live. The content is gated behind a reply requirement and distributed via Telegram. No specific record count or breach source was disclosed.
Date: 2026-05-05T13:21:42Z
Network: openweb
Published URL: https://altenens.is/threads/mix-mail-combo-hotmail-outlook-aol-gmx-inbox-icloud-live-2026-5-2.2934819/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list of 35,000 mixed email access credentials shared on forum
Category: Combo List
Content: A threat actor operating under the alias Megacloud shared a combo list advertised as containing 35,000 fully valid mixed email access credentials on the AE forum. The post is dated May 5 and requires forum engagement to access the hidden download link. No specific targeted organization or service is identified in the post.
Date: 2026-05-05T13:21:10Z
Network: openweb
Published URL: https://altenens.is/threads/35k-full-valid-mail-access-mix-05-05.2934821/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of shell access, cPanel/WHM admin panels, and hacking tools
Category: Initial Access
Content: Threat actor advertising the sale of shell access, WordPress admin credentials, cPanel/WHM administrative access, and class privilege escalation tools. Contact available via Telegram (@person131) for direct messaging to purchase.
Date: 2026-05-05T13:13:02Z
Network: telegram
Published URL: https://t.me/DeepCoreNetwork/85
Screenshots:
None
Threat Actors: person131
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged database breach of Kabupaten Gresik
Category: Data Breach
Content: A Breachforums user (JAX7) has posted a thread claiming to have breached and leaked a database belonging to Kabupaten Gresik (Gresik Regency), an Indonesian local government administrative division. The breach is being discussed and shared on the Breachforums platform.
Date: 2026-05-05T13:12:56Z
Network: telegram
Published URL: https://t.me/byjax7/509
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kabupaten Gresik
Victim Site: Unknown - Alleged data leak of Kabupaten Gresik government database
Category: Data Leak
Content: A threat actor identified as Jax7 leaked a database allegedly belonging to Kabupaten Gresik, a regional government entity in Indonesia. The data was shared in XLSX format and made available for free download via MediaFire. No record count or specific data fields were disclosed in the post.
Date: 2026-05-05T13:12:40Z
Network: openweb
Published URL: https://breached.st/threads/database-kabupaten-gresik.86813/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kabupaten Gresik
Victim Site: Unknown - Alleged data leak of Adcash
Category: Data Leak
Content: A threat actor operating under the alias Mr.ZeroPhx100 claims to have leaked a database associated with Adcash, an online advertising platform. The post was shared on the Breached forum under the Databases section. No further details regarding record count, data fields, or method of compromise are provided in the post.
Date: 2026-05-05T13:12:06Z
Network: openweb
Published URL: https://breached.st/threads/database-adcash.86814/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Unknown
Victim Industry: Advertising
Victim Organization: Adcash
Victim Site: adcash.com - Alleged sale of mail access, RDP accounts, and stolen payment card data
Category: Initial Access
Content: Multiple threat actors advertising illegal access and stolen data services including: mail access (Gmail, Yahoo, domain accounts) across multiple countries (FR, BE, AU, CA, UK, US, NL, PL, DE, JP); RDP rental for Azure, AWS, DigitalOcean; and stolen payment card data (75-95% validity) with daily inventory of 100,000+ cards from US, Canada, UK and global regions. Pepecard operating as card shop with pricing starting at $1 USD cards and $1.50 for international cards.
Date: 2026-05-05T12:57:59Z
Network: telegram
Published URL: https://t.me/c/2613583520/76014
Screenshots:
None
Threat Actors: Dataxlogs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged distribution of mixed mail access combo list
Category: Combo List
Content: A threat actor operating under the alias @Kommander0 shared a combo list consisting of approximately 6,100 mixed email access credentials, distributed via the PT-Combolist forum. The content is hidden behind a registration or login requirement. No specific targeted organization or service is identified in the post.
Date: 2026-05-05T12:51:12Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-6-1k-mix-mail-access-by-kommander0-05-05
Screenshots:
None
Threat Actors: AnticaCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged mixed corporate and personal mail access combo list targeting USA and EU
Category: Combo List
Content: A threat actor operating under the alias TraxGod is offering a combo list of approximately 2,300 email access credentials described as a mix of USA, EU, and corporate mail accounts. The content is gated behind registration or login on the forum. The post is dated 03.05 and the actor characterizes the data as private and sourced from their own collection.
Date: 2026-05-05T12:50:21Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%EF%B8%8F%F0%9F%8D%802-3k-usa-eu-corp-mail-access-mix%F0%9F%8D%80%E2%9A%A1%EF%B8%8F-03-05
Screenshots:
None
Threat Actors: TraxGod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Hotmail combo list distribution
Category: Combo List
Content: A threat actor operating under the alias TraxGod is distributing a combo list of approximately 670 Hotmail mail access credentials, described as old data from a VIP cloud source. The content is hidden behind a forum registration or login requirement, suggesting it is offered as a free resource to registered members.
Date: 2026-05-05T12:50:02Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%EF%B8%8F%F0%9F%8D%80×670-hotmail-mail-access%F0%9F%8D%80%E2%9A%A1%EF%B8%8F-03-05
Screenshots:
None
Threat Actors: TraxGod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail Combo List with 49,000 Credentials
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo is offering a Hotmail-targeted combo list containing approximately 49,000 email and password pairs via a hidden content gate on a cybercrime forum. The post references a commercial storefront at unique-combo.shop, advertising combo lists for multiple countries and accepting custom requests. This material is intended for credential stuffing and is not indicative of a breach of Hotmail or Microsoft infrastructure.
Date: 2026-05-05T12:48:37Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-Hotmail-Unique-Combo-2-49000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of 500 Alleged Fresh Hotmail Credentials
Category: Combo List
Content: A threat actor on the AE forum is sharing a combo list containing 500 alleged valid Hotmail credentials, marketed as fresh. The content is gated behind a reply requirement, consistent with common forum-based credential distribution tactics.
Date: 2026-05-05T12:42:58Z
Network: openweb
Published URL: https://altenens.is/threads/sparkles-500x-fresh-hotmail-valid-sparkles.2934793/unread
Screenshots:
None
Threat Actors: Sellix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of compromised email accounts and database access across multiple countries
Category: Logs
Content: Threat actor offering sale of fresh database access including UK, DE, JP, NL, BR, PL, ES, US, IT and other countries with inbox access. Specifically advertising eBay, Offerup, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and Neosurf account access. Also offering private cloud HQ database with premium Hotmail and geo-specific datasets. Pricing mentioned: US cards at 1.2-2 per valid, other countries at 2.5-3 per valid.
Date: 2026-05-05T12:42:25Z
Network: telegram
Published URL: https://t.me/c/2613583520/76006
Screenshots:
None
Threat Actors: Num
Victim Country: Multiple countries (United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy, France, Belgium, Australia, Canada, Russia, Mexico, Singapore)
Victim Industry: Multiple (eBay, Amazon, Walmart, Uber, PSN, Booking, Poshmark, Alibaba, Mercari, Kleinanzeigen, Neosurf, Hotmail)
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged 28,000 valid German email credentials
Category: Logs
Content: A threat actor on XF forums is offering a combo list of approximately 28,000 alleged valid email access credentials targeting Germany, dated May 5. The post markets the credentials as fully valid mail access. No specific email provider or organization is identified as the breach source.
Date: 2026-05-05T12:39:58Z
Network: openweb
Published URL: https://xforums.st/threads/28k-germay-full-valid-mail-access-05-05.612259/
Screenshots:
None
Threat Actors: MegaCloud
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged mixed credential combo list with 250,000 entries
Category: Combo List
Content: A threat actor operating under the alias NullShop is offering a collection of approximately 250,000 mixed access credentials described as verified and fresh on a cybercrime forum. The content is gated behind registration or login, with an external paste link provided for additional releases. The credentials are marketed as high-quality hits suitable for testing or analysis.
Date: 2026-05-05T12:17:08Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-250-k-mix-access-valid-hit-fresh-%F0%9F%94%A5
Screenshots:
None
Threat Actors: NullShop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Katanat shared a combo list purportedly containing approximately 500 valid Hotmail credentials on the PT-Combolist forum. The content is hidden behind a registration or login requirement, limiting direct verification. The credentials are marketed as fully valid and may be intended for use in credential stuffing or account takeover activity.
Date: 2026-05-05T12:16:39Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-hotmail-0-5k%E2%9C%85%E2%9C%85%E2%9C%85
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list distribution targeting European mixed credentials
Category: Combo List
Content: A threat actor operating under the alias Katanat is sharing a combo list described as Full Valid EU Mix containing approximately 1,100 credential pairs. The content is hidden behind a registration or login requirement on the forum. The post targets European accounts with credentials marketed as valid.
Date: 2026-05-05T12:16:09Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-eu-mix-1-1k%E2%9C%85%E2%9C%85%E2%9C%85
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Distribution of EU Mixed Combo List
Category: Combo List
Content: A threat actor on the Patched.to forum has shared a combo list described as EU Mix containing approximately 1,400 entries. The content is hidden behind a login/registration gate. The post is marketed as fully valid credentials targeting European users.
Date: 2026-05-05T12:15:41Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-eu-mix-1-4k%E2%9C%85%E2%9C%85%E2%9C%85
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Distribution of EU Mixed Combo List
Category: Combo List
Content: A threat actor on a cybercrime forum is distributing a combo list described as EU Mix containing approximately 1,600 entries. The content is hidden behind a login or registration requirement. The credentials are advertised as fully valid and appear to target European users across mixed services.
Date: 2026-05-05T12:15:24Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-eu-mix-1-6k%E2%9C%85%E2%9C%85%E2%9C%85
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged distribution of mixed-access combo list with 9,000 valid credentials
Category: Combo List
Content: A threat actor operating under the alias JOYK shared a combo list on the PT – Combolist forum, claiming it contains approximately 9,000 valid mixed-access credentials. The content is hidden behind a registration or login requirement, limiting visibility into the specific services or platforms targeted. No further details regarding the origin or composition of the credentials were provided in the post.
Date: 2026-05-05T12:14:54Z
Network: openweb
Published URL: https://patched.to/Thread-9k-valid-mixed-access
Screenshots:
None
Threat Actors: JOYK
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo List of Hotmail Credentials Shared on Cybercrime Forum
Category: Combo List
Content: A threat actor operating under the handle Pirate999 shared a combo list purportedly containing 1,500 Hotmail credentials on the PT – Combolist forum. The credentials are marketed as high-quality and fresh. Access to the content requires registration or login on the forum.
Date: 2026-05-05T12:14:38Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%98%A2%EF%B8%8F-uhq-%E2%98%A2%EF%B8%8F-1-5k-prvt-hotmails-%E2%9C%A8-valid-fresh-%E2%9C%A8-298975
Screenshots:
None
Threat Actors: Pirate999
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 1,430 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias ELJOKER1 shared a combo list of 1,430 Hotmail email credentials on the PT – Combolist forum, described as valid mail access. The content is hidden behind a registration or login requirement. The credentials appear intended for use in credential stuffing or account takeover activity targeting Hotmail accounts.
Date: 2026-05-05T12:13:58Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%E2%9A%9C%EF%B8%8Fx1430-hotmail-mail-access-full-vaild-%E2%9A%9C%EF%B8%8F%E2%9C%A8-05-05
Screenshots:
None
Threat Actors: ELJOKER1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 5,000 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias RetroCloud has shared a combo list purportedly containing 5,000 high-quality Hotmail credential hits on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting direct verification of the claims. The credentials are marketed as high quality and intended for use in credential stuffing or account takeover activity against Hotmail accounts.
Date: 2026-05-05T12:13:27Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85-5k-hq-hotmail-hit-%E2%9C%85-298974
Screenshots:
None
Threat Actors: RetroCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias @Kommander0 has shared or is distributing a combo list of 715 allegedly valid Hotmail credentials, dated May 5. The content is hidden behind a registration or login wall on the forum. These credentials are marketed as fully valid and are intended for use in credential stuffing against Hotmail accounts.
Date: 2026-05-05T12:12:58Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-715x-hotmail-full-valid-by-kommander0-05-05
Screenshots:
None
Threat Actors: AnticaCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Athena HTTP Botnet Builder Malware Tool
Category: Malware
Content: A threat actor on DemonForums is advertising the Athena HTTP Botnet Builder (2026), a malware builder tool designed to create and manage HTTP-based botnets. The tool reportedly includes capabilities for DDoS attacks, remote command execution, data harvesting, and stealth techniques to blend malicious traffic within normal HTTP requests. A download link is provided in the post.
Date: 2026-05-05T12:11:36Z
Network: openweb
Published URL: https://demonforums.net/Thread-Athena-HTTP-Botnet-Builder-2026
Screenshots:
None
Threat Actors: theo_bennett88
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged exposure of Gianyar Regency government portal credentials and website defacements
Category: Initial Access
Content: Credentials for sipd.gianyarkab.go.id (Gianyar Regency government portal) were shared in the channel. Additionally, a defacement claim attributed to Mr.PIMZZZXploit lists approximately 20 compromised websites across multiple domains including real estate, news, and educational platforms.
Date: 2026-05-05T12:09:48Z
Network: telegram
Published URL: https://t.me/c/3865526389/809
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Gianyar Regency Government
Victim Site: sipd.gianyarkab.go.id - Sale of Hotmail Combo List
Category: Combo List
Content: A forum post on AE offers 400 allegedly valid Hotmail credentials as a combo list. The credentials are marketed as fresh and are accessible after replying to the thread. No specific breach source or victim organization is identified.
Date: 2026-05-05T12:05:46Z
Network: openweb
Published URL: https://altenens.is/threads/sparkles-400x-fresh-hotmail-valid-sparkles.2934782/unread
Screenshots:
None
Threat Actors: Sellix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of BlackMail mass email marketing platform with inbox bypass and AI-powered campaign tools
Category: Services
Content: A threat actor identified as Lefty is advertising a mass email sending tool called BlackMail on a cybercrime forum. The software is offered for sale starting at $20 (lifetime license) and features inbox bypass across major email providers, multi-system clustering, proxy rotation, SMTP marketplace integration, AI-generated email composition, and a remote web dashboard for campaign management. The tool is marketed for high-volume unsolicited email campaigns with personalization capabilities an
Date: 2026-05-05T12:02:22Z
Network: openweb
Published URL: https://hackforums.net/showthread.php?tid=6163394
Screenshots:
None
Threat Actors: Lefty
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Kualakurun government database
Category: Data Leak
Content: A threat actor operating under the alias MrJupiter claims to have obtained and is freely sharing a database belonging to the Kualakurun government. The post is framed as a politically motivated message directed at government officials, criticizing the handling of citizens personal data. No specific record count or data fields are disclosed in the post.
Date: 2026-05-05T11:56:59Z
Network: openweb
Published URL: https://breached.st/threads/free-kualakurun-government-database.86811/unread
Screenshots:
None
Threat Actors: MrJupiter
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kualakurun Government
Victim Site: Unknown - Alleged data breach of coinpanda.io with hashed user credentials
Category: Data Breach
Content: Threat actor claims breach of coinpanda.io dated 05/05/26. Post includes sample of 14 user accounts hashed with argon1 algorithm, indicating access to user credential database. Actor states full database unhashing process is underway.
Date: 2026-05-05T11:54:10Z
Network: telegram
Published URL: https://t.me/c/3793980891/3299
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Cryptocurrency/Finance
Victim Organization: coinpanda.io
Victim Site: coinpanda.io - Alleged combo list of 1.1 million US credentials
Category: Combo List
Content: A threat actor operating under the alias moser is sharing a combo list purportedly containing 1.1 million US-based credentials, advertised as private. The content is hidden behind a registration or login requirement on the forum, limiting direct verification of the datas scope or validity.
Date: 2026-05-05T11:36:55Z
Network: openweb
Published URL: https://patched.to/Thread-1-1ml-usa-private-298961
Screenshots:
None
Threat Actors: moser
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 182K mixed credentials shared on forum
Category: Combo List
Content: A forum post by user moser on the PT – Combolist forum advertises a mixed combo list containing approximately 182,000 credential pairs, described as private. The content is hidden behind a registration or login wall, limiting further detail on the composition or targeted services.
Date: 2026-05-05T11:36:38Z
Network: openweb
Published URL: https://patched.to/Thread-182k-mix-private-298960
Screenshots:
None
Threat Actors: moser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged valid Hotmail combo list
Category: Combo List
Content: A threat actor using the handle Flexedz is offering a combo list described as valid Hotmail credentials on a cybercrime forum. The content is gated behind registration or login, and no record count or pricing details are disclosed in the visible portion of the post. The credentials are marketed as UHQ and private, suggesting they are presented as high-quality and not previously circulated publicly.
Date: 2026-05-05T11:36:07Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-good-hotmail-valid-private-uhq-05-05-2026
Screenshots:
None
Threat Actors: Flexedz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Mix email combo list shared on cybercrime forum
Category: Combo List
Content: A threat actor on the PT forum shared a mixed email combo list containing approximately 3,670 credential pairs. The content is hidden behind a login/registration wall and requires forum engagement (likes) to access. No specific targeted organization or service is identified.
Date: 2026-05-05T11:35:05Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%A5%F0%9F%94%A5-3670x-mix-mail-%F0%9F%94%A5%F0%9F%94%A5-298967
Screenshots:
None
Threat Actors: NotSellerXd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Kementerian Sosial Republik Indonesia (Indonesian Ministry of Social Affairs)
Category: Data Breach
Content: A user profile mr-hanz-xploit on Breachforums has posted a thread claiming access to a database from Kementerian Sosial Republik Indonesia (Indonesian Ministry of Social Affairs). The breach details are being shared on the Breachforums platform.
Date: 2026-05-05T11:34:38Z
Network: telegram
Published URL: https://t.me/DeepCoreNetwork/84
Screenshots:
None
Threat Actors: mr-hanz-xploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kementerian Sosial Republik Indonesia
Victim Site: Unknown - Sale of fresh mixed combo list on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Nulled07 is advertising a mixed combo list containing 1,680 entries on a cybercrime forum. The credentials are marketed as fresh. The post requires forum registration or login to access the content, suggesting it is gated to verified members.
Date: 2026-05-05T11:34:09Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A11680x-FRESH-MIX-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Nulled07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Combo list of 600 mixed email credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor shared a combo list containing 600 mixed email and password credential pairs, marketed as fresh. The content is hidden behind forum registration or login, suggesting it is distributed to registered members only.
Date: 2026-05-05T11:33:45Z
Network: openweb
Published URL: https://leakforum.io/Thread-%E2%9A%A1%EF%B8%8F600-LINE-MIXMAIL-ONE-CLOUD-%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: ALVIN
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of public servant records from San Luis Potosí, Mexico
Category: Data Leak
Content: A threat actor operating under the alias CC-GuRu has allegedly leaked a database containing sensitive personal and institutional information belonging to public servants in the state of San Luis Potosí, Mexico. The exposed data reportedly includes full names, Unique Population Registry Codes (CURP), and Federal Taxpayer Registry numbers (RFC with homoclave). The post claims the data was made available freely and notes the combination of identity fields poses significant risk for fraud and identi
Date: 2026-05-05T11:32:57Z
Network: openweb
Published URL: https://darkpro.net/threads/database-leak-declaration-mexico-by-carding-forum.23037/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Mexico
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown - Sale of Asacube Android Banking Trojan and Botnet Tool
Category: Malware
Content: A forum post on DemonForums advertises the Asacube Android Banking Botnet (2026), a malware toolkit targeting Android devices with capabilities including banking credential theft via phishing overlays, SMS and OTP interception, remote device control, and financial fraud. The tool is described as combining banking trojan functionality with botnet infrastructure to enable coordinated attacks against mobile banking users. A download link is included alongside a VirusTotal scan reference.
