Executive Summary
This comprehensive intelligence report details a highly active period of global cyber threat activity spanning April 23 to April 24, 2026. Based strictly on intercepted threat intelligence data, underground forum communications, and dark web marketplace listings, this report aggregates, categorizes, and analyzes a vast array of cybersecurity incidents. The observed events demonstrate a volatile threat landscape characterized by massive credential aggregation, targeted state-sponsored data exfiltration, disruptive hacktivism, and the active trading of corporate initial access.
During this brief window, threat actors executed highly coordinated campaigns affecting dozens of countries and multiple critical industries. We observed a staggering volume of credential combolists being distributed freely—numbering in the hundreds of millions of lines—fueling the broader credential stuffing and account takeover ecosystem. Simultaneously, Initial Access Brokers (IABs) successfully auctioned high-level administrative access to multi-million-dollar corporations, bridging the gap between opportunistic exploitation and targeted ransomware deployments.
Perhaps most alarming is the documented escalation of hacktivist operations targeting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks. Threat actors actively claimed to have disabled critical infrastructure systems, including a Polish compressor station and an Israeli water management facility. Furthermore, government databases across Iraq, France, Indonesia, and the Philippines suffered severe compromises, exposing the sensitive personally identifiable information (PII) of tens of millions of citizens.
This report will systematically break down these incidents into distinct categories: Data Breaches and Leaks, Credential Combolists, Initial Access and Malware Services, Hacktivism and Defacements, and ICS/SCADA Disruptions. Through detailed analysis of threat actor methodologies, targeted sectors, and geopolitical motivations, this document aims to provide security professionals, policymakers, and organizations with a factual, grounded understanding of the immediate cyber threat landscape.
1. Threat Landscape Overview
The data analyzed in this report reflects a decentralized but highly efficient cybercrime ecosystem. Threat actors operate across multiple networks, primarily utilizing the open web (clearnet forums like DemonForums, CrackingX, and Altenens), the dark web (onion-routed marketplaces), and encrypted messaging platforms (predominantly Telegram) to communicate, trade, and distribute compromised assets.
1.1 Key Trends Identified
- The Commercialization of Access: Initial Access Brokers (IABs) such as “TunaFish” and “BigTuna” are actively selling verified, highly privileged access (Domain Admin, Enterprise Admin, Server Admin) to large-scale enterprises with revenues exceeding $250 million.
- Massive Aggregation of Credentials: The sheer volume of credential leaks is unprecedented. Threat actors like “CODER” and “StarLinkClub” are distributing files containing upwards of 480 million credential lines, indicating that automated stealer logs and historical breaches are being continuously recycled and weaponized.
- Vulnerability-Specific Defacement Campaigns: The mass defacement landscape is dominated by a few highly active entities. For example, the actor “DimasHxR” executed dozens of surgical defacements targeting specific media upload directories, highly indicative of an automated exploitation campaign targeting a specific Content Management System (CMS) vulnerability.
- Geopolitically Motivated ICS Attacks: Hacktivist groups are moving beyond simple website defacements and actively seeking to manipulate physical infrastructure, specifically targeting water management and energy systems in regions experiencing geopolitical tension.
2. Comprehensive Analysis of Data Breaches and Leaks
The period of April 23–24, 2026, saw a massive hemorrhage of sensitive data across both public and private sectors. The nature of these breaches ranges from politically motivated leaks to purely financial data extortion.
2.1 Government and Defense Sector Compromises
Government infrastructure remains a primary target for threat actors seeking sensitive citizen data, intelligence, or political leverage.
- Russian Defense and Scientific Data (VNIIFTRI): In one of the most critical incidents, a threat actor known as “Rhodes” advertised the sale of 110GB of classified data allegedly stolen from VNIIFTRI, Russia’s premier precision measurement and defense metrology institute. This highly sensitive dataset reportedly contains classified documentation regarding GLONASS navigation systems, advanced quantum programs (including gravimeters, magnetometers, and atomic clocks), military communications, and personnel identification documents. The data was offered exclusively for $100.
- French Government ANTS Platform: The threat actor “breach3d” claimed a massive exfiltration of 600 million lines of data from the French Agence Nationale des Titres Sécurisés (ANTS), the national agency responsible for secure identity documents like passports and driver’s licenses. The leaked data purportedly includes plaintext passwords, API keys, encryption keys, source code, and XML links to citizen identity documents. The actor stated this leak was politically motivated and not for sale.
- French Ministry of Health: In another French government incident, the actor “breach3d” allegedly leaked a database belonging to sante.gouv.fr, containing the full names, emails, and certificate IDs of registered users, which was subsequently distributed for free by user “aggravage”.
- Iraqi Citizenship and Intelligence Data: A threat actor operating under the alias “xorcat” leaked a massive SQL database obtained from Iraq’s Agency of Intelligence & Federal Investigation. The dataset, dated August 2022, contains over 22.3 million records, exposing the full names, physical addresses, National IDs, employment data, and case records of Iraqi citizens and foreigners.
- Indonesian Civil Registration (Dukcapil): The actor “Xyph0rix” published a database originating from Indonesia’s Directorate General of Civil Registration (Dukcapil). This leak exposed highly sensitive PII, including National Identity Numbers (NIK), addresses, occupations, and blood types. Furthermore, the actor “MrAnomali” claimed a leak from the Indonesian National Nutrition Body (Badan Gizi Nasional), and “RuiixH4xor_” leaked data from the Halmahera Barat regional government legal portal.
- Philippine Drug Enforcement Agency (PDEA): Threat actor “Sh1nnySp1der” offered to sell data allegedly breached from the PDEA, providing proof images and soliciting buyers via encrypted email.
- Arkansas State Crime Lab: In the United States, the “kittykatkrew” claimed to have compromised the Arkansas State Crime Lab’s web portal. The exfiltrated data reportedly includes comprehensive court calendars, defendant details, and a full personnel directory with direct contact information and agency affiliations.
- Bangladesh RDCD: The actor “kingdataseller” distributed an archive belonging to the Bangladesh Rural Development and Co-operatives Division, exposing employee HR data, project details, and authentication files.
- Indian Ministry of Home Affairs: Contact information, including names, emails, and phone numbers of personnel from the Indian Ministry of Home Affairs, was leaked by the actor “anon 23” on an underground forum.
2.2 Financial Services and Investment Sector
Financial databases are highly lucrative for threat actors, enabling identity theft, targeted phishing, and direct financial fraud.
- UAE Investor System: The threat actor group “MD-Ghost” (also identifying as “The BlackH4t”) claimed a highly impactful breach of a United Arab Emirates investor system, exfiltrating 30GB of data. This stolen cache allegedly contains foreign investor registration details, financial records, and copies of high-value visas, including the Dubai Golden Visa.
- Citibanamex (Mexico): The actor “Jansz,” associated with “GERSONFDP,” leaked a comprehensive database of Citibanamex customers. The highly granular data includes full names, blood types, geolocation details, salary information, payment records, and family member details, posing a severe risk of targeted extortion or physical security threats to the victims.
- Bank Syariah Indonesia: The prolific actor “Xyph0rix” leaked an employee and customer database belonging to Bank Syariah Indonesia, exposing internal organizational structures, regional office details, and personal contact information.
- Card24h.com: A database belonging to Card24h.com, a Thai peer-to-peer payment and carding-related platform, was leaked by the actor “enumerate”. The data, allegedly discovered on an exposed endpoint, contains usernames, bcrypt-hashed passwords, and wallet transaction histories.
2.3 Healthcare and Medical Sector
The healthcare sector continues to suffer breaches, resulting in the exposure of highly sensitive Protected Health Information (PHI).
- LNM6 National Laboratory (Morocco): Threat actors “kingdataseller” and “anisanas2” claimed to have exfiltrated 100GB of medical data from the Laboratoire National Mohammed VI d’Analyses Médicales. The stolen records purportedly contain highly sensitive patient scan results and medical histories, which the actors offered for sale via Telegram.
- Haamor.com (Thailand): A 350MB SQL database dump from the Thai health education platform Haamor was listed for sale by “DarkMafiaX”. The dataset contains registered user accounts dating back to 2011, including Thai script names and hashed passwords.
- Ein Shemer Kibbutz (Israel): The CarLog vehicle management system for the Ein Shemer Kibbutz was breached by “imaloser,” exposing 771 resident records including driver’s license numbers and billing IDs.
- Atraf LGBTQ+ Platform (Israel): A massive database from the Israeli LGBTQ+ dating platform Atraf, originally breached in 2021 by the Black Shadow group, was actively redistributed by the actor “imaloser”. The 700,000-record database contains incredibly sensitive data, including sexual preferences, gender identities, and HIV status, creating severe risks for extortion and physical harm to the victims.
2.4 E-Commerce, Retail, and Corporate Data
Corporate data breaches provide threat actors with the raw materials required for business email compromise (BEC), corporate espionage, and consumer fraud.
- Claro El Salvador: Threat actor “MDGhost666” claimed a massive 500GB breach of Claro El Salvador, the nation’s largest telecommunications provider. The exfiltrated data reportedly contains contracts, internal company documentation, and user data.
- CarGurus (United States): The actor “TheFallen” leaked a 7.1GB database dump from the automotive marketplace CarGurus, exposing over 12.4 million records containing PII and internal corporate data.
- 7-Eleven (United States): The same actor, “TheFallen,” distributed a 10.4GB compressed database containing over 600,000 Salesforce PII records allegedly belonging to 7-Eleven.
- Bol.com (Belgium): A database of 400,000 Belgian customer records from Bol.com was offered for sale by “TrueNigger”. The extensive dataset includes identity numbers, tracking data, and payment methods.
- Ayurveda-best.com (Ukraine): The actor “Keymous” leaked a database containing 27,000 comprehensive customer orders from the Ukrainian e-commerce site, including shipping addresses, IP addresses, and payment details.
- 8891.com.tw (Taiwan): A database dump from Taiwan’s largest automotive marketplace, 8891.com.tw, was distributed by the actor “ijpys”.
- BulkApparel USA: The actor “ijpys” also sold a database of 298,480 wholesale customer records from BulkApparel for $300.
- Protemps (Singapore): A recruitment database dump from Protemps Singapore, originally breached in 2021, was redistributed by “infintyx07,” exposing 49,591 records with hashed passwords and passport numbers.
- FranceVerif.fr: The trust and coupon verification platform FranceVerif suffered a database leak by “ChimeraZ,” exposing user feedback, geolocation data, and merchant SIRET numbers.
- Bodyhit Club (France): A database of 218,542 fitness club customers, including IBAN numbers and BIC codes, was offered for sale.
- WooWup AWS Bucket: A threat actor shared 9,675 direct download links to exposed CSV files hosted on a misconfigured AWS S3 bucket belonging to the marketing automation platform WooWup.
- Trucking Logistics Database: A massive 1.5 million-record database of trucking companies across the US, Canada, and Mexico (including DOT numbers and legal names) was leaked freely by “OriginalCrazyOldFart”.
3. The Proliferation of Credential Combolists
A significant portion of the cyber activity analyzed revolves around the distribution of “Combolists”—text files containing millions of compromised username/email and password combinations. These lists are the lifeblood of credential stuffing attacks, where automated tools rapidly test these combinations against banking, retail, and corporate portals.
The data from April 23–24 highlights a highly organized supply chain for these credentials, driven by prominent aggregators.
3.1 The Dominance of Key Aggregators
- Threat Actor “CODER”: The actor known as “CODER” is undeniably the most prolific distributor of credential combolists in the observed dataset. Operating primarily through Telegram channels and the CrackingX forum, CODER employs a strategy of massive, free distribution to build a following. Their distributions are highly categorized by geography and platform. Observed leaks from CODER include:
  - A 6 million-line list spanning multiple countries including Switzerland and Sweden.
  - A 7.4 million-line global list (India, US, UK, Brazil, etc.).
  - A 5 million-line list targeting casino platforms across .com, .fr, and .es domains.
  - An 11 million-line “Asian mix” list.
  - A 7 million-line list targeting France.
  - An 11 million-line list targeting Cyprus.
  - A 6 million-line list targeting Yahoo and Outlook accounts.
  - A 6 million-line list targeting social media domains.
  - An 11 million-line streaming service credential list.
  - An 8 million-line Asia-Pacific targeted list.
  - An 11 million-line e-commerce list targeting specific retailers like Allegro, Kaufland, Bol.com, and Decathlon.
  - A 5 million-line fashion retail list targeting ASOS, Farfetch, and GOAT.
  - A 9.4 million-line list targeting Hotmail and Office 365.
  - A 3 million-line corporate SMTP service combolist.
- Threat Actor “Ebbicloud”: Operating on the AlteNens (AE) forum and Telegram, Ebbicloud specializes in geographic and sector-specific credential drops. Their activity included:
  - 27,300 school and government domain credentials.
  - 16,000 corporate business email credentials, highly valuable for Business Email Compromise (BEC) attacks.
  - Multiple European-targeted lists ranging from 15,800 to 21,900 lines.
  - Multiple United States-targeted lists ranging from 9,200 to 23,800 lines.
- Threat Actor “HQcomboSpace”: This actor utilizes Mega.nz to distribute massive files on CrackingX. Their focus heavily targets consumer platforms and webmail.
  - 172,158 credentials targeting German gaming and casinos.
  - 1.28 million lines of Yahoo credentials.
  - 970,434 credentials for German shopping platforms.
  - 192,342 corporate SMTP credentials designed for spam operations.
  - Over 1.77 million and 1.57 million lines in multiple Yahoo-specific drops.
- Threat Actor “thejackal101”: Operating on DemonForums, this actor distributes geo-targeted lists, largely promoting their “Elite_Cloud1” Telegram channel. Their leaks included credentials targeting Poland (485k), Philippines (172k), Peru (126k), Portugal (75k), Pakistan (46k), Norway (21k), and Nigeria (16k). This exact dataset was later mirrored by the actor “CobraEgy”.
3.2 Massive Uncategorized “URL:Log:Pass” Drops
The dataset reveals an alarming trend of ultra-massive credential aggregations formatted as URL:Login:Password (ULP). These are typically the direct output of Info-Stealer malware (like Vidar Stealer, as noted by the actor “BigTuna”).
- StarLinkClub: Distributed a monolithic 482.794 million-line ULP combolist, sized at 27GB, alongside a smaller 11.8 million-line list. The exact same 482 million-line database was also cross-posted by the actor “ebankastore”.
- Mustukaral: Advertised a staggering 1.3 Terabyte ULP database. Instead of merely offering a download, Mustukaral provides a localized search interface, allowing other criminals to query specific targets or filter by country, essentially operating a credential search engine as a service.
- Daxus: Shared a 5.97 million-line ULP combolist distributed via a dedicated website.
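When a ULP file reaches a defender through a breach-notification or intelligence provider, the first task is isolating the lines that touch the organization's own domains. The following is an added example, not part of the report or of any actor's tooling: it assumes the `URL:Login:Password` layout described above, handles URLs with ports and passwords that contain colons, and keeps only a keyed fingerprint of each password. The `example.*` domains, sample lines and HMAC key are constructed.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# URL part: optional scheme, host, optional numeric port, optional path.
# The login may not start with '/', which stops "https://host" being read as
# host="https", login="//host". The password comes last and may contain ':'.
ULP_LINE = re.compile(
    r"^(?P<url>(?:[a-z][a-z0-9+.-]*://)?[^:/\s]+(?::\d{1,5}(?=[/:]))?(?:/[^:\s]*)?)"
    r":(?P<login>(?!/)[^:\s]+):(?P<password>.+)$",
    re.IGNORECASE,
)

# Constructed sample input; none of these lines come from a real leak.
SAMPLE_LINES = [
    "https://vpn.example.com:8443/login:alice@example.com:Spring:2026!",
    "mail.example.com:bob:hunter2",
    "https://shop.example.net/account:carol@example.com:hunter2",
    "https://forum.example.org/login:dave@example.org:qwerty",
    "not a credential line",
]


def _in_scope(name, domains):
    """True if name equals a monitored domain or is a subdomain of one."""
    name = (name or "").lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_ulp(line):
    """Split one ULP line into (host, login, password); None if it does not fit."""
    m = ULP_LINE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    try:
        host = urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host.lower(), m.group("login"), m.group("password")


def triage(lines, monitored_domains, hmac_key):
    """Return (hits, malformed_count) for lines that touch monitored domains.

    A hit records why the line matched and an HMAC fingerprint of the password,
    so reused passwords can be correlated without retaining the plaintext.
    """
    domains = {d.lower() for d in monitored_domains}
    hits, malformed = [], 0
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_ulp(line)
        if parsed is None:
            malformed += 1
            continue
        host, login, password = parsed
        reasons = []
        if _in_scope(host, domains):
            reasons.append("url_host")          # credential for our own portal
        if "@" in login and _in_scope(login.rsplit("@", 1)[1], domains):
            reasons.append("login_domain")      # staff address used elsewhere
        if reasons:
            digest = hmac.new(hmac_key, password.encode("utf-8"), hashlib.sha256)
            hits.append({
                "host": host,
                "login": login.lower(),
                "reasons": reasons,
                "password_fp": digest.hexdigest()[:16],
            })
    return hits, malformed


if __name__ == "__main__":
    found, bad = triage(SAMPLE_LINES, {"example.com"}, b"constructed-local-key")
    for hit in found:
        print(hit)
    print("malformed lines:", bad)
```

Hits with `url_host` point at accounts on the organization's own portals and should drive forced resets; `login_domain` hits show corporate addresses registered on third-party services.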
3.3 Platform-Specific Account Targeting
While massive lists are common, highly targeted access remains valuable.
- Threat Actor “mu”: Actively solicits buyers on Telegram for access to compromised accounts on high-value platforms including eBay, OfferUp, PSN, Uber, Booking, Amazon, and Walmart.
- Larry_Uchiha: Shared combolists specifically containing verified access to Netflix, OnlyFans, ChatGPT, Xbox, and Discord.
- Microsoft/Hotmail Ecosystem: Hotmail and Outlook remain highly targeted. Dozens of incidents involved the distribution of “valid” or “UHQ” (Ultra High Quality) Hotmail credentials by actors like “MailAccesss,” “MegaCloudshop,” “alphacloud,” and “ValidMail”.
4. Initial Access Brokers (IABs) and Malware Services
The bridge between credential theft and devastating corporate ransomware attacks is facilitated by Initial Access Brokers. These actors specialize in breaching corporate perimeters and auctioning that access.
4.1 High-Value Corporate Access Sales
- The “TunaFish” Operations: This highly sophisticated actor successfully auctioned critical access to major enterprises.
  - Turkish Technology/SaaS Company: TunaFish sold AWS Console access with Domain Admin privileges to a Turkish company generating $250M–$500M in revenue. The network reportedly consisted of 5,000 hosts protected by Malwarebytes EDR.
  - Colombian Construction Company: TunaFish also sold Palo Alto GlobalProtect VPN access to a Colombian construction firm of similar revenue size. This access carried Enterprise Admin privileges across a massive network of 10,000+ hosts, despite the presence of CrowdStrike Falcon EDR.
- The “BigTuna” Operations: Likely related to TunaFish, this actor sold webshell and remote desktop access.
  - Canadian Logistics Company: Sold ASPX webshell access with Server Admin privileges to a Canadian shipping company with 1,000 hosts.
  - Japanese Aerospace/Defense Organization: Sold RDWeb access to a highly sensitive Japanese defense contractor, carrying Database Administrator (SA) privileges.
- Cloud Infrastructure and RDP Rentals: Actors like “PORTAL” and “QQHB99” are operating rental services, offering cybercriminals temporary Remote Desktop Protocol (RDP) access to compromised Azure, AWS, and DigitalOcean cloud infrastructure for $200.
4.2 Malware, Vulnerability Scanners, and DDoS Services
To facilitate these breaches, an ecosystem of supporting tools is actively traded.
- DynAmite 4.0 Malware Toolkit: The actor “CINCH19922” distributed the “DynAmite 4.0” modular malware creation toolkit, which features automated payload generation and customizable malware deployment. The same actor also distributed the “Gr3eNoX Exploit Scanner V4.2” for automated web vulnerability discovery.
- DDoS-as-a-Service (DaaS): The platforms “Goofystress.st” and “Deep Stresser” aggressively marketed their DDoS capabilities on Telegram. They offer Layer 4 and Layer 7 attacks, claiming massive volumetric capabilities (up to 10 million packets per second) and specific bypasses for Cloudflare CAPTCHAs and gaming servers (Fortnite, Roblox, Call of Duty). Another service, “KillByte Solutions,” advertised IoT botnet infrastructure capable of 1.2 Tbps attacks.
- Cryptocurrency Fraud Scripts: The actor “antelope” sold a “Flash USDT Sender Script” designed to manipulate the Ethereum network. By exploiting transaction replacement mechanisms with artificially low gas fees, criminals can create the illusion of a completed cryptocurrency payment before canceling it, defrauding merchants.
5. Hacktivism, Defacements, and Industrial Disruption
Website defacements—once viewed as minor digital vandalism—have evolved. In the observed data, defacements are utilized both as automated, mass-scale disruptions and as vectors for geopolitical messaging. Furthermore, hacktivist groups have worryingly crossed the threshold into attacking physical Industrial Control Systems (ICS).
5.1 The DimasHxR Automated Campaign
The threat actor “DimasHxR” executed an extraordinarily prolific defacement campaign. A critical technical analysis of their targets reveals a distinct pattern: virtually all defacements were not on the homepage, but rather within specific subdirectories, typically /pub/media/customer_ad or similar media paths.
This highly specific targeting strongly indicates that DimasHxR was not manually hacking sites, but rather utilizing an automated script to exploit an unpatched file upload or directory traversal vulnerability within a specific Content Management System (CMS), highly likely to be Magento based on the path naming conventions.
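Site operators can check their own logs for the same pattern. The following is an added example, not taken from the report or from any CMS vendor: it reads Combined Log Format lines and flags requests under `/pub/media/` that serve a non-media file type, carry a script-like name, or try to traverse out of the media tree. The extension lists are assumptions to tune per site, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

MEDIA_PREFIX = "/pub/media/"   # path family named in the report
# Assumption: file types a storefront legitimately serves from its media tree.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".ico",
               ".css", ".js", ".woff", ".woff2", ".pdf", ".mp4"}
# Assumption: name components that should never appear in uploaded media.
SCRIPT_PARTS = {"php", "phtml", "phar"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Apr/2026:10:00:01 +0000] "GET /pub/media/catalog/product/a/b/shoe.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Apr/2026:10:02:15 +0000] "GET /pub/media/customer_ad/x/y/index.html HTTP/1.1" 200 731 "-" "python-requests/2.31"',
    '203.0.113.5 - - [23/Apr/2026:11:40:00 +0000] "GET /pub/media/customer_ad/x/y/index.html HTTP/1.1" 200 731 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Apr/2026:11:41:00 +0000] "GET /pub/media/%2e%2e/%2e%2e/private/config.bak HTTP/1.1" 404 0 "-" "curl/8.0"',
    '192.0.2.44 - - [23/Apr/2026:12:00:00 +0000] "GET /pub/media/wysiwyg/banner.php.jpg HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [23/Apr/2026:12:00:05 +0000] "GET /pub/media/tmp/missing.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def classify(target, status):
    """Return the list of reasons a request under the media tree is suspicious."""
    raw = unquote(urlsplit(target).path)
    if not raw.lower().startswith(MEDIA_PREFIX):
        return []
    # Collapse ../ segments (after percent-decoding) to see where the path lands.
    norm = posixpath.normpath(raw)
    if not (norm + "/").lower().startswith(MEDIA_PREFIX):
        return ["traversal_out_of_media"]
    reasons = []
    parts = posixpath.basename(norm).lower().split(".")[1:]
    # Any script component counts, so "banner.php.jpg" is caught as well.
    if any(p in SCRIPT_PARTS for p in parts):
        reasons.append("script_like_name")
    ext = "." + parts[-1] if parts else ""
    # Only content that was actually served (2xx) counts as a planted file.
    if 200 <= status < 300 and ext not in ALLOWED_EXT:
        reasons.append("unexpected_type_served")
    return reasons


def scan(lines):
    """Group suspicious media-tree requests by path, in first-seen order."""
    findings = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        reasons = classify(m["target"], int(m["status"]))
        if not reasons:
            continue
        path = unquote(urlsplit(m["target"]).path)
        f = findings.setdefault(path, {"path": path, "reasons": set(),
                                       "clients": set(), "hits": 0,
                                       "first_seen": m["time"]})
        f["reasons"].update(reasons)
        f["clients"].add(m["ip"])
        f["hits"] += 1
    return [dict(f, reasons=sorted(f["reasons"]), clients=sorted(f["clients"]))
            for f in findings.values()]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The earliest `first_seen` for an `unexpected_type_served` path bounds when the file appeared, which narrows the window to search for the upload request itself.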
DimasHxR’s campaign indiscriminately targeted global retail and e-commerce platforms, demonstrating the widespread nature of the underlying vulnerability. Targets included:
- Cartouches Arabais (Printing)
- ClickNPay (Financial Services)
- Stokrat (Ukraine)
- MixMarket
- PLC Product (Manufacturing)
- Clever Möbel (German Furniture)
- Tronictoy
- Pawfect Foods (India)
- Wagadootoo (South Africa)
- Swebike (Sweden)
- Manhattan Portage (US)
- Mokca (Slovenia)
- Zaafoo
- Spa Galaxy (Moldova)
- KTSPS (Malaysia)
- Illuminus Brands
- Isles of Scilly Flowers (UK)
- Ignyte Active (US)
- La Tintoreria Vinoteca (Spain)
- Homegrown Cannabis (Germany)
- LOH Motorsport (Ireland)
- First Aid Zone
- Iris Made With Love
- Arpo Software
- Enola Gaye (Norway)
- MD Materiaux (France)
- SportFoods (Netherlands)
- PCMR (Hungary)
- VDH Products
- Firmbay
- Design Ameublement (France)
- Wolka Online (EU)
- Karly Floats (Australia)
- Bierl Antiquariat (Germany)
- The Merch NZ (New Zealand)
- Samdam Shop
- CHS Pharmacy (UAE)
- Silhouette Europe
- Divenly (France)
- The Garden (UK)
- Neottia (Greece)
- EWM (UK)
- Bielizna For You (Poland)
- Maggarack
- Skin Collagen (Finland)
- Larpsi (Brazil)
- Lukime
- Kids Luxury (UK)
- Tribag (Romania)
- Poleringspads (Norway)
5.2 The LegioN_LeakeR Mass Defacement Campaign
A distinctively different methodology was employed by the threat actor “EbRaHiM-VaKeR,” operating under the banner of the Telegram group “LegioN_LeakeR”. Unlike DimasHxR’s surgical path exploitations, EbRaHiM-VaKeR conducted “Mass Defacement” operations targeting Linux-hosted servers. This indicates the exploitation of server-level vulnerabilities (such as outdated Apache/Nginx instances or unpatched cPanel/WHM software) allowing the actor to simultaneously compromise multiple domains hosted on the same infrastructure.
Their targets primarily consisted of generic “.click” and “.website” domains, suggesting the compromise of cheap, shared-hosting environments. Targets included:
- Vakalat Vidya (India)
- Krishna Physiotherapy Rehab
- Costlay
- Ocean Mist
- Aetherial Peak
- Novatrax
- Northgate Horizon
- Maple Stone Ridge
- Stratos Nova
- Skyforge Horizon
- Zymera Edge
- Nebula Crest
- Lunaris Edge
- Silverwood Harbor
- Orvaneh Harbor
- Oak Haven Summit
- Ironwood Harbor
- Zynera Creek
- Trivora Edge
- Pinecrest Harbor
- Blue Rock Holdings
- Celestial Harbor
- Aurora Summit
- Averoncrest
- Cloud Spire Ventures
- Eclipsera
- Blue Peak Ventures
Other notable defacements included the actor “Zod” targeting Brazilian VBA and Excel educational platforms, “MR.N43TXPLOIT” (BekasiRootSec) targeting Akoma Online infrastructure, and “Mr.PIMZZZXploit” conducting mass defacements affecting 16 sites including North Macedonian IT firms.
5.3 Escalation: Industrial Control System (ICS) Hacktivism
The most alarming development during this reporting period is the successful compromise of physical infrastructure systems by hacktivist groups. This represents a severe escalation from data theft to kinetic disruption.
- Polish Compressor Station Attack: The “DDoSia Project” claimed unauthorized access to an industrial automation system controlling a compressor station in Poland. The group provided highly specific technical details, claiming to have compromised operator panels and actuator control circuits. They reported a complete loss of communication with multiple drive units (B2, B4, B5, B6, D7), forced all actuators into manual mode, and disabled the heat recovery systems. This represents a sophisticated understanding of ICS operations.
- Polish Hospital BMS Attack: A group identifying as “The Z-Pentest Alliance” claimed to have compromised a Geo-Eko Building Management System (BMS) in a Polish hospital. The actor claimed full control over ventilation, temperature, and humidity systems in critical areas like surgical units and intensive care. The attack was politically motivated, using hashtags like #OpPoland.
- Israeli Water Management Attack: The actors “TheSweetNight” and “OpsShadowStrike” claimed to have hijacked systems belonging to BERMAD CS Ltd, an Israeli water flow management company. The actors explicitly stated they utilized Modbus protocol attacks to target HMI (Human-Machine Interface) and SCADA systems. This attack involved collaboration across multiple international hacktivist crews (TengkorakCyberCrew, MalaysiaHacktivist) and carried explicit pro-Palestine/Iran messaging.
- Turkish Telecommunications Disruption: The group “Armenian code” claimed cyber attacks against Turkey’s critical telecommunications infrastructure, targeting the operator systems of both Turkcell and Turk Telekom, claiming the ability to cause system power disconnections.
6. Detailed Threat Actor Profiles
To adequately defend against these threats, security teams must understand the specific behaviors and technical capabilities of the most active adversaries observed in this dataset.
- CODER: The preeminent credential distributor. CODER operates primarily to drive traffic to Telegram channels. By giving away billions of credential pairs for free, CODER builds a massive audience, which can later be monetized through the sale of premium tools, zero-day exploits, or targeted corporate access.
- TunaFish / BigTuna: Operating at the highest tier of the cybercrime ecosystem. These Initial Access Brokers possess the capability to bypass enterprise EDR solutions (CrowdStrike, Malwarebytes, Kaspersky) and secure persistent access (VPNs, Webshells) to networks belonging to multi-hundred-million-dollar corporations.
- breach3d: A politically motivated actor specializing in French government infrastructure. By targeting the ANTS identity platform and the Ministry of Health, breach3d demonstrates advanced persistent threat (APT) capabilities, extracting database source code, API keys, and cryptographic material.
- Xyph0rix: A specialized data broker focusing intensely on Indonesian corporate and government targets. Their portfolio includes the national civil registry (Dukcapil), the state-owned oil giant Pertamina, and Bank Syariah Indonesia.
- DimasHxR: A lone-wolf script kiddie or automated bot operator. DimasHxR relies entirely on finding exposed media upload directories (like /pub/media/) on poorly secured e-commerce sites. While the volume of their attacks is high, the technical sophistication is low, relying on unpatched vulnerabilities in common CMS frameworks.
7. Conclusion & Strategic Recommendations
The cybersecurity events of April 23–24, 2026, illustrate a threat environment that is highly automated, deeply interconnected, and increasingly willing to target physical infrastructure.
The rampant distribution of over a billion credential pairs by actors like CODER and StarLinkClub guarantees that credential stuffing and brute-force attacks will remain a persistent, high-volume threat to all internet-facing authentication portals. Organizations that do not enforce robust, phishing-resistant Multi-Factor Authentication (MFA) across all external access points are highly likely to suffer account takeovers.
Furthermore, the activities of Initial Access Brokers like TunaFish demonstrate that perimeter security alone is insufficient. When threat actors can sell Enterprise Admin VPN access to networks supposedly protected by leading EDR solutions, organizations must assume breach and implement strict zero-trust network architectures, network segmentation, and continuous internal behavioral monitoring.
Finally, the pivot of hacktivist groups toward SCADA and ICS environments in Poland and Israel is a critical escalation. The lack of authentication and logging mechanisms in legacy OT (Operational Technology) systems makes them highly vulnerable to Modbus protocol manipulation. Critical infrastructure operators must physically or logically isolate these systems from the public internet immediately.
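Because Modbus itself carries no authentication or logging, that record has to be produced on the network. The following is an added example, not part of the report: a passive audit over captured Modbus/TCP request payloads (traffic to TCP port 502) that records every write-class function code and whether its source is an approved engineering host. The allowlist, IP addresses and hex frames are constructed.

```python
import struct

# Modbus function codes that change device state.
WRITE_FUNCS = {
    0x05: "write_single_coil",
    0x06: "write_single_register",
    0x0F: "write_multiple_coils",
    0x10: "write_multiple_registers",
    0x16: "mask_write_register",
    0x17: "read_write_multiple_registers",
}

# Constructed capture: (source IP, TCP payload sent to port 502).
SAMPLE_CAPTURE = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),      # read, HMI
    ("10.0.0.20", bytes.fromhex("00020000000601060010002a")),     # write, eng. host
    ("203.0.113.9", bytes.fromhex("00030000000601050003ff00")),   # write, unknown
    # Two requests pipelined in one segment: a read, then a multi-register write.
    ("203.0.113.9", bytes.fromhex("000400000006010300000001"
                                  "00050000000b0110010000020400010002")),
    ("203.0.113.9", bytes.fromhex("0006000000060106")),           # truncated
]


def iter_adus(payload):
    """Yield (transaction_id, unit_id, pdu) for each complete ADU in a payload."""
    off = 0
    while off + 8 <= len(payload):          # 7-byte MBAP header + function code
        tid, proto, length, unit = struct.unpack_from(">HHHB", payload, off)
        # Protocol id must be 0; length counts the unit id plus the PDU (max 254).
        if proto != 0 or not 2 <= length <= 254:
            return
        end = off + 6 + length
        if end > len(payload):
            return                           # truncated frame, stop parsing
        yield tid, unit, payload[off + 7:end]
        off = end


def write_address(pdu):
    """Return the first coil/register address a write PDU targets, or None."""
    func = pdu[0]
    # 0x17 carries the read range first; its write address follows at bytes 5-6.
    pos = 5 if func == 0x17 else 1
    if len(pdu) < pos + 2:
        return None
    return struct.unpack_from(">H", pdu, pos)[0]


def audit(capture, allowed_writers):
    """Return one event per write request, marking unapproved sources."""
    events = []
    for src, payload in capture:
        for tid, unit, pdu in iter_adus(payload):
            name = WRITE_FUNCS.get(pdu[0])
            if name is None:
                continue                     # reads and diagnostics are not logged
            events.append({
                "src": src,
                "transaction": tid,
                "unit": unit,
                "function": name,
                "address": write_address(pdu),
                "allowed": src in allowed_writers,
            })
    return events


if __name__ == "__main__":
    for event in audit(SAMPLE_CAPTURE, {"10.0.0.20"}):
        print(("ok    " if event["allowed"] else "ALERT ") + str(event))
```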
The velocity and scale of these incidents require organizations to adopt a proactive, intelligence-driven security posture, continuously monitoring the dark web and underground forums to preemptively identify when their data, credentials, or network access are being actively traded.
Detected Incidents Draft Data
- Alleged defacement of ivsoftdesign.mk by Mr.PIMZZZXploit
Category: Defacement
Content: Website defacement of ivsoftdesign.mk claimed by threat actor Mr.PIMZZZXploit. Defacement message posted to Babayo Eror System channel with photo evidence.
Date: 2026-04-23T23:58:40Z
Network: telegram
Published URL: https://t.me/c/3865526389/557
Screenshots: None
Threat Actors: Mr.PIMZZZXploit
Victim Country: North Macedonia
Victim Industry: Unknown
Victim Organization: ivsoftdesign
Victim Site: ivsoftdesign.mk
- Alleged leak of gaming and casino credentials targeting Germany
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 172,158 credential pairs targeting gaming and casino platforms in Germany. The data was shared freely via a Mega.nz file link on the cracking forum CrackingX. The leak appears to consist of email and password combinations sourced from German gaming and casino-related services.
Date: 2026-04-23T23:54:00Z
Network: openweb
Published URL: https://crackingx.com/threads/73062/
Screenshots: None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Gaming and Gambling
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of fresh compromised account database across multiple countries
Category: Combo List
Content: Threat actor mu is offering fresh database access containing compromised accounts from UK, DE, JP, NL, BR, PL, ES, US, IT and other countries. The seller specifically mentions targeting accounts on eBay, OfferUp, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and Neosurf. Claims to own a private cloud with valid ntlworld webmail credentials available. Accepting custom keyword searches and requests via DM.
Date: 2026-04-23T23:51:47Z
Network: telegram
Published URL: https://t.me/c/2613583520/68436
Screenshots: None
Threat Actors: mu
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: Multiple (e-commerce, gaming, travel, payment services)
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of multi-platform credential combolist including Netflix, Steam, Spotify and others
Category: Combo List
Content: A threat actor operating under the alias Ra-Zi has made available a claimed 140,000-entry combolist containing email:password credentials targeting multiple platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The post includes a hidden download link requiring forum registration, and also advertises the sale of higher-quality credential lists via Telegram. The actor promotes associated channels at t.me and cracking-club.com for further distribution and sales.
Date: 2026-04-23T23:30:04Z
Network: openweb
Published URL: https://demonforums.net/Thread-140k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–201536
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Entertainment and Gaming
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 140,000 mixed email credentials combolist
Category: Data Leak
Content: A threat actor known as carlos080 shared a combolist of approximately 140,000 email and password combinations on the AE forum. The combolist is described as fresh and high quality, containing mixed email credentials. No specific victim organization or country has been identified.
Date: 2026-04-23T23:26:44Z
Network: openweb
Published URL: https://altenens.is/threads/140k-fresh-hq-combolist-email-pass-mixed.2928893/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of Domino BZ by Anonsecita
Category: Defacement
Content: The threat actor Anonsecita defaced the website www.domino.bz.it, an Italian domain, on April 24, 2026. The defacement was a targeted single-site attack, with the attacker leaving a text file as proof of compromise. No specific motive or additional technical details were disclosed in the available data.
Date: 2026-04-23T23:23:08Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248670
Screenshots:
None
Threat Actors: Anonsecita, Anonsecita
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Domino BZ
Victim Site: www.domino.bz.it

Alleged Gmail Spam Campaign Targeting Cryptocurrency Exchange Users
Category: Initial Access
Content: A threat actor is seeking individuals or services capable of delivering bulk spam emails to Gmail inboxes, specifically targeting cryptocurrency exchange users. The actor claims the campaign has yielded results in the eight-figure range, suggesting significant financial fraud or phishing activity. This indicates an active effort to bypass email filters and reach victims with fraudulent crypto-related content.
Date: 2026-04-23T23:14:07Z
Network: openweb
Published URL: https://darkforums.su/Thread-Email-spam
Screenshots:
None
Threat Actors: Haaland89
Victim Country: Unknown
Victim Industry: Cryptocurrency
Victim Organization: Unknown
Victim Site: Unknown

Alleged data breach of Kurdistan Region Citizenship Database
Category: Data Breach
Content: A threat actor on BreachForums has made available an alleged database containing 2.8 million records belonging to citizens of the Kurdistan Region of Northern Iraq. The dataset reportedly includes national ID numbers, full names, job titles, phone numbers, dates of birth, and resident type classifications. Access to the data requires registration or login on the forum, suggesting it may be gated behind a paywall or credit system.
Date: 2026-04-23T22:57:53Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Kurdistan-Region-Citizenship-Database
Screenshots:
None
Threat Actors: squadleader
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Kurdistan Region Government
Victim Site: Unknown

Alleged leak of session cookies for YouTube, TikTok, Steam, and other platforms
Category: Data Leak
Content: A threat actor operating under the alias bluestarcrack has shared session cookies allegedly belonging to users of multiple platforms including YouTube, TikTok, and Steam via the file hosting service Uploadery. The leaked data appears to consist of browser session cookies, which could be used to hijack authenticated user sessions without requiring passwords. No pricing was mentioned, suggesting the data was made available for free.
Date: 2026-04-23T22:56:47Z
Network: openweb
Published URL: https://breached.st/threads/cookies-youtube-tiktok-steam-more.86221/unread
Screenshots:
None
Threat Actors: bluestarcrack
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Multiple (YouTube, TikTok, Steam)
Victim Site: Unknown

Alleged Sale of AWS Console Initial Access to Turkish Technology/SaaS Company
Category: Initial Access
Content: A threat actor operating under the alias TunaFish is selling alleged AWS Console access to an unnamed Turkish Technology/SaaS company with an estimated revenue of $250M-$500M. The access is claimed to include Domain Admin privileges on a network of approximately 5,000 hosts, with Malwarebytes EDR present in the environment. Proof and additional details are offered via a Tor-hosted onion link.
Date: 2026-04-23T22:30:33Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-AWS-Console-Technology-SaaS-Turkey-250M-500M-revenue
Screenshots:
None
Threat Actors: TunaFish
Victim Country: Turkey
Victim Industry: Technology / SaaS
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of Initial Access to construction company in Colombia via GlobalProtect VPN
Category: Initial Access
Content: A threat actor operating under the alias TunaFish is selling enterprise-level VPN access (Palo Alto GlobalProtect) to a Colombian construction company with an estimated revenue of $250M–$500M. The access is claimed to carry Enterprise Admin privileges on a network of approximately 10,000 or more hosts, protected by CrowdStrike Falcon EDR. The seller claims the access was verified within the last 48 hours and has not been shared with other buyers.
Date: 2026-04-23T22:29:53Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-VPN-GlobalProtect-Construction-Colombia-250M-500M-revenue
Screenshots:
None
Threat Actors: TunaFish
Victim Country: Colombia
Victim Industry: Construction
Victim Organization: Unknown
Victim Site: Unknown

Alleged Database Leak Posted on Underground Forum
Category: Data Leak
Content: A forum post titled BBDD was shared by user juan303 on the AE Leaked Databases forum. No content was available in the post, making it impossible to determine the victim, data type, or scope of the alleged leak. Further investigation is required to assess the nature and validity of this threat.
Date: 2026-04-23T22:11:44Z
Network: openweb
Published URL: https://altenens.is/threads/bbdd.2928884/unread
Screenshots:
None
Threat Actors: juan303
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Italian credential combolist
Category: Data Leak
Content: A threat actor operating under the alias aliladz213 has made available a combolist purportedly containing 1 million Italian email and password combinations on the forum AE – Combo List. The post claims the credential list is suitable for a wide range of credential stuffing or account takeover activities. No specific victim organization or source has been identified.
Date: 2026-04-23T22:10:55Z
Network: openweb
Published URL: https://altenens.is/threads/starcheck-mark-button1m-italy-combolist-good-for-everythingcheck-mark-buttonstar.2928874/unread
Screenshots:
None
Threat Actors: aliladz213
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of compromised database access and webmail credentials across multiple countries
Category: Data Breach
Content: Threat actor mu is advertising fresh database access spanning UK, Germany, Japan, Netherlands, Brazil, Poland, Spain, US, Italy and other countries. The actor claims to have valid inbox access to ntlworld webmails and a private cloud infrastructure. The listing specifically targets e-commerce platforms (eBay, Amazon, Walmart, Mercari, Kleinanzeigen), payment services (Neosurf), booking platforms (Booking.com), ride-sharing (Uber), and gaming services (PSN). The actor offers to search for specific keywords and check availability upon request.
Date: 2026-04-23T21:44:14Z
Network: telegram
Published URL: https://t.me/c/2613583520/68392
Screenshots:
None
Threat Actors: mu
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: E-commerce, Payment Services, Ride-sharing, Gaming, Webmail
Victim Organization: Unknown
Victim Site: ntlworld.com, ebay.com, amazon.com, walmart.com, uber.com, booking.com, psn.playstation.com, mercari.com, kleinanzeigen.de, alibaba.com, poshmark.com, offerup.com, neosurf.com

Alleged leak of Polish email and password credentials
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 485,000 email and password credential pairs associated with Polish users. The post is dated April 23, 2026, and is described as fresh and high quality. The content is distributed via a hidden download link and promoted through a Telegram channel (@elite_cloud1).
Date: 2026-04-23T21:36:56Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-485-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Poland-%E2%9C%AA-23-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Philippine email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 172,000 email and password credential pairs allegedly sourced from Philippines-based accounts. The list is described as fresh and high quality, and is shared via a hidden download link on the forum. The actor also promotes a Telegram channel (t.me/elite_cloud1) for additional credential logs.
Date: 2026-04-23T21:36:34Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-172-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Philippines-%E2%9C%AA-23-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Philippines
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Peruvian email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 126,000 email and password pairs allegedly sourced from Peru. The credential list is described as fresh and high quality and is shared as hidden content on the forum. The actor also promotes additional credential logs via a Telegram channel linked to Elite_Cloud1.
Date: 2026-04-23T21:36:15Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-126-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Peru-%E2%9C%AA-23-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Peru
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Portugal credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has shared a combolist of approximately 75,000 email and password credential pairs associated with Portugal. The list is described as fresh and high quality and is made available via a hidden download link on DemonForums, with additional content promoted through a Telegram channel (@elite_cloud1).
Date: 2026-04-23T21:35:58Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-75-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Portugal-%E2%9C%AA-23-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Portugal
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Pakistani email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Elite_Cloud1 has shared a combolist of approximately 46,000 email address and password combinations associated with Pakistani users. The credential list is described as fresh and high quality, and has been made available via a hidden content gate on the forum. The actor also promotes additional credential logs through a Telegram channel.
Date: 2026-04-23T21:35:40Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-46-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Pakistan-%E2%9C%AA-23-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Pakistan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub has shared what is claimed to be a combolist containing 1,172 Hotmail credentials on the cracking forum CrackingX. The content is gated behind registration or sign-in, suggesting it is available to forum members as a free release. The post is dated April 26, 2023.
Date: 2026-04-23T21:35:23Z
Network: openweb
Published URL: https://crackingx.com/threads/73055/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com

Alleged leak of Norwegian credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 21,000 email and password pairs associated with Norwegian users. The list is described as fresh and high quality, suggesting recently obtained or validated credentials. The post directs users to a Telegram channel (@elite_cloud1) for additional credential logs.
Date: 2026-04-23T21:35:19Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-21-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Norway-%E2%9C%AA-23-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Norway
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Yahoo credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 1.28 million lines of alleged Yahoo credentials on the cracking forum CrackingX. The data, labeled as valid leaks for 2026, was shared via a Mega.nz link as a free download. The post suggests the combolist contains email and password combinations associated with Yahoo accounts.
Date: 2026-04-23T21:35:06Z
Network: openweb
Published URL: https://crackingx.com/threads/73056/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: United States
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com

Alleged leak of Nigerian email credential combolist
Category: Combo List
Content: A threat actor known as thejackal101 has made available a combolist of approximately 16,000+ email and password credential pairs allegedly sourced from Nigeria. The list is described as fresh and high quality and is being distributed via a hidden content link on the forum. The actor promotes additional credential content through a Telegram channel at t.me/elite_cloud1.
Date: 2026-04-23T21:34:57Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-16-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Nigeria-%E2%9C%AA-23-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Nigeria
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Outlook and Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist containing 1,852 credential pairs targeting Outlook and Hotmail email accounts. The list was shared for free download on a cracking forum. The credentials may be used for account takeover or further exploitation.
Date: 2026-04-23T21:34:51Z
Network: openweb
Published URL: https://crackingx.com/threads/73057/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: outlook.com

Alleged leak of full logs shared on underground forum
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly shared a post on the AE – Leaked Databases forum titled 1.2GB FULL LOGS, suggesting the availability of approximately 1.2GB of log data. No further details regarding the victim, data type, or content were available in the post. The nature and origin of the logs remain unknown.
Date: 2026-04-23T21:32:38Z
Network: openweb
Published URL: https://altenens.is/threads/1-2gb-full-logs.2928836/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly has made available a combolist containing approximately 20,000 Hotmail email credential pairs on the AE forum. The post is categorized as Mail Access, suggesting the credentials provide direct email account access. No pricing information was provided, indicating the combolist was shared freely.
Date: 2026-04-23T21:31:45Z
Network: openweb
Published URL: https://altenens.is/threads/20k-hotmail-lines-mail-access.2928833/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com

Alleged leak of mixed email access credentials (25,000 lines)
Category: Data Leak
Content: A threat actor known as WhiteMelly shared a mixed combolist containing approximately 25,000 lines of email credentials with mail access on the AE forum. The post is described as a free leak of mixed email account credentials. No specific victim organization or country has been identified.
Date: 2026-04-23T21:31:33Z
Network: openweb
Published URL: https://altenens.is/threads/25k-mix-lines-mail-access.2928830/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of school and government email credentials
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a combolist containing approximately 27,300 email credentials associated with school and government domains. The list is described as premium quality, suggesting verified or high-value entries. No specific organizations or countries have been identified from the available information.
Date: 2026-04-23T21:31:22Z
Network: openweb
Published URL: https://altenens.is/threads/fire-27-3k-school-and-govt-mails-premium-rocket-ebbi_cloud.2928835/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Government and Education
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 16,000 corporate business email credentials
Category: Data Leak
Content: A threat actor operating under the handle Ebbicloud has made available a combolist containing approximately 16,000 corporate and business email credentials on the cybercrime forum AlteNens. The post targets company business email accounts, which could be leveraged for business email compromise (BEC), phishing, or unauthorized access to corporate systems. No specific victim organizations or countries were identified in the post.
Date: 2026-04-23T21:31:11Z
Network: openweb
Published URL: https://altenens.is/threads/star-16k-company-business-mails-top-money-bag-ebbi_cloud.2928839/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Multiple Industries
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of gaming account credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has shared a combolist containing approximately 1,900 gaming-related email credentials on the forum AE – Combo List. The post, titled with references to gaming emails, suggests the credentials were made available for free distribution. No specific victim organization or platform has been identified.
Date: 2026-04-23T21:30:57Z
Network: openweb
Published URL: https://altenens.is/threads/star-1-9k-gaming-mails-new-rocket-ebbi_cloud.2928842/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of European email combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud shared a combolist purportedly containing approximately 21,900 email credentials belonging to European users on the forum AE – Combo List. The post is labeled as VIP content, suggesting it may be restricted to privileged forum members. No specific targeted organization or victim site has been identified.
Date: 2026-04-23T21:30:43Z
Network: openweb
Published URL: https://altenens.is/threads/money-bag-21-9k-europe-country-mails-vip-fire-ebbi_cloud.2928847/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Europe
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of European email combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud shared a combolist on the forum AE containing approximately 15,800 email credentials allegedly belonging to European users. The post is titled as premium Europe country mails, suggesting the credentials may be of higher quality or validity. No specific targeted organization or sector has been identified.
Date: 2026-04-23T21:30:32Z
Network: openweb
Published URL: https://altenens.is/threads/rocket-15-8k-europe-country-mails-premium-rocket-ebbi_cloud.2928849/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Europe
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of European email combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud shared a combolist containing approximately 18,900 European email credentials on the forum Altenens. The post, promoted via the Telegram channel @ebbi_cloud, made the credential list freely available. No specific victim organization or source of the data was identified.
Date: 2026-04-23T21:30:20Z
Network: openweb
Published URL: https://altenens.is/threads/gem-stone-18-9k-europe-country-mails-super-fire-ebbi_cloud.2928846/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Europe
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 19,700 United States email credentials
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a combolist containing approximately 19,700 United States email credentials on the forum AE – Combo List. The post claims the list is 100% valid. No specific targeted organization or service has been identified.
Date: 2026-04-23T21:30:08Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltage-19-7k-usa-america-mails-100-valid-high-voltage-ebbi_cloud.2928853/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 18,200 USA email combolist
Category: Data Leak
Content: A threat actor operating under the handle Ebbicloud shared a combolist containing approximately 18,200 email addresses allegedly belonging to United States-based users on the AE forum. The post was made available for free download or distribution. No specific victim organization or industry was identified.
Date: 2026-04-23T21:29:57Z
Network: openweb
Published URL: https://altenens.is/threads/star-18-2k-usa-america-mails-new-rocket-ebbi_cloud.2928854/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 16,000 United States email credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has shared what is alleged to be a combolist containing approximately 16,000 email credentials belonging to United States-based users. The post was made on the AE (AlteNens) cybercrime forum and appears to be a free distribution of the credential list. No specific victim organization or source platform has been identified.
Date: 2026-04-23T21:29:37Z
Network: openweb
Published URL: https://altenens.is/threads/money-bag-16k-usa-america-mails-mega-high-voltage-ebbi_cloud.2928857/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 14,800 USA email combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has shared a combolist containing approximately 14,800 email credentials associated with United States users on the forum AE – Combo List. The post was made available via the actor's channel @ebbi_cloud. No specific victim organization or targeted service has been identified.
Date: 2026-04-23T21:29:25Z
Network: openweb
Published URL: https://altenens.is/threads/fire-14-8k-usa-america-mails-new-star-ebbi_cloud.2928860/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 23,800 United States email credentials
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a combolist containing approximately 23,800 email credentials associated with United States-based users. The post was shared on the AE (AlteNens) forum and promoted via the Telegram channel @ebbi_cloud. No specific victim organization or platform has been identified.
Date: 2026-04-23T21:29:13Z
Network: openweb
Published URL: https://altenens.is/threads/fire-23-8k-usa-america-mails-fresh-gem-stone-ebbi_cloud.2928862/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 9,200 United States email credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias Ebbicloud has made available a combolist containing approximately 9,200 email credentials belonging to United States users. The post was shared on the AE (AlteNens) forum and appears to be a free distribution of the credential list. No specific victim organization or targeted service has been identified.
Date: 2026-04-23T21:29:01Z
Network: openweb
Published URL: https://altenens.is/threads/rocket-9-2k-usa-america-mails-super-rocket-ebbi_cloud.2928863/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Leak of Protemps Singapore Recruitment Database
Category: Data Leak
Content: A threat actor has redistributed a database dump allegedly originating from Protemps Singapore, a recruitment firm, originally breached in October 2021. The leaked data includes approximately 49,591 unique records containing names, email addresses, physical addresses, phone numbers, passport numbers, and MD5 hashed passwords. The actor states the repost was made because previous distribution links had expired, and the data was restored from a local backup.
Date: 2026-04-23T21:12:45Z
Network: openweb
Published URL: https://pwnforums.st/Thread-REPOST-Protemps-com-sg-Database-Leak-50k-Unique-Emails
Screenshots:
None
Threat Actors: infintyx07
Victim Country: Singapore
Victim Industry: Human Resources & Recruitment
Victim Organization: Protemps Singapore
Victim Site: protemps.com.sg

Alleged leak of 6 million multi-country credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist containing approximately 6 million credential pairs, allegedly spanning multiple countries including Slovenia, Sweden, Switzerland, and others. The actor promotes free combo distribution via Telegram channels and invites users to contact them directly for additional content. No specific victim organization or targeted service has been identified.
Date: 2026-04-23T21:04:04Z
Network: openweb
Published URL: https://crackingx.com/threads/73053/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Sale of Private Database Collection Including SSN, ID Documents, and Financial Records
Category: Data Breach
Content: A threat actor operating under the alias jannatmirza11 is advertising a collection of private databases via Telegram, claiming to offer company databases, government-issued document scans (ID cards, driver's licenses, passports), SSN/SIN records, consumer and citizen information, phone and email lists, and credential lists. The actor is directing buyers to contact them via Telegram at @jannat646500. No specific victim organizations or record counts are disclosed in the post.
Date: 2026-04-23T21:03:58Z
Network: openweb
Published URL: https://crackingx.com/threads/73051/
Screenshots:
None
Threat Actors: jannatmirza11
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data breach of ayurveda-best.com.ua – 27k customer orders
Category: Data Breach
Content: A database dump from ayurveda-best.com.ua (Ukrainian e-commerce site) containing approximately 27,000 customer orders has been leaked. The dump includes comprehensive customer personal information: names, emails, phone numbers, fax numbers, payment details (cardholder names, addresses, payment methods), shipping addresses, order information, IP addresses, user agents, and timestamps. The data appears to be from an e-commerce platform database.
Date: 2026-04-23T20:46:06Z
Network: telegram
Published URL: https://t.me/KeymousTG/1169
Screenshots:
None
Threat Actors: Keymous
Victim Country: Ukraine
Victim Industry: E-commerce/Retail
Victim Organization: ayurveda-best.com.ua
Victim Site: ayurveda-best.com.ua

Alleged data breach of ayurveda-best.com – 27k customer orders database dump
Category: Data Breach
Content: A database dump allegedly from ayurveda-best.com (Ukrainian e-commerce site) containing approximately 27,000 customer orders has been shared. The dump includes comprehensive PII such as first/last names, emails, telephone numbers, fax, payment information (names, company, addresses, payment methods), shipping addresses, order details, IP addresses, user agents, and timestamps. The data appears to be from an e-commerce platform database.
Date: 2026-04-23T20:45:32Z
Network: telegram
Published URL: https://t.me/c/2588114907/1169
Screenshots:
None
Threat Actors: Keymous
Victim Country: Ukraine
Victim Industry: E-commerce/Retail
Victim Organization: ayurveda-best.com
Victim Site: ayurveda-best.com

Website Defacement of Tsalka.gr by Dkid03
Category: Defacement
Content: On April 24, 2026, the website tsalka.gr was defaced by a threat actor identified as Dkid03, operating without a team affiliation. The attack targeted the wp-content directory, suggesting the victim was running a WordPress-based web presence. The defacement was a singular, non-mass, and non-repeated incident with no disclosed motive or exploit details.
Date: 2026-04-23T20:43:32Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912445
Screenshots:
None
Threat Actors: Dkid03
Victim Country: Greece
Victim Industry: Unknown
Victim Organization: Tsalka
Victim Site: tsalka.gr

Website Defacement of Vakalat Vidya by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: The website vakalatvidya.com was defaced by threat actor EbRaHiM-VaKeR, operating under the group LegioN_LeakeR, on April 24, 2026. The defacement targeted a text file on the domain, suggesting a targeted intrusion rather than a full homepage takeover. The incident has been archived via zone-xsec.com mirror for further analysis.
Date: 2026-04-23T20:31:53Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912444
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, LegioN_LeakeR
Victim Country: India
Victim Industry: Legal Education
Victim Organization: Vakalat Vidya
Victim Site: vakalatvidya.com

Alleged leak of multi-country email and password combolist containing 7.4 million credentials
Category: Combo List
Content: A threat actor known as CODER has made available a combolist of approximately 7.4 million email and password combinations spanning multiple countries including India, China, Canada, the United States, Mexico, Brazil, Argentina, the United Kingdom, Germany, France, Italy, Spain, and Portugal. The credentials are being freely distributed via two Telegram channels and can also be requested directly through the actor's Telegram handle CODER5544. No specific victim organization or source has been i
Date: 2026-04-23T20:31:47Z
Network: openweb
Published URL: https://crackingx.com/threads/73049/
Screenshots:
None
Threat Actors: CODER
Victim Country: Multiple
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Sale of Fullz, SSN, SIN, NIN, and Financial Leads Across Multiple Countries
Category: Carding
Content: A threat actor operating under the Telegram handle @Adamspeek is offering a wide range of stolen personal and financial data for sale, including US Social Security Numbers, Canadian Social Insurance Numbers, UK National Insurance Numbers, credit card dumps, and various demographic lead lists. The offerings span multiple countries and industries including banking, insurance, crypto, and healthcare sectors. Bulk discounts are advertised, suggesting an established data brokering operation targeting
Date: 2026-04-23T20:29:03Z
Network: openweb
Published URL: https://altenens.is/threads/fire-fullz-leads-usa-ssn-canada-sin-uk-nin-data-fire-telegram-bell-_-adamspeek.2928814/unread
Screenshots:
None
Threat Actors: parkeradam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of Krishna Physiotherapy Rehab by EbRaHiM-VaKeR (LegioN_LeakeR)
Category: Defacement
Content: The website of Krishna Physiotherapy Rehab was defaced by threat actor EbRaHiM-VaKeR, operating under the group LegioN_LeakeR, on April 24, 2026. The incident was a targeted single-page defacement, not classified as a mass or home page defacement. The attacker's motivation and server details remain unknown at this time.
Date: 2026-04-23T20:25:47Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912434
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Healthcare
Victim Organization: Krishna Physiotherapy Rehab
Victim Site: krishnaphysiotherapyrehab.com

Website Defacement of Costlay by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: The website costlay.com was defaced by threat actor EbRaHiM-VaKeR, operating under the group LegioN_LeakeR, on April 24, 2026. The incident targeted a specific file path (costlay.com/v.txt) rather than the site homepage, indicating a targeted file-level defacement. No motive, server details, or additional technical indicators were disclosed in connection with this incident.
Date: 2026-04-23T20:22:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912432
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Costlay
Victim Site: costlay.com

Alleged leak of IRGC Basij member personal data by pro-Yemeni hacktivist
Category: Data Leak
Content: A threat actor operating under the alias ansaralyemen has claimed to leak personal information of IRGC Basij members, citing Iranian oppression of Iranian and Yemeni people as motivation. The actor states they will release data on 47 members daily, including birthdates, birth certificate numbers, national IDs, and names. The data is being made available via a JustPaste.it link and a Telegram channel, with updates promised on a daily basis.
Date: 2026-04-23T20:11:11Z
Network: openweb
Published URL: https://pwnforums.st/Thread-IRGC-BASIJ-MEMBERS-DOX–188502
Screenshots:
None
Threat Actors: ansaralyemen
Victim Country: Iran
Victim Industry: Government / Military
Victim Organization: Islamic Revolutionary Guard Corps (IRGC) Basij
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared an alleged combolist of approximately 2,170 fresh Hotmail credential hits dated April 23rd. The post offers access to verified email:password combinations for Hotmail accounts. The content is restricted to registered forum users.
Date: 2026-04-23T20:02:27Z
Network: openweb
Published URL: https://crackingx.com/threads/73042/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias MegaCloudShop has shared a combolist of approximately 217 fresh Hotmail email credentials dated April 23rd. The content is hidden behind a registration/login requirement on the forum, suggesting it is available to registered members. The actor promotes an associated store at megacloudshop.top.
Date: 2026-04-23T20:02:23Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-217X-Fresh-Hotmail-Hits-23-04
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged distribution of casino-targeted combolist affecting .com, .fr, and .es domains
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a 5 million entry combolist via Telegram, targeting casino platforms across .com, .fr, and .es domains. The credential lists are being made available for free through Telegram groups and on request. The actor promotes additional free tools and combos through dedicated Telegram channels.
Date: 2026-04-23T20:02:08Z
Network: openweb
Published URL: https://crackingx.com/threads/73043/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Gambling & Casinos
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of root shell access
Category: Initial Access
Content: User claims to have root access and has uploaded a shell, indicating potential sale or distribution of initial access to a compromised system.
Date: 2026-04-23T19:57:18Z
Network: telegram
Published URL: https://t.me/c/3008049195/303
Screenshots:
None
Threat Actors: Mecrobyte
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data breach of tawjih.tn with threatened database leak
Category: Data Breach
Content: Threat actor claims to have hacked https://tawjih.tn/ and threatens to leak the database. No specific details about victim organization, data type, or timeline provided.
Date: 2026-04-23T19:57:08Z
Network: telegram
Published URL: https://t.me/c/3008049195/302
Screenshots:
None
Threat Actors: Mecrobyte
Victim Country: Tunisia
Victim Industry: Unknown
Victim Organization: tawjih.tn
Victim Site: tawjih.tn

Alleged leak of URL-login-password credential combolist
Category: Combo List
Content: A threat actor operating under the alias RandomUpload has made available a combolist containing approximately 314,000 URL-login-password credential pairs on a cracking forum. The post, dated April 26, 2024, requires forum registration to access the hidden download content. No specific victim organization or country has been identified, suggesting the credentials may span multiple sources.
Date: 2026-04-23T19:38:01Z
Network: openweb
Published URL: https://crackingx.com/threads/73040/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Asian mix combolist with 11 million credentials
Category: Combo List
Content: A threat actor known as CODER has made available an alleged combolist containing 11 million credential pairs described as an Asian mix on the crackingx.com forum. The actor promotes free combo distribution via Telegram channels and groups. No specific victim organization or targeted service has been identified.
Date: 2026-04-23T19:37:45Z
Network: openweb
Published URL: https://crackingx.com/threads/73041/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 1,200 Hotmail email credentials
Category: Logs
Content: A threat actor operating under the alias MegaCloud has made available a combolist containing approximately 1,200 Hotmail email credentials, described as fresh and high quality, dated April 23. The post requires forum registration to access the download link, suggesting the content is shared within a restricted cybercriminal community. No price is mentioned, indicating the credential list is being distributed for free.
Date: 2026-04-23T19:33:11Z
Network: openweb
Published URL: https://xforums.st/threads/1-2k-hotmail-fresh-mail-access-top-quality-23-04.609386/
Screenshots:
None
Threat Actors: MegaCloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of mixed email access credentials (9,060 records)
Category: Combo List
Content: A threat actor operating under the alias RandomUpload has made available a mixed combolist containing 9,060 email access credentials on the cracking forum CrackingX. The post is gated behind registration, limiting full visibility into the affected services or regions. The credentials appear to span multiple mail providers, as indicated by the mixed designation in the thread title.
Date: 2026-04-23T19:12:38Z
Network: openweb
Published URL: https://crackingx.com/threads/73036/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of German shopping-targeted combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 970,434 credential entries via a Mega.nz link. The dataset is described as targeting European, specifically German, shopping platforms. No specific organization or domain has been identified as the source of the credentials.
Date: 2026-04-23T19:12:22Z
Network: openweb
Published URL: https://crackingx.com/threads/73037/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail & E-Commerce
Victim Organization: Unknown
Victim Site: Unknown

Alleged data leak of mixed Polish and international database dump
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a mixed database dump on a cybercrime forum, claiming to contain approximately 4,990 records primarily associated with Poland and other unspecified countries. The data is offered as a free download. The nature of the organizations or individuals affected has not been disclosed.
Date: 2026-04-23T19:12:02Z
Network: openweb
Published URL: https://crackingx.com/threads/73038/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Mass and Repeated Website Defacement of Jernih Creatif by Irene of XmrAnonye.id
Category: Defacement
Content: On April 24, 2026, a threat actor known as Irene, affiliated with the group XmrAnonye.id, defaced the website of Jernih Creatif, an Indonesian creative services organization. This incident is classified as both a mass defacement and a redefacement, indicating the target had been previously compromised and was targeted again as part of a broader campaign. The defacement was carried out on a Linux-based server, with a mirror archived at haxor.id.
Date: 2026-04-23T19:08:37Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248669
Screenshots:
None
Threat Actors: Irene, XmrAnonye.id
Victim Country: Indonesia
Victim Industry: Creative Services / Design
Victim Organization: Jernih Creatif
Victim Site: www.jernihcreatif.com

Alleged Data Breach of MM Mega Market Vietnam (mmvietnam.com)
Category: Data Breach
Content: A threat actor operating under the alias ijpys has claimed a data breach of mmvietnam.com, the online ordering platform for MM Mega Market Vietnam. The exposed database allegedly contains 98,642 records including customer login names, email addresses, full names, and phone numbers. The data is being made available via a hidden download link on the forum, requiring account upgrade or reply to access.
Date: 2026-04-23T18:56:39Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-mmvietnam-com-98-6K
Screenshots:
None
Threat Actors: ijpys
Victim Country: Vietnam
Victim Industry: Retail & E-Commerce
Victim Organization: MM Mega Market Vietnam
Victim Site: mmvietnam.com

Alleged data breach of 7-Eleven exposing Salesforce PII records
Category: Data Leak
Content: A threat actor known as TheFallen has made available an alleged database dump from 7-Eleven, Inc., containing over 600,000 Salesforce records with PII and internal corporate data. The leaked dataset is reported to be over 10.4GB in compressed size. The data is being distributed via Telegram.
Date: 2026-04-23T18:56:01Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-2026-7-Eleven-Database
Screenshots:
None
Threat Actors: TheFallen
Victim Country: United States
Victim Industry: Retail
Victim Organization: 7-Eleven
Victim Site: 7-eleven.com

Alleged Data Breach of CarGurus with 12.4 Million Records Exposed
Category: Data Leak
Content: A threat actor known as TheFallen has made available an alleged database dump from CarGurus (cargurus.com) containing over 12.4 million records with personally identifiable information and internal corporate data. The compressed dataset is reported to be over 7.1GB in size. The actor is distributing the data via Telegram.
Date: 2026-04-23T18:55:23Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-2026-CARGURUS-database
Screenshots:
None
Threat Actors: TheFallen
Victim Country: United States
Victim Industry: Automotive Marketplace
Victim Organization: CarGurus
Victim Site: cargurus.com

Alleged leak of mixed email access combolist
Category: Combo List
Content: A threat actor operating under the alias StrawHatBase has made available a combolist containing approximately 32,000 email address and password combinations on DemonForums. The post is categorized as a mixed mail access list, suggesting credentials spanning multiple email providers. The content is hidden behind a registration or login requirement, indicating it is restricted to forum members.
Date: 2026-04-23T18:47:36Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-32K-GOOD-MAIL-ACCESS-MIX
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of credential combolist targeting multiple countries including Greece
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist of approximately 7 million credential pairs, allegedly targeting users from multiple countries including Greece, Guatemala, Hungary, Iran, Ireland, and others. The combolist is being made available for free via Telegram channels and groups. The actor is also promoting additional free combo and tool resources through dedicated Telegram groups.
Date: 2026-04-23T18:47:32Z
Network: openweb
Published URL: https://crackingx.com/threads/73031/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credentials combolist with 110 hits
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a combolist allegedly containing 110 verified credential hits for Hotmail accounts. The content is restricted to registered users of the forum. The post is categorized under combolists and dumps, suggesting the credentials are email and password pairs.
Date: 2026-04-23T18:47:18Z
Network: openweb
Published URL: https://crackingx.com/threads/73032/
Screenshots:
None
Threat Actors: lpbPrivate
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of premium mixed credential combolist with inbox targets
Category: Combo List
Content: A threat actor on the CX cracking forum has made available a collection of 2,970 alleged premium mixed UHQ (ultra-high quality) credential hits along with a separate list of inboxed email targets. The content was shared as free downloads and appears to consist of combolists and targeted inbox data. No specific victim organization or country has been identified.
Date: 2026-04-23T18:46:53Z
Network: openweb
Published URL: https://crackingx.com/threads/73034/
Screenshots:
None
Threat Actors: Hotmail Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of French combolist credentials
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist allegedly containing 7 million credential pairs targeting French users. The combolist is being distributed freely via Telegram channels linked to the actor. No specific victim organization or domain has been identified.
Date: 2026-04-23T18:46:34Z
Network: openweb
Published URL: https://crackingx.com/threads/73035/
Screenshots:
None
Threat Actors: CODER
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed email credential combolist with inbox targets
Category: Combo List
Content: A threat actor operating under the alias He_Cloud on DemonForums has made available a combolist containing approximately 4,259 allegedly fresh and validated email:password credential pairs. The post includes a secondary download for inboxed targets, suggesting the credentials have been verified for inbox access. The credentials appear to be a mixed-source collection with no specific victim organization or country identified.
Date: 2026-04-23T18:46:31Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-4259x-HQ-MIX-FRESH-VALIDS-%E2%9A%A1%E2%9A%A1-INBOXES-TARGETS
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged distribution of DynAmite 4.0 modular malware creation toolkit
Category: Data Leak
Content: A threat actor operating under the alias CINCH19922 has made available a modular malware creation toolkit called DynAmite 4.0 on the AE cybercrime forum. The toolkit is described as offering pre-configured modules, automated payload generation, and rapid deployment capabilities for creating customizable malware payloads. A Telegram contact is provided for premium tools, and a download link is shared, suggesting free distribution of the toolkit.
Date: 2026-04-23T18:43:56Z
Network: openweb
Published URL: https://altenens.is/threads/dynamite-4-0-malware-creation-toolskithigh-voltage-rapid-deployment-capabilities.2928750/unread
Screenshots:
None
Threat Actors: CINCH19922
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of zxgktl.com by QATAR911
Category: Defacement
Content: The threat actor QATAR911 defaced a specific page on zxgktl.com, targeting the URL zxgktl.com/qa123.html on April 24, 2026. The incident was a targeted single-page defacement rather than a mass or home page defacement. Limited technical details are available regarding the server infrastructure or the attacker's stated motivation.
Date: 2026-04-23T18:40:29Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912431
Screenshots:
None
Threat Actors: QATAR911, QATAR911
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: zxgktl.com

Mass Website Defacement of shop.emjepe.com by Irene of XmrAnonye.id
Category: Defacement
Content: On April 24, 2026, a threat actor known as Irene, operating under the group XmrAnonye.id, defaced the e-commerce website shop.emjepe.com. This incident is classified as both a mass defacement and a redefacement, indicating the site had been previously compromised and was targeted again as part of a broader campaign. The defacement was carried out on a Linux-based server, with the compromised page archived at haxor.id.
Date: 2026-04-23T18:34:13Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248668
Screenshots:
None
Threat Actors: Irene, XmrAnonye.id
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: Emjepe Shop
Victim Site: shop.emjepe.com

Alleged leak of 482 million URL:Login:Password credential lines
Category: Logs
Content: A threat actor operating under the alias StarLinkClub has made available a large combolist containing approximately 482.794 million lines in URL:Login:Password format, totaling approximately 27GB in size. The content is gated behind a reply requirement on the forum, suggesting it is being freely distributed rather than sold. The dataset appears to aggregate credentials from multiple sources and is not attributed to any single organization or country.
Date: 2026-04-23T18:29:31Z
Network: openweb
Published URL: https://pwnforums.st/Thread-URL-LOGIN-PASS-Url-Log-Pass-482-794-044-M%C4%B1ll%C4%B1on-L%C4%B1nes-27gb
Screenshots:
None
Threat Actors: StarLinkClub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 11.8 million URL:Login:Password credential lines
Category: Logs
Content: A threat actor operating under the alias StarLinkClub has shared a combolist containing approximately 11.8 million lines of URL:login:password credentials on a cybercrime forum. The archive is approximately 600MB in size and is made available to forum members who reply to the thread. No specific victim organization or country is identified, suggesting the data is aggregated from multiple sources.
Date: 2026-04-23T18:29:05Z
Network: openweb
Published URL: https://pwnforums.st/Thread-URL-LOGIN-PASS-Url-Log-Pass-11-887-391-M%C4%B1ll%C4%B1on-L%C4%B1nes-600mb
Screenshots:
None
Threat Actors: StarLinkClub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 300,000 German credentials combolist
Category: Combo List
Content: A threat actor operating under the alias IMROG has made available a combolist containing approximately 300,000 credential pairs allegedly associated with German users. The post is hosted on a cybercrime forum and describes the list as fully capped, indicating the credentials have been verified as valid. Access to the content requires forum engagement, suggesting it is being distributed freely to forum members.
Date: 2026-04-23T18:27:22Z
Network: openweb
Published URL: https://pwnforums.st/Thread-300k-GERMANY-Good-Fully-Capped-Combolist-ROG-s-KINGDOM
Screenshots:
None
Threat Actors: IMROG
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 250,000 USA credentials combolist
Category: Combo List
Content: A threat actor known as IMROG has shared a combolist containing approximately 250,000 credential pairs purportedly belonging to United States users. The post is hosted on a known cybercrime forum and claims the list is untouched and fresh. The content is gated behind a reply requirement, suggesting it is being distributed freely to forum members.
Date: 2026-04-23T18:26:59Z
Network: openweb
Published URL: https://pwnforums.st/Thread-250k-USA-Untouched-Fresh-Valid-Combolist-ROG-s-KINGDOM
Screenshots:
None
Threat Actors: IMROG
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 130,000 Polish credentials combolist
Category: Combo List
Content: A threat actor operating under the alias IMROG has shared a combolist containing approximately 130,000 credential pairs allegedly associated with Polish users. The content is made available for free to forum members who reply to the thread. No specific organization or service is identified as the source of the leaked credentials.
Date: 2026-04-23T18:26:36Z
Network: openweb
Published URL: https://pwnforums.st/Thread-130k-POLAND-Powerfull-Fresh-Combolist-ROG-s-KINGDOM
Screenshots:
None
Threat Actors: IMROG
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Microsoft credential combolist
Category: Combo List
Content: A threat actor operating under the alias IMROG has made available a combolist purportedly containing approximately 900,000 Microsoft account credentials on a cybercrime forum. The content is hidden behind a reply gate, requiring forum members to reply to the thread in order to access the download. The combolist is described as meaningful and high-quality by the poster.
Date: 2026-04-23T18:25:58Z
Network: openweb
Published URL: https://pwnforums.st/Thread-900k-MICROSOFT-Meaningfull-Simply-Best-Combolist-ROG-s-KINGDOM
Screenshots:
None
Threat Actors: IMROG
Victim Country: United States
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: microsoft.com

Alleged leak of French email and password credential list
Category: Combo List
Content: A threat actor known as ShroudX has shared an alleged high-quality French email and password combolist on a cybercrime forum. The credentials are made available as hidden content requiring forum engagement to access. The specific origin, affected organization, and record count of the combolist are unknown.
Date: 2026-04-23T18:25:34Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-FRANCE-EMAILPASS-COMBOLIST-txt–188461
Screenshots:
None
Threat Actors: ShroudX
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Vietnamese email credentials combolist
Category: Combo List
Content: A threat actor known as sxxone shared a combolist containing 57 email:password credential pairs allegedly belonging to Vietnamese users on a cybercrime forum. The content is gated behind a reply requirement, suggesting it is being freely distributed to forum members. The post is titled HQ FRESH 57X MAILPASS VN, indicating the credentials are purportedly high-quality and recently obtained.
Date: 2026-04-23T18:24:59Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-FRESSH-57X-MAILPASS-VN
Screenshots:
None
Threat Actors: sxxone
Victim Country: Vietnam
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Sale of Japanese Citizen Database with 80 Million Records
Category: Data Breach
Content: A threat actor known as Kim1000P is selling an alleged database containing 80 million Japanese citizen records for $3,000. The dataset includes full names, addresses, phone numbers, email addresses, dates of birth, and Japanese national identification (My Number) card numbers. Escrow is accepted, and sample data provided suggests the records are structured and contain authentic-looking Japanese personal information.
Date: 2026-04-23T18:23:33Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Japan-citizen-80m-records
Screenshots:
None
Threat Actors: Kim1000P
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach of Bureau of Transportation Statistics (BTS.GOV)
Category: Data Breach
Content: A threat actor identified as TheAshborn is selling an alleged database containing approximately 20 million rows of personally identifiable information (PII) purportedly belonging to users of bts.gov, the official website of the U.S. Bureau of Transportation Statistics. The data is being offered for $5,000 worth of cryptocurrency via the Session messaging platform. Proof of the alleged breach has been shared via a Gofile link.
Date: 2026-04-23T18:22:33Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-USA-20-000-000-rows-PII-Data-of-BTS-GOV
Screenshots:
None
Threat Actors: TheAshborn
Victim Country: United States
Victim Industry: Government
Victim Organization: Bureau of Transportation Statistics
Victim Site: bts.gov

Alleged Data Breach of Bol.com Exposing 400,000 Belgian Customer Records
Category: Data Breach
Content: A threat actor operating under the alias TrueNigger is selling an alleged database dump of 400,000 Bol.com customer records. The dataset reportedly includes extensive personally identifiable information such as customer IDs, full names, email addresses, phone numbers, dates of birth, nationality, and identity numbers, as well as detailed shipping and order data including payment methods, tracking numbers, and delivery statuses. The seller is accepting negotiable pricing and transactions via es
Date: 2026-04-23T18:21:49Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-400k-Belgium-Bol-com-PII-DataSet-that-includes-username-email-phone
Screenshots:
None
Threat Actors: TrueNigger
Victim Country: Belgium
Victim Industry: E-Commerce
Victim Organization: Bol.com
Victim Site: bol.com

Alleged Data Breach of Bodyhit Club with Customer and Banking Information
Category: Data Breach
Content: A threat actor is selling a database allegedly obtained from Bodyhit Club (bodyhit.fr), a French fitness club operator. The breach reportedly affects 218,542 customers and includes sensitive personal data such as full names, birthdates, email addresses, phone numbers, physical addresses, IBAN numbers, and BIC codes. The data is offered in JSONL format and is attributed to an actor identified as underus.
Date: 2026-04-23T18:21:23Z
Network: openweb
Published URL: https://pwnforums.st/Thread-FRENCH-Bodyhit-Club-Database-Leak-218K-Customers-Bank-Info
Screenshots:
None
Threat Actors: undef
Victim Country: France
Victim Industry: Fitness & Sports Clubs
Victim Organization: Bodyhit Club
Victim Site: bodyhit.fr

Alleged Source Code Leak of Importaciones a México (importacionesamexico.com.mx)
Category: Data Leak
Content: A threat actor using the handle ijpys has made available an alleged Git repository source code leak belonging to Importaciones a México, a Mexican import/export company. The leaked data is approximately 730.9MB in size and was posted on April 21, 2026, as a free download requiring forum reply. The actor also promotes the content via a Telegram channel.
Date: 2026-04-23T18:20:34Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SOURCE-CODE-Importaciones-a-M%C3%A9xico-importacionesamexico-com-mx-Git-Source-Leak
Screenshots:
None
Threat Actors: ijpys
Victim Country: Mexico
Victim Industry: Retail / Import & Export
Victim Organization: Importaciones a México
Victim Site: importacionesamexico.com.mx

Alleged Data Leak of 1.5 Million US, Canadian, and Mexican Trucking Company Records
Category: Data Leak
Content: A threat actor has freely distributed a structured database containing over 1.5 million trucking company records covering the United States, Canada, and Mexico. The dataset includes DOT numbers, legal and DBA names, physical and mailing addresses, telephone numbers, fax numbers, and email addresses. The data appears to originate from regulatory or commercial carrier records and was made available as a 145.4 MB archive via a public file-sharing service.
Date: 2026-04-23T18:20:07Z
Network: openweb
Published URL: https://pwnforums.st/Thread-over-one-a-half-million-trucking-companies-US-CA-MX
Screenshots:
None
Threat Actors: OriginalCrazyOldFart
Victim Country: United States
Victim Industry: Transportation & Logistics
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of darknet resource links collection
Category: Data Leak
Content: A forum user on PwnForums shared a collection of darknet resource links described as active for 2026. The content is hidden behind a reply gate, requiring users to respond to the thread to access the links. No specific victim, data type, or record count can be determined from the available information.
Date: 2026-04-23T18:19:44Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DARKNET-RESOURCES-LINKS-2026-alive
Screenshots:
None
Threat Actors: pidoras
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Laboratoire National Mohammed VI d'Analyses Médicales (LNM6)
Category: Data Breach
Content: A threat actor known as kingdataseller claims to have exfiltrated approximately 100 GB of data from LNM6, a national medical analysis laboratory in Morocco backed by the Mohammed VI Foundation for Health and Sciences. The stolen data allegedly includes patient scan results and medical records. A sample of three zipped files has been made available for free, while the remainder of the dataset is being offered for sale.
Date: 2026-04-23T18:19:20Z
Network: openweb
Published URL: https://pwnforums.st/Thread-LNM6-%E2%80%94-Laboratoire-National-Mohammed-VI-d-Analyses-M%C3%A9dicales
Screenshots:
None
Threat Actors: kingdataseller
Victim Country: Morocco
Victim Industry: Healthcare
Victim Organization: Laboratoire National Mohammed VI d'Analyses Médicales
Victim Site: Unknown
Alleged Data Leak of WooWup Customer CSV Files via Public S3 Bucket
Category: Data Leak
Content: A threat actor shared a text file containing 9,675 direct download links pointing to CSV files stored in an exposed WooWup AWS S3 bucket (woowup-storage.s3.amazonaws.com). The files, which vary in size, were made freely available via a GoFile link. WooWup is a marketing automation and customer loyalty platform, and the exposed CSVs likely contain customer or campaign data belonging to WooWup's business clients.
Date: 2026-04-23T18:18:56Z
Network: openweb
Published URL: https://pwnforums.st/Thread-WOO-files-don-t-remember-where-I-got-them-9-675-of-them
Screenshots:
None
Threat Actors: OriginalCrazyOldFart
Victim Country: Unknown
Victim Industry: Marketing Technology
Victim Organization: WooWup
Victim Site: woowup.com
Alleged Data Leak of Bangladesh Rural Development and Co-operatives Division (RDCD)
Category: Data Leak
Content: A threat actor known as kingdataseller has leaked data allegedly belonging to the Bangladesh Rural Development and Co-operatives Division (RDCD). The leaked archive purportedly contains personal information, employee and HR data, organizational roles, project and application details, authentication files, and metadata. The data has been made available as a free download via an external file-sharing link.
Date: 2026-04-23T18:18:02Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Bangladesh-Rural-Development-and-Co-operatives-Divisionor
Screenshots:
None
Threat Actors: kingdataseller
Victim Country: Bangladesh
Victim Industry: Government
Victim Organization: Bangladesh Rural Development and Co-operatives Division
Victim Site: rdcd.gov.bd
Alleged Data Breach of Ein Shemer Kibbutz CarLog Vehicle Management System
Category: Data Breach
Content: A threat actor known as imaloser claims to have hacked the CarLog vehicle management system used by Ein Shemer Kibbutz in Israel, exfiltrating a database of approximately 771 resident records. The leaked data includes user IDs, full names, budget numbers, mobile phone numbers, CarLog identifiers, billing system IDs, driver's license numbers and types, and license validity dates. Multiple supporting files including car data exports, maintenance reports, and order reports are made available to f
Date: 2026-04-23T18:17:36Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-IL-Ein-shemer-kibbutz-Seder-Rehev-771
Screenshots:
None
Threat Actors: imaloser
Victim Country: Israel
Victim Industry: Agriculture / Residential Community
Victim Organization: Ein Shemer Kibbutz
Victim Site: Unknown
Alleged Data Leak of FranceVerif.fr Database
Category: Data Leak
Content: A threat actor known as ChimeraZ has leaked a database allegedly belonging to FranceVerif.fr, a French e-commerce trust and coupon verification platform. The leaked data, approximately 25 MB in size and distributed in JSON, JSONL, and CSV formats, contains user feedback records including names, email addresses, IP addresses, browser and OS details, geolocation data, as well as merchant shop records containing business names, addresses, SIRET numbers, phone numbers, emails, and coupon/gift card d
Date: 2026-04-23T18:17:12Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-35K-FranceVerif-fr
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: E-Commerce / Consumer Services
Victim Organization: FranceVerif
Victim Site: franceverif.fr
Alleged Data Leak of French Ministry of Health (sante.gouv.fr) Database
Category: Data Leak
Content: A threat actor known as breach3d has allegedly leaked a database belonging to the French Ministry of Health (sante.gouv.fr). The leaked data reportedly includes full names, valid email addresses, and certificate IDs of registered users. The database is being made available for free download on a cybercrime forum by user aggravage.
Date: 2026-04-23T18:16:38Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-FR-sante-gouv-fr-Database
Screenshots:
None
Threat Actors: aggravage
Victim Country: France
Victim Industry: Government – Healthcare
Victim Organization: French Ministry of Health
Victim Site: sante.gouv.fr
Alleged Data Leak of Atraf Israeli LGBTQ+ Dating Platform Database
Category: Data Leak
Content: A database from Atraf, a popular Israeli LGBTQ+ dating and nightlife platform, has been leaked on a hacking forum. The data was originally exfiltrated during a breach of hosting provider CyberServe by the threat actor group Black Shadow in October 2021. The leaked SQLite database contains approximately 700,000 unique user profiles with highly sensitive personal information including usernames, passwords, email addresses, phone numbers, sexual preferences, gender identity, physical attributes, an
Date: 2026-04-23T18:16:13Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-IL-Atraf-LGBTQ-dating-platform-2021-700k
Screenshots:
None
Threat Actors: imaloser
Victim Country: Israel
Victim Industry: Social Networking / Dating
Victim Organization: Atraf
Victim Site: atraf.co.il
Alleged Data Leak of card24h.com Database
Category: Data Leak
Content: A threat actor claims to have leaked a database from card24h.com, a Thai peer-to-peer payment website. The database was allegedly discovered in April 2026 on a publicly exposed endpoint and contains names, email addresses, bcrypt-hashed passwords, usernames, IP addresses, and wallet history. The data is being made available for free download to forum members.
Date: 2026-04-23T18:15:48Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Card24h-com-Database-Leaked-Download
Screenshots:
None
Threat Actors: enumerate
Victim Country: Thailand
Victim Industry: Financial Services
Victim Organization: Card24h
Victim Site: card24h.com
Alleged Data Breach of Atraf LGBTQ+ Dating Platform
Category: Data Breach
Content: A threat actor operating under the alias imaloser has allegedly made available a database dump from Atraf, an Israeli LGBTQ+ dating platform, containing approximately 700,000 records from 2021. The exposed data is claimed to include personal information of platform users. Given the sensitive nature of the platform's user base, this breach poses significant privacy and safety risks to the individuals affected.
Date: 2026-04-23T18:13:10Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-IL-Atraf-LGBTQ-dating-platform-2021-700k
Screenshots:
None
Threat Actors: imaloser
Victim Country: Israel
Victim Industry: Social Networking / Dating
Victim Organization: Atraf
Victim Site: atraf.com
Alleged Data Leak of Card24h.com Database
Category: Carding
Content: A threat actor operating under the alias enumerate has allegedly leaked a database belonging to Card24h.com, a carding-related platform, and made it available for free download on a cybercrime forum. The post was shared in the Databases section of the forum, suggesting the leak contains structured data. No further details regarding record count or specific data fields are available.
Date: 2026-04-23T18:10:57Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Card24h-com-Database-Leaked-Download
Screenshots:
None
Threat Actors: enumerate
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Card24h
Victim Site: card24h.com
Alleged doxing of Pakistan News individual by Farebi Kafir
Category: Data Leak
Content: Personal identifying information including name (Shahjahan Masood), Pakistani CNIC number, multiple phone numbers, addresses, email accounts, and social media handles (GitHub, Instagram, Twitter) allegedly disclosed by threat actor Farebi Kafir. Post claims victim is associated with Pakistan News organization.
Date: 2026-04-23T18:10:07Z
Network: telegram
Published URL: https://t.me/c/3814026662/201
Screenshots:
None
Threat Actors: Farebi Kafir
Victim Country: Pakistan
Victim Industry: Media/News
Victim Organization: Pakistan News
Victim Site: Unknown
Alleged Data Leak of fw-wizard.com Full Database Dump
Category: Data Leak
Content: A threat actor operating under the alias ebankastore has shared what is claimed to be a full database dump of fw-wizard.com on the Breached forum. The post references an external link hosted on leaky.info, suggesting the data has been made publicly available for free download. The nature and volume of the leaked data remain unknown without further access to the linked content.
Date: 2026-04-23T17:52:57Z
Network: openweb
Published URL: https://breached.st/threads/db-fw-wizard-com-full-dump.86219/unread
Screenshots:
None
Threat Actors: ebankastore
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: FW Wizard
Victim Site: fw-wizard.com
Alleged DDoS Attack Service Offering by KillByte Solutions
Category: Cyber Attack
Content: KillByte Solutions advertises professional DDoS/CC attack services with claimed capabilities of 470 million requests per second (Layer 7) and 1.2 Tbps (Layer 4). The service offers IoT botnet infrastructure, 2.5 million proxy pool, and geo-targeted attacks. Established in 2024, offering free test attacks and service packages through Telegram contact.
Date: 2026-04-23T17:50:59Z
Network: telegram
Published URL: https://t.me/killbyteiot/15
Screenshots:
None
Threat Actors: KillByte Solutions
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Cyprus email combolist credentials
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist of approximately 11 million email credentials allegedly associated with Cyprus. The actor is sharing the content freely via Telegram channels and groups. Contact details and Telegram links are provided for obtaining the combo and related tools.
Date: 2026-04-23T17:38:23Z
Network: openweb
Published URL: https://crackingx.com/threads/73010/
Screenshots:
None
Threat Actors: CODER
Victim Country: Cyprus
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor known as klyne05 shared a mixed email combolist described as private and freshly checked on the crackingx.com forum. The post claims the credentials have been verified and are available for free download. No specific victim organization or record count details were provided in the post.
Date: 2026-04-23T17:38:08Z
Network: openweb
Published URL: https://crackingx.com/threads/73011/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias KiwiShio has made available a combolist containing 875 Hotmail credentials on the cracking forum CrackingX. The post offers a free download of what is described as fresh, high-quality email credential pairs. The origin and method of collection for these credentials are unknown.
Date: 2026-04-23T17:37:52Z
Network: openweb
Published URL: https://crackingx.com/threads/73012/
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed email access combolist with 79,000 credentials
Category: Combo List
Content: A threat actor known as MarkVesto has shared a mixed mail access combolist containing approximately 79,000 email credentials on the crackingx.com forum. The combolist appears to aggregate credentials from various email providers. The content is made available to registered forum users and also promoted via a Telegram channel.
Date: 2026-04-23T17:37:30Z
Network: openweb
Published URL: https://crackingx.com/threads/73014/
Screenshots:
None
Threat Actors: MarkVesto
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Polish credential combolist
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist of approximately 6,800 credential pairs allegedly associated with Polish users. The combolist is being offered as a free download on the cracking forum CrackingX. No specific victim organization or service has been identified.
Date: 2026-04-23T17:37:15Z
Network: openweb
Published URL: https://crackingx.com/threads/73015/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of large-scale URL-login-password credential combolist
Category: Combo List
Content: A threat actor operating under the alias Mustukaral is making available a large-scale URL-login-password (ULP) combolist advertised as 1,300GB in size, with claims of private and fresh updates. The offering includes access to an online search interface to query credentials without downloading files, country-based filtering, and access to historical data. The combolist appears to aggregate credentials from multiple sources and is distributed via the crackingx.com forum.
Date: 2026-04-23T17:36:59Z
Network: openweb
Published URL: https://crackingx.com/threads/73016/
Screenshots:
None
Threat Actors: Mustukaral
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email access credentials (combolist)
Category: Combo List
Content: A threat actor operating under the alias WashingtonDC has made available a mixed email access combolist on the cracking forum CrackingX. The file, hosted on MediaFire, purportedly contains approximately 35,000 email credentials spanning multiple mail providers. The content was shared freely with no mention of a price or payment.
Date: 2026-04-23T17:36:42Z
Network: openweb
Published URL: https://crackingx.com/threads/73017/
Screenshots:
None
Threat Actors: WashingtonDC
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Distribution of Cracked zzchecker Account Checking Tool
Category: Combo List
Content: A threat actor known as theshitter has shared a cracked version of zzchecker, a paid account checker tool originally cracked by user ttz54. The tool has been made available for free download via Mega.nz. Account checker tools are commonly used to automate credential stuffing attacks and validate stolen credentials at scale.
Date: 2026-04-23T17:36:14Z
Network: openweb
Published URL: https://crackingx.com/threads/73020/
Screenshots:
None
Threat Actors: theshitter
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Yahoo and Outlook mixed credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a mixed combolist of approximately 6 million email credentials targeting Yahoo and Outlook accounts. The combolist is being distributed freely via Telegram channels and a cracking forum. The actor also promotes additional free combolists and tools through dedicated Telegram groups.
Date: 2026-04-23T17:35:49Z
Network: openweb
Published URL: https://crackingx.com/threads/73023/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Yahoo, Microsoft Outlook
Victim Site: yahoo.com, outlook.com
Alleged leak of corporate SMTP credentials combolist targeting business users
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 192,342 credential pairs on a cracking forum. The list is described as suitable for SMTP spam operations targeting corporate business accounts. The file is hosted on Mega.nz and distributed freely without any indicated price.
Date: 2026-04-23T17:35:26Z
Network: openweb
Published URL: https://crackingx.com/threads/73025/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 6 million social-targeted email combolists (COM/FR/ES)
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist of approximately 6 million email credentials targeting social media users across COM, FR, and ES domains. The combolist is being made available via Telegram channels and groups. The actor promotes free combo and program distribution through dedicated Telegram groups.
Date: 2026-04-23T17:35:09Z
Network: openweb
Published URL: https://crackingx.com/threads/73027/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Distribution of Gr3eNoX Exploit Scanner V4.2 with Exploit Database Integration
Category: Initial Access
Content: A threat actor using the handle CINCH19922 shared a download link for Gr3eNoX Exploit Scanner V4.2, a web vulnerability scanning tool with integrated exploit database capabilities, on the AE – Leaked Databases forum. The tool is advertised as capable of detecting outdated software, misconfigurations, and known vulnerabilities across web applications and servers, supporting automated and multi-target scanning. The post also promotes a Telegram contact for additional premium offensive tools.
Date: 2026-04-23T17:32:52Z
Network: openweb
Published URL: https://altenens.is/threads/gr3enox-exploit-scanner-v4-2-exploit-database-integration.2928748/unread
Screenshots:
None
Threat Actors: CINCH19922
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist with 119,000 records
Category: Logs
Content: A threat actor known as UniqueCombo has shared a mixed combolist containing approximately 119,000 unique credential pairs on a cybercrime forum focused on mail access and combolists. The list appears to be a compilation of email and password combinations from various sources. No specific victim organization or country has been identified.
Date: 2026-04-23T17:30:15Z
Network: openweb
Published URL: https://xforums.st/threads/mix-unique-combo_5_119000.609373/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 482 million URL:login:password credential lines
Category: Data Leak
Content: A threat actor operating under the alias ebankastore has made available a large combolist containing approximately 482.794 million lines in URL:login:password format, totaling approximately 27GB in size. The dataset appears to be an aggregated credential list compiled from multiple sources, likely harvested via info-stealer malware or credential stuffing operations. The content is being shared via an external link on leaky.info and does not appear to target a single organization or country.
Date: 2026-04-23T17:25:34Z
Network: openweb
Published URL: https://breached.st/threads/url-log-pass-482-794-044-million-lines-27gb.86218/unread
Screenshots:
None
Threat Actors: ebankastore
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Carding Post on AE Forum
Category: Carding
Content: A forum post titled Hello world was made by user bouaicha80 in the Carding – BINs & Other section of the AE forum. The post contains only the Arabic phrase مرحبا بالعالم (meaning Hello World) with no additional threat-relevant content or data disclosed. No specific victim, data type, or carding material could be identified from the post.
Date: 2026-04-23T17:15:40Z
Network: openweb
Published URL: https://altenens.is/threads/hello-world.2928607/unread
Screenshots:
None
Threat Actors: bouaicha80
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Carding Post Sharing Working BIN for HBO Max
Category: Carding
Content: A threat actor on the carding forum Altenens shared an alleged working Bank Identification Number (BIN) for obtaining free or fraudulent access to HBO Max subscriptions. The post is gated behind a reply requirement, concealing the actual BIN details. This activity is consistent with carding operations targeting streaming service subscriptions using stolen or synthetic payment card data.
Date: 2026-04-23T17:15:13Z
Network: openweb
Published URL: https://altenens.is/threads/hbo-max-working-bin.2928632/unread
Screenshots:
None
Threat Actors: L0calh0st
Victim Country: Unknown
Victim Industry: Media & Entertainment
Victim Organization: HBO Max
Victim Site: hbomax.com
Alleged sharing of darknet forum and resource links for 2026
Category: Data Leak
Content: A threat actor on AE forums shared a curated list of darknet and clearnet forum links purportedly active in 2026, including onion sites, resource directories, and social network platforms. The list includes both surface web forums and Tor-based resources such as Dread, link directories, and resource browsers. No specific data breach, victim organization, or sensitive data type is associated with this post.
Date: 2026-04-23T17:13:43Z
Network: openweb
Published URL: https://altenens.is/threads/darknet-forums-2026.2928731/unread
Screenshots:
None
Threat Actors: toomuuch
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor known as alphacloud has made available a combolist of 1,380 alleged Hotmail credentials described as premium hits on a cybercrime forum. The post labels the content as valid and sourced from a private cloud, with mixed email formats. The actor is contactable via Telegram handle alphaaxd, and access to the hidden content requires forum engagement.
Date: 2026-04-23T17:12:24Z
Network: openweb
Published URL: https://altenens.is/threads/snowflakesnowflake-1380x-premium-hotmail-hits-snowflakesnowflake.2928726/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of mixed email credentials including Hotmail accounts
Category: Data Leak
Content: A threat actor operating under the alias alphacloud has made available a combolist containing 3,788 alleged premium mixed email credential hits, including validated Hotmail accounts. The post is shared via the AE combo list forum and references a Telegram contact alphaaxd for further access. The content is gated behind a reply requirement, suggesting community engagement or distribution control.
Date: 2026-04-23T17:11:52Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagehigh-voltage-3788x-premium-mix-mail-hitshigh-voltagehigh-voltage.2928727/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: hotmail.com
Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor using the alias Angiecrax has shared a combolist containing approximately 10,000 Hotmail credentials on the AE forum. The post advertises the list as fresh and UHQ (ultra-high quality), suggesting recently validated email and password combinations. The content is gated behind a reply requirement, a common forum tactic to boost engagement before granting access.
Date: 2026-04-23T17:11:08Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagehigh-voltage-10k-fresh-uhq-hotmail-combohigh-voltagehigh-voltage.2928730/unread
Screenshots:
None
Threat Actors: Angiecrax
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Cox.net targeted combolist with 139,000 credentials
Category: Data Leak
Content: A threat actor operating under the alias carlos080 has made available a targeted combolist of approximately 139,000 Cox.net email credentials on the AE forum. The post offers a free download of email:password pairs and also advertises the sale of high-quality combolists for multiple email providers and countries via Telegram handle @KOCsupport.
Date: 2026-04-23T17:10:44Z
Network: openweb
Published URL: https://altenens.is/threads/139k-cox-net-targeted-combolist.2928732/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: United States
Victim Industry: Telecommunications
Victim Organization: Cox Communications
Victim Site: cox.net
Alleged leak of 39,000 email account credentials (Mail Access Combolist)
Category: Logs
Content: A threat actor operating under the alias Cir4Dk has made available a combolist containing approximately 39,000 alleged valid email account credentials on an underground forum. The post is categorized as UHQ (Ultra High Quality), suggesting the credentials have been verified as active. No specific target organization or country has been identified.
Date: 2026-04-23T17:08:46Z
Network: openweb
Published URL: https://xforums.st/threads/39k-uhq-mail-access-valids.609369/
Screenshots:
None
Threat Actors: Cir4Dk
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of Arkansas State Crime Lab Personnel and Court Records
Category: Data Leak
Content: A threat actor operating under the alias kittykatkrew claims to have compromised the Arkansas State Crime Lab via its web portal (lasso.crimelab.arkansas.gov) and has publicly leaked exfiltrated data. The leaked data allegedly includes a complete court calendar with case details, defendant information, analyst assignments, and contact information, as well as a full personnel directory containing names, emails, phone numbers, job titles, agency affiliations, and account statuses. Sample records
Date: 2026-04-23T17:02:51Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-Arkansas-State-Crime-Lab
Screenshots:
None
Threat Actors: kittykatkrew
Victim Country: United States
Victim Industry: Government / Law Enforcement
Victim Organization: Arkansas State Crime Lab
Victim Site: crimelab.arkansas.gov
Alleged leak of Vidar Stealer logs containing credentials and autofill data from Sweden
Category: Logs
Content: A threat actor known as BigTuna has made available approximately 2,500 stealer logs collected via Vidar Stealer, sourced from victims in Sweden running Windows 10 Home (22H2) using Microsoft Edge 120.x. The logs include harvested credentials and autofill data. A free sample was shared via a Tor-hosted link, attributed to SiberianShelves, with full content gated behind account replies or upgrades.
Date: 2026-04-23T16:59:22Z
Network: openweb
Published URL: https://darkforums.su/Thread-ULP-Vidar-Stealer-2500-logs
Screenshots:
None
Threat Actors: BigTuna
Victim Country: Sweden
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of initial access to Canadian logistics/shipping company via ASPX webshell
Category: Initial Access
Content: A threat actor identified as BigTuna is selling webshell (ASPX) access to an unnamed Canadian logistics and shipping company with an estimated revenue of $250M–$500M and a network of approximately 1,000 hosts. The access is advertised with Server Admin privileges on a system running Kaspersky Endpoint security. The listing was posted on a dark web access market forum.
Date: 2026-04-23T16:58:14Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Canada-Logistics-Shipping-sector-Webshell-ASPX
Screenshots:
None
Threat Actors: BigTuna
Victim Country: Canada
Victim Industry: Logistics / Shipping
Victim Organization: Unknown
Victim Site: Unknown
Alleged Sale of Initial Access to Japanese Aerospace/Defense Organization via RDWeb
Category: Initial Access
Content: A threat actor known as BigTuna is selling RDWeb access to an unnamed Japanese aerospace and defense organization with an estimated revenue of $250M–$500M. The access carries Database Administrator (SA) privileges on a network of approximately 50 hosts, with only Windows Defender as endpoint protection. The seller claims the access was verified within the last 48 hours.
Date: 2026-04-23T16:57:41Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-RDWeb-Aerospace-Defense-Japan-250M-500M-revenue
Screenshots:
None
Threat Actors: BigTuna
Victim Country: Japan
Victim Industry: Aerospace / Defense
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of VNIIFTRI: Russian Classified Defense and Scientific Data Offered for Sale
Category: Data Breach
Content: A threat actor known as Rhodes is selling approximately 110GB of allegedly stolen data from VNIIFTRI, Russia's top precision measurement and defense metrology institute. The dataset reportedly includes classified documents related to GLONASS navigation systems, quantum programs (gravimeters, magnetometers, atomic clocks), military contracts and communications, shell company financial records, and employee personal data including passports and IDs. The data is being offered exclusively for $100
Date: 2026-04-23T16:56:47Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Russian-classified-quantum-GLONASS-metrology-submarine-programs-110GB
Screenshots:
None
Threat Actors: Rhodes
Victim Country: Russia
Victim Industry: Defense & Scientific Research
Victim Organization: All-Russian Scientific Research Institute for Physical-Engineering and Radiotechnical Metrology (VNIIFTRI)
Victim Site: vniiftri.ru
Alleged Data Breach of Haamor.com Thai Medical Education Platform
Category: Data Breach
Content: A threat actor known as DarkMafiaX is selling a 350MB SQL database dump allegedly sourced from haamor.com, a Thai health education website. The exposed data includes user records containing usernames, full names in Thai script, email addresses, and hashed passwords using SHA1 and PBKDF2 algorithms. The dataset appears to contain registered user account information dating back to at least 2011-2012.
Date: 2026-04-23T16:56:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-350-MB-Of-Medical-And-Hospital-Information-For-Haamor-com-Thailand
Screenshots:
None
Threat Actors: DarkMafiaX
Victim Country: Thailand
Victim Industry: Healthcare / Medical Education
Victim Organization: Haamor
Victim Site: haamor.com

Alleged sale of French personal records database (258,000 records)
Category: Data Breach
Content: A threat actor operating under the alias maniac666 is selling a database purportedly containing 258,000 records of French individuals for $100. The dataset includes personally identifiable information such as full name, email, physical address, phone number, gender, and date of birth. The actor is directing interested buyers to contact them via Telegram handles @maniacc666 and @maniacsvault.
Date: 2026-04-23T16:55:09Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-France-258k
Screenshots:
None
Threat Actors: maniac666
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach of BulkApparel USA (bulkapparel.com)
Category: Data Breach
Content: A threat actor operating under the alias ijpys is selling an alleged database dump from BulkApparel, a US-based wholesale blank apparel retailer. The dataset purportedly contains 298,480 records including full names, email addresses, and phone numbers of customers. The seller is offering the data for $300 and can be contacted via Telegram at @ijpys.
Date: 2026-04-23T16:54:34Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-bulkapparel-com-BulkApparel-USA
Screenshots:
None
Threat Actors: ijpys
Victim Country: United States
Victim Industry: Retail & Wholesale Apparel
Victim Organization: BulkApparel
Victim Site: bulkapparel.com

Alleged Sale of WordPress Shell Access for Ransomware Deployment
Category: Initial Access
Content: A threat actor operating under the alias antelope is offering shell access to multiple compromised WordPress sites for sale on a dark web forum. The actor explicitly states the access is suitable for ransomware deployment. Interested buyers are directed to contact the seller via the handle @propanolcipher.
Date: 2026-04-23T16:53:59Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Shell-Access
Screenshots:
None
Threat Actors: antelope
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data leak of Claro El Salvador with 500GB of sensitive corporate data
Category: Data Leak
Content: A threat actor identified as MDGhost666 claims to have breached Claro El Salvador, the country's largest telecommunications provider, and exfiltrated over 500GB of sensitive data. The leaked data allegedly includes PDF, DOC, XLSX, and DOCX files containing contracts, user data, and internal company information. The actor has made a sample available for download, framing the operation as part of a politically motivated campaign targeting countries with ties to the United States and Israel.
Date: 2026-04-23T16:53:07Z
Network: openweb
Published URL: https://darkforums.su/Thread-Claro-company-500GB
Screenshots:
None
Threat Actors: MDGhost666
Victim Country: El Salvador
Victim Industry: Telecommunications
Victim Organization: Claro El Salvador
Victim Site: Unknown

Alleged Data Leak of Indonesian Government Legal Documentation Website jdih.halbar.go.id
Category: Data Leak
Content: A threat actor operating under the alias RuiixH4xor_ has shared an alleged database dump from jdih.halbar.go.id, the legal documentation website of the Halmahera Barat regional government in Indonesia. The data has been made available for free download on DarkForums and includes files in ZIP format containing CSV, SQLite, and binary file types. The origin and full contents of the database have not been independently verified.
Date: 2026-04-23T16:52:12Z
Network: openweb
Published URL: https://darkforums.su/Thread-Database–74332
Screenshots:
None
Threat Actors: RuiixH4xor_
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: JDIH Halmahera Barat (Halbar Regional Government Legal Documentation Network)
Victim Site: jdih.halbar.go.id

Alleged Data Leak of jdih.halbar.go.id Indonesian Government Database
Category: Data Leak
Content: A threat actor known as RuiixH4xor_ claims to have leaked a database from jdih.halbar.go.id, an Indonesian government legal information portal associated with Halmahera Barat. The data has been made available as a free download in ZIP format containing CSV and BIN files. The post was shared on the dark web forum DarkForums.
Date: 2026-04-23T16:51:39Z
Network: openweb
Published URL: https://darkforums.su/Thread-Ruiixh4x0r
Screenshots:
None
Threat Actors: RuiixH4xor_
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: JDIH Halbar (Halmahera Barat Regional Legal Documentation and Information Network)
Victim Site: jdih.halbar.go.id

Alleged data leak of Citibanamex customer records by threat actor Jansz
Category: Data Leak
Content: A threat actor operating under the alias Jansz and associated with GERSONFDP has freely distributed an alleged database dump containing sensitive personal and financial data belonging to Citibanamex customers in Mexico. The leaked data reportedly includes full names, blood types, ages, phone numbers, family member information, email addresses, geographic location details, payment records, and salary information. The actor cited inaction by Mexican government authorities, including the SEP (S
Date: 2026-04-23T16:51:04Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-DATA-LEAK-CITIBANAMEX
Screenshots:
None
Threat Actors: Jansz
Victim Country: Mexico
Victim Industry: Banking & Financial Services
Victim Organization: Citibanamex
Victim Site: citibanamex.com

Alleged Data Breach of LNM6 National Laboratory Mohammed VI with Patient Medical Data for Sale
Category: Data Breach
Content: A threat actor operating under the alias anisanas2 claims to have exfiltrated approximately 100 GB of data from LNM6, a national medical analysis laboratory in Morocco backed by the Mohammed VI Foundation for Health and Sciences. The stolen data allegedly includes patient scan results, with three sample zipped files shared freely and the remainder being offered for sale. The actor can be contacted via a Telegram channel (@pka291back) and a designated sales bot (@pka291contact_off_bot).
Date: 2026-04-23T16:50:30Z
Network: openweb
Published URL: https://darkforums.su/Thread-LNM6-National-Laboratory-MOHAMMED-VI-DATA-FILES
Screenshots:
None
Threat Actors: anisanas2
Victim Country: Morocco
Victim Industry: Healthcare
Victim Organization: Laboratoire National Mohammed VI d'Analyses Médicales (LNM6)
Victim Site: Unknown

Alleged Data Breach of 8891.com.tw Taiwanese Automotive Platform
Category: Data Breach
Content: A threat actor operating under the alias ijpys has allegedly made available a database dump from 8891.com.tw, Taiwan's largest automotive marketplace platform. The data appears to be shared via a hidden download link on a dark web forum, requiring users to reply or upgrade their account to access the content. The actor also maintains a Telegram channel (t.me/ijpyss), likely used to distribute stolen data or communicate with interested parties.
Date: 2026-04-23T16:49:56Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-8891-com-tw-Taiwan
Screenshots:
None
Threat Actors: ijpys
Victim Country: Taiwan
Victim Industry: Automotive
Victim Organization: 8891
Victim Site: 8891.com.tw

Alleged Data Breach of Chinese Casino/Gambling Website fe36q.shqrhh.vip
Category: Data Breach
Content: A threat actor known as alwaysdata is selling a database allegedly obtained from a Chinese online casino and gambling website operating at fe36q.shqrhh.vip. The database reportedly contains 183,000 unique registered user records. The seller is withholding specific data details and requiring private communication via Telegram handle @Caosho to prevent information disclosure prior to sale.
Date: 2026-04-23T16:49:20Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-fe36q-shqrhh-vip-CHINA-CHINESE-CASINI-GAMBLING-WEBSITE-DATABASE-PREMIUM
Screenshots:
None
Threat Actors: alwaysdata
Victim Country: China
Victim Industry: Gambling
Victim Organization: Unknown
Victim Site: fe36q.shqrhh.vip

Alleged Data Leak of La Mie Câline Biscarrosse with Admin Panel Access
Category: Data Leak
Content: A threat actor operating under the alias SherKhan, affiliated with PoudlardSec, WumpusSec, GoonMarket, and others, has publicly leaked a database dump and admin panel credentials belonging to La Mie Câline Biscarrosse, a French bakery chain location. The leaked data includes cash register records, invoices, quotes, and personal customer information such as names, addresses, phone numbers, and emails, along with admin login credentials. The data was made available as a free download via an exte
Date: 2026-04-23T16:48:47Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-FR-La-Mie-C%C3%A2line-Biscarrosse-Acces-Admin
Screenshots:
None
Threat Actors: SherKhan
Victim Country: France
Victim Industry: Food & Beverage / Bakery
Victim Organization: La Mie Câline Biscarrosse
Victim Site: lamiecaline.com

Alleged cyber attack on Turkcell Internet infrastructure by Armenian code group
Category: Cyber Attack
Content: A threat actor claiming to represent the Armenian code group states that it hacked the navigation screen of the Turkcell Internet touch network and caused a complete system power disconnection. The post indicates this is part of an ongoing campaign against Turkish targets.
Date: 2026-04-23T16:48:41Z
Network: telegram
Published URL: https://t.me/c/3628793212/156
Screenshots:
None
Threat Actors: Armenian code
Victim Country: Turkey
Victim Industry: Telecommunications
Victim Organization: Turkcell
Victim Site: turkcell.com.tr

Alleged sale of Chinese passport data
Category: Carding
Content: A threat actor operating under the alias Mipor is offering a collection of over 1,000 alleged valid Chinese passport records for sale on a dark web forum. The actor is conducting transactions exclusively via the Session encrypted messaging application, refusing contact through Telegram or Tox. Samples are reportedly available upon request through Session.
Date: 2026-04-23T16:48:12Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-CHINESE-PASSPORT-1K-PLUS
Screenshots:
None
Threat Actors: Mipor
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged compromise of Turk Telekom management system affecting five divisions
Category: Cyber Attack
Content: Threat actor claims to have compromised the operator/management system controlling five independent divisions of Turk Telekom, Turkey's largest telecommunications company. Actor claims operational access and ability to manipulate system controls.
Date: 2026-04-23T16:47:43Z
Network: telegram
Published URL: https://t.me/c/3628793212/155
Screenshots:
None
Threat Actors: Armenian code
Victim Country: Turkey
Victim Industry: Telecommunications
Victim Organization: Turk Telekom
Victim Site: turktelecom.com.tr

Alleged Data Leak of French Government ANTS Platform by Threat Actor breach3d
Category: Data Leak
Content: Threat actor breach3d claims to have obtained 600 million lines of data from the French government's ANTS (Agence Nationale des Titres Sécurisés) platform, which handles secure identity documents including driver's licenses and passports. The leaked data allegedly includes plaintext passwords, API keys, encryption keys, source code, metadata, database contents, and links to identity documents (ID cards and passports) in XML format. The actor states the data is being made available freely, citi
Date: 2026-04-23T16:47:37Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-FR-ANTS-Part-2
Screenshots:
None
Threat Actors: breach3d
Victim Country: France
Victim Industry: Government
Victim Organization: Agence Nationale des Titres Sécurisés (ANTS)
Victim Site: ants.gouv.fr

Alleged Data Leak of Iraq Citizenship & Foreigners Database from Agency of Intelligence & Federal Investigation
Category: Data Leak
Content: A threat actor operating under the alias xorcat has leaked an alleged SQL database purportedly obtained from Iraq's Agency of Intelligence & Federal Investigation, dated August 2022. The database contains approximately 22.3 million records including full names, family details, physical addresses, national IDs, salary information, employment records, and case data for Iraqi citizens and foreigners. The data has been made available for free download via a Telegram channel, contingent on forum ac
Date: 2026-04-23T16:47:01Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-IRAQ-LEAKED-22-356-634-RECORDS-%E2%80%93-NATIONAL-ID-SALARY-FAMILY
Screenshots:
None
Threat Actors: xorcat
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Agency of Intelligence & Federal Investigation
Victim Site: Unknown

Alleged Data Leak of Iraq Citizenship and Foreigners Database from Agency of Intelligence and Federal Investigation
Category: Data Leak
Content: A threat actor known as xorcat has made available an alleged SQL database dump purportedly obtained from Iraq's Agency of Intelligence and Federal Investigation, dated August 2022. The leak contains approximately 22.3 million records including full names, family details, physical addresses, national IDs, salaries, spouse information, employment data, and case records. The database is being distributed via a Telegram channel with download access gated behind forum engagement or account upgrades
Date: 2026-04-23T16:44:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-IRAQ-LEAKED-22-356-634-RECORDS-%E2%80%93-NATIONAL-ID-SALARY-FAMILY
Screenshots:
None
Threat Actors: xorcat
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Agency of Intelligence & Federal Investigation
Victim Site: Unknown

Alleged Data Leak of Iraq Citizenship and Foreigners Database from Agency of Intelligence & Federal Investigation
Category: Data Leak
Content: A threat actor known as xorcat has made available an alleged SQL database dump purportedly obtained from Iraq's Agency of Intelligence & Federal Investigation, dated August 2022. The dataset contains approximately 22.3 million records exposing sensitive personal information including full names, family details, physical addresses, national IDs, salary information, employment data, and case records. The data is being distributed freely via Telegram, requiring only a forum reply or account upgra
Date: 2026-04-23T16:41:25Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-IRAQ-LEAKED-22-356-634-RECORDS-%E2%80%93-NATIONAL-ID-SALARY-FAMILY
Screenshots:
None
Threat Actors: xorcat
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Agency of Intelligence & Federal Investigation
Victim Site: Unknown

Alleged Data Leak of French Government ANTS Platform by Threat Actor breach3d
Category: Data Leak
Content: Threat actor breach3d claims to have obtained 600 million lines of data from the French government's ANTS (Agence Nationale des Titres Sécurisés) platform, which manages secure identity documents including driver's licenses and passports. The leaked data reportedly includes logs, plaintext passwords, API keys, encryption keys, source code, metadata, database contents, and links to identity documents in XML format. The actor states the data is not for sale and is motivated by political pressure
Date: 2026-04-23T16:37:12Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-FR-ANTS-Part-2
Screenshots:
None
Threat Actors: breach3d
Victim Country: France
Victim Industry: Government
Victim Organization: Agence Nationale des Titres Sécurisés (ANTS)
Victim Site: ants.gouv.fr

Alleged Data Leak of Iraq Citizenship and Foreigners Database from Agency of Intelligence and Federal Investigation
Category: Data Leak
Content: A threat actor operating under the alias xorcat has made available an alleged SQL database dump attributed to Iraq's Agency of Intelligence and Federal Investigation, dated August 2022. The leak reportedly contains over 22 million records including full names, family details, physical addresses, national IDs, salaries, employment information, and case records for Iraqi citizens and foreigners. The data is being distributed via a Telegram channel and the actor's personal website.
Date: 2026-04-23T16:34:47Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-IRAQ-LEAKED-22-356-634-RECORDS-%E2%80%93-NATIONAL-ID-SALARY-FAMILY
Screenshots:
None
Threat Actors: xorcat
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Agency of Intelligence & Federal Investigation
Victim Site: Unknown

Alleged sale of fresh database credentials and webmail access across multiple countries
Category: Combo List
Content: Threat actor mu is offering fresh database credentials and valid webmail access across multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT) with inbox access. Specifically targeting e-commerce and service platforms including eBay, Offerup, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and Neosurf. Seller claims to own a private cloud with ntlworld valid webmails and requests DMs for specific keyword searches.
Date: 2026-04-23T16:30:01Z
Network: telegram
Published URL: https://t.me/c/2613583520/68257
Screenshots:
None
Threat Actors: mu
Victim Country: Unknown
Victim Industry: E-commerce, Financial Services, Gaming, Travel
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Iraq Citizenship & Foreigners Database from Agency of Intelligence & Federal Investigation
Category: Data Breach
Content: A SQL database containing 22,356,634 records from Iraq's Agency of Intelligence & Federal Investigation (dated August 2022) has been leaked. The database includes citizenship and foreigner records and was shared in the xorcat~files channel.
Date: 2026-04-23T16:18:05Z
Network: telegram
Published URL: https://t.me/c/3793980891/3065
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Iraq
Victim Industry: Government/Intelligence
Victim Organization: Agency of Intelligence & Federal Investigation
Victim Site: Unknown

Website Defacement of Akoma Online Architecture Platform by MR.N43TXPLOIT of BekasiRootSec
Category: Defacement
Content: On April 23, 2026, threat actor MR.N43TXPLOIT operating under the group BekasiRootSec defaced the website hosted at architect.akoma.online, a platform associated with architectural services. The attack targeted a Linux-based web server and was recorded as a singular, non-mass defacement. A mirror of the defaced page was archived at haxor.id.
Date: 2026-04-23T16:15:05Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248648
Screenshots:
None
Threat Actors: MR.N43TXPLOIT, BekasiRootSec
Victim Country: Unknown
Victim Industry: Architecture / Professional Services
Victim Organization: Akoma Online
Victim Site: architect.akoma.online

Mass Website Defacement by MR.N43TXPLOIT of BekasiRootSec targeting backanartist.akoma.online
Category: Defacement
Content: On April 23, 2026, threat actor MR.N43TXPLOIT operating under the group BekasiRootSec conducted a mass defacement campaign targeting backanartist.akoma.online, a platform associated with artist support or promotion. The attack targeted a Linux-based web server and was confirmed as part of a broader mass defacement operation. A mirror of the defaced page was archived at haxor.id.
Date: 2026-04-23T16:12:44Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248649
Screenshots:
None
Threat Actors: MR.N43TXPLOIT, BekasiRootSec
Victim Country: Unknown
Victim Industry: Arts and Entertainment
Victim Organization: Back An Artist
Victim Site: backanartist.akoma.online

Mass defacement of backnart.akoma.online by MR.N43TXPLOIT of BekasiRootSec
Category: Defacement
Content: On April 23, 2026, the threat actor MR.N43TXPLOIT, operating under the Indonesian hacker group BekasiRootSec, conducted a mass defacement campaign targeting backnart.akoma.online, a Linux-based web server. The attack was part of a broader mass defacement operation, with a mirror of the defaced page archived at haxor.id. No specific motive or vulnerability details were disclosed.
Date: 2026-04-23T16:10:55Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248650
Screenshots:
None
Threat Actors: MR.N43TXPLOIT, BekasiRootSec
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: backnart.akoma.online

Alleged leak of mixed email and password combolist
Category: Combo List
Content: A threat actor operating under the alias stormtrooper has shared a mixed combolist containing 61,060 email and password credential pairs on DemonForums. The content is gated behind registration or login, and the actor promotes an associated Telegram channel (@BossBrowz) for further distribution. No specific victim organization or targeted service has been identified, suggesting the list is an aggregation from multiple sources.
Date: 2026-04-23T16:01:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-61-060-Lines-Fresh-Mix-Combolist
Screenshots:
None
Threat Actors: stormtrooper
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed combolist with 61,060 credential lines
Category: Combo List
Content: A threat actor operating under the alias Browzchel has shared a mixed combolist containing 61,060 lines of credentials on the CrackingX forum. The combolist is described as fresh and is being made available for free to registered users. The actor also promotes a Telegram channel (@BossBrowz) likely used for further distribution of similar content.
Date: 2026-04-23T16:01:33Z
Network: openweb
Published URL: https://crackingx.com/threads/73009/
Screenshots:
None
Threat Actors: Browzchel
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Leak of Pertamina Indonesia Employee Database
Category: Data Leak
Content: A threat actor using the handle Xyph0rix has publicly shared what appears to be a structured database dump belonging to Pertamina, Indonesia's state-owned oil and gas company. The leaked data includes sensitive personal information of members and employees such as full names, home addresses, phone numbers, dates of birth, employment history, job titles, and family member details including spouse names. The data appears to cover retired and active personnel across multiple Pertamina subsidiarie
Date: 2026-04-23T15:56:23Z
Network: openweb
Published URL: https://breached.st/threads/database-pertamina-indonesia.86217/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Oil & Gas / Energy
Victim Organization: Pertamina
Victim Site: pertamina.com

Alleged leak of streaming service combolist with 11 million credentials
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist containing approximately 11 million credential pairs purportedly associated with streaming services. The list is being made available for free via Telegram channels and groups managed by the actor. No specific victim organization or platform has been identified from the available post content.
Date: 2026-04-23T15:32:40Z
Network: openweb
Published URL: https://crackingx.com/threads/73005/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Streaming / Entertainment
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of multinational combolist spanning multiple countries
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist of approximately 9 million credential pairs covering multiple countries including Afghanistan, Albania, Algeria, Angola, and others. The combolist is being made available for free via Telegram channels and groups operated by the actor. The actor also promotes additional free combo and tool resources through their Telegram presence.
Date: 2026-04-23T15:31:46Z
Network: openweb
Published URL: https://crackingx.com/threads/73008/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed Hotmail and email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Roronoa044 has made available a combolist containing 1,452 alleged valid email:password credentials described as a UHQ MIX, including Hotmail accounts and private cloud credentials. The content is hidden behind a registration or login requirement on the forum. The actor also references a Telegram contact (@noiraccesss) for further communication.
Date: 2026-04-23T15:31:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1452-Valid-UHQ-MIX-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of RDP access and compromised email accounts
Category: Initial Access
Content: Threat actor offering rental of RDP access to cloud infrastructure providers (Azure, AWS, DigitalOcean) at $200, along with compromised domain email accounts, Gmail, Yahoo accounts, and GitHub student accounts. Service advertised as available for daily/monthly rental with escrow payment option.
Date: 2026-04-23T15:19:53Z
Network: telegram
Published URL: https://t.me/c/2613583520/68230
Screenshots:
None
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed credential combolist with 119,000 unique entries
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 119,000 unique credential entries on the cracking forum CrackingX. The post is gated behind registration or sign-in, limiting full visibility into the content. No specific victim organization, industry, or country of origin has been identified.
Date: 2026-04-23T15:01:12Z
Network: openweb
Published URL: https://crackingx.com/threads/73001/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Yahoo and Shopping-related credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 1.27 million email:password credential pairs on the cracking forum CrackingX. The list is described as targeting shopping platforms and Yahoo accounts. The combolist is distributed freely via a Mega.nz file-sharing link.
Date: 2026-04-23T15:00:43Z
Network: openweb
Published URL: https://crackingx.com/threads/73002/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: E-Commerce / Technology
Victim Organization: Yahoo
Victim Site: yahoo.com

Alleged leak of email and password combolists targeting multiple Asia-Pacific countries
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an 8 million record email and password combolist, reportedly containing credentials associated with users from South Korea, North Korea, Vietnam, Thailand, Indonesia, Australia, and New Zealand. The combolist is being distributed freely via Telegram channels and groups managed by the actor. The actor also promotes additional free combolists and tools through associated Telegram channels.
Date: 2026-04-23T15:00:04Z
Network: openweb
Published URL: https://crackingx.com/threads/73004/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HollowKnight has shared a sample combolist of 730 Hotmail email and password combinations on the DemonForums cybercrime forum. The content is gated behind registration or login, suggesting it is being made available to forum members as a free sample. This post likely serves as a teaser for a larger credential list.
Date: 2026-04-23T14:59:39Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-730x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: HollowKnight
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged data leak of Badan Gizi Nasional (BGN) by MrAnomali
Category: Data Leak
Content: MrAnomali claims to have leaked data from Badan Gizi Nasional (BGN), an Indonesian national nutrition body. Details shared via provided link.
Date: 2026-04-23T14:40:51Z
Network: telegram
Published URL: https://t.me/c/3865526389/553
Screenshots:
None
Threat Actors: MrAnomali
Victim Country: Indonesia
Victim Industry: Government/Health
Victim Organization: Badan Gizi Nasional (BGN)
Victim Site: Unknown

Alleged Data Leak of viewbot.ai Order and Streamer Data
Category: Data Leak
Content: A threat actor operating under the handle heyocean claims to have accessed viewbot.ai, a view-botting service allegedly used by streamers to artificially inflate viewer counts. The actor has leaked order data from the platform, purportedly exposing the identities of streamers who purchased fake views, including one who was publicly identified after accidentally revealing the site during a live stream. The leaked data has been made available on the AE forum along with an external link containin
Date: 2026-04-23T14:37:22Z
Network: openweb
Published URL: https://altenens.is/threads/viewbot-ai-order-data-leaks-streamer-view-botting-data-leaks.2928718/unread
Screenshots:
None
Threat Actors: heyocean
Victim Country: Unknown
Victim Industry: Online Services / Streaming Fraud
Victim Organization: viewbot.ai
Victim Site: viewbot.ai

Alleged Distribution of HQ Dorks Generator Tool by CRYP70 on Cracking Forum
Category: Initial Access
Content: A threat actor operating under the alias Starip has shared a tool called HQ Dorks Generator by CRYP70 on a cracking forum. The tool is designed to automate the generation of structured search dorks using keyword combinations, INURL filters, and predefined templates, facilitating bulk query generation for search scraping and reconnaissance workflows. The tool is made available as a free download behind a registration wall, with antivirus evasion guidance explicitly provided in the post.
Date: 2026-04-23T14:30:30Z
Network: openweb
Published URL: https://demonforums.net/Thread-HQ-Dorks-Generator-by-CRYP70–201458
Screenshots:
None
Threat Actors: Starip
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed access combolist with 7,000 credentials
Category: Combo List
Content: A threat actor operating under the alias COYTO has made available a mixed access combolist containing approximately 7,000 email and password combinations via a public paste site. The post was shared on DemonForums in the combolists section and offered as a free download. No specific victim organization, industry, or country has been identified.
Date: 2026-04-23T14:30:15Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-7K-MIXED-ACCESS
Screenshots:
None
Threat Actors: COYTO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of multi-country credential combolist (4 million records)
Category: Combo List
Content: A threat actor known as CODER is distributing a combolist allegedly containing 4 million credential pairs spanning multiple countries including Italy, Spain, Portugal, Netherlands, Poland, Turkey, Egypt, South Africa, Nigeria, Kenya, and Japan. The combolist is being made available for free via Telegram channels and groups operated by the actor. Users are directed to contact the actor via Telegram handle CODER5544 or join the associated Telegram groups for access.
Date: 2026-04-23T14:29:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72998/
Screenshots:
None
Threat Actors: CODER
Victim Country: Multiple
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of WordPress credentials or data via Telegram
Category: Combo List
Content: A threat actor operating under the alias zod has shared what is described as WordPress-related content on the CrackingX forum. The post requires registration to view and directs users to a Telegram channel (t.me/zoooddddd) for the password, suggesting the material may contain WordPress credentials or combolists. No specific victim organization, country, or record count has been identified.
Date: 2026-04-23T14:29:19Z
Network: openweb
Published URL: https://crackingx.com/threads/72999/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of HQ mixed credential combolist
Category: Combo List
Content: A threat actor operating under the alias @Steveee36 has shared a combolist described as X1515 HQ Mix on the cracking forum CrackingX. The post offers a free download of what appears to be a high-quality mixed credential list. The specific sources, record count, and targeted organizations associated with this combolist are unknown.
Date: 2026-04-23T14:29:04Z
Network: openweb
Published URL: https://crackingx.com/threads/73000/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged website defacement of elindispensable.opennemas.com by Mr.XycanKing
Category: Defacement
Content: Threat actor Mr.XycanKing claims to have defaced elindispensable.opennemas.com, providing a URL to the defaced page as proof.
Date: 2026-04-23T14:27:03Z
Network: telegram
Published URL: https://t.me/c/3865526389/550
Screenshots:
None
Threat Actors: Mr.XycanKing
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: elindispensable
Victim Site: elindispensable.opennemas.com

Alleged cyber attack threats by TheGarudaEye against multiple countries and Israel infrastructure
Category: Cyber Attack
Content: The threat actor TheGarudaEye publicly announced its intention to target the infrastructure of countries listed in the Board of Peace, specifically naming Israel as the current target. The group claims previous attacks on Indonesia and demands that other countries withdraw from the Board of Peace or face cyber attacks. The threat is framed as politically/religiously motivated.
Date: 2026-04-23T14:26:56Z
Network: telegram
Published URL: https://t.me/JohnWickXploit/90
Screenshots:
None
Threat Actors: TheGarudaEye
Victim Country: Israel
Victim Industry: Critical Infrastructure
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of PlanilhasVBA by Threat Actor Zod
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias Zod defaced a page on planilhasvba.com.br, a Brazilian website focused on VBA spreadsheet resources. The attack targeted a specific subpage (zod.html) on a Linux-hosted server and was not classified as a mass or home page defacement. The incident was archived via the Haxor.id mirror service.
Date: 2026-04-23T14:13:58Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248645
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Brazil
Victim Industry: Technology / Software
Victim Organization: PlanilhasVBA
Victim Site: planilhasvba.com.br

Mass Defacement of Brazilian E-commerce Site by Threat Actor Zod
Category: Defacement
Content: Threat actor Zod conducted a mass defacement campaign targeting loja.planilhasvba.com.br, a Brazilian e-commerce platform associated with VBA spreadsheet products. The defacement was carried out on a Linux-based server and is classified as part of a mass defacement operation rather than a targeted single-site attack. A mirror of the defaced page was archived at haxor.id.
Date: 2026-04-23T14:11:42Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248647
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Brazil
Victim Industry: E-commerce / Software
Victim Organization: Planilhas VBA
Victim Site: loja.planilhasvba.com.br

Mass Defacement of Brazilian Excel/VBA Resources Site by Threat Actor Zod
Category: Defacement
Content: Threat actor Zod conducted a mass defacement campaign targeting excel.planilhasvba.com.br, a Brazilian website dedicated to Excel and VBA spreadsheet resources. The defacement was deployed on April 23, 2026, affecting the target hosted on a Linux server. This incident is part of a broader mass defacement operation attributed to the Zod team.
Date: 2026-04-23T14:09:45Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248646
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Brazil
Victim Industry: Technology / Education
Victim Organization: Planilhas VBA
Victim Site: excel.planilhasvba.com.br

Alleged Pornhub Credential Cracking Tool Shared on Underground Forum
Category: Carding
Content: A threat actor known as Starip has shared a multi-threaded console-based cracking tool called Project Hub by EZ on an underground forum, designed to process and validate Pornhub credential lists at high speed. The tool features adjustable thread counts, real-time console output, and is optimized for bulk credential checking workflows. The post notes the tool may be flagged as malware by antivirus software, suggesting potentially malicious components.
Date: 2026-04-23T14:03:18Z
Network: openweb
Published URL: https://demonforums.net/Thread-Project-Hub-by-EZ-Pornhub-Checker
Screenshots:
None
Threat Actors: Starip
Victim Country: Unknown
Victim Industry: Adult Entertainment
Victim Organization: Pornhub
Victim Site: pornhub.com

Alleged unauthorized access to Polish compressor station industrial automation system by DDoSia Project
Category: Cyber Attack
Content: The DDoSia Project claimed to have gained full unauthorized access to an industrial automation system controlling a compressor station in Poland. According to the post, attackers compromised operator panels, alarm/event logs, equipment settings, actuator control circuits, and heat recovery systems. A complete loss of communication between multiple drives (B2, B4, B5, B6, D7) and the control system was reported, with all actuators forced into manual mode and zero performance. The heat recovery system was disabled. The threat actor claims to maintain control over the system.
Date: 2026-04-23T14:03:14Z
Network: telegram
Published URL: https://t.me/nnm05716english/1806
Screenshots:
None
Threat Actors: DDoSia Project
Victim Country: Poland
Victim Industry: Industrial automation / Energy infrastructure
Victim Organization: Compressor station
Victim Site: Unknown

Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor operating under the alias NotSellerxd has made available a mixed email combolist containing approximately 4,375 credential pairs on the cracking forum CrackingX. The post offers a free download of the combolist, which appears to aggregate credentials from various sources. No specific victim organization or targeted service has been identified.
Date: 2026-04-23T14:02:51Z
Network: openweb
Published URL: https://crackingx.com/threads/72995/
Screenshots:
None
Threat Actors: NotSellerxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias wingoooW has freely shared a combolist containing approximately 7,000 Hotmail email and password combinations on a cybercrime forum. The credential list was made available via an external paste site. The origin of the credentials and whether they have been verified as valid is unknown.
Date: 2026-04-23T14:02:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-7K-HQ-HOTMAIL–201454
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of German email and password credentials
Category: Combo List
Content: A threat actor operating under the alias COYTO has made available a combolist of German email and password credentials on DemonForums. The post, categorized under Combolists, provides a free download link via an external paste site. No specific victim organization or record count has been disclosed.
Date: 2026-04-23T14:02:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-GERMANY-PRIVATE
Screenshots:
None
Threat Actors: COYTO
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged DDoS-as-a-Service Operation – Goofystress Stresser Platform
Category: Malware
Content: Goofystress.st is advertising a DDoS-as-a-Service platform offering Layer 4 (TCP/UDP flood) and Layer 7 (application-layer) attack capabilities. The service claims to deliver 1.5-2 million pps TCP flood and 6-10 million pps UDP flood per concurrent connection, with bypasses for CAPTCHA, cache, and UAM protections. They also advertise game-specific DDoS bypasses for Fortnite, Minecraft, Apex, COD, Roblox, and Battlefield. The platform operates with an auto-payment system and claims 1000-1500 customers with 190-200 monthly active users.
Date: 2026-04-23T13:41:18Z
Network: telegram
Published URL: https://t.me/c/1669509146/94888
Screenshots:
None
Threat Actors: Goofystress
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged unauthorized access to Polish compressor station industrial automation system by DDoSia Project volunteers
Category: Cyber Attack
Content: The DDoSia Project claimed to have gained full unauthorized access to an industrial automation system controlling a compressor station in Poland. According to the post, attackers compromised operator panels, alarm/event logs, equipment settings, actuator control circuits, and heat recovery systems. The post reports loss of communication between multiple drive units (B2, B4, B5, B6, D7) and the control system, with all actuators forced into manual mode and zero performance. The heat recovery system was disabled. The attackers claim to maintain control over the command interface.
Date: 2026-04-23T13:32:15Z
Network: telegram
Published URL: https://t.me/c/3087552512/1806
Screenshots:
None
Threat Actors: DDoSia Project
Victim Country: Poland
Victim Industry: Industrial Automation / Energy Infrastructure
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed mail access credentials
Category: Combo List
Content: A threat actor operating under the alias RandomUpload on the cracking forum CrackingX has shared a combolist containing 7,785 mixed mail access credentials. The post is gated behind registration, limiting full visibility into the specific mail providers or regions affected. The data appears to be a collection of email account credentials from various providers.
Date: 2026-04-23T13:19:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72990/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of multi-country email and password combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a free combolist of approximately 5 million email and password combinations via Telegram channels. The credential list reportedly includes users from multiple countries including India, China, Canada, the United States, Mexico, Brazil, Argentina, the United Kingdom, Germany, and France. The actor is promoting two Telegram groups offering free combolists and tools.
Date: 2026-04-23T13:19:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72991/
Screenshots:
None
Threat Actors: CODER
Victim Country: Multiple
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Yahoo email credentials combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared an alleged combolist of Yahoo email credentials in email:password format, dated April 23, 2026. The credential list is described as fresh and suitable for multiple purposes. The content is restricted to registered forum users.
Date: 2026-04-23T13:18:30Z
Network: openweb
Published URL: https://crackingx.com/threads/72992/
Screenshots:
None
Threat Actors: Kinglukeman
Victim Country: United States
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com

Alleged sale of domain name prinem.com on cybercrime forum
Category: Initial Access
Content: A threat actor operating under the alias Hades_elgh is advertising the sale of the domain name prinem.com on a cybercrime forum. The domain is registered with GoDaddy and expires on February 3, 2027. The seller claims the domain has a clean history and no trademark issues.
Date: 2026-04-23T13:13:14Z
Network: openweb
Published URL: https://breached.st/threads/domain-name-for-sell.86215/unread
Screenshots:
None
Threat Actors: Hades_elgh
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: prinem.com

Alleged defacement of multiple websites by Mr.PIMZZZXploit
Category: Defacement
Content: A threat actor claims responsibility for defacing approximately 16 websites across various domains, including hr.ivsoftdesign.com, ristovskiprint.mk.ivsoftdesign.com, blood-donation.sukriya.top, renobtp.lahad.shop, web-order.sukriya.top, chatgptitalia.cc, and others. The post includes the hacker signature "Hacked By Mr.PIMZZZXploit" and references to the Babayo Eror System alliance.
Date: 2026-04-23T13:06:28Z
Network: telegram
Published URL: https://t.me/c/3865526389/545
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed platform credential combolist including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook
Category: Data Leak
Content: A threat actor operating under the alias Larry_Uchiha has shared a mixed-platform combolist on the forum AE – Combo List, containing credential pairs for multiple services including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook. The content is gated behind a reply requirement and distributed via Telegram. No price was mentioned, indicating this is a free leak.
Date: 2026-04-23T13:01:37Z
Network: openweb
Published URL: https://altenens.is/threads/mix-account-combo-netflix-onlyfans-chatgpt-xbox-sony-discord-facebook-2026-4-20.2928709/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Netflix, OnlyFans, OpenAI, Xbox, Sony, Discord, Facebook
Victim Site: Unknown

Alleged leak of Hotmail credential combolist targeting multiple regions
Category: Data Leak
Content: A threat actor operating under the alias Larry_Uchiha has shared a Hotmail credential combolist on the AE forum containing approximately 3,200 email:password pairs. The combolist reportedly includes accounts from users across the United States, Europe, Asia, and Russia. The content is gated behind a reply requirement and references a Telegram channel for distribution.
Date: 2026-04-23T13:01:01Z
Network: openweb
Published URL: https://altenens.is/threads/3-200x-hotmail-access-combo-usa-europe-asia-russian.2928708/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com

Alleged leak of mixed email service credentials combolist
Category: Data Leak
Content: A threat actor known as Larry_Uchiha shared a mixed email combolist on the AE forum, containing credentials for multiple email services including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live. The combolist was made available for free to forum members who reply to the thread. The actual content is hidden behind a reply gate and references a Telegram channel for distribution.
Date: 2026-04-23T13:00:22Z
Network: openweb
Published URL: https://altenens.is/threads/mix-mail-combo-hotmail-outlook-aol-gmx-inbox-icloud-live-2026-4-20.2928711/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of German mixed-target combolist with 276,291 credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing 276,291 credential pairs targeting German users across mixed targets. The combolist was shared freely via a Mega.nz link on the cracking forum CrackingX. The exact services or organizations affected are not specified, as the list is described as mixed-target.
Date: 2026-04-23T12:54:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72987/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias HollowKnight07 has made available a sample combolist containing 1,180 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link, suggesting this is a sample release likely intended to attract attention or establish reputation. The origin and validity of the credentials are unverified.
Date: 2026-04-23T12:53:51Z
Network: openweb
Published URL: https://crackingx.com/threads/72988/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of mixed credential combolist containing 119,000 records
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed email:password combolist containing approximately 119,000 unique credential pairs on DemonForums. The content is hidden behind a registration or login requirement. The post also advertises a separate shop (unique-combo.shop) offering combolists from various countries on request.
Date: 2026-04-23T12:32:41Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-MIX-Unique-Combo-3-119000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed credential combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 119,000 unique credential pairs on the cracking forum CrackingX. The post is gated behind registration or sign-in, limiting full visibility into the contents. No specific victim organization or industry has been identified, suggesting the list aggregates credentials from multiple sources.
Date: 2026-04-23T12:32:32Z
Network: openweb
Published URL: https://crackingx.com/threads/72985/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of URL:Login:Password credential combolist
Category: Combo List
Content: A threat actor operating under the alias RandomUpload has made available a combolist containing approximately 698,000 records in URL:login:password format on a cracking forum. The post requires registration to access the hidden download content. No specific victim organization or country has been identified, suggesting this may be an aggregated credential list from multiple sources.
Date: 2026-04-23T12:32:17Z
Network: openweb
Published URL: https://crackingx.com/threads/72986/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Unauthorized Access to Hospital Ventilation Control System (Geo-Eko BMS) in Poland
Category: Cyber Attack
Content: A threat actor claims to have gained unauthorized access to a Geo-Eko BMS hospital building management system controlling ventilation, temperature, and humidity in critical medical areas, including surgical units, operating rooms, intensive care units, and emergency departments in Poland. The actor claims full control over system parameters, with the ability to manipulate or disable ventilation in patient care areas. The post indicates an absence of authentication and logging mechanisms. The threat actor identifies as The Z-Pentest Alliance and references the hashtags #OpPoland, #FuckEastwood, #FuckRedCircus, and #FreeVictoriaDubranova.
Date: 2026-04-23T12:19:18Z
Network: telegram
Published URL: https://t.me/c/3584758467/808
Screenshots:
None
Threat Actors: The Z-Pentest Alliance
Victim Country: Poland
Victim Industry: Healthcare
Victim Organization: Polish hospital (Geo-Eko BMS system)
Victim Site: Unknown

Alleged Leak of WordPress Admin Credentials
Category: Data Leak
Content: A threat actor operating under the alias popfizz has shared what are claimed to be WordPress administrator login credentials on the cybercrime forum Altenens. The post is gated behind a reply requirement, obscuring the full details of the leaked data. The scope, origin, and volume of the alleged credential list remain unknown.
Date: 2026-04-23T12:16:51Z
Network: openweb
Published URL: https://altenens.is/threads/leak-wordpress-admin-logins.2928693/unread
Screenshots:
None
Threat Actors: popfizz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias FlashCloud2 has shared an alleged Hotmail combolist on a cracking forum, described as UHQ (ultra-high quality) and all valid, suggesting the credentials are active and recently verified. The post is behind a login wall, limiting full visibility into the scope and nature of the data. The combolist likely contains email and password combinations associated with Hotmail accounts.
Date: 2026-04-23T12:10:16Z
Network: openweb
Published URL: https://crackingx.com/threads/72981/
Screenshots:
None
Threat Actors: FlashCloud2
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor known as klyne05 has made available a combolist of Hotmail credentials on the cracking forum CrackingX. The post claims the credentials are fresh and have been checked, suggesting they are recently verified email and password combinations. No further details regarding record count or origin of the data are provided in the post.
Date: 2026-04-23T12:09:33Z
Network: openweb
Published URL: https://crackingx.com/threads/72983/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com

Alleged leak of Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist containing approximately 60,000 Gmail credentials on the cracking forum CrackingX. The post is categorized under Combolists & Dumps and is restricted to registered or signed-in forum members. The origin and validity of the credential list have not been verified.
Date: 2026-04-23T12:09:01Z
Network: openweb
Published URL: https://crackingx.com/threads/72984/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com

Mass Website Defacement by EbRaHiM-VaKeR of LegioN_LeakeR Team
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting the website oceanmist.click hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement operation, with the incident archived and mirrored at haxor.id. No specific motive or proof-of-concept details were disclosed.
Date: 2026-04-23T11:50:36Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248636
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Ocean Mist
Victim Site: oceanmist.click

Website Defacement of aetherialpeak.click by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: On April 23, 2026, the website aetherialpeak.click was defaced by threat actor EbRaHiM-VaKeR, operating under the group LegioN_LeakeR. The incident was a targeted single-site defacement with no mass or redefacement indicators. The attack was mirrored and archived via zone-xsec.com.
Date: 2026-04-23T11:50:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912405
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: aetherialpeak.click

Mass Website Defacement of novatrax.website by EbRaHiM-VaKeR (LegioN_LeakeR)
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram-based group LegioN_LeakeR, conducted a mass defacement campaign targeting novatrax.website hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement operation, with a mirror archived at haxor.id. No specific motive or proof-of-concept details were disclosed.
Date: 2026-04-23T11:49:25Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248634
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Novatrax
Victim Site: novatrax.website

Mass defacement of northgatehorizon.website by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting northgatehorizon.website hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement operation, with the altered content archived at haxor.id. No specific motivation was publicly disclosed.
Date: 2026-04-23T11:48:43Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248633
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Northgate Horizon
Victim Site: northgatehorizon.website

Mass Defacement Campaign by EbRaHiM-VaKeR (LegioN_LeakeR) Targeting maplestoneridge.click
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement attack against maplestoneridge.click, a Linux-hosted website. The defacement was confirmed as part of a broader mass defacement campaign, with the compromised page archived at haxor.id. No specific motivation or additional server details were disclosed.
Date: 2026-04-23T11:48:18Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248631
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Maple Stone Ridge
Victim Site: maplestoneridge.click

Mass Website Defacement by EbRaHiM-VaKeR of LegioN_LeakeR Team
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting stratosnova.click hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement operation, with the incident archived and mirrored at haxor.id. No specific motive or proof-of-concept details were disclosed.
Date: 2026-04-23T11:47:46Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248641
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Stratos Nova
Victim Site: stratosnova.click

Mass defacement of skyforgehorizon.click by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram-based group LegioN_LeakeR, conducted a mass defacement campaign targeting skyforgehorizon.click hosted on a Linux server. The defacement was confirmed as part of a mass operation and archived via haxor.id. No specific motive or proof-of-concept details were disclosed.
Date: 2026-04-23T11:47:09Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248640
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Skyforge Horizon
Victim Site: skyforgehorizon.click

Alleged Sale of Compromised SMTP Services for Spam Campaigns
Category: Initial Access
Content: A threat actor operating under the handle office_365shop is selling compromised SMTP accounts across multiple reputable email service providers including AWS, Sendgrid, SMTP2GO, Mailjet, and others. The actor claims the accounts guarantee 100% inbox delivery, indicating they are sourced from legitimate, trusted sending infrastructure. Buyers are directed to contact the seller via Telegram at @office_365shop for purchases.
Date: 2026-04-23T11:46:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Buy-Fresh-Well-Reputed-SMTPs-For-Spamming-100-Inbox
Screenshots:
None
Threat Actors: office_365shop
Victim Country: Unknown
Victim Industry: Email and Cloud Services
Victim Organization: AWS Amazon, Sendgrid, SMTP2GO, Mailjet, Elastic Email, SparkPost, Gmobb, Nifty, Plala, Rentalserver, Heteml, Commufa.jp
Victim Site: Unknown

Mass Website Defacement by EbRaHiM-VaKeR of LegioN_LeakeR Telegram Group
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting zymeraedge.website hosted on a Linux server. The defacement was part of a broader mass defacement operation, with the defaced content archived at haxor.id. No specific motivation or reason was disclosed for the attack.
Date: 2026-04-23T11:46:37Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248643
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Zymera Edge
Victim Site: zymeraedge.website

Alleged leak of mixed email access combolist containing 27,000 credentials
Category: Combo List
Content: A threat actor operating under the alias MegaCloudshop has shared a combolist of approximately 27,000 alleged valid email credentials on a cybercrime forum. The post, dated April 23rd, describes the content as a full valid mail access mix, suggesting active and verified email account access. The actor promotes their store at megacloudshop.top, indicating this may serve as a promotional sample for their shop.
Date: 2026-04-23T11:46:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-27K-Full-Valid-Mail-Access-Mix-Just-valid-Data-23-04
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Mass Website Defacement by EbRaHiM-VaKeR of LegioN_LeakeR targeting nebulacrest.click
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram-based group LegioN_LeakeR, conducted a mass defacement campaign that included the domain nebulacrest.click hosted on a Linux server. The defacement was archived and mirrored at haxor.id, confirming its occurrence. No specific motivation or reason was disclosed for the attack.
Date: 2026-04-23T11:46:07Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248632
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Nebula Crest
Victim Site: nebulacrest.click

Alleged leak of 27,000 mixed email account credentials
Category: Combo List
Content: A threat actor on a cybercrime forum has made available a combolist of approximately 27,000 validated email account credentials described as a full valid mail access mix. The data is dated April 23rd and claimed to contain only verified, working credentials. The post requires forum registration to access the hidden content.
Date: 2026-04-23T11:45:59Z
Network: openweb
Published URL: https://crackingx.com/threads/72980/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Mass Defacement Campaign by EbRaHiM-VaKeR of LegioN_LeakeR Targeting lunarisedge.click
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement attack against lunarisedge.click, a Linux-hosted website. The defacement was part of a broader mass defacement campaign, with a mirror of the attack archived at haxor.id. No specific motivation or proof-of-concept details were disclosed.
Date: 2026-04-23T11:45:31Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248630
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Lunaris Edge
Victim Site: lunarisedge.click

Mass defacement campaign by EbRaHiM-VaKeR of LegioN_LeakeR targeting silverwoodharbor.click
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement attack against silverwoodharbor.click, hosted on a Linux server. The defacement was part of a broader mass defacement campaign rather than an isolated or targeted attack. A mirror of the defaced page has been archived at haxor.id.
Date: 2026-04-23T11:44:57Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248639
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Silverwood Harbor
Victim Site: silverwoodharbor.click

Mass Defacement Campaign by EbRaHiM-VaKeR of LegioN_LeakeR Targeting orvaneharbor.website
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement attack against orvaneharbor.website, hosted on a Linux server. The defacement was part of a broader mass defacement campaign, with the compromised page archived at haxor.id. No specific motive or proof-of-concept was publicly disclosed.
Date: 2026-04-23T11:44:19Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248637
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Orvaneh Harbor
Victim Site: orvaneharbor.website

Mass Website Defacement by EbRaHiM-VaKeR of LegioN_LeakeR Team
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting oakhavensummit.click hosted on a Linux server. The defacement was not a re-defacement and did not target the home page, suggesting a broader campaign involving multiple pages or sites. The incident was archived and mirrored on haxor.id.
Date: 2026-04-23T11:43:49Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248635
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Oak Haven Summit
Victim Site: oakhavensummit.click

Mass Defacement Campaign by EbRaHiM-VaKeR of LegioN_LeakeR targeting ironwoodharbor.click
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement attack against ironwoodharbor.click, a Linux-hosted website. The defacement was part of a broader mass defacement campaign and was archived on haxor.id. No specific motive or proof-of-concept details were disclosed.
Date: 2026-04-23T11:43:14Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248629
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Ironwood Harbor
Victim Site: ironwoodharbor.click

Mass Defacement of zyneracreek.website by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting zyneracreek.website hosted on a Linux server. The defacement was not a re-defacement and did not affect the homepage directly. A mirror of the defacement was archived at haxor.id.
Date: 2026-04-23T11:42:44Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248644
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Zynera Creek
Victim Site: zyneracreek.website

Mass defacement by EbRaHiM-VaKeR of LegioN_LeakeR targeting trivoraedge.website
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign that included the website trivoraedge.website. The defacement targeted a Linux-based server and was archived via haxor.id. This incident is part of a broader mass defacement operation attributed to the same actor.
Date: 2026-04-23T11:42:18Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248642
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Trivora Edge
Victim Site: trivoraedge.website

Mass defacement by EbRaHiM-VaKeR of LegioN_LeakeR targeting pinecrestharbor.click
Category: Defacement
Content: A mass defacement attack was carried out by threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, targeting the website pinecrestharbor.click hosted on a Linux server. The attack, recorded on April 23, 2026, was part of a broader mass defacement campaign rather than an isolated incident. A mirror of the defaced page has been archived at haxor.id.
Date: 2026-04-23T11:41:40Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248638
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Real Estate / Hospitality
Victim Organization: Pinecrest Harbor
Victim Site: pinecrestharbor.click

Mass Defacement of BlueRock Holdings by EbRaHiM-VaKeR / LegioN_LeakeR
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting bluerockholdings.click, a site associated with a holdings or investment entity. The attack was carried out on a Linux-based server and is classified as part of a mass defacement operation rather than a targeted single-site attack. The defacement was archived and mirrored on haxor.id.
Date: 2026-04-23T11:35:40Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248625
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Finance / Investment
Victim Organization: Blue Rock Holdings
Victim Site: bluerockholdings.click

Mass defacement by EbRaHiM-VaKeR and LegioN_LeakeR team targeting celestialharbor.click
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, operating under the Telegram group LegioN_LeakeR, conducted a mass defacement attack against the website celestialharbor.click hosted on a Linux server. The defacement was confirmed as part of a mass defacement campaign, with a mirror of the defaced content archived at haxor.id. No specific geopolitical motive or targeted industry was identified based on available data.
Date: 2026-04-23T11:35:00Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248626
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Celestial Harbor
Victim Site: celestialharbor.click

Website defacement of aetherialpeak.click by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, defaced the website aetherialpeak.click. The attack targeted a Linux-based server and resulted in a single-page defacement rather than a mass or home page defacement. A mirror of the defaced content was archived at haxor.id.
Date: 2026-04-23T11:33:38Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248621
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: aetherialpeak.click

Mass defacement of aurorasummit.click by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: The website aurorasummit.click was defaced by threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, on April 23, 2026. The incident was classified as a mass defacement campaign targeting a Linux-based server. The defacement was mirrored and archived at haxor.id, indicating it was part of a broader coordinated attack campaign.
Date: 2026-04-23T11:32:51Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248622
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Aurora Summit
Victim Site: aurorasummit.click

Mass Web Defacement by EbRaHiM-VaKeR of LegioN_LeakeR targeting averoncrest.website
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, carried out a mass web defacement campaign targeting averoncrest.website hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement operation, with a mirror archived at haxor.id. No specific motivation or proof-of-concept details were disclosed.
Date: 2026-04-23T11:31:53Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248623
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Averoncrest
Victim Site: averoncrest.website

Mass Defacement of cloudspireventures.click by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting cloudspireventures.click, a business ventures website hosted on a Linux server. The defacement was part of a broader mass defacement operation and is archived at haxor.id. No specific motive or proof-of-concept details were disclosed.
Date: 2026-04-23T11:31:14Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248627
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Business Services
Victim Organization: Cloud Spire Ventures
Victim Site: cloudspireventures.click

Mass Website Defacement by EbRaHiM-VaKeR of LegioN_LeakeR Team
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR, conducted a mass defacement campaign targeting eclipsera.click hosted on a Linux server. The defacement was part of a broader mass defacement operation, with the attack archived at haxor.id. The attacker's motive and the victim's country of origin remain unconfirmed based on available data.
Date: 2026-04-23T11:30:19Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248628
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Eclipsera
Victim Site: eclipsera.click

Mass Defacement of BluePeak Ventures by EbRaHiM-VaKeR (LegioN LeakeR)
Category: Defacement
Content: On April 23, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN LeakeR, conducted a mass defacement campaign targeting bluepeakventures.click, a likely venture capital or investment-related website. The attack was carried out on a Linux-based server and is classified as a mass defacement, indicating multiple sites were compromised as part of the same operation. The defacement was archived and mirrored via haxor.id.
Date: 2026-04-23T11:29:41Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248624
Screenshots:
None
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Finance / Venture Capital
Victim Organization: Blue Peak Ventures
Victim Site: bluepeakventures.click

Alleged Distribution of Mixed Credential Combolist (8 Million Lines)
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing an alleged 8 million line mixed credential combolist described as UHQ (ultra-high quality) hits via Telegram channels and direct contact. The combolist is being made available for free through Telegram groups at t.me/Combo445544 and t.me/Coder554455. The origin or targeted services of the credentials are not specified in the post.
Date: 2026-04-23T11:24:09Z
Network: openweb
Published URL: https://crackingx.com/threads/72978/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged document forgery and identity document manipulation service offered by threat actor vasya_rogov
Category: Carding
Content: A threat actor operating under the alias vasya_rogov is advertising document forgery and rendering services on the crackingx forum. The service offers custom-made fraudulent document templates at up to 1200 dpi resolution and EXIF metadata removal to eliminate traces of editing, and utilizes computer forensic tools. Contact is facilitated via the Telegram handle @vasya_rogov1 and the channel @vasya_rogov12, with a payment-upon-completion model and discounts for bulk clients.
Date: 2026-04-23T11:24:02Z
Network: openweb
Published URL: https://crackingx.com/threads/72979/
Screenshots:
None
Threat Actors: vasya_rogov
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged solicitation for private United States email account credentials
Category: Data Breach
Content: A threat actor operating under the alias jesus13gar1 on the AE combo list forum is actively seeking a provider of highly private email accounts originating from the United States. The actor claims to be willing to pay well for the accounts and directs interested parties to contact them via a Telegram handle. No specific organization, volume, or source has been identified.
Date: 2026-04-23T11:08:39Z
Network: openweb
Published URL: https://altenens.is/threads/need-proveedor-us.2928677/unread
Screenshots:
None
Threat Actors: jesus13gar1
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged free distribution of 7 million corporate email combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist purportedly containing 7 million corporate email credentials via Telegram channels. The combolist is being made available for free through two Telegram groups focused on combo and program sharing. The actor also solicits direct contact via Telegram handle CODER5544 for additional combo requests.
Date: 2026-04-23T11:02:01Z
Network: openweb
Published URL: https://crackingx.com/threads/72974/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged solicitation for private United States email account credentials
Category: Combo List
Content: A threat actor operating under the alias jesus13gar is seeking a provider of highly private email accounts originating from the United States. The actor claims to be willing to pay and directs potential suppliers to contact them via Telegram. No specific organization, volume, or data source has been identified.
Date: 2026-04-23T11:01:46Z
Network: openweb
Published URL: https://crackingx.com/threads/72975/
Screenshots:
None
Threat Actors: jesus13gar
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 4,300 Chinese email account credentials
Category: Logs
Content: A threat actor known as MegaCloud has shared a combolist of approximately 4,300 allegedly valid Chinese email account credentials on an underground forum. The post, dated April 23rd, offers access to verified mail account logins. No specific email provider or organization has been identified as the source of the credential list.
Date: 2026-04-23T10:57:53Z
Network: openweb
Published URL: https://xforums.st/threads/4-3k-china-full-valid-mail-access-23-04.609350/
Screenshots:
None
Threat Actors: MegaCloud
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of credential combolists and account access across multiple countries
Category: Combo List
Content: Threat actors are advertising the sale of fresh credential combolists (email:password combinations) and compromised account access for multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT, etc.). Sellers claim to have access to Hotmail, eBay, Offerup, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, Neosurf, and Reddit accounts. Sellers mention private cloud infrastructure and offer keyword checking services for buyers.
Date: 2026-04-23T10:39:52Z
Network: telegram
Published URL: https://t.me/c/2613583520/68117
Screenshots:
None
Threat Actors: mu
Victim Country: Multiple (United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy, Mexico, Canada, Singapore)
Victim Industry: Multiple (e-commerce, email, gaming, travel, payment services)
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of 1,500 USA email access credentials
Category: Combo List
Content: A threat actor operating under the alias MegaCloudshop is selling a combolist of approximately 1,500 valid email credentials belonging to United States-based users, claimed to be tested and active as of April 23. The listing is posted on DemonForums and directs buyers to an external storefront at megacloudshop.top.
Date: 2026-04-23T10:36:32Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1-5K-USA-Just-Valid-Mail-Access-Top-Quality-23-04
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 1,500 valid USA email access credentials
Category: Combo List
Content: A threat actor operating under the alias MailAccesss has made available a list of approximately 1,500 valid email access credentials targeting United States-based accounts. The post, shared on the crackingx.com forum, claims the credential list is of top quality and dated April 23. The content is restricted to registered forum users, suggesting it is distributed as a member benefit rather than for explicit sale.
Date: 2026-04-23T10:36:16Z
Network: openweb
Published URL: https://crackingx.com/threads/72971/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Yahoo domain credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has freely distributed a combolist containing approximately 825,730 credential pairs targeting Yahoo domain accounts. The combolist was made available via a Mega.nz file sharing link on the crackingx.com forum. No purchase or payment is required to access the leaked credentials.
Date: 2026-04-23T10:36:01Z
Network: openweb
Published URL: https://crackingx.com/threads/72973/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: United States
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com

Alleged SCADA/HMI hijacking of BERMAD CS Ltd water management systems via Modbus protocol attacks
Category: Cyber Attack
Content: TheSweetNight and OpsShadowStrike claim to have hijacked BERMAD CS Ltd, an Israeli water flow management and control solutions company. The attack allegedly involved Modbus protocol attacks targeting HMI/SCADA systems. Multiple hacktivist groups and individuals claim collaboration, including TengkorakCyberCrew, MalaysiaHacktivist, EagleCyberCrew, and others. The post includes political/hacktivist messaging related to Palestine and Iran.
Date: 2026-04-23T10:27:01Z
Network: telegram
Published URL: https://t.me/TheSweetNightPublic/70
Screenshots:
None
Threat Actors: TheSweetNight
Victim Country: Israel
Victim Industry: Water Management / Critical Infrastructure
Victim Organization: BERMAD CS Ltd
Victim Site: bermad.com

Alleged leak of mixed credential combolist containing 119,000 records
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 119,000 unique credential pairs on the cracking forum CrackingX. The post is behind a login wall, limiting full visibility into the content, origin, or targets of the leaked credentials. The combolist appears to aggregate credentials from multiple sources given its MIX designation.
Date: 2026-04-23T10:13:37Z
Network: openweb
Published URL: https://crackingx.com/threads/72967/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed email/password combolist with 119,000 credentials
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 119,000 unique email and password credential pairs on DemonForums. The content is hidden behind a registration or login wall, limiting immediate public access. The actor also promotes an external shop (unique-combo.shop) offering combolists targeting multiple countries.
Date: 2026-04-23T10:13:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-MIX-Unique-Combo-2-119000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 58,000 German email account credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist containing approximately 58,000 allegedly valid German email account credentials. The post, dated April 23, describes the content as Full Valid Mail Access, suggesting active and working email account logins. The content is restricted to registered forum users.
Date: 2026-04-23T10:13:20Z
Network: openweb
Published URL: https://crackingx.com/threads/72968/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 58,000 German email credentials
Category: Combo List
Content: A threat actor operating under the alias MegaCloudshop has made available a combolist containing approximately 58,000 email credentials allegedly belonging to German users. The post is dated April 23rd and claims the credentials are fully valid and provide mail access. The content is hidden behind a registration or login requirement on the forum, and the actor promotes an external store at megacloudshop.top.
Date: 2026-04-23T10:13:11Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-58-K-GERMANY-Full-Valid-Mail-Access-23-04
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor known as Jelooos is sharing what they claim to be untouched, first-hand private Hotmail credential hits on the cracking forum CX. The post is gated behind registration or sign-in, limiting visibility into the full scope of the leak. The data appears to be a combolist of valid Hotmail account credentials.
Date: 2026-04-23T10:13:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72969/
Screenshots:
None
Threat Actors: Jelooos
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged database breach of Bank Syariah Indonesia
Category: Data Breach
Content: A user named Xyph0rix has posted on Breachforums regarding a database breach affecting Bank Syariah Indonesia. The breach details are shared via a dedicated thread on the breach forum platform.
Date: 2026-04-23T10:08:25Z
Network: telegram
Published URL: https://t.me/Xyph0rix/190
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Financial Services / Banking
Victim Organization: Bank Syariah Indonesia
Victim Site: Unknown

Alleged data breach of Bank Syariah Indonesia
Category: Data Leak
Content: A threat actor operating under the alias Xyph0rix has made available an alleged database dump belonging to Bank Syariah Indonesia (BSI). The leaked data includes employee or customer records containing names, IDs, telephone numbers, email addresses, physical addresses, organizational positions, and regional office details. The data is being freely distributed via a download link on the Breached forum.
Date: 2026-04-23T10:08:19Z
Network: openweb
Published URL: https://breached.st/threads/database-bank-syariah-indonesia.86214/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Banking and Financial Services
Victim Organization: Bank Syariah Indonesia
Victim Site: bankbsi.co.id

Alleged sale of fresh database credentials across multiple countries
Category: Combo List
Content: A threat actor is offering fresh database access and credentials across multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT) with inbox access. The actor claims to have private cloud infrastructure and valid webmail accounts. The offer targets popular platforms including eBay, OfferUp, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and Neosurf. The actor solicits direct messages for specific requests.
Date: 2026-04-23T10:05:39Z
Network: telegram
Published URL: https://t.me/c/2613583520/68104
Screenshots:
None
Threat Actors: mu
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: Multiple (e-commerce, gaming, travel, financial services)
Victim Organization: Unknown
Victim Site: Unknown

Alleged DDoS-as-a-Service Operation – Goofystress Platform
Category: Cyber Attack
Content: Goofystress.st is advertising a DDoS-as-a-Service platform offering Layer 4 (TCP/UDP flood up to 10M pps) and Layer 7 attack capabilities with protection bypasses (CAPTCHA, Cache, UAM). The service claims 3+ years of operation and 1000-1500 customers, and provides an auto-payment system for subscription-based access to attack infrastructure targeting gaming platforms (Fortnite, Minecraft, Apex, COD, Roblox, Battlefield).
Date: 2026-04-23T09:35:24Z
Network: telegram
Published URL: https://t.me/c/1669509146/94842
Screenshots:
None
Threat Actors: Goofystress
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: goofystresse.st

Alleged leak of mixed stealer logs combolist by threat actor fatetraffic
Category: Combo List
Content: A threat actor operating under the alias fatetraffic has made available a mixed combolist of 2,000 entries sourced from stealer logs, dated April 22, 2026. The credential list was shared for free via a Pixeldrain link with a password provided in the post. No specific victim organization or country has been identified, suggesting the data spans multiple sources.
Date: 2026-04-23T09:30:25Z
Network: openweb
Published URL: https://crackingx.com/threads/72964/
Screenshots:
None
Threat Actors: fatetraffic
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Leak of Hotmail and Office 365 Credential Combolist
Category: Combo List
Content: A threat actor known as CODER is distributing a large combolist containing approximately 9.4 million email and password combinations targeting Hotmail (including hotmail.fr and hotmail.es) and Office 365 accounts. The combolist is being made available via Telegram channels and groups operated by the actor. No price is mentioned, suggesting the credentials are being freely shared.
Date: 2026-04-23T09:30:09Z
Network: openweb
Published URL: https://crackingx.com/threads/72965/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged sale of large-scale URL-login-password credential database with online search access
Category: Combo List
Content: A threat actor on CrackingX is offering access to a claimed 1.3TB collection of URL-login-password (ULP) credential logs, described as a private database with historical and continuously updated entries. The offering includes access to an online search tool allowing users to query targets without downloading the full dataset. Users can filter results by country, suggesting a broad multi-national scope of compromised credentials.
Date: 2026-04-23T09:29:48Z
Network: openweb
Published URL: https://crackingx.com/threads/72966/
Screenshots:
None
Threat Actors: Mustukaral
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Leak of Indonesian Civil Registration (Dukcapil) Database
Category: Data Leak
Content: A threat actor operating under the alias Xyph0rix has leaked what is claimed to be a database from Indonesia's Directorate General of Civil Registration (Dukcapil). The leaked data includes sensitive personally identifiable information such as full names, National Identity Numbers (NIK), occupation, age, gender, province, residential address, email, and blood type. A download link for the full database has been made available on the forum.
Date: 2026-04-23T09:24:20Z
Network: openweb
Published URL: https://breached.st/threads/database-dukcapil-go-id.86213/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Dukcapil (Direktorat Jenderal Kependudukan dan Pencatatan Sipil)
Victim Site: dukcapil.go.id

Alleged Threat Actor Group Takeover and Operation 0ktapus Launch
Category: Cyber Attack
Content: Threat actors claim operational control of a breach channel and group and identify themselves as associated with UNC3944, UNC6040, UNC6395, and UNC6240. They are announcing a new operation called Operation 0ktapus and recruiting members to join their Telegram group.
Date: 2026-04-23T09:13:14Z
Network: telegram
Published URL: https://t.me/c/3500620464/7277
Screenshots:
None
Threat Actors: UNC3944
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data breach of Dukcapil (Indonesian Population Database)
Category: Data Breach
Content: A user named Xyph0rix has posted on Breachforums regarding a database breach of Dukcapil (dukcapil.go.id), Indonesia's official population and civil registry database. The breach is being discussed in a dedicated thread on the Breachforums platform.
Date: 2026-04-23T09:09:19Z
Network: telegram
Published URL: https://t.me/Xyph0rix/189
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Dukcapil
Victim Site: dukcapil.go.id

Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as alphaxdd has made available a combolist of 1,411 allegedly valid Hotmail credentials on the cracking forum CrackingX. The post describes the credentials as premium hits from a private cloud mix of email accounts. The actor can be contacted via Telegram handle alphaaxd and the content is offered as a free download.
Date: 2026-04-23T09:06:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72963/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged sale of RDP access to cloud infrastructure and compromised accounts
Category: Initial Access
Content: A threat actor is offering rental of RDP access to Azure, AWS, and DigitalOcean infrastructure at $200 daily/monthly rates. The actor is also advertising domain email accounts (Gmail, Yahoo), GitHub student accounts, and domain access. The seller claims fresh IPs and limited stock availability and offers escrow services.
Date: 2026-04-23T09:02:03Z
Network: telegram
Published URL: https://t.me/c/2613583520/68066
Screenshots:
None
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Technology/Cloud Services
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Yahoo credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist allegedly containing 1,773,327 email and password credential pairs associated with Yahoo accounts. The combolist was shared via a Mega.nz download link on the cracking forum CrackingX. The credentials are described as high-quality (HQ) leaks, suggesting they may have been verified or sourced from recent breaches.
Date: 2026-04-23T08:44:06Z
Network: openweb
Published URL: https://crackingx.com/threads/72961/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: United States
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com

Alleged $3.5 Million Theft from Volo DeFi Protocol
Category: Cyber Attack
Content: Representatives of the Volo DeFi protocol reported a security breach resulting in the theft of approximately $3.5 million. Project representatives stated they responded immediately to the hack and that user funds are not at risk.
Date: 2026-04-23T08:39:46Z
Network: telegram
Published URL: https://t.me/c/1397463379/11171
Screenshots:
None
Threat Actors: LZT
Victim Country: Unknown
Victim Industry: DeFi/Cryptocurrency
Victim Organization: Volo
Victim Site: Unknown

Alleged Data Breach of Iraqi Police Personnel Database
Category: Data Breach
Content: A threat actor claims to have breached a database belonging to Iraqi police personnel and officials. The leaked database allegedly contains personal information including first name, last name, email, title, start year, and address. The actor also claims to have obtained adult video clips from the breach.
Date: 2026-04-23T08:37:59Z
Network: openweb
Published URL: https://breached.st/threads/police-base-and-officials-in-iraq-2025-have-been-hacked.86212/unread
Screenshots:
None
Threat Actors: karllllllllX
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Iraqi Police
Victim Site: Unknown

Alleged distribution of SMTP combolists via Telegram channels
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing free SMTP-targeted combolists via Telegram channels. The actor promotes two Telegram groups offering free credential lists and tools. No specific victim organization or record count has been identified.
Date: 2026-04-23T08:10:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72960/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of multi-platform credential combolist affecting Allegro, Kaufland, Bol.com and others
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist of approximately 11 million email and password combinations targeting users of multiple e-commerce and retail platforms including Allegro, Kaufland, Bol.com, Fnac, ManoMano, Bricomarché, Decathlon, Zalora, The Iconic, and Culture Kings. The combolist is being distributed for free via Telegram channels and a cracking forum. The actor promotes additional free combos and tools through dedicated Telegram groups.
Date: 2026-04-23T07:41:11Z
Network: openweb
Published URL: https://crackingx.com/threads/72956/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: E-Commerce & Retail
Victim Organization: Allegro, Kaufland, Bol.com, Fnac, ManoMano, Bricomarché, Decathlon, Zalora, The Iconic, Culture Kings
Victim Site: allegro.pl, kaufland.de, bol.com, fnac.com, manomano.com, bricomarche.com, decathlon.com, zalora.com, theiconic.com.au, culturekings.com.au

Alleged Carding and Payment Infrastructure Service Advertised on Underground Forum
Category: Carding
Content: A threat actor operating under the alias cyberbizbz is advertising Cyberbiz.bz, a payment processing platform on an underground forum catering to high-risk and gray-market online businesses. The service offers ECOM VISA and Mastercard payment acceptance, virtual card issuing, anti-fraud systems, and flexible API integration targeting verticals such as adult content, gaming, VPN services, SMS activation, and loot boxes. The platform appears designed to facilitate payment processing for business
Date: 2026-04-23T07:40:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72959/
Screenshots:
None
Threat Actors: cyberbizbz
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: cyberbiz.bz

Alleged cyber attack on Polish industrial plant by Shadow ClawZ 404
Category: Cyber Attack
Content: Shadow ClawZ 404 claims to have compromised an industrial system in Poland, causing operational disruption with multiple alarms triggered. The group claims responsibility for stopping the industrial plant operations.
Date: 2026-04-23T07:38:50Z
Network: telegram
Published URL: https://t.me/c/3251820623/66
Screenshots:
None
Threat Actors: Shadow ClawZ 404
Victim Country: Poland
Victim Industry: Industrial/Manufacturing
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Leak of Indian Ministry of Home Affairs (MHA) Contact Information
Category: Data Leak
Content: A threat actor using the alias anon 23 on XF forums allegedly leaked contact information belonging to Indian Ministry of Home Affairs (MHA) personnel, including email addresses, phone numbers, and names. The post was made on the XF Index Database forum. No further details regarding the volume of records or method of acquisition are available.
Date: 2026-04-23T07:38:06Z
Network: openweb
Published URL: https://xforums.st/threads/indian-government-mha-email-phone-name-leak.609344/
Screenshots:
None
Threat Actors: anon 23
Victim Country: India
Victim Industry: Government
Victim Organization: Ministry of Home Affairs (MHA)
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Logs
Content: A threat actor operating under the alias ValidMail has made available a combolist of approximately 37,000 Hotmail domain credentials, claimed to be valid as of April 26, 2023. The post was shared on the XF forums under the Mail Access & Combolists section. Access to the content requires forum registration.
Date: 2026-04-23T07:37:04Z
Network: openweb
Published URL: https://xforums.st/threads/37k-hotmail-domain-with-valid-23-04-26.609343/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of mixed-domain email credentials combolist
Category: Logs
Content: A threat actor operating under the alias ValidMail has made available a combolist containing approximately 146,000 email credentials across mixed domains, dated April 26, 2023. The post is hosted on the XF Mail Access & Combolists forum and claims the entries are valid. No specific victim organization or country is identified, as the list spans multiple domains.
Date: 2026-04-23T07:36:33Z
Network: openweb
Published URL: https://xforums.st/threads/146k-mix-domain-with-valid-23-04-26.609346/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged breach of UAE investor system by MD-Ghost/The BlackH4t with 30GB data theft
Category: Data Breach
Content: Threat actor group MD-Ghost (also known as The BlackH4t) claims to have breached the United Arab Emirates investor system and exfiltrated approximately 30GB of sensitive data. The alleged stolen data includes identity documents, visa copies (including Dubai Golden Visa), foreign investor registration information, and financial records.
Date: 2026-04-23T07:29:50Z
Network: telegram
Published URL: https://t.me/c/1283513914/21344
Screenshots:
None
Threat Actors: MD-Ghost
Victim Country: United Arab Emirates
Victim Industry: Finance/Investment
Victim Organization: UAE Investor System
Victim Site: Unknown

Website Defacement of Cartouches Arabais by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a subdirectory of cartouchesarabais.com, a website likely associated with a cartridge or printing supplies retailer. The incident was a targeted, non-mass defacement affecting a specific media path rather than the homepage. No team affiliation, stated motive, or server details were disclosed in relation to this attack.
Date: 2026-04-23T07:23:23Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912362
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-commerce
Victim Organization: Cartouches Arabais
Victim Site: cartouchesarabais.com

Alleged leak of Norwegian email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist of approximately 21,000 email and password credential pairs allegedly associated with Norwegian users. The list is described as fresh and high quality, and is being distributed via a hidden content link on DemonForums and promoted through a Telegram channel (Maxi_links). No specific victim organization or domain has been identified.
Date: 2026-04-23T07:13:29Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-21-K-%E2%9C%A6-Norway-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-23-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Norway
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Nigerian email credentials combolist
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist containing over 16,000 email and password credential pairs allegedly associated with Nigerian users. The list is described as fresh and high quality, and is being distributed for free via the DemonForums platform. The post references a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-23T07:12:38Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-16-K-%E2%9C%A6-Nigeria-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-23-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Nigeria
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed email and password combolist
Category: Combo List
Content: A threat actor operating under the alias wingoooW has made available a mixed combolist containing approximately 6,000 email and password credential pairs via a free download link on pasteview.com. The post was shared on DemonForums in the combolists section. No specific victim organization or country has been identified, suggesting the credentials may originate from multiple sources.
Date: 2026-04-23T07:12:11Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-6K-MIXED-GOODS
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias @Steveee36 has made available a combolist of 722 alleged Hotmail credentials on the cracking forum CrackingX. The post offers a free download of the credential list, described as HQ (high quality), suggesting the credentials may be recently verified or active. No additional details about the data's origin or collection method are provided.
Date: 2026-04-23T07:11:22Z
Network: openweb
Published URL: https://crackingx.com/threads/72955/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged phishing SMS kit with spoofed sender IDs for Australia
Category: Phishing
Content: Threat actor Youngjn123 is advertising a bulk SMS phishing service with updated sender IDs impersonating legitimate cryptocurrency and financial services (Crypto.com, Telegram, Coinspot, Binance, Latitude). The actor offers free test SMS and additional country/sender ID options via direct message.
Date: 2026-04-23T07:09:47Z
Network: telegram
Published URL: https://t.me/YoungJNCrossBulksms0285/2
Screenshots:
None
Threat Actors: Youngjn123
Victim Country: Australia
Victim Industry: Financial Services, Cryptocurrency
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of ClickNPay by DimasHxR
Category: Defacement
Content: On April 23, 2026, the threat actor DimasHxR defaced a web page on clicknpay.com, a payment processing platform, targeting a subdirectory within the site's public media folder. The defacement was a targeted single-page attack, not a mass or home page defacement. No team affiliation, stated motive, or server details were disclosed.
Date: 2026-04-23T07:00:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912343
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Financial Services / Payment Processing
Victim Organization: ClickNPay
Victim Site: clicknpay.com

Alleged Discord Server DDoS/Ban Service Offering
Category: Cyber Attack
Content: User @Steiner935 is advertising a service to ban or disrupt Discord servers, including legacy servers. The user claims to offer the cheapest and best service on the market for this malicious capability.
Date: 2026-04-23T06:58:47Z
Network: telegram
Published URL: https://t.me/c/2613583520/68019
Screenshots:
None
Threat Actors: Steiner935
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Polish email and password credentials
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist of approximately 485,000 email and password credential pairs allegedly associated with Polish users. The list is described as fresh and high quality, and was shared freely on the DemonForums cybercrime forum. Additional combolists are promoted via the Telegram channel Maxi_links.
Date: 2026-04-23T06:44:32Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-485-K-%E2%9C%A6-Poland-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-23-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Philippine email credential combolist
Category: Combo List
Content: A threat actor known as CobraEgy has shared a combolist containing approximately 172,000 email and password credential pairs allegedly belonging to Philippine users on the Demon Forums cybercrime forum. The list is described as fresh and high quality. The content is made available for free via hidden content and a Telegram channel linked to Maxi_links.
Date: 2026-04-23T06:43:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-172-K-%E2%9C%A6-Philippines-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-23-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Philippines
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of Stokrat (Ukraine) by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor using the handle DimasHxR defaced a media/customer directory path on the Ukrainian website stokrat.com.ua. The attack was a targeted, non-mass defacement conducted by an individual actor with no affiliated team. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-23T06:43:21Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912288
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Ukraine
Victim Industry: E-commerce / Retail
Victim Organization: Stokrat
Victim Site: stokrat.com.ua

Alleged leak of Peruvian email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist of over 126,000 email and password credential pairs allegedly associated with Peruvian users. The content is described as fresh and high quality, and is being distributed for free on the DemonForums platform. The post references the Telegram channel Maxi_links as a source for additional combolists.
Date: 2026-04-23T06:43:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-126-K-%E2%9C%A6-Peru-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-23-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Peru
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Portuguese email credential combolist
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist containing over 75,000 email and password pairs purportedly belonging to Portuguese users. The content is described as fresh and high quality, and is being distributed freely via the DemonForums platform. Additional combolists are promoted through the Telegram channel Maxi_links.
Date: 2026-04-23T06:42:44Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-75-K-%E2%9C%A6-Portugal-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-23-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Portugal
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Website Defacement of MixMarket by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias DimasHxR defaced a media or custom page on mixmarket.market, an e-commerce or marketplace platform. The attacker acted independently without affiliation to a known group or team. The incident was a targeted single-page defacement, not a mass or home page defacement, with details archived at zone-xsec.com.
Date: 2026-04-23T06:42:29Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912251
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Marketplace
Victim Organization: MixMarket
Victim Site: mixmarket.market

Alleged leak of Pakistani email credentials combolist
Category: Combo List
Content: A threat actor known as CobraEgy has shared a combolist containing over 46,000 email and password combinations allegedly associated with Pakistani users on the DemonForums cybercrime forum. The credential list is described as fresh and high quality, and is made available as hidden content requiring forum registration. The post references a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-23T06:42:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-46-K-%E2%9C%A6-Pakistan-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-23-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Pakistan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of credential combolists targeting fashion and e-commerce platforms
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist of approximately 5 million email and password combinations allegedly targeting multiple fashion and e-commerce platforms including ASOS, Grailed, GOAT, Stadium Goods, Vestiaire Collective, The RealReal, Farfetch, eMAG, Ozon, and Cdiscount. The credentials are being distributed for free via Telegram channels and groups associated with the actor. The post does not mention a price, suggesting the combolists are shared f
Date: 2026-04-23T06:41:31Z
Network: openweb
Published URL: https://crackingx.com/threads/72954/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: E-Commerce / Fashion Retail
Victim Organization: ASOS, Grailed, GOAT, Stadium Goods, Vestiaire Collective, The RealReal, Farfetch, eMAG, Ozon, Cdiscount
Victim Site: asos.com, grailed.com, goat.com, stadiumgoods.com, vestiairecollective.com, therealreal.com, farfetch.com, emag.ro, ozon.ru, cdiscount.com

Website Defacement of PLCProduct by DimasHxR
Category: Defacement
Content: On April 23, 2026, threat actor DimasHxR defaced a media/customer directory page on plcproduct.com, a website associated with programmable logic controller (PLC) products. The attack was a targeted single-page defacement, not classified as a mass or home page defacement. No specific motive, server details, or team affiliation were disclosed in connection with this incident.
Date: 2026-04-23T06:41:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912265
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Industrial / Manufacturing (PLC Products)
Victim Organization: PLC Product
Victim Site: plcproduct.com

Website Defacement of Clever Möbel by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker known as DimasHxR defaced a media/customer directory path on the German furniture retailer website clever-moebel.de. The incident was a targeted single-site defacement, not part of a mass defacement campaign. No specific motive or proof-of-concept details were disclosed, and server information remains unknown.
Date: 2026-04-23T06:40:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912320
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Retail / Furniture
Victim Organization: Clever Möbel
Victim Site: www.clever-moebel.de

Website Defacement of Tronictoy by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker known as DimasHxR defaced a media/customer directory page on tronictoy.com. The incident was a targeted, single-site defacement with no team affiliation reported. Technical details such as server software and IP address were not disclosed.
Date: 2026-04-23T06:39:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912297
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / Toys & Consumer Electronics
Victim Organization: Tronic Toy
Victim Site: tronictoy.com

Website Defacement of Pawfect Foods by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker known as DimasHxR defaced a subdirectory of pawfectfoods.in, an Indian pet food company. The defacement targeted a specific media/customer path rather than the homepage, indicating a targeted partial site compromise. No team affiliation, stated motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-23T06:38:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912262
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: India
Victim Industry: Pet Food / Retail
Victim Organization: Pawfect Foods
Victim Site: pawfectfoods.in

Website Defacement of Wagadootoo by DimasHxR
Category: Defacement
Content: On April 23, 2026, the South African website wagadootoo.co.za was defaced by a threat actor operating under the alias DimasHxR. The defacement targeted a subdirectory of the site rather than the homepage and was carried out as a solo operation with no affiliated team. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-23T06:37:36Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912315
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: South Africa
Victim Industry: Unknown
Victim Organization: Wagadootoo
Victim Site: wagadootoo.co.za

Website Defacement of Swebike by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker known as DimasHxR defaced a page on swebike.se, a Swedish bicycle retail website. The defacement targeted a subdirectory path related to customer address media content. No team affiliation was claimed, and the incident was classified as a single, non-mass, non-home page defacement.
Date: 2026-04-23T06:36:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912290
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Sweden
Victim Industry: Retail / E-commerce
Victim Organization: Swebike
Victim Site: swebike.se

Website Defacement of Manhattan Portage by DimasHxR
Category: Defacement
Content: On April 23, 2026, threat actor DimasHxR defaced a page on manhattanportage.com, a US-based bag and accessories retailer. The attack targeted a subdirectory of the website rather than the homepage and was carried out as a single, non-mass defacement. No specific motive or team affiliation was reported for this incident.
Date: 2026-04-23T06:35:48Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912247
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: Retail / E-Commerce
Victim Organization: Manhattan Portage
Victim Site: manhattanportage.com

Website Defacement of Mokca.si by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias DimasHxR defaced a publicly accessible media directory on mokca.si, a Slovenian website likely running a Magento-based e-commerce platform, as indicated by the /pub/media/customer_ad path. The defacement was an individual, targeted attack affecting a specific subdirectory rather than the homepage. No team affiliation, stated motive, or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-23T06:35:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912252
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Slovenia
Victim Industry: E-Commerce / Retail
Victim Organization: Mokca
Victim Site: mokca.si

Website Defacement of Zaafoo by DimasHxR
Category: Defacement
Content: On April 23, 2026, threat actor DimasHxR defaced a media/customer address page on zaafoo.com, an e-commerce platform. The attack was a targeted single-page defacement, not part of a mass or home page defacement campaign. No team affiliation, stated motive, or technical server details were disclosed in association with this incident.
Date: 2026-04-23T06:34:01Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912321
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-commerce / Retail
Victim Organization: Zaafoo
Victim Site: zaafoo.com

Website Defacement of Spa Galaxy by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker known as DimasHxR defaced a subdirectory of spagalaxy.md, a spa and wellness business based in Moldova. The defacement targeted a media/customer upload path rather than the homepage, indicating a targeted file path intrusion. No team affiliation, stated motive, or server details were disclosed.
Date: 2026-04-23T06:33:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912280
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Moldova
Victim Industry: Health & Wellness / Beauty
Victim Organization: Spa Galaxy
Victim Site: spagalaxy.md

Website Defacement of ktsps.com.my by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias DimasHxR defaced a subpath of the Malaysian website ktsps.com.my, targeting its media/customer directory. The attack was carried out as a single, targeted defacement with no team affiliation reported. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-04-23T06:27:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912234
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Malaysia
Victim Industry: Unknown
Victim Organization: KTSPS
Victim Site: ktsps.com.my

Website Defacement of Illuminus Brands by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the handle DimasHxR defaced a media/custom directory page on illumusbrands.com. The attack was not classified as a mass or home defacement, suggesting it targeted a specific sub-page of the site. No team affiliation, stated motive, or technical indicators were attributed to the attacker.
Date: 2026-04-23T06:26:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912226
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail/Consumer Brands
Victim Organization: Illuminus Brands
Victim Site: illumusbrands.com

Website Defacement of Isles of Scilly Flowers by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a subdirectory of islesofscillyflowers.com, a floral retailer based in the Isles of Scilly, United Kingdom. The incident was a targeted, non-mass defacement affecting a specific page rather than the site's homepage. No team affiliation, stated motive, or technical server details were disclosed.
Date: 2026-04-23T06:25:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912231
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Retail / Floriculture
Victim Organization: Isles of Scilly Flowers
Victim Site: islesofscillyflowers.com

Website Defacement of Ignyte Active by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a media/custom directory page on ignyteactive.com. The incident was a targeted single-page defacement, not a mass or home page defacement. No team affiliation, motive, or technical server details were disclosed in the available reporting.
Date: 2026-04-23T06:24:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912225
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: Health & Fitness / Active Lifestyle
Victim Organization: Ignyte Active
Victim Site: ignyteactive.com

Website Defacement of Latintoreriavinoteca by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced the website of La Tintoreria Vinoteca, a Spanish wine bar or restaurant. The attack was a targeted single-site defacement, with the attacker modifying a page within the site's public directory. No team affiliation, stated motive, or additional technical details were disclosed.
Date: 2026-04-23T06:23:15Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912235
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Spain
Victim Industry: Food & Beverage / Hospitality
Victim Organization: La Tintoreria Vinoteca
Victim Site: latintoreriavinoteca.es
Website Defacement of Homegrown Cannabis by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker DimasHxR defaced the website homegrowncannabis.de, a German cannabis-related website. The incident was a singular, targeted defacement with no team affiliation reported. Technical details such as server software and attack vector remain unknown.
Date: 2026-04-23T06:22:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912223
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Cannabis / Retail
Victim Organization: Homegrown Cannabis
Victim Site: homegrowncannabis.de
Website Defacement of LOH Motorsport by DimasHxR
Category: Defacement
Content: On April 23, 2026, the website lohmotorsport.ie, belonging to Irish motorsport organization LOH Motorsport, was defaced by a threat actor operating under the alias DimasHxR. The attack targeted a subdirectory of the site's media path and was carried out as a single, targeted defacement with no team affiliation reported. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-23T06:21:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912236
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Ireland
Victim Industry: Automotive / Motorsport
Victim Organization: LOH Motorsport
Victim Site: lohmotorsport.ie
Website Defacement of First Aid Zone by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the handle DimasHxR defaced a subdirectory of firstaidzone.com, a website associated with first aid services. The attack targeted a specific media/custom path rather than the homepage and was conducted without affiliation to a known hacking group. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-23T06:20:26Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912218
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Healthcare / First Aid Services
Victim Organization: First Aid Zone
Victim Site: firstaidzone.com
Alleged sale of RDP access to cloud platforms and email accounts
Category: Initial Access
Content: Threat actor offering rental of RDP access to Azure, AWS, and DigitalOcean infrastructure on daily/monthly basis for $200. Also offering domain email accounts (Gmail, Yahoo), domain access, and GitHub student accounts. Advertises fresh RDP with good IP reputation, suitable for inbox operations. Escrow payment method available.
Date: 2026-04-23T06:20:20Z
Network: telegram
Published URL: https://t.me/c/2613583520/68000
Screenshots:
None
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Iris Made With Love by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a subdirectory of irismadewithlove.com, a small retail or handmade goods website. The attack was a targeted single-page defacement, not classified as a mass or home page defacement. No specific motive, team affiliation, or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-23T06:19:23Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912230
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-commerce
Victim Organization: Iris Made With Love
Victim Site: irismadewithlove.com
Website Defacement of arpo.software by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a subdomain of arpo.software, targeting a specific media path on the host. The attack was a single targeted defacement, not part of a mass or home page defacement campaign. No team affiliation, motive, or server details were disclosed in connection with this incident.
Date: 2026-04-23T06:18:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912221
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Technology/Software
Victim Organization: Arpo Software
Victim Site: give-us.arpo.software
Alleged leak of Gmail credential combolist targeting forum users
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist containing approximately 60,000 Gmail credentials on the cracking forum CrackingX. The post is categorized under Combolists & Dumps, suggesting the credentials are being made available to forum members. Full content is restricted to registered or signed-in users.
Date: 2026-04-23T06:17:41Z
Network: openweb
Published URL: https://crackingx.com/threads/72948/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged leak of Europe and USA combolists
Category: Combo List
Content: A threat actor on the CrackingX forum has shared combolists claimed to be of high validity, targeting users from Europe and the United States. The post advertises the credential lists as 100% full valid and high quality. No specific organization, victim count, or pricing information was provided in the post.
Date: 2026-04-23T06:17:24Z
Network: openweb
Published URL: https://crackingx.com/threads/72949/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Enola Gaye by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker DimasHxR defaced a media/customer directory page on enolagaye.no, a Norwegian website associated with the Enola Gaye brand known for smoke grenades and pyrotechnic products. The incident was a targeted, single-site defacement with no team affiliation reported and limited technical metadata available.
Date: 2026-04-23T06:17:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912216
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Norway
Victim Industry: Retail / Entertainment
Victim Organization: Enola Gaye
Victim Site: enolagaye.no
Alleged leak of German mixed domain credential combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist containing over 1 million lines of credentials associated with mixed German domains. The data was shared as a free download via Mega.nz. The leak appears to aggregate credentials from multiple sources targeting German internet users across various domains.
Date: 2026-04-23T06:17:09Z
Network: openweb
Published URL: https://crackingx.com/threads/72951/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of phone number and password credential list
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared what is described as a high-quality private combolist containing phone number and password credential pairs. The post does not specify a target organization, country, or record count. No price is mentioned, suggesting the credentials are being made available for free.
Date: 2026-04-23T06:16:54Z
Network: openweb
Published URL: https://crackingx.com/threads/72952/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed USA and Europe credential combolist
Category: Data Leak
Content: A threat actor operating under the alias hangover934 has shared an alleged combolist on the AE forum, containing credential hits purportedly sourced from users in the United States and Europe. The post advertises the list as exclusive and organized by country. No specific organizations, record counts, or pricing details were provided.
Date: 2026-04-23T05:59:23Z
Network: openweb
Published URL: https://altenens.is/threads/starby-countriesstarhits-mix-usastareuropestarexclusive-combolist-star.2928635/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email:password combolist with 119,000 records
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 119,000 unique email and password pairs on DemonForums. The content is hidden behind a registration or login requirement, suggesting it is available to forum members at no explicit cost. The actor also promotes an external shop (unique-combo.shop) offering combolists for various countries and on-request.
Date: 2026-04-23T05:53:08Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-MIX-Unique-Combo-1-119000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Distribution of Corporate SMTP Combolist (3 Million Records)
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist containing approximately 3 million credential pairs targeting corporate SMTP services via Telegram channels. The actor promotes free access to combo lists and cracking tools through two Telegram groups. The content appears to be gated behind forum registration, with distribution facilitated externally via Telegram.
Date: 2026-04-23T05:53:05Z
Network: openweb
Published URL: https://crackingx.com/threads/72947/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyber attack on German Parliament Speaker's mobile device attributed to Russian hackers
Category: Cyber Attack
Content: Reports indicate that the mobile phone of Julia Klöckner, Speaker of the German Parliament, was targeted in a cyber attack. According to reports, Russian hackers allegedly gained access to the device through the Signal social network. Additionally, the German Chancellor's mobile phone is under security review, suggesting the attack may have a broader scope affecting other senior German officials.
Date: 2026-04-23T05:48:16Z
Network: telegram
Published URL: https://t.me/c/1283513914/21340
Screenshots:
None
Threat Actors: Russian hackers
Victim Country: Germany
Victim Industry: Government
Victim Organization: German Parliament / German Government
Victim Site: Unknown
Alleged Data Breach of UAE Investors Platform Exposing 30GB of Investor Data
Category: Data Breach
Content: A threat actor identified as MDGhost claims to have compromised a UAE-based investor platform, exfiltrating approximately 30GB of sensitive data. The leaked data allegedly includes personal information of investor members, visa documents including Dubai Golden Visas, financial transaction records, and identity-related documents. The data purportedly covers investors from multiple countries and is being made available with a full sample provided.
Date: 2026-04-23T05:47:32Z
Network: openweb
Published URL: https://breached.st/threads/uae-investors-30gb.86211/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: United Arab Emirates
Victim Industry: Finance / Investment
Victim Organization: UAE Investors
Victim Site: Unknown
Alleged DDoS-as-a-Service (DaaS) Marketing Campaign – Deep Stresser and Goofystress Platforms
Category: Malware
Content: Multiple posts advertising two DDoS stresser services: Deep Stresser (deepstresser.su) and Goofystress (goofystresse.st). Both platforms offer Layer 4 and Layer 7 DDoS attack capabilities with advertised throughput of 1.5-2M pps TCP and 6-10M pps UDP. Services include protection bypasses (CAPTCHA, UAM, cache), game-specific bypasses (Fortnite, Minecraft, Apex, COD, Roblox), and auto-payment systems. Deep Stresser is running a promotional giveaway offering service packages and $50 USDT rewards.
Date: 2026-04-23T05:38:29Z
Network: telegram
Published URL: https://t.me/c/1669509146/94800
Screenshots:
None
Threat Actors: Deep Stresser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of MD Materiaux by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker known as DimasHxR defaced a page on the website of MD Materiaux, a French building materials company. The attack targeted a non-homepage media directory path and was carried out as a single, targeted defacement rather than a mass or repeated attack. No specific motive or technical details were disclosed.
Date: 2026-04-23T04:30:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912148
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: France
Victim Industry: Construction / Building Materials
Victim Organization: MD Materiaux
Victim Site: www.mdmateriaux.com
Website Defacement of SportFoods by DimasHxR
Category: Defacement
Content: On April 23, 2026, the threat actor DimasHxR defaced a subdirectory of the Dutch sports nutrition website sportfoods.nl. The attack targeted a media/custom path rather than the homepage and was conducted as a solo, non-mass defacement. No specific motivation or technical details regarding the server environment were disclosed.
Date: 2026-04-23T04:29:47Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912157
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Netherlands
Victim Industry: Retail / Sports Nutrition
Victim Organization: SportFoods
Victim Site: www.sportfoods.nl
Website Defacement of PCMR.hu by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias DimasHxR defaced a page on the Hungarian website www.pcmr.hu, targeting a media/customer directory path. The attacker acted independently without an affiliated team. No specific motive, server details, or proof of concept were disclosed in relation to this incident.
Date: 2026-04-23T04:28:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912153
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Hungary
Victim Industry: Unknown
Victim Organization: PCMR
Victim Site: www.pcmr.hu
Website Defacement of VDH Products by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker known as DimasHxR defaced a page on www.vdhproducts.com, targeting a subdirectory within the site's public media path. The incident was a targeted single-page defacement with no team affiliation reported and no stated motive. The attack was documented and mirrored by zone-xsec.com under mirror ID 912160.
Date: 2026-04-23T04:28:05Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912160
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Manufacturing / Products
Victim Organization: VDH Products
Victim Site: www.vdhproducts.com
Website Defacement of Firmbay by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a media/customer directory page on the e-commerce platform Firmbay (firmbay.com). The attack was an isolated, non-mass defacement targeting a specific subpath of the website. Server and infrastructure details were not disclosed in the available intelligence.
Date: 2026-04-23T04:27:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912142
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: Firmbay
Victim Site: www.firmbay.com
Website Defacement of Design Ameublement by DimasHxR
Category: Defacement
Content: On April 23, 2026, the website of Design Ameublement, a French furniture and interior design company, was defaced by the threat actor DimasHxR operating without an affiliated team. The attacker targeted a subdirectory of the domain, performing a single-page defacement rather than a full homepage or mass defacement. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-04-23T04:26:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912140
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: France
Victim Industry: Retail / Furniture & Interior Design
Victim Organization: Design Ameublement
Victim Site: www.designameublement.com
Website Defacement of Wolka Online by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a media/customer directory page on wolkaonline.eu, an e-commerce platform operating under the .eu top-level domain. The attack was a targeted single-site defacement with no team affiliation reported. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-23T04:25:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912135
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: European Union
Victim Industry: E-Commerce / Retail
Victim Organization: Wolka Online
Victim Site: wolkaonline.eu
Website Defacement of Karly Floats by DimasHxR
Category: Defacement
Content: On April 23, 2026, the Australian website karlyfloats.com.au was defaced by a threat actor known as DimasHxR acting without a team affiliation. The defacement targeted a subdirectory of the site rather than the homepage and was not part of a mass defacement campaign. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-23T04:24:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912144
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Australia
Victim Industry: Retail / Event Services
Victim Organization: Karly Floats
Victim Site: www.karlyfloats.com.au
Website Defacement of Bierl Antiquariat by DimasHxR
Category: Defacement
Content: On April 23, 2026, the threat actor DimasHxR defaced a subdirectory of the German antiquarian bookshop website Bierl Antiquariat. The attack was a targeted, non-mass defacement affecting a specific page rather than the homepage. No team affiliation, motive, or server details were disclosed in connection with this incident.
Date: 2026-04-23T04:23:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912137
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Germany
Victim Industry: Retail – Antiquarian Books and Collectibles
Victim Organization: Bierl Antiquariat
Victim Site: www.bierl-antiquariat.de
Website Defacement of The Merch NZ by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor known as DimasHxR defaced a media/customer subdirectory of the New Zealand-based merchandise retailer website themerch.nz. The defacement was a targeted single-site attack, not part of a mass defacement campaign. No specific motive or additional technical details regarding the server infrastructure were disclosed.
Date: 2026-04-23T04:22:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912159
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: New Zealand
Victim Industry: Retail / E-Commerce
Victim Organization: The Merch NZ
Victim Site: www.themerch.nz
Website Defacement of samdam.shop by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a subdirectory of the e-commerce website samdam.shop, targeting a path under the Magento-style public media directory. The attack was a single targeted defacement with no team affiliation reported. No specific motive or server details were disclosed.
Date: 2026-04-23T04:22:05Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912154
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: Samdam Shop
Victim Site: www.samdam.shop
Website Defacement of CHS Pharmacy (UAE) by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias DimasHxR defaced a media or custom content directory on the CHS Pharmacy website hosted in the United Arab Emirates. The incident was a targeted, single-site defacement rather than a mass or home page compromise. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-23T04:21:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912139
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Arab Emirates
Victim Industry: Healthcare / Pharmacy
Victim Organization: CHS Pharmacy
Victim Site: www.chspharmacy.ae
Website Defacement of Silhouette Europe by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a media directory on the website of Silhouette Europe, a European eyewear or fashion-related organization. The attack was a targeted single-site defacement with no team affiliation reported and no specific motive disclosed. Technical details such as server software and IP address were not publicly available.
Date: 2026-04-23T04:20:16Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912156
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: European Union
Victim Industry: Retail / Fashion
Victim Organization: Silhouette Europe
Victim Site: www.silhouetteeurope.eu
Website Defacement of Divenly by Threat Actor DimasHxR
Category: Defacement
Content: On April 23, 2026, threat actor DimasHxR defaced a media/customer directory page on the French website divenly.fr. The incident was a targeted single-site defacement with no team affiliation reported. The attacker's motivation and server details remain unknown at this time.
Date: 2026-04-23T04:19:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912141
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: France
Victim Industry: E-commerce / Retail
Victim Organization: Divenly
Victim Site: www.divenly.fr
Website Defacement of thegrdn.co.uk by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias DimasHxR defaced a web page hosted on the domain thegrdn.co.uk, targeting a subdirectory of the site. The attack was not classified as a mass or home page defacement, suggesting a targeted intrusion into a specific media or custom content directory. No team affiliation, stated motivation, or technical details regarding the server environment were disclosed.
Date: 2026-04-23T04:17:38Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912158
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: The Garden
Victim Site: www.thegrdn.co.uk
Website Defacement of Neottia.gr by DimasHxR
Category: Defacement
Content: On April 23, 2026, the Greek website neottia.gr was defaced by a threat actor operating under the alias DimasHxR, acting independently without a known group affiliation. The defacement targeted a subdirectory of the site rather than the homepage, suggesting a targeted path-level compromise. No specific motive or technical details regarding the exploitation method were disclosed.
Date: 2026-04-23T04:16:52Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912151
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Greece
Victim Industry: Unknown
Victim Organization: Neottia
Victim Site: www.neottia.gr
Alleged leak of Yahoo credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 1.57 million credential pairs associated with Yahoo accounts. The combolist was shared via a Mega.nz file link on the cracking forum CrackingX. The leaked data is described as high-quality and likely contains email and password combinations.
Date: 2026-04-23T04:06:47Z
Network: openweb
Published URL: https://crackingx.com/threads/72943/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: United States
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com
Website Defacement of EWM by DimasHxR
Category: Defacement
Content: On April 23, 2026, the attacker known as DimasHxR defaced a media/customer asset path on ewm.co.uk, a UK-based e-commerce or retail website. The defacement targeted a specific subdirectory rather than the homepage, indicating a targeted file upload or directory traversal exploitation. No team affiliation, stated motive, or technical server details were disclosed.
Date: 2026-04-23T04:05:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912102
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: E-Commerce / Retail
Victim Organization: EWM
Victim Site: ewm.co.uk
Website Defacement of Bielizna For You by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor operating under the alias DimasHxR defaced a subdirectory of bieliznaforyou.pl, a Polish lingerie/underwear retail website. The attack was a targeted, non-mass defacement affecting a specific media path rather than the homepage. No team affiliation, stated motive, or technical details regarding the server environment were disclosed.
Date: 2026-04-23T04:03:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912099
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Poland
Victim Industry: Retail / E-commerce
Victim Organization: Bielizna For You
Victim Site: bieliznaforyou.pl
Website Defacement of Maggarack by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced the website maggarack.com, targeting a subdirectory within the site's public media folder. The defacement was an individual, non-mass attack with no affiliated team or stated motive. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-04-23T04:00:53Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912108
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-commerce / Retail
Victim Organization: Maggarack
Victim Site: maggarack.com
Website Defacement of Skincollagen.fi by DimasHxR
Category: Defacement
Content: On April 23, 2026, a threat actor identified as DimasHxR defaced a subdirectory of skincollagen.fi, a Finnish health and beauty e-commerce website. The attack targeted a media path within the site's public directory, consistent with exploitation of a content management system or file upload vulnerability. The incident was recorded as a single, non-mass defacement with no team affiliation attributed to the attacker.
Date: 2026-04-23T03:45:49Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912096
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Finland
Victim Industry: Health & Beauty / E-Commerce
Victim Organization: Skin Collagen
Victim Site: skincollagen.fi
Website Defacement of Larpsi by DimasHxR
Category: Defacement
Content: On April 23, 2026, the threat actor DimasHxR defaced a page on the Brazilian website larpsi.com.br, targeting a file path within the site's public media directory. The attack was carried out by a lone actor with no affiliated team, and was a targeted single-page defacement rather than a mass or home page defacement. Technical details such as server software and IP address were not disclosed.
Date: 2026-04-23T03:43:36Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912082
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Brazil
Victim Industry: Publishing / Media
Victim Organization: Larpsi
Victim Site: larpsi.com.br
Website Defacement of Lukime by Threat Actor DimasHxR
Category: Defacement
Content: On April 23, 2026, threat actor DimasHxR defaced a specific media/customer address page on lukime.com. The attack was conducted individually without affiliation to a known group. The targeted subdirectory suggests a customer-facing e-commerce or service platform was compromised.
Date: 2026-04-23T03:26:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912054
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-commerce / Retail
Victim Organization: Lukime
Victim Site: lukime.com
Website Defacement of Kids Luxury UK by DimasHxR
Category: Defacement
Content: On April 23, 2026, the website kidsluxury.uk was defaced by a threat actor operating under the handle DimasHxR, acting independently without a known group affiliation. The defacement targeted a subdirectory of the site rather than the homepage and does not appear to be part of a mass defacement campaign. No specific motivation or technical details regarding the attack vector were disclosed.
Date: 2026-04-23T03:24:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912053
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United Kingdom
Victim Industry: Retail / E-Commerce
Victim Organization: Kids Luxury
Victim Site: kidsluxury.uk
Website Defacement of Tribag.ro by DimasHxR
Category: Defacement
Content: On April 23, 2026, the Romanian website tribag.ro was defaced by a threat actor operating under the alias DimasHxR. The attacker targeted a media/customer directory path on the server. No team affiliation, stated motive, or technical details regarding the server infrastructure were disclosed in connection with this incident.
Date: 2026-04-23T03:23:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912068
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Romania
Victim Industry: Unknown
Victim Organization: Tribag
Victim Site: www.tribag.ro
Website Defacement of Poleringspads by DimasHxR
Category: Defacement
Content: On April 23, 2026, the Norwegian website poleringspads.no was defaced by the threat actor DimasHxR acting independently without a team affiliation. The attack targeted a media/custom directory path and was a single, non-mass defacement incident. No specific motive or technical server details were disclosed.
Date: 2026-04-23T03:22:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/912062
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Norway
Victim Industry: Retail / Automotive Services
Victim Organization: Poleringspads
Victim Site: poleringspads.no
Alleged offering of black hat pentesting and database extraction services by threat actor Splashed
Category: Services
Content: A threat actor operating under the alias Splashed is advertising professional black hat pentesting services on the forum spear.cx, claiming over six years of experience in the security field. Services offered include source code auditing across multiple programming languages, web application vulnerability testing (XSS, SQLi, IDOR, LFI, RFI, SSTI), and unauthorized database extraction. Payments are accepted exclusively in cryptocurrency (XMR/BTC), with contact conducted via the anonymous Qtox m
Date: 2026-04-23T03:16:44Z
Network: openweb
Published URL: https://spear.cx/Thread-Com-Boss-SERVICE-Professional-Pentesting-Services-Source-Code-Web-application
Screenshots:
None
Threat Actors: Splashed
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of 170k Vercel employee credentials with password hashes
Category: Combo List
Content: Threat actor claiming to possess and selling a dataset of approximately 170,000 Vercel employee records including email addresses and password hashes. Seller requesting $10,000 USD and providing session ID as proof. Contact via Telegram handle @shinyc0rpsss.
Date: 2026-04-23T02:52:53Z
Network: telegram
Published URL: https://t.me/c/3500620464/7275
Screenshots:
None
Threat Actors: shinyc0rpsss
Victim Country: Unknown
Victim Industry: Cloud Platform / Web Infrastructure
Victim Organization: Vercel
Victim Site: vercel.com
Alleged leak of URL:Log:Pass combolist containing 5.97 million credentials
Category: Combo List
Content: A threat actor operating under the alias Daxus has shared a URL:LOG:PASS combolist containing approximately 5.97 million credential pairs on the cracking forum CrackingX. The data is described as UHQ (Ultra High Quality) and is being distributed via the Daxus.pro website and an associated Telegram channel. No specific victim organization or targeted service has been identified.
Date: 2026-04-23T02:43:19Z
Network: openweb
Published URL: https://crackingx.com/threads/72940/
Screenshots:
None
Threat Actors: Daxus
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor on DemonForums has made available a combolist of alleged valid Hotmail credentials, described as UHQ (ultra-high quality) and sourced from a private cloud. The post references a Telegram contact (@noiraccesss) and requires forum registration to access the hidden content. No explicit record count or price was mentioned in the post.
Date: 2026-04-23T02:43:14Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X689-Valid-UHQ-Hotmail-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias noir on CrackingX has made available an alleged combolist of valid Hotmail credentials, described as UHQ (ultra-high quality) and private. The post advertises valid mixed credentials with a download link and directs interested parties to a Telegram channel (@noiraccesss) for further access.
Date: 2026-04-23T02:43:00Z
Network: openweb
Published URL: https://crackingx.com/threads/72941/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged sale of Chinese People's Liberation Army (PLA) sensitive military data
Category: Data Breach
Content: A threat actor operating under the alias mosad is selling data allegedly obtained from multiple divisions of the Chinese People's Liberation Army, including the Cyberspace Force Technology Research Institute, the Rocket Force, the Joint Staff Intelligence Directorate, and several other military research institutes. The actor claims to be transitioning from private contracted work to a broader intelligence-selling operation and is targeting think tanks and well-funded organizations as potential
Date: 2026-04-23T02:33:00Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-CHINA-BULK-PLA-Rocket-Force-Foreign-Affairs-Cyberforce-DATA-OPEN-FOR-SALE
Screenshots:
None
Threat Actors: mosad
Victim Country: China
Victim Industry: Government & Military
Victim Organization: Chinese People's Liberation Army (PLA)
Victim Site: Unknown
Alleged Sale of Flash USDT Sender Script for Ethereum Transaction Manipulation
Category: Carding
Content: A threat actor identified as antelope is selling a Flash USDT Sender Script for $500 via Telegram (@propanolcipher). The script exploits Ethereum's transaction replacement mechanism by deliberately broadcasting ERC-20 USDT transfer transactions with an artificially low gas price (3 Gwei) to keep them in a pending state indefinitely, creating the illusion of a completed payment. The sender can then cancel the transaction by replacing it with a 0-value self-transfer at 50% higher gas price, effe
Date: 2026-04-23T02:32:10Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Flash-USDT-Sender-Script–74294
Screenshots:
None
Threat Actors: antelope
Victim Country: Unknown
Victim Industry: Cryptocurrency / Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Kwik Attorneys by MR~TNT of QATAR911
Category: Defacement
Content: The website kwikattorneys.com, belonging to a legal services firm, was defaced by threat actor MR~TNT operating under the group QATAR911 on April 23, 2026. The attack targeted a Linux-based web server hosting the attorney services platform. The defacement was a targeted single-site incident, with a mirror of the defaced page archived at haxor.id.
Date: 2026-04-23T02:19:39Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248620
Screenshots:
None
Threat Actors: MR~TNT, QATAR911
Victim Country: United States
Victim Industry: Legal Services
Victim Organization: Kwik Attorneys
Victim Site: kwikattorneys.com
Alleged leak of mixed corporate credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 183,795 lines of credentials via a Mega.nz link on the cracking forum CrackingX. The combolist is described as targeting mixed corporate entities and is labeled for 2026. No specific victim organizations or countries have been identified.
Date: 2026-04-23T02:02:13Z
Network: openweb
Published URL: https://crackingx.com/threads/72939/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Multiple Organizations
Victim Site: Unknown
Alleged sale of RDP access and compromised accounts (Azure, AWS, DigitalOcean, email, GitHub)
Category: Initial Access
Content: A threat actor is offering rental of RDP access to cloud infrastructure providers (Azure, AWS, DigitalOcean) at $200, along with compromised domain email accounts (Gmail, Yahoo) and GitHub student accounts. The services are advertised as fresh with good IP reputation and are available for daily or monthly rental with an escrow payment option.
Date: 2026-04-23T01:59:11Z
Network: telegram
Published URL: https://t.me/c/2613583520/67899
Screenshots:
None
Threat Actors: QQHB99
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed valid email access credentials (15,400 records)
Category: Data Leak
Content: A threat actor known as redcloud has made available a combolist of approximately 15,400 allegedly valid mixed email credentials, described as private and ultra-high quality (UHQ). The data was shared on the AE combo list forum with a free download gated behind a reply requirement, and the actor also provided a Telegram contact handle (@tutuba5m).
Date: 2026-04-23T01:28:41Z
Network: openweb
Published URL: https://altenens.is/threads/15-4k-sparkles-mix-sparkles-valid-mail-access-23-04.2928619/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Israeli CRM system by NoHeartz and OpsShadowStrike
Category: Data Leak
Content: The threat actor NoHeartz claims to have leaked a customer relationship management (CRM) system belonging to an Israeli organization (crmlink.co.il). The leak is attributed to NoHeartz in collaboration with OpsShadowStrike and multiple other hacktivist groups including TengkorakCyberCrew, MalaysiaHacktivist, EagleCyberCrew, and others. The post includes Telegram contact information for the threat actors.
Date: 2026-04-23T01:18:33Z
Network: telegram
Published URL: https://t.me/Noheartz1337/195
Screenshots:
None
Threat Actors: NoHeartz
Victim Country: Israel
Victim Industry: Software/SaaS – Customer Relationship Management
Victim Organization: CRM Link (crmlink.co.il)
Victim Site: crmlink.co.il
Alleged Data Breach of Philippine Drug Enforcement Agency (PDEA)
Category: Data Breach
Content: A threat actor operating under the alias Sh1nnySp1der is allegedly selling data obtained from the Philippine Drug Enforcement Agency (PDEA). The post includes proof images and directs interested parties to contact the seller via a Proton Mail address, suggesting the data is being offered for sale. No specific record count or data types were disclosed in the post.
Date: 2026-04-23T01:17:01Z
Network: openweb
Published URL: https://breached.st/threads/philippine-drug-enforcement-agency.86205/unread
Screenshots:
None
Threat Actors: Sh1nnySp1der
Victim Country: Philippines
Victim Industry: Government
Victim Organization: Philippine Drug Enforcement Agency
Victim Site: Unknown
Alleged ShinyHunters Identity Dispute – Threat Actor Claims Impersonation by Mattys Savoie
Category: Cyber Attack
Content: An individual claiming to be the original ShinyHunters threat actor alleges that Mattys Savoie (website owner of shinyhunte.rs) impersonated them, abused their PGP key, and used the ShinyHunters name to conduct ransomware attacks and blackmail operations against companies including Salesforce. The claimant provides official contact channels (Telegram, XMPP, email, Session) and PGP verification methods to distinguish themselves from the alleged impersonator. The post includes threats of physical retaliation against Savoie.
Date: 2026-04-23T01:16:11Z
Network: telegram
Published URL: https://t.me/c/3500620464/7261
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: shinyhunte.rs
Alleged sale of spamming tools and credential harvesting tutorials
Category: Malware
Content: Threat actor Raysp0my is advertising the availability of spamming tools and tutorials targeting multiple platforms and services, including Facebook, banking systems, credit cards, and Office 365. This represents malicious tooling for credential theft and fraud.
Date: 2026-04-23T00:46:27Z
Network: telegram
Published URL: https://t.me/c/2613583520/67867
Screenshots:
None
Threat Actors: Raysp0my
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail valid email credentials
Category: Combo List
Content: A threat actor operating under the alias redcloud has made available a credential list purportedly containing approximately 4,100 valid Hotmail email account credentials. The post, dated 23 April 2026, includes a free download link hosted on MediaFire and references a Telegram contact for further communication. The combolist is described as private and ultra-high quality (UHQ), suggesting the credentials have been verified for validity.
Date: 2026-04-23T00:40:04Z
Network: openweb
Published URL: https://crackingx.com/threads/72937/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor operating under the alias Bugmann6666 has shared an alleged UHQ (ultra-high quality) Hotmail credential combolist on the forum Altenens. The post requires users to reply before accessing the hidden download content, suggesting the credentials are being distributed for free. The combolist likely contains email and password combinations associated with Hotmail/Microsoft accounts.
Date: 2026-04-23T00:26:33Z
Network: openweb
Published URL: https://altenens.is/threads/hotmail-login-uhq.2928608/unread
Screenshots:
None
Threat Actors: Bugmann6666
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com