1. Executive Summary
This report details a series of recent cyber incidents, providing key information for each event, including published URLs and associated screenshots, strictly based on the provided data. The threat landscape observed between April 16 and April 17, 2026, reveals a highly active and mature cybercriminal ecosystem operating across open web forums, dark web platforms, and Telegram channels.
The intelligence data encompasses 341 distinct cybersecurity events, highlighting a massive proliferation of stolen credential combinations (Combo Lists), high-profile corporate and government data breaches, and widespread website defacement campaigns. A significant portion of the observed activity is driven by established threat actors and hacktivist groups who are actively monetizing stolen data, selling initial access to corporate networks, and exploiting zero-day vulnerabilities.
Key findings from the reporting period include:
- The Dominance of ShinyHunters: The threat actor group ShinyHunters demonstrated immense capability, actively advertising the sale of multi-terabyte databases from global corporations, including a 4.51TB Ticketmaster database, over 9.1 million Salesforce records, and extensive data from AT&T, Cisco, and McGraw-Hill.
- Prolific Defacement Operations: Individual actors and hacktivist collectives engaged in widespread defacement campaigns. The actor “DimasHxR” alone accounted for dozens of targeted single-page defacements across retail, healthcare, and IT sectors globally.
- The Credential Stuffing Epidemic: The distribution of “combolists” (email and password combinations) reached staggering volumes. Actors like “CODER,” “Megatron,” and “HQcomboSpace” distributed tens of millions of valid credentials targeting platforms like Hotmail, Yahoo, Gmail, and various regional domains.
- Critical Vulnerabilities: Zero-day vulnerabilities were actively discussed and sold, including a critical privilege escalation flaw in Windows Defender and a pre-authentication Remote Code Execution (RCE) exploit for ASUS AiCloud priced at $80,000.
2. Deep Dive: Mega Breaches and Data Extortion Operations
The most significant financial and operational threats documented in the intelligence data stem from massive data breaches orchestrated by sophisticated threat actors. These actors utilize a combination of underground forums and Telegram channels to extort victims, sell data to other criminals, or publicly leak information to damage corporate reputations.
2.1 The ShinyHunters Campaigns
The threat actor known as “ShinyHunters” represents the most prominent data broker in the provided intelligence. Operating through Telegram (via handles like @shinyc0rpsss) and Tor hidden services, the group offers tiered subscription access to a cloud Content Delivery Network (CDN) containing stolen databases. Pricing for their services is structured at $10,000 USD for lifetime access, $5,000 for a 1-year VIP access, and $2,500 for a 9-month access period. Furthermore, the group offers hacking, pentesting, and developer services for $10,000 USD.
ShinyHunters’ operations during this period targeted an extensive list of high-profile global entities:
- Ticketmaster Entertainment, LLC: ShinyHunters is selling an alleged 4.51TB database archive from Ticketmaster for $10,000 to $25,000. The dataset purportedly contains 980 million sales orders, 680 million order details, 1.2 billion party lookup records, 440 million unique email addresses, 560 million AVS detail records, and 400 million encrypted credit card details with partial information. The data fields include names, addresses, IP addresses, dates of birth, and credit card expiration dates. In a separate but related incident, the group leaked Ticketmaster event barcodes specifically related to Taylor Swift events for free on BreachForums.
- AT&T: The group re-uploaded and provided free download access to an AT&T 70M database from 2021. This dataset contains 73,481,539 records (15.1GiB uncompressed), including Social Security Numbers (SSNs) and Dates of Birth (DOB) for over 29 million individuals.
- Salesforce & Cisco: ShinyHunters advertised access to 9.1 million files from Salesforce databases spanning 2024 to 2026, priced at $10,000 for lifetime access. Additionally, they referenced a scattered LAPSUS$ hunters chat containing over 3 million Cisco source code files.
- Du Xiaoman Pay (dxmpay.com): The actor is selling 500,000+ records allegedly stolen from the Chinese digital payment platform Du Xiaoman Pay. The breach includes user financial data, Personally Identifiable Information (PII), login credentials, API keys, and internal system data. ShinyHunters claims to have super admin access to the platform’s control panel and is selling a sample for $20,000 USD, with the full dataset priced at $100,000 USD.
- Waltio.com: A dataset containing 150,000+ records from the French crypto tax platform Waltio is being sold. The data, which is 100% focused on French users, includes full names, emails, phone numbers, and tax residency information.
- Ransom Rejections & Subsequent Leaks: ShinyHunters demonstrated a clear extortion pattern by leaking data from organizations that refused to pay ransoms. This included:
  - Abrigo, Inc.: Over 1.75 million Salesforce records were exposed, including usernames, full names, emails, and phone numbers. The data was leaked on April 15, 2026, after Abrigo refused ransom demands.
  - Kemper Corporation: Over 13 million records (29GB+ compressed) were leaked.
  - National Railroad Passenger Corporation (Amtrak): Over 9.4 million Salesforce records (19GB+ compressed) containing PII and internal corporate data were leaked via a direct IP-hosted download link.
  - Mytheresa: Sensitive customer PII and transactional history from the German luxury fashion e-commerce platform were leaked after failed ransom negotiations.
- Other Targets: The group also claimed to have data from Victorias Secret, CrowdStrike, Santander, and CIC Vietnam. They also leaked a dataset from DarkForums containing over 420,000 records, including posts, user data, and IP addresses.
2.2 Government and Nation-State Database Leaks
Cybercriminal forums featured numerous listings of massive databases belonging to government entities, intelligence agencies, and national infrastructure. These leaks pose severe national security and privacy risks.
- China – Shanghai National Police: A threat actor operating under the alias “RubiconH4ck” claimed to be selling a Chinese Shanghai National Police database containing 1.2 billion records and 5TB of data. The data allegedly includes citizen databases, police records, and food delivery orders with highly sensitive personal information.
- Russia – Federal Border Service: A threat actor known as “gosee” claimed to sell access to the compromised “Kordon” system database of the Russian Federal Border Service, dated September 2023. The database allegedly contains over 1 billion border crossing records spanning 2014-2023, exposing the personal information and travel documents of citizens from 195 countries.
- Indonesia – Korps Brimob Police: A threat actor identifying as “N1KA” (and listed under the actor name “INSOMNIAX”) allegedly leaked a database containing 2,490,272 personnel records from Indonesia’s Korps Brimob (Mobile Brigade Corps) police unit. Furthermore, a separate actor leaked a population database from Bandung, Indonesia, containing nearly 1 billion records in CSV format.
- United States – NSA & Submarine Tech: “RubiconH4ck” also claimed to sell 281GB of data from the National Security Agency (NSA), including document data and sensitive member information. Another threat actor, “PhotonPool,” shared documents on a dark web forum allegedly containing critical quiet technology information related to U.S. Virginia-class submarines.
- France – ANTS Agency: Threat actor “breach3d” claimed to sell a database containing 18-19 million records from ANTS (Agence Nationale des Titres Sécurisés), the French government agency responsible for secure identification. The data allegedly includes full names, contact details, birth data, addresses, and government verification status.
- Turkey – MİT Intelligence: A threat actor named “SiberSLX” shared detailed personal information—including national ID numbers, family details, and addresses—of 12 personnel from the Turkish intelligence agency MİT (Milli İstihbarat Teşkilatı).
- Mexico – Fiscalia General del Estado de Morelos: Politically motivated actor “Straightonumberone” leaked 12,619 files from Mexico’s Fiscalia General del Estado de Morelos. The leak, aimed at criticizing government corruption, included payroll receipts, employee selfies, and data on approximately 1,521 active employees.
- Israel – Political Figures: Multiple incidents targeted Israeli political figures and institutions. A forum user claimed to have leaked the emails of former Israeli Prime Minister Ehud Barak. Another actor shared the personal information (phone number, address, national ID) of Israeli politician Itamar Ben-Gvir.
2.3 Additional Corporate Data Breaches
Beyond the ShinyHunters operations, various other threat actors successfully breached or claimed to possess data from large corporations.
- McGraw-Hill: Threat actor “thelastwhitehat” claimed that McGraw-Hill’s Salesforce-hosted data was breached on April 11, 2026, compromising over 45 million records. When the education company refused to pay the ransom, the group publicly released 44.6 GB of data, including names, emails, phone numbers, and addresses.
- Live Nation/Ticketmaster (Alternative Claim): A separate threat actor named “OnarDev” claimed to possess a 1.3TB database containing personal information of 100 million Live Nation/Ticketmaster customers. This highlights the high demand and potential multi-actor compromise of the ticketing giant.
- American Airlines: Actor “RubiconH4ck” claimed to have full administrator access to American Airlines systems, along with a 3TB database containing 500 million records related to passenger services, crew management, and customer loyalty data. The access was offered for $10,000.
- Kenya Airports Authority: “RubiconH4ck” also sold a 2TB database dump from the Kenya Airports Authority, containing information systems and user data, for $4,000.
- Google: “RubiconH4ck” further claimed to be selling 3TB of alleged Google data for $8,000, though the authenticity of this claim remains unverified.
- 10bis (Israel): Threat actor “TheAshborn” offered a 1.4 million record database from the Israeli food delivery platform 10bis for $2,500.
- Financial & Retail Targets: Actor “secur3rat” sold a combolist of 32,092 Ally Bank credentials for $499 and 26,554 Deutsche Bank credentials for $200. A B2B database of 499 contacts from the Italian plastics industry was sold by “boltak” for $1,899. An employee database dump from Venezuelan electronics retailer SmartBuy was leaked by “BaphyHack”. Finally, 6,600 records of French automotive businesses from E.T.A.I were leaked by “ChimeraZ”.
3. The Credential Stuffing Epidemic: Combolists and Logs
The vast majority of the incidents recorded on April 16-17, 2026, involve the distribution, sale, and exchange of “combolists”. These lists contain massive volumes of paired credentials (typically Email:Password or URL:Login:Password), which are systematically harvested via infostealer malware or aggregated from previous breaches. These lists are heavily utilized in automated credential stuffing attacks.
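For defenders, the two layouts named above determine how an exposure check has to parse such a list. The following is an added example, not part of the original report: it parses both layouts and reports which accounts fall under a monitored domain, discarding the passwords. The names `Entry`, `parse_line` and `exposed_accounts`, the domain `example.org`, and all sample lines are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

# Constructed sample lines (not real leaked data) in the two layouts named above.
SAMPLE = """\
alice@example.org:Summer2024!
ALICE@EXAMPLE.ORG:Other1
https://portal.example.org/login:bob@example.org:hunter2
https://vpn.example.org:8443/remote:frank:p:w
https://shop.other.test:8443/account:carol:pa:ss:word
mallory@notexample.org:letmein
not a credential line
"""


class Entry(NamedTuple):
    layout: str  # "email:pass" or "url:login:pass"
    host: str    # host taken from the URL, "" for email:pass lines
    login: str   # lower-cased login; the password is deliberately not kept


# URL:Login:Password. The URL itself contains colons (scheme, optional port),
# so the line cannot simply be split on ":". The password is the remainder and
# may contain colons. Limitation: a colon inside the URL path is not supported.
_URL_LINE = re.compile(
    r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:\s]+)(?::\d+)?(?:/[^:\s]*)?"
    r":(?P<login>[^:\s]+):(?P<password>.*)$",
    re.IGNORECASE,
)
# Email:Password. Split on the first colon only.
_EMAIL_LINE = re.compile(r"^(?P<login>[^:@\s]+@[^:@\s]+):(?P<password>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one combolist line; return None for anything unrecognised."""
    line = line.strip()
    m = _URL_LINE.match(line)
    if m:
        host = m["host"].rsplit("@", 1)[-1].lower()  # drop any userinfo part
        return Entry("url:login:pass", host, m["login"].lower())
    m = _EMAIL_LINE.match(line)
    if m:
        return Entry("email:pass", "", m["login"].lower())
    return None


def _under(name: str, domains: Set[str]) -> bool:
    # Exact match or true subdomain; "notexample.org" must not match "example.org".
    return any(name == d or name.endswith("." + d) for d in domains)


def exposed_accounts(
    lines: Iterable[str], monitored_domains: Iterable[str]
) -> List[Tuple[str, str, List[str]]]:
    """Return (login, host, reasons) for entries touching a monitored domain.

    Reasons: "login-domain" when the login is a mailbox in a monitored domain,
    "service-host" when the credential was captured for a monitored host.
    """
    domains = {d.lower().lstrip(".") for d in monitored_domains}
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = set()
        if "@" in entry.login and _under(entry.login.rsplit("@", 1)[1], domains):
            reasons.add("login-domain")
        if entry.host and _under(entry.host, domains):
            reasons.add("service-host")
        if reasons:
            # Repeated lines for the same account collapse into one finding.
            hits.setdefault((entry.login, entry.host), set()).update(reasons)
    return sorted((login, host, sorted(r)) for (login, host), r in hits.items())


if __name__ == "__main__":
    for login, host, reasons in exposed_accounts(SAMPLE.splitlines(), {"example.org"}):
        print(login, host or "-", ",".join(reasons))
```

The `service-host` reason matters because URL:Login:Password entries can expose non-email usernames for an organization's own portals, which a check keyed only on email domain would miss.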
3.1 Prolific Combolist Distributors
Several distinct threat actors emerged as prolific distributors of credential lists, often offering them for free to build reputation or drive traffic to paid Telegram channels and cracking tools.
3.1.1 The “CODER” Network
The threat actor “CODER” operates multiple Telegram groups and channels, acting as a massive nexus for credential distribution. During the reporting period, CODER released:
- A 13 million record Gmail credential combolist.
- An 11 million record Yahoo credential combolist (covering yahoo.com, ymail.com, and yahoo.co.uk).
- A 7 million record automotive industry combolist (including Toyota, Honda, BMW, Mercedes-Benz).
- A 5.4 million record business-related email combolist.
- A 4 million record gaming credential combolist.
- A 9 million mixed credential combolist targeting PlayStation, Facebook, X (Twitter), and LinkedIn.
- An 8 million record German email provider list (web.de, gmx.de, t-online.de).
- Various corporate IMAP/SMTP lists and educational institution credentials.
3.1.2 The “Megatron” Operations
Actor “Megatron” focuses on high-volume, geo-targeted, and platform-specific credential lists. Their activity included:
- A 1 million record USA credential combolist.
- A 1 million record French credential combolist.
- A 1 million record German credential combolist.
- A 1 million record list targeting PayPal, social media, and gaming services.
- A 460,000 record mixed-country Yahoo credential list.
- A 180,000 record gaming-focused combolist.
- A 65,000 record private combolist specifically for the game Valorant.
3.1.3 The “CobraEgy” Maxi_Leaks Campaign
Operating under the “Maxi_Leaks” banner, threat actor “CobraEgy” focused entirely on distributing geographically specific credential lists. On April 16, they released:
- Netherlands: 254,000 credentials.
- Mexico: 121,000 credentials.
- Montenegro: 39,000 credentials.
- New Zealand: 25,000 credentials.
- Micronesia: 17,000 credentials.
- Nigeria: 14,000 credentials.
- Nepal: 10,000 credentials.
3.1.4 “HQcomboSpace” Releases
The actor “HQcomboSpace” utilized file-sharing platforms to distribute large, targeted databases:
- 1.1 million credentials targeting social media and shopping platforms.
- 799,420 credentials targeting German (.de) email accounts.
- 751,874 credentials targeting Yahoo accounts.
- 300,000 credentials for social media and e-commerce platforms.
- 186,965 credentials targeting corporate business email accounts for SMTP spam campaigns.
- 160,466 credentials targeting German domains.
- 102,756 corporate email credentials marketed for lead targeting.
3.2 Target Platforms: The Assault on Microsoft (Hotmail) and Google
A highly notable pattern in the threat data is the overwhelming volume of leaks specifically targeting Microsoft’s Hotmail platform. Numerous actors continuously published small to medium-sized “fresh” lists of Hotmail accounts, indicating an ongoing, massive credential harvesting campaign against Microsoft users.
Notable Hotmail Leaks:
- Actor “Vekkoo” claimed to leak access credentials for over 60 million Hotmail accounts.
- Actors “MegaCloudshop” and “MailAccesss” both distributed combolists containing 770,000 Hotmail combinations.
- Actor “KiwiShio” shared 765,000 Hotmail credentials.
- Actor “el_capitan” leaked a 460,000 record Hotmail combolist.
- Other actors, including “wingoooW” (16,000), “RandomUpload” (18,000), “NotSellerXd” (10,190), “GhostCloud2” (6.9k), “alphaxdd” (various lists of 3,735, 1,667, and 1,026), and “D4rkNetHub” (3,272 and 782), continuously flooded forums with Hotmail data.
Notable Gmail Leaks: While less frequent than Hotmail, Gmail was also heavily targeted. Aside from CODER’s 13 million record list, actor “HQcomboSpace” leaked 1.39 million Gmail credentials, “el_capitan” leaked 760,000 Gmail credentials, “ValidMail” leaked 193,000 Gmail credentials, and “D4rkNetHub” shared over 100,000 Gmail credentials.
3.3 Mega-Packs and Multi-Platform Combolists
Many threat actors opted to release massive, multi-million record mega-packs or mixed combolists that defy specific categorization:
- “Daxus” leaked a combolist with 17.53 million URL:username:password combinations.
- “Blackcloud” shared a fresh credential combolist containing 3.6 million entries, and another with 1.6 million entries.
- “RedCloud” shared a 3.7 million URL:LOG:PASS credential list.
- “niven938644” and “maicolpg19” both leaked private packs containing approximately 1.8 million logs via Mega.nz.
- “UniqueCombo” repeatedly shared mixed credential combolists containing exactly 172,000 records.
- “Ra-Zi” distributed a 180,000 record combolist targeting Netflix, Minecraft, Steam, Hulu, and Spotify.
3.4 Infostealer Logs
Credentials harvested directly from active malware infections (Infostealer Logs) are considered highly valuable because they bypass password resets and often include active session cookies.
- Threat actor “KazeFreak” sold 500 Lumma Stealer logs containing credentials, cookies, crypto wallets, and autofill data from Indian victims running Windows 11 Enterprise.
- Threat actor “HighWayToShell” shared 250 Stealc credential logs targeting Windows Server 2019 systems in Japan.
- Actor “watercloud” shared a combolist directly harvested from infostealer malware campaigns, distributed alongside stealer logs.
4. Website Defacement Campaigns
Website defacements serve as a highly visible form of cyber vandalism, often used by hacktivists to spread political messages or by individual attackers to build notoriety. The data from April 16-17 reveals several organized and highly prolific defacement campaigns.
4.1 The “DimasHxR” Campaign
The threat actor operating under the alias “DimasHxR” executed an extraordinary volume of defacements. Analysis of their Tactics, Techniques, and Procedures (TTPs) reveals a clear pattern: DimasHxR almost exclusively executed “targeted single-site defacements”. Rather than altering the homepage of the victim domains, the attacker systematically targeted subdirectories, specifically media directories or customer-facing paths (e.g., /media/customer/...). This suggests the actor likely exploited a specific vulnerability within a Content Management System (CMS) or an insecure file upload mechanism common to e-commerce platforms. DimasHxR operated independently, without claiming any team affiliation or specific political motive.
Table 1: Notable DimasHxR Defacement Targets
| Organization | Country | Industry | Domain |
| --- | --- | --- | --- |
| Maxi-Cosi | United Kingdom | Retail | www.maxi-cosi.co.uk |
| Maxi-Cosi | Spain | Retail | www.maxi-cosi.es |
| Maxi-Cosi | Netherlands | Retail | www.maxi-cosi.nl |
| Maxi-Cosi | France | Retail | www.maxi-cosi.fr |
| Maxi-Cosi | Belgium | Retail | www.maxi-cosi.be |
| Bébé Confort | Portugal | Retail | www.bebeconfort.pt |
| Bébé Confort | Spain | Retail | www.bebeconfort.es |
| Carson & Quinn | Unknown | Prof. Services | www.carsonandquinn.com |
| Cromia | Italy | Fashion | cromia.jef.it |
| NovaSalud | Chile | Healthcare | www.novasalud.cl |
| Sweet Life Nutritionals | United States | Nutrition | www.sweetlifenutritionals.com |
| Wellness Within Reach | United States | Healthcare | www.wellnesswithinreach.com |
| Papeleria Estudio | Unknown | Retail | www.papeleriaestudio.com |
| Muff Haushalt | Switzerland | Retail | www.muff-haushalt.ch |
| Rainbow Club | United Kingdom | Entertainment | www.rainbowclub.co.uk |
| Mens Medical Store | Unknown | Healthcare | www.mensmedicalstore.com |
| São Francisco CEC | Brazil | Education | www.saofranciscocec.com.br |
| Brico-Reseau | France | Retail | www.brico-reseau.com |
| Carters Oshkosh | Israel | Retail | www.cartersoshkosh.co.il |
| Crucial Fitness | United Kingdom | Fitness | www.crucialfitness.co.uk |
| Cia das Mesas | Brazil | Furniture | www.ciadasmesas.com.br |
| Stack Systems | Uzbekistan | IT Services | stack-systems.uz |
| Medizina | Germany | Healthcare | medizina.de |
DimasHxR’s extensive list of victims also included ShopForumHealth, ShopFWStore, silviagrandi.com, ShopTenPenny, ProSphere Fan Shop, Cards Direct UK, Casabill, Climazon, Cuban Cigar Plaza, Cheshire Paving Stones, Collect World (NL and UK), ChargerTech, CMD.pl, CarTuningPoint.de, Chevignon Hong Kong, ChongoDC, Coverion UK, Broderie Plaisir, Cadeira e Cadeira, Colours of Mallorca, CMD Sistemas, Cloture Solution, Bud Racing, Candlein.eu, d-tack.de, Direct Lockers, eShopsHub, MrLiving, City Work Wear, De Feestspecialist, SaveCedis, Anna Crockery, Bemondi, Wibis.ch, RBD.se, Time and Tide Stores, Sappiamosolorubare.it, LV Guitars, Phytoab, Totvi.cat, Maquinas Online, World Car Parts UK, Zoye Glasses Parts, Vinos Wine, US Candle Co, Vape Density, ServiceMandi, Varlea, Spediti.de, Printalot, WooTiTights, Medikont, Strictly Ecig, and Seashell Co.
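Because the pages in this campaign were planted under media and customer-facing upload paths rather than on homepages, a site owner can audit those directories for files that are not the media they claim to be. The following is an added example, not part of the original report or any tool it describes: the extension allowlist, the function names `audit_media_dir` and `build_sample_tree`, and the sample directory tree are assumptions constructed for illustration.

```python
from pathlib import Path
from typing import List, Tuple

# Assumed allowlist: extensions permitted in an upload directory, each with the
# leading bytes a genuine file of that type starts with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# Tokens that indicate a web page or server-side script rather than media.
MARKUP = (b"<html", b"<!doctype", b"<?php", b"<script", b"<body", b"<title")


def audit_media_dir(root: str) -> List[Tuple[str, str]]:
    """Return (relative_path, reason) for every suspicious file under root.

    Reasons, in order of precedence:
      markup-content        file starts with HTML or script, whatever its name
      unexpected-extension  extension is not on the allowlist
      magic-mismatch        allowed extension, but wrong leading bytes
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as fh:
            head = fh.read(512)
        ext = path.suffix.lower()
        # Checked first so a valid image header followed by script text is
        # still reported (heuristic: only the first 512 bytes are inspected).
        if any(token in head.lower() for token in MARKUP):
            findings.append((rel, "markup-content"))
        elif ext not in ALLOWED:
            findings.append((rel, "unexpected-extension"))
        elif not head.startswith(ALLOWED[ext]):
            findings.append((rel, "magic-mismatch"))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Write a small constructed upload tree used to demonstrate the audit."""
    files = {
        "catalog/product.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "customer/a1/index.html": b"<html><title>constructed</title></html>",
        "customer/a1/note.txt": b"hello",
        "customer/b2/avatar.jpg": b"<!DOCTYPE html><html><body>x</body></html>",
        "customer/b2/logo.gif": b"GIF89a<?php /* constructed */ ?>",
        "customer/c3/scan.pdf": b"not a pdf",
    }
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_media_dir(tmp):
            print(f"{reason:22} {rel}")
```

Run on a schedule against the real upload root, new findings give an early signal of a planted page even when the homepage is untouched.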
4.2 The “maw3six” Mass Defacement Operations
Unlike DimasHxR, the threat actor “maw3six” engaged primarily in “mass defacement” operations, which typically involve compromising a single server to simultaneously deface multiple websites hosted on it. maw3six heavily targeted Linux-based servers and exhibited a geographical focus on Africa and South America.
- Nigerian Targets: maw3six conducted mass defacements against the Nigerian government agency, the Architects Registration Council of Nigeria (ARCON), hitting both its registration portal (register.arconigeria.gov.ng) and web portal (portal.arconigeria.gov.ng). The actor also targeted Nigerian educational institutions, including CHST Deba (chstdeba.edu.ng) and the Kano Dental Sciences College of Nursing and Midwifery (sms.kdscnm.edu.ng). An additional Nigerian target was aprn.pits.ng.
- International Targets: Beyond Nigeria, maw3six defaced the Universidad de Los Llanos in Colombia (snies.ul.edu.co), a Canadian website (amafric.ca), a Tanzanian website (abstan.co.tz), a Bosnian website (kupirasvjetu.ba), and the domain nooris.me.
4.3 Other Defacement Campaigns and Hacktivism
- T-XpLoiT: This actor focused on Indian educational institutions, carrying out mass defacements against PVPIT Sangli (diploma.pvpitsangli.edu.in) and C.B. Shah College (cbshahcollege.ac.in).
- MR~TNT (QATAR911): Acting under the hacktivist banner “QATAR911,” the actor MR~TNT conducted mass defacements against Brazilian infrastructure, specifically targeting business solutions provider Soluções Mix (deliansseg.solucoesmix.com.br, artsystemsacadas.solucoesmix.com.br) and a site linked to the Brazilian energy sector, AEIT Itaipu (aeitaipu.com.br).
- #OpsShadowStrike & Affiliates: An alliance of hacktivist groups, including TengkorakCyberCrew, MalaysiaHacktivist, and EagleCyberCrew, defaced the Indian telecom provider Dadri Telecom (dadritelecom.com) and the Rocball Federation of India (asianrocball.com). These attacks were explicitly motivated by pro-Palestine/anti-Israel sentiments, categorized under the #AllMuslimHackers banner.
- NUCLIER-Y-C-C-M: This actor conducted targeted homepage defacements against Nepalese institutions, including the Hotel Association of Nepal (hotelassociationnepal.org.np) and Janakpur Buddhist University (jbu.com.np).
- Babayo Eror System: This threat actor claimed to deface multiple domains, including Zimbabwean sites (mail.makandwa.co.zw) and several other platforms.
- H4CKTHOR: Defaced the homepage of mydearsapinou.com.
- Handala: In a highly sophisticated hacktivist operation, the group “Handala” claimed to have defaced the international website of GNS Cloud, Israel’s largest cloud provider. They alleged they had maintained persistent access for 18 months, backdooring 112,000 machines and extracting plaintext passwords across the GNS supply chain.
5. Vulnerabilities, Exploits, and Initial Access Brokering
The initial phase of the cyber kill chain—gaining a foothold into a target environment—is a highly monetized sector of the cyber underground. The intelligence data highlights the trade in zero-day exploits, Network Access Credentials, and specialized access tools.
5.1 Critical Zero-Day Vulnerabilities
- Windows Defender Privilege Escalation: A critical zero-day security flaw was identified in Microsoft’s Windows Defender. The vulnerability resided in the cloud-based detection mechanism, allowing a malicious file to be restored to its original location rather than remaining quarantined. Threat actors could exploit this behavior to replace critical system files, ultimately achieving full administrative (SYSTEM-level) access on the target machine.
- ASUS AiCloud RCE: The threat actor “berz0k” attempted to sell a zero-day pre-authentication Remote Code Execution (RCE) exploit for ASUS AiCloud. Priced at $80,000, the actor claimed the exploit provided root access, had 100% reliability without crashing the system, and could target over 32 million potential devices identified via Shodan.
5.2 Initial Access Brokers and Automation Tools
“Initial Access Brokers” (IABs) specialize in breaching networks and selling the resulting access to other threat actors, such as ransomware operators.
- Targeting US & Canada: A threat actor operating as “Uriil” on the T1 forum actively sought to purchase network access credentials targeting organizations in the USA and Canada. They stipulated a minimum revenue threshold of $20 million for North American targets ($100 million for other regions) and required a minimum access level of “Domain User”. Transactions were facilitated via the TOX messenger.
- Targeting Turkey & South Africa: The actor “KazeFreak” advertised network access credentials for organizations across the energy, education, construction, aerospace/defense, retail, and media sectors in Turkey and South Africa, targeting companies with revenues between $25 million and $5 billion.
- Bulletproof RDP Hosting: Threat actor “XenonDesign” advertised bulletproof Remote Desktop Protocol (RDP) hosting services via vShield.com, offering dedicated Windows and Linux servers in the US, Canada, France, Germany, UK, Netherlands, and Singapore. This service was explicitly marketed for malicious use cases like credential checking and botting.
- NetBot Mass Host Enumeration: An actor affiliated with “LulzSec Black” sold full access to “NetBot,” a platform claiming to allow users to download and export all internet-connected hosts globally with one click, marketing it as superior to Shodan and FoFa.
- Industrial/ICS Access: The “Infrastructure Destruction Squad” offered a $500 bundle that included access to unspecified industrial systems in the Netherlands, a tool designed to target ICS (Industrial Control Systems), and a ransomware builder named “blacknet-00”.
- Phishing and Communication Automation: Actor “Skybat” advertised a global SMS phishing service supporting up to 20,000 messages daily with custom sender IDs and automated sender rotation. Additionally, the actor “Starip” distributed a cracked WhatsApp Botmaster tool for bulk messaging operations, as well as “Work with Dorks by JohnDoe v2.1,” a desktop tool for generating search queries for web scraping.
- Financial & Crypto Tools: Threat actor “TRD” advertised a Crypto.com validation module claiming “captchaless” functionality capable of 2000+ checks per minute. The actor “xiaoyuenans shop” sold financial account credentials and cloned cards across 180 countries, offering live-tested accounts and guarantor services. Actor “hallcityhub4” sold cloned credit cards, fresh dumps with PINs, and verified PayPal accounts on CrackingX. An actor “eSuppp” promoted an AML (Anti-Money Laundering) Detect Bot service to verify cryptocurrency wallets for darknet exposure.
- Other Access Sales: An actor “zSenior” sold full access to an account on the elite Russian cybercrime forum “exploit.in” for $150 BTC. An actor named “Trap” solicited partners for carding and selling StockX gift cards.
6. Cyber Attacks and Geopolitical Threat Activity
The data reflects significant cyber activity motivated by geopolitics, hacktivism, and state-aligned operations.
- Russian Operations against France: Threat intelligence reports indicated increased Russian-attributed cyber activity targeting sensitive French networks. The operations focused on the reconnaissance of communication infrastructure related to French nuclear deterrence, targeting technical centers and support companies to identify vulnerabilities.
- Islamic Cyber Resistance (Iraq): The “313 Team,” identifying as the Islamic Cyber Resistance in Iraq and affiliated with the Beamed.SU service, announced escalating attacks on corporations, banks, and government infrastructure. Their messaging carried pro-Palestinian and pro-Iranian sentiments, and they offered discounts on their attack-for-hire/DDoS services.
- Attacks on Israel:
  - The group “M-17SEC” claimed to have successfully attacked the Israeli news portal tv7israelnews.com under the operation hashtag #OpsResurrect1, issuing threats directed at Israel.
  - The hacker group “Nasir” claimed to have breached Yad Vashem, the Holocaust museum, allegedly obtaining PII of visitors, donors, and purported Mossad agents, timing the announcement with Holocaust memorial ceremonies.
  - Threat actor “Golden Falcon” published a highly detailed doxing profile of an Israeli individual, Benaya Cherlow, including his academic records, professional background, and Israeli Defense Forces military service history (Armored Corps), likely to facilitate harassment.
- Operations against Japan: The threat group “Z-Pentest Alliance” compromised Japanese surveillance camera systems, monitoring a parking lot for two days as part of a broader campaign tagged #OpJapan, demonstrating unauthorized access to physical security infrastructure.
- Targeting Middle East Infrastructure: Security reports noted a significant surge in password spraying attacks targeting network security equipment (like SonicWall and Fortinet VPNs/firewalls) across the Middle East in Q1 2026.
- Targeting Peruvian Domains: The threat actor “Pharaohs Team” listed multiple Peruvian educational and government domains on Telegram, indicating active targeting or compromised access.
- Live SQLi Exploitation: The actor “NAZUNA | 008” associated with Tegal Cyber Team posted a live SQL injection challenge targeting the Sri Lankan academic institution Ruhuna University (sci.ruh.ac.lk), instructing participants to extract database credentials and chain attacks.
7. Geographic and Industry Threat Distribution
An analysis of the victims across the 341 events reveals widespread global impact, with distinct concentrations in specific regions and industries.
7.1 Industry Impact
- Retail & E-commerce: Highly targeted by defacers (like DimasHxR) due to vulnerable CMS platforms and plugins. Victims ranged from baby products (Maxi-Cosi, Bébé Confort) to furniture, luxury fashion (Mytheresa), and general e-commerce. E-commerce databases were also heavily leaked in Chinese mega-collections.
- Technology & Telecommunications: Major tech companies were targeted heavily. Microsoft (Hotmail), Google (Gmail), and Yahoo users suffered catastrophic credential stuffing leaks. Cisco and Salesforce were victims of the ShinyHunters breaches. AT&T suffered a 70 million record database leak.
- Government & Defense: National security data was deeply compromised. Leaks affected the Russian Federal Border Service, Shanghai National Police, Indonesian Police, French ANTS, Turkish MİT, Mexican Fiscalia, and U.S. Submarine technology documents. ARCON in Nigeria was heavily defaced.
- Financial Services: Entities like Abrigo Inc., Kemper Corporation, Ally Bank, Deutsche Bank, Du Xiaoman Pay, and Waltio suffered severe database breaches.
- Education: Educational institutions were frequent targets for mass defacements (especially in Nigeria and India), while platforms like McGraw-Hill suffered massive data theft.
- Entertainment: The multi-terabyte Ticketmaster breach dominated the entertainment threat landscape.
7.2 Geographic Impact
While many attacks were global or targeting unspecific “open web” assets, certain countries saw concentrated activity:
- United States: High-profile data breaches (Ticketmaster, AT&T, Amtrak, McGraw-Hill, Abrigo, Kemper, US Candle Co). Initial Access Brokers actively sought US targets.
- Europe (France, Germany, UK, Netherlands, Spain, Italy): Heavily targeted by the DimasHxR defacement campaign. France suffered the ANTS breach and Waltio breach. Germany saw millions of domain-specific credentials leaked.
- Asia (China, Japan, India, Indonesia): China and Indonesia suffered billion-record government data breaches. Japan faced physical security/camera hacks and malware targeting. Indian telecom and educational sites were heavily defaced.
- Middle East (Israel): Israel faced targeted hacktivism, doxing, and defacements from ideologically motivated groups, alongside a significant data breach involving the 10bis food delivery platform.
- South America & Africa (Brazil, Colombia, Nigeria): Heavily targeted by the mass defacement campaigns of maw3six and MR~TNT.
8. Conclusion
The threat intelligence data collected between April 16 and April 17, 2026, paints a picture of a relentless, highly commodified cyber threat landscape. The barrier to entry for cybercrime continues to lower as massive volumes of validated credentials (combolists) are distributed for free on Telegram channels and forums, fueling automated credential stuffing attacks against major service providers like Microsoft, Google, and Yahoo.
Simultaneously, top-tier threat actors like ShinyHunters operate with impunity, acting as data brokers for multi-terabyte datasets stolen from critical infrastructure, finance, and technology giants. The shift towards extortion—evidenced by the release of data from Abrigo, Kemper, and Amtrak following failed ransom negotiations—highlights the aggressive financial motivations driving the ecosystem.
Furthermore, the underground economy facilitates the trade of everything from initial access vectors and bulletproof hosting to zero-day exploits (such as the ASUS AiCloud RCE) and critical vulnerabilities in core security products like Windows Defender. Hacktivist campaigns and nation-state reconnaissance continue to overlap with traditional cybercrime, resulting in widespread website defacements and the exposure of sensitive government databases. To mitigate these escalating threats, organizations must prioritize multi-factor authentication to combat credential stuffing, aggressively patch internet-facing infrastructure, and monitor the deep/dark web for signs of compromised data or initial access sales related to their networks.
Detected Incidents Draft Data
- Alleged Sale of Bulletproof RDP Hosting Services via vShield.com
Category: Initial Access
Content: A threat actor operating under the alias XenonDesign is advertising bulletproof RDP hosting services via vShield.com on a cybercrime forum. The service offers dedicated Windows and Linux server instances across multiple countries including the United States, Canada, France, Germany, the United Kingdom, Netherlands, and Singapore, and is explicitly marketed for use cases such as credential checking and botting. A 10% discount code is provided, indicating active commercial operation targeting cybe
Date: 2026-04-16T23:56:42Z
Network: openweb
Published URL: https://breached.st/threads/star-vshield-com-high-voltage-1-rdp-hosting-high-voltage-instant-deployment-high-voltage-fr-ca-us-uk-de-sg-nl.86039/unread
Screenshots:
None
Threat Actors: XenonDesign
Victim Country: Unknown
Victim Industry: Hosting / Infrastructure
Victim Organization: vShield
Victim Site: vshield.com
- Alleged leak of stealer logs and credential lists
Category: Logs
Content: A threat actor operating under the alias watercloud has made available stealer logs and a URL:Login:Password (ULP) combolist via Pixeldrain file-sharing links on a dark web forum. The data appears to be harvested from infostealer malware campaigns and is being distributed for free with a shared archive password. No specific victim organization or geographic scope has been identified.
Date: 2026-04-16T23:55:16Z
Network: openweb
Published URL: https://darkforums.su/Thread-%E2%AD%90%E2%AD%90%E2%AD%90-STEALER-LOGS-AND-U-L-P-17-04-2026
Screenshots:
None
Threat Actors: watercloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as wingoooW has made available a combolist of approximately 16,000 alleged valid Hotmail email and password combinations via a free download link on a paste site. The credentials were shared on the DemonForums combolist section with no price indicated, suggesting a free distribution. The validity and origin of the credentials have not been independently verified.
Date: 2026-04-16T23:45:01Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-16K-VALID-HOTMAIL
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email and password combolist
Category: Combo List
Content: A threat actor operating under the handle COYTO has made available a mixed combolist containing approximately 24,000 validated email and password credential pairs via a free download link. The post was shared on DemonForums in the combolists section. The origin, affected organizations, and targeted industries of the credentials are unknown.
Date: 2026-04-16T23:44:32Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-24K-VALID-MIXED
Screenshots:
None
Threat Actors: COYTO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of multi-platform credential combolist targeting Netflix, Minecraft, Steam and other services
Category: Combo List
Content: A threat actor operating under the alias Ra-Zi has made available a combolist of approximately 180,000 email:password credential pairs on DemonForums, claimed to be fresh and high quality. The combolist targets users of multiple platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The actor also advertises paid credential sales via Telegram, offering various combo types including email:pass, user:pass, and maillists across multiple countries and providers.
Date: 2026-04-16T23:43:46Z
Network: openweb
Published URL: https://demonforums.net/Thread-180k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–200692
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Entertainment and Gaming
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of private pack logs shared on cybercrime forum
Category: Data Leak
Content: A threat actor operating under the alias niven938644 has made available approximately 1.8 million private pack logs via a Mega.nz file link on a cybercrime forum. The post includes a password-protected archive shared freely without any mention of a price. The nature and origin of the victims within the logs remain unknown.
Date: 2026-04-16T23:43:23Z
Network: openweb
Published URL: https://demonforums.net/Thread-1-8-private-pack-logs
Screenshots:
None
Threat Actors: niven938644
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged distribution of 180,000-record mixed email credential combolist
Category: Combo List
Content: A threat actor known as steeve75 has shared a combolist containing approximately 180,000 email and password credential pairs on the CrackingX forum. The combolist is described as high quality and includes credentials from multiple email providers such as AOL, Yahoo, Hotmail, and Outlook, spanning users from multiple countries including France, the United Kingdom, Germany, the United States, Spain, Italy, Canada, and Australia. The actor is also separately advertising the sale of additional c
Date: 2026-04-16T23:42:26Z
Network: openweb
Published URL: https://crackingx.com/threads/72340/
Screenshots:
None
Threat Actors: steeve75
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of private combolist pack (~1.8M credentials)
Category: Combo List
Content: A threat actor operating under the alias maicolpg19 has made available a private pack of approximately 1.8 million credential logs via a Mega.nz file link on the CrackingX forum. The post includes a password hint linking to a Telegram channel, suggesting the decryption key or additional details are distributed there. The origin, affected organizations, and targeted countries associated with the combolist are unknown.
Date: 2026-04-16T23:42:09Z
Network: openweb
Published URL: https://crackingx.com/threads/72341/
Screenshots:
None
Threat Actors: maicolpg19
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of financial fraud materials including cloned cards, dumps, and PayPal accounts
Category: Data Breach
Content: A threat actor operating under the alias hallcityhub4 and Telegram handle @ColdApollo is allegedly selling a range of financial fraud materials on the CrackingX forum. Offered items include cloned credit cards, non-VBV credit cards, linkable credit cards, fresh dumps with PINs (Track 101 and Track 201), verified PayPal accounts, PayPal transfers, and Western Union transfers. No specific victim organization or geographic target has been identified.
Date: 2026-04-16T23:41:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72344/
Screenshots:
None
Threat Actors: hallcityhub4
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Purchase of Network Access Credentials Targeting USA and Canada Organizations
Category: Initial Access
Content: A threat actor operating under the alias Uriil on the T1 forum is actively seeking to purchase network access credentials targeting organizations in the USA and Canada. The buyer requires a minimum revenue threshold of 20 million for US/Canada targets and 100 million for other regions, with a minimum access level of Domain User. Contact is facilitated via TOX messenger, and sellers are required to provide network descriptions or screenshots prior to any transaction.
Date: 2026-04-16T23:40:24Z
Network: openweb
Published URL: https://tier1.life/thread/147
Screenshots:
None
Threat Actors: Uriil
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Carson & Quinn by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a media-related page on the website of Carson & Quinn, a professional services organization. The incident was a targeted single-page defacement, not classified as a mass or home page defacement. Technical details regarding the server environment and attack vector were not disclosed.
Date: 2026-04-16T23:24:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836336
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Professional Services
Victim Organization: Carson & Quinn
Victim Site: www.carsonandquinn.com
- Website Defacement of Cromia by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a web page belonging to Cromia, an Italian fashion/accessories brand, hosted at cromia.jef.it. The incident was a targeted single-page defacement, not a mass or home page defacement. The attacker operated independently without an affiliated team, and technical details such as the server software and IP address were not disclosed.
Date: 2026-04-16T23:21:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836332
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Italy
Victim Industry: Retail / Fashion
Victim Organization: Cromia
Victim Site: cromia.jef.it
- Alleged Data Leak of futuresmoking.ru User Credentials
Category: Data Leak
Content: A threat actor on Pwnforums has made available an alleged credential list from futuresmoking.ru, reportedly obtained in 2023. The dataset contains 13,160 records consisting of email and MD5-hashed password pairs, predominantly associated with Russian email providers such as mail.ru, yandex.ru, inbox.ru, and list.ru. The data is offered as a free download to registered forum members.
Date: 2026-04-16T22:50:07Z
Network: openweb
Published URL: https://pwnforums.st/Thread-futuresmoking-ru
Screenshots:
None
Threat Actors: jacka113
Victim Country: Russia
Victim Industry: Unknown
Victim Organization: futuresmoking.ru
Victim Site: futuresmoking.ru
- Alleged leak of 230,000 URL:Login:Password credentials on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Seaborg has shared a combolist containing approximately 230,000 URL:login:password credential pairs on the cybercrime forum CrackingX. The credentials are described as fresh and high value, suggesting recently harvested or validated entries. The content is available to registered forum members at no explicit cost.
Date: 2026-04-16T22:43:04Z
Network: openweb
Published URL: https://crackingx.com/threads/72338/
Screenshots:
None
Threat Actors: Seaborg
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 230,000 URL:Log:Pass credential records
Category: Data Leak
Content: A threat actor operating under the alias Seaborg_p on XForums has made available an alleged collection of 230,000 URL:Log:Pass records, described as fresh and high value. The dataset appears to be a credential list containing URLs paired with usernames and passwords, likely sourced from infostealer logs. Access to the content requires registration or sign-in on the forum.
Date: 2026-04-16T22:40:37Z
Network: openweb
Published URL: https://xforums.st/threads/230k-fresh-high-value-url-log-pass.608561/
Screenshots:
None
Threat Actors: Seaborg_p
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of ShopForumHealth by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor known as DimasHxR defaced a media directory path on the website shopforumhealth.com, a health-related e-commerce or forum platform. The attack was a singular, targeted defacement rather than a mass or redefacement incident. Server and infrastructure details were not disclosed in the available intelligence.
Date: 2026-04-16T22:36:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836275
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Health & Wellness / E-Commerce
Victim Organization: Shop Forum Health
Victim Site: www.shopforumhealth.com
- Website Defacement of Maxi-Cosi UK by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a page on the official UK website of Maxi-Cosi, a well-known baby and child product brand. The attack targeted a media/customer-facing subdirectory and was carried out as a single, non-mass defacement. No team affiliation, motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-16T22:35:36Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836288
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Retail / Consumer Goods
Victim Organization: Maxi-Cosi
Victim Site: www.maxi-cosi.co.uk
- Website Defacement of NovaSalud by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a webpage belonging to NovaSalud, a healthcare-related organization based in Chile. The attack targeted a specific media directory path rather than the homepage, indicating a targeted sub-page defacement. No team affiliation, stated motive, or server details were disclosed in connection with this incident.
Date: 2026-04-16T22:34:48Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836270
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Chile
Victim Industry: Healthcare
Victim Organization: NovaSalud
Victim Site: www.novasalud.cl
- Website Defacement of Bébé Confort Portugal by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a media/customer-facing page on the Portuguese website of Bébé Confort, a baby products brand. The attack was a targeted single-site defacement with no team affiliation reported. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-16T22:33:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836292
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Portugal
Victim Industry: Retail / Baby Products
Victim Organization: Bébé Confort
Victim Site: www.bebeconfort.pt
- Website Defacement of Sweet Life Nutritionals by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor operating under the alias DimasHxR defaced the website of Sweet Life Nutritionals, a health and nutrition-related organization. The incident was a targeted, single-site defacement with no team affiliation, mass defacement activity, or prior redefacement recorded. The attacker's motive and technical vector remain unknown at this time.
Date: 2026-04-16T22:33:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836281
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: Health & Nutrition / Retail
Victim Organization: Sweet Life Nutritionals
Victim Site: www.sweetlifenutritionals.com
- Website Defacement of Wellness Within Reach by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a page on wellnesswithinreach.com, a health and wellness-oriented website. The attack was a targeted single-page defacement, not part of a mass or home page defacement campaign. No team affiliation, specific motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-16T22:32:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836284
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: Health and Wellness
Victim Organization: Wellness Within Reach
Victim Site: www.wellnesswithinreach.com
- Website Defacement of Bébé Confort Spain by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a media/customer-facing page on the Spanish website of Bébé Confort, a baby products brand. The incident was a targeted, single-site defacement with no team affiliation reported. No specific motivation or server details were disclosed.
Date: 2026-04-16T22:31:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836294
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Spain
Victim Industry: Retail / Baby Products
Victim Organization: Bébé Confort
Victim Site: www.bebeconfort.es
- Website Defacement of ShopFWStore by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor operating under the alias DimasHxR defaced a media or customer-related subdirectory of www.shopfwstore.com, an e-commerce retail website. The incident was a targeted single-site defacement, not part of a mass defacement campaign. No team affiliation, specific motive, or server details were disclosed in connection with this attack.
Date: 2026-04-16T22:30:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836276
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: ShopFWStore
Victim Site: www.shopfwstore.com
- Website Defacement of Maxi-Cosi Spain by DimasHxR
Category: Defacement
Content: On April 17, 2026, the Spanish web presence of Maxi-Cosi, a well-known baby and child product brand, was defaced by a threat actor operating under the handle DimasHxR. The attacker targeted a media/custom directory path rather than the site's homepage, suggesting a partial or subdirectory defacement. No team affiliation, specific motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-16T22:30:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836291
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Spain
Victim Industry: Retail / Baby Products
Victim Organization: Maxi-Cosi
Victim Site: www.maxi-cosi.es
- Website Defacement of silviagrandi.com by DimasHxR
Category: Defacement
Content: On April 17, 2026, threat actor DimasHxR defaced the website silviagrandi.com, targeting a subdirectory within the site's media path. The defacement was a targeted single-site attack with no team affiliation reported. The attacker's motivation and technical details remain unknown, though the compromised path suggests possible exploitation of a content management system vulnerability.
Date: 2026-04-16T22:29:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836280
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Personal/Portfolio or Small Business
Victim Organization: Silvia Grandi
Victim Site: silviagrandi.com
- Website Defacement of Maxi-Cosi Netherlands by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a page on the Maxi-Cosi Netherlands website, a well-known baby and child product brand. The defacement targeted a media/custom directory path rather than the homepage, indicating a targeted subdirectory attack. No team affiliation, stated motive, or technical server details were disclosed.
Date: 2026-04-16T22:28:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836287
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Netherlands
Victim Industry: Retail / Consumer Goods
Victim Organization: Maxi-Cosi
Victim Site: www.maxi-cosi.nl
- Website Defacement of Maxi-Cosi France by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a page on the French website of Maxi-Cosi, a well-known baby and child products brand. The attack targeted a subdirectory of the media section of the site and was a standalone, non-mass defacement. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-16T22:27:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836286
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: France
Victim Industry: Retail / Consumer Goods
Victim Organization: Maxi-Cosi
Victim Site: www.maxi-cosi.fr
- Website Defacement of ShopTenPenny by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a page on the e-commerce website shoptenpenny.com, targeting a media/customer directory path. The incident was a single targeted defacement with no team affiliation reported. No specific motivation or server details were disclosed.
Date: 2026-04-16T22:26:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836279
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: Retail / E-Commerce
Victim Organization: Shop Ten Penny
Victim Site: www.shoptenpenny.com
- Website Defacement of Papeleria Estudio by DimasHxR
Category: Defacement
Content: On April 17, 2026, the website of Papeleria Estudio, a stationery and office supplies retailer, was defaced by the threat actor DimasHxR acting independently without a team affiliation. The defacement targeted a media directory of the site and was not classified as a mass or home page defacement. The technical details of the server infrastructure remain unknown.
Date: 2026-04-16T22:25:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836271
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / Stationery
Victim Organization: Papeleria Estudio
Victim Site: www.papeleriaestudio.com
- Website Defacement of Muff Haushalt by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a media/customer-facing subdirectory of the Swiss home goods retailer Muff Haushalt at www.muff-haushalt.ch. The incident was a targeted single-site defacement with no team affiliation reported. Server and technical details were not disclosed in the available threat data.
Date: 2026-04-16T22:25:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836268
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Switzerland
Victim Industry: Retail / Home Goods
Victim Organization: Muff Haushalt
Victim Site: www.muff-haushalt.ch
- Website Defacement of Rainbow Club by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a media subdirectory of the Rainbow Club website hosted in the United Kingdom. The attack was a targeted single-site defacement with no team affiliation reported. No specific motivation or server details were disclosed in connection with the incident.
Date: 2026-04-16T22:24:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836273
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Entertainment / Leisure
Victim Organization: Rainbow Club
Victim Site: www.rainbowclub.co.uk
- Website Defacement of Mens Medical Store by DimasHxR
Category: Defacement
Content: On April 17, 2026, threat actor DimasHxR defaced the website of Mens Medical Store, a medical retail platform. The attack targeted a media directory path on the domain and does not appear to be part of a mass or coordinated defacement campaign. The attacker operated independently without an affiliated team.
Date: 2026-04-16T22:23:33Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836267
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Healthcare / Medical Retail
Victim Organization: Mens Medical Store
Victim Site: www.mensmedicalstore.com
- Website Defacement of ProSphere Fan Shop by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced the website of ProSphere Fan Shop, a sports merchandise and fan apparel retailer. The defacement targeted a subdirectory of the site rather than the homepage and was not part of a mass defacement campaign. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-16T22:22:49Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836272
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-commerce
Victim Organization: ProSphere Fan Shop
Victim Site: www.prospherefanshop.com
- Website Defacement of Maxi-Cosi Belgium by DimasHxR
Category: Defacement
Content: On April 17, 2026, the Belgian website of Maxi-Cosi, a well-known baby and child product brand, was defaced by a threat actor identified as DimasHxR. The defacement targeted a subdirectory path within the site's media folder rather than the homepage. The attacker operated independently without an affiliated team, and no specific motive was disclosed.
Date: 2026-04-16T22:22:01Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836290
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Belgium
Victim Industry: Retail / Consumer Goods
Victim Organization: Maxi-Cosi
Victim Site: www.maxi-cosi.be
- Website Defacement of São Francisco CEC by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced the website of São Francisco CEC, a Brazilian educational institution. The incident was a targeted single-site defacement with no team affiliation reported. A mirror of the defaced page was archived via zone-xsec.com.
Date: 2026-04-16T22:21:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/836274
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Brazil
Victim Industry: Education
Victim Organization: São Francisco CEC
Victim Site: www.saofranciscocec.com.br
- Website Defacement of Cards Direct UK by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a web page on cardsdirect.co.uk, a UK-based cards and stationery retail website. The attack targeted a media directory path and was neither a mass nor home page defacement. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-16T22:14:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835937
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Retail / E-commerce
Victim Organization: Cards Direct
Victim Site: www.cardsdirect.co.uk
- Alleged sale of Crypto.com credential validation tool
Category: Initial Access
Content: Threat actor TRD allegedly advertises, on a cybercriminal forum, a Crypto.com validation module (VM) tool claiming captchaless functionality and a capability of 2000+ checks per minute.
Date: 2026-04-16T22:14:22Z
Network: openweb
Published URL: https://spear.cx/Thread-Crypto-com-VM-Captchaless-2k-CPM
Screenshots:
None
Threat Actors: TRD
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Crypto.com
Victim Site: crypto.com
- Website Defacement of Casabill by DimasHxR
Category: Defacement
Content: On April 17, 2026, threat actor DimasHxR defaced a media/customer directory path on casabill.com, a likely e-commerce platform. The attack was a targeted single-site defacement with no team affiliation reported. The incident was documented and mirrored by zone-xsec.com.
Date: 2026-04-16T22:14:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835940
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: Casabill
Victim Site: www.casabill.com
- Website Defacement of Climazon by Threat Actor DimasHxR
Category: Defacement
Content: On April 17, 2026, threat actor DimasHxR defaced a media or custom content directory on the website climazon.net. The attack was a targeted single-site defacement, not part of a mass defacement campaign. Server and infrastructure details were not disclosed in the report.
Date: 2026-04-16T22:13:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835947
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: Climazon
Victim Site: www.climazon.net
- Website Defacement of Cuban Cigar Plaza by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor operating under the handle DimasHxR defaced a media directory page on cubancigarplaza.com, a retail website specializing in Cuban cigars. The attack was a targeted, non-mass defacement with no stated motive or affiliated team. Technical details regarding the server environment and exploitation method were not disclosed.
Date: 2026-04-16T22:12:43Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835956
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-Commerce (Tobacco/Luxury Goods)
Victim Organization: Cuban Cigar Plaza
Victim Site: www.cubancigarplaza.com
- Website Defacement of Brico-Reseau by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a web page hosted on brico-reseau.com, a French home improvement or DIY retail-related website. The defacement targeted a media directory path and was not classified as a mass or home page defacement. No specific motive or team affiliation was reported for this incident.
Date: 2026-04-16T22:12:03Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835929
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: France
Victim Industry: Retail / Home Improvement
Victim Organization: Brico-Reseau
Victim Site: www.brico-reseau.com
- Website Defacement of Cheshire Paving Stones by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced the website of Cheshire Paving Stones, a UK-based paving and landscaping materials company. The attack was a targeted single-site defacement with no team affiliation reported. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-16T22:11:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835943
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Construction / Building Materials
Victim Organization: Cheshire Paving Stones
Victim Site: www.cheshirepavingstones.co.uk
- Website Defacement of Collect World by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a media/customer directory on the Dutch collectibles website collect-world.nl. The incident was a targeted single-page defacement, not a mass or home page defacement. No specific motive or exploitation technique was publicly disclosed.
Date: 2026-04-16T22:10:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835952
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Netherlands
Victim Industry: Retail / Collectibles
Victim Organization: Collect World
Victim Site: www.collect-world.nl
- Website Defacement of ChargerTech by DimasHxR
Category: Defacement
Content: On April 17, 2026, the website chargertech.nl, a Netherlands-based technology company, was defaced by the threat actor DimasHxR. The attack targeted a subdirectory within the media/custom path and was carried out as a single, targeted defacement rather than a mass or home page defacement. No specific motive or team affiliation was reported for this incident.
Date: 2026-04-16T22:09:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835942
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Netherlands
Victim Industry: Technology / Electronics
Victim Organization: ChargerTech
Victim Site: www.chargertech.nl
- Website Defacement of Carters Oshkosh Israel by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced the Israeli retail website of Carters OshKosh, a children's clothing brand. The attack targeted a subdirectory of the site and does not appear to be part of a mass or coordinated defacement campaign. No specific motive or technical details were disclosed.
Date: 2026-04-16T22:09:16Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835938
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Israel
Victim Industry: Retail
Victim Organization: Carters OshKosh
Victim Site: www.cartersoshkosh.co.il
- Website Defacement of CMD.pl by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a subpath of the Polish website cmd.pl, targeting the media/customer address directory. The attack was an isolated, non-mass defacement with no stated motive or team affiliation. Server and technical details remain unknown.
Date: 2026-04-16T22:08:38Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835950
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: CMD
Victim Site: www.cmd.pl
- Website Defacement of Crucial Fitness by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor operating under the alias DimasHxR defaced the website of Crucial Fitness, a UK-based fitness organization. The attack targeted a subdirectory of the site and was carried out as a solo, non-mass defacement. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-16T22:08:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835955
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Health & Fitness
Victim Organization: Crucial Fitness
Victim Site: www.crucialfitness.co.uk
- Website Defacement of CarTuningPoint.de by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a media directory page on cartuningpoint.de, a German automotive tuning website. The attack was a targeted single-site defacement with no team affiliation reported. No specific motivation or technical details regarding the server environment were disclosed.
Date: 2026-04-16T22:07:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835939
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Automotive / E-Commerce
Victim Organization: Car Tuning Point
Victim Site: cartuningpoint.de
- Website Defacement of Chevignon Hong Kong by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a subdirectory of the Chevignon Hong Kong website (www.chevignon.com.hk). The incident targeted a media/customer-related path and was not classified as a mass or home page defacement. No team affiliation, motive, or server details were disclosed for this attack.
Date: 2026-04-16T22:06:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835944
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Hong Kong
Victim Industry: Retail / Fashion
Victim Organization: Chevignon Hong Kong
Victim Site: www.chevignon.com.hk
- Website Defacement of ChongoDC by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor operating under the handle DimasHxR defaced a page on www.chongodc.com, targeting a subdirectory path under the media folder. The attack was a single targeted defacement, not part of a mass defacement campaign. No specific motive, server details, or proof of concept were disclosed in the available intelligence.
Date: 2026-04-16T22:05:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835945
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: ChongoDC
Victim Site: www.chongodc.com
- Website Defacement of Cia das Mesas by DimasHxR
Category: Defacement
Content: On April 17, 2026, the Brazilian website ciadasmesas.com.br was defaced by the threat actor DimasHxR. The attacker targeted a subdirectory of the site, leaving a defacement page as documented via the Zone-Xsec mirror. The incident was a targeted single-site defacement with no team affiliation reported.
Date: 2026-04-16T22:04:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835946
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Brazil
Victim Industry: Retail / Furniture
Victim Organization: Cia das Mesas
Victim Site: www.ciadasmesas.com.br
- Website Defacement of Coverion UK by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor operating under the alias DimasHxR defaced a page on the UK-based website coverion.uk, targeting a media or customer-related directory. The attack was a singular, non-mass defacement with no team affiliation or stated motive recorded. A mirror of the defaced page was archived on zone-xsec.com.
Date: 2026-04-16T22:03:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835954
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Coverion
Victim Site: www.coverion.uk
- Website Defacement of Collect World by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor known as DimasHxR defaced a page on the UK-based collectibles website Collect World (www.collect-world.co.uk). The attack targeted a media directory path and does not appear to be part of a mass or home page defacement campaign. No team affiliation, specific motive, or server details were disclosed in connection with the incident.
Date: 2026-04-16T22:02:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835951
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Retail / Collectibles
Victim Organization: Collect World
Victim Site: www.collect-world.co.uk
- Website Defacement of Broderie Plaisir by DimasHxR
Category: Defacement
Content: On April 17, 2026, the attacker known as DimasHxR defaced a media directory page on broderieplaisir.com, a French embroidery and craft retail website. The incident was a targeted, non-mass defacement affecting a subpath rather than the homepage. No team affiliation, specific motive, or server details were disclosed.
Date: 2026-04-16T22:02:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835930
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: France
Victim Industry: Retail / Craft & Embroidery
Victim Organization: Broderie Plaisir
Victim Site: www.broderieplaisir.com
- Alleged data breach of 10bis food delivery platform
Category: Data Breach
Content: Threat actor TheAshborn is selling a database allegedly containing 1.4 million records from 10bis.co.il, Israel's leading food ordering platform. The data is being offered for $2,500, with proof files provided via a file sharing service.
Date: 2026-04-16T22:01:37Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Israel-DB-of%C2%A010bis-co-il-1-400-000-rows
Screenshots:
None
Threat Actors: TheAshborn
Victim Country: Israel
Victim Industry: Food Delivery
Victim Organization: 10bis
Victim Site: 10bis.co.il
- Website Defacement of Cadeiraecadeira by DimasHxR
Category: Defacement
Content: On April 17, 2026, the Brazilian website cadeiraecadeira.com.br, a furniture retail business, was defaced by a threat actor operating under the alias DimasHxR. The attacker targeted a subdirectory of the site in a single, non-mass defacement operation. No team affiliation, stated motive, or technical exploitation details were disclosed.
Date: 2026-04-16T22:01:32Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835933
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Brazil
Victim Industry: Retail / Furniture
Victim Organization: Cadeira e Cadeira
Victim Site: www.cadeiraecadeira.com.br
- Website Defacement of Colours of Mallorca by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a subdirectory of the website belonging to Colours of Mallorca, a tourism-related business based in Mallorca, Spain. The attack was an isolated, non-mass defacement with no stated motivation or team affiliation. Server and infrastructure details were not disclosed.
Date: 2026-04-16T22:00:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835953
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Spain
Victim Industry: Tourism / Hospitality
Victim Organization: Colours of Mallorca
Victim Site: www.colours-of-mallorca.com
- Website Defacement of CMD Sistemas by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor operating under the alias DimasHxR defaced a page on the CMD Sistemas website, targeting a subdirectory of the domain. The attacker acted independently without affiliation to a known group. No specific motivation or technical details regarding the server environment were disclosed.
Date: 2026-04-16T22:00:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835949
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Brazil
Victim Industry: Technology / IT Services
Victim Organization: CMD Sistemas
Victim Site: www.cmd-sistemas.com
- Website Defacement of Cloture Solution by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a subdirectory of cloturesolution.com, a website associated with fencing or enclosure solutions. The attack was a targeted, non-mass defacement affecting a specific media path rather than the homepage. No team affiliation, stated motivation, or server details were disclosed in connection with this incident.
Date: 2026-04-16T21:59:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835948
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Construction / Fencing & Enclosure Solutions
Victim Organization: Cloture Solution
Victim Site: www.cloturesolution.com
- Website Defacement of Bud Racing by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a page on the Bud Racing website (www.bud-racing.com), targeting a subdirectory within the media section. The incident was a single targeted defacement, not part of a mass or repeated campaign. No specific motive or server details were disclosed.
Date: 2026-04-16T21:58:34Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835931
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Sports / Motorsports
Victim Organization: Bud Racing
Victim Site: www.bud-racing.com
- Website Defacement of Candlein.eu by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced the website candlein.eu, targeting a media/customer directory path. The attack was a single-target defacement with no team affiliation reported. Technical details such as server software and exploit method were not disclosed.
Date: 2026-04-16T21:57:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835936
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: European Union
Victim Industry: Retail / E-commerce
Victim Organization: Candlein
Victim Site: candlein.eu
- Website Defacement of d-tack.de by DimasHxR
Category: Defacement
Content: On April 17, 2026, a threat actor identified as DimasHxR defaced a subdirectory of the German website d-tack.de. The attack targeted a media/customer path and was carried out as a single, targeted defacement rather than a mass or home page defacement. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-16T21:57:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/835957
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: D-Tack
Victim Site: www.d-tack.de
- Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor shared a collection of 18,000 alleged valid Hotmail credentials on a cybercrime forum. The post indicates the credentials are fresh and valid, suggesting recent compromise of user accounts.
Date: 2026-04-16T21:52:38Z
Network: openweb
Published URL: https://crackingx.com/threads/72337/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged sale of big data collection exceeding 5TB
Category: Data Breach
Content: Threat actor claims to be selling big data collection with volume exceeding 5TB. Actor states selective criteria apply and requests private contact for details.
Date: 2026-04-16T21:51:34Z
Network: openweb
Published URL: https://tier1.life/thread/146
Screenshots:
None
Threat Actors: Verified
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor is distributing a combolist containing 770,000 Hotmail email and password combinations dated April 16th. The credentials are being shared on a cybercrime forum with hidden content requiring registration to access.
Date: 2026-04-16T21:18:24Z
Network: openweb
Published URL: https://demonforums.net/Thread-770X-HOTMAIL-Valid-Mail-Access-16-04
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor shared a combolist containing 770,000 allegedly valid Hotmail email credentials on an underground forum. The credentials were made available for free download to registered forum users.
Date: 2026-04-16T21:17:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72336/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged sale of multiple identity databases including SSN and passport data
Category: Data Breach
Content: Threat actor claims to have access to multiple databases containing driver licenses, SSNs, passports, company EIN numbers, consumer information, phone lists, email lists, and credentials. Contact is provided via Telegram for interested parties.
Date: 2026-04-16T20:54:50Z
Network: openweb
Published URL: https://xforums.st/threads/i-have-driver-license-ssn-passports-llc-ein-ltd.608551/
Screenshots:
None
Threat Actors: jannat123
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged data breach of Kenya Airports Authority
Category: Data Breach
Content: Threat actor RubiconH4ck is selling a claimed 2TB database dump from Kenya Airports Authority containing information systems, user data, services, and complete user addresses for an initial price of $4,000.
Date: 2026-04-16T20:48:40Z
Network: openweb
Published URL: https://breached.st/threads/kenya-airports-authority-database.86038/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: Kenya
Victim Industry: Transportation
Victim Organization: Kenya Airports Authority
Victim Site: Unknown
- Alleged sale of multiple identity databases and personal information
Category: Data Breach
Content: Threat actor jannatmirza11 advertises access to multiple databases containing driver's licenses, SSNs, passports, company information, consumer data, phone lists, email lists, and citizen records via Telegram contact.
Date: 2026-04-16T20:34:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72335/
Screenshots:
None
Threat Actors: jannatmirza11
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged SMS phishing service offering global message delivery with custom sender IDs
Category: Initial Access
Content: Threat actor Skybat advertises a global SMS sending service with custom sender ID capabilities, supporting up to 20,000 messages daily with API integration and link tracking functionality. The service enables SMS phishing campaigns across multiple countries with automated sender rotation to improve delivery rates.
Date: 2026-04-16T20:25:50Z
Network: openweb
Published URL: https://breached.st/threads/global-sms-sender-custom-sender-id.86036/unread
Screenshots:
None
Threat Actors: Skybat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of American Airlines database access and systems compromise
Category: Initial Access
Content: Threat actor RubiconH4ck claims to have full administrator access to American Airlines systems including a 3TB database containing 500M records covering passenger services, crew management, maintenance systems, and customer loyalty data. The access is being offered for sale at $10,000.
Date: 2026-04-16T20:25:03Z
Network: openweb
Published URL: https://breached.st/threads/access-db-500m-american-airlines.86033/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: United States
Victim Industry: Aviation
Victim Organization: American Airlines
Victim Site: Unknown
- Alleged data breach of Shanghai National Police
Category: Data Breach
Content: Threat actor claims to be selling Chinese Shanghai National Police database containing 1.2 billion records and 5TB of data including citizens database, police records, and food delivery orders with personal information such as names, addresses, phone numbers, and ID card numbers.
Date: 2026-04-16T20:24:30Z
Network: openweb
Published URL: https://breached.st/threads/chinese-sanghai-national-police-shgh-data.86034/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: China
Victim Industry: Government
Victim Organization: Shanghai National Police
Victim Site: Unknown
- Alleged data breach of Select Group Properties
Category: Data Breach
Content: Threat actor claims to be selling comprehensive personal and financial data of Select Group Properties owners, allegedly obtained through exploitation of a vulnerability in the company's admin portal 5 days prior. The data reportedly includes emails, phone numbers, addresses, banking information, vehicle details, parking information, and admin SMTP passwords, with the seller asking $8,000 for the dataset.
Date: 2026-04-16T20:18:48Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Select-Grop-owners-and-rental-infos
Screenshots:
None
Threat Actors: ksa901
Victim Country: United Arab Emirates
Victim Industry: Real Estate
Victim Organization: Select Group Properties
Victim Site: Unknown
- Alleged leak of Gmail credentials
Category: Combo List
Content: Forum post claims to contain over 100,000 Gmail credentials. The actual content is hidden behind registration requirements, making verification of the claims impossible.
Date: 2026-04-16T20:10:45Z
Network: openweb
Published URL: https://crackingx.com/threads/72334/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
- Alleged data breach of Google
Category: Data Breach
Content: Threat actor RubiconH4ck claims to be selling 3TB of alleged Google data containing sensitive member and user information plus important documents for $8,000. The authenticity of this claim has not been verified.
Date: 2026-04-16T19:54:34Z
Network: openweb
Published URL: https://breached.st/threads/google-data-salesforce.86032/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: United States
Victim Industry: Technology
Victim Organization: Google
Victim Site: google.com
- Alleged data breach of i-learn.vn Vietnamese education platform
Category: Data Breach
Content: A threat actor claims to possess a database dump from Vietnamese education platform i-learn.vn containing 40,000 user records. The data includes usernames, hashed passwords, email addresses, full names, personal information, and system metadata in CSV-SQL format.
Date: 2026-04-16T19:52:24Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-i-learn-vn-Database-Vietnam-40K
Screenshots:
None
Threat Actors: camillaDF
Victim Country: Vietnam
Victim Industry: Education
Victim Organization: i-learn.vn
Victim Site: i-learn.vn
- Alleged leak of former Israeli Prime Minister Ehud Barak emails
Category: Data Leak
Content: Forum user claims to have leaked emails belonging to former Israeli Prime Minister Ehud Barak, sharing them via a Dropbox link for free download.
Date: 2026-04-16T19:50:53Z
Network: openweb
Published URL: https://darkforums.su/Thread-Document-Old-Israel-Prime-Minister-Ehud-Barak-Leaked-E-mails
Screenshots:
None
Threat Actors: BaveBishop666
Victim Country: Israel
Victim Industry: Government
Victim Organization: Israeli Prime Minister's Office
Victim Site: Unknown
- Alleged data leak of Indonesian Police Korps Brimob personnel database
Category: Data Leak
Content: A threat actor claiming to be N1KA has allegedly leaked a database containing personnel data from Indonesia's Korps Brimob (Mobile Brigade Corps) police unit. The leaked database reportedly contains 2,490,272 records of personnel data from August 2025 and is being distributed for free download.
Date: 2026-04-16T19:49:47Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Korps-Brimob-Police-Indonesia-Data-Breach-Leaked-Download–73697
Screenshots:
None
Threat Actors: INSOMNIAX
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Korps Brimob (Indonesian Police)
Victim Site: Unknown
- Alleged resumption of database distribution service by PwnForums
Category: Alert
Content: PwnForums announced the restoration of their CDN service, making their collection of databases available for download again after a period of downtime. The forum operates on both clearnet and dark web domains.
Date: 2026-04-16T19:47:20Z
Network: openweb
Published URL: https://pwnforums.st/Thread-CDN-is-Now-Back-Online
Screenshots:
None
Threat Actors: John
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged distribution of corporate email credential lists
Category: Combo List
Content: Threat actor CODER is distributing corporate email credential lists (combolists) through Telegram channels, offering free access to compromised email accounts and related programs.
Date: 2026-04-16T19:38:27Z
Network: openweb
Published URL: https://crackingx.com/threads/72332/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Full Access to NetBot Mass Host Enumeration Platform
Category: Initial Access
Content: A threat actor affiliated with LulzSec Black is advertising full access to a platform called NetBot, which claims to allow users to download and export all internet-connected hosts globally with one click. The platform is described as more powerful than Shodan and FoFa, with daily updates of fresh hosts from around the world. Full platform access with no limits is being sold via a Telegram bot contact.
Date: 2026-04-16T19:29:34Z
Network: telegram
Published URL: https://t.me/c/2727439812/5756
Screenshots:
None
Threat Actors: LulzSec Black
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of NSA data breach
Category: Data Breach
Content: Threat actor RubiconH4ck claims to be selling 281GB of National Security Agency data including document data and sensitive member information. The actor provides Telegram and Twitter contact information for purchase inquiries.
Date: 2026-04-16T19:21:45Z
Network: openweb
Published URL: https://breached.st/threads/national-security-agency-nsa-data.86031/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: United States
Victim Industry: Government
Victim Organization: National Security Agency
Victim Site: Unknown
- Alleged leak of 35M+ credential records via DataMonk channel
Category: Combo List
Content: Threat actor biglep shared a link to 35M+ credential records (ULP format) through the DataMonk Telegram channel, offering both free samples and premium data services with subscription pricing ranging from $200 to $1500.
Date: 2026-04-16T19:09:51Z
Network: openweb
Published URL: https://crackingx.com/threads/72331/
Screenshots:
None
Threat Actors: biglep
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Pakistani credentials combolist
Category: Combo List
Content: Threat actor shared a credential combolist containing over 40,000 email:password combinations allegedly from Pakistani sources. The data is being distributed for free through hidden forum content and Telegram channels.
Date: 2026-04-16T18:43:07Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-40-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Pakistan-%E2%9C%AA-16-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Pakistan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Portuguese credential combolist
Category: Combo List
Content: A threat actor shared a combolist containing over 84,000 email and password combinations allegedly from Portugal. The credentials are described as fresh and high quality, distributed through a Telegram channel.
Date: 2026-04-16T18:42:34Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-84-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Portugal-%E2%9C%AA-16-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Portugal
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Philippine credentials combolist
Category: Combo List
Content: Threat actor shared a combolist containing over 76,000 email and password combinations allegedly from Philippines users. The credentials are described as fresh and high quality.
Date: 2026-04-16T18:41:59Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-76-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Philippines-%E2%9C%AA-16-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Philippines
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Peruvian credential combolist
Category: Combo List
Content: Threat actor shared a credential combolist containing over 93,000 email:password combinations allegedly from Peru, described as fresh and high quality.
Date: 2026-04-16T18:41:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-93-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Peru-%E2%9C%AA-16-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Peru
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged distribution of educational institution credential lists
Category: Combo List
Content: Threat actor CODER is distributing educational institution credential lists (combolists) for free through Telegram channels. The actor offers additional combos and cracking tools through dedicated Telegram groups.
Date: 2026-04-16T18:41:01Z
Network: openweb
Published URL: https://crackingx.com/threads/72321/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Polish credential combolist
Category: Combo List
Content: Threat actor shared a combolist containing over 576,000 email and password combinations allegedly from Polish users. The credentials are claimed to be fresh and high quality, distributed through a cybercriminal forum.
Date: 2026-04-16T18:40:50Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-576-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Poland-%E2%9C%AA-16-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of German domain credential list
Category: Combo List
Content: A threat actor shared a combolist containing 160,466 credential pairs allegedly targeting German domains (.de) through a file sharing platform.
Date: 2026-04-16T18:40:45Z
Network: openweb
Published URL: https://crackingx.com/threads/72322/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of PayPal credential combolist
Category: Combo List
Content: Forum post claims to share fresh PayPal email access credentials in email:password format dated 4.16.2026. The content is hidden and requires registration to view, suggesting distribution of a credential combolist targeting PayPal accounts.
Date: 2026-04-16T18:40:21Z
Network: openweb
Published URL: https://crackingx.com/threads/72324/
Screenshots:
None
Threat Actors: Kinglukeman
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: PayPal
Victim Site: paypal.com
- Alleged leak of mixed credential combinations from multiple countries
Category: Combo List
Content: A threat actor shared a combolist containing 5,436 credential combinations from users in the United States, Italy, France, and Poland. The credentials are being distributed as a free download on a cybercriminal forum.
Date: 2026-04-16T18:40:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72327/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged distribution of gaming platform credentials
Category: Combo List
Content: Threat actor CODER is distributing a 4 million record gaming credential combolist through Telegram channels. The actor operates multiple Telegram groups offering free credential lists and related tools.
Date: 2026-04-16T18:39:50Z
Network: openweb
Published URL: https://crackingx.com/threads/72328/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of credential logs and data collection
Category: Combo List
Content: Threat actor biglep is selling access to a collection of over 20,000 credential logs totaling 50GB+ of data through subscription packages ranging from $70 for one week to $1,500 for one year. The data is being distributed through Gofile and Telegram channels operated by the Datamonk network.
Date: 2026-04-16T18:39:36Z
Network: openweb
Published URL: https://crackingx.com/threads/72329/
Screenshots:
None
Threat Actors: biglep
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Israeli political figure personal information
Category: Data Leak
Content: Threat actor shares personal information including phone number, address, and national ID of Israeli politician Itamar Ben-Gvir, allegedly from a database breach. The actor offers additional tools via private message.
Date: 2026-04-16T18:24:38Z
Network: openweb
Published URL: https://breached.st/threads/gsm-israel-itamar-ben-gvir-phone-number-1.86029/unread
Screenshots:
None
Threat Actors: rape
Victim Country: Israel
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of financial account credentials and card data across 180 countries
Category: Combo List
Content: A threat actor operating as xiaoyuenans shop is selling financial account credentials and card data spanning 180 countries, with emphasis on US, UK, Canada, France, Turkey, Malaysia, Singapore, Philippines, and India. The seller offers live-tested accounts, selectable by bank or card type, with real-time validity verification. Contact via Telegram handle @vklmaythangcho. Guarantor and escrow services offered.
Date: 2026-04-16T18:21:01Z
Network: telegram
Published URL: https://t.me/c/2613583520/63856
Screenshots:
None
Threat Actors: xiaoyuenans shop
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of Russian Federal Border Service database containing border crossing records
Category: Data Breach
Content: Threat actor claims to be selling access to the compromised Kordon system database of the Russian Federal Border Service from September 2023. The database allegedly contains over 1 billion border crossing records from 2014-2023 including personal information, travel documents, and border crossing details for citizens of 195 countries.
Date: 2026-04-16T18:13:57Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Data-Leak-%D0%9A%D0%BE%D1%80%D0%B4%D0%BE%D0%BD-Russian-Federal-Border-Service-2023-FULL
Screenshots:
None
Threat Actors: gosee
Victim Country: Russia
Victim Industry: Government
Victim Organization: Russian Federal Border Service
Victim Site: Unknown

Alleged data leak of Sansei Paraguay customer database
Category: Data Leak
Content: A threat actor shared a free download of a Paraguay customer database from sansei.com.py containing personal information including names, emails, phone numbers, national ID numbers, and hashed passwords. The database appears to contain customer registration data with timestamps ranging from 2020 to 2025.
Date: 2026-04-16T18:12:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-sansei-com-py-Paraguay-Database-Free
Screenshots:
None
Threat Actors: camillaDF
Victim Country: Paraguay
Victim Industry: Unknown
Victim Organization: Sansei
Victim Site: sansei.com.py

Alleged leak of credential combolist targeting PayPal, social media and gaming platforms
Category: Combo List
Content: Actor Megatron shared a credential combolist containing 1 million username/password combinations allegedly suitable for credential stuffing attacks against PayPal, social media platforms, and gaming services.
Date: 2026-04-16T18:10:21Z
Network: openweb
Published URL: https://pwnforums.st/Thread-1M-URL-LOGINPASS-Good-For-PayPal-Social-Media-Gaming
Screenshots:
None
Threat Actors: Megatron
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of French credential combolist
Category: Combo List
Content: A threat actor allegedly made available a combolist containing 1 million French credentials on an underground forum.
Date: 2026-04-16T18:04:59Z
Network: openweb
Published URL: https://pwnforums.st/Thread-1M-FRANCE-Fresh-Good-Combolist
Screenshots:
None
Threat Actors: Megatron
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of USA combolist credentials
Category: Combo List
Content: A threat actor named Megatron allegedly leaked a 1 million record USA credential combolist on a cybercrime forum. The combolist is described as high quality and suitable for various targets.
Date: 2026-04-16T18:00:08Z
Network: openweb
Published URL: https://pwnforums.st/Thread-1M-USA-HQ-Combolist-Good-For-All-Targets
Screenshots:
None
Threat Actors: Megatron
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: Threat actor alphaxdd shared a combolist containing 3,735 Hotmail email and password combinations on DemonForums. The credentials are described as premium mix mail hits and appear to be distributed for free to registered forum members.
Date: 2026-04-16T17:48:03Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9A%A1%E2%9A%A1-3735x-PREMIUM-MIX-MAIL-HITS%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of Norwegian credentials combolist
Category: Combo List
Content: Threat actor shared a combolist containing over 26,000 email and password combinations allegedly from Norway. The credentials are claimed to be fresh and high quality, distributed through a hidden content section and Telegram channel.
Date: 2026-04-16T17:46:56Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-26-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Norway-%E2%9C%AA-16-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Norway
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Romanian credential list
Category: Combo List
Content: User thejackal101 allegedly shared a credential list containing 39,000+ email:password combinations associated with Elite_Cloud1 Romania, dated April 16, 2026.
Date: 2026-04-16T17:45:37Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-39-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Romania-%E2%9C%AA-16-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Romania
Victim Industry: Unknown
Victim Organization: Elite_Cloud1
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor distributed a combolist containing 3,735 Hotmail email credentials described as premium mix mail hits. The credentials are being shared for free download on an underground forum.
Date: 2026-04-16T17:44:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72319/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of French email service credentials
Category: Combo List
Content: Threat actor CODER is distributing free credential lists (combolists) targeting French email services including Hotmail, Yahoo, and Orange through Telegram channels. The actor operates multiple Telegram groups offering free credential lists and programs.
Date: 2026-04-16T17:44:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72320/
Screenshots:
None
Threat Actors: CODER
Victim Country: France
Victim Industry: Technology
Victim Organization: Unknown
Victim Site: Unknown

Alleged distribution of credential combolists via Telegram channels
Category: Combo List
Content: Threat actor CODER is distributing free credential combolists through Telegram channels and offering personalized combo requests. The actor operates multiple Telegram groups for sharing compromised credentials and related programs.
Date: 2026-04-16T17:13:11Z
Network: openweb
Published URL: https://crackingx.com/threads/72314/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of credential combolist containing 17.53 million records
Category: Combo List
Content: A threat actor named Daxus has made available a credential combolist containing 17.53 million URL:username:password combinations through their website and Telegram channel. The data is being distributed as a free leak rather than being sold.
Date: 2026-04-16T17:12:44Z
Network: openweb
Published URL: https://crackingx.com/threads/72316/
Screenshots:
None
Threat Actors: Daxus
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of GMX email credentials
Category: Combo List
Content: A threat actor shared a combolist containing 125,000 GMX email credentials for free download. The actor also advertises various other credential lists for sale via Telegram.
Date: 2026-04-16T17:12:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72318/
Screenshots:
None
Threat Actors: steeve75
Victim Country: Germany
Victim Industry: Technology
Victim Organization: GMX
Victim Site: gmx.com

Alleged sale of Indian credentials via Lumma Stealer logs
Category: Logs
Content: Threat actor KazeFreak is allegedly selling 500 stealer logs containing credentials, cookies, crypto wallets, and autofill data from Indian victims infected with Lumma Stealer malware. The logs were obtained from Windows 11 Enterprise systems running Firefox browsers.
Date: 2026-04-16T16:52:04Z
Network: openweb
Published URL: https://darkforums.su/Thread-URL-LOGIN-PASS-Lumma-Stealer-500-logs-INDIA
Screenshots:
None
Threat Actors: KazeFreak
Victim Country: India
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of Ally Bank credential combolist
Category: Data Breach
Content: Threat actor secur3rat is allegedly selling a combolist containing 32,092 Ally Bank credentials for $499. The sample shows username and password combinations for various Ally Bank services including online banking, savings accounts, and auto loan portals.
Date: 2026-04-16T16:50:08Z
Network: openweb
Published URL: https://darkforums.su/Thread-Ally-Bank-32K-HQ-Fresh-Combo
Screenshots:
None
Threat Actors: secur3rat
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Ally Bank
Victim Site: ally.com

Alleged sale of Deutsche Bank credential combolist
Category: Data Breach
Content: Threat actor secur3rat is selling a combolist containing 26,554 alleged Deutsche Bank credentials in email:password format for $200. The credentials appear to be from various international domains and services.
Date: 2026-04-16T16:49:23Z
Network: openweb
Published URL: https://darkforums.su/Thread-Deutsche-Bank-HQ-Fresh-Combo-26K
Screenshots:
None
Threat Actors: secur3rat
Victim Country: Germany
Victim Industry: Financial Services
Victim Organization: Deutsche Bank
Victim Site: db.com

Alleged data breach of ANTS (French government agency)
Category: Data Breach
Content: Threat actor breach3d claims to be selling a database containing 18-19 million records from ANTS, the French government agency responsible for secure identification and legal titles. The data allegedly includes full names, contact details, birth data, addresses, and account metadata with government verification status.
Date: 2026-04-16T16:48:39Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-FR-ANTS-Database-18-19M
Screenshots:
None
Threat Actors: breach3d
Victim Country: France
Victim Industry: Government
Victim Organization: ANTS (Agence Nationale des Titres Sécurisés)
Victim Site: Unknown

Website Defacement of Hotel Association of Nepal by NUCLIER-Y-C-C-M
Category: Defacement
Content: On April 16, 2026, the threat actor NUCLIER-Y-C-C-M defaced the homepage of the Hotel Association of Nepal's official website (hotelassociationnepal.org.np). The attack was a targeted single-site defacement, replacing the homepage content with the attacker's message. No specific motivation or technical details regarding the server were disclosed.
Date: 2026-04-16T16:48:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834775
Screenshots:
None
Threat Actors: NUCLIER-Y-C-C-M, NUCLIER-Y-C-C-M
Victim Country: Nepal
Victim Industry: Hospitality / Tourism
Victim Organization: Hotel Association of Nepal
Victim Site: hotelassociationnepal.org.np

Alleged leak of credential combolist targeting cloud services
Category: Logs
Content: Threat actor shared a credential combolist containing URLs, login credentials, and passwords, advertised as high quality and private content targeting cloud services.
Date: 2026-04-16T16:46:33Z
Network: openweb
Published URL: https://pwnforums.st/Thread-URL-LOGIN-PASS-%E2%AD%90%EF%B8%8FURL-LOG-PASS-cloud-t34
Screenshots:
None
Threat Actors: uhqboyz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of credential lists on cybercriminal forum
Category: Logs
Content: Threat actor shared credential lists containing URL, login, and password combinations on a stealer logs forum. The content is hidden behind registration requirements but appears to be offered as a free download.
Date: 2026-04-16T16:46:07Z
Network: openweb
Published URL: https://pwnforums.st/Thread-URL-LOGIN-PASS-%E2%AD%90%EF%B8%8FURL-LOG-PASS-cloud-t35
Screenshots:
None
Threat Actors: uhqboyz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of German credential combolist
Category: Combo List
Content: A threat actor shared a combolist containing 1 million German credentials, claiming the list is high quality and suitable for various targets.
Date: 2026-04-16T16:44:57Z
Network: openweb
Published URL: https://pwnforums.st/Thread-1M-GERMANY-HQ-Combolist-Good-For-All-Targets
Screenshots:
None
Threat Actors: Megatron
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Yahoo credentials combolist
Category: Combo List
Content: A threat actor allegedly made available a combolist containing 460,000 Yahoo credentials from mixed countries on a cybercrime forum.
Date: 2026-04-16T16:44:31Z
Network: openweb
Published URL: https://pwnforums.st/Thread-460K-YAHOO-Mix-Countries-Good-Combolist
Screenshots:
None
Threat Actors: Megatron
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com

Alleged gaming credential combolist leak affecting 180,000 accounts
Category: Combo List
Content: A threat actor allegedly leaked a gaming-focused credential combolist containing 180,000 email:password combinations on cybercriminal forums.
Date: 2026-04-16T16:44:07Z
Network: openweb
Published URL: https://pwnforums.st/Thread-180K-GAMING-High-Quality-Combolist
Screenshots:
None
Threat Actors: Megatron
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Valorant gaming credentials
Category: Combo List
Content: A threat actor shared a private combolist containing 65,000 Valorant gaming credentials on an underground forum. The credentials are being distributed for free to registered forum members.
Date: 2026-04-16T16:43:42Z
Network: openweb
Published URL: https://pwnforums.st/Thread-65K-VALORANT-Private-HQ-Combolist
Screenshots:
None
Threat Actors: Megatron
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Riot Games
Victim Site: valorant.com

Alleged data breach of McGraw-Hill education platform
Category: Data Breach
Content: The ShinyHunters group allegedly breached McGraw-Hill's Salesforce-hosted data on April 11, 2026, compromising over 45 million records including names, emails, phone numbers, and addresses. The group publicly released 44.6 GB of data after McGraw-Hill refused to pay ransom demands.
Date: 2026-04-16T16:41:21Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Mc-GrawHill-mheducation-com-2026-04-11-13-5M-Users
Screenshots:
None
Threat Actors: thelastwhitehat
Victim Country: Unknown
Victim Industry: Education
Victim Organization: McGraw-Hill
Victim Site: mheducation.com

Alleged data breach of Abrigo, Inc.
Category: Data Breach
Content: ShinyHunters group allegedly breached Abrigo, Inc. on April 11, 2026 by gaining access to data stored within Salesforce, compromising over 1.75 million records including usernames, full names, email addresses, phone numbers, and employee details. When Abrigo refused to pay the ransom, the group released the stolen data on April 15, 2026.
Date: 2026-04-16T16:40:56Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Abrigo-Inc-abrigo-com-2026-04-11-1-75M-Users
Screenshots:
None
Threat Actors: thelastwhitehat
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Abrigo, Inc.
Victim Site: abrigo.com

Alleged leak of mixed email credentials combolist
Category: Combo List
Content: Threat actor klyne05 shared a mixed email credential combolist on a cybercriminal forum, claiming the data is private, fresh, and verified. The content is hidden behind a like-to-unlock mechanism for free access.
Date: 2026-04-16T16:35:06Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1MIX-MAIL%E2%9A%A1%E2%9A%A1PRIVATE%E2%9A%A1%E2%9A%A1FRESH%E2%9A%A1%E2%9A%A1CHEKED-BY-klyne05-%E2%9A%A1%E2%9A%A1–200665
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credentials
Category: Combo List
Content: Threat actor KiwiShio shared a combolist containing 765,000 Hotmail email and password combinations on the cybercrime forum DemonForums. The credentials are claimed to be fresh and high quality.
Date: 2026-04-16T16:34:26Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-765x-%E2%AD%90%E2%AD%90-FRESH-HQ-HOTMAIL-%E2%AD%90%E2%AD%90
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of Hotmail credentials
Category: Combo List
Content: User NotSellerXd shared a combolist containing 10,190 Hotmail email and password combinations on DemonForums. The credentials are being distributed for free to registered forum members.
Date: 2026-04-16T16:33:46Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-10190x-HOTMAIL
Screenshots:
None
Threat Actors: NotSellerXd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: Threat actor alphaxdd shared a combolist containing 1,667 valid Hotmail email credentials on a cybercriminal forum. The credentials are described as premium hits from a private cloud with mixed email addresses.
Date: 2026-04-16T16:32:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-1667x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F–200668
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of mixed email credential lists
Category: Combo List
Content: Threat actor klyne05 made available mixed email credential lists described as private, fresh, and checked on an underground forum. The post offers free download of combolists without specifying victim sources or record counts.
Date: 2026-04-16T16:32:42Z
Network: openweb
Published URL: https://crackingx.com/threads/72310/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credentials
Category: Combo List
Content: Forum post advertising fresh high-quality Hotmail credentials containing 765,000 records made available for free download.
Date: 2026-04-16T16:31:58Z
Network: openweb
Published URL: https://crackingx.com/threads/72311/
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor shared a combolist containing 10,190 Hotmail credentials for free download on a cybercrime forum.
Date: 2026-04-16T16:31:27Z
Network: openweb
Published URL: https://crackingx.com/threads/72312/
Screenshots:
None
Threat Actors: NotSellerxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Mass defacement of Nigerian educational institution by maw3six
Category: Defacement
Content: On April 16, 2026, the attacker known as maw3six conducted a mass defacement targeting chstdeba.edu.ng, a Nigerian educational institution. The defacement affected a specific page on the Linux-hosted server and was part of a broader mass defacement campaign. The incident was archived and mirrored via haxor.id.
Date: 2026-04-16T16:19:54Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248574
Screenshots:
None
Threat Actors: maw3six
Victim Country: Nigeria
Victim Industry: Education
Victim Organization: CHST Deba
Victim Site: chstdeba.edu.ng

Mass defacement of Nigerian government registration portal by maw3six
Category: Defacement
Content: The threat actor maw3six conducted a mass defacement campaign targeting the online registration portal of the Architects Registration Council of Nigeria (ARCON), a Nigerian government agency. The attack compromised a Linux-based web server, replacing the page content at the targeted URL. This incident is part of a broader mass defacement operation carried out by the attacker.
Date: 2026-04-16T16:16:38Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248573
Screenshots:
None
Threat Actors: maw3six
Victim Country: Nigeria
Victim Industry: Government
Victim Organization: Architects Registration Council of Nigeria (ARCON)
Victim Site: register.arconigeria.gov.ng

Mass defacement of Nigerian educational institution by maw3six
Category: Defacement
Content: On April 16, 2026, threat actor maw3six conducted a mass defacement targeting sms.kdscnm.edu.ng, a subdomain belonging to the Kano Dental Sciences College of Nursing and Midwifery in Nigeria. The attacker successfully defaced the web page hosted on a Linux server, replacing content with their own message. This incident was part of a broader mass defacement campaign carried out by the actor.
Date: 2026-04-16T16:10:48Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248571
Screenshots:
None
Threat Actors: maw3six
Victim Country: Nigeria
Victim Industry: Education
Victim Organization: Kano Dental Sciences College of Nursing and Midwifery (KDSCNM)
Victim Site: sms.kdscnm.edu.ng

Mass Website Defacement of Nigerian Government Portal by maw3six
Category: Defacement
Content: On April 16, 2026, a threat actor identified as maw3six conducted a mass defacement targeting the web portal of the Architects Registration Council of Nigeria (ARCON), a Nigerian government regulatory body. The attacker successfully defaced the Linux-hosted portal, replacing legitimate content with unauthorized material. This incident was part of a broader mass defacement campaign conducted by the same actor.
Date: 2026-04-16T16:09:29Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248572
Screenshots:
None
Threat Actors: maw3six
Victim Country: Nigeria
Victim Industry: Government
Victim Organization: Architects Registration Council of Nigeria (ARCON)
Victim Site: portal.arconigeria.gov.ng

Website Defacement of Universidad de Los Llanos by maw3six
Category: Defacement
Content: On April 16, 2026, threat actor maw3six defaced a web page on the subdomain snies.ul.edu.co, belonging to Universidad de Los Llanos, a public university in Colombia. The targeted URL was a specific page (maw.html) rather than the homepage, indicating a targeted single-page defacement. The attacker operated without an affiliated team, and no specific motive was disclosed.
Date: 2026-04-16T16:08:12Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248570
Screenshots:
None
Threat Actors: maw3six
Victim Country: Colombia
Victim Industry: Education
Victim Organization: Universidad de Los Llanos
Victim Site: snies.ul.edu.co

Alleged data leak of Fiscalia General del Estado de Morelos
Category: Data Leak
Content: Threat actor leaked 12,619 files from Mexico's Fiscalia General del Estado de Morelos containing payroll receipts and employee selfies. The leak includes data on approximately 1,521 active employees and was released with political motivations criticizing government corruption and incompetence.
Date: 2026-04-16T16:03:15Z
Network: openweb
Published URL: https://darkforums.su/Thread-Document-M%C3%A9xico-Fiscalia-General-del-Estado-de-Morelos-12-619-files
Screenshots:
None
Threat Actors: Straightonumberone
Victim Country: Mexico
Victim Industry: Government
Victim Organization: Fiscalia General del Estado de Morelos
Victim Site: Unknown

Website defacement of aprn.pits.ng by maw3six
Category: Defacement
Content: On April 16, 2026, a threat actor using the handle maw3six defaced a page on the Nigerian domain aprn.pits.ng, targeting a Linux-based web server. The defacement was a targeted single-page attack rather than a mass or home page defacement, with the compromised content archived at the attacker's mirror site. No specific motive or team affiliation was disclosed in connection with this incident.
Date: 2026-04-16T16:02:25Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248569
Screenshots:
None
Threat Actors: maw3six
Victim Country: Nigeria
Victim Industry: Unknown
Victim Organization: APRN / PITS Nigeria
Victim Site: aprn.pits.ng

Alleged Zero-Day Vulnerability in Windows Defender Enabling Privilege Escalation
Category: Vulnerability
Content: A critical zero-day security flaw has been identified in Windows Defender. The vulnerability involves a flaw in the cloud-based detection mechanism where a malicious file, instead of remaining quarantined, may be restored to its original location. Attackers can exploit this behavior to replace critical system files and ultimately gain full administrative (SYSTEM-level) access. The vulnerability is described as a serious threat to Windows users.
Date: 2026-04-16T15:57:40Z
Network: telegram
Published URL: https://t.me/c/1283513914/21228
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: United States
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: microsoft.com

Alleged leak of mixed email credentials combolist
Category: Combo List
Content: Threat actor shared a combolist containing valid email and password combinations described as UHQ Mix including Hotmail credentials and private cloud accounts through Telegram contact.
Date: 2026-04-16T15:53:38Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2127-Valid-UHQ-Mix-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of email credential combolist
Category: Combo List
Content: TeraCloud1 shared a combolist containing 31,000 valid email credentials on DemonForums. The credentials are being distributed for free behind a registration wall.
Date: 2026-04-16T15:49:57Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-31K-VALID-MAIL-ACCESS–200657
Screenshots:
None
Threat Actors: TeraCloud1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed email credentials including Hotmail accounts
Category: Combo List
Content: Threat actor noir shared a collection of valid mixed email credentials including Hotmail accounts, described as UHQ (ultra high quality) through their Telegram channel. The post advertises valid credentials from private cloud services and mixed email providers.
Date: 2026-04-16T15:49:11Z
Network: openweb
Published URL: https://crackingx.com/threads/72303/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed email credentials combolist
Category: Combo List
Content: A threat actor leaked a credential list containing 26,000 email and password combinations on a cybercrime forum.
Date: 2026-04-16T15:48:51Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-26K-GOOD-MAIL-ACCESS-MIX
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged distribution of corporate IMAP/SMTP credential combolists
Category: Combo List
Content: Threat actor CODER is distributing corporate IMAP and SMTP credential combolists through Telegram channels, offering both free access and custom combinations upon request.
Date: 2026-04-16T15:48:16Z
Network: openweb
Published URL: https://crackingx.com/threads/72304/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of German email credentials combolist
Category: Combo List
Content: A threat actor shared a combolist containing 799,420 credential pairs targeting German (.de domain) email accounts. The data is being distributed for free via a file sharing service.
Date: 2026-04-16T15:47:37Z
Network: openweb
Published URL: https://crackingx.com/threads/72305/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of JBU by NUCLIER-Y-C-C-M
Category: Defacement
Content: On April 16, 2026, the threat actor NUCLIER-Y-C-C-M defaced the homepage of jbu.com.np, a website associated with an educational institution in Nepal. The attack was a targeted homepage defacement and was not part of a mass defacement campaign. The incident has been archived and mirrored via zone-xsec.com.
Date: 2026-04-16T15:28:38Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834774
Screenshots:
None
Threat Actors: NUCLIER-Y-C-C-M, NUCLIER-Y-C-C-M
Victim Country: Nepal
Victim Industry: Education
Victim Organization: Janakpur Buddhist University (JBU)
Victim Site: jbu.com.np

Alleged distribution of credential combolist by threat actor Steveee36
Category: Combo List
Content: Threat actor erwinn91 shared a credential combolist titled X1701 HQ Mix allegedly compiled by user Steveee36 on a cybercriminal forum. The content is hidden behind registration requirements, indicating distribution of stolen login credentials.
Date: 2026-04-16T15:19:44Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9A%A1%E2%9A%A1-X1701-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Steveee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed email credential list
Category: Combo List
Content: A threat actor shared a credential list containing 9,020 mixed email accounts for free download on a cybercrime forum.
Date: 2026-04-16T15:19:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72296/
Screenshots:
None
Threat Actors: NotSellerxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: Threat actor HollowKnight shared a sample combolist containing 535 Hotmail email and password combinations on a cybercriminal forum.
Date: 2026-04-16T15:19:00Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-535x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: HollowKnight
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged distribution of automotive industry credential combolist
Category: Combo List
Content: A threat actor is distributing a 7 million record credential combolist allegedly containing data from various automotive companies including Toyota, Honda, BMW, Mercedes-Benz, and others. The combolist is being shared through Telegram channels for free distribution.
Date: 2026-04-16T15:18:32Z
Network: openweb
Published URL: https://crackingx.com/threads/72297/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Automotive
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor shared a combolist containing 39,000 email and password combinations from various mail services. The credentials are being distributed for free through a forum post with hidden content requiring registration to access.
Date: 2026-04-16T15:18:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-39K-Mix-Mail-Access-Combo
Screenshots:
None
Threat Actors: MarkVesto
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist
Category: Combo List
Content: A threat actor shared a high-quality mixed credential combolist for free download on a cybercriminal forum. The post provides minimal details about the source or composition of the credential list.
Date: 2026-04-16T15:18:04Z
Network: openweb
Published URL: https://crackingx.com/threads/72298/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor shared a sample combolist containing 535 Hotmail email and password combinations on a cybercrime forum. The credentials are being distributed as a free download.
Date: 2026-04-16T15:17:46Z
Network: openweb
Published URL: https://crackingx.com/threads/72299/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed email credentials combolist
Category: Combo List
Content: A threat actor shared a combolist containing 39,000 mixed email and password credentials on a cybercrime forum, making the data available for free download to registered users.
Date: 2026-04-16T15:17:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72300/
Screenshots:
None
Threat Actors: MarkVesto
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of nooris.me by Attacker maw3six
Category: Defacement
Content: On April 16, 2026, the website nooris.me was defaced by the threat actor known as maw3six. The attack targeted a specific page (maw.html) rather than the homepage, indicating a targeted single-page defacement on a cloud-hosted server. No team affiliation, specific motive, or additional technical details were disclosed in connection with this incident.
Date: 2026-04-16T15:11:20Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248568
Screenshots:
None
Threat Actors: maw3six
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Nooris
Victim Site: nooris.me
Alleged leak of Chinese company internal documents and data
Category: Data Leak
Content: A threat actor shared a 10GB archive containing alleged Chinese company internal documents including operational procedures, circuit diagrams, supplier payment records, product specifications, and database backups spanning 2017-2021.
Date: 2026-04-16T15:03:42Z
Network: openweb
Published URL: https://breached.st/threads/chinese-data-zhong-guo-shu-ju-snowsoul-id-1294.86027/unread
Screenshots:
None
Threat Actors: 元帅*
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged initial access or targeting of multiple Peruvian educational and government domains
Category: Initial Access
Content: A threat actor operating as Pharaohs Team is listing multiple Peruvian domains including educational institutions (gospa.edu.pe, independencia.edu.pe, iriosanta.edu.pe, mariagoretticusco.edu.pe) and a government entity (ugelcajabamba.gob.pe), directing interested parties to contact via Telegram handle @phteam_s. This likely represents access sales, defacement targets, or compromised assets.
Date: 2026-04-16T15:02:26Z
Network: telegram
Published URL: https://t.me/c/3205199875/490
Screenshots:
None
Threat Actors: Pharaohs Team
Victim Country: Peru
Victim Industry: Education / Government
Victim Organization: Multiple Peruvian Educational Institutions and UGEL Cajabamba
Victim Site: gospa.edu.pe, independencia.edu.pe, iriosanta.edu.pe, mariagoretticusco.edu.pe, ugelcajabamba.gob.pe
Alleged data leak of MalindoAir
Category: Data Leak
Content: A forum user requests that someone reupload a previously leaked MalindoAir dataset, suggesting the airline's data was previously compromised and shared on underground forums.
Date: 2026-04-16T15:00:22Z
Network: openweb
Published URL: https://darkforums.su/Thread-request-for-MalindoAir
Screenshots:
None
Threat Actors: randomfool
Victim Country: Malaysia
Victim Industry: Aviation
Victim Organization: MalindoAir
Victim Site: malindoair.com
Alleged cyber activity claimed by 313 Team (Islamic Cyber Resistance – Iraq)
Category: Cyber Attack
Content: The 313 Team, identifying themselves as the Islamic Cyber Resistance in Iraq (المقاومة الاسلامية السيبرانية في العراق), shared a post referencing an X (Twitter) status link, likely as proof or announcement of a cyber operation. The group is affiliated with the Beamed Network and maintains multiple Telegram backup channels.
Date: 2026-04-16T14:56:29Z
Network: telegram
Published URL: https://t.me/c/2250158203/1011
Screenshots:
None
Threat Actors: 313 Team
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Amafric by maw3six
Category: Defacement
Content: On April 16, 2026, a threat actor operating under the alias maw3six defaced a page on the Canadian website amafric.ca, targeting the URL https://amafric.ca/maw.html. The defacement was carried out as a single targeted incident, not part of a mass defacement campaign, and was hosted on a cloud-based server environment. No specific motive or team affiliation was attributed to the attacker.
Date: 2026-04-16T14:48:56Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248566
Screenshots:
None
Threat Actors: maw3six
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Amafric
Victim Site: amafric.ca
Website Defacement of abstan.co.tz by maw3six
Category: Defacement
Content: On April 16, 2026, a threat actor operating under the alias maw3six defaced a page on the Tanzanian website abstan.co.tz. The attacker targeted a Linux-based web server, replacing the content of the page at /maw.html. The incident was a single targeted defacement with no team affiliation reported.
Date: 2026-04-16T14:45:37Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248567
Screenshots:
None
Threat Actors: maw3six
Victim Country: Tanzania
Victim Industry: Unknown
Victim Organization: Abstan
Victim Site: abstan.co.tz
Mass Defacement of Bosnian Website kupirasvjetu.ba by Attacker maw3six
Category: Defacement
Content: On April 16, 2026, the attacker known as maw3six defaced the Bosnian website kupirasvjetu.ba, targeting the page at /maw.html. This incident was identified as part of a mass defacement campaign conducted on a Linux-based server. No specific motive or team affiliation was disclosed by the attacker.
Date: 2026-04-16T14:39:51Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248565
Screenshots:
None
Threat Actors: maw3six
Victim Country: Bosnia and Herzegovina
Victim Industry: Unknown
Victim Organization: Kupirasvjetu
Victim Site: kupirasvjetu.ba
Alleged distribution of mixed credential combolist containing 172,000 records
Category: Combo List
Content: A threat actor shared a mixed credential combolist containing 172,000 email and password combinations through a cybercriminal forum. The actor also promoted their shop for custom combolists from various countries.
Date: 2026-04-16T14:30:44Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-MIX-Unique-Combo-5-172000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credentials combolist
Category: Combo List
Content: A threat actor shared a combolist containing 1,000 mixed email credentials described as fresh and high quality on a cybercriminal forum.
Date: 2026-04-16T14:29:27Z
Network: openweb
Published URL: https://crackingx.com/threads/72293/
Screenshots:
None
Threat Actors: Lexser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of educational sector credential lists
Category: Combo List
Content: Threat actor CODER is distributing credential lists targeting educational institutions through Telegram channels, offering free access to combolists and related tools.
Date: 2026-04-16T14:29:13Z
Network: openweb
Published URL: https://crackingx.com/threads/72294/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of credential combolist containing 172,000 records
Category: Combo List
Content: A threat actor shared a credential combolist containing 172,000 email and password combinations on a cybercriminal forum.
Date: 2026-04-16T14:28:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72295/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of German email credentials
Category: Combo List
Content: A threat actor shared a combolist containing 27,000 mixed email credentials allegedly from German users on a cybercrime forum.
Date: 2026-04-16T13:58:38Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-27K-MIX-MAIL-ACCESS-GERMANY
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of WhatsApp automation tool for bulk messaging operations
Category: Initial Access
Content: Threat actor shares cracked WhatsApp Botmaster automation tool enabling bulk messaging campaigns, auto-replies, and contact management for large-scale messaging operations. The tool provides full automation capabilities for WhatsApp messaging workflows and campaign management.
Date: 2026-04-16T13:58:32Z
Network: openweb
Published URL: https://demonforums.net/Thread-WhatsApp-Botmaster-Cracked–200645
Screenshots:
None
Threat Actors: Starip
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: WhatsApp
Victim Site: whatsapp.com
Alleged distribution of dork generation tool for web scraping and search automation
Category: Initial Access
Content: A threat actor shared Work with Dorks by JohnDoe v2.1, a desktop tool designed for generating structured search queries and dorks for web scraping and search automation. The tool includes features for building targeted queries, translator and grabber modules, and is distributed through underground forums for potential reconnaissance activities.
Date: 2026-04-16T13:57:27Z
Network: openweb
Published URL: https://demonforums.net/Thread-Work-with-Dorks-by-JohnDoe-v2-1–200647
Screenshots:
None
Threat Actors: Starip
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: Threat actor HollowKnight shared a sample combolist containing 500 Hotmail email and password combinations on a cybercrime forum.
Date: 2026-04-16T13:56:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-500x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: HollowKnight
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged sharing of credential list via VIP ULP 6 package
Category: Combo List
Content: Threat actor zod shared a credential package labeled VIP ULP 6 on the CrackingX forum, with password-protected access via a Telegram channel. The post appears in the combolists and dumps section, suggesting leaked credential data.
Date: 2026-04-16T13:55:22Z
Network: openweb
Published URL: https://crackingx.com/threads/72285/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of email credential combolists via PandaCloud service
Category: Combo List
Content: Threat actor is distributing free email credential combolists through a Telegram channel and file sharing service, claiming to add fresh databases daily with only valid and recent email credentials.
Date: 2026-04-16T13:55:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72286/
Screenshots:
None
Threat Actors: Kokos2846q
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of mixed credential combolists targeting multiple platforms
Category: Combo List
Content: Threat actor distributes 9 million mixed credential combinations (email:password) targeting PlayStation, Facebook, X (Twitter), LinkedIn and other platforms through Telegram channels. The combolists are being shared for free via dedicated Telegram groups.
Date: 2026-04-16T13:54:53Z
Network: openweb
Published URL: https://crackingx.com/threads/72287/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Multiple platforms
Victim Site: Multiple domains
Alleged leak of German gaming and casino credentials
Category: Combo List
Content: A threat actor shared a combolist containing over 1 million credential pairs allegedly targeting German gaming and casino platforms. The data is being distributed for free via a file sharing service.
Date: 2026-04-16T13:54:37Z
Network: openweb
Published URL: https://crackingx.com/threads/72288/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Gaming and Gambling
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor is distributing a sample of 500 Hotmail credentials as a free download on a cybercriminal forum.
Date: 2026-04-16T13:54:21Z
Network: openweb
Published URL: https://crackingx.com/threads/72291/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged SQL Injection Challenge Targeting sci.ruh.ac.lk
Category: Vulnerability
Content: A threat actor operating under the alias NAZUNA | 008 affiliated with Tegal Cyber Team posted a SQL injection challenge targeting what appears to be sci.ruh.ac.lk (a Sri Lankan academic institution). The challenge tasks participants with extracting database users, passwords, privileges, table/column names, and chaining SQLi to XSS — all against a live website. Despite a disclaimer not to harm the site, the challenge explicitly instructs extraction of credentials and sensitive database information from a real target.
Date: 2026-04-16T13:33:35Z
Network: telegram
Published URL: https://t.me/c/3528849141/298
Screenshots:
None
Threat Actors: NAZUNA | 008
Victim Country: Sri Lanka
Victim Industry: Education
Victim Organization: Ruhuna University – Faculty of Science
Victim Site: sci.ruh.ac.lk
Alleged data breach involving three corporations
Category: Data Breach
Content: Threat actor TiMc is allegedly selling datasets from three corporations on underground forums. The actor provides contact information via Tox messaging for serious buyers and references a file listing with summary details.
Date: 2026-04-16T13:32:53Z
Network: openweb
Published URL: https://pwnforums.st/Thread-COLLECTION-3-Corps-dataset-sell
Screenshots:
None
Threat Actors: TiMc
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Imagerie Clinique Yvette medical database
Category: Data Leak
Content: Threat actor ntmpd shared a database dump from French medical imaging clinic Imagerie Clinique Yvette containing patient records with personal information, medical procedures, and administrative access credentials. The leaked data includes patient names, IDs, medical imaging records, and associated physician information.
Date: 2026-04-16T13:28:17Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-FR-Imagerie-Clinique-Yvette-Acces-Admin–188358
Screenshots:
None
Threat Actors: ntmpd
Victim Country: France
Victim Industry: Healthcare
Victim Organization: Imagerie Clinique Yvette
Victim Site: Unknown
Website Defacement of mydearsapinou.com by H4CKTHOR
Category: Defacement
Content: On April 16, 2026, the website www.mydearsapinou.com was defaced by a threat actor operating under the alias H4CKTHOR, acting without affiliation to any known group or team. The attack targeted the homepage of the site in a single, non-mass defacement incident. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-16T13:10:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834773
Screenshots:
None
Threat Actors: H4CKTHOR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: My Dear Sapinou
Victim Site: www.mydearsapinou.com
Alleged solicitation for carding of StockX gift cards
Category: Cyber Attack
Content: A user identified as Trap is seeking someone to card and sell StockX gift cards, indicating involvement in gift card fraud/carding operations targeting StockX.
Date: 2026-04-16T13:06:04Z
Network: telegram
Published URL: https://t.me/c/2613583520/63725
Screenshots:
None
Threat Actors: Trap
Victim Country: United States
Victim Industry: E-commerce / Retail
Victim Organization: StockX
Victim Site: stockx.com
Alleged leak of Hotmail/Outlook credentials
Category: Combo List
Content: A threat actor shared a combolist containing 6.9k Hotmail/Outlook email credentials via a free MediaFire download link. The actor claims the credentials are fresh, private, and have a high hit rate for account access.
Date: 2026-04-16T12:57:15Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-FRESH-6-9k-HOTMAIL-MAIL-ACCESS-100-PRIVATE-HIGH-HIT-RATE-GHOST-CLOUD
Screenshots:
None
Threat Actors: GhostCloud2
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of email credential combolist
Category: Combo List
Content: A threat actor shared a combolist containing 44,000 valid email and password combinations on a cybercriminal forum. The credentials appear to be made available for free download to registered forum members.
Date: 2026-04-16T12:56:13Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-44K-VALID-MAIL-ACCESS–200642
Screenshots:
None
Threat Actors: TeraCloud1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: User klyne05 shared Hotmail credentials on the CrackingX forum, claiming they are private, fresh, and checked. The post offers free download access to the credential list.
Date: 2026-04-16T12:53:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72281/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail and mixed email credentials
Category: Combo List
Content: A threat actor is sharing a Telegram channel containing alleged fresh Hotmail and mixed email credential lists. The credentials are being distributed for free through the messaging platform.
Date: 2026-04-16T12:53:29Z
Network: openweb
Published URL: https://crackingx.com/threads/72282/
Screenshots:
None
Threat Actors: hotmailmixking1
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of credential combolist containing 172,000 records
Category: Combo List
Content: A threat actor shared a credential combolist containing 172,000 records on a cybercriminal forum. The post content is protected and requires forum registration to view full details.
Date: 2026-04-16T12:53:15Z
Network: openweb
Published URL: https://crackingx.com/threads/72283/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: Forum post claiming to contain valid Hotmail credentials, though the actual content is hidden behind registration requirements making verification impossible.
Date: 2026-04-16T12:53:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72284/
Screenshots:
None
Threat Actors: FlashCloud2
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail access credentials
Category: Logs
Content: A threat actor claims to have leaked access credentials for over 60 million Hotmail accounts on a cybercrime forum. The credentials are allegedly being distributed as a text file containing fresh access logs.
Date: 2026-04-16T12:49:13Z
Network: openweb
Published URL: https://xforums.st/threads/60-436k-fresh-hotmail-access-logs-txt.608514/
Screenshots:
None
Threat Actors: Vekkoo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged Cyber Attack on Israeli News Portal TV7 Israel News by M-17SEC
Category: Cyber Attack
Content: Threat actor group M-17SEC, forwarded via The Garuda Eye channel, claims to have successfully attacked Israeli news portal tv7israelnews.com. The group announces a phased attack campaign under the operation hashtag #OpsResurrect1, warning of imminent further attacks. The post includes threatening rhetoric directed at Israel and is framed with religious messaging. The nature of the attack (DDoS, defacement, etc.) is not explicitly specified.
Date: 2026-04-16T12:43:31Z
Network: telegram
Published URL: https://t.me/M171337/30
Screenshots:
None
Threat Actors: M-17SEC
Victim Country: Israel
Victim Industry: Media & News
Victim Organization: TV7 Israel News
Victim Site: tv7israelnews.com
Alleged Cyber Attack and Supply Chain Compromise of GNS Cloud by Handala
Category: Cyber Attack
Content: Hacktivist group Handala claims to have maintained persistent access to GNS Cloud (Israel's largest cloud provider) for 18 months, extracting all client machine and virtual server passwords stored in plaintext, backdooring over 112,000 machines and servers, and achieving full control over operational and management layers. The group also claims to have defaced the international GNS website as proof of continued access. They allege the entire GNS supply chain is compromised, exposing banks, tech companies, and ordinary users. PoC links include a Zone-H defacement mirror and a web archive. The group previously announced the breach in December 2024 during Operation Martyr Reza Awada and states that full evidence will be released publicly soon.
Date: 2026-04-16T12:36:37Z
Network: telegram
Published URL: https://t.me/c/3548035165/318
Screenshots:
None
Threat Actors: Handala
Victim Country: Israel
Victim Industry: Cloud Computing / Managed Services
Victim Organization: GNS Cloud
Victim Site: Unknown
Alleged cyber attack claim by Keymous+ threat actor
Category: Defacement
Content: Threat actor Keymous+ shared a link to a post on the SonsOfAnarchyGrouppp Telegram channel, likely referencing a defacement or cyber attack claim associated with their group activity.
Date: 2026-04-16T12:27:19Z
Network: telegram
Published URL: https://t.me/c/2588114907/1090
Screenshots:
None
Threat Actors: Keymous+
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of USA email credentials
Category: Combo List
Content: Forum post claims to offer 2.2 thousand valid USA email credentials with full access, dated April 16th. The content is hidden behind registration requirements and links to an external shop.
Date: 2026-04-16T12:04:01Z
Network: openweb
Published URL: https://demonforums.net/Thread-2-2-K-Usa-Full-Valid-Mail-Access-16-04
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials on cybercriminal forum
Category: Combo List
Content: A threat actor shared a combolist containing 782 Hotmail email and password combinations on a cybercriminal forum. The credentials are being distributed through a premium cloud service with paid access tiers.
Date: 2026-04-16T12:00:14Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-782-Good-HOTMAIL-GOODS-D4RKNETHUB-CLOUD-16-04-26
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Gmail credential combolist
Category: Combo List
Content: Threat actor ValidMail shared a combolist containing 193,000 Gmail email and password combinations dated April 26, 2016. The credentials are being distributed through hidden content on cybercrime forums.
Date: 2026-04-16T11:59:06Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%99%8B-193k-GMAIL-DOMAIN-16-04-26-%E2%99%8B
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged leak of USA email credentials
Category: Combo List
Content: A threat actor shared a combolist containing 2,200 valid email credentials allegedly from USA users on an underground forum.
Date: 2026-04-16T11:58:57Z
Network: openweb
Published URL: https://crackingx.com/threads/72273/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credentials combolist
Category: Combo List
Content: Threat actor snowstormxd shared a fresh mixed email combolist on the CrackingX forum for free download via Pasteview and Telegram channels.
Date: 2026-04-16T11:58:42Z
Network: openweb
Published URL: https://crackingx.com/threads/72274/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of email credentials combolist
Category: Combo List
Content: A threat actor shared a combolist containing 43,000 email credentials described as Full Valid Mail Access Mix dated April 16th. The credentials are being distributed for free to registered forum users.
Date: 2026-04-16T11:58:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72275/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of corporate email credentials targeting business SMTP systems
Category: Combo List
Content: A threat actor shared a combolist containing 186,965 credential pairs specifically targeting corporate business email accounts for SMTP spam campaigns. The credentials are distributed via a file-sharing platform for free download.
Date: 2026-04-16T11:58:12Z
Network: openweb
Published URL: https://crackingx.com/threads/72276/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of German email provider credentials
Category: Combo List
Content: Threat actor distributes free German credential combolist containing 8 million records from web.de, gmx.de, and t-online.de email providers through Telegram channels.
Date: 2026-04-16T11:57:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72278/
Screenshots:
None
Threat Actors: CODER
Victim Country: Germany
Victim Industry: Technology
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist
Category: Combo List
Content: A threat actor shared a mixed credential combolist containing over 55,000 lines of stolen credentials. The data is distributed through a password-protected Telegram channel.
Date: 2026-04-16T11:57:15Z
Network: openweb
Published URL: https://crackingx.com/threads/72279/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of USA email credentials
Category: Logs
Content: A threat actor leaked approximately 2,200 valid email credentials allegedly belonging to USA users on a cybercrime forum.
Date: 2026-04-16T11:53:35Z
Network: openweb
Published URL: https://xforums.st/threads/2-2-k-usa-full-valid-mail-access-16-04.608507/
Screenshots:
None
Threat Actors: MegaCloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Doxing Profile of Israeli Individual Benaya Cherlow Published by Golden Falcon
Category: Cyber Attack
Content: A detailed doxing profile of an individual named Benaya Cherlow has been published, including personal contact information (an email address and a phone number), academic records from Reichman University (IDC Herzliya) and Brandeis University, professional and research background, and Israeli Defense Forces military service history including rank (Lieutenant) and unit (Armored Corps, GOC Army Headquarters). The target is identified as a researcher with ties to Israeli strategic and diplomatic institutions. This appears to be a targeted intelligence profile likely intended to facilitate harassment, intimidation, or physical harm.
Date: 2026-04-16T11:37:13Z
Network: telegram
Published URL: https://t.me/c/2245031785/646
Screenshots:
None
Threat Actors: Golden Falcon
Victim Country: Israel
Victim Industry: Education / Defense
Victim Organization: Reichman University / IDF
Victim Site: Unknown
Alleged distribution of Gmail credential combolist
Category: Combo List
Content: Threat actor el_capitan distributed a combolist containing 760,000 Gmail email and password combinations on a cybercriminal forum. The actor also advertises related cracking tools and spamming services via Telegram channels.
Date: 2026-04-16T11:35:22Z
Network: openweb
Published URL: https://pwnforums.st/Thread-760K-GMAIL-Fresh-HQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A forum post claims to contain a combolist of 460,000 Hotmail email and password combinations described as fresh and high quality.
Date: 2026-04-16T11:31:03Z
Network: openweb
Published URL: https://pwnforums.st/Thread-460K-HOTMAIL-Fresh-HQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of Mexican credential list
Category: Combo List
Content: A threat actor shared a combolist containing 260,000 credentials allegedly from Mexico on a cybercriminal forum. The post also advertises related cracking tools and services through Telegram channels.
Date: 2026-04-16T11:26:42Z
Network: openweb
Published URL: https://pwnforums.st/Thread-260K-MEXICO-Semi-Private-Good-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Mexico
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Argentina credential combolist
Category: Combo List
Content: A threat actor shared a combolist containing 220,000 credentials allegedly from Argentina, described as high quality and fresh.
Date: 2026-04-16T11:22:23Z
Network: openweb
Published URL: https://pwnforums.st/Thread-220K-ARGENTINA-UHQ-Fresh-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Argentina
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged distribution of Japanese credential combolist
Category: Combo List
Content: A threat actor is distributing a combolist containing 500,000 Japanese credentials through a cybercrime forum. The actor is also advertising additional services including combo sales and cracking tools via Telegram channels.
Date: 2026-04-16T11:18:06Z
Network: openweb
Published URL: https://pwnforums.st/Thread-500K-JAPAN-Fresh-HQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of initial access to data and document servers
Category: Initial Access
Content: A threat actor in the Infrastructure Destruction Squad channel is offering to sell access to data and document servers for $200. No specific victim organization or country is mentioned.
Date: 2026-04-16T11:06:47Z
Network: telegram
Published URL: https://t.me/c/2735908986/4006
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Sale of Industrial System Access, ICS Attack Tool, and Ransomware Builder Targeting Netherlands
Category: Initial Access
Content: A threat actor operating under Infrastructure Destruction Squad is offering a bundle for $500 valid for 24 hours, including: access to unspecified industrial systems located in the Netherlands, a tool designed to target industrial/ICS systems, and a ransomware builder identified as blacknet-00. Contact handle provided as @Destructionsqua.
Date: 2026-04-16T11:04:06Z
Network: telegram
Published URL: https://t.me/c/2735908986/4003
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Netherlands
Victim Industry: Industrial / Critical Infrastructure
Victim Organization: Unknown
Victim Site: Unknown

Alleged distribution of mixed credential combolist containing 172,000 records
Category: Combo List
Content: A threat actor shared a mixed credential combolist containing 172,000 email and password combinations on a cybercriminal forum.
Date: 2026-04-16T11:03:08Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-MIX-Unique-Combo-3-172000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of German email credentials
Category: Combo List
Content: A threat actor shared a combolist containing 24,000 German email credentials via a file sharing service. The credentials are described as fresh mail access from April 16th.
Date: 2026-04-16T10:59:11Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-24K-Germany-Fresh-Mail-Access-16-04
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Cyber Attack on Japanese Surveillance Camera Systems by Z-Pentest Alliance
Category: Cyber Attack
Content: The threat group Z-Pentest Alliance claims to have compromised Japanese surveillance camera systems, reportedly gaining access within minutes. The group monitored a parking lot via the hacked cameras for two days. The post is tagged with #OpJapan, suggesting a broader campaign targeting Japanese infrastructure. No data exfiltration was claimed, but unauthorized access to physical security systems was asserted.
Date: 2026-04-16T10:56:27Z
Network: telegram
Published URL: https://t.me/ogorodniki_Z/78
Screenshots:
None
Threat Actors: Z-Pentest Alliance
Victim Country: Japan
Victim Industry: Security/Surveillance Infrastructure
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed credential combolist containing 48,309 records
Category: Combo List
Content: Threat actor stormtrooper shared a combolist containing 48,309 email and password combinations described as a Fresh Mix on a cybercriminal forum. The credentials are being distributed for free to registered forum members.
Date: 2026-04-16T10:55:24Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-48-309-Lines-Fresh-Mix-Combolist
Screenshots:
None
Threat Actors: stormtrooper
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of German email credentials
Category: Combo List
Content: A threat actor shared a collection of 24,000 German email credentials on an underground forum. The credentials are described as fresh and dated April 16th.
Date: 2026-04-16T10:52:53Z
Network: openweb
Published URL: https://crackingx.com/threads/72271/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged distribution of mixed credential combolist containing 48,309 records
Category: Combo List
Content: User Browzchel distributed a fresh mixed combolist containing 48,309 credential pairs on the CrackingX forum. The threat actor also maintains a Telegram channel for additional distribution.
Date: 2026-04-16T10:52:39Z
Network: openweb
Published URL: https://crackingx.com/threads/72272/
Screenshots:
None
Threat Actors: Browzchel
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Stealc credential logs from Japan
Category: Data Leak
Content: A threat actor shared 250 credential logs allegedly obtained via Stealc malware targeting Windows Server 2019 systems in Japan. The logs contain URL, login, and password combinations.
Date: 2026-04-16T10:50:20Z
Network: openweb
Published URL: https://xforums.st/threads/url-login-pass-stealc-250-logs-jp-windows-server-2019.608498/
Screenshots:
None
Threat Actors: HighWayToShell
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged cybercriminal services advertisement by ShinyHunters threat group
Category: Cyber Attack
Content: The ShinyHunters threat actor is advertising hacking, pentesting, and developer services priced at $10,000 USD. The post includes official contact channels (Telegram, email, Tox, Session), a clearnet website (shinyhunte.rs), a Tor hidden service, and a PGP key via Pastebin. The group also warns against impersonators and references individuals named Mattys Savoie & James who allegedly misused their PGP key for ransom. This represents active threat actor infrastructure advertisement.
Date: 2026-04-16T10:34:43Z
Network: telegram
Published URL: https://t.me/c/3737716184/1229
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Sale of Massive Breach Database Collection by ShinyHunters Threat Actor
Category: Data Breach
Content: A threat actor identifying themselves as ShinyHunters is offering tiered subscription access to a cloud CDN allegedly containing stolen databases from numerous high-profile organizations including Salesforce, Cisco, AT&T, Ticketmaster, Microsoft, Google, Victoria's Secret, CrowdStrike, and Santander, among others. Pricing is structured as $10,000 for lifetime access, $5,000 for 1-year access, and $2,500 for 9-month access. The actor provides multiple Telegram channels, an email address, Tox ID, and Session ID as contact methods, and references known breach forums including BreachForums, RaidForums, and ExposeForums.
Date: 2026-04-16T10:15:25Z
Network: telegram
Published URL: https://t.me/c/3500620464/6862
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Multiple
Victim Industry: Multiple
Victim Organization: Salesforce, Cisco, AT&T, Ticketmaster, Microsoft, Google, Victoria's Secret, CrowdStrike, Santander
Victim Site: Unknown

Alleged Sale of Stolen Database Collection by ShinyHunters Threat Actor
Category: Data Breach
Content: The ShinyHunters threat actor group is advertising tiered paid access to a cloud CDN allegedly containing stolen databases and breach data from numerous high-profile organizations including Salesforce, Cisco, AT&T, Ticketmaster, Microsoft, Google, Victoria's Secret, CrowdStrike, Santander, CIC Vietnam, and others. Pricing is structured as $10,000 USD for lifetime access, $5,000 for 1-year VIP access, and $2,500 for 9-month access. The actor claims data originates from BreachForums, RaidForums, ExposeForums, PwnForums, and BreachStars. Contact details include Telegram (@shinyc0rpsss), email ([email protected]), Tox ID, and Session ID. An anti-impersonation warning with PGP key verification was also posted.
Date: 2026-04-16T10:15:18Z
Network: telegram
Published URL: https://t.me/c/3737716184/1238
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Multiple
Victim Industry: Multiple — Technology, Telecommunications, Finance, Retail
Victim Organization: Salesforce, Cisco, AT&T, Ticketmaster, Microsoft, Google, Victoria's Secret, CrowdStrike, Santander
Victim Site: Unknown

Alleged Sale of Ticketmaster Database by ShinyHunters (4.51TB, 440M Emails, 400M Credit Cards)
Category: Data Breach
Content: The threat actor ShinyHunters is claiming to sell an approximately 4.51TB database allegedly containing Ticketmaster archives. The dataset purportedly includes 980 million sales orders, 680 million order details, 1.2 billion party lookup records, 440 million unique email addresses, 4 million deduped records, 560 million AVS detail records, and 400 million encrypted credit card details with partial information. The asking price is $10,000. Contact details provided include Telegram handle @shinyc0rpsss and email [email protected].
Date: 2026-04-16T10:08:10Z
Network: telegram
Published URL: https://t.me/c/3737716184/1237
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Entertainment / Ticketing
Victim Organization: Ticketmaster
Victim Site: ticketmaster.com

Alleged Sale of 4.51TB Ticketmaster Database with 440M Emails and 400M Credit Card Records
Category: Data Breach
Content: A threat actor operating under the handle @shinyc0rpsss is selling an alleged 4.51TB Ticketmaster database archive for $10,000. The dataset purportedly contains 980 million sales orders, 680 million order details, 1.2 billion party lookup records, 440 million unique email addresses, 4 million deduped records, 560 million AVS detail records, and 400 million encrypted credit card details with partial information. Contact provided via Telegram handle and Tutamail email address.
Date: 2026-04-16T10:08:00Z
Network: telegram
Published URL: https://t.me/c/3500620464/6855
Screenshots:
None
Threat Actors: shinyc0rpsss
Victim Country: United States
Victim Industry: Entertainment / Ticketing
Victim Organization: Ticketmaster
Victim Site: ticketmaster.com

Alleged defacement of multiple websites by Babayo Eror System
Category: Defacement
Content: Threat actor Babayo Eror System claims to have defaced multiple websites including mail.makandwa.co.zw, makandwa.co.zw, mega888.euro2020tips.com, sale-bird.alesharahfashions.com, and bizgamez.com.pikesway.com. The post includes a photo as proof of defacement.
Date: 2026-04-16T10:05:37Z
Network: telegram
Published URL: https://t.me/BabayoErorSyteam/473
Screenshots:
None
Threat Actors: Babayo Eror System
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: mail.makandwa.co.zw, makandwa.co.zw, mega888.euro2020tips.com, sale-bird.alesharahfashions.com, bizgamez.com.pikesway.com

Alleged defacement of multiple websites by Babayo Eror System
Category: Defacement
Content: Threat actor Babayo Eror System claims to have defaced multiple websites including mail.makandwa.co.zw, makandwa.co.zw, mega888.euro2020tips.com, sale-bird.alesharahfashions.com, and bizgamez.com.pikesway.com. The post includes a photo as proof of defacement.
Date: 2026-04-16T10:04:59Z
Network: telegram
Published URL: https://t.me/c/3865526389/473
Screenshots:
None
Threat Actors: Babayo Eror System
Victim Country: Zimbabwe
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: mail.makandwa.co.zw, makandwa.co.zw, mega888.euro2020tips.com, sale-bird.alesharahfashions.com, bizgamez.com.pikesway.com

Alleged leak of Turkish intelligence agency personnel data
Category: Data Leak
Content: Threat actor SiberSLX shared detailed personal information of 12 Turkish intelligence agency personnel including national ID numbers, family details, addresses, and other sensitive data. The actor claims this is an updated version of a previous leak and made the data available for free download.
Date: 2026-04-16T10:03:41Z
Network: openweb
Published URL: https://breached.st/threads/turkey-mit-milli-istihbarat-teskilati-fullz-12-personnel-leaked-download.86023/unread
Screenshots:
None
Threat Actors: SiberSLX
Victim Country: Turkey
Victim Industry: Government
Victim Organization: MİT (Milli İstihbarat Teşkilatı)
Victim Site: Unknown

Alleged leak of Virginia-class submarine critical technology documents
Category: Data Leak
Content: Threat actor PhotonPool shared documents allegedly containing critical quiet technology information related to Virginia-class submarines on a dark web forum. The post includes an onion link and session identifier for accessing the leaked materials.
Date: 2026-04-16T10:01:35Z
Network: openweb
Published URL: https://darkforums.su/Thread-Virginia-class-submarines-Critical-Quiet-Technology
Screenshots:
None
Threat Actors: PhotonPool
Victim Country: United States
Victim Industry: Defense
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of HQ combolists and credential hits
Category: Combo List
Content: A threat actor is offering high quality (HQ) combo lists and credential hits for specific targets. Contact-based sale with no price mentioned.
Date: 2026-04-16T10:01:13Z
Network: telegram
Published URL: https://t.me/c/2613583520/63667
Screenshots:
None
Threat Actors: Bo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data breach of Taiwan dating and matchmaking websites
Category: Data Breach
Content: A user claims to possess personal data from Taiwan dating and matchmaking websites, comprising 32,000 male and 26,000 female user records. A sample of 2,000 male records has been shared via a file hosting service.
Date: 2026-04-16T10:00:25Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-58k-User-Data-from-Taiwan-Dating-and-Matchmaking-Websites
Screenshots:
None
Threat Actors: Retro
Victim Country: Taiwan
Victim Industry: Dating and Social Media
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of exploit.in forum account access
Category: Initial Access
Content: Threat actor zSenior is selling full access to an exploit.in forum account for $150 BTC, including ability to change email and security questions.
Date: 2026-04-16T09:59:42Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-exploit-in-Account-full-access
Screenshots:
None
Threat Actors: zSenior
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: exploit.in
Victim Site: exploit.in

Alleged sale of initial access to multiple organizations in Turkey and South Africa
Category: Initial Access
Content: Threat actor KazeFreak is advertising network access credentials for sale on a dark web marketplace, targeting organizations across multiple sectors including energy, education, construction, aerospace/defense, retail, and media companies in Turkey and South Africa with revenues ranging from $25M to $5B.
Date: 2026-04-16T09:59:00Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-FRESH-LISTINGS-Turkey-and-South-Africa-companies
Screenshots:
None
Threat Actors: KazeFreak
Victim Country: South Africa
Victim Industry: Energy
Victim Organization: Unknown
Victim Site: Unknown

Alleged data leak of SmartBuy employee database
Category: Data Leak
Content: Threat actor BaphyHack shared what appears to be a complete employee database dump from SmartBuy, a Venezuelan electronics retailer. The leaked data contains employee information including names, email addresses, hashed passwords, and system administration details.
Date: 2026-04-16T09:57:28Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-pepelmao-smartbuy-online-Complete-database-leak-Venezuela
Screenshots:
None
Threat Actors: BaphyHack
Victim Country: Venezuela
Victim Industry: Retail
Victim Organization: SmartBuy
Victim Site: smartbuy.online

Alleged Sale of ShinyHunters Stolen Data Including Salesforce Databases and Cisco Source Code
Category: Data Breach
Content: The ShinyHunters threat actor is advertising paid Telegram channel access to multiple stolen data collections: (1) 9.1M+ files from Salesforce databases (2024-2026) priced at $10,000 lifetime; (2) 1M+ files from a ransom database (Pay or leaks) priced at $2,500 lifetime; (3) 3.39 billion files from a mixed CDN/RF/BF dataset priced at $1,000 lifetime or tiered subscriptions; and (4) a Scattered LAPSUS$ Hunters chat containing 3M+ Cisco source code files. An onion DLS site is also provided. The post claims this is the official ShinyHunters channel, with owner handle @shinyc0rpsss.
Date: 2026-04-16T09:57:11Z
Network: telegram
Published URL: https://t.me/c/3500620464/6854
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Technology, Cloud Services
Victim Organization: Salesforce, Cisco
Victim Site: salesforce.com, cisco.com

Alleged Sale of Stolen Data Collections by ShinyHunters Including Salesforce Databases and Ransom Data
Category: Data Breach
Content: The ShinyHunters threat actor is advertising multiple paid data access services: a Files Cloud containing 9.1M files from Salesforce databases (2024-2026) priced at $10,000 lifetime; a Pay or Leaks ransom database with 1M+ files at $2,500 lifetime; and a Whale Private collection of 3.39 billion files from various companies and countries at tiered pricing ($200-$1,000). The post also references 3M+ Cisco source code files. Contact details include a Telegram handle, Tutamail address, Tox ID, Session ID, and a Tor-based DLS site. The group claims affiliation with Scattered LAPSUS$ Hunters.
Date: 2026-04-16T09:57:07Z
Network: telegram
Published URL: https://t.me/c/3737716184/1230
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Salesforce, Cisco (among others)
Victim Site: Unknown

Alleged data leak of E.T.A.I database containing French automotive business information
Category: Data Leak
Content: Threat actor ChimeraZ leaked a 4.16 MB database containing 6,600 records of French automotive businesses including company information, contact details, SIRET numbers, and user credentials with hashed passwords.
Date: 2026-04-16T09:56:44Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-6-6K-E-T-A-I–73628
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: Automotive
Victim Organization: E.T.A.I
Victim Site: Unknown

Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor shared a list of 17,000 allegedly valid Hotmail credentials on a cybercrime forum. The credentials appear to be distributed as a free combolist for other forum members to access.
Date: 2026-04-16T09:47:22Z
Network: openweb
Published URL: https://crackingx.com/threads/72269/
Screenshots:
None
Threat Actors: Cir4d
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged promotion of AML detection service on underground forum
Category: Initial Access
Content: A threat actor promotes an AML Detect Bot service on an underground forum, claiming to verify cryptocurrency wallet addresses for fraud, darknet exposure, and sanctions compliance. The service offers 4 free checks for new users via Telegram bots.
Date: 2026-04-16T09:47:12Z
Network: openweb
Published URL: https://crackingx.com/threads/72270/
Screenshots:
None
Threat Actors: eSuppp
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of hacking and pentesting services by ShinyHunters
Category: Cyber Attack
Content: A threat actor operating under the ShinyHunters name is advertising pentesting, hacking, and developer services for $10,000 USD. The post includes multiple Telegram group links, a contact handle (@shinyc0rpsss), an email address ([email protected]), a Tox ID, and a Session ID. The actor claims to offer services targeting multiple countries.
Date: 2026-04-16T09:42:49Z
Network: telegram
Published URL: https://t.me/c/3500620464/6853
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of Stack Systems by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a media or custom content directory on the Uzbekistan-based IT company Stack Systems website (stack-systems.uz). The attack was a targeted, non-mass defacement with no stated motive or team affiliation. The incident was documented and mirrored by zone-xsec.com.
Date: 2026-04-16T09:11:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834737
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Uzbekistan
Victim Industry: Information Technology
Victim Organization: Stack Systems
Victim Site: stack-systems.uz

Alleged leak of Gmail credential combolist
Category: Combo List
Content: A threat actor distributes a Gmail credential combolist containing 13 million entries through Telegram channels. The actor offers free access to the combolist and related cracking tools via dedicated Telegram groups.
Date: 2026-04-16T09:11:22Z
Network: openweb
Published URL: https://crackingx.com/threads/72267/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com

Alleged leak of social media and e-commerce credentials
Category: Combo List
Content: A threat actor leaked a combolist containing approximately 300,000 credentials targeting social media and e-commerce platforms. The data is being distributed for free via a file-sharing service.
Date: 2026-04-16T09:11:08Z
Network: openweb
Published URL: https://crackingx.com/threads/72268/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of Direct Lockers by DimasHxR
Category: Defacement
Content: On April 16, 2026, the website of Direct Lockers, a UK-based locker and storage solutions retailer, was defaced by the threat actor known as DimasHxR. The defacement was a targeted, non-mass attack affecting a subdirectory of the site rather than the homepage. No specific motive or team affiliation was attributed to the attacker.
Date: 2026-04-16T09:10:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834744
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Retail / Security Products
Victim Organization: Direct Lockers
Victim Site: www.directlockers.co.uk

Website Defacement of eShopsHub Staging Environment by DimasHxR
Category: Defacement
Content: On April 16, 2026, threat actor DimasHxR defaced a staging environment belonging to eShopsHub, an e-commerce platform. The defacement targeted a media directory path on the staging domain and was neither a mass nor a home page defacement. No team affiliation, stated motive, or technical server details were disclosed in association with this incident.
Date: 2026-04-16T09:10:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834745
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: eShopsHub
Victim Site: www.eshopshubstging.com

Website Defacement of MrLiving by DimasHxR
Category: Defacement
Content: On April 16, 2026, the Taiwanese home living website MrLiving (www.mrliving.com.tw) was defaced by a threat actor identified as DimasHxR operating independently without a team affiliation. The attack targeted a subdirectory of the site rather than the homepage and was a single targeted defacement, with a mirror of the defaced content archived on zone-xsec.com.
Date: 2026-04-16T09:09:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834752
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Taiwan
Victim Industry: Retail / Home Living
Victim Organization: MrLiving
Victim Site: www.mrliving.com.tw

Website Defacement of Stack Systems by DimasHxR
Category: Defacement
Content: On April 16, 2026, the attacker known as DimasHxR defaced a media/custom directory page on stack-systems.uz, a technology services company based in Uzbekistan. The incident was a targeted single-site defacement with no team affiliation reported. Technical details regarding the server environment and attack vector were not disclosed.
Date: 2026-04-16T09:08:25Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834736
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Uzbekistan
Victim Industry: Technology / IT Services
Victim Organization: Stack Systems
Victim Site: stack-systems.uz

Website Defacement of Medizina.de by DimasHxR
Category: Defacement
Content: On April 16, 2026, threat actor DimasHxR defaced a subdirectory of medizina.de, a German medical or healthcare-related website. The attack targeted a specific media or customer directory path rather than the site's homepage. No team affiliation, stated motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-16T09:07:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834750
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Healthcare / Medical
Victim Organization: Medizina
Victim Site: medizina.de

Website Defacement of City Work Wear by DimasHxR
Category: Defacement
Content: On April 16, 2026, the attacker known as DimasHxR defaced a media/customer directory path on cityworkwear.com, a workwear retail website. The defacement was a targeted, non-mass incident affecting a subdirectory rather than the homepage. No specific motive or team affiliation was reported for this attack.
Date: 2026-04-16T09:06:38Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834719
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Australia
Victim Industry: Retail / Workwear Apparel
Victim Organization: City Work Wear
Victim Site: cityworkwear.com

Website Defacement of De Feestspecialist by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a sub-path within the defeestspecialist.nl domain, a Dutch party and event supplies retailer. The defacement targeted a media directory path rather than the homepage, suggesting exploitation of a vulnerable web application component such as a CMS media upload directory. No team affiliation, stated motive, or server details were disclosed.
Date: 2026-04-16T09:05:40Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834720
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Netherlands
Victim Industry: Retail / Event Supplies
Victim Organization: De Feestspecialist
Victim Site: defeestspecialist.nl

Website Defacement of SaveCedis by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a subdirectory of the website www.savecedis.com, targeting a media/custom path rather than the homepage. The attack was conducted as a solo operation with no team affiliation and was neither a mass defacement nor a redefacement. No motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-16T09:03:48Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834754
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: SaveCedis
Victim Site: www.savecedis.com

Website Defacement of Medizina.de by DimasHxR
Category: Defacement
Content: On April 16, 2026, the threat actor DimasHxR defaced a page on medizina.de, a German medical/healthcare-related website. The attack targeted a subdirectory within the site's public media directory and was neither a mass nor a home page defacement. No specific motive or technical details were disclosed.
Date: 2026-04-16T09:02:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834751
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Healthcare / Medical
Victim Organization: Medizina
Victim Site: medizina.de

Website Defacement of Medizina.de by DimasHxR
Category: Defacement
Content: On April 16, 2026, the threat actor DimasHxR defaced a subdirectory of medizina.de, a German healthcare-related website. The attack targeted a media/customer directory path and was a targeted single-site defacement rather than a mass or home page compromise. No team affiliation, stated motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-16T09:02:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834749
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Healthcare
Victim Organization: Medizina
Victim Site: medizina.de

Website Defacement of Anna Crockery by DimasHxR
Category: Defacement
Content: On April 16, 2026, the website anna-crockery.com was defaced by a threat actor operating under the handle DimasHxR. The defacement targeted a subdirectory of the site rather than the homepage and was carried out as a single, non-mass defacement. No team affiliation, motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-16T09:01:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834706
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / Home Goods
Victim Organization: Anna Crockery
Victim Site: anna-crockery.com

Alleged leak of credential combolist containing 172,000 records
Category: Combo List
Content: A threat actor shared a combolist containing 172,000 credential pairs on a cybercriminal forum. The post requires registration to view the full content details.
Date: 2026-04-16T08:41:52Z
Network: openweb
Published URL: https://crackingx.com/threads/72266/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged ShinyHunters Database Request and Sales Service
Category: Data Breach
Content: ShinyHunters is advertising a database request service where users can request specific leaked or stolen databases. Free leaks will be provided at no cost, while sold databases require payment of $200 USD. Multiple Telegram channel links are shared for group access and backup channels.
Date: 2026-04-16T08:40:38Z
Network: telegram
Published URL: https://t.me/c/3737716184/1228
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Sourcescrub and Salesforce business records
Category: Data Leak
Content: A forum user shared samples of Sourcescrub and Salesforce business records via a file hosting service, claiming to have thousands of such files available through accessible cloud storage buckets. The leaked data appears to contain business and consumer information that can be compiled into databases.
Date: 2026-04-16T08:21:17Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Sourcescrub-Salesforce-records-for-those-who-want-to-WORK-to-get-them
Screenshots:
None
Threat Actors: OriginalCrazyOldFart
Victim Country: Unknown
Victim Industry: Business Services
Victim Organization: Sourcescrub
Victim Site: Unknown
Alleged leak of email credentials combolist
Category: Combo List
Content: Threat actor COYTO shared a combolist containing 2,000 valid email credentials through a free download link on an underground forum.
Date: 2026-04-16T08:06:28Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-2K-VALID-MAIL-ACCESS–200626
Screenshots:
None
Threat Actors: COYTO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: Threat actor alphaxdd shared a combolist containing 1,026 Hotmail email and password combinations on a cybercriminal forum. The credentials are claimed to be valid and from a private cloud source.
Date: 2026-04-16T08:05:34Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-1026x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of credential combolist
Category: Combo List
Content: A threat actor shared a fresh credential combolist containing 3.6 million entries on a cybercrime forum. The post advertises the credentials as ultra-high quality and fresh for April.
Date: 2026-04-16T08:03:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72262/
Screenshots:
None
Threat Actors: Blackcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of credential combolist containing 1.6 million records
Category: Combo List
Content: A threat actor is distributing a fresh credential combolist containing 1.6 million records described as high quality. The data is being made available for free download on a cybercriminal forum.
Date: 2026-04-16T08:03:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72263/
Screenshots:
None
Threat Actors: Blackcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor allegedly leaked 1,026 Hotmail email credentials as a free download on a cybercrime forum, claiming the accounts are valid and premium.
Date: 2026-04-16T08:03:17Z
Network: openweb
Published URL: https://crackingx.com/threads/72264/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Gmail credentials
Category: Combo List
Content: Threat actor D4rkNetHub allegedly shared a combolist containing over 100,000 Gmail credentials on a cybercriminal forum. The post content is restricted and requires forum registration to view details.
Date: 2026-04-16T08:03:03Z
Network: openweb
Published URL: https://crackingx.com/threads/72265/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged Threat Actor 313 Team Announces Escalating Attacks on Corporations, Banks, and Government Infrastructure
Category: Cyber Attack
Content: Threat actor group 313 Team, affiliated with the service Beamed.SU, issued a public statement announcing their intent to target larger corporations, banks, and government infrastructure. The post includes a promotional 30% discount offer on ALL plans using code 313Team, suggesting Beamed.SU is a monetized attack-for-hire or DDoS service. The message is politically motivated, referencing pro-Palestinian and pro-Iranian sentiments, and is signed by handle @thefergieferg.
Date: 2026-04-16T07:26:14Z
Network: telegram
Published URL: https://t.me/c/2250158203/1004
Screenshots:
None
Threat Actors: 313 Team
Victim Country: Unknown
Victim Industry: Government, Banking, Corporate
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Netherlands credential combolist
Category: Combo List
Content: Threat actor CobraEgy shared a credential combolist containing over 254,000 email and password combinations allegedly from Netherlands users. The data is described as fresh and high quality, distributed through the Maxi_Leaks operation.
Date: 2026-04-16T07:25:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-254-K-%E2%9C%A6-Netherlands-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-16-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Netherlands
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Mexican credentials combolist
Category: Combo List
Content: A threat actor shared a combolist containing over 121,000 email and password combinations allegedly from Mexico. The credentials are described as fresh and high quality, and were made available for free download on a cybercriminal forum.
Date: 2026-04-16T07:24:44Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-121-K-%E2%9C%A6-Mexico-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-16-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Mexico
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Montenegro credentials
Category: Combo List
Content: Threat actor CobraEgy shared a combolist containing over 39,000 email and password combinations allegedly from Montenegro. The credentials are claimed to be fresh and high quality.
Date: 2026-04-16T07:23:50Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-39-K-%E2%9C%A6-Montenegro-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-16-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Montenegro
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of New Zealand credential combolist
Category: Combo List
Content: Actor CobraEgy shared a credential combolist containing over 25,000 email and password combinations allegedly from New Zealand users. The data is described as fresh and high quality, distributed through hidden content requiring forum registration.
Date: 2026-04-16T07:22:56Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-25-K-%E2%9C%A6-New-Zealand-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-16-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: New Zealand
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Nigerian email credentials
Category: Combo List
Content: Threat actor CobraEgy shared a combolist containing over 14,000 Nigerian email and password combinations on DemonForums. The credentials are claimed to be fresh and high quality.
Date: 2026-04-16T07:21:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-14-K-%E2%9C%A6-Nigeria-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-16-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Nigeria
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: Forum post advertising a high-quality Hotmail credential combolist containing email and password combinations. The content is hidden behind registration requirements on the forum.
Date: 2026-04-16T07:20:35Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9A%A1%E2%9A%A1-X897-HQ-Hotmail-%E2%9A%A1%E2%9A%A1-BY-Steveee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Micronesian credentials
Category: Combo List
Content: User CobraEgy allegedly shared a combolist containing 17,000+ email:password credentials from Micronesia, labeled as fresh and dated April 16, 2026.
Date: 2026-04-16T07:19:28Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-17-K-%E2%9C%A6-Micronesia-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-16-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Micronesia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Nepal credentials combolist
Category: Combo List
Content: Threat actor CobraEgy shared a combolist containing over 10,000 email and password combinations allegedly from Nepal. The credentials are claimed to be fresh and high quality, distributed through the Maxi_Leaks operation.
Date: 2026-04-16T07:18:37Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-10-K-%E2%9C%A6-Nepal-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-16-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Nepal
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of PlayStation 2 BIOS files for emulation
Category: Data Leak
Content: Forum post provides guidance on using PlayStation 2 BIOS files for emulation purposes, discussing different regional versions and their compatibility with emulators.
Date: 2026-04-16T07:17:59Z
Network: openweb
Published URL: https://demonforums.net/Thread-Which-PS2-BIOS-to-Use-%E2%80%93-Complete-Guide-for-Best-Emulator-Performance
Screenshots:
None
Threat Actors: sambillings
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Sony
Victim Site: Unknown
Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor shared a combolist containing 1,000 Hotmail email and password combinations through a free download link on a cybercriminal forum.
Date: 2026-04-16T07:17:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1K-HQ-HOTMAIL–200625
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials
Category: Combo List
Content: Forum post allegedly sharing a combolist containing Hotmail email and password combinations for free download.
Date: 2026-04-16T07:14:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72259/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Yahoo credentials combolist
Category: Combo List
Content: A threat actor shared a combolist containing 751,874 credential pairs allegedly targeting Yahoo accounts. The data was distributed via a file sharing platform without any payment required.
Date: 2026-04-16T07:14:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72260/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com
Alleged surge in cyber intrusions targeting firewalls and VPNs across the Middle East
Category: Cyber Attack
Content: Security reports indicate a significant increase in password spraying attacks against network security equipment in Q1 2026. The attacks are primarily attributed to the Middle East region and target security devices including SonicWall and Fortinet appliances. Attackers are conducting repeated unauthorized login attempts against these systems. Experts recommend strong passwords, two-factor authentication, and monitoring of failed login attempts as countermeasures.
Date: 2026-04-16T06:57:56Z
Network: telegram
Published URL: https://t.me/c/1283513914/21221
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Unknown
Victim Industry: Technology / Network Security
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Yahoo credentials combolist
Category: Combo List
Content: A threat actor is distributing, for free through Telegram channels, an 11 million record credential combolist targeting Yahoo email domains including yahoo.com, ymail.com, and yahoo.co.uk.
Date: 2026-04-16T06:35:54Z
Network: openweb
Published URL: https://crackingx.com/threads/72258/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com
Alleged request for Netvision SMTP access with document modification services offered
Category: Combo List
Content: A threat actor is seeking SMTP access to Israeli ISP Netvision, offering document modification services in exchange. This appears to be a request for email server access rather than a data breach claim.
Date: 2026-04-16T06:14:08Z
Network: openweb
Published URL: https://pwnforums.st/Thread-NEED-FOR-NETVISION-SMTP
Screenshots:
None
Threat Actors: zbones
Victim Country: Israel
Victim Industry: Telecommunications
Victim Organization: Netvision
Victim Site: netvision.co.il
Alleged leak of E.T.A.I database containing French business records
Category: Data Leak
Content: Threat actor ChimeraZ leaked a 4.16 MB database dump from E.T.A.I containing 6,600 records of French automotive repair businesses with client codes, SIRET numbers, contact details, and hashed passwords. The data is distributed free via multiple file hosting services in JSONL format.
Date: 2026-04-16T06:08:33Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-6-6K-E-T-A-I
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: Technology Services
Victim Organization: E.T.A.I
Victim Site: Unknown
Alleged data breach of Yad Vashem Holocaust Museum by Nasir hacker group
Category: Data Breach
Content: The hacker group Nasir (نصیر) claims to have successfully breached Yad Vashem, the world's largest Holocaust museum, coinciding with Holocaust memorial ceremonies. The group alleges they have obtained personal information of all visitors, donors, confidential delegations, and purported Mossad agents operating under false identities. No data samples or proof have been shared in this announcement.
Date: 2026-04-16T05:53:24Z
Network: telegram
Published URL: https://t.me/c/1283513914/21220
Screenshots:
None
Threat Actors: Nasir
Victim Country: Israel
Victim Industry: Cultural/Memorial Institution
Victim Organization: Yad Vashem
Victim Site: Unknown
Mass Defacement of Brazilian Business Site by MR~TNT of QATAR911
Category: Defacement
Content: On April 16, 2026, threat actor MR~TNT operating under the group QATAR911 conducted a mass defacement attack targeting deliansseg.solucoesmix.com.br, a Brazilian business solutions website hosted on a Linux server. The attack was part of a broader mass defacement campaign and was archived on haxor.id. This was not a re-defacement, indicating it was the first successful compromise of this target.
Date: 2026-04-16T05:51:32Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248561
Screenshots:
None
Threat Actors: MR~TNT, QATAR911
Victim Country: Brazil
Victim Industry: Business Services / Solutions
Victim Organization: Soluções Mix
Victim Site: deliansseg.solucoesmix.com.br
Mass defacement of Brazilian web hosting platform by MR~TNT of QATAR911
Category: Defacement
Content: On April 16, 2026, threat actor MR~TNT operating under the group QATAR911 conducted a mass defacement targeting a subdomain hosted on the Brazilian web solutions platform Soluções Mix. The attack affected a Linux-based server and was classified as a mass defacement, indicating multiple hosted sites may have been impacted. The defaced page was archived via haxor.id, confirming the incident.
Date: 2026-04-16T05:48:59Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248560
Screenshots:
None
Threat Actors: MR~TNT, QATAR911
Victim Country: Brazil
Victim Industry: Technology / Web Hosting
Victim Organization: Soluções Mix
Victim Site: artsystemsacadas.solucoesmix.com.br
Mass Defacement of Brazilian Energy Sector Site by MR~TNT (QATAR911)
Category: Defacement
Content: On April 16, 2026, threat actor MR~TNT operating under the team QATAR911 conducted a mass defacement campaign targeting aeitaipu.com.br, a Brazilian website associated with AEIT Itaipu, likely linked to the Itaipu hydroelectric energy sector. The attack was carried out on a Linux-based server and forms part of a broader mass defacement operation. A mirror of the defaced page was archived at haxor.id.
Date: 2026-04-16T05:43:03Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248559
Screenshots:
None
Threat Actors: MR~TNT, QATAR911
Victim Country: Brazil
Victim Industry: Energy / Utilities
Victim Organization: AEIT Itaipu
Victim Site: aeitaipu.com.br
Alleged sharing of web penetration testing resources
Category: Data Leak
Content: A threat actor shared a website containing web penetration testing materials and other security-related content. The post does not specify details about the content or any specific victims.
Date: 2026-04-16T05:42:58Z
Network: openweb
Published URL: https://breached.st/threads/web-penetration-testing.86020/unread
Screenshots:
None
Threat Actors: Drift
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged defacement of Dadri Telecom website by #OpsShadowStrike
Category: Defacement
Content: The threat group #OpsShadowStrike, in collaboration with multiple hacktivist groups including TengkorakCyberCrew, MalaysiaHacktivist, EagleCyberCrew, and others, claims to have defaced the website of Dadri Telecom, an Indian fiber broadband provider. The defacement page was posted at dadritelecom.com/ops.html and a Zone-H mirror was submitted as proof (ID: 41693874). The attack appears motivated by pro-Palestine/anti-Israel hacktivism.
Date: 2026-04-16T05:38:31Z
Network: telegram
Published URL: https://t.me/c/3844432135/331
Screenshots:
None
Threat Actors: #OpsShadowStrike
Victim Country: India
Victim Industry: Telecommunications
Victim Organization: Dadri Telecom
Victim Site: dadritelecom.com
Alleged Russian Cyber Reconnaissance Against French Nuclear Infrastructure
Category: Cyber Attack
Content: Reports indicate increased Russian-attributed cyber activity targeting sensitive French networks, specifically focused on reconnaissance of communication infrastructure related to nuclear deterrence. Operations reportedly target technical centers, personnel, and support companies to identify potential vulnerabilities in critical systems.
Date: 2026-04-16T05:27:11Z
Network: telegram
Published URL: https://t.me/c/1283513914/21216
Screenshots:
None
Threat Actors: Russia
Victim Country: France
Victim Industry: Nuclear/Defense
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of credential combolist containing 172,000 records
Category: Combo List
Content: A threat actor shared a credential combolist containing 172,000 unique email and password combinations on a cybercrime forum.
Date: 2026-04-16T05:26:11Z
Network: openweb
Published URL: https://crackingx.com/threads/72256/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Solucoesmix by MR~TNT of QATAR911
Category: Defacement
Content: On April 16, 2026, the Brazilian website solucoesmix.com.br was defaced by threat actor MR~TNT, operating under the hacktivist group QATAR911. The attack targeted a Linux-based web server and resulted in a single-page defacement. The incident was archived and mirrored via haxor.id.
Date: 2026-04-16T05:15:14Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248558
Screenshots:
None
Threat Actors: MR~TNT, QATAR911
Victim Country: Brazil
Victim Industry: Technology / IT Solutions
Victim Organization: Solucoesmix
Victim Site: solucoesmix.com.br
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor shared a combolist containing 3,272 Hotmail email and password combinations on a cybercrime forum. The actor also advertises premium cloud access services through their Telegram channel and dedicated website.
Date: 2026-04-16T04:51:13Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-3-272-Good-HOTMAIL-GOODS-D4RKNETHUB-CLOUD
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials
Category: Combo List
Content: Threat actor D4rkNetHub shared a combolist containing 3,272 Hotmail credentials on a cybercriminal forum. The credentials are described as good, suggesting they are verified as valid.
Date: 2026-04-16T04:50:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72254/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of corporate email combolist
Category: Combo List
Content: A threat actor shared a combolist containing 102,756 corporate email credentials, marketed as suitable for lead targeting purposes. The credentials are distributed via a free file sharing platform.
Date: 2026-04-16T04:50:09Z
Network: openweb
Published URL: https://crackingx.com/threads/72255/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of AI OSINT tools and resources
Category: Data Leak
Content: A threat actor shared a GitHub repository containing articles, videos, and tools related to using artificial intelligence for open source intelligence gathering.
Date: 2026-04-16T04:34:53Z
Network: openweb
Published URL: https://breached.st/threads/awesome-ai-osint.86019/unread
Screenshots:
None
Threat Actors: Drift
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of business credential combolist containing 5.4 million records
Category: Combo List
Content: Threat actor CODER is distributing a credential combolist containing 5.4 million business-related email and password combinations through Telegram channels. The combolist is being offered for free through dedicated Telegram groups.
Date: 2026-04-16T04:14:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72252/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Ticketmaster 4.51TB Database Archive by ShinyHunters
Category: Data Breach
Content: A threat actor operating under the ShinyHunters identity is claiming to sell a 4.51TB Ticketmaster database archive containing approximately 980 million sales orders, 680 million order details, 1.2 billion party lookup records, 440 million unique email addresses, 4 million deduped records, 560 million AVS detail records, and 400 million encrypted credit card details with partial information. The asking price is $25,000 for the full dataset. Contact is via Telegram @shinyc0rpsss.
Date: 2026-04-16T04:01:43Z
Network: telegram
Published URL: https://t.me/c/3500620464/6842
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Entertainment / Ticketing
Victim Organization: Ticketmaster
Victim Site: ticketmaster.com
Alleged Free Leak of AT&T 70M Customer Database by ShinyHunters
Category: Data Breach
Content: The threat actor ShinyHunters has re-uploaded and made available for free download the AT&T 70M database (2021) on BreachForums. The dataset contains 73,481,539 records totaling 15.1GiB uncompressed (3.8GiB compressed), split into two files. Fields include SSN (Field 8) and Date of Birth (Field 9), with 29,083,259 records containing both SSN and DOB, and 44,398,280 records containing partial or no SSN/DOB. The data is described as pre-collated for immediate use.
Date: 2026-04-16T04:01:36Z
Network: telegram
Published URL: https://t.me/c/3737716184/1223
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Telecommunications
Victim Organization: AT&T
Victim Site: att.com
Alleged data leak of Zumvu database
Category: Data Leak
Content: A threat actor leaked a database dump from zumvu.com containing 260,000 records with MD5 hashed data through a cybercrime forum.
Date: 2026-04-16T03:53:04Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-zumvu-com
Screenshots:
None
Threat Actors: lefshaaa
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Zumvu
Victim Site: zumvu.com
Website Defacement of Bemondi by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a media/customer directory page on the website bemondi.com. The attack was an isolated, non-mass defacement targeting a subdirectory of the domain rather than the homepage. No specific motive or team affiliation was disclosed in connection with this incident.
Date: 2026-04-16T03:46:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834609
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: Bemondi
Victim Site: www.bemondi.com
DimasHxR defaced www.bemondi.com/media/customer…
Category: Defacement
Content: Target: www.bemondi.com/media/customer…; Attacker: DimasHxR; Date: 2026-04-16 10:18:25
Date: 2026-04-16T03:40:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834609
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: www.bemondi.com/media/customer…
Website Defacement of Wibis.ch by DimasHxR
Category: Defacement
Content: On April 16, 2026, the website wibis.ch was defaced by a threat actor operating under the alias DimasHxR. The attacker targeted a media or customer advertising subdirectory of the Swiss domain. The defacement was a standalone, non-mass incident with no team affiliation reported.
Date: 2026-04-16T03:38:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834611
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Switzerland
Victim Industry: Unknown
Victim Organization: Wibis
Victim Site: www.wibis.ch
Alleged leak of email credentials combolist
Category: Combo List
Content: A threat actor shared a combolist containing 63,900 email credentials described as mixed, valid, private, and ultra high quality through a MediaFire download link.
Date: 2026-04-16T03:37:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72250/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of Telegram premium subscriptions via intermediary service
Category: Initial Access
Content: A threat actor is offering Telegram premium status subscriptions for 3, 6, and 12 month periods without requiring account sign-in, acting as an intermediary with payment in USDT or TRX cryptocurrency. The service includes a specific pricing structure and guarantor service requirements for transactions.
Date: 2026-04-16T03:36:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72251/
Screenshots:
None
Threat Actors: vlesskey
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Telegram
Victim Site: telegram.org
Alleged data breach of DarkForums by ShinyHunters exposing 420k+ records
Category: Data Breach
Content: Threat actor ShinyHunters claims to have obtained and is sharing a dataset from DarkForums containing over 420,000 records, including posts, user data, and IP addresses. The data is reportedly updated as of April 15, 2026.
Date: 2026-04-16T03:35:55Z
Network: telegram
Published URL: https://t.me/c/3737716184/1208
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Online Forums
Victim Organization: DarkForums
Victim Site: Unknown
Website Defacement of RBD.se by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a page on the Swedish website www.rbd.se, targeting a media/customer address path. The attack was a singular, non-mass defacement with no stated motive or team affiliation. Technical details regarding the server environment and attack vector remain unknown.
Date: 2026-04-16T03:32:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834582
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Sweden
Victim Industry: Unknown
Victim Organization: RBD
Victim Site: www.rbd.se
Website Defacement of Time and Tide Stores by DimasHxR
Category: Defacement
Content: On April 16, 2026, the attacker known as DimasHxR defaced a page on the UK-based retail website Time and Tide Stores. The incident was a targeted single-page defacement, not classified as a mass or home page defacement. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-16T03:32:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834589
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Retail
Victim Organization: Time and Tide Stores
Victim Site: www.timeandtidestores.co.uk
Website Defacement of Italian Domain by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a webpage hosted on the Italian domain sappiamosolorubare.it. The attack targeted a subdirectory of the site and was neither a mass defacement nor a home page defacement. The incident was recorded and mirrored by zone-xsec.com under mirror ID 834583.
Date: 2026-04-16T03:31:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834583
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Sappiamosolorubare
Victim Site: www.sappiamosolorubare.it
Website Defacement of LV Guitars by DimasHxR
Category: Defacement
Content: On April 16, 2026, threat actor DimasHxR defaced a page on lvguitars.com, a website associated with guitar retail or manufacturing. The attack targeted a specific media/custom path rather than the homepage and was carried out by an individual actor with no affiliated team. Server and infrastructure details were not disclosed in the available data.
Date: 2026-04-16T03:30:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834573
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / Music & Musical Instruments
Victim Organization: LV Guitars
Victim Site: www.lvguitars.com
- Website Defacement of Phytoab by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a page on www.phytoab.com, targeting a subdirectory within the site's media content path. The defacement was a targeted, single-site incident with no team affiliation reported. Server and infrastructure details were not disclosed in the available intelligence.
Date: 2026-04-16T03:30:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834579
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-commerce
Victim Organization: Phytoab
Victim Site: www.phytoab.com
- Website Defacement of Totvi.cat by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a webpage hosted on www.totvi.cat, a Catalan regional media or information portal based in Spain. The defacement targeted a specific media/custom directory path rather than the homepage, indicating a targeted file or directory-level compromise. No team affiliation, stated motive, or technical indicators were disclosed alongside the incident.
Date: 2026-04-16T03:29:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834590
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Spain
Victim Industry: Media/News
Victim Organization: Tot Vi
Victim Site: www.totvi.cat
- Website Defacement of Maquinas Online by DimasHxR
Category: Defacement
Content: On April 16, 2026, the threat actor DimasHxR defaced a subdirectory of maquinasonline.com, an online machinery sales platform. The attack was a targeted, non-mass defacement with no stated motive or team affiliation. A mirror of the defaced page was archived at zone-xsec.com.
Date: 2026-04-16T03:28:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834574
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Machinery & Equipment
Victim Organization: Maquinas Online
Victim Site: www.maquinasonline.com
- Website Defacement of World Car Parts UK by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor operating under the alias DimasHxR defaced a page on the UK-based automotive parts retailer World Car Parts. The defacement targeted a subdirectory of the media section of the website and was neither a mass nor a redefacement incident. No team affiliation, motive, or server details were disclosed in connection with the attack.
Date: 2026-04-16T03:27:55Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834601
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Automotive Parts Retail
Victim Organization: World Car Parts
Victim Site: www.worldcarparts.co.uk
- Website Defacement of Zoye Glasses Parts by DimasHxR
Category: Defacement
Content: On April 16, 2026, the website zoyeglassesparts.com was defaced by the threat actor DimasHxR acting independently without a team affiliation. The defacement targeted a subdirectory of the site rather than the homepage and was neither a mass nor a repeated defacement event. No specific motive or server details were disclosed in association with this incident.
Date: 2026-04-16T03:27:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834602
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / Eyewear Parts
Victim Organization: Zoye Glasses Parts
Victim Site: www.zoyeglassesparts.com
- Website Defacement of Vinos Wine by DimasHxR
Category: Defacement
Content: On April 16, 2026, the attacker known as DimasHxR defaced a web page on the Chilean wine retail website vinoswine.cl, targeting a subdirectory within the site's public media folder. The defacement was a single-page, non-mass incident with no team affiliation reported. Technical details regarding the server software and attack vector were not disclosed.
Date: 2026-04-16T03:26:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834597
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Chile
Victim Industry: Retail / E-Commerce (Wine & Beverages)
Victim Organization: Vinos Wine
Victim Site: www.vinoswine.cl
- Website Defacement of US Candle Co by DimasHxR
Category: Defacement
Content: On April 16, 2026, threat actor DimasHxR defaced a subdirectory of the US Candle Co website (www.uscandleco.com). The incident was a targeted, single-site defacement with no team affiliation reported. No specific motive or server details were disclosed.
Date: 2026-04-16T03:25:38Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834593
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: Retail / Consumer Goods
Victim Organization: US Candle Co
Victim Site: www.uscandleco.com
- Website Defacement of Vape Density by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a media/custom directory page on the Canadian vape retailer website vapedensity.ca. The attack was a targeted single-page defacement, not classified as a mass or home page defacement. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-16T03:24:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834594
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Canada
Victim Industry: Retail / E-commerce (Vaping/Tobacco Products)
Victim Organization: Vape Density
Victim Site: www.vapedensity.ca
- Website Defacement of ServiceMandi by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor known as DimasHxR defaced a page on servicemandi.com, targeting a subdirectory within the site's media folder. The attacker operated independently without affiliation to a known group. The incident was a targeted, non-mass defacement affecting a single page rather than the site's homepage.
Date: 2026-04-16T03:24:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834606
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: India
Victim Industry: Services / E-commerce
Victim Organization: ServiceMandi
Victim Site: servicemandi.com
- Website Defacement of Varlea by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a media/customer subdirectory of the website varlea.com. The attack was an individual, non-mass defacement targeting a specific page rather than the homepage. No team affiliation, stated motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-16T03:23:32Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834596
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Varlea
Victim Site: www.varlea.com
- Website Defacement of Spediti.de by DimasHxR
Category: Defacement
Content: On April 16, 2026, the threat actor DimasHxR defaced a media/customer directory on the German logistics website spediti.de. The attack was a targeted single-site defacement with no team affiliation reported. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-16T03:22:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834585
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Logistics / Freight and Shipping
Victim Organization: Spediti
Victim Site: www.spediti.de
- Website Defacement of Printalot by DimasHxR
Category: Defacement
Content: On April 16, 2026, threat actor DimasHxR defaced a subdirectory of printalot.de, a German printing services website. The defacement targeted a specific media/customer path rather than the homepage, indicating a targeted file upload or directory traversal exploitation. No team affiliation, stated motive, or technical server details were disclosed.
Date: 2026-04-16T03:22:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834581
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Printing and Publishing Services
Victim Organization: Printalot
Victim Site: www.printalot.de
- Website Defacement of WooTiTights by DimasHxR
Category: Defacement
Content: On April 16, 2026, threat actor DimasHxR defaced a page on the e-commerce website wootitights.com, targeting a file within the public media directory. The defacement was a targeted single-page attack, not classified as a mass or home page defacement. No team affiliation, stated motivation, or server details were disclosed.
Date: 2026-04-16T03:21:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834600
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-Commerce
Victim Organization: WooTiTights
Victim Site: www.wootitights.com
- Website Defacement of Medikont by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor operating under the alias DimasHxR defaced a web page hosted on the Slovenian medical domain medikont.si. The attack targeted a subdirectory path within the site's public media folder and was carried out as a single, non-mass defacement. No team affiliation, stated motive, or technical infrastructure details were disclosed by the attacker.
Date: 2026-04-16T03:20:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834575
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Slovenia
Victim Industry: Healthcare / Medical
Victim Organization: Medikont
Victim Site: www.medikont.si
- Website Defacement of Strictly Ecig by DimasHxR
Category: Defacement
Content: On April 16, 2026, a threat actor identified as DimasHxR defaced a page on the website of Strictly Ecig, an online retailer specializing in electronic cigarettes and vaping products. The defacement targeted a subdirectory within the site's media folder, suggesting possible exploitation of a content management system vulnerability. No team affiliation, stated motive, or server details were disclosed in connection with this incident.
Date: 2026-04-16T03:19:40Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834588
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-commerce (Vaping & Electronic Cigarettes)
Victim Organization: Strictly Ecig
Victim Site: www.strictlyecig.com
- Website Defacement of SeashellCo by DimasHxR
Category: Defacement
Content: On April 16, 2026, the threat actor DimasHxR defaced a page on seashellco.com, targeting a subdirectory within the site's public media folder. The attack was a targeted single-site defacement with no team affiliation reported. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-04-16T03:18:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/834584
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-commerce
Victim Organization: Seashell Co
Victim Site: www.seashellco.com
- Alleged Sale of Waltio.com Crypto Tax User Data by ShinyHunters (150k+ Records)
Category: Data Breach
Content: The threat actor ShinyHunters is selling a dataset allegedly stolen from Waltio.com, a French crypto tax platform. The dataset reportedly contains 150,000+ records including full names, email addresses, phone numbers, and tax residency information (100% France). The data is being offered for sale on BreachForums. Contact details including a Telegram handle, email, Tox ID, and Session ID were provided.
Date: 2026-04-16T03:11:53Z
Network: telegram
Published URL: https://t.me/c/3737716184/1216
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: France
Victim Industry: Financial Services / Cryptocurrency
Victim Organization: Waltio
Victim Site: waltio.com
- Alleged leak of Bandung population database
Category: Data Leak
Content: A threat actor leaked a population database from Bandung, Indonesia containing nearly 1 billion records with personal information including names, identification numbers, phone numbers, addresses, and demographic data in CSV format.
Date: 2026-04-16T03:11:45Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-leaked-Bandung-population-database
Screenshots:
None
Threat Actors: HtCvZBos
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach and Sale of Ticketmaster Entertainment Database by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters is allegedly selling a 4.51TB Ticketmaster Entertainment database containing approximately 980 million sales orders, 680 million order details, 1.2 billion party lookup records, 440 million unique email addresses, 560 million AVS detail records, and 400 million encrypted credit card details with partial information. Data fields include name, address, IP address, email, date of birth, credit card type, last 4 digits, and expiration dates. The asking price is $25,000. The post references breachforums.ai as the sales platform.
Date: 2026-04-16T03:03:46Z
Network: telegram
Published URL: https://t.me/c/3737716184/1195
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Entertainment / Ticketing
Victim Organization: Ticketmaster Entertainment, LLC
Victim Site: ticketmaster.com
- Alleged leak of credential combolist containing 3.7 million records
Category: Combo List
Content: A threat actor shared a combolist containing 3.7 million URL:LOG:PASS credentials via a free download link on Pixeldrain. The actor promotes the content as private and ultra-high quality, with contact information provided via Telegram.
Date: 2026-04-16T03:02:03Z
Network: openweb
Published URL: https://crackingx.com/threads/72246/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Gmail credentials combolist
Category: Combo List
Content: A threat actor leaked a combolist containing approximately 1.39 million Gmail email and password combinations from mixed countries. The credentials are being distributed for free download via a cloud storage link.
Date: 2026-04-16T03:01:45Z
Network: openweb
Published URL: https://crackingx.com/threads/72247/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor shared a combolist containing 4.6K allegedly valid Hotmail email credentials via a free download link on a cybercrime forum.
Date: 2026-04-16T03:01:28Z
Network: openweb
Published URL: https://crackingx.com/threads/72248/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged data breach and sale of 500k+ records from dxmpay.com (Du Xiaoman Pay) by ShinyHunters
Category: Data Breach
Content: Threat actor ShinyHunters is selling a dataset of 500,000+ records allegedly stolen from dxmpay.com, the official platform of Du Xiaoman Pay (formerly Baidu Wallet), a Chinese digital payment and financial management platform. The data reportedly includes user financial data (transaction history, payment amounts, wallet/merchant accounts), PII (full name, mobile number, email, ID card, date of birth, loan amounts), login credentials (username, password, session tokens/cookies), business/merchant data (API keys, financial reports), internal system data (database server configs, API endpoints), and technical data (IP addresses, device info, activity logs). The actor claims super admin access to the platform's control panel, system logs, user management, and merchant management. A sample of 20k–100k lines is offered for $20k USD; the full dataset is priced at $100k USD. The breach is also listed on breachforums.ai.
Date: 2026-04-16T02:59:36Z
Network: telegram
Published URL: https://t.me/c/3737716184/1209
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: China
Victim Industry: Financial Services / Digital Payments
Victim Organization: Du Xiaoman Pay (dxmpay.com)
Victim Site: dxmpay.com
- Alleged leak of credential list containing 3.7 million records
Category: Logs
Content: A threat actor named RedCloud made available a credential list containing 3.7 million URL/username/password combinations through a forum post with Telegram contact information for access.
Date: 2026-04-16T02:38:23Z
Network: openweb
Published URL: https://darkforums.su/Thread-%E2%9A%A1-3-7M-URL-LOG-PASS-PRIVATE-UHQ%E2%9A%A1
Screenshots:
None
Threat Actors: RedCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged defacement of Rocball Federation of India website by OpsShadowStrike
Category: Defacement
Content: The hacktivist group #OpsShadowStrike, in collaboration with multiple groups including TengkorakCyberCrew, MalaysiaHacktivist, EagleCyberCrew, CyberActivistMalaysia, AskarBadai, TheSweetNight, and Noheartz, claims to have defaced the Rocball Federation of India website (asianrocball.com). A zone-h mirror (ID: 41693857) was provided as proof. The attack appears politically motivated, referencing pro-Palestine and anti-Israel sentiments under the #AllMuslimHackers banner.
Date: 2026-04-16T02:25:48Z
Network: telegram
Published URL: https://t.me/c/3844432135/329
Screenshots:
None
Threat Actors: #OpsShadowStrike
Victim Country: India
Victim Industry: Sports
Victim Organization: Rocball Federation of India
Victim Site: asianrocball.com
- Alleged data leak of PlaySexShop.ru database
Category: Data Leak
Content: A threat actor shared a database dump from PlaySexShop.ru containing 5 files with transactions, orders, clients, users, and employee data. The leaked data includes personal information, contact details, and business records with various communication platforms and CRM system fields.
Date: 2026-04-16T02:08:00Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-PlaySexShop-ru-70k-64k-65k-36k
Screenshots:
None
Threat Actors: Tendi
Victim Country: Russia
Victim Industry: Retail
Victim Organization: PlaySexShop
Victim Site: playsexshop.ru
- Alleged Leak of Ticketmaster Taylor Swift Event Barcodes by ShinyHunters
Category: Data Leak
Content: Threat actor ShinyHunters has made available Ticketmaster event barcodes related to Taylor Swift events, described as part 1 of 65,000 parts. The data has been uploaded to BreachForums (breachforums.ai). No price is mentioned, indicating this is a free leak/distribution.
Date: 2026-04-16T02:05:23Z
Network: telegram
Published URL: https://t.me/c/3737716184/1192
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Entertainment / Ticketing
Victim Organization: Ticketmaster
Victim Site: ticketmaster.com
- Alleged Data Leak of Abrigo, Kemper Corporation, and Amtrak by ShinyHunters Following Failed Ransom Negotiations
Category: Data Leak
Content: Threat actor ShinyHunters has publicly leaked data from three organizations after failed ransom negotiations. Abrigo, Inc. had 1.7M+ Salesforce records exposed; Kemper Corporation had 13M+ records (29GB+ compressed); and National Railroad Passenger Corporation (Amtrak) had 9.4M+ records (19GB+ compressed). All leaks were updated April 15, 2026 and are hosted on the same IP (91.215.85.22). Data contains PII and internal corporate data. Files are freely downloadable via direct links.
Date: 2026-04-16T01:55:55Z
Network: telegram
Published URL: https://t.me/c/3500620464/6829
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Financial Services, Insurance, Transportation
Victim Organization: Abrigo Inc., Kemper Corporation, Amtrak (National Railroad Passenger Corporation)
Victim Site: abrigo.com, kemper.com, amtrak.com
- Alleged Data Leak of National Railroad Passenger Corporation (Amtrak) by ShinyHunters
Category: Data Leak
Content: Threat actor ShinyHunters claims to have leaked over 9.4 million Salesforce records (19GB+ compressed) belonging to Amtrak (amtrak.com). The data reportedly includes PII and internal corporate data. The group states the company failed to reach a ransom agreement, and the data has been made available for free download via a direct link. Updated April 15, 2026.
Date: 2026-04-16T01:55:49Z
Network: telegram
Published URL: https://t.me/c/3737716184/1206
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Transportation
Victim Organization: National Railroad Passenger Corporation (Amtrak)
Victim Site: amtrak.com
- Alleged Data Leak of Mytheresa by ShinyHunters
Category: Data Leak
Content: The threat actor ShinyHunters claims to have leaked sensitive customer PII and transactional history data belonging to Mytheresa, a luxury fashion e-commerce platform. The leak was published on April 15, 2026, after the company allegedly failed to reach a ransom agreement. A downloadable archive is being made available via a direct IP-hosted URL.
Date: 2026-04-16T01:44:47Z
Network: telegram
Published URL: https://t.me/c/3500620464/6828
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Germany
Victim Industry: Retail / E-Commerce
Victim Organization: Mytheresa
Victim Site: mytheresa.com
- Alleged Data Leak of Abrigo, Inc. by ShinyHunters — 1.7M+ Salesforce Records
Category: Data Leak
Content: Threat actor ShinyHunters claims to have leaked over 1.7 million Salesforce records containing PII from Abrigo, Inc. The group states the company failed to reach a ransom agreement despite multiple offers. The data was published on April 15, 2026, with a direct download link provided via a threat actor-controlled server.
Date: 2026-04-16T01:44:44Z
Network: telegram
Published URL: https://t.me/c/3737716184/1204
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Abrigo, Inc.
Victim Site: Unknown
- Mass Website Defacement of Indian Educational Institution by T-XpLoiT
Category: Defacement
Content: On April 16, 2026, a threat actor identified as T-XpLoiT conducted a mass defacement campaign targeting the diploma subdomain of PVPIT Sangli, an educational institution in India. The attacker successfully compromised the Linux-based web server and replaced content with a defacement page. This incident was part of a broader mass defacement operation attributed to the same actor.
Date: 2026-04-16T01:43:11Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248557
Screenshots:
None
Threat Actors: T-XpLoiT
Victim Country: India
Victim Industry: Education
Victim Organization: PVPIT Sangli (Pravara Vidhyalaya Pratishthans Institute of Technology, Sangli)
Victim Site: diploma.pvpitsangli.edu.in
- Alleged data breach targeting Italian plastics industry B2B database
Category: Data Breach
Content: Threat actor boltak is selling a stolen B2B database containing 499 contact records from the Italian plastics industry for $1,899 USD in Bitcoin. The database includes full names, company details, email addresses, phone numbers, addresses, and MD5 password hashes, with 94% of contacts concentrated in Italy.
Date: 2026-04-16T01:42:25Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-RECENTLY-STOLEN-B2B-DATABASE-ITALIAN-PLASTICS-INDUSTRY-STOLEN-3-DAY
Screenshots:
None
Threat Actors: boltak
Victim Country: Italy
Victim Industry: Plastics Manufacturing
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of zero-day exploit for ASUS AiCloud remote code execution vulnerability
Category: Initial Access
Content: Threat actor berz0k claims to be selling a zero-day pre-authentication remote code execution exploit for ASUS AiCloud with root access for $80,000. The actor claims the exploit has 100% reliability, does not cause crashes, and affects over 32 million potential targets identified through Shodan.
Date: 2026-04-16T01:41:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-0day-Asus-Aicloud-Preauth-RCE
Screenshots:
None
Threat Actors: berz0k
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: ASUS
Victim Site: Unknown
- Alleged data breach of Live Nation/Ticketmaster affecting 100 million users
Category: Data Breach
Content: Threat actor OnarDev claims to possess a 1.3TB database containing personal information of 100 million Live Nation/Ticketmaster customers, including names, addresses, emails, phone numbers, ticket sales data, and partial credit card details. The sample data shows customer lookup information with email addresses and various ID fields.
Date: 2026-04-16T01:40:34Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Live-Nation-Ticketmaster-100M-Users-Card-Details-1-3TB
Screenshots:
None
Threat Actors: OnarDev
Victim Country: Unknown
Victim Industry: Entertainment
Victim Organization: Live Nation/Ticketmaster
Victim Site: ticketmaster.com
- Mass Website Defacement of C.B. Shah College by T-XpLoiT
Category: Defacement
Content: On April 16, 2026, the threat actor T-XpLoiT conducted a mass defacement campaign targeting cbshahcollege.ac.in, an Indian academic institution. The attacker uploaded a defacement page to the college's web server running on a Linux-based system. This incident was part of a broader mass defacement operation rather than an isolated attack against a single target.
Date: 2026-04-16T01:37:15Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248556
Screenshots:
None
Threat Actors: T-XpLoiT
Victim Country: India
Victim Industry: Education
Victim Organization: C.B. Shah College
Victim Site: cbshahcollege.ac.in
- Alleged leak of Hotmail credentials
Category: Combo List
Content: Threat actor noir claims to have valid high-quality Hotmail credential lists available through private cloud and Telegram contact. The post advertises mixed valid Hotmail credentials but requires forum registration to view full content.
Date: 2026-04-16T01:29:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72244/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Chinese government and commercial databases
Category: Data Leak
Content: Forum post claims massive collection of Chinese datasets totaling 50+ billion records including JD.com users, e-commerce data, logistics companies, police databases, and citizen records. The collection allegedly spans 8-9 TB of compressed data from multiple high-value Chinese platforms and government-linked databases.
Date: 2026-04-16T00:45:32Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-MASSIVE-CHINESE-DATA-COLLECTION-LEAK-%E2%80%93-50-BILLION-RECORDS-TOTAL-2026
Screenshots:
None
Threat Actors: CreamVixen
Victim Country: China
Victim Industry: Multiple
Victim Organization: Multiple Chinese platforms and government agencies
Victim Site: Unknown
- Alleged leak of social media and e-commerce credential data
Category: Combo List
Content: Threat actor HQcomboSpace shared a combolist containing over 1.1 million credentials allegedly targeting social media and shopping platforms. The data is distributed via a Mega.nz file sharing link as a free download.
Date: 2026-04-16T00:44:59Z
Network: openweb
Published URL: https://crackingx.com/threads/72242/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials
Category: Combo List
Content: A threat actor shared a list of 20,000 Hotmail credentials on a cybercrime forum. The credentials are described as fresh goods, suggesting they may be recently compromised.
Date: 2026-04-16T00:44:44Z
Network: openweb
Published URL: https://crackingx.com/threads/72243/
Screenshots:
None
Threat Actors: Cir4d
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Wattpad database dump with cracked passwords
Category: Combo List
Content: User claims to have leaked cracked passwords from an original Wattpad breach containing personal identifying information including names, emails, phone numbers, dates of birth, and social media account details in a 930.6MB compressed CSV file.
Date: 2026-04-16T00:13:38Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Wattpad-Cracked-Lines-30kk
Screenshots:
None
Threat Actors: StrawberryJam
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Wattpad
Victim Site: wattpad.com