Date: 2026-05-05T11:32:34Z
Network: openweb
Published URL: https://demonforums.net/Thread-Asacube-Android-banking-Botnet-2026
Screenshots:
None
Threat Actors: phoebe_knight46
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged valid Hotmail credential combo list
Category: Logs
Content: A threat actor operating under the alias MegaCloud is sharing a combo list advertised as containing 2,000 fully validated Hotmail credential hits, dated May 5. The post requires forum registration to access the linked content. These credentials represent tested email and password pairs for Hotmail accounts, not a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-05T11:26:08Z
Network: openweb
Published URL: https://xforums.st/threads/2k-full-valid-hotmail-hits-05-05.612257/
Screenshots:
None
Threat Actors: MegaCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Hotmail combo list containing 49,000 credentials
Category: Logs
Content: A threat actor using the handle UniqueCombo shared a combo list on an underground forum advertised as containing 49,000 unique Hotmail credentials. The post is titled Hotmail Unique Combo_1_49000, suggesting the credentials are marketed as unique or deduplicated. No pricing details or additional context were provided in the post content.
Date: 2026-05-05T11:25:33Z
Network: openweb
Published URL: https://xforums.st/threads/hotmail-unique-combo_1_49000.612258/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of four Moroccan organizations (2M, IAM, IRES, HACA)
Category: Data Leak
Content: A threat actor using the handle C1PH3RX shared what is claimed to be email address lists for four well-known Moroccan organizations: television network 2M, telecommunications provider IAM, strategic studies institute IRES, and media regulatory authority HACA. The content is offered as a free download, gated behind forum engagement or account upgrade. No record counts or further data field details were disclosed in the post.
Date: 2026-05-05T11:15:04Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-MOROCCO-4-Moroccan-Companies-2M-IAM-IRES-HACA
Screenshots:
None
Threat Actors: C1PH3RX
Victim Country: Morocco
Victim Industry: Media and Telecommunications
Victim Organization: 2M, IAM, IRES, HACA
Victim Site: 2m.ma, iam.ma, ires.ma, haca.ma - Alleged data leak of email lists from four Moroccan organizations (2M, IAM, IRES, HACA)
Category: Data Leak
Content: A threat actor operating under the alias C1PH3RX has freely shared a collection of email addresses allegedly belonging to four Moroccan organizations: 2M (television network), IAM (telecommunications provider), IRES (strategic studies institute), and HACA (media regulatory authority). The data is made available via an external file-sharing link. No record count or method of acquisition was disclosed in the post.
Date: 2026-05-05T11:14:27Z
Network: openweb
Published URL: https://darkforums.su/Thread-MOROCCO-Email-List-%E2%80%93-4-Moroccan-Companies-2M-IAM-IRES-HACA
Screenshots:
None
Threat Actors: C1PH3RX
Victim Country: Morocco
Victim Industry: Unknown
Victim Organization: 2M, IAM, IRES, HACA
Victim Site: 2m.ma, iam.ma, ires.ma, haca.ma - Sale of alleged 862K shopping-themed combo list targeting Walmart and Amazon
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is advertising a combo list of approximately 862,000 credential pairs purportedly suited for credential stuffing against shopping platforms including Walmart and Amazon. The post claims the lines are private and high-quality, and promotes an associated combo cloud service offering similar datasets. Content is gated behind forum registration or login.
Date: 2026-05-05T11:01:20Z
Network: openweb
Published URL: https://patched.to/Thread-shopping-%E2%8E%9D-862k-shopping%E2%8E%A0%E2%9A%A1100-private-lines%E2%9A%A1high-quality-combo%E2%9A%A1walmart-amazon%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged 503K USA combo list marketed for credential stuffing
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is offering a combo list purportedly containing 503,000 US-based credentials on the Patched.to forum. The list is marketed as a private base suitable for credential stuffing against Reddit, Tinder, Twitter, and other platforms. The actor also advertises an ongoing combo cloud service described as affordable and powered by private data lines.
Date: 2026-05-05T11:00:48Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9A%A1503k-usa-%E2%9A%A1private-base-good-on-reddit-tinder-twitter-and-other-targets%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged high-quality streaming service combo list
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is advertising a combo list of approximately 814,000 credential pairs marketed as suitable for credential stuffing against streaming services including HBO Go, Disney+, and Hulu. The post promotes the list as high-quality and sourced from private lines. The content itself is gated behind forum registration or login, and the actor also advertises an ongoing combo cloud service in their signature.
Date: 2026-05-05T11:00:05Z
Network: openweb
Published URL: https://patched.to/Thread-streaming-%E2%8E%9D-814k-streaming%E2%8E%A0%E2%9A%A1100-private-lines%E2%9A%A1high-quality-combo%E2%9A%A1hbogo-disney-hulu%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged 60,000-record PayPal combo list
Category: Combo List
Content: A forum user operating under the alias capitan911 is sharing a combo list purportedly containing 60,000 credential pairs marketed as valid for PayPal. The content is hidden behind a registration or login gate on the forum. No information about the origin of the credentials or their verification status is provided in the visible post.
Date: 2026-05-05T10:59:34Z
Network: openweb
Published URL: https://patched.to/Thread-legendary-60k-paypal-good-combolist
Screenshots:
None
Threat Actors: capitan911
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Alleged 240K Cryptocurrency and Social Media Targeted Combo List
Category: Combo List
Content: A threat actor identified as capitan911 is offering a combo list of approximately 240,000 credentials allegedly targeted toward cryptocurrency and social media platforms. The list is described as high quality (HQ) and is posted on the Patched.to forum. The actual content is hidden behind a registration or login requirement.
Date: 2026-05-05T10:59:15Z
Network: openweb
Published URL: https://patched.to/Thread-legendary-240k-crypto-social-targeted-hq-combolist
Screenshots:
None
Threat Actors: capitan911
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list targeting Argentina distributed on cybercrime forum
Category: Combo List
Content: A threat actor operating under the handle capitan911 has shared a combo list purportedly containing 280,000 credential pairs associated with Argentine users on a cybercrime forum. The content is gated behind registration or login, limiting direct verification of the claims. The list is marketed as high-quality and fresh, suggesting it may be intended for credential stuffing operations.
Date: 2026-05-05T10:58:55Z
Network: openweb
Published URL: https://patched.to/Thread-legendary-280k-argentina-hq-fresh-combolist
Screenshots:
None
Threat Actors: capitan911
Victim Country: Argentina
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of 7 million URL logs with credentials
Category: Logs
Content: A forum user on PT – Other Leaks is distributing a collection of approximately 7 million URL-log credential pairs. The post is gated behind registration or login, limiting visibility into the full contents or origin of the logs. No specific victim organization or geographic scope is identified.
Date: 2026-05-05T10:58:51Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%907-million-url-log-pass%E2%AD%90
Screenshots:
None
Threat Actors: agha24
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 905,000 France credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias capitan911 has shared a combo list purportedly containing 905,000 credential pairs targeting French users, marketed as UHQ (ultra-high quality) and fresh. The content is hidden behind a registration or login requirement on the forum. No specific breached organization is identified; the list appears to be aggregated credentials intended for credential stuffing.
Date: 2026-05-05T10:58:36Z
Network: openweb
Published URL: https://patched.to/Thread-legendary-905k-france-uhq-fresh-combolist
Screenshots:
None
Threat Actors: capitan911
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of India nationwide identity dataset containing 850 million records
Category: Data Breach
Content: A threat actor on a dark web forum is offering for sale an alleged 109GB dataset claimed to contain 850 million Indian identity records linked to Aadhaar numbers and telecom data. The dataset is advertised as containing full PII including names, fathers names, Aadhaar numbers, full addresses, mobile numbers, alternative mobile numbers, and email addresses. The seller is asking $250 for the dataset and references an unspecified entity named HITEK as the source.
Date: 2026-05-05T10:58:22Z
Network: openweb
Published URL: https://darkpro.net/threads/database-109gb-850m-india-nationwide-identity-dataset-hitek.23031/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: India
Victim Industry: Government
Victim Organization: HITEK
Victim Site: Unknown - Alleged Data Leak of 51.com (xx5-in.com) Chinese Social Network Database
Category: Data Leak
Content: A threat actor on a darknet forum has made available an alleged database dump from 51.com (now xx5-in.com), a Chinese social network, purportedly originating from a 2019 breach. The shared file contains 321,752,993 records including fields such as user email, name, hashed password, ID card number, IP addresses, login history, and geographic data. The poster notes uncertainty about the record count discrepancy relative to previously reported figures of 56.2 million total records.
Date: 2026-05-05T10:58:03Z
Network: openweb
Published URL: https://darkpro.net/threads/database-51-com-xx5-in-com-2019-databreach-321-752-993-records-by-database.23032/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: China
Victim Industry: Social Media
Victim Organization: 51.com
Victim Site: xx5-in.com - Alleged data leak of ICAB-CA Bangladesh chartered accountants database
Category: Data Leak
Content: A threat actor operating under the alias CC-GuRu has shared an alleged database belonging to the Institute of Chartered Accountants of Bangladesh (ICAB), reportedly containing personal data of chartered accountants in Bangladesh. The database was posted on a dark web forum and made available for free download. No record count or specific data fields were disclosed in the post.
Date: 2026-05-05T10:57:46Z
Network: openweb
Published URL: https://darkpro.net/threads/database-icab-ca-of-bangladesh-by-cardigan-forum.23033/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Bangladesh
Victim Industry: Finance
Victim Organization: Institute of Chartered Accountants of Bangladesh (ICAB)
Victim Site: Unknown - Alleged Data Leak of 9Lives.be Belgian Gaming Forum (2014)
Category: Data Leak
Content: A threat actor on a dark web forum has shared a database allegedly obtained from the now-defunct Belgian gaming news forum 9Lives, purportedly stemming from a breach that occurred in October 2014. The leaked dataset contains approximately 109,837 records including usernames, email addresses, and salted MD5 password hashes. The data is being made available as a single CSV file at no stated cost.
Date: 2026-05-05T10:57:28Z
Network: openweb
Published URL: https://darkpro.net/threads/database-9lives-be-databreach-2014-109-837-records.23034/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Belgium
Victim Industry: Media and Entertainment
Victim Organization: 9Lives
Victim Site: 9lives.be - Alleged sale of Australian personal data affecting 438,522 individuals
Category: Data Breach
Content: A threat actor operating under the alias CC-GuRu is offering for sale a dataset purportedly containing 438,522 rows of personal data belonging to Australian individuals. The dataset is provided in CSV format and includes fields such as full name, gender, email address, date of birth, phone number, and physical address. The asking price is $300, and a sample of records is provided in the post to substantiate the claim.
Date: 2026-05-05T10:56:59Z
Network: openweb
Published URL: https://darkpro.net/threads/australia-438k-personal-data-price-300.23035/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Australia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of 151 company databases from multiple organizations worldwide
Category: Data Leak
Content: A threat actor on BreachForums claims to be sharing databases from approximately 151 companies across multiple countries, made available via a hidden download link accessible through the Tor browser. The post does not disclose the specific organizations affected, the nature of the data contained, or the total record count. The content is gated behind forum registration or login, limiting visibility into the actual scope of the leak.
Date: 2026-05-05T10:51:32Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-151-Company-Leak-database-from-world-Leaks
Screenshots:
None
Threat Actors: Data_Center
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Dienstleister für Webshops, 4SELLERS, Opfer eines Cyberangriffs
Category: Cyber Attack
Content: Le prestataire de services 4SELLERS, spécialisé dans les solutions e-commerce allemandes, a été victime dune cyberattaque par rançongiciel (ransomware) en pleine nuit du 30 avril 2026.
Date: 2026-05-05T10:39:18Z
Network: openweb
Published URL: https://borncity.com/blog/2026/05/05/dienstleister-fuer-webshops-4sellers-opfer-eines-cyberangriffs/
Screenshots:
None
Threat Actors:
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: 4SELLERS
Victim Site: 4sellers.de - ALS reports cyber incident but restores most operations – TipRanks.com
Category: Cyber Attack
Content: ALS Limited a révélé avoir détecté une activité cybernétique malveillante impliquant un accès non autorisé à certains de ses systèmes informatiques, provoquant une perturbation temporaire de certaines opérations. Lentreprise a mis en place des mesures de confinement et de remédiation, tout en informant le Centre australien pour la cybersécurité. ALS travaille actuellement à déterminer létendue de la violation et ses impacts potentiels sur les données des clients.
Date: 2026-05-05T10:39:15Z
Network: openweb
Published URL: https://www.tipranks.com/news/company-announcements/als-reports-cyber-incident-but-restores-most-operations
Screenshots:
None
Threat Actors:
Victim Country: Australia
Victim Industry: Unknown
Victim Organization: ALS Limited
Victim Site: alsglobal.com - Alleged data breach of Uniswap (app.uniswap.org) – 33k records
Category: Data Breach
Content: A threat actor claims to have obtained a fresh database dump from app.uniswap.org containing approximately 33,000 records dated from the previous day.
Date: 2026-05-05T10:32:56Z
Network: telegram
Published URL: https://t.me/c/3793980891/3295
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Cryptocurrency/DeFi
Victim Organization: Uniswap
Victim Site: app.uniswap.org - Alleged DDoSia Project Compromise of Austrian Heating Infrastructure – ETA Heiztechnik GmbH Facility
Category: Cyber Attack
Content: DDoSia Project claims successful unauthorized access to heating control systems at an Austrian facility using ETA Heiztechnik GmbH equipment in Hofkirchen. The post includes video evidence allegedly showing full system access including boiler, buffer tank, fans, and temperature controls. The threat actors claim capability to manipulate heating systems and frame the intrusion as political retaliation against Austrian government support for Ukraine. Post includes hashtags referencing retribution and infrastructure targeting.
Date: 2026-05-05T10:28:49Z
Network: telegram
Published URL: https://t.me/c/3087552512/1882
Screenshots:
None
Threat Actors: DDoSia Project
Victim Country: Austria
Victim Industry: Heating/HVAC Manufacturing
Victim Organization: ETA Heiztechnik GmbH
Victim Site: etaheating.com - Alleged unauthorized access to ETA Heiztechnik GmbH heating facility in Austria by DDoSia Project
Category: Cyber Attack
Content: DDoSia Project volunteers claim to have gained full access to a heating facility (boiler, buffer tank, fans, system controls) operated by ETA Heiztechnik GmbH in Hofkirchen, Austria. The post includes video evidence showing control panel access with ability to modify temperatures, standby times, and heating parameters. The attack is framed as retaliation against Austrian government support for Ukraine, with implicit threats to escalate from reconnaissance to actual system manipulation affecting residents.
Date: 2026-05-05T10:26:11Z
Network: telegram
Published URL: https://t.me/c/3087552512/1881
Screenshots:
None
Threat Actors: DDoSia Project
Victim Country: Austria
Victim Industry: HVAC/Heating Systems Manufacturing
Victim Organization: ETA Heiztechnik GmbH
Victim Site: etaheating.com - Sale of Hotmail Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias liamgoat is distributing a combo list advertised as containing approximately 500 high-quality Hotmail email account credentials. The content is gated behind forum registration or login, limiting direct verification of the claims. This list is marketed as valid for mail access, suggesting use in credential stuffing or account takeover activity.
Date: 2026-05-05T10:24:37Z
Network: openweb
Published URL: https://patched.to/Thread-0-5k-hq-hotmail-mail-access-combolist-298938
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged free distribution of South Korea email combo list (Batch 21/100)
Category: Combo List
Content: A threat actor operating under the handle emaildbpro is distributing a free email list allegedly associated with South Korean users, identified as batch 21 of a 100-part series. The content is gated behind forum registration or login, suggesting it is being shared within a restricted community. No specific breached organization or record count is identified in the post.
Date: 2026-05-05T10:24:21Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-free-premium-south-korea-email-list-batch-21-100
Screenshots:
None
Threat Actors: emaildbpro
Victim Country: South Korea
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list with 300 entries
Category: Combo List
Content: A threat actor operating under the alias agha24 is distributing a combo list purportedly containing 300 Hotmail email account credentials. The content is hidden behind a registration or login requirement on the forum. This represents a credential stuffing resource targeting Hotmail accounts, not a breach of the email provider itself.
Date: 2026-05-05T10:23:52Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%90×300-hotmail-mail-access-%E2%AD%90
Screenshots:
None
Threat Actors: agha24
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 1,570 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias ELJOKER1 shared a combo list on the PT forum claiming to contain 1,570 valid Hotmail email account credentials. The post is dated May 5 and markets the credentials as fully valid mail access. The actual content is gated behind forum registration or login.
Date: 2026-05-05T10:23:24Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%E2%9A%9C%EF%B8%8Fx1570-hotmail-mail-access-full-vaild-%E2%9A%9C%EF%B8%8F%E2%9C%A8-05-05
Screenshots:
None
Threat Actors: ELJOKER1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of CoinPanda – user transactions and wallet data leaked
Category: Data Leak
Content: A threat actor claims to have breached CoinPanda and is leaking user transaction data, wallet information, and other sensitive data. The leak is described as in progress, suggesting ongoing data exfiltration.
Date: 2026-05-05T10:23:17Z
Network: telegram
Published URL: https://t.me/c/3793980891/3291
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Cryptocurrency/Finance
Victim Organization: CoinPanda
Victim Site: coinpanda.com - Alleged Hotmail combo list shared on dark web forum
Category: Combo List
Content: A forum user known as klyne05 is sharing a Hotmail email and password combo list described as private and fresh, with access gated behind a like/registration requirement. The credentials are marketed as checked by the poster, suggesting they have been validated against Hotmail accounts.
Date: 2026-05-05T10:21:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1HOTMAIL%E2%9A%A1%E2%9A%A1PRIVATE%E2%9A%A1%E2%9A%A1FRESH%E2%9A%A1%E2%9A%A1CHEKED-BY-klyne05-%E2%9A%A1%E2%9A%A1–202893
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged distribution of BirdCall Android spyware by APT37 (ScarCruft) via sqgame[.]net
Category: Malware
Content: North Korean threat actor APT37, also known as ScarCruft, distributed the Android version of BirdCall spyware through a gaming platform (sqgame[.]net) via malicious APK files. The malware has capabilities including device information collection, audio recording, screenshot capture, and file theft, according to ESET research.
Date: 2026-05-05T10:21:40Z
Network: telegram
Published URL: https://t.me/c/1283513914/21572
Screenshots:
None
Threat Actors: APT37
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: sqgame[.]net - Alleged data breach of Coinpanda cryptocurrency platform with user PII exposure
Category: Data Breach
Content: Threat actor claims to be actively dumping data from coinpanda.io onto their servers. Post includes exposed user information including name, email, country, currency preferences, timezone, and wallet/transaction counts. At least one user record (Raphael Lipka) is provided as proof of breach. Actor claims breach was conducted at clients request.
Date: 2026-05-05T10:18:53Z
Network: telegram
Published URL: https://t.me/c/3793980891/3288
Screenshots:
None
Threat Actors: Unknown
Victim Country: Unknown
Victim Industry: Cryptocurrency/Finance
Victim Organization: Coinpanda
Victim Site: coinpanda.io - Alleged data breach of Edge.App cryptocurrency platform – 330,000 records for sale
Category: Data Breach
Content: Threat actor claims to have compromised Edge.App cryptocurrency platform and obtained 330,000 database records. The data is being offered for sale at $2,600 with claims of exclusivity (only one copy available).
Date: 2026-05-05T10:13:20Z
Network: telegram
Published URL: https://t.me/c/3793980891/3286
Screenshots:
None
Threat Actors: Unknown
Victim Country: Unknown
Victim Industry: Cryptocurrency/Financial Services
Victim Organization: Edge.App
Victim Site: edge.app - Alleged global resume document data leak affecting users across 200+ countries
Category: Data Leak
Content: A threat actor operating under the alias attackercompany has freely shared a dataset purportedly containing resume and profile records spanning over 200 countries, with the largest concentrations from France (11,480), the Philippines (5,098), the United Kingdom (4,105), the United States (3,848), and Germany (2,773). The sample data includes fields such as full name, address, city, postal code, phone number, customer ID, subscription ID, account role, and country code, suggesting the data orig
Date: 2026-05-05T10:09:53Z
Network: openweb
Published URL: https://breached.st/threads/police-car-light-resume-docs-data-leak-across-globally-flag-france-fr-flag-philippines-ph-flag-united-kingdom-gb-flag-united-states-us-flag-germany-de.86809/unread
Screenshots:
None
Threat Actors: attackercompany
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Kementerian Sosial Republik Indonesia (Indonesian Ministry of Social Affairs)
Category: Data Leak
Content: A threat actor operating under the alias Mr. Hanz Xploit claims to have obtained and shared a database belonging to the Indonesian Ministry of Social Affairs. The post includes a sample and code section, though specific record counts and data field details are not provided. The content is posted on the Breached forums database section, suggesting a free leak rather than a sale.
Date: 2026-05-05T10:09:20Z
Network: openweb
Published URL: https://breached.st/threads/database-kementerian-sosial-republik-indonesia.86810/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kementerian Sosial Republik Indonesia (Ministry of Social Affairs of the Republic of Indonesia)
Victim Site: Unknown - Sale of Hotmail combo list with 331 alleged valid credentials
Category: Combo List
Content: A threat actor on the forum Patched is offering a combo list of 331 alleged valid Hotmail credentials, marketed as ultra-high quality (UHQ). The content is hidden behind a registration or login requirement, limiting visibility into the specific data fields or format included.
Date: 2026-05-05T09:46:57Z
Network: openweb
Published URL: https://patched.to/Thread-331x-uhq-valid-hotmial
Screenshots:
None
Threat Actors: randiman11
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list marketed for Supercell, PSN, and Xbox credential stuffing
Category: Combo List
Content: A threat actor operating under the alias baguja1472 is distributing a combo list of approximately 3,200 Hotmail credentials, described as unverified valid hits with full capture. The list is marketed as suitable for credential stuffing against Supercell, PlayStation Network (PSN), and Xbox platforms. The content is gated behind forum registration or login, and the post is sponsored by the actors own combo and cloud service.
Date: 2026-05-05T09:46:38Z
Network: openweb
Published URL: https://patched.to/Thread-royal-%E2%9C%A8%E2%8E%9D3-2k-hotmail-valids-%E2%8E%A0%E2%9C%A8%E2%9C%85unraped-full-capture-%E2%9C%85%E2%9A%A1supercell-psn-xbox%E2%9A%A1
Screenshots:
None
Threat Actors: baguja1472
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Hotmail credential combo list distributed on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Psyho70244 shared a combo list on a cybercrime forum advertised as containing 2,014 Hotmail premium hits. The content is hidden behind a registration or login wall, limiting direct verification. The credentials are marketed as high-quality and appear intended for credential stuffing or account takeover use against Hotmail accounts.
Date: 2026-05-05T09:46:07Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%AD%902014x-hotmail-premium-hits%E2%9C%85%E2%AD%90
Screenshots:
None
Threat Actors: Psyho70244
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of Take-A-Break by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor known as DimasHxR defaced a page on the Mexican website take-a-break.com.mx, targeting the file /b.html. The attack was carried out as a solo operation with no affiliated team, and was not classified as a mass or home page defacement. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-05-05T09:43:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917636
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Mexico
Victim Industry: Leisure / Travel
Victim Organization: Take-A-Break
Victim Site: take-a-break.com.mx - Request for DMCA-Resistant File Hosting Service
Category: Services
Content: A forum user is seeking a file hosting and sharing service that ignores DMCA takedown requests, citing removal of PC game mod download links on platforms such as Buzzheavier, Modsfire, and FileDitch. The post does not involve a breach, data leak, or malicious tooling, but reflects interest in bulletproof or abuse-tolerant hosting for copyright-sensitive content distribution.
Date: 2026-05-05T09:42:49Z
Network: openweb
Published URL: https://hackforums.net/showthread.php?tid=6314757
Screenshots:
None
Threat Actors: Tʏʟᴇʀ
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of RC Globetrotters by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor identified as DimasHxR defaced a page on rcglobetrotters.org, targeting the file /b.html. The attack was a singular, non-mass defacement with no affiliation to a known hacking team. Technical details such as the server OS, IP address, and attack vector remain unknown.
Date: 2026-05-05T09:41:34Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917638
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Sports / Recreation
Victim Organization: RC Globetrotters
Victim Site: rcglobetrotters.org - Sale of stolen payment cards, fullz, dumps, and financial transfer services by threat actor MNC
Category: Carding
Content: A threat actor operating under the alias MNC is advertising a range of carding and fraud services on the AE – Cracking Tools forum, including the sale of stolen credit cards (CVV/CCV) for multiple countries, dumps with Track 1/2 and PIN, full identity information (Fullz) including SSN and drivers license data, compromised PayPal and internet accounts, and RBC logs for Canada. The actor also offers Western Union and Bitcoin money transfer and exchange services, accepting payment via Bitcoin, Mon
Date: 2026-05-05T09:41:21Z
Network: openweb
Published URL: https://altenens.is/threads/my-name-mnc-im-30-years-old-i-have-service-online-and-im-looking-for-good-buyer-to-work-together-for-long-im-a-hacker-and-legit-businessman-i.2934715/unread
Screenshots:
None
Threat Actors: Vegel
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of SaldosUSA by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor identified as DimasHxR defaced a page on the website saldosusa.us, targeting the URL www.saldosusa.us/b.html. The attack was a single-page defacement, not classified as a mass or home page defacement. No specific motive, team affiliation, or server details were disclosed in association with this incident.
Date: 2026-05-05T09:39:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917637
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: E-Commerce / Retail
Victim Organization: SaldosUSA
Victim Site: www.saldosusa.us - Alleged data breach of Teespring Canada
Category: Data Breach
Content: A forum post on BreachForums references a Teespring Canada dataset. No post content is available to confirm the nature, scope, or authenticity of the alleged breach.
Date: 2026-05-05T09:38:15Z
Network: openweb
Published URL: https://breachforums.rs/Thread-teespring-CANADA
Screenshots:
None
Threat Actors: courtika
Victim Country: Canada
Victim Industry: Retail
Victim Organization: Teespring
Victim Site: teespring.com - Alleged Data Breach of Ukraine Citizen Database
Category: Data Breach
Content: A threat actor on BreachForums is offering for sale an alleged database of Ukrainian citizens, claimed to contain 8.5 million records including full names, dates of birth, and phone numbers, with approximately 500,000 entries also including birth dates. The seller is asking $200 and provides a Telegram handle for contact. No specific breached organization or source is identified.
Date: 2026-05-05T09:34:28Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-2026-Ukraine-Citizen-Database
Screenshots:
None
Threat Actors: Darkode1
Victim Country: Ukraine
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of JTI Corporations by DimasHxR
Category: Defacement
Content: On May 5, 2026, threat actor DimasHxR defaced a page on jticorporations.com, targeting the file b.html. The attack was carried out as an individual defacement rather than a mass or home page defacement, with no stated motivation or team affiliation recorded.
Date: 2026-05-05T09:33:32Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917630
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Corporate/Business
Victim Organization: JTI Corporations
Victim Site: jticorporations.com - Website Defacement of Kokua Life by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor identified as DimasHxR defaced a page on kokualife.org, a website associated with a health or wellness-oriented organization. The defacement targeted a specific subpage (b.html) rather than the homepage and was not conducted as part of a mass defacement campaign. No team affiliation, motive, or technical details regarding the server were disclosed.
Date: 2026-05-05T09:32:29Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917631
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Non-Profit / Health & Wellness
Victim Organization: Kokua Life
Victim Site: kokualife.org - Website Defacement of STM Tech by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor operating under the alias DimasHxR defaced a page on the Indian technology website stmtech.in. The attacker targeted a specific subpage (b.html) rather than the sites homepage, indicating a selective defacement. No team affiliation, stated motive, or technical details regarding the server or exploitation method were disclosed.
Date: 2026-05-05T09:31:23Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917635
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: India
Victim Industry: Technology
Victim Organization: STM Tech
Victim Site: stmtech.in - Website Defacement of West Acupuncture by DimasHxR
Category: Defacement
Content: On May 5, 2026, the attacker DimasHxR defaced a subpage of west-acupuncture.com, a website associated with an acupuncture healthcare provider. The incident was a targeted single-page defacement with no team affiliation reported. No specific motivation or technical details regarding the server environment were disclosed.
Date: 2026-05-05T09:29:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917632
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Healthcare / Alternative Medicine
Victim Organization: West Acupuncture
Victim Site: west-acupuncture.com - Website Defacement of mcperu.pe by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor known as DimasHxR defaced a page on the Peruvian website mcperu.pe, targeting a file within the WordPress content directory. The attacker operated without an affiliated team and the incident was a targeted single-site defacement rather than a mass or repeated attack. No specific motive or server details were disclosed in connection with this intrusion.
Date: 2026-05-05T09:28:17Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917634
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Peru
Victim Industry: Unknown
Victim Organization: MC Peru
Victim Site: mcperu.pe - Sale of Vidar Stealer logs targeting UK Windows 10 Enterprise users
Category: Logs
Content: A threat actor on a dark web forum is offering 5,000 Vidar Stealer log files reportedly collected from UK-based Windows 10 Enterprise (21H2) systems running Chrome 122.x. The logs are advertised as containing credentials and cookies. The content is hosted on a Tor-based infrastructure and requires account access or a reply to retrieve.
Date: 2026-05-05T09:26:35Z
Network: openweb
Published URL: https://darkforums.su/Thread-ULP-Vidar-Stealer-5000-logs-UK-Windows-10-Enterprise
Screenshots:
None
Threat Actors: BigTuna
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of iwl.hk financial services platform
Category: Data Breach
Content: A threat actor operating under the alias Tamnaamm is selling a database allegedly stolen from iwl.hk, a Hong Kong-based cross-border remittance and micropayment services company. The purported dataset contains over 14,500 records including personal user information (names, dates of birth, phone numbers, email addresses, physical addresses), bank account details such as IBAN numbers and BIC/SWIFT codes, and identification documents including passports and ID cards. Sample SQL INSERT statements
Date: 2026-05-05T09:25:19Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-iwl-hk-Financial-Services
Screenshots:
None
Threat Actors: Tamnaamm
Victim Country: China
Victim Industry: Finance
Victim Organization: iwl.hk
Victim Site: iwl.hk - Sale of alleged ECOMMPAY source code and backend infrastructure
Category: Data Breach
Content: A threat actor on a dark web forum is selling what they claim to be the entire backend infrastructure of ECOMMPAY, a global payment service provider. The offering allegedly includes 100+ microservices, 600+ payment integrations, PSP architecture, transaction ledger and audit data, and an initial database with all tables and data. The seller is asking 300 XMR via escrow for approximately 40GB of data.
Date: 2026-05-05T09:24:44Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-ECOMMPAY-COM-Payment-provider-entire-Backend-2026
Screenshots:
None
Threat Actors: mritcat
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: ECOMMPAY
Victim Site: ecommpay.com - Alleged data breach of Social Democratic Party of Germany (SPD)
Category: Data Breach
Content: A threat actor claims to have obtained over 200,000 email addresses belonging to members or contacts of the Social Democratic Party of Germany (SPD). The data is being offered via private message on a dark web forum. No price or additional data fields were disclosed in the public post.
Date: 2026-05-05T09:22:42Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Social-Democratic-Party-of-Germany-SPD-Data-Breach
Screenshots:
None
Threat Actors: awedlocust7
Victim Country: Germany
Victim Industry: Government
Victim Organization: Social Democratic Party of Germany (SPD)
Victim Site: spd.de - Website Defacement of diegodelacruz.com by DimasHxR
Category: Defacement
Content: On May 5, 2026, the website diegodelacruz.com was defaced by a threat actor operating under the alias DimasHxR. The attacker targeted a specific page (b.html) rather than the homepage, indicating a targeted subpage defacement. No team affiliation, stated motive, or technical details about the compromised server were disclosed.
Date: 2026-05-05T09:22:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917627
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Diego de la Cruz
Victim Site: diegodelacruz.com - Website Defacement of Dreamland Park by DimasHxR
Category: Defacement
Content: On May 5, 2026, the website dreamlandpark.es was defaced by a threat actor operating under the alias DimasHxR, acting independently without team affiliation. The attacker placed a defacement file at dreamlandpark.es/readme.txt, targeting what appears to be a Spanish entertainment or amusement park organization. No specific motive, proof of concept, or additional technical details were disclosed in relation to this incident.
Date: 2026-05-05T09:19:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917628
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Spain
Victim Industry: Entertainment / Recreation
Victim Organization: Dreamland Park
Victim Site: dreamlandpark.es - Alleged data breach of Canvas educational platform by ShinyHunters
Category: Data Breach
Content: ShinyHunters claimed responsibility for a cyberattack against an educational company in the United States that provides the Canvas platform. The breach allegedly exposed user information including names, emails, and messages. The company responded by closing suspicious access points and increasing security measures.
Date: 2026-05-05T09:16:35Z
Network: telegram
Published URL: https://t.me/c/1283513914/21570
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Education/EdTech
Victim Organization: Canvas (educational platform provider)
Victim Site: Unknown - Website Defacement of 3PattiUnionGame by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor identified as DimasHxR defaced a file on the domain 3pattiuniongame.com, an online card gaming platform. The defacement targeted a specific file path rather than the site homepage, indicating a targeted file-level intrusion. No team affiliation, stated motive, or technical details regarding the server environment were disclosed.
Date: 2026-05-05T09:13:03Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917615
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Online Gaming / Gambling
Victim Organization: 3 Patti Union Game
Victim Site: 3pattiuniongame.com - Sale of initial access to undisclosed Indian telecommunications provider following alleged infrastructure compromise
Category: Initial Access
Content: A threat actor claims to have breached the internal network of a major Indian telecommunications company, exploiting an unauthenticated VNC vulnerability and a file transfer protocol server vulnerability to gain access to critical infrastructure and a UNIX-based server containing over 200 gigabytes of data. The actor alleges that industrial systems including cooling controls and safety systems were disrupted, and that DNS, email, and firewall infrastructure were compromised. The actor is offerin
Date: 2026-05-05T09:12:32Z
Network: openweb
Published URL: https://pwnforums.st/Thread-COLLECTION-Telecommunications-company-The-internal-network-Breached
Screenshots:
None
Threat Actors: blacknet00
Victim Country: India
Victim Industry: Telecommunications
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of pkrwin.net by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor identified as DimasHxR defaced a file on pkrwin.net, a domain associated with online gaming or gambling services. The defacement targeted a specific text file (d.txt) rather than the homepage, suggesting a partial or targeted file compromise. No team affiliation, stated motive, or technical details regarding the attack vector were disclosed.
Date: 2026-05-05T09:11:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917625
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Gaming/Gambling
Victim Organization: PKR Win
Victim Site: pkrwin.net - Website Defacement of jj804game.org by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor operating under the alias DimasHxR defaced the website jj804game.org, targeting a file at the path /d.txt. The attack was carried out as a solo operation with no affiliated team, and the incident was neither a mass defacement nor a redefacement. Technical details such as server software and IP address remain unknown.
Date: 2026-05-05T09:10:33Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917621
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Gaming / Entertainment
Victim Organization: JJ804 Game
Victim Site: jj804game.org - Website Defacement of match777game.com by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor identified as DimasHxR defaced the website match777game.com, targeting a file at the path /d.txt. The attacker operated independently without affiliation to a known group or team. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-05-05T09:08:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917623
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Gaming / Entertainment
Victim Organization: Match777 Game
Victim Site: match777game.com - Website Defacement of VSP777Games by DimasHxR
Category: Defacement
Content: On May 5, 2026, a threat actor operating under the alias DimasHxR defaced the website vsp777games.com, targeting a file path (d.txt) on the server. The attack was an individual defacement, not part of a mass or coordinated campaign. No specific motivation or technical details regarding the server environment were disclosed.
Date: 2026-05-05T09:07:55Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917626
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Gaming / Online Entertainment
Victim Organization: VSP777 Games
Victim Site: vsp777games.com - Alleged infiltration and document theft from Institute for National Security Studies (INSS) by Handala
Category: Data Breach
Content: Threat actor Handala claims to have conducted a years-long infiltration of the Institute for National Security Studies (INSS) in Israel, including physical breach on April 22, 2025, theft of classified documents from sublevel -2, access to surveillance footage, monitoring of senior intelligence officials from Mossad, Shin Bet, and Aman, and recording of confidential Zoom meetings. The post includes a photo and archive link as alleged evidence.
Date: 2026-05-05T09:07:37Z
Network: telegram
Published URL: https://t.me/c/3686754935/95
Screenshots:
None
Threat Actors: Handala
Victim Country: Israel
Victim Industry: Government/National Security
Victim Organization: Institute for National Security Studies (INSS)
Victim Site: Unknown - Free distribution of URL:Log:Pass combo list with over 8 million lines
Category: Combo List
Content: A threat actor operating under the alias lexityfr shared a free combo list advertised as containing over 8 million URL:Log:Pass credential pairs, designated as part 318 of an ongoing series. The content is gated behind forum registration or login. No specific victim organization or breach source is identified in the post.
Date: 2026-05-05T09:03:36Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-url-log-pass-free-best-lines-8-million-lines-part-318
Screenshots:
None
Threat Actors: lexityfr
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 49,000+ Pakistan email:password credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor known as CobraEgy has shared a combo list containing over 49,000 email and password pairs purportedly associated with Pakistani users. The credentials are marketed as fresh and high quality. Access to the content is restricted to registered forum members, with an additional Telegram channel referenced for further combolists.
Date: 2026-05-05T09:02:28Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-49-K-%E2%9C%A6-Pakistan-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Pakistan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Pakistan-based email credentials
Category: Combo List
Content: A threat actor operating under the handle Maxleak has shared a combo list purportedly containing approximately 49,000 email and password pairs associated with Pakistan. The credentials are marketed as fresh and high quality, with a stated date of May 5, 2026. The content is accessible to registered forum members only.
Date: 2026-05-05T09:02:21Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-49-K-%E2%9C%A6-Pakistan-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Pakistan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list distribution targeting Montenegro-associated email credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy shared a combo list purportedly containing over 52,000 email and password pairs associated with Montenegro. The credentials are marketed as fresh and high quality, with access restricted to registered forum members. The post also references a Telegram channel for additional combolist distribution.
Date: 2026-05-05T09:02:06Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-52-K-%E2%9C%A6-Montenegro-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Montenegro
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list distribution targeting Montenegro-based email credentials
Category: Combo List
Content: A threat actor operating under the alias Maxleak is sharing a combo list purportedly containing over 52,000 email and password pairs associated with Montenegro. The credentials are marketed as fresh and high quality, with a stated date of May 5, 2026. The content is gated behind forum registration or login.
Date: 2026-05-05T09:01:57Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-52-K-%E2%9C%A6-Montenegro-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Montenegro
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list targeting New Zealand email accounts shared on leak forum
Category: Combo List
Content: A threat actor operating under the alias Maxleak has shared a combo list on a leak forum containing approximately 26,000 email and password pairs attributed to New Zealand accounts. The credentials are marketed as fresh and high quality, with a stated date of May 5, 2026. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-05T09:01:35Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-26-K-%E2%9C%A6-New-Zealand-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: New Zealand
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 26,000+ New Zealand email and password credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has shared a combo list containing over 26,000 email and password pairs purportedly associated with New Zealand users on a cybercrime forum. The credentials are marketed as fresh and high quality. The post directs users to a Telegram channel for additional combolists.
Date: 2026-05-05T09:01:31Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-26-K-%E2%9C%A6-New-Zealand-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: New Zealand
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Norwegian email and password credentials
Category: Combo List
Content: A threat actor operating under the alias Maxleak has shared a combo list purportedly containing over 23,000 email and password pairs associated with Norwegian users. The credentials are marketed as fresh and high quality, with a stated date of May 5, 2026. The content is gated behind forum registration or login, consistent with standard combolist distribution practices on leak forums.
Date: 2026-05-05T09:01:11Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-23-K-%E2%9C%A6-Norway-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Norway
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Norwegian email and password credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has shared a combo list containing approximately 23,000 email and password pairs purportedly associated with Norwegian users. The credentials are marketed as fresh and high quality. The post directs users to a Telegram channel for additional combolists.
Date: 2026-05-05T09:01:01Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-23-K-%E2%9C%A6-Norway-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Norway
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Netherlands email and password credentials
Category: Combo List
Content: A threat actor operating under the alias Maxleak has shared a combo list purportedly containing over 394,000 email and password pairs attributed to Netherlands-based accounts. The credentials are marketed as fresh and high quality, with a stated date of 5 May 2026. The content is gated behind forum registration or login.
Date: 2026-05-05T09:00:19Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-394-K-%E2%9C%A6-Netherlands-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Netherlands
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Nigerian email and password credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has shared a combo list purportedly containing over 16,000 email and password pairs associated with Nigerian users. The credentials are marketed as fresh and high quality. The post directs users to a Telegram channel for additional combolists.
Date: 2026-05-05T09:00:14Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-16-K-%E2%9C%A6-Nigeria-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Nigeria
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Nepal email and password credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy is sharing a combo list purportedly containing over 10,000 email and password credential pairs associated with Nepal. The credentials are marketed as fresh and high quality, dated 5-5-2026. The post directs users to a Telegram channel for additional combolists.
Date: 2026-05-05T08:59:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-10-K-%E2%9C%A6-Nepal-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-5-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Nepal
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of 50,000 Luxembourg B2B records
Category: Data Leak
Content: A threat actor operating under the alias courtika shared a file via MediaFire purportedly containing 50,000 business-to-business (B2B) records associated with Luxembourg. No specific organization or industry is identified in the post, and no price is mentioned, indicating a free release.
Date: 2026-05-05T08:59:00Z
Network: openweb
Published URL: https://breachforums.rs/Thread-50K-LUXEMBOUR-B2B
Screenshots:
None
Threat Actors: courtika
Victim Country: Luxembourg
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of B2B US dataset
Category: Data Leak
Content: A threat actor using the handle courtika shared a CSV file purportedly containing B2B (business-to-business) data related to US entities via a MediaFire link. No specific victim organization, record count, or data fields were disclosed in the post. The file appears to have been made available for free download on BreachForums.
Date: 2026-05-05T08:57:24Z
Network: openweb
Published URL: https://breachforums.rs/Thread-B2B-US
Screenshots:
None
Threat Actors: courtika
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Quebec restaurant and hotel customers
Category: Data Leak
Content: A threat actor on BreachForums shared a file purportedly containing customer data from restaurants and hotels in Quebec, Canada. The data is being made available via a MediaFire link in CSV format. No specific organization or record count was identified in the post.
Date: 2026-05-05T08:55:48Z
Network: openweb
Published URL: https://breachforums.rs/Thread-QUEBEC-RESTO-HOTEL-CUSTMERS
Screenshots:
None
Threat Actors: courtika
Victim Country: Canada
Victim Industry: Hospitality
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of 首航高科能源技术股份有限公司 (Shouhang Hi-Tech Energy Technology) by threat actor SnowSoul
Category: Data Leak
Content: Threat actor group SnowSoul (ID-1309) has publicly leaked internal documents allegedly belonging to 首航高科能源技术股份有限公司天津分公司 (Shouhang Hi-Tech Energy Technology Tianjin Branch), citing refusal to pay 1,000 USDT. The leaked archive (19.70 MB) includes procurement request forms, invoices, fixed asset records, supplier ledgers, and engineering-related files. The files were made available via the file-hosting platform qu.ax.
Date: 2026-05-05T08:44:20Z
Network: openweb
Published URL: https://breached.st/threads/chinese-data-zhong-guo-shu-ju-snowsoul-id-1309.86807/unread
Screenshots:
None
Threat Actors: 元帅*
Victim Country: China
Victim Industry: Energy
Victim Organization: 首航高科能源技术股份有限公司 (Shouhang Hi-Tech Energy Technology Co., Ltd.)
Victim Site: Unknown - Alleged cryptocurrency fraud and payment facilitation scheme
Category: Cyber Attack
Content: Multiple threat actors operating in Squad Chat Marketplace soliciting assistance to purchase USDT cryptocurrency at inflated rates (10-20% above market price) while claiming inability to purchase due to Chinese policy restrictions. Scheme involves transferring funds first with promises of long-term partnership, classic advance-fee fraud indicators. Operators using Telegram handles for coordination.
Date: 2026-05-05T08:36:13Z
Network: telegram
Published URL: https://t.me/c/2613583520/75885
Screenshots:
None
Threat Actors: Levan
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of 4VPS
Category: Data Breach
Content: A threat actor operating under the alias blv claims to be selling data obtained from an infrastructure-wide breach of 4VPS, a virtual private server provider. The actor alleges that all client data was exposed and is offering the dataset for 20,000 USD payable in Bitcoin. Contact is offered via Tox ID for sample requests.
Date: 2026-05-05T08:21:34Z
Network: openweb
Published URL: https://nulledbb.com/thread-4VPS-Breach-sensitive-information-compromised
Screenshots:
None
Threat Actors: blv
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: 4VPS
Victim Site: 4vps.su - Sale of malware toolkit bundle including crypters, keyloggers, RATs, and stealers
Category: Malware
Content: A threat actor on a cracking forum is distributing a bundle of 94 malware development tools described as a 94-in-1 Hacking Tools Pack 2026, including crypters, binders, keyloggers, password stealers, RATs, loaders, and obfuscators. The pack is advertised as suitable for creating FUD payloads, running botnet operations, and conducting surveillance. The bundle is made available via Mediafire and marketed toward beginner and intermediate threat actors.
Date: 2026-05-05T08:21:29Z
Network: openweb
Published URL: https://nulledbb.com/thread-94-Hack-Pack-of-Crypters-Binders-Keyloggers-2026
Screenshots:
None
Threat Actors: NeovixPro
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Distribution of Hotmail credential combo list on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias alphacloud shared a combo list of 1,616 alleged Hotmail credential hits on a cybercrime forum. The post describes the credentials as premium and sourced from a private cloud with mixed mail types. The actor directs interested parties to a Telegram handle for further access.
Date: 2026-05-05T08:19:41Z
Network: openweb
Published URL: https://altenens.is/threads/snowflakesnowflake-1616x-premium-hotmail-hits-snowflakesnowflake.2934681/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - San Diego Community College District fighting major cyberattack
Category: Cyber Attack
Content: The San Diego Community College District is currently facing a major cyberattack that began on Saturday, causing certain digital services such as email and enrollment platforms to go offline. Although all campuses remain open and the majority of classes continue, some ancillary operations are affected. The district states that despite the incident, no data has been compromised and is maintaining communication with students via various platforms.
Date: 2026-05-05T08:09:06Z
Network: openweb
Published URL: https://www.sandiegouniontribune.com/2026/05/04/san-diego-community-college-district-fighting-major-cyber-attack/
Screenshots:
None
Threat Actors:
Victim Country: United States
Victim Industry: Unknown
Victim Organization: San Diego Community College District
Victim Site: sdccd.edu - San Diego Community College District fighting major cyberattack
Category: Cyber Attack
Content: Le District des Collèges Communautaires de San Diego est actuellement confronté à une cyberattaque majeure débutée samedi, entraînant la mise hors ligne de certains services numériques tels que le-mail et les plateformes dinscription. Bien que tous les campus restent ouverts et la majorité des cours se poursuivent, certaines opérations annexes sont affectées. Le district assure que malgré lincident, aucune donnée na été compromise et maintient la communication avec les étudiants via diverses plateformes.
Date: 2026-05-05T08:09:04Z
Network: openweb
Published URL: https://www.sandiegouniontribune.com/2026/05/04/san-diego-community-college-district-fighting-major-cyber-attack/
Screenshots:
None
Threat Actors:
Victim Country: United States
Victim Industry: Unknown
Victim Organization: San Diego Community College District
Victim Site: sdccd.edu - Alleged sale of compromised email account access to multiple platforms
Category: Initial Access
Content: Threat actor offering for sale valid, fresh compromised email account access to multiple platforms and services including Hotmail, Yahoo, AT&T, cloud services, and various retail/social platforms (Kleinanzeigen, Walmart, Reddit, eBay, Uber, Marriott, Poshmark, Grailed, Vinted). Advertises top quality and unrape quality access with targeting capabilities available.
Date: 2026-05-05T08:00:30Z
Network: telegram
Published URL: https://t.me/c/2613583520/75875
Screenshots:
None
Threat Actors: Yuze
Victim Country: United States, United Kingdom, Canada
Victim Industry: Multiple (cloud services, retail, social media, travel, financial)
Victim Organization: Unknown
Victim Site: Unknown - Alleged Data Leak of Kimyo International University in Tashkent
Category: Data Leak
Content: A threat actor operating under the handle hackerxyx claims to have breached the internal systems of Kimyo International University in Tashkent and is freely distributing a sample dataset of over 10,000 records. The leaked data allegedly includes passport details, student and teacher login credentials, and student selfie photos. The actor states no price is being sought and characterizes the release as a warning to Uzbek institutions, with promises of additional data to follow.
Date: 2026-05-05T07:39:12Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-Uzbekistan-KIUT-%C2%A0Kimyo-International-University-in-Tashkent-Database-Leaked
Screenshots:
None
Threat Actors: hackerxyx
Victim Country: Uzbekistan
Victim Industry: Education
Victim Organization: Kimyo International University in Tashkent
Victim Site: kiut.uz - Alleged sale of Hotmail and e-commerce credential combolists across multiple countries
Category: Combo List
Content: Seller Wěilóng is offering private cloud Hotmail UHQ (Ultra High Quality) credential combolists and combo lists for multiple countries (DE, FR, IT, BR, UK, US, JP, PL, RU, ES, NL, MX, CA, SG) as well as credentials for Kleinanzeigen, eBay, Reddit, Poshmark, Depop, Walmart, and Amazon. Seller claims ability to verify credentials by keyword and is seeking serious buyers only.
Date: 2026-05-05T07:38:36Z
Network: telegram
Published URL: https://t.me/c/2613583520/75850
Screenshots:
None
Threat Actors: Wěilóng
Victim Country: Multiple (Germany, France, Italy, Brazil, United Kingdom, United States, Japan, Poland, Russia, Spain, Netherlands, Mexico, Canada, Singapore)
Victim Industry: Technology, E-commerce
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Hotmail credentials shared on underground forum
Category: Combo List
Content: A threat actor identified as @Stevee36 and posted by forum user erwinn91 shared a combo list advertised as containing 2,505 high-quality Hotmail credentials on the DemonForums combolist section. The content is hidden behind a registration or login requirement, limiting direct verification of the data. This is a credential stuffing list targeting Hotmail accounts and does not represent a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-05T07:09:55Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2505-HQ-Hotmail-%E2%9A%A1%E2%9A%A1-BY-Stevee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of ULP combo list (11GB)
Category: Logs
Content: A threat actor operating under the alias themaster12 shared what is described as an 11GB ULP (URL:Login:Password) combo list on BreachForums. The post contains no additional details regarding the origin, targeted services, or verification status of the credentials. The dataset appears to be a second version of a previously distributed combo list.
Date: 2026-05-05T07:05:47Z
Network: openweb
Published URL: https://breachforums.rs/Thread-11gb-ULP-v2
Screenshots:
None
Threat Actors: themaster12
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Data Leak of Kepolisian Negara Republik Indonesia (Indonesian National Police)
Category: Data Leak
Content: A threat actor operating under the alias JAX7 posted a thread on a known breach forum claiming to leak data attributed to the Indonesian National Police (Kepolisian Negara Republik Indonesia). The post references a sample, a download link, and attachments, though specific details regarding record count and data fields are not provided in the available content. The nature and authenticity of the alleged data have not been independently verified.
Date: 2026-05-05T06:55:26Z
Network: openweb
Published URL: https://breached.st/threads/data-kepolisian-negara-republik-indonesia.86805/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kepolisian Negara Republik Indonesia (Indonesian National Police)
Victim Site: Unknown - Alleged data breach of Kepolisian Negara Republik Indonesia (Indonesian National Police)
Category: Data Breach
Content: User JAX7 posted on Breachforums regarding a data breach affecting Kepolisian Negara Republik Indonesia (the national police force of Indonesia). The breach thread indicates stolen police data has been made available on the forum.
Date: 2026-05-05T06:38:20Z
Network: telegram
Published URL: https://t.me/byjax7/504
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Law Enforcement
Victim Organization: Kepolisian Negara Republik Indonesia
Victim Site: Unknown - Alleged sale of credit card fullz and random card data
Category: Combo List
Content: Threat actor operating as xiaoyuenans shop is advertising the sale of credit card fullz (complete card information) and random card data at $6-8 per piece, with minimum purchase of 6 pieces. Contact via Telegram @vklmaythangcho for main account transactions.
Date: 2026-05-05T06:32:16Z
Network: telegram
Published URL: https://t.me/vklmtc/169
Screenshots:
None
Threat Actors: xiaoyuenans shop
Victim Country: Unknown
Victim Industry: Financial/Banking
Victim Organization: Unknown
Victim Site: Unknown - Alleged free distribution of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias mrglitchxxxx shared a combo list purportedly containing 1,653 Hotmail credentials, marketed as fresh. The content is hosted behind a hidden link requiring forum registration or login to access. The post encourages likes and reputation in exchange for the free leak.
Date: 2026-05-05T06:31:57Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1653-fresh-hotmails-by-glitch
Screenshots:
None
Threat Actors: mrglitchxxxx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of email credential combos (Hotmail, Yahoo, Mail) with cookies and access
Category: Combo List
Content: Seller _emanthy is offering combos containing email credentials (Email+Pass+Cookies) for Hotmail, Yahoo, and Mail providers with valid access. Targets include major platforms: Amazon, Facebook, eBay, PayPal, and Kleinanzeigen. Seller offers various geographic bases (EU, USA, MIX, Germany, CORP) and cloud access by week/month. Pricing structure mentioned but specific prices not detailed in excerpt.
Date: 2026-05-05T06:31:30Z
Network: telegram
Published URL: https://t.me/c/2613583520/75821
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Unknown
Victim Industry: Multiple (e-commerce, social media, payment platforms)
Victim Organization: Unknown
Victim Site: Unknown - Combo list of Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias NovaCloudx shared a combo list containing 1,224 Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login requirement, with the author warning that failing to engage with the post may result in a ban. The credentials are marketed as verified good hits, likely intended for credential stuffing against Hotmail or associated Microsoft services.
Date: 2026-05-05T06:31:27Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9A%A11224x-good-hotmail%E2%9A%A1%E2%9C%85
Screenshots:
None
Threat Actors: NovaCloudx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged distribution of mixed credential combo list
Category: Combo List
Content: A threat actor operating under the alias LordOfSea91 shared a mixed combo list containing approximately 3,793 credential pairs, referred to as a Hydra Mix, on a cybercrime forum. The content is gated behind forum registration or login and no specific target service or victim organization is identified. No price is mentioned, indicating the list is being distributed freely to forum members.
Date: 2026-05-05T06:30:56Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%B1-3793x-hydra-mix-%F0%9F%94%B1
Screenshots:
None
Threat Actors: LordOfSea91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged hacked data from The Gentlemen
Category: Data Breach
Content: A threat actor operating under the handle n789 is offering alleged hacked data purportedly belonging to The Gentlemen for sale at 10,000 USD in Bitcoin. The actor provides a Tox ID for contact and states samples are available upon request. No details regarding the volume, type of data, or victim domain were disclosed in the post.
Date: 2026-05-05T06:30:08Z
Network: openweb
Published URL: https://nulledbb.com/thread-The-Gentlemen-hacked-data-for-sale
Screenshots:
None
Threat Actors: n789
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: The Gentlemen
Victim Site: Unknown - Alleged leak of URL:Login:Password combo list (11GB ULP)
Category: Logs
Content: A threat actor on BreachForums shared a link to an 11GB URL:Login:Password (ULP) combo list via a Gofile file-hosting service. The dataset appears to be a large collection of credentials formatted with associated URLs, usernames, and passwords. No specific victim organization or breach source was identified in the post.
Date: 2026-05-05T06:28:51Z
Network: openweb
Published URL: https://breachforums.rs/Thread-URL-LOGIN-PASS-11gb-ULP
Screenshots:
None
Threat Actors: themaster12
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of laparoleeternelle.com by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website laparoleeternelle.com was defaced by threat actor chinafans, operating under the group 0xteam. The attacker placed a defacement file at the path /0x.txt on the target server. The incident was a targeted, single-site defacement with no indication of mass or repeated compromise.
Date: 2026-05-05T06:09:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917589
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Religion / Media
Victim Organization: La Parole Eternelle
Victim Site: laparoleeternelle.com - Website Defacement of camaranegra.org by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website camaranegra.org was defaced by threat actor chinafans, operating under the group 0xteam. The defacement was a targeted, non-mass incident affecting a specific file path on the domain. No server details or explicit motivation were disclosed.
Date: 2026-05-05T06:07:53Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917602
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Camara Negra
Victim Site: camaranegra.org - Website Defacement of Hope Integrated Clinic by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website hopeintegratedclinic.com was defaced by threat actor chinafans, operating under the group 0xteam. The attack was a targeted single-site defacement, with a mirror of the defaced page archived at zone-xsec.com. No specific motivation or technical details regarding the server environment were disclosed.
Date: 2026-05-05T06:07:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917605
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Healthcare
Victim Organization: Hope Integrated Clinic
Victim Site: hopeintegratedclinic.com - Website Defacement of Publication International Limited by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor identified as chinafans, operating under the group 0xteam, defaced the website of Publication International Limited. The attack was a targeted single-site defacement, not part of a mass defacement campaign. Server and infrastructure details were not disclosed in the available threat data.
Date: 2026-05-05T06:06:29Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917586
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Publishing / Media
Victim Organization: Publication International Limited
Victim Site: publicationinternationallimite… - Website Defacement of Shiesh Creations by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Shiesh Creations by uploading a defacement file at shieshcreations.com/0x.txt. The incident was a targeted single-site defacement with no additional technical indicators such as server software or IP address recorded. The defacement was mirrored and archived by zone-xsec.com.
Date: 2026-05-05T06:05:44Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917606
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Creative Services
Victim Organization: Shiesh Creations
Victim Site: shieshcreations.com - Website Defacement of French Site Les Petites Mélodies by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor using the handle chinafans, affiliated with 0xteam, defaced a French website identified as Les Petites Mélodies (xn--lespetitesmlodies-ltb.fr). The incident was a targeted, single-site defacement with no indication of mass or repeated defacement activity. The mirror of the defaced page was archived at zone-xsec.com.
Date: 2026-05-05T06:05:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917591
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: France
Victim Industry: Entertainment / Music
Victim Organization: Les Petites Mélodies
Victim Site: xn--lespetitesmlodies-ltb.fr - Website Defacement of tonugamu.com by chinafans (0xteam)
Category: Defacement
Content: The website tonugamu.com was defaced by threat actor chinafans, operating under the team 0xteam, on May 5, 2026. The defacement targeted a specific file path (/0x.txt) rather than the homepage, indicating a targeted file-level intrusion. The incident was neither a mass defacement nor a redefacement, and limited technical details regarding the server environment are available.
Date: 2026-05-05T06:04:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917604
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: tonugamu.com - Website Defacement of zebexit.com by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website zebexit.com was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The defacement was a targeted single-site attack, with a mirror of the defaced page archived at zone-xsec.com. No additional technical details regarding the server infrastructure or motive were disclosed.
Date: 2026-05-05T06:03:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917584
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Zebexit
Victim Site: zebexit.com - Website Defacement of schillcristian.ro by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Romanian website schillcristian.ro by uploading a defacement file (0x.txt). The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity. The attackers motivation and server details remain unknown.
Date: 2026-05-05T06:02:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917575
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Romania
Victim Industry: Unknown
Victim Organization: Schill Cristian
Victim Site: schillcristian.ro - Alleged data breach of CEMIG with sale of IBM Watson conversational AI instance dump
Category: Data Breach
Content: A threat actor is selling a 72GB compressed dump of CEMIGs IBM Watson virtual assistant instance, allegedly obtained by compromising an admin credential. The dataset reportedly includes over 6 million customer conversations containing CPFs, phone numbers, email addresses, names, debt status, utility bill amounts, and parent names. The sale bundle also includes Prometheus stats, employee exports, and API keys from the Watson panel.
Date: 2026-05-05T06:02:37Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Brazil-CEMIG-1-6M-phone-numbers-full-Watson-export
Screenshots:
None
Threat Actors: tarot
Victim Country: Brazil
Victim Industry: Energy & Utilities
Victim Organization: CEMIG
Victim Site: cemig.com.br - Website Defacement of donastorg.com by chinafans (0xteam)
Category: Defacement
Content: The website donastorg.com was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The defacement was recorded on May 5, 2026, with the defaced content hosted at the path /0x.txt. The incident was a targeted, non-mass defacement with no specific motive publicly stated.
Date: 2026-05-05T06:02:16Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917585
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Donastorg
Victim Site: donastorg.com - Website Defacement of eminegun.com by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website eminegun.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement was a targeted single-site attack, with a mirror of the defaced page archived at zone-xsec.com. No specific motivation or server details were disclosed in connection with the incident.
Date: 2026-05-05T06:01:33Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917601
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Eminegun
Victim Site: eminegun.com - Website Defacement of Evolve Spaces by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website evolvespaces.in was defaced by a threat actor identified as chinafans, operating under the group 0xteam. The defacement was a targeted single-site attack, with a mirror of the defaced page archived at zone-xsec.com. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-05-05T06:00:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917587
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Unknown
Victim Organization: Evolve Spaces
Victim Site: evolvespaces.in - Website Defacement of lineofpurpose.com by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website lineofpurpose.com was defaced by a threat actor identified as chinafans, operating under the group 0xteam. The defacement was a targeted, single-site attack with no indication of mass or repeat defacement activity. The incident was archived and mirrored via zone-xsec.com for record purposes.
Date: 2026-05-05T06:00:05Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917588
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Line of Purpose
Victim Site: lineofpurpose.com - Website Defacement of BrandRetreat by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor identified as chinafans, operating under the group 0xteam, defaced the website brandretreat.in, a branding and retreat services domain registered under Indias .in TLD. The defacement was a targeted, non-mass incident with the attacker leaving a text file at the path /0x.txt as evidence of compromise. No specific motive or additional technical details were disclosed.
Date: 2026-05-05T05:59:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917594
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Marketing / Branding Services
Victim Organization: Brand Retreat
Victim Site: brandretreat.in - Alleged data leak of CEMIG via IBM Watson AI agent export
Category: Data Leak
Content: A threat actor using the alias tarot claims to have taken control of CEMIGs IBM Watson AI agent and exported customer interaction data spanning September 2022 to April 2026. The leaked dataset allegedly contains 474,519 unique PII entries including 243,328 unique conversations, 30,053 CPF numbers, 158,388 phone numbers, and 42,750 email addresses, with the released sample representing approximately 0.7% of a purported 72GB full export. The data was made available for free on the forum and inc
Date: 2026-05-05T05:59:07Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Brazil-CEMIG-s-partial-Watson-export-400K-PII
Screenshots:
None
Threat Actors: tarot
Victim Country: Brazil
Victim Industry: Energy & Utilities
Victim Organization: CEMIG
Victim Site: cemig.com.br - Website Defacement of Barbets Nest by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, threat actor chinafans, operating under the group 0xteam, defaced the South African website barbetsnest.co.za. The defacement was a targeted single-site attack, as indicated by the non-mass, non-home page nature of the incident. A mirror of the defacement has been archived at zone-xsec.com.
Date: 2026-05-05T05:58:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917597
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: South Africa
Victim Industry: Unknown
Victim Organization: Barbets Nest
Victim Site: barbetsnest.co.za - Website Defacement of Divine Power Global by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the team 0xteam, defaced the website divinepowerglobal.org by uploading a text file (0x.txt) to the server. The incident was a targeted, single-site defacement with no indication of mass or repeat defacement activity. The attack was archived and mirrored via zone-xsec.com.
Date: 2026-05-05T05:57:48Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917611
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Religious/Spiritual Organizations
Victim Organization: Divine Power Global
Victim Site: divinepowerglobal.org - Website Defacement of VitaTrialConnect by chinafans (0xteam)
Category: Defacement
Content: The website vitatrialconnect.com was defaced by threat actor chinafans, operating under the group 0xteam, on May 5, 2026. The defacement targeted a specific file path (0x.txt) rather than the homepage, suggesting a targeted file-level intrusion. The incident was recorded as a singular, non-mass defacement event with no prior redefacement history.
Date: 2026-05-05T05:57:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917576
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Healthcare / Clinical Trials
Victim Organization: VitaTrialConnect
Victim Site: vitatrialconnect.com - Website Defacement of gxreveal.com by chinafans (0xteam)
Category: Defacement
Content: The website gxreveal.com was defaced by a threat actor known as chinafans, operating under the group 0xteam, on May 5, 2026. The defacement was recorded as a standard single-page defacement, not classified as mass or home page defacement. A mirror of the defaced content is archived at zone-xsec.com.
Date: 2026-05-05T05:56:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917612
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: GX Reveal
Victim Site: gxreveal.com - Website Defacement of Marquee Hire London by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website marqueehirelondon.co was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement was a targeted single-site attack, with the defaced content accessible via a text file path (0x.txt) on the domain. The incident was archived and mirrored by zone-xsec.com for record-keeping purposes.
Date: 2026-05-05T05:55:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917581
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United Kingdom
Victim Industry: Event Services / Hospitality
Victim Organization: Marquee Hire London
Victim Site: marqueehirelondon.co - Website Defacement of Dar Al-Mahi by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website dar-almahi.com. The defacement was a targeted, non-mass attack affecting a specific page on the domain. A mirror of the defacement was archived at zone-xsec.com.
Date: 2026-05-05T05:54:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917579
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Dar Al-Mahi
Victim Site: dar-almahi.com - Website Defacement of Top Choice Cleaners by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Top Choice Cleaners, a cleaning services company based in Kenya. The defacement targeted the file 0x.txt on the victims domain and was recorded as a single, non-mass, non-home page defacement. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-05-05T05:54:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917580
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Kenya
Victim Industry: Cleaning Services / Consumer Services
Victim Organization: Top Choice Cleaners
Victim Site: topchoicecleaners.co.ke - Website Defacement of aboodpress.qtechdemo.website by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor using the handle chinafans, affiliated with 0xteam, defaced the website hosted at aboodpress.qtechdemo.website. The incident was a targeted single-site defacement, not part of a mass defacement campaign. The targeted domain appears to be associated with a demo or development hosting environment operated by QTech.
Date: 2026-05-05T05:53:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917590
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology/Web Hosting
Victim Organization: Aboodpress on QTech Demo
Victim Site: aboodpress.qtechdemo.website - Website Defacement of Aya Estilistes by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website ayaestilistes.com, belonging to Aya Estilistes, a hair/beauty salon business, was defaced by threat actor chinafans operating under the group 0xteam. The defacement was a targeted single-site incident, with the attacker leaving a marker file (0x.txt) as evidence of compromise. No specific motivation or technical details regarding the server infrastructure were disclosed.
Date: 2026-05-05T05:52:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917577
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Spain
Victim Industry: Beauty & Personal Care
Victim Organization: Aya Estilistes
Victim Site: ayaestilistes.com - Distribution of pirated film content via file-sharing link
Category: Cyber Attack
Content: A forum post on NulledBB shares a file-hosting link to what appears to be a pirated copy of the 2010 film Trust in 1080p BluRay format. The post contains no indicators of a data breach, cyberattack, credential leak, or other traditional cyber threat activity. This content represents potential copyright infringement rather than a cybersecurity threat.
Date: 2026-05-05T05:52:17Z
Network: openweb
Published URL: https://nulledbb.com/thread-Liana-Liberato-Catherine-Keener-Trust-2010-1080p-BluRay
Screenshots:
None
Threat Actors: gerrick54
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of NYC Waterfalls by chinafans (0xteam)
Category: Defacement
Content: The threat actor chinafans, operating under the group 0xteam, defaced the website nycwaterfalls.org on May 5, 2026. The defacement targeted a specific file path (0x.txt) rather than the homepage, suggesting a targeted file drop rather than a full site takeover. The incident was not classified as a mass or redefacement event.
Date: 2026-05-05T05:52:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917582
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Arts & Culture / Tourism
Victim Organization: NYC Waterfalls
Victim Site: nycwaterfalls.org - Alleged data breach of Fujairah Port (UAE) by Hanzalah threat group – 430,000+ confidential documents
Category: Data Breach
Content: Threat actor group Hanzalah claims to have conducted a cyber operation against Fujairah Port in the United Arab Emirates, allegedly extracting over 430,000 confidential documents. The claimed stolen data includes contract details, vessel traffic information, financial transactions, and detailed infrastructure maps of oil pipelines and port facilities. The threat actor claims to have shared these documents publicly on their website and states the information has been provided to resistance-aligned missile units for targeting purposes. The post includes political messaging regarding UAE-Israel-US cooperation.
Date: 2026-05-05T05:51:12Z
Network: telegram
Published URL: https://t.me/c/1283513914/21554
Screenshots:
None
Threat Actors: Hanzalah
Victim Country: United Arab Emirates
Victim Industry: Port/Maritime Infrastructure
Victim Organization: Fujairah Port
Victim Site: Unknown - Website Defacement of Mavis Studio by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the Estonian website mavistuudio.ee was defaced by threat actor chinafans operating under the group 0xteam. The defacement was a targeted single-site intrusion, with the attacker leaving a defacement file at the path /0x.txt. No specific motive or exploitation method was disclosed in the available intelligence.
Date: 2026-05-05T05:45:53Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917552
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Estonia
Victim Industry: Creative Services / Studio
Victim Organization: Mavis Studio
Victim Site: mavistuudio.ee - Website Defacement of Ruijie Network Vietnam by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Vietnamese website of Ruijie Network, a networking technology company. The defacement was a targeted single-site attack, with the defaced content placed at the path /0x.txt. A mirror of the defacement was archived by zone-xsec.com.
Date: 2026-05-05T05:45:03Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917518
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Vietnam
Victim Industry: Technology / Networking
Victim Organization: Ruijie Network Vietnam
Victim Site: ruijienetwork.com.vn - Website Defacement of World of the Office Qatar by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of World of the Office Qatar. The attack targeted a specific page on the domain and was neither a mass defacement nor a redefacement. No specific motive or server details were disclosed in association with the incident.
Date: 2026-05-05T05:44:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917541
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Qatar
Victim Industry: Retail / Office Supplies
Victim Organization: World of the Office Qatar
Victim Site: worldoftheofficeqatar.com - Website Defacement of roseandpetals.xyz by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor operating under the handle chinafans affiliated with 0xteam defaced the website roseandpetals.xyz, a likely floral or retail-themed website. The incident was a targeted, non-mass defacement with no stated motivation recorded. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-05-05T05:43:30Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917529
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail / Floral
Victim Organization: Rose and Petals
Victim Site: roseandpetals.xyz - Website Defacement of Swiss Initiative by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website swissinitiative.org was defaced by threat actor chinafans operating under the group 0xteam. The attacker uploaded a defacement file (0x.txt) to the target server. The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity.
Date: 2026-05-05T05:42:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917544
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Switzerland
Victim Industry: Non-Profit / Civil Society
Victim Organization: Swiss Initiative
Victim Site: swissinitiative.org - Website Defacement of Folktale Entertainment by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, threat actor chinafans operating under the group 0xteam defaced the website of Folktale Entertainment. The attack was a targeted single-site defacement, not part of a mass defacement campaign. No specific motivation or server details were disclosed in the reported incident.
Date: 2026-05-05T05:41:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917550
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Entertainment
Victim Organization: Folktale Entertainment
Victim Site: folktaleentertainment.com - Website Defacement of Sell Indian Arrowheads by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website sellindianarrowheads.com, an e-commerce site likely dealing in Native American arrowhead collectibles, was defaced by threat actor chinafans operating under the group 0xteam. The attack was a targeted single-page defacement, not classified as a mass or home page defacement. No specific motive or server details were disclosed.
Date: 2026-05-05T05:41:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917525
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Retail / E-Commerce
Victim Organization: Sell Indian Arrowheads
Victim Site: sellindianarrowheads.com - Website Defacement of Madagascar Nosy Vanona Tours by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor operating under the alias chinafans, affiliated with 0xteam, defaced the website of Nosy Vanona Tours, a tourism company based in Madagascar. The incident was a targeted, single-site defacement with no mass or repeat defacement indicators. The attack was recorded and mirrored by zone-xsec.com.
Date: 2026-05-05T05:40:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917533
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Madagascar
Victim Industry: Travel and Tourism
Victim Organization: Nosy Vanona Tours
Victim Site: madagascar-nosyvanona-tours.mg - Website Defacement of Japanese Hospitality Site by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Suzume no Oyado, a hospitality or lodging establishment located in the Sendai, Miyagi region of Japan. The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity. Technical details regarding the server infrastructure and attack vector were not disclosed.
Date: 2026-05-05T05:39:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917523
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Japan
Victim Industry: Hospitality / Tourism
Victim Organization: Suzume no Oyado (Sendai Miyagi)
Victim Site: sendai-miyagi-suzumenooyado.jp - Website defacement of SPON Indonesia by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website spon-indonesia.com was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The defacement was a targeted single-site intrusion, with a mirror of the defaced page archived at zone-xsec.com. No specific motive or server details were disclosed in connection with the attack.
Date: 2026-05-05T05:38:53Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917530
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: SPON Indonesia
Victim Site: spon-indonesia.com - Website defacement of sc887.asia by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website sc887.asia, leaving a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity. Server and infrastructure details were not disclosed.
Date: 2026-05-05T05:38:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917543
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: sc887.asia - Website Defacement of yzthai.com by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, threat actor chinafans operating under the group 0xteam defaced the website yzthai.com, leaving a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no mass or repeated defacement indicators noted.
Date: 2026-05-05T05:37:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917517
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Thailand
Victim Industry: Unknown
Victim Organization: YZ Thai
Victim Site: yzthai.com - Website Defacement of UAE NLP Academy by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website uaenlpacademy.com was defaced by a threat actor identified as chinafans, operating under the group 0xteam. The attack targeted the UAE NLP Academy, an organization likely involved in natural language processing or neuro-linguistic programming education in the United Arab Emirates. The defacement was a targeted, single-site compromise and does not appear to be part of a mass defacement campaign.
Date: 2026-05-05T05:36:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917516
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United Arab Emirates
Victim Industry: Education / Training
Victim Organization: UAE NLP Academy
Victim Site: uaenlpacademy.com - Website Defacement of punkworx.org.uk by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website punkworx.org.uk was defaced by a threat actor identified as chinafans, operating under the group 0xteam. The defacement was a targeted single-site incident with a mirror archived at zone-xsec.com. No specific motivation or server details were disclosed in the available intelligence.
Date: 2026-05-05T05:35:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917528
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Punkworx
Victim Site: punkworx.org.uk - Website Defacement of purwomp.com by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website purwomp.com was defaced by threat actor chinafans operating under the group 0xteam. The defacement targeted a specific file path (0x.txt) and was neither a mass defacement nor a homepage defacement. The incident has been archived and mirrored by zone-xsec.com.
Date: 2026-05-05T05:35:16Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917531
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Purwomp
Victim Site: purwomp.com - Website Defacement of daisakusen-gig.com by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the 0xteam group, defaced the website daisakusen-gig.com. The defacement targeted a Japanese entertainment or event-related website, with the attack artifact hosted at the path /0x.txt. The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity.
Date: 2026-05-05T05:34:29Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917549
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Japan
Victim Industry: Entertainment
Victim Organization: Daisakusen Gig
Victim Site: daisakusen-gig.com - Website defacement of Mizushima Town by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced a page on the official website of Mizushima Town, a Japanese municipal government entity. The defacement targeted the file 0x.txt on the domain mizushima-town.jp. This was a single, targeted defacement rather than a mass or home page defacement event.
Date: 2026-05-05T05:33:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917527
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Japan
Victim Industry: Government
Victim Organization: Mizushima Town
Victim Site: mizushima-town.jp - Website Defacement of Transformare Saude Integrada by chinafans (0xteam)
Category: Defacement
Content: The threat actor chinafans, operating under the team 0xteam, defaced the website of Transformare Saude Integrada, a Brazilian healthcare organization, on May 5, 2026. The incident was a targeted single-site defacement, not classified as a mass or redefacement event. No specific motive or server details were disclosed in the available intelligence.
Date: 2026-05-05T05:32:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917537
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Healthcare
Victim Organization: Transformare Saude Integrada
Victim Site: transformaresaudeintegrada.com - Website Defacement of aaa-dfg.jp by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the team 0xteam, defaced the Japanese website aaa-dfg.jp. The defacement was a targeted single-site attack, with the defaced content accessible at the path /0x.txt. No additional details regarding the attackers motive or the server configuration were disclosed.
Date: 2026-05-05T05:32:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917546
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: aaa-dfg.jp - Website Defacement of Afyon Sigorta by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the Turkish insurance company Afyon Sigorta had its website defaced by a threat actor operating under the handle chinafans, affiliated with the group 0xteam. The defacement was a targeted single-site attack, with the defaced content accessible via a text file hosted on the victims domain. No specific motivation or exploitation method was disclosed.
Date: 2026-05-05T05:31:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917524
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Turkey
Victim Industry: Insurance / Financial Services
Victim Organization: Afyon Sigorta
Victim Site: afyonsigorta.com - Website Defacement of knotyet.jp by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor known as chinafans, operating under the team 0xteam, defaced the Japanese website knotyet.jp. The defacement was a targeted, single-site incident with no mass defacement or redefacement indicators. The attacker left a file at knotyet.jp/0x.txt as evidence of the intrusion.
Date: 2026-05-05T05:30:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917538
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Knotyet
Victim Site: knotyet.jp - Website Defacement of Sevilla Technical Service by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, a threat actor identified as chinafans, affiliated with the group 0xteam, defaced the website of Sevilla Servicio Tecnico, a technical services company based in Spain. The incident was a targeted single-site defacement, not part of a mass defacement campaign. A mirror of the defaced page was archived via zone-xsec.com.
Date: 2026-05-05T05:29:47Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917539
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Spain
Victim Industry: Technical Services / Repair Services
Victim Organization: Sevilla Servicio Tecnico
Victim Site: sevilla-servicio-tecnico.es - Website Defacement of BG Data Builders by chinafans (0xteam)
Category: Defacement
Content: On May 5, 2026, the website bgdatabuilders.com was defaced by a threat actor identified as chinafans, operating under the team name 0xteam. The defacement targeted a specific file path (0x.txt) rather than the homepage, suggesting a targeted file-level intrusion. No specific motivation or proof-of-concept details were disclosed in association with this incident.
Date: 2026-05-05T05:29:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917551
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology / Data Services
Victim Organization: BG Data Builders
Victim Site: bgdatabuilders.com - Alleged Hotmail credential combo list shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias RetroCloud shared a combo list on the forum PT – Combolist, advertising approximately 6,000 Hotmail credential hits described as high quality. The content is hidden behind a registration or login wall, limiting direct verification of the claims. This post represents a credential stuffing asset targeting Hotmail accounts, not a breach of the Hotmail or Microsoft platform itself.
Date: 2026-05-05T05:19:26Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85-6k-hq-hotmail-hit-%E2%9C%85-298898
Screenshots:
None
Threat Actors: RetroCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 2,000 Hotmail credentials marketed as fresh
Category: Combo List
Content: A threat actor on the PT – Combolist forum shared a link to an external paste site containing approximately 2,000 Hotmail credential pairs. The credentials are marketed as UHQ (ultra-high quality) and fresh hits, suggesting they have been tested and verified against Hotmail. No price is mentioned, indicating the list was freely distributed.
Date: 2026-05-05T05:18:56Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-2k-hotmail-hits-uhq-fresh
Screenshots:
None
Threat Actors: ayelmay
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Alleged High-Quality Europe and USA Combo Lists
Category: Combo List
Content: A threat actor operating under the handle hangover934 is advertising combo lists claimed to be fully valid and high quality, targeting users from Europe and the United States. The post markets the credentials as suitable for credential stuffing or account takeover activity. No specific organizations, record counts, or pricing details are disclosed in the post.
Date: 2026-05-05T05:16:22Z
Network: openweb
Published URL: https://altenens.is/threads/star100-full-validstarhigh-qualitystareurope-usa-combolists-star.2934611/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged unauthorized access to Austrian residential smart home infrastructure by DDoSia Project
Category: Cyber Attack
Content: DDoSia Project claims to have gained full access to a luxury residential smart home control system in Austria, including automated heating systems, floor heating, water collection systems, whirlpool controls, garage access, and energy monitoring. The group frames the intrusion as retaliation for European support to Ukraine and explicitly acknowledges the risks of system disruption (heating shutdown, pump failure). This represents a confirmed intrusion into critical residential infrastructure with acknowledged capability to cause physical harm.
Date: 2026-05-05T04:59:46Z
Network: telegram
Published URL: https://t.me/c/3087552512/1879
Screenshots:
None
Threat Actors: DDoSia Project
Victim Country: Austria
Victim Industry: Residential/Smart Home Infrastructure
Victim Organization: Private residential property owner
Victim Site: Unknown - Alleged leak of Chinese personal identity and financial data including ID cards and credit cards
Category: Carding
Content: A threat actor on a cybercrime forum is sharing an 11.7GB archive purportedly containing Chinese national ID cards, credit card data, contracts, and business information. The content is gated behind a reply requirement, a common forum engagement tactic. No specific source organization or breach origin is identified in the post.
Date: 2026-05-05T04:48:37Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DOCUMENTS-Part-2-CHINA-ID-Cards-Credit-Cards-Business-Information-11-7GB
Screenshots:
None
Threat Actors: ALTGIANT
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Data Leak of More Ideas General Trading LLC (moreideas.ae)
Category: Data Leak
Content: A threat actor on PwnForums claims to have leaked a database allegedly obtained from More Ideas General Trading LLC, a Dubai-based company operating in the GCC region. The post states the breach occurred in May 2026 and exposed 631,605 customer email addresses. The data is being made available for free via a reply-gated hidden download link.
Date: 2026-05-05T04:47:18Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-moreideas-ae-Emails-Database-Download
Screenshots:
None
Threat Actors: fuckiewuckie
Victim Country: United Arab Emirates
Victim Industry: Retail
Victim Organization: More Ideas General Trading LLC
Victim Site: moreideas.ae - Distribution of mixed credential combo list targeting USA and European accounts
Category: Combo List
Content: A threat actor on NulledBB is sharing or selling a mixed combo list advertised as containing credential hits from the United States and Europe. The post markets the content as exclusive and organized by country. No specific victim organization, record count, or price is stated in the available post content.
Date: 2026-05-05T04:40:04Z
Network: openweb
Published URL: https://nulledbb.com/thread-%E2%AD%90%EF%B8%8FBY-COUNTRIES%E2%AD%90%EF%B8%8FHITS-MIX-USA%E2%AD%90%EF%B8%8FEUROPE%E2%AD%90%EF%B8%8FEXCLUSIVE-COMBOLIST%E2%98%81%E2%AD%90%EF%B8%8F–2290380
Screenshots:
None
Threat Actors: hangover2055
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list distribution targeting mixed USA and Europe credentials
Category: Combo List
Content: A forum user on NulledBB shared a combo list advertised as containing credential hits from the United States and Europe. The post markets the content as an exclusive mix organized by country. No specific victim organization, record count, or data format details were provided in the post.
Date: 2026-05-05T04:39:51Z
Network: openweb
Published URL: https://nulledbb.com/thread-%E2%AD%90%EF%B8%8FBY-COUNTRIES%E2%AD%90%EF%B8%8FHITS-MIX-USA%E2%AD%90%EF%B8%8FEUROPE%E2%AD%90%EF%B8%8FEXCLUSIVE-COMBOLIST%E2%98%81%E2%AD%90%EF%B8%8F–2290381
Screenshots:
None
Threat Actors: hangover2055
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail and Mix Inbox Checker Tool on Criminal Forum
Category: Combo List
Content: A threat actor operating under the alias hunterX is advertising a credential-checking tool called Hunter Mix Inbox Checker v8 on a criminal forum. The tool is marketed with features including inbox viewing without login, email deletion, and multi-keyword inbox scanning, targeting Hotmail and Mix email accounts. This tool is consistent with credential stuffing and account takeover operations leveraging combolist data.
Date: 2026-05-05T04:39:23Z
Network: openweb
Published URL: https://leakforum.io/Thread-Hunter-Mix-Inbox-Checker-v8–20078
Screenshots:
None
Threat Actors: hunterX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of Japanese mail credentials shared on cybercrime forum
Category: Logs
Content: A threat actor operating under the alias D4rkNetHub shared what is described as a combo list of approximately 2,988 Japanese mail credentials on the XF forum. The post includes two download links accessible to registered forum members. The credentials are marketed as good, suggesting some level of validity testing.
Date: 2026-05-05T04:36:55Z
Network: openweb
Published URL: https://xforums.st/threads/2-988-good-japan-d4rknethub-cloud.612255/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of unauthorized access credentials and webshells via World Of Shells VIP group
Category: Initial Access
Content: Threat actor operating World Of Shells VIP group offering daily drops of unauthorized access tools including WordPress logins, cPanel credentials, webmail access, SMTP credentials, and webshells. Pricing model: $20 for 2 weeks or $50 for 1 month. Accepts cryptocurrency payments (TRC20 USDT, LTC, BTC, ETH, SOL). Contact: @Rici144
Date: 2026-05-05T04:31:19Z
Network: telegram
Published URL: https://t.me/worldofshells/50
Screenshots:
None
Threat Actors: World Of Shells
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of Tanikomadagascar by CAC./Ohang (CyberOprationCulture)
Category: Defacement
Content: On May 5, 2026, the WordPress admin interface of tanikomadagascar.manidina.me was defaced by threat actor CAC./Ohang, operating under the group CyberOprationCulture. The attack targeted a cloud-hosted website, compromising its wp-admin endpoint. This was a single targeted defacement, not part of a mass or repeated defacement campaign.
Date: 2026-05-05T04:11:09Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248868
Screenshots:
None
Threat Actors: CAC./Ohang, CyberOprationCulture
Victim Country: Madagascar
Victim Industry: Unknown
Victim Organization: Tanikomadagascar
Victim Site: tanikomadagascar.manidina.me - Sale of stolen cookies and credentials for multiple online services
Category: Logs
Content: A threat actor operating under the alias bluestarcrack is distributing stolen cookies and credentials for multiple online platforms including Netflix, Ramble, Reddit, and Funpay, among others. The content is hosted on an external file sharing service (uploadery.com). The post appears on a cracked accounts forum section, indicating the shared material consists of session cookies or stealer log outputs targeting these services.
Date: 2026-05-05T03:51:29Z
Network: openweb
Published URL: https://breached.st/threads/cookie-netflix-ramble-reddit-funpay-more.86804/unread
Screenshots:
None
Threat Actors: bluestarcrack
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Formosa Judicial Branch employee database
Category: Data Leak
Content: A threat actor operating under the alias LaPampaLeaks has freely shared a database allegedly obtained from the Formosa Judicial Branch in Argentina. The leaked dataset purportedly contains records for more than 2,000 official employees, including fields such as ID, first and last name, national identity document number (DNI), department name, department ID, and jurisdiction. The actor claims the access was initially conducted to locate a specific individual and is now distributing the data via
Date: 2026-05-05T03:44:25Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Argentina-jusformosa-gob-ar-Databases-Court-of-Justice
Screenshots:
None
Threat Actors: LaPampaLeaks
Victim Country: Argentina
Victim Industry: Government
Victim Organization: Formosa Judicial Branch
Victim Site: jusformosa.gob.ar - Alleged distribution of South Korea email combo list (Batch 20/100)
Category: Combo List
Content: A threat actor operating under the alias emaildbpro is distributing a free email list purportedly associated with South Korean users, identified as batch 20 of a 100-part series. The content is gated behind forum registration or login. No record count, data source, or breach origin is specified in the post.
Date: 2026-05-05T03:26:22Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-free-premium-south-korea-email-list-batch-20-100
Screenshots:
None
Threat Actors: emaildbpro
Victim Country: South Korea
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail inbox checker tool with credential access capabilities
Category: Services
Content: A threat actor operating under the alias Jonycortes is offering a commercial Hotmail and MIX inbox checker tool (version 7.7) for sale on a cybercriminal forum. The tool advertises features including inbox viewing without login, email deletion, multi-keyword scanning, proxy support, and high-speed account processing at 60+ accounts per approximately 40 seconds using 15 threads. Subscription tiers are offered ranging from $10 for a one-day trial to $100 for a lifetime license, with an API rotat
Date: 2026-05-05T03:26:04Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9A%A1%EF%B8%8F-hunters-hotmail-inbox-checker%E2%9A%A1
Screenshots:
None
Threat Actors: Jonycortes
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 44,000 Hotmail credentials distributed on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias hunterX has shared a combo list purportedly containing 44,000 Hotmail credential pairs, described as valid hits, via an external paste service. The credentials are marketed as high-quality and tested against Hotmail, indicating possible credential stuffing activity. The post does not indicate a breach of Microsoft or Hotmail infrastructure; the named service is the credential-stuffing target, not the breach source.
Date: 2026-05-05T03:25:05Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A144k-HQ-Hotmail-Access-VAID-HITS%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: hunterX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Alleged Fresh Hotmail Combo List
Category: Combo List
Content: A threat actor operating under the alias KiwiShio is distributing a combo list marketed as containing approximately 800 fresh Hotmail credentials. The content is hidden behind a forum registration or login requirement, and the actor lists a Telegram handle for further contact. The credentials are described as private and fresh, though no verification of these claims is possible.
Date: 2026-05-05T03:24:50Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-800x-%E2%AD%90%E2%AD%90-FRESH-HQ-HOTMAIL-%E2%AD%90%E2%AD%90
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of initial access to undisclosed Brazilian accounting and business consulting firm
Category: Initial Access
Content: A threat actor operating under the alias vegitaxi is offering for sale alleged corporate access to an unnamed Brazilian accounting and business consulting firm with an estimated revenue of $0.5M to $2M. The listed price is $2,000 and the access purportedly includes accounting and financial records, payroll and HR data, legal and compliance files, client systems, and backup storage totaling approximately 325.01 GB. Contact is advertised via Session messenger using a provided public key.
Date: 2026-05-05T03:08:42Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-sell-corps-access-BR–75524
Screenshots:
None
Threat Actors: vegitaxi
Victim Country: Brazil
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown - Sale of IMAP email monitoring and manipulation tool with IBAN replacement capability
Category: Services
Content: A threat actor is advertising a commercial tool called OMNITRIX IMAP that provides IMAP-based email account monitoring, attachment interception, inbox manipulation, and automated IBAN detection and replacement within PDF and DOCX files. The tool supports bulk operations across multiple compromised mailboxes and allows editing and re-uploading of email messages with modified attachments or bodies to the mail server. Functionality described includes filtering by metadata fields, bulk IBAN swapping
Date: 2026-05-05T03:08:04Z
Network: openweb
Published URL: https://darkforums.su/Thread-OMNITRIX-IMAP–75529
Screenshots:
None
Threat Actors: jinkusu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Phishing-as-a-Service Platform Starkiller with Real-Time Browser Session Hijacking
Category: Phishing
Content: A threat actor operating under the alias jinkusu is advertising Starkiller, a phishing-as-a-service platform that deploys real Chromium browser instances inside Docker containers to serve real-time replicas of target websites for credential harvesting. The platform claims to bypass two-factor authentication, capture live sessions, provide full victim screen monitoring, and offer command and control over victim browsers via an admin panel. The service is accessible via starkiller.tokyo and pr
Date: 2026-05-05T03:07:27Z
Network: openweb
Published URL: https://darkforums.su/Thread-STARKILLER-GOD-MODE–75530
Screenshots:
None
Threat Actors: jinkusu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Advertisement for Unrestricted AI Chatbot Service EmpireGPT
Category: Services
Content: A threat actor operating under the alias jinkusu is advertising an AI chatbot service called EmpireGPT on a dark web forum, claiming it operates without the content restrictions found in mainstream AI tools such as ChatGPT. The service is described as free to use and listed as coming soon. No specific victim, target organization, or malicious payload is identified in the post.
Date: 2026-05-05T03:06:50Z
Network: openweb
Published URL: https://darkforums.su/Thread-EMPIREGPT–75531
Screenshots:
None
Threat Actors: jinkusu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of French bank customer records with IBAN information
Category: Data Breach
Content: A threat actor on a dark web forum is selling an alleged dataset of over 6 million French bank customer records priced at $700. The data reportedly includes personally identifiable information such as full name, email, phone, date of birth, address, postal code, as well as financial identifiers including IBAN and SWIFT codes. The seller claims the data is fully untouched and provides a Session messenger handle for contact.
Date: 2026-05-05T03:05:29Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-France-%F0%9F%87%AB%F0%9F%87%B7-Bank-Leads-With-IBAN-Information–75501
Screenshots:
None
Threat Actors: dodyix
Victim Country: France
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of Binance user databases for United Kingdom, New Zealand, Denmark, and Australia
Category: Data Breach
Content: A threat actor on a dark web forum is selling alleged Binance user databases containing records from the United Kingdom, New Zealand, Denmark, and Australia, priced at $300 per 10,000 records. The dataset appears to include phone numbers, full names, and email addresses, as evidenced by a provided sample. The actor claims the data has been verified using a Binance checker and provides a Session messaging contact for transactions.
Date: 2026-05-05T03:04:55Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Crypto-Binance-Databases-United-Kingdom-New-Zealand-Denmark-Australia–75519
Screenshots:
None
Threat Actors: dodyix
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Binance
Victim Site: binance.com - Sale of Japanese SMTP services with inbox delivery evasion features
Category: Services
Content: A threat actor operating under the alias NoBadReviews is advertising Japanese SMTP-based email sending services on a dark web forum. Two packages are offered at $150 and $250 respectively, featuring sender/subject/reply-to rotation, proxy support, header and user-agent randomization, and sending limits of 50,000 to 100,000 emails. The service is marketed as capable of bypassing spam filters to ensure inbox delivery, with payment accepted in cryptocurrency via Telegram contact.
Date: 2026-05-05T03:03:14Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-SMTP-YOUR-JAPANESE-SMTP-SELLER-BEST-ON-MARKET
Screenshots:
None
Threat Actors: NoBadReviews
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of IMSS Blood Bank (Instituto Mexicano del Seguro Social)
Category: Data Breach
Content: A threat actor identified as ColdK3y is offering for sale an alleged database attributed to the IMSS Blood Bank, containing approximately 3.4 million records. The dataset purportedly includes NSS (social security) numbers, national ID numbers, full names, dates of birth, donor type, cell phone numbers, and other personal information. Data is offered in JSON and CSV formats, with a sample file linked and contact provided via Telegram.
Date: 2026-05-05T03:02:38Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-IMSS-BANCO-DE-SANGRE-3-4-MILLION-DATA-04-05-2026
Screenshots:
None
Threat Actors: ColdK3y
Victim Country: Mexico
Victim Industry: Healthcare
Victim Organization: IMSS Blood Bank (Instituto Mexicano del Seguro Social)
Victim Site: imss.gob.mx - Sale of stealer log collection attributed to Lumma C2, StealC, RedLine, and Raccoon on darknet forum
Category: Logs
Content: A threat actor operating under the alias BradMax is offering for sale a private cloud-hosted collection of stealer logs spanning 2020 to 2026, purportedly sourced from Lumma C2, StealC, RedLine, and Raccoon infostealers. Two subscription tiers are advertised — a Default tier (~7.65 million logs, 2024–2026) priced at $250/month and a PRO tier (30 million+ logs, all years) priced at $450/month — with a lifetime access option at $1,990. Logs are hosted on Mega.nz and the seller claims regular upd
Date: 2026-05-05T03:02:01Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-2-%E2%AD%90-BRADMAX-PRIVATE-LOGS-CLOUD%E2%AD%90-%E2%9A%A1%EF%B8%8F-REGULARLY-SUPPLEMENTED%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: BradMax
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Alleged Google Aluminium OS Full OTA Packages
Category: Data Leak
Content: A threat actor claims to possess a large collection of full OTA (Over-the-Air) update packages for Googles alleged internal operating system project, referred to as Aluminium OS. The actor is offering specific builds and bulk pricing exclusively for Monero (XMR) and has shared a sample ZIP file containing OTA files, excluding the payload.bin. No record count or specific build versions were disclosed in the post.
Date: 2026-05-05T03:01:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-EXCLUSIVE-Aluminium-OS-Full-OTA-Packages
Screenshots:
None
Threat Actors: kaeLer
Victim Country: United States
Victim Industry: Technology
Victim Organization: Google
Victim Site: google.com - Alleged data breach of Wingstop Mexico
Category: Data Breach
Content: A threat actor operating under the alias ColdK3y is advertising the sale of an alleged database belonging to Wingstop Mexico on a darknet forum. The purported dataset contains approximately 364,000 records including full names, email addresses, phone numbers, physical addresses, and order/purchase history in JSON and CSV formats. Sample files are provided via an anonymous file-sharing service, and contact is facilitated through Telegram.
Date: 2026-05-05T03:00:36Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-WINGSTOP-MEXICO-364K-RECORDS-04-05-2026
Screenshots:
None
Threat Actors: ColdK3y
Victim Country: Mexico
Victim Industry: Retail
Victim Organization: Wingstop Mexico
Victim Site: wingstop.com.mx - Alleged Data Leak of Algeria Ministry of Pharmaceutical Industry Internal Files
Category: Data Leak
Content: A threat actor operating under the alias kamalsheikhxx claims to have leaked approximately 34.3 GB of internal files allegedly extracted from the Algerian Ministry of Pharmaceutical Industrys systems. The alleged leak includes monthly import records for medical devices and drugs, customs declarations, commercial registers for pharmaceutical firms, personnel data of company managers, psychotropic drug discrepancy declarations, and inventory declarations from distributors, covering the period 2
Date: 2026-05-05T02:59:45Z
Network: openweb
Published URL: https://darkforums.su/Thread-Algeria-Ministry-of-Pharmaceutical-Industry-%E2%80%94-Full-Data-Dump
Screenshots:
None
Threat Actors: kamalsheikhxx
Victim Country: Algeria
Victim Industry: Government
Victim Organization: Algeria Ministry of Pharmaceutical Industry
Victim Site: Unknown - Sale of verified financial accounts, KYC bypass services, and identity fraud tools by MirrorHub
Category: Services
Content: A threat actor operating as MirrorHub is advertising a commercial service on a dark web forum offering verified accounts for crypto exchanges, e-wallets, and banks across multiple geographies including Europe, CIS, USA, and Asia. The service includes KYC bypass using deepfake/neural network technology, account warming, drop services, and company formation in the US, EU, and Asia. Payment is accepted via cryptocurrency or bank card, with claimed 14-day refund guarantees and daily stock replenis
Date: 2026-05-05T02:59:08Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-MirrorHub-Selfreg-Verified-Personal-Business-Accounts-%E2%80%A2-BA-%E2%80%A2-VCC-%E2%80%A2-Exchanges
Screenshots:
None
Threat Actors: MirrorHub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: mirrorhub.bgng.io - Alleged sale of Dubai Land Department property owners database with up to 1 million records
Category: Data Breach
Content: A threat actor operating under the alias Solana0011 is offering for sale an alleged database attributed to the Dubai Land Department, purportedly containing up to 1 million property owner records across approximately 100 Dubai areas, updated as of 2026. The dataset is organized into two folders covering numerous residential and commercial districts and appears to include fields such as full names, mobile numbers, passport details, UAE ID numbers, birth dates, nationality, property transaction va
Date: 2026-05-05T02:58:30Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Dubai-Land-Department-Dubai-Property-Owners-2026-Database
Screenshots:
None
Threat Actors: Solana0011
Victim Country: United Arab Emirates
Victim Industry: Government
Victim Organization: Dubai Land Department
Victim Site: dubailand.gov.ae - Alleged sale of Dubai Property Plot Owners database with up to 100,000 records
Category: Data Breach
Content: A threat actor operating under the handle Solana0011 is selling an alleged 2026 Dubai Property Plot Owners database containing up to 100,000 records. The dataset purportedly includes personal and transactional fields such as full names, mobile numbers, national ID numbers, passport details, birth dates, property plot information, and transaction types across 42 Dubai districts. The seller is directing potential buyers to a Telegram contact for purchase inquiries.
Date: 2026-05-05T02:57:55Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Dubai-Plot-Owners-2026-Database
Screenshots:
None
Threat Actors: Solana0011
Victim Country: United Arab Emirates
Victim Industry: Real Estate
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged USA property owners and cellular transaction database with 17 million records
Category: Data Breach
Content: A threat actor on a dark web forum is offering for sale an alleged database of 17 million US property owners and cellular transaction records for $3,000. The dataset includes personally identifiable information such as full names, addresses, phone numbers, email addresses, geolocation coordinates, household demographics, and detailed property records including deed history, assessed values, and tax data. Contact is provided via Telegram handle @dataincx, and files are available in CSV and JSON f
Date: 2026-05-05T02:57:06Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-17M-USA-Property-Owners-and-Cellular-Transaction-DB
Screenshots:
None
Threat Actors: datasellerx
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of document forgery service offering falsified digital documents
Category: Services
Content: A threat actor operating under the handle logicmaster666 is advertising a document forgery service on a darknet forum. The seller claims to be able to falsify any digital document, including altering personal information, photos, and signatures, upon submission of a sample by the buyer. No specific target organization or country is mentioned.
Date: 2026-05-05T02:56:30Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Fake-digital-documents-of-any-kind-your-cheapest-price
Screenshots:
None
Threat Actors: logicmaster666
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Angolan Government Email Accounts with Alleged Law Enforcement Access
Category: Initial Access
Content: A threat actor operating under the handle KayoTheDon is offering Angolan government email accounts for sale, priced between $5 for a single account and $45 for ten accounts. The seller claims these email accounts carry law enforcement access privileges. Contact is facilitated via Telegram handle @kangored.
Date: 2026-05-05T02:55:29Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Selling-Government-emails-for-cheap-law-enforcement-access
Screenshots:
None
Threat Actors: KayoTheDon
Victim Country: Angola
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown - Sale of PhishLab V1 phishing panel with 2FA bypass and multi-platform credential harvesting
Category: Phishing
Content: A threat actor is selling PhishLab V1, a phishing-as-a-service panel advertised as capable of bypassing all forms of two-factor authentication across multiple target platforms including cryptocurrency exchanges, banks, payment systems, shopping sites, and social media. The panel purportedly provides real-time credential and cookie harvesting with Telegram notifications, enabling session hijacking via cookie import. Pricing is listed at $759 for the first month and $250 for subsequent months, w
Date: 2026-05-05T02:54:54Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-%E2%9A%A1-PHISHLAB-V1-UNDETECTED-PHISHING-PANEL
Screenshots:
None
Threat Actors: PHISHLAB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Betterware Mexico
Category: Data Breach
Content: A threat actor operating under the alias ColdK3y is offering for sale an alleged dataset attributed to Betterware Mexico, a catalog-based home goods retailer. The post claims the dataset contains approximately 10 million records in JSON and CSV formats, including full names, addresses, email addresses, cell phone numbers, and dates of birth. A sample file link is provided, and interested parties are directed to contact the seller via Telegram.
Date: 2026-05-05T02:54:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-BETTERWARE-MEXICO-10M-RECORDS-04-05-26
Screenshots:
None
Threat Actors: ColdK3y
Victim Country: Mexico
Victim Industry: Retail
Victim Organization: Betterware
Victim Site: betterware.com.mx - Alleged Data Breach of NVIDIA GeForce Now
Category: Data Breach
Content: A threat actor operating under the alias associated with Shiny Hunters claims to be selling a full user database allegedly exfiltrated from NVIDIAs GeForce Now platform for $8,000 USD in cryptocurrency. The dataset purportedly includes millions of records containing first and last names, verified email addresses, usernames, dates of birth, membership status, 2FA/TOTP status, internal roles, access flags, and account creation timestamps. Sample records consistent with the described schema were i
Date: 2026-05-05T02:53:43Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-NVIDIA-s-GeForce
Screenshots:
None
Threat Actors: Luckiest
Victim Country: United States
Victim Industry: Technology
Victim Organization: NVIDIA GeForce Now
Victim Site: nvidia.com - List of Top Telegram Channels Published on Dark Forum
Category: Alert
Content: A forum post titled Top Telegram Channels list [2026] was published on a dark web forum by the user KINGOFKINGDOM. No content was available in the post body, preventing further analysis of intent or threat relevance. The post may reference a compilation of Telegram channels of potential intelligence interest.
Date: 2026-05-05T02:52:51Z
Network: openweb
Published URL: https://darkforums.su/Thread-Source-Code-Top-Telegram-Channels-list-2026
Screenshots:
None
Threat Actors: KINGOFKINGDOM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Sistema de Citas de los Tribunales Agrarios México
Category: Data Leak
Content: A threat actor shared what is claimed to be a database from the appointment scheduling system of the Mexican Agrarian Courts (Tribunales Agrarios), reportedly containing over 20,000 records. The data allegedly includes full names, email addresses, phone numbers, and CURP (Mexican national ID numbers) of registered individuals. A sample download link was provided via Gofile, with contact offered via Signal for the full or more recent database.
Date: 2026-05-05T02:51:08Z
Network: openweb
Published URL: https://darkforums.su/Thread-Sistema-de-Citas-de-los-Tribunales-Agrarios-M%C3%A9xico
Screenshots:
None
Threat Actors: hackstage
Victim Country: Mexico
Victim Industry: Government
Victim Organization: Tribunales Agrarios México
Victim Site: Unknown - Alleged combo list of 1,200 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor identified as @Kommander0 has shared a combo list of approximately 1,200 Hotmail credentials, described as fully valid, on a cybercrime forum. The content is gated behind registration or login to access. The credentials are intended for use in credential stuffing against Hotmail accounts and do not represent a breach of the Hotmail service itself.
Date: 2026-05-05T02:33:44Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1-2k-hotmail-full-valid-by-kommander0-04-05
Screenshots:
None
Threat Actors: AnticaCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Discussion of AI model and Google bypass techniques on cybercrime forum
Category: Alert
Content: A forum thread titled How to bypass Google and all AI models? was posted on a cybercrime forum by user LukasWeber. The actual post content is hidden behind a registration or login wall, making the specific claims or techniques unverifiable. No actionable threat data can be extracted from the available content.
Date: 2026-05-05T02:32:42Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-How-to-bypass-Google-and-all-AI-models–20074
Screenshots:
None
Threat Actors: LukasWeber
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of SMTP spamming and cracking service advertised on cracking forum
Category: Services
Content: A threat actor operating under the handle @smtps4you is advertising an SMTP spamming and cracking service on a cracking forum, claiming to offer spam delivery capabilities including SMTP-to-SMS functionality. The service is promoted via a Telegram channel and positions itself as a leading SMTP cracking tool for 2026. No specific victim organization or breach data is referenced in the post.
Date: 2026-05-05T02:32:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%AD%90%EF%B8%8F%E2%9C%85SPAM-SERVICE-%E2%9C%85SMTPs-to-SMS-%E2%9C%85CONTACT-%E2%9C%89%EF%B8%8F-smtps4you-JOIN-%E2%AD%90%EF%B8%8F-TELEGRAM%E2%9C%85Now%E2%9C%85
Screenshots:
None
Threat Actors: smtps4foryou
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged cPanel credentials combo list shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias DexterCloud shared what is described as cPanel hits on a cybercrime forum. The post provides a download link for credentials purportedly valid for cPanel hosting control panels. No specific victim organization, record count, or geographic scope is identified in the post.
Date: 2026-05-05T02:28:13Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Cpanel-HITS
Screenshots:
None
Threat Actors: DexterCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Kemendagri (Indonesian Ministry of Home Affairs)
Category: Data Leak
Content: A threat actor using the handle Xyph0rix posted a thread on the Breached forum claiming to leak a database associated with the Indonesian Ministry of Home Affairs (kemendagri.go.id). The post provides minimal detail beyond the organization name and a BIG DATABASE claim. No record count, data fields, or download links are specified in the available post content.
Date: 2026-05-05T02:18:18Z
Network: openweb
Published URL: https://breached.st/threads/big-database-kemendagri-go-id-leak.86803/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kemendagri (Ministry of Home Affairs of Indonesia)
Victim Site: kemendagri.go.id - Alleged data breach of DIGERCIC Ecuador
Category: Data Leak
Content: A threat actor group identifying as L4TAMFUCKERS, alongside individuals GordonFreeman, Izanagi, and YoSoyGroot, claims to have breached DIGERCIC, Ecuadors national civil registry authority, obtaining 14.8 million records and 10.6 million high-definition images associated with national ID cards. The alleged exfiltrated data includes approximately 10.8 GB of SQL data and 165 GB of images. The post does not indicate a sale price, suggesting the data is being freely disclosed or announced.
Date: 2026-05-05T02:11:44Z
Network: openweb
Published URL: https://darkforums.su/Thread-DIGERCIC-ECUADOR-2026-14-8M-data-10-6M-images
Screenshots:
None
Threat Actors: GordonFreeman
Victim Country: Ecuador
Victim Industry: Government
Victim Organization: DIGERCIC
Victim Site: Unknown - Alleged data breach of Kemendagri (Indonesian Ministry of Home Affairs) with admin credentials leaked
Category: Data Breach
Content: A threat actor operating under the handle xyph0rix on Breachforums has posted a thread claiming to have leaked a large database from Kemendagri (Kementerian Dalam Negeri – Indonesian Ministry of Home Affairs). The leaked data includes admin login credentials for Kemendagri systems, credentials for the Bandung regional office, PPID (Public Information Service) credentials, and multiple additional internal systems. The breach forum thread and user profile are publicly accessible.
Date: 2026-05-05T01:56:54Z
Network: telegram
Published URL: https://t.me/Xyph0rix/295
Screenshots:
None
Threat Actors: xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kemendagri (Kementerian Dalam Negeri)
Victim Site: kemendagri.go.id - Alleged sale of fresh compromised account databases and webmail credentials across multiple countries
Category: Combo List
Content: Threat actor offering sale of fresh database access and compromised credentials for multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT) with inbox access. Claims to have private cloud infrastructure and valid webmail accounts. Targeting e-commerce platforms (eBay, Poshmark, Alibaba, Walmart, Amazon, Mercari), booking services (Booking, Uber), gaming (PSN), and marketplace platforms (OLX/Kleinanzeigen). Seller requests direct contact for specific keyword searches and credential verification.
Date: 2026-05-05T01:55:37Z
Network: telegram
Published URL: https://t.me/c/2613583520/75679
Screenshots:
None
Threat Actors: Num
Victim Country: Unknown
Victim Industry: E-commerce, Booking Services, Gaming, Marketplaces
Victim Organization: Unknown
Victim Site: Unknown - Sale of UHQ Hotmail Combo List
Category: Combo List
Content: A threat actor operating under the alias SASUKE756 is advertising a UHQ (ultra-high quality) Hotmail combo list on a cybercrime forum. The post content is hidden behind a registration or login requirement, limiting visibility into specific details such as record count or credential quality claims. The listing is consistent with credential stuffing material targeting Microsoft Hotmail accounts.
Date: 2026-05-05T01:54:40Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-uhq-hotmails
Screenshots:
None
Threat Actors: SASUKE756
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of bulletproof VPS and RDP hosting service on cybercrime forum
Category: Services
Content: A forum user identified as kuna is advertising bulletproof VPS and RDP hosting services on a cybercrime forum. The offering includes servers with 12 vCores CPU, 24 GB RAM, and 720 GB NVMe SSD, supporting multiple OS images including Windows, Rocky Linux, Ubuntu, AlmaLinux, and Debian, with optional Plesk and n8n installations. Prospective buyers are directed to contact the seller via a Telegram handle.
Date: 2026-05-05T01:43:00Z
Network: openweb
Published URL: https://breached.st/threads/selling-bulletproof-vps-rdp.86801/unread
Screenshots:
None
Threat Actors: kuna
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Website Defacement of Indonesian KKP Library Portal by Mr.spongebob of Anonsec Team
Category: Defacement
Content: On May 5, 2026, a threat actor operating under the alias Mr.spongebob, affiliated with Anonsec Team, defaced the library portal of Sekolah Tinggi Perikanan (STP) Bogor, hosted under Indonesias Ministry of Marine Affairs and Fisheries (KKP) government domain. The attack targeted a subdomain of the kkp.go.id government infrastructure and was not classified as a mass or home page defacement. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-05T01:40:30Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248867
Screenshots:
None
Threat Actors: Mr.spongebob, Anonsec team
Victim Country: Indonesia
Victim Industry: Government – Education / Library Services
Victim Organization: Sekolah Tinggi Perikanan Bogor – Ministry of Marine Affairs and Fisheries (KKP)
Victim Site: perpustakaan-stpbogor.kkp.go.id - Sale of alleged valid Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the handle Roronoa044 is sharing a combo list advertised as containing 1,428 valid Hotmail credentials, described as UHQ (ultra-high quality). The post references a private cloud storage location for the content and directs users to a Telegram account (@noiraccesss) for access. The credentials are marketed as validated and are shared via hidden forum content requiring registration or login.
Date: 2026-05-05T01:17:34Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1428-Valid-UHQ-Hotmail-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale/distribution of WordPress logins, cPanel credentials, webshells, and SMTP access
Category: Initial Access
Content: Threat actor announced upcoming release of multiple cybercrime tools and credentials in a VIP channel, including WordPress login credentials, cPanel administrative access, webshells, SMTP credentials, and webmail access. This represents a collection of initial access vectors and credential compromise materials.
Date: 2026-05-05T01:15:26Z
Network: telegram
Published URL: https://t.me/worldofshells/49
Screenshots:
None
Threat Actors: World Of Shells
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Distribution of mixed email combo list via Telegram channel
Category: Combo List
Content: A threat actor operating under the alias WhiteMelly is distributing a mixed combo list of approximately 8,000 lines, including Hotmail, Live, Outlook, and MSN credentials, via a Telegram channel. The post advertises daily free releases of ULP, logs, cookies, and mail-access data targeting multiple European regions including EU, UK, FR, PL, DE, and IT. The actor also promotes paid offerings through the Telegram handle @hoodsuppbot.
Date: 2026-05-05T01:14:51Z
Network: openweb
Published URL: https://altenens.is/threads/8k-mix-lines-mail-access.2934427/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of mixed valid email access combo list
Category: Combo List
Content: A threat actor operating under the alias redcloud is distributing a combo list of approximately 9,100 entries advertised as mixed valid email access credentials. The post is dated 05.05.2026 and marketed as private and ultra-high quality (UHQ). A Telegram handle (@tutuba5m) is provided for contact, with download access gated behind a forum reply requirement.
Date: 2026-05-05T01:14:22Z
Network: openweb
Published URL: https://altenens.is/threads/9-1k-sparkles-mix-sparkles-valid-mail-access-05-05.2934435/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Distribution of Hotmail Combo List via Telegram Channel
Category: Combo List
Content: A threat actor operating under the alias WhiteMelly is distributing a combo list of approximately 10,000 Hotmail credential pairs on the AE forum. The post advertises a Telegram channel offering daily free releases of mixed credentials, logs, cookies, and leaked data covering multiple regions including EU, UK, France, Poland, Germany, and Italy. The actor also solicits private purchases via the Telegram handle @hoodsuppbot.
Date: 2026-05-05T01:13:53Z
Network: openweb
Published URL: https://altenens.is/threads/10k-hotmail-lines-mail-access.2934428/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail credential combo list on AE forum
Category: Combo List
Content: A threat actor operating under the alias redcloud is sharing a combo list of approximately 7,100 Hotmail credentials, advertised as valid and of ultra-high quality (UHQ), dated 05.05.2026. The post requires forum replies to access the hidden download link and references a Telegram contact for further communication. This represents a credential stuffing resource targeting Hotmail accounts, not a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-05T01:13:26Z
Network: openweb
Published URL: https://altenens.is/threads/7-1k-high-voltagehotmailhigh-voltagevalid-mail-access-05-05.2934443/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Fullz and Non-VBV Credit Card Details with Carding Tutorial
Category: Carding
Content: A threat actor is offering stolen credit card fullz — including SSN, name, date of birth, phone number, mothers maiden name, and address — priced at approximately $50 each on underground markets. The post also serves as a carding tutorial, explaining the distinction between VBV and non-VBV cards and their utility for bypassing 3D Secure fraud controls. The actor references specific vendors and markets for acquiring non-VBV cards and claims fullz can be used for background checks and fraudulent
Date: 2026-05-05T01:11:33Z
Network: openweb
Published URL: https://altenens.is/threads/fullz-card-details-cc-details-include-personal-info-like-ssn-name-dob-phone-mmn-fullz-address-this-is-great-you-can-easily-create-almost-any.2934456/unread
Screenshots:
None
Threat Actors: Rotten
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Punjab National Bank India with 100,000 records offered for sale
Category: Data Breach
Content: A threat actor operating under the handle momo78 is offering for sale an alleged database dump attributed to Punjab National Bank (India), claiming it contains 100,000 records described as a fresh 2026 dump. The advertised data fields include account numbers, account holder names, IFSC codes, phone numbers, and email addresses in CSV and JSON formats. The full dataset is priced at $1,200 payable in BTC or XMR, with a 1,000-record sample available via Telegram.
Date: 2026-05-05T01:03:01Z
Network: openweb
Published URL: https://breached.st/threads/punjab-national-bank-india-100-000-fresh-leak-account-phone-email.86800/unread
Screenshots:
None
Threat Actors: momo78
Victim Country: India
Victim Industry: Finance
Victim Organization: Punjab National Bank
Victim Site: pnbindia.in - Alleged data breach of Punjab National Bank
Category: Data Breach
Content: A threat actor identified as momo78 is offering for sale an alleged database dump attributed to Punjab National Bank, India, claiming it contains 100,000 records. The dataset purportedly includes account numbers, account holder names, IFSC codes, phone numbers, and email addresses in CSV and JSON formats. The full dataset is priced at $1,200 payable in BTC or XMR, with a sample of 1,000 records advertised as available via Telegram.
Date: 2026-05-05T01:02:06Z
Network: openweb
Published URL: https://breached.st/threads/punjab-national-bank-india-100-000-fresh-leak-account-phone-email.86799/unread
Screenshots:
None
Threat Actors: momo78
Victim Country: India
Victim Industry: Finance
Victim Organization: Punjab National Bank
Victim Site: pnbindia.in - Alleged distribution of private mail access
Category: Logs
Content: User Bo is promoting access to private mail accounts, offering free drops via a Telegram channel link. This appears to be distribution of compromised email credentials or unauthorized mail access.
Date: 2026-05-05T01:01:25Z
Network: telegram
Published URL: https://t.me/c/2613583520/75670
Screenshots:
None
Threat Actors: Bo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Counter-Strike 2 Bot-Farming Accounts, Top-Ups, and Setup Services
Category: Services
Content: A threat actor operating under the alias CSFarmHub is offering a commercial bot-farming service targeting Counter-Strike 2, including the sale of ready-made Steam accounts at various ranks, instant Steam credit top-ups, and Prime Status upgrades. The seller also provides step-by-step setup manuals covering account registration, PC configuration, software selection, and drop collection to facilitate automated in-game item farming for profit. Contact is conducted exclusively via Telegram under t
Date: 2026-05-05T00:53:39Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Counter-Strike-2-Bot-Farming-Services
Screenshots:
None
Threat Actors: CSFarmhub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Egypt Ministry of Health e-portal
Category: Data Breach
Content: A threat actor operating under the handle CrowStealer, in collaboration with quellostanco, is selling an alleged dataset from Egypts Ministry of Health e-portal containing approximately 3.8 million records in a 2.12GB CSV file priced at $400. The dataset reportedly includes sensitive patient information such as national IDs, patient names, telephone numbers, addresses, diagnoses, treatment providers, and decision statuses. The post claims the data was leaked on February 16, 2026, and notes
Date: 2026-05-05T00:47:22Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Egypt-Ministry-of-health-e-portal-data-3-8M
Screenshots:
None
Threat Actors: CrowStealer
Victim Country: Egypt
Victim Industry: Healthcare
Victim Organization: Egypt Ministry of Health
Victim Site: Unknown - Sale of BLACKNET-00 Ransomware Builder Platform with Full Source Code
Category: Malware
Content: A threat actor operating as blacknet00 is selling a ransomware builder platform called BLACKNET-00 for $2,000, including full source code, lifetime support, and lifetime updates, with payment accepted only in cryptocurrency. The platform features a GUI-based builder supporting multiple encryption algorithms (AES-256, RSA, ChaCha20, and others), output formats (EXE, DLL, JS, etc.), C2 configuration with Tor and DGA support, persistence mechanisms, anti-analysis capabilities, and triple extortio
Date: 2026-05-05T00:45:41Z
Network: openweb
Published URL: https://pwnforums.st/Thread-RANSOMWARE-FOR-SALE
Screenshots:
None
Threat Actors: blacknet00
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Cyprus Airways
Category: Data Breach
Content: A threat actor operating under the alias justcyprus is advertising the sale of approximately 50,000 records allegedly sourced from Cyprus Airways. The dataset appears to contain passenger personally identifiable information including full names, email addresses, gender, dates of birth, and passport or national ID numbers from multiple nationalities. The seller references a Telegram bot for contact and states escrow is accepted.
Date: 2026-05-05T00:45:10Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-cyprus-airways-fresh-50k-e-mail
Screenshots:
None
Threat Actors: justcyprus
Victim Country: Cyprus
Victim Industry: Transportation
Victim Organization: Cyprus Airways
Victim Site: cyprusairways.com - Alleged sale of French personal records database containing approximately 35,000 entries
Category: Data Breach
Content: A threat actor operating under the alias ARPANET7666 is offering for sale a database referred to as FF TIR containing approximately 35,000 records belonging to French individuals. The dataset includes full names, gender, date of birth, place of birth, residential address, postal code, city, and email address fields, as demonstrated by sample records shared in the post. The seller is accepting offers and requests contact via Telegram handle @virus881.
Date: 2026-05-05T00:44:39Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-FR-FF-TIR-35K
Screenshots:
None
Threat Actors: ARPANET7666
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Afghanistan Ministry of Finance with infrastructure exposure
Category: Data Breach
Content: A threat actor operating under the alias Cyballz is offering for sale an alleged 1.4 TB+ dataset purportedly obtained from the cPanel account of a user shamshad at Afghanistans Ministry of Finance. The actor claims the dump includes private keys, live databases, email infrastructure, backend configurations, and data from associated government platforms including AFMIS and PPP systems. The asking price is $800, with contact facilitated via a Session messaging identifier.
Date: 2026-05-05T00:44:01Z
Network: openweb
Published URL: https://pwnforums.st/Thread-AFGHANISTAN-MINISTRY-OF-FINANCE-COMPLETE-INFRASTRUCTURE-BREACH-%E2%80%93-1-4-TB-LEAKED
Screenshots:
None
Threat Actors: Cyballz
Victim Country: Afghanistan
Victim Industry: Government
Victim Organization: Ministry of Finance of Afghanistan
Victim Site: mof.gov.af - Sale of alleged cryptocurrency investor lead database
Category: Data Breach
Content: A threat actor on PwnForums is selling a dataset of approximately 46,000 cryptocurrency-related leads, attributed to France (FR), for 35,000 EUR. The data fields include email, country, total value, transactions, gain/loss, date, and asset/crypto type, with the seller suggesting additional personal identifiers such as name and address may be available. Contact is offered via a Telegram handle.
Date: 2026-05-05T00:43:30Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-FR-Leads-Crypto
Screenshots:
None
Threat Actors: shabat
Victim Country: France
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Evalang.fr with over 3 million records offered for sale
Category: Data Breach
Content: A threat actor operating under the name Anssi is claiming to be selling exclusive access to a database from evalang.fr containing over 3 million records. The post references a prior leak of ars.sante.fr and claims an ongoing collection effort targeting an additional 19 million French records. Payment is accepted in cryptocurrency only, with a 100,000-record sample offered to serious buyers upon request.
Date: 2026-05-05T00:42:57Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-3M-EVALANG-FR-another-messaage-for-french-gov-cuz-I-love-them-3
Screenshots:
None
Threat Actors: Anssi
Victim Country: France
Victim Industry: Government
Victim Organization: Evalang
Victim Site: evalang.fr - Alleged release of DATA GHOST v1.0 C2 malware by Infrastructure Destruction Squad
Category: Malware
Content: Infrastructure Destruction Squad announced the free release of DATA GHOST v1.0, a command and control (C2) tool designed for remote device control and file access. The tool supports payload generation in multiple formats (Python, Windows, Linux) with promised weekly updates.
Date: 2026-05-05T00:42:38Z
Network: telegram
Published URL: https://t.me/c/2735908986/4183
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of unauthorized access methods to French law enforcement systems (NEOFIC, PVE, TAJ) via social engineering and VPN configuration
Category: Services
Content: A threat actor operating under the alias shabat is advertising paid services to obtain unauthorized access to French law enforcement databases and systems, including NEOFIC, PVE, MAIM MCE, and TAJ. The post details social engineering techniques to impersonate law enforcement personnel over the phone to extract criminal records, as well as VPN configuration parameters allegedly enabling access to restricted police network infrastructure at minint.fr. The actor offers to perform these lookups on
Date: 2026-05-05T00:41:45Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DOCUMENTS-FR-Police-FPR-TAJ-Etc
Screenshots:
None
Threat Actors: shabat
Victim Country: France
Victim Industry: Government
Victim Organization: French National Police (Police Nationale)
Victim Site: police.interieur.gouv.fr - Alleged Release of DATA GHOST v1.0 C2 Malware Tool by Infrastructure Destruction Squad
Category: Malware
Content: Infrastructure Destruction Squad announced the free release of DATA GHOST v1.0, a command and control (C2) tool designed for remote device control and file access. The tool will support payload generation in multiple formats (Python, Windows, Linux) with weekly updates planned. This represents a significant threat as it enables attackers to distribute malware with full remote control capabilities.
Date: 2026-05-05T00:41:38Z
Network: telegram
Published URL: https://t.me/c/2735908986/4182
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged cyber attack on New Ecology System srl – SCADA system shutdown
Category: Cyber Attack
Content: Infrastructure Destruction Squad claimed responsibility for a cyber attack against New Ecology System srl, an Italian waste treatment company. The attack targeted the Municipal Solid Waste (RSU) treatment plant in Tito, Potenza province, exploiting remote access servers to achieve complete shutdown of the integrated SCADA platform. Critical systems including plant monitoring, motor parameters, bio-cell treatment units, maintenance systems, and wireless monitoring infrastructure were rendered offline. The attack resulted in operational paralysis, waste accumulation, and disabled environmental monitoring systems.
Date: 2026-05-05T00:40:30Z
Network: telegram
Published URL: https://t.me/c/2735908986/4181
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Italy
Victim Industry: Waste Management / Industrial Control Systems
Victim Organization: New Ecology System srl
Victim Site: Unknown - Sale of alleged combo list targeting German shopping platforms Payback.de and Zalando.de
Category: Combo List
Content: A threat actor on the Patched.to forum is sharing a combo list of approximately 15,000 email and password pairs claimed to be valid for credential stuffing against German shopping platforms Payback.de and Zalando.de. The credentials are marketed as high-validity and private. Access to the content requires forum registration or login.
Date: 2026-05-05T00:34:38Z
Network: openweb
Published URL: https://patched.to/Thread-shopping-15k-germany-full-valid-combo-private-uhq-premium-combo
Screenshots:
None
Threat Actors: BaggerraYZ
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 3,600 mixed USA and EU mail credentials
Category: Combo List
Content: A threat actor operating under the alias TraxGod is distributing a combo list of approximately 3,600 email access credentials purportedly sourced from the United States and Europe. The content is described as private data and is shared via hidden forum content requiring registration or login. No specific breached organization is identified.
Date: 2026-05-05T00:34:21Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%E2%9A%9C%EF%B8%8F3-6k-usa-eu-mail-access-mix%E2%9A%9C%EF%B8%8F%E2%9C%A8-01-05
Screenshots:
None
Threat Actors: TraxGod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Hotmail combo list advertised as UHQ private
Category: Combo List
Content: A threat actor operating under the alias BaggerraYZ is advertising a combo list of approximately 62,000 Hotmail credentials on a cybercrime forum. The list is described as UHQ private with low valid rate and marketed as premium for 2026. Full content is gated behind forum registration or login.
Date: 2026-05-05T00:34:03Z
Network: openweb
Published URL: https://patched.to/Thread-gaming-62k-combolist-hotmail-uhq-private-low-valid-premium-2026
Screenshots:
None
Threat Actors: BaggerraYZ
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged 9,000-record USA combo list advertised as UHQ mix with private hits
Category: Combo List
Content: A forum user on PT – Combolist is distributing a combo list purportedly containing approximately 9,000 email and password credential pairs targeting USA-based accounts. The post markets the content as UHQ (ultra-high quality) with private hits, suggesting the credentials have been tested against one or more services. Full content is gated behind forum registration or login.
Date: 2026-05-05T00:33:31Z
Network: openweb
Published URL: https://patched.to/Thread-shopping-corps-9k-usa-combolist-uhq-mix-hits-private-2026-may
Screenshots:
None
Threat Actors: BaggerraYZ
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Facebook email:password combo list on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias BaggerraYZ has shared a combo list of approximately 1,200 email:password credential pairs on a cybercrime forum, marketed as fresh and private for May 2026 and targeted for use against Facebook accounts. The content is gated behind forum registration or login. This post represents a credential stuffing resource, not a breach of Facebook itself.
Date: 2026-05-05T00:33:00Z
Network: openweb
Published URL: https://patched.to/Thread-streaming-1-2k-facebook-combo-emailpass-fresh-private-may-2026
Screenshots:
None
Threat Actors: BaggerraYZ
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Alleged Walmart Credential Combo List Targeting United States Users
Category: Combo List
Content: A threat actor operating under the alias BaggerraYZ is distributing a combo list of approximately 1,300 email-password credential pairs purportedly sourced from United States-based accounts and marketed as effective for use against Walmart. The post advertises the credentials as UHQ (ultra-high quality) and premium private, with access to the content gated behind forum registration or login. This represents a credential stuffing resource and not a direct breach of Walmarts systems.
Date: 2026-05-05T00:32:41Z
Network: openweb
Published URL: https://patched.to/Thread-shopping-1-3k-usa-walmart-uhq-emailpass-premium-private-acss-2026
Screenshots:
None
Threat Actors: BaggerraYZ
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of bulk email verification service via Telegram bot
Category: Services
Content: A threat actor operating under the handle comia is advertising a Telegram-based bulk email verification service (@EmailDebouncerBot) priced at $1 per 1,000 emails. The service performs SMTP-level MX handshakes to classify submitted email addresses as valid, invalid, or unverifiable, and accepts anonymous cryptocurrency payments including USDT, BTC, ETH, BNB, LTC, and SOL. The service explicitly supports no KYC requirements and claims auto-deletion of result files, positioning it as a privacy-p
Date: 2026-05-05T00:32:10Z
Network: openweb
Published URL: https://patched.to/Thread-nova-bulk-email-verification-%E2%80%94-smtp-level-%E2%80%94-1-1k-%E2%80%94-telegram-298870
Screenshots:
None
Threat Actors: comia
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of alleged valid Hotmail credential combo list
Category: Combo List
Content: A threat actor known as NullShop is distributing a combo list advertised as containing approximately 1,900 valid Hotmail credentials, marketed as fresh and verified. The content is gated behind forum registration or login. The actor references a Telegram handle (@NullShop0X) and an external paste link for additional releases.
Date: 2026-05-05T00:31:51Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1-9-k-1-k-full-valid-hotmail-access-valid-hit-fresh-%F0%9F%94%A5
Screenshots:
None
Threat Actors: NullShop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Claude Opus API Keys with High Token Allowance
Category: Services
Content: A threat actor on a leak forum is distributing what are claimed to be Claude Opus 4.7 API keys with access to 1 million tokens, offered as a free sample. The post prompts users to register or log in to view the hidden content, suggesting the keys may be shared upon engagement.
Date: 2026-05-05T00:31:42Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9C%A8-1-million-tokens-claude-opus-4-7-and-more-api-key-%E2%9C%A8-298852
Screenshots:
None
Threat Actors: JVZU
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of stolen payment card data including dumps, PINs, and EBT cards
Category: Combo List
Content: A threat actor operating under the Telegram handle @jammysim is advertising stolen financial data for sale, including credit and debit card transfers and deposits, card dumps with PINs, and EBT cards with PINs. The post solicits direct contact via Telegram for transactions. No specific victim organization or record count is disclosed.
Date: 2026-05-05T00:30:13Z
Network: openweb
Published URL: https://demonforums.net/Thread-You-Can%E2%80%99t-Be-Broke-%E2%9D%8CWhen-I%E2%80%99m-Active–202837
Screenshots:
None
Threat Actors: general
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of stolen payment card data including dumps, PINs, and EBT cards
Category: Carding
Content: A threat actor operating under the Telegram handle @jammysim is advertising stolen financial data for sale, including credit and debit card dumps with PINs, EBT cards with PINs, and transfer or deposit services. The post promotes availability of these carding services to forum members via Telegram contact.
Date: 2026-05-05T00:30:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-You-Can%E2%80%99t-Be-Broke-%E2%9D%8CWhen-I%E2%80%99m-Active–202841
Screenshots:
None
Threat Actors: general
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of stolen credit and debit cards with PINs on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias royce is advertising stolen Visa and Mastercard credit cards, as well as debit cards with associated PINs, for sale on a cybercrime forum. The actor claims the cards can be used for online payments, carding, ATM cashouts, and linking to virtual payment applications. Contact is directed to a Telegram handle at t.me/kirkjnr.
Date: 2026-05-05T00:29:54Z
Network: openweb
Published URL: https://demonforums.net/Thread-I%E2%80%99m-here-to-save-y%E2%80%99all-from-rippers-don%E2%80%99t-waste-ya-time-and-money-with-goofy-ass-nigg–202856
Screenshots:
None
Threat Actors: royce
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of Stolen Credit and Debit Cards with PINs on Underground Forum
Category: Carding
Content: A threat actor operating under the alias royce is advertising stolen Visa and Mastercard credit cards claimed to be usable for online payments, carding, and booking services. The actor also claims to possess debit cards with PINs that can be cashed out at ATMs, banks, and gas stations. Contact is solicited via a Telegram handle at t.me/kirkjnr.
Date: 2026-05-05T00:29:50Z
Network: openweb
Published URL: https://demonforums.net/Thread-I%E2%80%99m-here-to-save-y%E2%80%99all-from-rippers-don%E2%80%99t-waste-ya-time-and-money-with-goofy-ass-nigg–202855
Screenshots:
None
Threat Actors: royce
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Sale of US Fullz SSN Database
Category: Data Breach
Content: A threat actor operating under the alias popfizz is offering a database of US fullz including Social Security Numbers on the AE leaked databases forum. The post requires a reply to access the hidden content, obscuring details about record count, pricing, and the specific source of the data. The dataset likely contains personally identifiable information such as names, SSNs, and associated personal details based on the fullz designation.
Date: 2026-05-05T00:27:00Z
Network: openweb
Published URL: https://altenens.is/threads/us-fullz-ssn-db.2934414/unread
Screenshots:
None
Threat Actors: popfizz
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data leak of Netherlands individuals
Category: Data Leak
Content: A threat actor on the AE forum has shared what is claimed to be a dataset of Netherlands individuals, made available for free upon replying to the thread. The exposed fields reportedly include initials, middle names, last name, street address, house number, email address, phone number, mobile number, gender, and date of birth. No specific breached organization or record count was disclosed in the post.
Date: 2026-05-05T00:26:39Z
Network: openweb
Published URL: https://altenens.is/threads/data-breached-netherlands.2934421/unread
Screenshots:
None
Threat Actors: popfizz
Victim Country: Netherlands
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of 1 million US mortgage leads
Category: Data Leak
Content: A threat actor operating under the alias popfizz is distributing a dataset allegedly containing approximately 1 million US mortgage leads on the AE forum. The dataset includes personally identifiable and financial information such as names, addresses, phone numbers, property details, lender names, mortgage amounts, loan types, and interest types. The data appears to be shared freely upon forum reply, with no specific victim organization identified.
Date: 2026-05-05T00:26:20Z
Network: openweb
Published URL: https://altenens.is/threads/1-million-usa-mortgage-leads.2934423/unread
Screenshots:
None
Threat Actors: popfizz
Victim Country: United States
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown - Alleged PayPal extracted logs shared on cybercrime forum
Category: Logs
Content: A threat actor operating under the alias popfizz shared alleged stealer log data associated with PayPal accounts on the AE cybercrime forum. The post requires forum interaction to access the hidden content, suggesting the data is gated behind a reply wall. The exact volume and nature of the logs could not be determined from the post preview.
Date: 2026-05-05T00:26:00Z
Network: openweb
Published URL: https://altenens.is/threads/paypal-extracted-logs.2934419/unread
Screenshots:
None
Threat Actors: popfizz
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: PayPal
Victim Site: paypal.com - Alleged leak of 1.3GB full logs
Category: Logs
Content: A forum post on AE – Leaked Databases by user WhiteMelly references a 1.3GB collection described as full logs, consistent with stealer log output. No further details regarding targeted organizations, affected countries, or specific data contents are available from the post content.
Date: 2026-05-05T00:25:17Z
Network: openweb
Published URL: https://altenens.is/threads/1-3gb-full-logs.2934430/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged distribution of URL:Login:Password credential logs
Category: Logs
Content: A threat actor operating under the alias WhiteMelly shared what is described as 7GB of URL:login:password lines reportedly sourced from stealer logs. No specific victim organization or targeted service was identified in the post. The data appears to consist of credential pairs extracted from infostealer log outputs.
Date: 2026-05-05T00:24:14Z
Network: openweb
Published URL: https://altenens.is/threads/7gb-url-login-pass-lines-from-logs.2934429/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 1,057 UHQ mixed credentials shared on forum
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list advertised as containing 1,057 ultra-high-quality (UHQ) mixed credentials on the AE forum. The post is associated with the Telegram channel @ebbi_cloud. No further details regarding the targeted services or data composition are available from the post content.
Date: 2026-05-05T00:11:31Z
Network: openweb
Published URL: https://altenens.is/threads/1057x-uhq-mix-firesparkles-ebbi_cloud.2934389/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list distribution of 1,071 mixed credentials
Category: Combo List
Content: A forum post on AE (altenens.is) by threat actor Ebbicloud distributes a combo list advertised as containing 1,071 ultra-high quality (UHQ) mixed credentials. The post references the actors Telegram handle @ebbi_cloud. No further details about the content, targeted services, or origin of the credentials are available from the post.
Date: 2026-05-05T00:09:09Z
Network: openweb
Published URL: https://altenens.is/threads/1071x-uhq-mix-hundred-pointsgem-stone-ebbi_cloud.2934390/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list of 1,285 mixed credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list described as 1285x UHQ Mix on the AE forum. The post advertises the credentials as ultra-high quality (UHQ) and of mixed origin. No specific target service or victim organization was identified in the available post content.
Date: 2026-05-05T00:06:38Z
Network: openweb
Published URL: https://altenens.is/threads/1285x-uhq-mix-crownsparkles-ebbi_cloud.2934392/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged combo list sharing of 1,645 UHQ mixed credentials
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list described as 1645x UHQ Mix on the AE forum. The post advertises the credentials as ultra-high quality mixed combo entries. No specific target organization or service was identified in the available post content.
Date: 2026-05-05T00:04:13Z
Network: openweb
Published URL: https://altenens.is/threads/1645x-uhq-mix-rocketwrapped-gift-ebbi_cloud.2934393/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Distribution of UHQ Mixed Combo List
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a mixed combo list advertised as UHQ (ultra-high quality) containing approximately 2,505 credential pairs on the AE forum. The post lacks detailed content, but the thread title suggests the list is formatted as email or username and password combinations. No specific targeted service or origin breach is identified.
Date: 2026-05-05T00:01:45Z
Network: openweb
Published URL: https://altenens.is/threads/2505x-uhq-mix-high-voltagesparkles-ebbi_cloud.2934394/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown