1. Executive Summary
This comprehensive threat intelligence report details a highly active cyber threat landscape observed primarily over the course of April 27, 2026, extending into early April 28, 2026. The provided dataset outlines hundreds of distinct cyber incidents, ranging from massive data exfiltration and credential stuffing campaigns to targeted critical infrastructure compromises and widespread website defacements.
The threat ecosystem is currently dominated by a few highly prolific actors and groups. Ransomware and extortion groups, such as ShinyHunters, have successfully breached massive corporate databases, resulting in the public release of millions of sensitive records. Simultaneously, the underground economy is flooded with “Combo Lists”—aggregated lists of compromised usernames and passwords—distributed by actors like HQcomboSpace, CODER, and snowstormxd to facilitate credential stuffing attacks against major email providers like Microsoft Hotmail and Yahoo. Furthermore, hacktivist and vandalism activities reached extreme volumes, primarily driven by a single threat actor known as chinafans (operating under 0xteam), who executed a massive, indiscriminate website defacement campaign affecting dozens of global targets.
The following sections provide a granular, categorical breakdown of the observed incidents, utilizing all available data to construct a detailed picture of the current cyber risk environment.
2. High-Impact Data Breaches and Exfiltration
Threat actors executed numerous successful data breaches targeting corporate entities, government infrastructure, healthcare providers, and educational institutions. These breaches predominantly resulted in the exposure of Personally Identifiable Information (PII), financial data, and classified internal communications.
2.1 Corporate and Enterprise Breaches
- Udemy, Inc.: The threat actor group ShinyHunters claimed responsibility for a significant breach of the online learning platform Udemy. After failed ransom negotiations, the group publicly leaked the data on April 26, 2026. The dataset, measuring approximately 636 MB decompressed, contains over 1.4 million to 1.6 million unique records. Exposed data includes full names, email addresses, physical addresses, phone numbers, employer information, and highly sensitive instructor payout details such as PayPal, cheque, and bank transfer information.
- ADT, Inc.: ShinyHunters also claimed a massive breach of ADT, a major US security services company. The actor leaked over 10 million Salesforce records, totaling over 11GB of compressed data, containing PII and internal corporate information after ADT failed to reach a negotiation agreement. The breach date was noted as April 26, 2026.
- Bank of America: A threat actor operating under the alias Xyph0rix leaked a database allegedly containing Bank of America customer records. The data, shared freely on the Breached forum, includes UserIDs, first names, bank balances, account types, expiration dates, CVVs, and partial card details for products including the Cash Rewards Visa Signature and BankAmericard Rewards World Mastercard.
- TotalEnergies: The threat actor Whisix attempted to sell a database containing roughly 79,000 customer records from the French multinational energy company TotalEnergies. The compromised data includes full names, phone numbers, addresses, and specific energy consumption details and subscription types.
- 7-Eleven & CarGurus: A threat actor known as Fallen claimed multiple massive breaches. They exposed over 600,000 Salesforce records (10.4GB compressed) belonging to 7-Eleven, containing PII and corporate data. Additionally, Fallen claimed a breach of CarGurus involving 12.4 million records (7.1GB compressed).
- Marcus & Millichap, Inc.: The actor TheFallen leaked over 30 million Salesforce records (5.4GB compressed) belonging to this commercial real estate firm after failed negotiations, exposing PII and corporate data.
- Bank Saderat Iran: Threat actor MDGhost (The BlackH4t MD-Ghost) leaked a massive 63 million record database from this state-owned Iranian bank. The dump includes account numbers, full names, card numbers, passwords, email addresses, and branch IDs.
- Jetstar Asia Airways: Threat actor sprrhr0 offered a 24 million record database from this Singapore-based airline for $1,450, containing personal identifiers, contact details, and emergency contact information.
- OLX Poland: An actor named xcgtyrewty offered 23 million user records from OLX Poland for $1,980, including names, regions, and mobile numbers.
- Le Petit Vapoteur: Threat actor 3ndGames sold a 3.3 million customer database from this French e-cigarette retailer for 1,500€.
- Brillenplatz.de: The actor sprrhr0 sold 478,344 records from this German eyewear retailer for $150, breached on April 27, 2026.
- L’Opticienne Verte: Threat actor ijpys sold 13,039 customer records from this French eyewear brand for $50.
- Astral Hotels: MDGhost sold over 1 million guest records from this Israeli hotel chain, including PII, room details, and credit card tokens.
- Ryanair: Internal communications and legal case management data regarding flight delay compensation claims were leaked by GlitchX.
- Crypto B2B Affiliate Platform: Threat actor unico sold a 26GB database containing 46 product databases, exposing 73 million records, including 119,273 unique emails, crypto wallets, and 14 admin accounts with SCRAM hashes.
- Solusi Arya Prima: Threat actor Kyyzo sold a 41GB database from this Indonesian IT firm, exposing 2.1 million B2B transactions and 92,000 user records.
- Ftimerbet.com: Threat actor alon3Hunt sold a user database with emails, bcrypt-hashed passwords, and transaction records from this betting platform.
- iKara: A database of 342,972 records from this Vietnamese karaoke platform was leaked by fent888, including emails, IPs, and geographic coordinates.
- My Book Qatar: GlitchX leaked 280,000 user records, including hashed passwords and civil data.
- Jiangxi Taixin Steel Co. Ltd.: The group SnowSoul leaked 120GB of Seeyon OA system backups after the company refused a $5,000 extortion demand.
2.2 Government, State-Level, and Military Breaches
- Indonesian Government & Immigration: A massive breach by BabayoErorSystem targeted the Indonesian e-Visa immigration portal (evisa.imigrasi.go.id) and the SIPGN/SIPSMO database, leaking between 1.1 million and 3 million records of immigration officers and personnel.
- Indonesian Ministry of Health: The group SADBOY CYBER TEAM HACKTIVIST INDONESIA (SCTH) leaked 1.52 million records from the Ministry’s workforce system, exposing national IDs (NIK), bank accounts, and medical specialization data.
- Indonesian National Police (POLRI): MR-Zeeone-Grayhat leaked a JSON database of 2,006 internal police records, including ranks from BRIPDA to KOMBESPOL.
- Iraqi Independent High Electoral Commission (IHEC): Threat actor GlitchX leaked the personal data of over 4.5 million registered voters (a 10GB CSV file), including biometric indicators and voting card numbers. Additionally, actor Sicario1877 sold a 2022 Iraq National Database featuring comprehensive civil registry fields.
- Syrian Government and Telecom: GlitchX leaked over 7 million records of Syrian citizens, including names, birthdates, and phone numbers.
- Chinese People’s Liberation Army (PLA): Threat actor mosad attempted to sell allegedly classified reports and data from multiple branches of the PLA, including the Rocket Force, Navy, and Strategic Support Force.
- US Navy Nuclear Submarines: PhotonPool_ leaked highly sensitive technical documents related to critical quiet technology for multiple US Navy nuclear submarine programs, including the Virginia, Columbia, and Seawolf classes, distributed via a Tor onion service.
- Federal Bureau of Investigation (FBI): China-linked threat actors allegedly breached a sensitive FBI system containing law enforcement investigation and surveillance data, utilizing compromised ISP infrastructure.
- Japan Aerospace Exploration Agency (JAXA): Threat actor APT001 offered a massive 7TB database allegedly belonging to JAXA for $500.
- Taiwan Military Intelligence: Actor Yakohomot sold 1.8GB of sensitive documents for $16,000, detailing cybersecurity intelligence, TSMC infrastructure, naval radar R&D, and Wuling Base military projects.
- French URSSAF: Actor hackplanete sold 12 million records from the French social security agency, including NIR (national IDs), IBANs, and SWIFT/BIC codes.
- Uzbekistan Cybersecurity Center: Actor cyberpuls leaked a database belonging to the State Security Service and Cybersecurity Center.
- Den Kulturelle Skolesekken (Norway): Spirigatito leaked 1.38 million rows of personal data from this Norwegian government program.
- Sri Lanka Office on Missing Persons: AnoN SathaN leaked 25 confidential PDF dossiers regarding missing persons.
- Uganda Ministry of Agriculture: Actor vicmeow leaked the MAAIF E-Extension System database, exposing farmer and officer data.
- Mexican MORENA Movement: A dataset containing 1,145 records and 807 scanned ID images (INE) of the MORENA political movement founders in Tabasco was leaked.
- Oyo State Commerce (Nigeria): Actor AckLine leaked 275,000 ID card images (21.5GB compressed).
2.3 Healthcare and Education Breaches
- Choice Health Insurance: Actor clusapva freely released a massive database exposing the PII of over 2.1 million clients, including Social Security numbers, Medicare details, and healthcare.gov credentials, affecting affiliates like Humana and Anthem.
- DEA Opioid Distribution Records: Actor OriginalCrazyOldFart leaked up to 74.5GB of ARCOS Washington Post datasets from an exposed AWS S3 bucket, exposing drug distribution records. The same actor leaked personal data of American doctors and nurses and data from OpenLoop Health.
- Universidad Rafael Landívar (Guatemala): MrGoblinciano leaked a 20GB dataset containing 84,620 photos of students and professors alongside personal JSON data.
- University of San Carlos of Guatemala (USAC): MrGoblinciano leaked financial records from the SIIF system, exposing national IDs and bank deposit details of employees.
- Algerian Ministry of Education: Actor ./xorcat~files sold a database of 612,847 student records and 1.2M module access records for $2,800, obtained via a SQL injection during a red-team engagement.
- MalDev Academy: Actor my4ri0d0 leaked the source code for a rebuild of the malware development training platform.
3. The Combo List Epidemic and Credential Harvesting
The most frequent type of incident observed on April 27 was the distribution of “Combo Lists.” These are massive text files containing millions of aggregated username (or email) and password combinations, usually in a username:password format. Cybercriminals use these lists to conduct automated credential stuffing attacks, attempting to breach user accounts across various platforms by exploiting password reuse. Several key actors dominated this space.
3.1 Prolific Combo List Distributors
- CODER: A highly active distributor managing massive datasets via Telegram and cracking forums. Noteworthy releases include:
  - 11 million Corporate Business credentials.
  - 8 million mixed SMTP credentials.
  - 9 million Hotmail credentials.
  - 7 million Yahoo, Hotmail, and Orange France credentials.
  - 5 million Office 365 credentials.
  - 7 million Education sector credentials.
- HQcomboSpace: Specialized in massive, curated lists, often hosted on Mega.nz. Key releases include:
  - 1.36 million Hotmail credentials targeting cryptocurrency users.
  - 1.97 million and 894,859 Yahoo credentials, also targeting crypto users.
  - 1.19 million and 465,417 credentials targeting German shopping platforms.
  - 892,295 German mixed-target credentials.
  - 193,582 and 187,175 Education sector credentials.
  - 139,054 Corporate SMTP credentials.
  - 121,145 mixed Social/Shopping/Education credentials.
  - 105,627 Gaming/Casino/Education credentials.
- snowstormxd: This actor actively monetized combo lists by offering small, free “samples” of Hotmail credentials (typically batches of 146, 481, 1,158, or 2,582 records) alongside advertisements for a paid private cloud service. Subscriptions ranged from $3 for 24 hours to $120 for lifetime access, and included a “built-in email inboxer tool” designed to automatically access compromised accounts.
- CobraEgy: This actor specialized in high-quality, country-specific combo lists distributed on DemonForums. Releases included:
  - 1.547 million French credentials.
  - 672,000 German credentials.
  - 75,000 Greek credentials.
  - 16,000 Estonian credentials.
  - 14,000 Finnish credentials.
  - 11,000 Hong Kong credentials.
  - 10,000 Georgian credentials.
- BestCombo: Focused on European and provider-specific lists. Releases included:
  - 41,069 Gmail credentials targeting Europe.
  - 36,022 Hotmail credentials.
  - 11,986 Outlook.com credentials.
  - 5,128 and 4,362 t-online.de credentials (Germany).
  - 2,933 abv.bg credentials (Bulgaria).
  - 1,179 orange.fr credentials (France).
3.2 Key Target Sectors for Credential Stuffing
- Microsoft Services (Hotmail/Outlook/Live): Hotmail was overwhelmingly the most targeted provider. Actors like WhiteMelly leaked 13,000 mixed lines and a 3GB collection of Microsoft credentials sourced from stealer logs. ValidMail leaked 40,000 forum-validated Hotmail credentials. Countless other actors, including alphacloud, redcloud, He_Cloud, Kommander0, HollowKnight, and stevee36, released high-quality (UHQ) samples ranging from 250 to 39,800 records to prove validity.
- Gaming and Streaming Platforms: Actor SYCOSUNNY leaked 1.5 million streaming credentials and 350,000 gaming credentials. Actor Ra-Zi distributed a 100,000 credential list explicitly targeting Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. Actor Larry_Uchiha leaked mixed lists for OnlyFans, ChatGPT, Xbox, Sony, and Discord.
- Regional Lists: Actor ShroudX focused entirely on regional lists, releasing gated data for Germany, Japan, Poland, Russia, and the UK. carlos080 released 100,000 and 155,000 mixed records targeting US, UK, FR, and DE users.
4. Cyber Attacks, Critical Infrastructure, and Initial Access
Beyond passive data leaks, highly capable threat actors conducted active intrusions into critical infrastructure, sold zero-day exploits, and distributed sophisticated malware frameworks.
4.1 Critical Infrastructure and Cyber Attacks
- MSTEC Smart PureWater System (South Korea): The threat actor The Z-Pentest Alliance claimed full operational control over MSTEC’s cMT2078X HMI, which manages water supply, heating, and cooling for critical infrastructure. The actor claimed to have disabled automatic protections and activated manual control over compressors and pumps, threatening equipment failure. The attack was geopolitically motivated by South Korean military support.
- UK Hydraulic Structure (Dam/Pumping Station): The DDoSia Project compromised CCTV systems controlling a UK hydraulic structure. They posted HD camera feeds of turbines and spillways, referencing the Russia-Ukraine conflict as motivation.
- Itron (US Energy Technology): Unknown actors gained access to the internal IT systems of Itron, a major US energy and water infrastructure management company. Incident response protocols were activated.
- Medtronic plc: The medical device manufacturer suffered an unauthorized intrusion into its internal IT systems on April 24, 2026, though patient safety and product operations were reportedly unaffected.
- Anthropic ‘Mathis’ Tool: An anonymous group breached Anthropic to access ‘Mathis’, a restricted-use cybersecurity tool. The breach occurred via an insider at a third-party contractor. Anthropic noted the tool could be a powerful hacking instrument if misused.
- Hamrah Aval (MTN Irancell): Iran’s major telecom operator suffered multiple breaches. The Jooje Ardak Zesht group leaked employee emails, procurement docs, and security personnel info. Another group, Ugly Duckling, also claimed access.
- eBay DDoS: The 313 Team (Islamic Cyber Resistance in Iraq) executed a DDoS attack disrupting eBay’s login and platform functions.
4.2 Exploits, Initial Access Brokers, and Malware
- Polymarket Exploit Kit: Red Team exploit kits targeting the crypto prediction market Polymarket were sold for $10,000. The bundle included Python scripts exploiting CVE-2025-62718 (SSRF bypass) and CVE-2024-51479 (Next.js auth bypass), allowing unauthorized scraping and reward data exposure. The exfiltrated dataset included 4 de-anonymized user profiles and 1,000 market records.
- React2Shell RCE Toolkit: Threat actor unico sold an RCE exploitation toolkit for React-based web servers for $750-$1,000. The tool automates mass scanning, pseudo-shell execution, and exfiltration of .env files and full databases.
- Active Directory Dumper & VPN Checker v2.0: Actor Snow sold this malware toolkit for $1,000-$1,500. It enables automated deployment across VPS nodes, multi-mode AD enumeration, and VPN/LDAP credential validation.
- Malachite Loader: Actor Pyrite sold a lightweight (188kb) C-based malware loader on HackForums. It features in-memory execution, NT syscalls for AV evasion, browser/crypto stealers, keyloggers, and a PHP C2 panel.
- WinML EDR Evasion Technique: Actor RedQueen published a proof-of-concept on the Tier1 forum detailing how to abuse Windows Machine Learning (WinML) for in-memory payload staging. The technique embeds payloads within ONNX model structures, bypassing Endpoint Detection and Response (EDR) systems. RedQueen also published research on advanced EDR/XDR bypass techniques including API unhooking and indirect syscalls.
- Crypters & Binders: Threat actor Jlamaille13 distributed malware evasion tools on DemonForums, including Vortex Binder 2.0 (combining malware with legitimate files), a cracked Hap Crypter, and Black Crypt 2025 for advanced data obfuscation.
- Initial Access Sales: Actor GhostByte sold Fortinet FortiGate firewall and VPN access to an Argentine electronic payments company ($57.6M revenue) for $500. Actor braun33 sold web shell access to 100 Italian servers for $1,500. Actor Toton sold ASPX webshell admin access to a tech company for $800. Actor BSeller freely shared RDP credentials targeting multiple systems located in China.
5. The “chinafans” (0xteam) Defacement Campaign
A defining characteristic of the April 27 threat landscape was a massive, industrialized website defacement campaign orchestrated by a threat actor (or automated script) known as chinafans, affiliated with the group 0xteam.
Unlike targeted hacktivism aiming at high-profile entities, this campaign was highly opportunistic, targeting small-to-medium businesses (SMBs), independent professionals, non-profits, and minor corporate domains globally. The attack vector consistently involved exploiting file upload or directory traversal vulnerabilities to place a signature text file at the root path, usually /0x.txt. The incidents were meticulously cataloged on zone-xsec.com.
Exhaustive Victim List of the ‘chinafans’ Campaign:
- North America (USA & Canada): Gathering Green (Environmental non-profit), Night Sky Creative (Design), New Generation Church FL, God’s Grass Lawn Care, Ideal Appliance Repair, Quality Miami Roofing, Crosstree LLC, Placencia Painting, John’s Appliance Services, Montreal Location Rental (Canada), Final Touch Media (Canada).
- South America (Brazil & Peru): Cliniplam Health Plan, Cooper Transfer (Logistics), José Menck Advocacia (Law firm), Higic Clean Maceió, Vision Clinic, louraidan.com.br, MSLT Treinamentos, SALQA (Peru).
- Europe (UK, France, Netherlands, etc.): Walsham Grange Care Home (UK), FJAL Design (Netherlands), Soodne Haagis (Estonia), Viken’s Taxi (Norway), 20220.ch (Switzerland), ewfs.hu (Hungary), Radteam Tirol (Austria), Real Prague (Czech Republic), Fox Rental (Bulgaria), vikupauto-mo.ru (Russia).
- Asia & Middle East: India Sports Nation (India), Dr. Sambit Patnaik (India), Sukien Starlight (Vietnam), Ahhao Auto Car (Vietnam), namngocwinport.vn (Vietnam), sebuya.id (Indonesia), Bubai BD (Bangladesh), Dr. Erdem Caglar (Turkey), Abu Hamdan (UAE).
- Africa: Stickerket (Nigeria).
- Various Uncategorized SMBs/Blogs: Techsum Digital, totallyreal.co, Funship, Tideborn Maritime, Inese Valtere, PromedTutor, Van Nguyen IT, Del Delivery, Core Skin Clinic, FeetFinesse, JJA Law Mediation, Savvy Winner, CorporateFever, Lancer, Grotesk Agency, we-refuse-abuse-tv-global.org, auttash.org, SP Service Apartments, pilarvacasantos.com, Wholesale Wounders, Discovery Pharmaceuticals, atz.asia, Kaia Emporium, Daxten Power, Impact Migration, behnamdehghan.com, The Water Show, HMedias, huysiavedaran.com, Crossover Music, Dietsche Sweets, linkabu.net, AHT Websites, SoftwareTestingHQ, Gallery Masterise, Garage Lamineci, gaevictassist.com, Circapoint, KL Repairs, nicholenguyen.com, brendalbassdavis.site, Viking Car, elenasala.com, keenac.com, Auto Vision Restoration, michaelrelph.com, liamilazzo.com, uv-i.com, Javajit, Advanced Web Technologies, Amazing Africa Adventure.
(Note: Other independent defacements occurred, such as Mr.spongebob targeting Institut Teknologi Garut, YIIX103 targeting wcaqq.com, ALP targeting pvzbaike.com, Cyber Islamic Resistance targeting the Israeli Ministry of Health, dann3xplo1t targeting a cPanel server, LEFT-10 targeting LSH Hotel, s13ntong targeting Neath Cluster Wales, and QATAR911 targeting Indoplast. However, these were isolated compared to the chinafans blitz.)
6. Financial Fraud, Carding, and Phishing Ecosystem
The illicit economy surrounding financial fraud, carding, and Phishing-as-a-Service (PhaaS) remained highly active on underground forums like Altenens (AE) and Telegram.
6.1 Carding and Fraud Products
- Stolen Payment Cards: The actor GeneralSquahh (Telegram: @GSquah) operated a massive carding portfolio, selling EBT cards with PINs, Apple Pay accounts, high-limit non-VBV credit cards, CVV dumps, and cloned cards. The actor Andcolllee advertised a similar operation offering 101/201 track dumps with PINs, claiming a 100% approval rate globally. Actor Provin sold Track1/Track2 dumps and CVV fullz targeting the US, UK, and Canada, complete with SSN and drivers’ licenses, offering guides to cash out via CashApp and Venmo. Actor Havvc sold VBV and non-VBV cards with balances up to $2,000 for $25-$100.
- Fraudulent Identity Documents: Actor jannat123 sold massive databases containing SSNs, passports, and driver’s licenses. Actor MAINMAN leaked a pack of French identity documents. Actor W4Rlord sold counterfeit Philippine government IDs (UMID, PhilSys, LTO) featuring valid QR codes, accepting USDT and Monero.
- Counterfeit Currency: The actor Yoandi persistently advertised the sale of counterfeit banknotes (including Chinese currency) specifically manufactured to bypass B-level and C-level counterfeit detection machines.
- Illicit Financial Services: Actor ComCASH_API advertised a turnkey API integration for a No-KYC/AML cryptocurrency exchange, designed to process crypto-to-fiat transactions anonymously with a 30% revenue share model. Actor StealerLogs sold gift cards (Amazon, Steam, Netflix) at a 30% discount via an automated Telegram bot, heavily implying the cards were purchased using stolen payment data. Actor alon3Hunt sold cryptographic keys extracted from the TonKeeper Wallet software.
- Credential Checkers: Actor ananalbzoor distributed “Coiny,” an automated tool designed to check and validate Cointiply cryptocurrency platform accounts, flagging those with balances over $3 for fraudulent withdrawal.
6.2 Phishing and Logistics Fraud
- Blue Light PhaaS Platform: Threat actor goodboytaxis sold a Phishing-as-a-Service platform named “Blue Light” for a base price of $1,500 plus a 7% commission. The platform included an admin panel, live user monitoring, and pre-configured templates targeting Bank of America, Chime, and TowneBank.
- Targeted Phishing Campaigns: Cyberban News reported a targeted campaign impersonating the LiveDNS domain registrar, directing victims to fake payment pages using legitimate WHOIS data. Actor TOPCARDER promoted a fake Tether cryptocurrency wallet (tether-wallet.one) to steal funds. Actor Dataxlogs operated bulk SMS phishing infrastructure targeting financial services like TradeRepublic, Binance, BBVA, and PayPal in Spain.
- Logistics Network Breach: In a unique intersection of physical and digital security, threat actor Boogeymann sold a database containing over 1 million records from the CTT Locky smart parcel locker network in Portugal. More critically, the actor obtained internal infrastructure data for over 1,900 locker units, including machine IDs, private IPs, and software versions, potentially allowing for physical package theft.
7. Stealer Logs and High-Volume Access Brokerage
In addition to aggregated combo lists, threat actors heavily traded in “stealer logs”—raw data harvested directly from infected machines via information-stealing malware. These logs contain highly sensitive, fresh data, including active session cookies, browser histories, cryptocurrency wallet data, and stored credentials.
7.1 Massive Stealer Log Distributions
- blackcloud: This threat actor released a massive 44GB collection of fresh stealer logs on the XF forums, dated April 27, 2025 (likely a typo in the source for 2026). The post required forum registration to access.
- ebl01d: Operating on the Breached forum, this actor freely distributed approximately 11,040 fresh stealer logs allegedly collected on April 21 and 22.
- UP_DAISYCLOUD: This actor made 6,750 stealer logs freely available via a Pixeldrain cloud storage link, providing the password directly in the forum post.
- fatetraffic: Shared a mixed combolist containing 1,750 stealer log entries via Pixeldrain on the CrackingX forum.
- WhiteMelly: This highly active distributor promoted a Telegram channel (@suphoodbot) offering 2GB of full credential logs and a 3GB collection of URL:Login:Password (ULP) lines explicitly sourced from stealer logs, heavily targeting European users and Microsoft services.
- bluestarcrack: Specifically targeted session cookies rather than raw passwords, leaking active session data for platforms including eBay, OnlyFans, and Binance via the Uploadery file-hosting service.
7.2 Cloud Infrastructure and Email Delivery Platforms
Initial access brokers actively sold access to infrastructure capable of launching further attacks, particularly spam and phishing campaigns.
- Compromised Email Delivery Services: A threat actor identified as ric007 sold compromised accounts for enterprise-grade email delivery platforms, including AWS SES, SendGrid, Mailgun, SparkPost, Brevo, and Postmark. These accounts featured sending limits ranging from 40,000 to 100,000 emails, highly valuable for bypassing spam filters during phishing campaigns. The accounts were priced between $150 and $700, payable exclusively in cryptocurrency.
- RDP and Cloud Rentals: The Squad Chat Marketplace offered rentals of Remote Desktop Protocol (RDP) access to major cloud infrastructure providers, including AWS, Microsoft Azure, and DigitalOcean, for $200. They bundled this access with compromised domain email accounts, GitHub student accounts, and escrow protection.
8. Dark Web Forum Dynamics and Specialized Cybercrime Tools
The underground forums (such as BreachForums, CrackingX, DemonForums, and Altenens) functioned as highly structured marketplaces. We observed administrative activities, specific data requests, and the proliferation of advanced cybercrime software.
8.1 Forum Administration and Data Requests
- BreachForums Recruitment: The dark web ecosystem requires maintenance; user Hollow posted a moderator recruitment announcement on BreachForums (breachforums.rs). The post outlined eligibility requirements and directed applicants to communicate via a secure Signal handle (x9v4q7m2k5.01).
- Targeted Database Requests: Threat actors often publicly request specific datasets to fulfill criminal contracts. Actor sassy2026 posted a request for a comprehensive Turkish National ID Serial Number database, explicitly seeking a dataset larger and more recent than a previously circulated 182,000-record leak.
8.2 Proliferation of Malware, Crypters, and Exploit Kits
The democratization of cybercrime was evident through the wide availability of advanced hacking tools and malware source code.
- React2Shell RCE Toolkit: Threat actor unico sold an exploitation toolkit named “React2Shell” for $750–$1,000. This toolkit exploited a remote code execution vulnerability in React-based web servers, featuring mass scanning scripts and automated exfiltration capabilities for .env files, API keys, and full database dumps.
- MalDev Academy Source Code Leak: In a blow to cybersecurity education platforms, actor my4ri0d0 leaked the source code for a rebuild of MalDev Academy, a platform designed to train users in malware development. The actor urged users to download the Pastebin-hosted file tree before it was subjected to DMCA takedowns.
- Crypters and Obfuscators: Threat actor Jlamaille13 was highly active in distributing tools designed to evade antivirus detection. This included “Vortex Binder 2.0” (used to bundle malicious payloads with legitimate executables), a cracked version of “Hap Crypter”, and “Black Crypt 2025,” which leverages advanced cryptographic techniques for stealth-based cyber activities.
- BLACKP1 Vishing Bot: Threat actor unico also advertised “BLACKP1,” an automated Press-1 (vishing/voice phishing) bot service. The service featured text-to-speech script generation, multi-regional voices, SIP routing, and full API access to enable reselling of social engineering and fraudulent support call campaigns.
9. Notable Niche and Sector-Specific Breaches
Several incidents stood out due to their highly specific targeting, highlighting that threat actors are indiscriminately targeting all sectors, from sports to professional associations.
- Asian Football Confederation (AFC) and Al Nassr FC: Cyberban News reported a massive data breach exposing substantial volumes of information from the AFC and the Saudi football club Al Nassr FC. The exposed data allegedly included player databases, passports, identity information, contract records, and official AFC Champions League Elite competition registration forms.
- Thailand Engineering Council: A cybersecurity incident exposed the personal information of approximately 350,000 engineers. Attackers exploited a vulnerable data migration window, sending a high volume of requests over a 10-hour period to siphon the database.
- FFWPU (Unification Church) / TongilGroup: Threat actor 0xCAFE sold multiple datasets allegedly exfiltrated via IDOR vulnerabilities and database backup access from the South Korean religious organization. The breach included 1.29 million lines of personal info, over 10GiB of MSSQL/Oracle ERP backups, and employee documents with scanned IDs.
10. Conclusion and Strategic Outlook
The intelligence gathered from April 27 to April 28, 2026, reveals a cyber threat landscape characterized by hyper-industrialization and extreme volume. The data supports several critical conclusions:
- The Credential Stuffing Avalanche: The sheer volume of “Combo Lists” released within a 24-hour period—totaling tens of millions of records distributed by actors like HQcomboSpace, CODER, and snowstormxd—indicates that automated credential stuffing remains one of the most prevalent threats to enterprise and consumer security. Organizations must enforce multi-factor authentication (MFA) and monitor for credential reuse, as threat actors are continuously verifying and repackaging older breaches alongside fresh stealer logs.
- Ransomware’s Extortion Shift: The activities of groups like ShinyHunters (targeting Udemy and ADT) demonstrate a continued reliance on data-theft extortion. When victims refuse to pay, actors immediately weaponize the data by releasing it on forums to damage the target’s reputation and empower downstream fraud.
- The Rise of Automated Defacement: The chinafans (0xteam) campaign highlights the extreme efficiency of automated vulnerability scanning and exploitation. By targeting unpatched file upload components or directory traversal flaws across random global SMBs, a single actor or script successfully defaced dozens of domains in hours. While low-impact individually, this mass vandalism underscores the poor security posture of smaller web environments.
- Critical Infrastructure in the Crosshairs: The alleged compromise of the MSTEC Smart PureWater System in South Korea by The Z-Pentest Alliance and the UK hydraulic dam systems by the DDoSia Project serve as dire warnings. Hacktivists and state-aligned actors are actively seeking and exploiting exposed Operational Technology (OT) and Industrial Control Systems (ICS), leveraging geopolitical conflicts as justification for potentially destructive attacks.
Short-Term Forecast: We anticipate a secondary wave of targeted phishing and account takeover (ATO) attacks leveraging the specific data leaked during this period (such as the Bank Saderat Iran, Udemy, and Choice Health Insurance breaches). Organizations should proactively reset credentials exposed in recent dumps and heighten monitoring for anomalous login attempts originating from proxy networks or unfamiliar geolocations.
Detected Incidents Draft Data
- Alleged leak of Hotmail credentials targeting cryptocurrency users
Category: Combo List
Content: A threat actor on CrackingX forum has made available a combolist of approximately 1.36 million credential pairs targeting Hotmail accounts, specifically curated for cryptocurrency-related attacks. The combolist was shared via a Mega.nz link and contains email and password combinations intended for use in credential stuffing or account takeover campaigns against crypto platforms.
Date: 2026-04-27T23:49:33Z
Network: openweb
Published URL: https://crackingx.com/threads/73471/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged sharing of dark web onion links including illicit services and tools
Category: Data Leak
Content: A forum post on Breached shared a collection of dark web onion links purportedly pointing to illicit services including a hitman service, hackers marketplace, file sharing platform associated with LockBit, onion search engines, and a leak information portal. The links cover a range of cybercriminal activities and underground services. No specific victim organization, data type, or record count was identified in the post.
Date: 2026-04-27T23:37:50Z
Network: openweb
Published URL: https://breached.st/threads/legit-darkweb-private-links-2026.86392/unread
Screenshots:
None
Threat Actors: Alexmipula
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Leak of Hotmail Credential Combolist with Cloud Service Advertisement
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist of 1,158 Hotmail credentials via a public paste site and Telegram channel. The post also advertises a paid private cloud service with tiered pricing starting at $3 for 24 hours, offering a built-in email inboxer tool. The free combolist download appears to serve as a promotional sample for the actor's paid credential and inboxing service.
Date: 2026-04-27T23:13:00Z
Network: openweb
Published URL: https://crackingx.com/threads/73466/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of fresh Hotmail credentials
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a combolist of 146 alleged fresh Hotmail credentials via a public paste link and Telegram channel. The post claims the accounts are inbox-verified with private contents accessible. The actor also advertises a paid credential cloud service with tiered subscription pricing via a Telegram payment bot.
Date: 2026-04-27T23:11:48Z
Network: openweb
Published URL: https://crackingx.com/threads/73470/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged distribution of 100,000 credential combolist targeting multiple streaming and gaming platforms
Category: Combo List
Content: A threat actor operating under the alias Ra-Zi has made available a combolist of 100,000 email:password credential pairs targeting multiple streaming and gaming platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The post includes a hidden download link accessible upon registration or login, and promotes a Telegram channel and website associated with the actor. The actor also advertises the sale of additional high-quality combolists via Telegram handle @KOCsupport, coverin
Date: 2026-04-27T23:11:44Z
Network: openweb
Published URL: https://demonforums.net/Thread-100k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–201996
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Entertainment and Gaming
Victim Organization: Netflix, Minecraft, Uplay, Steam, Hulu, Spotify
Victim Site: Unknown
- Alleged leak of mixed email credentials and access data including Hotmail and Outlook accounts
Category: Data Leak
Content: A threat actor known as WhiteMelly has shared a mixed combolist of approximately 13,000 credential lines via a cybercrime forum, including email access for Hotmail, Live, Outlook, and MSN accounts. The post promotes a Telegram channel distributing free ULP combolists, logs, cookies, and leaked data on a daily basis, targeting users across multiple European regions including the EU, UK, France, Poland, Germany, and Italy. The actor also solicits buyers through a Telegram bot handle (@suphoodbot
Date: 2026-04-27T23:05:30Z
Network: openweb
Published URL: https://altenens.is/threads/13k-mix-lines-mail-access.2930831/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail and mixed email credentials combolist
Category: Data Leak
Content: A threat actor known as WhiteMelly has made available a combolist of approximately 3,000 Hotmail/Microsoft email credentials (username:password format) on the AE forum. The post advertises free daily distribution of mixed credential lists, logs, cookies, and leaked data via a Telegram channel, covering multiple email providers and geographic regions including EU, UK, FR, PL, DE, and IT. The actor also promotes a Telegram bot (@suphoodbot) for purchasing additional data.
Date: 2026-04-27T23:05:15Z
Network: openweb
Published URL: https://altenens.is/threads/3k-hotmail-lines-mail-access.2930832/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email credential combolist containing 100,000 records
Category: Data Leak
Content: A threat actor operating under the alias carlos080 has made available a mixed combolist of approximately 100,000 email and password credential pairs on the AE forum. The combolist reportedly includes accounts from multiple email providers such as AOL, Yahoo, Hotmail, and Outlook, spanning users from several countries including the United States, United Kingdom, France, Germany, and others. The actor also advertises the sale of higher-quality credential lists via Telegram handle @KOCsupport.
Date: 2026-04-27T23:05:03Z
Network: openweb
Published URL: https://altenens.is/threads/100k-fresh-hq-combolist-email-pass-mixed.2930838/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential combolists including Hotmail and European accounts
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly has made available a 3GB collection of URL:login:password credential lines sourced from stealer logs. The combolist includes mixed credentials spanning multiple regions including EU, UK, France, Poland, Germany, and Italy, with a focus on Microsoft email services such as Hotmail, Live, Outlook, and MSN. The actor promotes a Telegram channel offering daily free leaks of combolists, logs, cookies, and mail credentials, and also advertises paid
Date: 2026-04-27T23:00:33Z
Network: openweb
Published URL: https://altenens.is/threads/3gb-url-login-pass-lines-from-logs.2930834/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential logs including Hotmail, Live, and Outlook accounts
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly is distributing 2GB of mixed credential logs, cookies, and combolists via a Telegram channel (@suphoodbot). The leaked data includes ULP (URL:Login:Password) combos, email credentials targeting Hotmail, Live, Outlook, and MSN accounts, as well as cookies and logs from multiple European regions including EU, UK, France, Poland, Germany, and Italy. The actor claims to share these materials daily for free while also offering paid options through
Date: 2026-04-27T23:00:17Z
Network: openweb
Published URL: https://altenens.is/threads/2gb-full-logs.2930835/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of mail access and credential databases across multiple countries
Category: Combo List
Content: Threat actor offering mail access credentials and database dumps for multiple countries (FR, BE, AU, CA, UK, US, NL, PL, DE, JP) along with configs, scripts, tools, and combolists. Also advertising fresh database access for UK, DE, JP, NL, BR, PL, ES, US, IT with targeting of e-commerce platforms (eBay, Offerup, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen) and webmail services. Requesting contact for database queries.
Date: 2026-04-27T22:56:52Z
Network: telegram
Published URL: https://t.me/c/2613583520/71057
Screenshots:
None
Threat Actors: Dataxlogs
Victim Country: France, Belgium, Australia, Canada, United Kingdom, United States, Netherlands, Poland, Germany, Japan, Brazil, Spain, Italy
Victim Industry: E-commerce, Payment Services, Webmail
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of compromised SMTP and AWS SES email service accounts with high sending limits
Category: Services
Content: A threat actor identified as ric007 is selling compromised accounts for multiple email delivery platforms including SendGrid, Mailgun, SparkPost, Brevo, Postmark, and AWS SES, with sending limits ranging from 40K to 100K emails. Accounts are sold with full login credentials and priced between $150 and $700 depending on the provider and sending limit. Payment is accepted exclusively in cryptocurrency, and the actor can be contacted via Telegram or private forum message.
Date: 2026-04-27T22:56:46Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-SMTP-AWS-SES-Accounts-50K-100K-Limits-Crypto-Only
Screenshots:
None
Threat Actors: ric007
Victim Country: Unknown
Victim Industry: Technology / Email Services
Victim Organization: SendGrid, Mailgun, SparkPost, SMTP2GO, Elastic Email, SMTP.com, Brevo, Postmark, AWS SES
Victim Site: Unknown
- Alleged leak of stealer logs distributed via cloud storage
Category: Logs
Content: A threat actor operating under the alias UP_DAISYCLOUD has made available a collection of 6,750 stealer logs via a Pixeldrain cloud storage link. The logs, dated April 27, are described as fresh and were shared freely with a password provided in the post. Stealer logs typically contain harvested credentials, browser data, cookies, and other sensitive information extracted from compromised systems.
Date: 2026-04-27T22:52:47Z
Network: openweb
Published URL: https://darkforums.su/Thread-%F0%9F%9A%80-6750-LOGS-CLOUD-%E2%98%81-27-APRIL-%E2%9D%A4%EF%B8%8F-FRESH-LOGS%E2%9D%97%EF%B8%8F
Screenshots:
None
Threat Actors: UP_DAISYCLOUD
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of ITG Academic Institution by Mr.spongebob of Anonsec Team
Category: Defacement
Content: On April 28, 2026, a threat actor identified as Mr.spongebob, affiliated with Anonsec Team, defaced the website of Institut Teknologi Garut (ITG), an Indonesian academic institution. The defacement targeted a specific page (indzex.php) rather than the homepage, hosted on a cloud-based server. A mirror of the defacement was archived at haxor.id.
Date: 2026-04-27T22:41:04Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248705
Screenshots:
None
Threat Actors: Mr.spongebob, Anonsec team
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Institut Teknologi Garut (ITG)
Victim Site: itg.ac.id
- Alleged leak of mixed education sector credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 193,582 credential entries via a Mega.nz file link. The leak is described as targeting the education sector across multiple countries. The data appears to be a mixed-country compilation of education-related credentials, likely sourced from various institutions.
Date: 2026-04-27T22:13:11Z
Network: openweb
Published URL: https://crackingx.com/threads/73462/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of European email access combolist
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist containing 1,790 lines of email credentials with mail access, targeting European accounts. The list was shared as a free download on the cracking forum CrackingX. The specific email providers or organizations affected are not identified in the post.
Date: 2026-04-27T22:12:23Z
Network: openweb
Published URL: https://crackingx.com/threads/73463/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed forum credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist of approximately 100,000 mixed credentials described as valid and targeting forum accounts. The post is hosted on the cracking forum CrackingX but the full content requires registration or sign-in to access, limiting detailed analysis. The specific targeted platforms, origin, and validity of the credentials remain unknown.
Date: 2026-04-27T22:11:41Z
Network: openweb
Published URL: https://crackingx.com/threads/73464/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Leak of Hotmail Credential Combolist
Category: Combo List
Content: A threat actor on the CrackingX forum has made available a combolist containing 36,022 Hotmail credentials, described as fresh and dated April 27, 2026. The credential list was shared via a Mega file hosting link and is accessible upon forum reaction. No price was mentioned, indicating this is a free leak.
Date: 2026-04-27T22:11:03Z
Network: openweb
Published URL: https://crackingx.com/threads/73465/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged sale of logs, credentials, fullz, and fraud tools via Telegram shop
Category: Carding
Content: A threat actor operating under the alias xqwxshop is advertising a Telegram-based shop selling logs, usernames, fullz, tools, services, methods, and banking-related data. The shop is hosted at t.me/xqwxmrket and was promoted on the cracking forum CrackingX. The offerings suggest involvement in credential theft, identity fraud, and financial fraud enablement.
Date: 2026-04-27T22:10:59Z
Network: openweb
Published URL: https://crackingx.com/threads/73461/
Screenshots:
None
Threat Actors: xqwxshop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of Polymarket exploit kit with CVE-2025-62718, CVE-2024-51479, and exfiltrated user data
Category: Initial Access
Content: Threat actor offering sale of red team exploit kit targeting polymarket.com (production, preprod, affiliate, CLOB API). Bundle includes 5 Python3 PoC scripts exploiting: (1) CVE-2025-62718 axios NO_PROXY bypass enabling SSRF to metadata services (CVSS 9.9), (2) CVE-2024-51479 Next.js middleware auth bypass via pathname encoding (CVSS 7.5), (3) CLOB API CORS misconfiguration allowing unrestricted cross-origin scraping, (4) pagination bypass/DoS via negative offsets and rate limit bypass, (5) unauthenticated reward data exposure including contract addresses and fee structures, (6) WebSocket protocol abuse. Exfiltrated dataset (~8.3 MB) includes 1,000 market records, 100 reward configs, 6.3 MB metadata, 100 report records with 58 ETH addresses, and 4 de-anonymized user profiles with names, pseudonyms, and proxy wallets. Asking price: $10,000 USD in XMR/BTC with escrow.
Date: 2026-04-27T22:09:31Z
Network: telegram
Published URL: https://t.me/c/3793980891/3085
Screenshots:
None
Threat Actors: Unknown
Victim Country: Unknown
Victim Industry: Cryptocurrency/Prediction Markets
Victim Organization: Polymarket
Victim Site: polymarket.com
- Alleged DDoS/Cyberattack on eBay by 313 Team
Category: Cyber Attack
Content: The 313 Team (Islamic Cyber Resistance in Iraq) claims responsibility for a cyberattack against eBay that caused service disruptions, preventing user login and access to various platform functions. eBay acknowledged the issue via its Japanese-language X account. The group provided a link to their Telegram channels and Beamed network presence.
Date: 2026-04-27T22:07:11Z
Network: telegram
Published URL: https://t.me/c/2250158203/1084
Screenshots:
None
Threat Actors: 313 Team
Victim Country: United States
Victim Industry: E-commerce
Victim Organization: eBay
Victim Site: ebay.com
- Alleged Moderator Recruitment Post on BreachForums
Category: Data Breach
Content: A moderator recruitment announcement was posted on BreachForums (breachforums.rs) by user Hollow. The post outlines eligibility requirements for prospective moderators and directs applicants to contact a Signal handle (x9v4q7m2k5.01) for consideration. No threat activity, data breach, or malicious content is directly described in this post.
Date: 2026-04-27T22:03:32Z
Network: openweb
Published URL: https://breachforums.rs/Thread-IMPORTANT-READ-Moderator-Applications
Screenshots:
None
Threat Actors: Hollow
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of stolen payment card dumps, CVV fullz, and identity data targeting United States, United Kingdom, and Canada
Category: Carding
Content: A threat actor operating under the alias Ratyshubbout is selling stolen payment card data including Track1/Track2 dumps (101/201), CVV fullz with SSN, date of birth, and driver's license information targeting individuals from the United States, United Kingdom, and Canada. The actor claims a validity rate of 95-98% and offers replacement guarantees within 24-28 hours. Additionally, the post provides step-by-step instructions for cashing out stolen card data via platforms such as CashApp, Venmo,
Date: 2026-04-27T22:01:36Z
Network: openweb
Published URL: https://altenens.is/threads/sell-fresh-and-updated-cc-dumps-pin-cvv-fullz-cvv2-and-bank-logs-fresh-101-201-united-state-canada-europe-dumps-original-track1-track2-worldwid.2930778/unread
Screenshots:
None
Threat Actors: Provin
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of Active Directory Dumper and VPN Checker malware tool v2.0
Category: Initial Access
Content: A threat actor operating under the alias Snow is selling Active Directory Dumper & VPN Checker v2.0, a malware toolkit priced between $1,000 and $1,500 depending on source code inclusion. The tool features an orchestrator-based architecture enabling automated deployment across multiple VPS nodes, centralized data collection, and multi-mode Active Directory enumeration including user accounts, domain controllers, group structures, SMB share scanning, and VPN/LDAP credential validation. The to
Date: 2026-04-27T22:00:44Z
Network: openweb
Published URL: https://tier1.life/thread/183
Screenshots:
None
Threat Actors: Snow
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of Polymarket exploit kit with CVE-2025-62718, CVE-2024-51479, and exfiltrated user data
Category: Vulnerability
Content: Threat actor offering sale of Red Team Exploit Kit targeting polymarket.com (production, preprod, affiliate, CLOB API). Bundle includes 5 Python3 POC scripts and ~8.3 MB structured JSON exfiltrated dataset. Vulnerabilities disclosed: CVE-2025-62718 (axios NO_PROXY bypass enabling SSRF to metadata services), CVE-2024-51479 (Next.js middleware auth bypass via encoded traversal), CLOB API CORS misconfiguration (Access-Control-Allow-Origin: with credentials: true), pagination bypass/DoS vector, unauthenticated reward data exposure, and WebSocket protocol abuse. Exfiltrated data includes 1,000 market records, 100 reward configs, 6.3 MB metadata, 100 report records with 58 ETH addresses, and 4 de-anonymized user profiles with names, pseudonyms, and proxy wallets. Engagement date listed as 2026-04-27.
Date: 2026-04-27T22:00:39Z
Network: telegram
Published URL: https://t.me/c/3793980891/3084
Screenshots:
None
Threat Actors: Unknown
Victim Country: United States
Victim Industry: Cryptocurrency/Prediction Markets
Victim Organization: Polymarket
Victim Site: polymarket.com
- Alleged Leak of MalDev Academy Rebuild Source Code
Category: Data Leak
Content: A threat actor on BreachForums has made available what they claim to be the source code for a rebuild of MalDev Academy, a malware development training platform. The post includes a file tree hosted on Pastebin and urges users to download the content before it is subject to a DMCA takedown. The leak is offered for free to registered or logged-in forum members.
Date: 2026-04-27T21:58:48Z
Network: openweb
Published URL: https://breachforums.rs/Thread-FREE-MALDEV-ACADEMY-REBUILD-SOURCE-CODE
Screenshots:
None
Threat Actors: my4ri0d0
Victim Country: Unknown
Victim Industry: Cybersecurity Education
Victim Organization: MalDev Academy
Victim Site: maldevacademy.com
- Alleged leak of German email and password combolist
Category: Combo List
Content: A threat actor operating under the alias ShroudX has shared an alleged high-quality German email:password combolist on a cybercrime forum. The content is gated behind a reply requirement, obscuring the exact number of credentials and their origin. The combolist appears to target German-language email accounts and associated passwords.
Date: 2026-04-27T21:43:38Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-GERMANY-EMAILPASS-COMBOLIST-txt–188688
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Japan email credential combolist
Category: Combo List
Content: A threat actor known as ShroudX has shared an alleged high-quality Japan email:password combolist on a cybercrime forum. The content is gated behind a reply requirement, obscuring the exact record count and source. The post suggests the combolist targets Japanese email account holders and is being made available to forum members for free.
Date: 2026-04-27T21:42:54Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-JAPAN-EMAILPASS-COMBOLIST-txt–188689
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Polish email and password credential list
Category: Combo List
Content: A threat actor known as ShroudX has shared an alleged high-quality Polish email and password combolist on a cybercrime forum. The content is gated behind a reply requirement, limiting visibility of specific details such as record count or source. The post is categorized as a credential leak targeting Polish internet users.
Date: 2026-04-27T21:42:10Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-POLAND-EMAILPASS-COMBOLIST-txt–188690
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Russian email and password combolist
Category: Combo List
Content: A threat actor known as ShroudX has shared an alleged high-quality Russian email and password combolist on a cybercrime forum. The content is gated behind a reply requirement, obscuring the full details of the leak. The combolist appears to contain email address and password credential pairs associated with Russian users.
Date: 2026-04-27T21:41:26Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-RUSSIA-EMAILPASS-COMBOLIST-txt
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Russia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of UK email and password combolist
Category: Combo List
Content: A threat actor known as ShroudX has shared an alleged high-quality UK-targeted email and password combolist on a cybercrime forum. The credential list is available as hidden content, requiring forum members to reply to the thread to gain access. No specific victim organization or record count has been disclosed.
Date: 2026-04-27T21:40:53Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-UK-EMAILPASS-COMBOLIST-txt–188692
Screenshots:
None
Threat Actors: ShroudX
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of interia.pl Europa Mix credentials combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist containing 2,462 credential pairs on the cracking forum CrackingX. The list is described as a Europa Mix Combo referencing interia.pl, a Polish internet portal, and was shared via a Mega file hosting link. The post is dated April 27, 2026, and requires a reaction to access the download link.
Date: 2026-04-27T21:25:59Z
Network: openweb
Published URL: https://crackingx.com/threads/73458/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Poland
Victim Industry: Internet Services
Victim Organization: Interia
Victim Site: interia.pl
- Alleged leak of corporate business combolist with 11 million credentials
Category: Combo List
Content: A threat actor known as CODER is distributing a corporate business combolist allegedly containing 11 million credential pairs via Telegram channels. The combolist is being made available for free through two Telegram groups and can also be requested directly via the actor's Telegram handle CODER5544. No specific victim organization or country has been identified.
Date: 2026-04-27T21:25:26Z
Network: openweb
Published URL: https://crackingx.com/threads/73460/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of classified Chinese People's Liberation Army (PLA) military reports and data
Category: Data Breach
Content: A threat actor operating under the alias mosad is selling allegedly classified reports and data from multiple branches and departments of the Chinese People's Liberation Army (PLA), including the Rocket Force, Navy, Air Force, Strategic Support Force, Ground Force, Joint Staff Department, and others. The seller is accepting escrow and can be contacted via Telegram, Session, Tox, Matrix, and Jabber. The legitimacy and origin of the claimed data have not been independently verified.
Date: 2026-04-27T21:11:42Z
Network: openweb
Published URL: https://breached.st/threads/2026-secret-chinese-pla-reports-data-for-sale.86391/unread
Screenshots:
None
Threat Actors: mosad
Victim Country: China
Victim Industry: Defense & Military
Victim Organization: People's Liberation Army (PLA)
Victim Site: Unknown
- Alleged Data Leak of Marcus & Millichap, Inc. Salesforce Records
Category: Data Leak
Content: A threat actor known as TheFallen has leaked over 30 million Salesforce records allegedly stolen from Marcus & Millichap, Inc., a commercial real estate investment firm. The leaked data, totaling over 5.4GB compressed, reportedly contains PII and internal corporate data. The actor claims the company failed to reach an agreement following negotiations, resulting in the public release of the data via a download link and Telegram.
Date: 2026-04-27T21:03:29Z
Network: openweb
Published URL: https://darkforums.su/Thread-Marcus-Millichap-Inc
Screenshots:
None
Threat Actors: TheFallen
Victim Country: United States
Victim Industry: Real Estate
Victim Organization: Marcus & Millichap, Inc.
Victim Site: marcusmillichap.com
- Alleged Data Leak of MORENA Movement Founders Personal Data in Tabasco, Mexico
Category: Data Leak
Content: A threat actor has freely shared a dataset containing 1,145 records and 807 images pertaining to the founders of the MORENA political movement in the Mexican state of Tabasco. The leaked data includes personally identifiable information such as full names, municipality, electoral section, gender, age, founding year, family member who registered them, community, and scanned government-issued ID images (INE). The approximately 300 MB archive was made publicly available via an anonymous file-sharing
Date: 2026-04-27T21:02:49Z
Network: openweb
Published URL: https://darkforums.su/Thread-Data-leak-Founders-of-the-MORENA-movement-in-Tabasco-MX
Screenshots:
None
Threat Actors: Memejico2026A
Victim Country: Mexico
Victim Industry: Political Organization
Victim Organization: MORENA (Movimiento Regeneración Nacional)
Victim Site: Unknown
- Alleged leak of Hotmail, AOL, and social media credential combolists
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing free combolists containing credentials for Hotmail, AOL, and social media accounts via Telegram channels. The post references approximately 7 million records based on the thread title shorthand 7ml. Access to the combolists and associated tools is being made available through two Telegram groups.
Date: 2026-04-27T20:40:15Z
Network: openweb
Published URL: https://crackingx.com/threads/73453/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Kommander0 has made available a combolist of approximately 1,100 Hotmail credentials, claimed to be fully valid. The credential list was shared freely via a Gofile download link on a known cracking and combolist forum.
Date: 2026-04-27T20:39:42Z
Network: openweb
Published URL: https://crackingx.com/threads/73454/
Screenshots:
None
Threat Actors: Kommander0
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a combolist containing 478 alleged Hotmail credential hits. The post indicates the content is hidden behind a registration requirement, suggesting the list is being made available to registered forum members. The origin and validity of the credentials are unverified.
Date: 2026-04-27T20:38:46Z
Network: openweb
Published URL: https://crackingx.com/threads/73456/
Screenshots:
None
Threat Actors: lpbPrivate
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a combolist of 1,158 Hotmail credentials via a free download link hosted on pasteview.com. The post also promotes a Telegram-based cloud service with built-in inbox access capabilities, offered at tiered pricing starting at $3 for 24 hours. The combination of free credential sharing and paid inboxing tools suggests the actor is monetizing access to compromised Hotmail accounts.
Date: 2026-04-27T20:37:53Z
Network: openweb
Published URL: https://crackingx.com/threads/73457/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged Sale of Stolen Credentials, Financial Data, Malware Tools, and Fraudulent Documents by Threat Actor GSquah
Category: Carding
Content: Threat actor GeneralSquahh (Telegram: @GSquah) is advertising a broad portfolio of illicit goods and tools on the AE forum, including stolen credentials for streaming and productivity platforms, EBT cards with PINs, Apple Pay accounts, high-limit non-VBV credit cards, fullz packs containing SSN/DOB/CVV data, PayPal and email logs, forged identity documents and financial templates, OTP/2FA bypass tools, SMTP crackers, combo lists, and malware kits including keyloggers, RATs, and wallet drainers
Date: 2026-04-27T20:36:32Z
Network: openweb
Published URL: https://altenens.is/threads/microsoft-365-office-365-premium-lifetime-access-multi-device-netflix-hulu-disney-hbo-max-spotify-premium-4k-ad-free-bundles.2930716/unread
Screenshots:
None
Threat Actors: GeneralSquahh
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of stolen financial data, carding tools, and identity documents by threat actor GSquah
Category: Carding
Content: A threat actor operating under the alias GSquah is offering a range of fraudulent financial products and stolen data via Telegram (@GSquah), including dumps with PIN, EMV software, CVV cards, cloned cards, OTP bots, CashApp/Apple Pay linkables, fullz for UK and USA individuals, bank logs, identity documents (driver's licenses, IDs, passports), and gift cards. The post solicits direct messages for long-term business arrangements, suggesting an ongoing carding and fraud operation. No specific vict
Date: 2026-04-27T20:26:20Z
Network: openweb
Published URL: https://altenens.is/threads/check-mark-buttondumps-with-pin-check-mark-button-emv-software-check-mark-buttoncredit-cards-cvv-check-mark-buttonvalid-checks-slips-check-mark-buttonotp-bot-robot-available-check-mark-buttonmos-available-check-mark-buttonchecks-slips-check-mark-buttonclone-card-check-mark-buttoncas.2930737/unread
Screenshots:
None
Threat Actors: GeneralSquahh
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Leak of Student and Alumni Records from Madiun City Scholarship Portal
Category: Data Leak
Content: A threat actor operating under the alias BabayoErorSystem claims to have gained unauthorized access to the server at beasiswa.madiunkota.go.id, the scholarship portal of Madiun City, Indonesia. Three files containing student and alumni personal data, as well as student re-registration records, were exported and made available for free download via MediaFire. The leaked files include alumni lists and student data in Excel and text formats, dated April 28, 2026.
Date: 2026-04-27T20:24:05Z
Network: openweb
Published URL: https://breached.st/threads/3-files-data-base-beasiswa-madiunkota-go-id.86389/unread
Screenshots:
None
Threat Actors: BabayoErorSystem
Victim Country: Indonesia
Victim Industry: Government / Education
Victim Organization: Madiun City Scholarship Office (beasiswa.madiunkota.go.id)
Victim Site: beasiswa.madiunkota.go.id

Alleged Data Breach of Pemerintah Kabupaten Boyolali Government Portal
Category: Data Breach
Content: A threat actor known as Mr. Hanz Xploit claims to have obtained a database from the Boyolali Regency Government portal in Indonesia. The alleged database contains approximately 1.2 million records including personal information such as full names, email addresses, ID card numbers (KTPA), WhatsApp numbers, and additional administrative fields. The data appears to relate to permit or application submissions managed through the government platform.
Date: 2026-04-27T20:23:30Z
Network: openweb
Published URL: https://breached.st/threads/1-2-milliond-database-pemerintah-kabupaten-boyolali-go-id.86390/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Pemerintah Kabupaten Boyolali
Victim Site: boyolali.go.id

Alleged Data Leak of Universidad Rafael Landívar Student and Faculty Personal Data
Category: Data Leak
Content: A threat actor using the alias MrGoblinciano has freely distributed a dataset allegedly belonging to Universidad Rafael Landívar in Guatemala. The leak includes 84,620 photos of students and professors indexed by university ID (carnet), along with a JSON file containing personal information such as full names and dates of birth. The total package size is approximately 20 GB and was made available via a public file-sharing platform.
Date: 2026-04-27T20:18:56Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-URL-UNIVERSIDAD-RAFAEL-LANDIVAR-GUATEMALA
Screenshots:
None
Threat Actors: MrGoblinciano
Victim Country: Guatemala
Victim Industry: Education
Victim Organization: Universidad Rafael Landívar
Victim Site: Unknown

Website Defacement of wcaqq.com by YIIX103
Category: Defacement
Content: On April 28, 2026, a threat actor operating under the handle YIIX103 defaced a page hosted on wcaqq.com, targeting a file within the WordPress uploads directory. The attacker acted independently without affiliation to a known team. The defacement was a single targeted incident, not a mass or repeat defacement.
Date: 2026-04-27T20:10:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915300
Screenshots:
None
Threat Actors: YIIX103
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: wcaqq.com

Alleged Data Breach of Crypto B2B Affiliate Platform Exposing 46 Product Databases
Category: Data Breach
Content: A threat actor claims to be selling a 26 GB full production database backup from an unnamed crypto B2B affiliate company, encompassing 46 separate product databases across crypto, NFT, and AI agent platforms. The dataset allegedly contains over 73 million records including 119,273 unique user email addresses, crypto wallet addresses, referral codes, points balances, IP-linked activity logs, and credentials for 14 database administrator accounts with SCRAM-SHA-1 and SCRAM-SHA-256 password hashes.
Date: 2026-04-27T20:04:05Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-CRYPTO-B2B-AFFILIATE-BREACH-CONTAINING-AFFILIATED-DATABASES
Screenshots:
None
Threat Actors: unico
Victim Country: Unknown
Victim Industry: Cryptocurrency / Blockchain
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of BLACKP1 Press-1 Bot service for vishing and social engineering campaigns
Category: Initial Access
Content: A threat actor operating under the alias unico is advertising a feature-rich automated Press-1 (vishing) bot service called BLACKP1 on a cybercrime forum. The service offers text-to-speech script generation, multi-regional voice options, automatic voicemail callbacks, SIP routing, campaign management, and full API access to enable reselling. The tool is designed to facilitate high-volume social engineering and fraudulent support calls, with planned features including an integrated OTP bypass b
Date: 2026-04-27T20:03:22Z
Network: openweb
Published URL: https://pwnforums.st/Thread-BLACKP1-PRESS-1-BOT-FEATURE-RICH-GET-YOUR-PICKUPS-TODAY
Screenshots:
None
Threat Actors: unico
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: blackp1.com

Alleged sale of React2Shell RCE exploitation toolkit for mass database dumping and credential exfiltration
Category: Initial Access
Content: A threat actor on PwnForums is selling a toolkit called React2Shell for $750-$1000 that exploits a remote code execution (RCE) vulnerability in React-based web servers. The toolkit includes mass scanning scripts, a pseudo-shell for manual command execution, and automated exfiltration of .env files, API keys, payment credentials, and full database dumps. The seller claims thousands of vulnerable targets remain exposed across the internet.
Date: 2026-04-27T20:02:39Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SOURCE-CODE-REACT2SHELL-EXPLOITATION-TOOLKIT-DUMP-LOTS-OF-HIGH-QUALITY-DATABASES-AND-LEADS
Screenshots:
None
Threat Actors: unico
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Yahoo-targeted crypto combolist with 894,859 credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist of approximately 894,859 email and password combinations targeting Yahoo accounts, with a focus on cryptocurrency-related targets. The credential list was shared freely via a Mega.nz file link on the cracking forum CrackingX. No price was mentioned, indicating this is a free distribution of the combolist.
Date: 2026-04-27T19:53:30Z
Network: openweb
Published URL: https://crackingx.com/threads/73450/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology / Email Services
Victim Organization: Yahoo
Victim Site: yahoo.com

Alleged leak of t-online.de credential combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist of 4,362 credential lines associated with t-online.de, a German email and internet service provider operated by Telekom Deutschland. The list, dated April 27, 2026, is described as fresh and was shared via a Mega file-hosting link on the cracking forum CrackingX. The post is gated behind a reaction requirement, suggesting forum engagement incentivization.
Date: 2026-04-27T19:53:10Z
Network: openweb
Published URL: https://crackingx.com/threads/73452/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Germany
Victim Industry: Telecommunications
Victim Organization: Telekom Deutschland
Victim Site: t-online.de

Alleged sale of Malachite Loader malware with stealer, clipper, and keylogger capabilities
Category: Initial Access
Content: A threat actor operating under the alias Pyrite is selling a malware toolkit called Malachite Loader on HackForums. The tool is a lightweight 188kb native C-based loader featuring in-memory execution, direct NT syscall usage for AV evasion, and modular plugins including a browser/crypto wallet stealer, clipboard hijacker, hook-based keylogger, and Windows Defender exclusion inserter. It includes a self-hosted PHP C2 panel, Telegram-based builder, and supports persistence via registry or Task
Date: 2026-04-27T19:52:18Z
Network: openweb
Published URL: https://hackforums.net/showthread.php?tid=6321511
Screenshots:
None
Threat Actors: Pyrite
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach of 7-Eleven Exposing Salesforce Records and PII
Category: Data Breach
Content: A threat actor claims to have compromised over 600,000 Salesforce records belonging to 7-Eleven, containing personally identifiable information (PII) and internal corporate data. The database dump is reported to be over 10.4GB in compressed size. The data has been made available on a cybercrime forum.
Date: 2026-04-27T19:32:10Z
Network: openweb
Published URL: https://breached.st/threads/2026-7-eleven-database.86385/unread
Screenshots:
None
Threat Actors: Fallen
Victim Country: United States
Victim Industry: Retail
Victim Organization: 7-Eleven
Victim Site: 7-eleven.com

Alleged data breach of CarGurus exposing 12.4 million records
Category: Data Breach
Content: A threat actor known as Fallen claims to possess a database from CarGurus, Inc. containing over 12.4 million records with personally identifiable information and internal corporate data. The dataset is reported to be 7.1GB or more in compressed form. The actor is advertising the data via Telegram under the handle TheFallen.
Date: 2026-04-27T19:31:34Z
Network: openweb
Published URL: https://breached.st/threads/2026-cargurus-database.86386/unread
Screenshots:
None
Threat Actors: Fallen
Victim Country: United States
Victim Industry: Automotive Marketplace
Victim Organization: CarGurus
Victim Site: cargurus.com

Alleged data breach of Iranian Nuclear Energy organization
Category: Data Breach
Content: A threat actor known as Fallen is allegedly offering a 30GB database dump purportedly belonging to an Iranian nuclear energy organization. The post was shared on the Breached forum and the actor provides a Telegram contact for further communication. The size of the data and the sensitive nature of the sector make this a significant alleged breach if verified.
Date: 2026-04-27T19:31:01Z
Network: openweb
Published URL: https://breached.st/threads/iran-30gb-nuclear-energy-db.86387/unread
Screenshots:
None
Threat Actors: Fallen
Victim Country: Iran
Victim Industry: Nuclear Energy
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach of Archetyp Darknet Market Vendor Data
Category: Data Breach
Content: A threat actor operating under the alias Fallen has shared what is alleged to be a vendor data scrape from Archetyp, a darknet marketplace, dated April 2026. The data was posted on the Breached forum and the actor provided a Telegram contact for further communication. The exact number of records and specific data fields included in the scrape are not disclosed in the post.
Date: 2026-04-27T19:30:28Z
Network: openweb
Published URL: https://breached.st/threads/darkweb-archetyp-market-vendor-data-04-2026.86388/unread
Screenshots:
None
Threat Actors: Fallen
Victim Country: Unknown
Victim Industry: Dark Web Marketplace
Victim Organization: Archetyp Market
Victim Site: Unknown

Alleged Compromise of MSTEC Smart PureWater System Critical Infrastructure in South Korea
Category: Cyber Attack
Content: A threat actor claims full operational control over MSTEC's Smart PureWater System (Weintek cMT2078X HMI), which manages water supply, heating, and cooling for critical infrastructure in South Korea. The claims include disabled automatic protections, manual mode activation on all key components (compressors, pumps, fans, expansion valves), full control over pressure and temperature settings, and the capability to cause equipment failure or service disruption. The actor claims a geopolitical motivation related to South Korean military support and provides alleged evidence of system access and operational parameters.
Date: 2026-04-27T19:06:46Z
Network: telegram
Published URL: https://t.me/c/3584758467/833
Screenshots:
None
Threat Actors: The Z-Pentest Alliance
Victim Country: South Korea
Victim Industry: Critical Infrastructure – Water/Energy Management
Victim Organization: MSTEC
Victim Site: mstec.kr, purewatersystem.kr

Alleged leak of t-online.de credential combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist containing 5,128 credential lines associated with t-online.de, a major German telecommunications and email service provider. The list is described as fresh and dated April 27, 2026, and is being distributed for free via a Mega file-sharing link on a cracking forum.
Date: 2026-04-27T19:05:25Z
Network: openweb
Published URL: https://crackingx.com/threads/73447/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Germany
Victim Industry: Telecommunications
Victim Organization: T-Online
Victim Site: t-online.de

Alleged leak of Hotmail, Yahoo, and Orange credentials combolist
Category: Combo List
Content: A threat actor known as CODER has made available a combolist of approximately 7 million credentials allegedly sourced from Hotmail, Yahoo, and Orange France accounts, including social and shopping site credentials. The actor is distributing the combolist for free via Telegram channels and directing users to register on the cracking forum to access the content.
Date: 2026-04-27T19:05:09Z
Network: openweb
Published URL: https://crackingx.com/threads/73448/
Screenshots:
None
Threat Actors: CODER
Victim Country: France
Victim Industry: Technology / Telecommunications
Victim Organization: Multiple (Hotmail, Yahoo, Orange)
Victim Site: Unknown

Alleged leak of USA credential combolist
Category: Combo List
Content: A threat actor operating under the alias RandomUpload has shared a combolist on the cracking forum CrackingX, purportedly containing 9,334 high-quality (HQ) credential pairs associated with United States-based accounts. The content is restricted to registered forum users. No specific victim organization or targeted service has been identified.
Date: 2026-04-27T19:04:46Z
Network: openweb
Published URL: https://crackingx.com/threads/73449/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Leak of Makassar City Government Employee Profiles
Category: Data Leak
Content: A threat actor operating under the alias ShenChuyi88 has leaked what is alleged to be a database containing 951 employee profiles from the Makassar City Government. The data is being made available for free download via BreachForums. The leaked records reportedly contain government employee profile information.
Date: 2026-04-27T18:50:58Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-951-data-on-makassar-city-government-employee-profiles-leaked-free-downloads
Screenshots:
None
Threat Actors: ShenChuyi88
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Makassar City Government
Victim Site: Unknown

Alleged Data Breach of Udemy, Inc.
Category: Data Breach
Content: A threat actor operating under the alias ShinyHunters has posted a thread on BreachForums alleging to possess a database belonging to Udemy, Inc., an online learning platform. No further details regarding the nature, size, or content of the alleged data are available from the post. The legitimacy and scope of the claimed breach have not been verified.
Date: 2026-04-27T18:49:34Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-Udemy-Inc-udemy-com
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: E-Learning / Online Education
Victim Organization: Udemy, Inc.
Victim Site: udemy.com

Alleged Data Breach of ADT, Inc.
Category: Data Breach
Content: A threat actor operating under the alias ShinyHunters has posted a thread on BreachForums allegedly involving a database associated with ADT, Inc. (adt.com), a major US-based security services company. No further details regarding the nature, content, or volume of the data are available from the post. The full scope and authenticity of the alleged breach remain unverified.
Date: 2026-04-27T18:48:13Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-ADT-Inc-adt-com
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Security Services
Victim Organization: ADT, Inc.
Victim Site: adt.com

Alleged data breach of ADT, Inc. – 10M+ Salesforce records leaked
Category: Data Breach
Content: Threat actor claims to have compromised over 10 million Salesforce records from ADT, Inc. (adt.com) containing personally identifiable information (PII) and internal corporate data totaling 11GB+ compressed. The actor states that ADT failed to reach a negotiation agreement and is now distributing the stolen data. Breach date updated April 26, 2026.
Date: 2026-04-27T18:46:54Z
Network: telegram
Published URL: https://t.me/c/3500620464/7456
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Security Services
Victim Organization: ADT, Inc.
Victim Site: adt.com

Alleged data breach of Hamrah Aval (MTN Irancell) by Jooje Ardak Zesht group
Category: Data Breach
Content: A threat actor claiming to be Jooje Ardak Zesht (جوجه اردک زشت) claims responsibility for breaching Hamrah Aval (MTN Irancell), Iran's major telecom operator. According to the post, organizational data has been stolen and is being published, including employee emails, phone numbers, security personnel information, procurement documents, and training department records.
Date: 2026-04-27T18:46:40Z
Network: telegram
Published URL: https://t.me/c/3575098403/138
Screenshots:
None
Threat Actors: Jooje Ardak Zesht
Victim Country: Iran
Victim Industry: Telecommunications
Victim Organization: Hamrah Aval (MTN Irancell)
Victim Site: Unknown

Alleged data breach of Udemy, Inc. – 1.4M+ Salesforce records with PII
Category: Data Breach
Content: Threat actor claims to have compromised over 1.4M Salesforce records from Udemy, Inc. containing personally identifiable information (PII) and internal corporate data. The actor states that negotiation attempts with the company failed and has made the data available for download.
Date: 2026-04-27T18:44:24Z
Network: telegram
Published URL: https://t.me/c/3500620464/7455
Screenshots:
None
Threat Actors: Unknown
Victim Country: United States
Victim Industry: Education Technology
Victim Organization: Udemy, Inc.
Victim Site: udemy.com

Alleged Data Leak of University of San Carlos Guatemala (USAC) Employee Financial Records
Category: Data Leak
Content: A threat actor known as MrGoblinciano has leaked financial records belonging to employees of the University of San Carlos of Guatemala (USAC), extracted from the SIIF financial system. The leaked data reportedly includes fields such as national ID numbers (CUI), bank names, deposit amounts, account numbers, recipient names, and organizational department details. The data is being made available for free download via two external file-sharing links.
Date: 2026-04-27T18:36:48Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-USAC-UNIVERSITY-SIIF-GUATEMALA
Screenshots:
None
Threat Actors: MrGoblinciano
Victim Country: Guatemala
Victim Industry: Education
Victim Organization: University of San Carlos of Guatemala (USAC)
Victim Site: usac.edu.gt

Website Defacement of pvzbaike.com by ALP (Alperen_216)
Category: Defacement
Content: On April 28, 2026, the website pvzbaike.com, likely a Plants vs. Zombies fan or wiki site, was defaced by threat actor ALP operating under the team Alperen_216. The attack targeted the homepage in a single, non-mass defacement operation. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-27T18:35:52Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915299
Screenshots:
None
Threat Actors: ALP, Alperen_216
Victim Country: Unknown
Victim Industry: Gaming/Entertainment
Victim Organization: PvZ Baike
Victim Site: pvzbaike.com

Alleged leak of streaming service credentials combolist
Category: Combo List
Content: A threat actor operating under the alias SYCOSUNNY has shared a combolist containing approximately 1.5 million credential pairs allegedly associated with streaming service accounts. The content is gated behind a reply wall, suggesting it is being distributed for free to forum members. The specific streaming platforms targeted are not identified in the post.
Date: 2026-04-27T18:29:26Z
Network: openweb
Published URL: https://pwnforums.st/Thread-1-5M-Streaming-Good-Combo
Screenshots:
None
Threat Actors: SYCOSUNNY
Victim Country: Unknown
Victim Industry: Media & Entertainment
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of corporate credentials combolist
Category: Combo List
Content: A threat actor known as SYCOSUNNY has shared a combolist containing approximately 180,000 credential pairs described as corporate or headquarters-related accounts. The content is gated behind a reply requirement, suggesting it is being distributed for free to forum members. The specific organizations or industries targeted are not identified in the post.
Date: 2026-04-27T18:28:20Z
Network: openweb
Published URL: https://pwnforums.st/Thread-180K-Corp-HQ-Combo
Screenshots:
None
Threat Actors: SYCOSUNNY
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias SYCOSUNNY has shared an alleged combolist containing 250,000 Hotmail credentials on an underground forum. The list is described as fresh, suggesting recently harvested or validated email and password pairs. No price was mentioned, indicating the combolist was made available for free.
Date: 2026-04-27T18:26:59Z
Network: openweb
Published URL: https://pwnforums.st/Thread-250K-Hotmail-Fresh-Combo
Screenshots:
None
Threat Actors: SYCOSUNNY
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of gaming-related email and password credentials
Category: Combo List
Content: A threat actor known as SYCOSUNNY has shared a combolist containing approximately 350,000 email and password credential pairs targeting gaming accounts. The content is gated behind a reply requirement, suggesting it is being distributed freely within the forum. The specific source or origin of the credentials is not disclosed in the post.
Date: 2026-04-27T18:24:49Z
Network: openweb
Published URL: https://pwnforums.st/Thread-350K-Gaming-EmailPass-HQ
Screenshots:
None
Threat Actors: SYCOSUNNY
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 400,000 email account credentials (combolist)
Category: Combo List
Content: A threat actor known as SYCOSUNNY has shared a combolist containing approximately 400,000 email account credentials on a cybercrime forum. The content is hidden behind a reply gate, requiring forum members to reply to the thread to access the download. No specific victim organization or country has been identified.
Date: 2026-04-27T18:24:10Z
Network: openweb
Published URL: https://pwnforums.st/Thread-400K-MailAccess-Good-Combo
Screenshots:
None
Threat Actors: SYCOSUNNY
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach of TotalEnergies Exposing 79,000 Customer Records
Category: Data Breach
Content: A threat actor operating under the alias Whisix is allegedly selling a database containing approximately 79,000 records belonging to customers of TotalEnergies, a French multinational energy company. The compromised data reportedly includes personally identifiable information such as full names, phone numbers, gender, full addresses, and energy consumption details including electricity usage and subscription type. A sample has been made available via Pastebin, with the actor soliciting buyers
Date: 2026-04-27T18:15:39Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-FR-totalenergies-fr-79K-2025
Screenshots:
None
Threat Actors: Whisix
Victim Country: France
Victim Industry: Energy
Victim Organization: TotalEnergies
Victim Site: totalenergies.fr

Alleged leak of Gmail credentials combolist targeting European users
Category: Combo List
Content: A threat actor known as BestCombo has made available a combolist of approximately 41,069 Gmail credential pairs purportedly targeting European users, dated April 27, 2026. The credential list was shared freely via a Mega.co.nz link on the CrackingX forum. The post is hosted in the Combolists & Dumps section, suggesting the data consists of email and password combinations aggregated from prior breaches or stealer logs.
Date: 2026-04-27T18:09:22Z
Network: openweb
Published URL: https://crackingx.com/threads/73441/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Europe
Victim Industry: Unknown
Victim Organization: Google
Victim Site: gmail.com

Alleged leak of education sector combo list credentials
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist reportedly targeting the education sector, referred to as edu combo list 7ml. The credentials are being made available for free via Telegram channels and groups managed by the actor. No specific victim organization or country has been identified.
Date: 2026-04-27T18:08:53Z
Network: openweb
Published URL: https://crackingx.com/threads/73445/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed credential combolist with 2582 entries
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a mixed combolist containing 2,582 fresh credential entries via a public download link and Telegram channel. The post promotes a paid private cloud service offering additional combolists and a built-in inboxer tool, with subscription tiers ranging from $3 for 24 hours to $120 for lifetime access. Payments are facilitated through a dedicated Telegram payment bot.
Date: 2026-04-27T18:08:36Z
Network: openweb
Published URL: https://crackingx.com/threads/73446/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 155,000 Gmail-targeted credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias carlos080 has made available a Gmail-targeted combolist containing approximately 155,000 email and password combinations on the AE forum. The post includes a hidden download link accessible upon reply, and the author also advertises additional credential lists for sale covering multiple email providers and countries via Telegram. The combolist appears to be in email:password and user:password formats.
Date: 2026-04-27T18:06:37Z
Network: openweb
Published URL: https://altenens.is/threads/155k-gmail-targeted-combolist.2930627/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: gmail.com

Alleged defacement of Israeli Ministry of Health website (Nituhim) by Cyber Islamic Resistance
Category: Defacement
Content: Cyber Islamic Resistance claims to have conducted a cyber attack against nituhim.co.il, a website operated by the Israeli Ministry of Health that provides surgical wait times and hospital information. The group claims the attack was part of their Wad Al-Sanwar Operations campaign.
Date: 2026-04-27T17:52:23Z
Network: telegram
Published URL: https://t.me/c/1651470668/1892
Screenshots:
None
Threat Actors: Cyber Islamic Resistance
Victim Country: Israel
Victim Industry: Government/Healthcare
Victim Organization: Israeli Ministry of Health
Victim Site: nituhim.co.il

Alleged leak of stealer logs from multiple victims
Category: Data Leak
Content: A threat actor operating under the alias ebl01d on the Breached forum has made available approximately 11,040 stealer logs allegedly collected on April 21 and 22. The logs, described as fresh, are being distributed freely via a download link. Stealer logs typically contain credentials, browser data, cookies, and other sensitive information harvested from compromised systems.
Date: 2026-04-27T17:50:11Z
Network: openweb
Published URL: https://breached.st/threads/11040-logs-21-22-april-red-heart-fresh-logs.86381/unread
Screenshots:
None
Threat Actors: ebl01d
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of US Navy nuclear submarine quiet technology documents
Category: Data Leak
Content: A threat actor operating under the alias PhotonPool_ has allegedly made available classified or sensitive technical documents related to critical quiet technology for multiple US Navy nuclear submarine programs, including the Sturgeon, Benjamin Franklin, Los Angeles, Ohio/Trident, Seawolf, Virginia, and Columbia classes. The content is being distributed via a Tor-based onion service. The post includes a SESSION identifier that may serve as a contact or authentication token for accessing the mate
Date: 2026-04-27T17:49:05Z
Network: openweb
Published URL: https://breached.st/threads/usa-advanced-nuclear-submarines-critical-quiet-technology.86383/unread
Screenshots:
None
Threat Actors: PhotonPool_
Victim Country: United States
Victim Industry: Defense & Military
Victim Organization: US Navy
Victim Site: Unknown
- Alleged request for Turkish National ID Serial Number database
Category: Data Breach
Content: A threat actor on a cybercrime forum is requesting a Turkish national ID serial number database, specifically seeking a more comprehensive and recent version than an existing 182,000-record dataset. The post suggests awareness of at least one prior leak of Turkish ID data and indicates demand for a larger or updated database. No seller or price has been identified in this post.
Date: 2026-04-27T17:48:09Z
Network: openweb
Published URL: https://breached.st/threads/turkish-id-serial-number-db-needed.86382/unread
Screenshots:
None
Threat Actors: sassy2026
Victim Country: Turkey
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Bank of America Customer Financial Records
Category: Data Leak
Content: A threat actor operating under the alias Xyph0rix has leaked a database allegedly containing Bank of America customer records on the Breached forum. The data includes fields such as UserID, first name, bank balance, account type, expiration date, CVV, and partial card details associated with products including Bank of America Cash Rewards Visa Signature and BankAmericard Rewards World Mastercard. The database appears to be made available for free download, with no price or payment mentioned in
Date: 2026-04-27T17:47:35Z
Network: openweb
Published URL: https://breached.st/threads/database-bank-of-america.86362/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: United States
Victim Industry: Banking and Financial Services
Victim Organization: Bank of America
Victim Site: bankofamerica.com
- Alleged Data Breach of Ftimerbet.com User Database
Category: Data Breach
Content: A threat actor operating under the alias alon3Hunt is offering for sale a database allegedly obtained from Ftimerbet.com, a betting platform. The database purportedly contains user personal information including email addresses, bcrypt-hashed passwords, phone numbers, and financial transaction records. The actor provided contact details via a Telegram handle and a Session messaging ID for further communication.
Date: 2026-04-27T17:41:15Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-DB-Ftimerbet-com-For-Sale
Screenshots:
None
Threat Actors: alon3Hunt
Victim Country: Unknown
Victim Industry: Gambling & Betting
Victim Organization: Ftimerbet
Victim Site: ftimerbet.com
- Alleged Data Breach of Ryanair Internal Communications and Legal Case Data
Category: Data Leak
Content: A threat actor on a dark web forum has leaked internal communications and legal case management data allegedly stolen from Ryanair. The leaked data includes email correspondence, court case details, passenger booking references, flight numbers, travel departure and destination airports, claimant names, and internal ticket management records. The exposed data appears to relate to flight delay compensation claims handled by Ryanair's in-house legal teams across multiple European jurisdictions.
Date: 2026-04-27T17:39:23Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Ryanair-Internal-Communcations
Screenshots:
None
Threat Actors: GlitchX
Victim Country: Ireland
Victim Industry: Aviation / Transportation
Victim Organization: Ryanair
Victim Site: ryanair.com
- Alleged Data Leak of mybookqatar.com User Database
Category: Data Leak
Content: A threat actor known as GlitchX has leaked a database allegedly belonging to mybookqatar.com, a Qatar-based platform, containing approximately 280,000 user records. The database dump in CSV format includes sensitive fields such as full name, mobile number, email address, hashed password, gender, date of birth, nationality, residence, and account status details. The data spans account creation dates from at least 2020 through 2022 and has been made available for free download on a dark web forum.
Date: 2026-04-27T17:38:32Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Qatar-mybookqatar-com
Screenshots:
None
Threat Actors: GlitchX
Victim Country: Qatar
Victim Industry: Technology
Victim Organization: My Book Qatar
Victim Site: mybookqatar.com
- Alleged Data Leak of Iraqi Independent High Electoral Commission (IHEC) Voter Records
Category: Data Leak
Content: A threat actor known as GlitchX has made available a database allegedly sourced from the Independent High Electoral Commission of Iraq (ihec.iq), containing personal data of over 4.5 million registered voters. The leaked dataset includes full names, dates of birth, voting card numbers, school addresses, voter status flags, and biometric registration indicators. The data is offered as a free download in CSV format, totaling approximately 10GB uncompressed.
Date: 2026-04-27T17:37:54Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-IRAQI-IHEC-IQ-VOTER-RECORDS
Screenshots:
None
Threat Actors: GlitchX
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Independent High Electoral Commission (IHEC)
Victim Site: ihec.iq
- Alleged Data Leak of Syrian Government and Telecom Citizen Registry Affecting 7 Million Records
Category: Data Leak
Content: A threat actor known as GlitchX has leaked a database allegedly sourced from Syrian government and telecom systems, containing over 7 million records of Syrian citizens. The dataset includes full names, gender, birthdates, locale, hometown, city, and phone numbers in CSV/plaintext format. The data appears to originate from a national citizen registry or similar government data stream.
Date: 2026-04-27T17:37:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-SYRIA-7M-gov-sy-telco-national-data-stream
Screenshots:
None
Threat Actors: GlitchX
Victim Country: Syria
Victim Industry: Government
Victim Organization: Syrian Government / Telecom Providers
Victim Site: gov.sy
- Alleged data breach of Hamrah-e Aval (Hamrah Avval) by Ugly Duckling group
Category: Data Breach
Content: A threat actor group known as Ugly Duckling (جوجه اردک زشت) has disclosed leaked documents allegedly from Hamrah-e Aval (Iranian telecommunications company). The post indicates a critical situation and suggests the group may release additional documents. Analysis is needed to determine the initial access vector used in the breach.
Date: 2026-04-27T17:27:57Z
Network: telegram
Published URL: https://t.me/c/3575098403/137
Screenshots:
None
Threat Actors: Ugly Duckling
Victim Country: Iran
Victim Industry: Telecommunications
Victim Organization: Hamrah-e Aval
Victim Site: Unknown
- Alleged data breach of Indonesian Immigration System (SIPGN/SIPSMO) – 1.1 million records
Category: Data Breach
Content: Breach of Indonesian government immigration database (SIPGN/SIPSMO) reportedly containing 1.1 million records of immigration officers and related personnel. Breach thread posted on breached.st. Multiple Indonesian news outlets (SindoNews, RCTI+, iNews, Okezone) covered the incident, with the official immigration authority dismissing the breach as a hoax, though initial reports claimed 3 million eVisa system records were compromised.
Date: 2026-04-27T17:26:02Z
Network: telegram
Published URL: https://t.me/c/3865526389/638
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Government – Immigration
Victim Organization: Indonesian Immigration Authority (Imigrasi)
Victim Site: sipgn.sipsmo.bgn.go.id
- Alleged leak of mixed domain-targeted combolist with 20,975 credentials
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a mixed domain-targeted combolist containing approximately 20,975 lines of credentials via a Mega.co.nz file sharing link. The combolist, dated April 27, 2026, was shared for free on the CrackingX forum. No specific victim organization or country has been identified, as the list appears to aggregate credentials from multiple domains.
Date: 2026-04-27T17:16:11Z
Network: openweb
Published URL: https://crackingx.com/threads/73435/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Polish credential combolist with 4,542 lines
Category: Combo List
Content: A threat actor operating under the alias karaokecloud has made available a combolist containing 4,542 credential pairs purportedly associated with Polish users. The list is described as good combo access, suggesting the credentials may be valid or recently verified. The combolist was shared as a free download on the cracking forum CrackingX.
Date: 2026-04-27T17:15:27Z
Network: openweb
Published URL: https://crackingx.com/threads/73436/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Gaming, Casino, and Education sector credential combolists
Category: Combo List
Content: A threat actor operating under the handle HQcomboSpace has made available a combolist containing approximately 105,627 credential entries targeting the gaming, casino, and education sectors. The list was shared via a Mega.nz file link on the cracking forum CrackingX. The specific organizations or domains affected are not identified in the post.
Date: 2026-04-27T17:14:38Z
Network: openweb
Published URL: https://crackingx.com/threads/73439/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Gaming, Casino, Education
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email:password combolist with 37,000 credentials
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 37,000 unique email:password credential pairs on DemonForums. The content is hidden behind a registration or login requirement. The actor also promotes a shop (unique-combo.shop) offering combolists from various countries upon request.
Date: 2026-04-27T17:14:07Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-MIX-Unique-Combo-4-37000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Office 365 credential combolist
Category: Combo List
Content: A threat actor known as CODER is distributing a mixed Office 365 combolist containing approximately 5 million credential pairs via Telegram channels. The combolist is being made available for free through two Telegram groups. The actor also advertises additional combo resources and tools through the same channels.
Date: 2026-04-27T17:14:02Z
Network: openweb
Published URL: https://crackingx.com/threads/73440/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential combolist with email inbox targets
Category: Combo List
Content: A threat actor operating under the alias He_Cloud on DemonForums has made available a combolist containing 1,759 alleged valid email and password combinations, described as high-quality and fresh. The post also includes a separate download for inbox targets, suggesting the credentials may be intended for email account takeover or spam campaigns. No specific victim organization or country has been identified.
Date: 2026-04-27T17:13:47Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-1759x-HQ-MIX-FRESH-VALIDS-%E2%9A%A1%E2%9A%A1-INBOXES-TARGETS
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Data Leak
Content: A threat actor on the AE (Altenens) forum shared a combolist of 2,111 alleged Hotmail credentials described as UHQ hits, indicating high-quality or verified account access. The credentials were made available to forum members behind a reply-gate, requiring users to reply to the thread before accessing the hidden content.
Date: 2026-04-27T17:09:13Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagecheck-mark-button-2111x-uhq-hotmail-hits-check-mark-buttonhigh-voltage.2930595/unread
Screenshots:
None
Threat Actors: Angiecrax
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email credentials including Hotmail accounts
Category: Data Leak
Content: A threat actor operating under the alias alphacloud has shared a combolist containing 3,673 allegedly valid mixed email credentials, including Hotmail accounts, on the AE forum. The post references a private cloud storage source and directs users to a Telegram contact alphaaxd. The content is gated behind a reply requirement, suggesting it is being freely distributed to forum members.
Date: 2026-04-27T17:08:52Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagehigh-voltage-3673x-premium-mix-mail-hitshigh-voltagehigh-voltage.2930614/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged data breach of Indonesian government personnel database (SIPGN/SIPSMO BGN) – 1.1 million records
Category: Data Breach
Content: A data breach affecting SIPGN/SIPSMO BGN (an Indonesian government agency) has been disclosed on the breached.st forum. The breach involves approximately 1.1 million records of government personnel data. The breach details are being shared on a public breach notification forum.
Date: 2026-04-27T17:08:26Z
Network: telegram
Published URL: https://t.me/c/3865526389/637
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: SIPGN/SIPSMO BGN
Victim Site: bgn.go.id
- Alleged Leak of 44GB of Stealer Logs
Category: Data Leak
Content: A threat actor operating under the alias blackcloud has made available an alleged 44GB collection of fresh stealer logs dated April 27, 2025, on the XF forums. The post contains a restricted link requiring registration to access. The origin, affected organizations, and full scope of the leak remain unknown.
Date: 2026-04-27T17:08:07Z
Network: openweb
Published URL: https://xforums.st/threads/44-gb-fresh-logs-leaks-27-04-2025.610779/
Screenshots:
None
Threat Actors: blackcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged cyberattack on Medtronic with unauthorized system access
Category: Cyber Attack
Content: Medtronic reported to the US stock exchange that unauthorized access to portions of its internal systems was identified during a cyberattack. The company stated that technical assessments have begun to evaluate the scope of the incident and security teams are investigating. No details have been released regarding the extent of the breach or types of exposed data.
Date: 2026-04-27T16:59:57Z
Network: telegram
Published URL: https://t.me/c/1283513914/21430
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: United States
Victim Industry: Medical Device Manufacturing
Victim Organization: Medtronic
Victim Site: Unknown
- Alleged Data Breach of Astral Hotels Exposing 1 Million Guest Records
Category: Data Breach
Content: A threat actor known as MDGhost (The BlackH4t MD-Ghost) is selling a database allegedly containing over 1 million guest and visitor records from Astral Hotels, an Israeli hotel chain. The exposed data includes personally identifiable information such as guest names, phone numbers, email addresses, country codes, as well as booking details including hotel, room ID, room type, pricing, and payment-related fields including credit card tokens and approval codes. The data is offered in XLSX format an
Date: 2026-04-27T16:52:13Z
Network: openweb
Published URL: https://breached.st/threads/1-million-visitor-data-hotel-astralhotels-co-il.86379/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: Israel
Victim Industry: Hospitality
Victim Organization: Astral Hotels
Victim Site: astralhotels.co.il
- Alleged data breach of SIPGN-SIPSMO BGN Indonesian Government Portal
Category: Data Breach
Content: A threat actor known as BabayoErorSystem is selling a database allegedly exfiltrated from the Indonesian government portal sipgn-sipsmo-web.bgn.go.id, associated with the National Geospatial Agency (BGN). The dataset purportedly contains approximately 1.1 million records of government personnel data. The post was shared on the Breached.st forum with an offer to sell the data.
Date: 2026-04-27T16:51:41Z
Network: openweb
Published URL: https://breached.st/threads/data-petugas-sipgn-sipsmo-bgn-go-id-1-1-milliond.86380/unread
Screenshots:
None
Threat Actors: BabayoErorSystem
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Badan Geospasial Nasional (BGN)
Victim Site: sipgn-sipsmo-web.bgn.go.id
- Alleged Data Leak of Oyo State Commerce ID Cards (275,000 Records)
Category: Data Leak
Content: A threat actor operating under the alias AckLine has freely shared approximately 275,000 ID card images allegedly scraped from Oyo State Commerce, a Nigerian government-affiliated platform. The leaked dataset is approximately 21.5GB compressed and up to 70GB when extracted, and has been made available via a public file-sharing service. The actor claims the data was collected approximately one year prior and that the source has since been closed.
Date: 2026-04-27T16:47:36Z
Network: openweb
Published URL: https://spear.cx/Thread-Free-ID-Cards-oyostate-275K-IDs
Screenshots:
None
Threat Actors: AckLine
Victim Country: Nigeria
Victim Industry: Government
Victim Organization: Oyo State Commerce
Victim Site: oyostatecommerce.gov.ng
- Alleged DDoSia Project Compromise of UK Hydraulic Structure CCTV System
Category: Cyber Attack
Content: DDoSia Project claims to have gained unauthorized access to CCTV systems controlling a UK hydraulic structure (dam/pumping station). Post includes screenshots/evidence of HD-IPC camera feeds showing turbines, spillways, and locks. Threat actor uses geopolitical messaging related to Russia-Ukraine conflict and explicitly references continued network access and surveillance capabilities.
Date: 2026-04-27T16:34:48Z
Network: telegram
Published URL: https://t.me/c/3087552512/1856
Screenshots:
None
Threat Actors: DDoSia Project
Victim Country: United Kingdom
Victim Industry: Critical Infrastructure – Water Management
Victim Organization: UK Critical Infrastructure (Hydraulic Structure/Dam Operator)
Victim Site: Unknown
- Alleged Data Breach of URSSAF Exposing 12 Million Records Including Financial and Personal Data
Category: Data Breach
Content: A threat actor operating under the alias hackplanete is allegedly selling a database purportedly sourced from urssaf.fr, the French social security contribution collection agency. The database reportedly contains 12 million records including full names, email addresses, phone numbers, physical addresses, NIR (national identification numbers), IBANs, and SWIFT/BIC codes. A sample has been published on Pastebin, while the full dataset is available behind a point-based paywall on the forum.
Date: 2026-04-27T16:30:46Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-DATABASE-URSAF-LEAK-IBAN-BIC
Screenshots:
None
Threat Actors: hackplanete
Victim Country: France
Victim Industry: Government / Social Security
Victim Organization: URSSAF
Victim Site: urssaf.fr
- Alleged leak of Yahoo credentials combolist targeting crypto users
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist containing approximately 1.97 million credential pairs purportedly associated with Yahoo accounts, specifically targeting cryptocurrency users. The combolist was shared via a Mega.nz file link and is freely accessible. The post suggests the credentials may be particularly useful for targeting individuals with crypto holdings.
Date: 2026-04-27T16:23:28Z
Network: openweb
Published URL: https://crackingx.com/threads/73423/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Internet Services
Victim Organization: Yahoo
Victim Site: yahoo.com
- Alleged distribution of Vortex Binder 2.0 file binding malware tool
Category: Initial Access
Content: A threat actor operating under the alias Jlamaille13 has shared a download link for Vortex Binder 2.0 on a cracking forum. Vortex Binder 2.0 is described as a file binding tool capable of combining multiple executable files into a single package, a technique commonly used to bundle malware with legitimate files. The tool poses significant cybersecurity risks as it can be leveraged to deliver malicious payloads to unsuspecting victims.
Date: 2026-04-27T16:23:05Z
Network: openweb
Published URL: https://demonforums.net/Thread-Vortex-Binder-2-0
Screenshots:
None
Threat Actors: Jlamaille13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed forum credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist containing approximately 100,000 mixed credentials described as valid forum account logins. The post was made on the cracking forum CrackingX under the Combolists & Dumps section. The actual content is gated behind registration or sign-in, limiting further verification of the claims.
Date: 2026-04-27T16:22:54Z
Network: openweb
Published URL: https://crackingx.com/threads/73426/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Distribution of Cracked Hap Crypter Tool
Category: Initial Access
Content: A threat actor on DemonForums shared a cracked version of Hap Crypter, a tool used to obfuscate or encrypt malware to evade detection. The post includes a download link and ironically lists risks associated with using cracked tools, including malware infection, data theft, and legal consequences. Such cracked crypters are commonly used by threat actors to prepare and deploy malicious payloads against targets.
Date: 2026-04-27T16:22:46Z
Network: openweb
Published URL: https://demonforums.net/Thread-Hap-Crypter-Cracked–201960
Screenshots:
None
Threat Actors: Jlamaille13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged distribution of Black Crypt 2025 crypter/obfuscation tool
Category: Initial Access
Content: A threat actor operating under the alias Jlamaille13 has made available a tool called Black Crypt 2025 on a cracking forum. The tool is described as leveraging advanced cryptographic techniques for data obfuscation, stealth-based cyber activities, and unauthorized data locking, consistent with a crypter used to evade antivirus and endpoint detection solutions. A download link was shared publicly in the forum post.
Date: 2026-04-27T16:22:27Z
Network: openweb
Published URL: https://demonforums.net/Thread-Black-Crypter-Use-advanced-antivirus-and-endpoint-protection–201961
Screenshots:
None
Threat Actors: Jlamaille13
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Leak of Outlook.com Credential Combolist Targeting European Users
Category: Combo List
Content: A threat actor known as BestCombo has made available a combolist of approximately 11,986 Outlook.com credential pairs purportedly targeting European users, dated April 27, 2026. The combolist was shared freely via a Mega file-sharing link on the cracking forum CrackingX. The post is gated behind a reaction requirement, suggesting it is a free release rather than a paid offering.
Date: 2026-04-27T16:22:19Z
Network: openweb
Published URL: https://crackingx.com/threads/73427/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: outlook.com
- Alleged leak of mixed email and password combolist (X1723 HQ Mix)
Category: Combo List
Content: A combolist titled X1723 HQ Mix, credited to the handle Steveee36 and posted by erwinn91, has been shared in the Combolists section of DemonForums. The post contains hidden content requiring registration or login to access, suggesting the credential list is being freely distributed to forum members. The combolist appears to contain email and password combinations, though the exact record count and affected organizations remain unknown.
Date: 2026-04-27T16:22:08Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1723-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Steveee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential combolist with 30,727 lines
Category: Combo List
Content: A threat actor operating under the alias stormtrooper has shared a free mixed combolist containing 30,727 email:password credential pairs on DemonForums. The content is hidden behind a registration/login wall and is also distributed via a Telegram channel (@BossBrowz). No specific victim organization or industry has been identified, suggesting the list is an aggregation from multiple sources.
Date: 2026-04-27T16:21:52Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-30-727-Lines-Fresh-Mix-Combolist
Screenshots:
None
Threat Actors: stormtrooper
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email credentials including Hotmail accounts
Category: Combo List
Content: A threat actor operating under the alias noir has made available a combolist of approximately 2,594 alleged valid credentials on the cracking forum CrackingX. The post claims to include valid Hotmail accounts and a mixed credential set described as UHQ (ultra-high quality). The actor promotes a Telegram channel (@noiraccesss) and provides a download link for the credential list.
Date: 2026-04-27T16:21:48Z
Network: openweb
Published URL: https://crackingx.com/threads/73428/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: hotmail.com
- Alleged leak of Hotmail and mixed credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Roronoa044 has made available a combolist of approximately 2,594 alleged valid credentials on DemonForums, described as a UHQ Mix containing Hotmail and mixed email-password combinations. The content is hidden behind a registration or login requirement on the forum. The actor also references a Telegram channel (@noiraccesss) likely for further distribution or contact.
Date: 2026-04-27T16:21:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2594-Valid-UHQ-Mix-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: hotmail.com
- Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor operating under the alias klyne05 has made available a mixed email combolist on the cracking forum CrackingX. The post claims the credentials are fresh and have been checked by the author. Limited details are available due to minimal post content, but the combolist appears to contain email and password combinations from multiple sources.
Date: 2026-04-27T16:21:25Z
Network: openweb
Published URL: https://crackingx.com/threads/73429/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor operating under the alias klyne05 has shared a mixed email:password combolist on the DemonForums cybercrime forum. The content is described as private and freshly checked, suggesting the credentials have been recently validated. Access to the content requires forum registration or login, and the post is gated behind a like-to-unlock mechanism.
Date: 2026-04-27T16:21:16Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1MIX-MAIL%E2%9A%A1%E2%9A%A1PRIVATE%E2%9A%A1%E2%9A%A1FRESH%E2%9A%A1%E2%9A%A1CHEKED-BY-klyne05-%E2%9A%A1%E2%9A%A1–201964
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed UHQ combolist with 2582 credentials
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a mixed UHQ (ultra-high quality) combolist containing 2,582 credential pairs via a free download link on pasteview.com and a Telegram channel. The post also advertises a paid private cloud service offering access to additional combolists and tools, including a built-in inboxer, priced from $3 for 24 hours up to $120 for lifetime access, with payments processed via a Telegram bot.
Date: 2026-04-27T16:20:55Z
Network: openweb
Published URL: https://crackingx.com/threads/73431/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias KiwiShio has shared a combolist of 540 Hotmail email and password combinations on a cybercrime forum. The content is gated behind forum registration or login, suggesting it is available for free to registered members. The credentials are claimed to be fresh and high quality.
Date: 2026-04-27T16:20:47Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-540x-%E2%AD%90%E2%AD%90-FRESH-HQ-HOTMAIL-%E2%AD%90%E2%AD%90
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged sale of logs, credentials, fullz, and cybercrime tools via Telegram marketplace
Category: Data Breach
Content: A threat actor operating under the alias xqwxshop is advertising a Telegram-based marketplace offering logs, usernames, fullz, tools, services, and methods at low prices. The post directs potential buyers to a Telegram channel (t.me/xqwxmrkt). No specific victim organizations, record counts, or pricing details are disclosed in the forum post.
Date: 2026-04-27T16:20:26Z
Network: openweb
Published URL: https://crackingx.com/threads/73430/
Screenshots:
None
Threat Actors: xqwxshop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Stolen Credit and Debit Cards with Full Information
Category: Carding
Content: A threat actor operating under the alias Havvc is selling stolen credit and debit cards, both VBV and non-VBV, via Telegram (@SkullBawlJames). Cards are offered with full cardholder information at prices ranging from $25 to $100, purportedly carrying balances between $600 and $2,000. The actor also advertises fraudulent transfers via CashApp, Apple Pay, PayPal, cryptocurrency, and bank platforms including Zelle and Chime.
Date: 2026-04-27T16:17:28Z
Network: openweb
Published URL: https://altenens.is/threads/got-legit-credit-and-debit-cards-both-vbv-and-non-vbv-for-only-40-with-the-balance-of-1-1k-which-comes-with-full-information-youre-new-to-this-and.2930539/unread
Screenshots:
None
Threat Actors: Havvc
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Data Leak
Content: A threat actor known as alphacloud has shared a combolist containing 1,895 alleged valid Hotmail credentials on the AE forum. The post claims the credentials are premium hits and were sourced from a private cloud. The actor is also associated with a Telegram handle alphaaxd and requires forum replies to access the hidden content.
Date: 2026-04-27T16:16:41Z
Network: openweb
Published URL: https://altenens.is/threads/snowflakesnowflake-1895x-premium-hotmail-hits-snowflakesnowflake.2930592/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged EDR/XDR Bypass and Evasion Techniques Research Article Published on Underground Forum
Category: Initial Access
Content: A detailed Red Team-oriented research article was published on the underground forum Tier1, authored by Excalibra, covering advanced EDR/XDR bypass techniques including API unhooking, in-memory BOF execution, indirect syscalls, ETW bypass, and kernel callback evasion. The article includes practical case studies such as validation of a PostExpKit plugin and a Bitdefender bypass scenario. The content provides actionable evasion strategies and combined technique chains designed to defeat modern
Date: 2026-04-27T16:01:13Z
Network: openweb
Published URL: https://tier1.life/thread/180
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of Indonesian Agricultural and Government Personnel Database
Category: Data Breach
Content: A threat actor operating under the alias 053o has shared a structured database containing personal information of Indonesian government and agricultural sector personnel on the Breached forum. The exposed data includes full names, email addresses, phone numbers, and institutional affiliations, with victims linked to agencies such as the Directorate General of Horticulture, various provincial agricultural departments, and academic institutions. The dataset appears to originate from a registrati
Date: 2026-04-27T15:58:59Z
Network: openweb
Published URL: https://breached.st/threads/database-indonesia-include-number-name-gmail.86377/unread
Screenshots:
None
Threat Actors: 053o
Victim Country: Indonesia
Victim Industry: Government / Agriculture
Victim Organization: Multiple Indonesian Government Agricultural Agencies
Victim Site: Unknown
- Alleged Free RDP Access Shared for China-Based Host
Category: Initial Access
Content: A threat actor on Breached forums has freely shared RDP credentials for a China-based host at IP 36.140.138.133 on port 3389. The credentials include an Administrator account username and password for the system identified as ECS-83060582-00. No payment or sale is indicated; the access details were made available at no cost.
Date: 2026-04-27T15:58:15Z
Network: openweb
Published URL: https://breached.st/threads/1-rdp.86373/unread
Screenshots:
None
Threat Actors: BSeller
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Free RDP Access Shared for Chinese Host
Category: Initial Access
Content: A threat actor on Breached forums has made available free RDP access to a Chinese host at IP address 36.212.16.104 on port 3389. The post includes administrator credentials for the system identified as ECS-17183383-00. The access appears to be shared at no cost, suggesting it may be a compromised cloud or hosted server instance.
Date: 2026-04-27T15:57:45Z
Network: openweb
Published URL: https://breached.st/threads/1-rdp.86374/unread
Screenshots:
None
Threat Actors: BSeller
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Free RDP Access Shared for Host 116.196.79.27
Category: Initial Access
Content: A threat actor on Breached forums has made available free RDP access to a host at IP address 116.196.79.27 on port 3389. The credentials include the username XINLV\Administrator with a plaintext password, suggesting administrative-level access to a Windows system. The IP geolocation indicates the host is likely located in China.
Date: 2026-04-27T15:57:13Z
Network: openweb
Published URL: https://breached.st/threads/1-rdp.86375/unread
Screenshots:
None
Threat Actors: BSeller
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of Bank Saderat Iran Exposing 63 Million Records
Category: Data Breach
Content: A threat actor identified as MDGhost (The BlackH4t MD-Ghost) claims to have obtained a database dump from Bank Saderat Iran containing over 63 million records. The leaked data allegedly includes account numbers, full names, card numbers, password hints, email addresses, passwords, phone numbers, usernames, and branch IDs. Bank Saderat Iran is a state-owned bank established in 1952 with a significant domestic and international presence.
Date: 2026-04-27T15:56:32Z
Network: openweb
Published URL: https://breached.st/threads/63-million-bank-data-sederarat-iran.86376/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: Iran
Victim Industry: Banking & Finance
Victim Organization: Bank Saderat Iran
Victim Site: Unknown
- Alleged Data Leak of Indonesian Ministry of Health Workforce Database
Category: Data Leak
Content: A threat actor operating under the name SADBOY CYBER TEAM HACKTIVIST INDONESIA (SCTH) has made available an alleged database dump containing 1.52 million records from the Indonesian Ministry of Health's workforce system. The leaked data includes sensitive fields such as full names, national ID numbers (NIK), NIP (civil servant IDs), phone numbers, WhatsApp numbers, email addresses, residential details, professional codes, bank account numbers, and medical specialization data. The actor claims
Date: 2026-04-27T15:56:05Z
Network: openweb
Published URL: https://breached.st/threads/1-52-million-ministry-of-health-workforce-database-indonesia.86378/unread
Screenshots:
None
Threat Actors: SCTH
Victim Country: Indonesia
Victim Industry: Government – Healthcare
Victim Organization: Ministry of Health Indonesia
Victim Site: Unknown
- Alleged Data Leak of University of Kerbala G Suite User Database
Category: Data Leak
Content: A threat actor known as Rihana has freely shared a database dump allegedly containing 1,529 G Suite user records from the University of Kerbala in Iraq. The leaked data includes usernames, institutional email addresses, passwords, and address fields. The database is made available for free download via a hidden link requiring forum participation to access.
Date: 2026-04-27T15:35:55Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Iraq-uokerbala-edu-iq-G-Suite-users
Screenshots:
None
Threat Actors: Rihana
Victim Country: Iraq
Victim Industry: Education
Victim Organization: University of Kerbala
Victim Site: uokerbala.edu.iq
- Alleged Data Leak of LCBO Customer Database
Category: Data Leak
Content: A threat actor known as Spirigatito has freely leaked an alleged database dump belonging to the Liquor Control Board of Ontario (LCBO), Canada's official liquor retail and e-commerce platform. The leaked dataset purportedly contains 165,840 customer records including account IDs, full names, email addresses, phone numbers, and account types. The full dataset is gated behind a forum points system, with sample records provided to validate the claim.
Date: 2026-04-27T15:35:20Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-LCBO-Database-Leaked-Download
Screenshots:
None
Threat Actors: Spirigatito
Victim Country: Canada
Victim Industry: Retail / Alcohol & Beverage
Victim Organization: Liquor Control Board of Ontario (LCBO)
Victim Site: lcbo.com
- Alleged Data Leak of Den Kulturelle Skolesekken (DKS) Government Database, Norway
Category: Data Leak
Content: A threat actor using the alias Spirigatito has leaked a database allegedly belonging to Den Kulturelle Skolesekken (DKS), a major national government programme in Norway. The leaked database reportedly contains approximately 1.38 million rows of personal data including full names, email addresses, phone numbers, physical addresses, nationality, and language preferences. Sample records shared in the post appear to include both government employees and performers associated with the programme.
Date: 2026-04-27T15:34:30Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Government-of-Norway-DenKulturelles-Database-Leaked-Download
Screenshots:
None
Threat Actors: Spirigatito
Victim Country: Norway
Victim Industry: Government
Victim Organization: Den Kulturelle Skolesekken (DKS)
Victim Site: Unknown
- Alleged Data Leak of Choice Health Insurance and Affiliated Healthcare Providers
Category: Data Leak
Content: A threat actor on PwnForums has freely released a database allegedly belonging to Choice Health Insurance, exposing PII of over 2.1 million clients and patients including full names, phone numbers, Social Security numbers, Medicare/Medicaid numbers, banking and payment card details, medical records, and healthcare.gov credentials. The data is also reported to affect affiliated insurers including Humana, United Healthcare, Anthem, WellCare, and Centene. The actor claims the files were sourced fro
Date: 2026-04-27T15:33:40Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Choice-Health-Insurance
Screenshots:
None
Threat Actors: clusapva
Victim Country: United States
Victim Industry: Healthcare / Health Insurance
Victim Organization: Choice Health Insurance
Victim Site: choicehealthinsurance.com
- Alleged intrusion of Hamrah-e Aval (MTN Irancell) and Iran's Computer Engineering Organization
Category: Cyber Attack
Content: A threat actor claims to have compromised Hamrah-e Aval (MTN Irancell), a major Iranian telecommunications operator, and the Sazman-e Nezam-e Sanfi-ye Rayaneh-ai (Iran's Computer Engineering Organization). The actor states that details will be released soon. The post is in Persian and includes a reference to Internet Pro.
Date: 2026-04-27T15:32:06Z
Network: telegram
Published URL: https://t.me/c/3575098403/134
Screenshots:
None
Threat Actors: Unknown
Victim Country: Iran
Victim Industry: Telecommunications, Government IT
Victim Organization: Hamrah-e Aval (MTN Irancell) and Sazman-e Nezam-e Sanfi-ye Rayaneh-ai
Victim Site: Unknown
- Alleged leak of Hotmail and Outlook credentials combolist
Category: Combo List
Content: A threat actor using the handle karaokecloud has made available a combolist containing 3,460 lines of credentials targeting Hotmail and Outlook email accounts. The post offers a free download of the credential list on a cracking forum. The combolist likely contains email and password pairs for Microsoft email services.
Date: 2026-04-27T14:33:24Z
Network: openweb
Published URL: https://crackingx.com/threads/73416/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed credential combolist distributed via cracking forum
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a mixed batch combolist containing 2,582 credential entries via a paste sharing site and a Telegram channel. The post also advertises a private cloud service with built-in inbox checking capabilities, offered at tiered pricing starting at $3 for 24 hours. The combolist appears to aggregate credentials from multiple unspecified sources.
Date: 2026-04-27T14:32:49Z
Network: openweb
Published URL: https://crackingx.com/threads/73417/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed SMTP combolist with 8 million credentials
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an alleged mixed SMTP combolist containing approximately 8 million credential pairs via Telegram channels. The content is being distributed for free through two Telegram groups and requires registration or sign-in on the crackingx.com forum to access. No specific victim organization or country has been identified, suggesting the combolist is aggregated from multiple sources.
Date: 2026-04-27T14:31:49Z
Network: openweb
Published URL: https://crackingx.com/threads/73420/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HollowKnight on DemonForums has made available a sample combolist containing 525 Hotmail email and password combinations. The post is categorized under Combolists and the content is gated behind forum registration or login, suggesting it may serve as a teaser for a larger dataset. The origin and collection method of the credentials are unknown.
Date: 2026-04-27T14:31:29Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-525x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: HollowKnight
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email and password combolist with 37,000 records
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 37,000 unique email and password credential pairs on DemonForums. The content is hidden behind registration or login, suggesting it is available to forum members at no explicit cost. The actor also promotes a shop (unique-combo.shop) offering combolists from various countries on request.
Date: 2026-04-27T14:31:14Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-MIX-Unique-Combo-3-37000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of RDP credentials for Chinese systems
Category: Initial Access
Content: A threat actor on Breached forum has freely shared RDP credentials for two Chinese IP addresses (14.18.116.221 and 14.29.211.109) on port 3389, both using the Administrator account with the same password. The credentials provide remote desktop access to systems identified with the hostname MASTER-YZJBZ229. No organization or industry affiliation has been identified.
Date: 2026-04-27T14:09:16Z
Network: openweb
Published URL: https://breached.st/threads/free-rdp-china.86370/unread
Screenshots:
None
Threat Actors: BSeller
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of RDP access credentials for a Chinese host
Category: Initial Access
Content: A threat actor shared a single set of RDP credentials for a Chinese IP address (36.138.214.219) on port 3389, targeting a host named DESKTOP-KB95FO4 with Administrator-level access. The credentials, including username and password, were made available for free on the forum. This represents unauthorized access to a remote desktop service hosted in China.
Date: 2026-04-27T14:08:31Z
Network: openweb
Published URL: https://breached.st/threads/1-rdp-china.86372/unread
Screenshots:
None
Threat Actors: BSeller
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Redefacement of LSH Hotel by LEFT-10 of Banjarnegara Xploit
Category: Defacement
Content: The threat actor LEFT-10, affiliated with the group Banjarnegara Xploit, conducted a redefacement of the LSH Hotel website on April 27, 2026. The attacker targeted the KindEditor directory path, suggesting exploitation of a vulnerable web editor component. This incident marks a repeated compromise of the same target, indicating the underlying vulnerability may not have been remediated after the initial defacement.
Date: 2026-04-27T13:57:17Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915297
Screenshots:
None
Threat Actors: LEFT-10, Banjarnegara Xploit
Victim Country: Unknown
Victim Industry: Hospitality
Victim Organization: LSH Hotel
Victim Site: www.lsh-hotel.com
- Cyberattack on Medtronic plc
Category: Cyber Attack
Content: Medtronic plc announced that an unauthorized third party accessed data from certain of its IT systems on April 24, 2026. The company immediately took steps to contain the incident and engaged external experts to conduct its investigation. At this stage, Medtronic has identified no impact on its products, patient safety, or financial operations, and does not anticipate any material impact on its business.
Date: 2026-04-27T13:53:25Z
Network: openweb
Published URL: https://app.quotemedia.com/data/downloadFiling?webmasterId=101533&ref=319979674&type=HTML&symbol=MDT&cdn=83dd8d0bda390cc08b7e0796ad099fb8&companyName=Medtronic+plc.&formType=8-K&dateFiled=2026-04-27
Screenshots:
None
Threat Actors:
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Medtronic plc
Victim Site: medtronic.com
- Alleged data breach of Algerian Ministry of Education – 612,847 student records leaked
Category: Data Breach
Content: A MySQL 5.7 database dump from i.education.gov.dz (Algerian Ministry of Education intranet) containing 612,847 student records has been leaked and is being sold for $2,800 USD. The breach was allegedly obtained through UNION-based SQL injection (SQLi) on /portal/etudiants.php during a contracted red-team engagement. The database includes student personal information (names, emails, phone numbers, birthdates, departments, enrollment dates), academic module access records (1.2M records), and administrative account credentials with bcrypt hashes. The seller claims the client (an Algerian edu-tech firm) rejected a discount demand and was dropped, leading to the public release of the dataset.
Date: 2026-04-27T13:45:18Z
Network: telegram
Published URL: https://t.me/c/3793980891/3080
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Algeria
Victim Industry: Government – Education
Victim Organization: Algerian Ministry of Education
Victim Site: i.education.gov.dz
- Alleged leak of mixed education sector credential combolist
Category: Combo List
Content: A threat actor known as HQcomboSpace has made available a combolist containing approximately 187,175 credential pairs targeting the education sector, referred to as a WorldCombo Edu Mixed Target 2026 list. The combolist was shared freely via a Mega.nz link on the crackingx.com forum. The affected organizations and countries are unknown, as the list appears to aggregate credentials from multiple education-related sources.
Date: 2026-04-27T13:31:33Z
Network: openweb
Published URL: https://crackingx.com/threads/73412/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Business Corporate combolist (7 million records)
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist allegedly containing 7 million business/corporate credential pairs. The combolist is being distributed for free via Telegram channels and groups linked to the actor. No specific victim organization or targeted industry has been identified.
Date: 2026-04-27T13:30:59Z
Network: openweb
Published URL: https://crackingx.com/threads/73415/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged promotion of No-KYC/AML cryptocurrency exchange API service on cybercrime forum
Category: Initial Access
Content: A threat actor operating under the alias ComCASH_API is advertising API integration services for a no-KYC/AML cryptocurrency exchange on a cybercrime forum. The service offers crypto-to-crypto and crypto-to-fiat order processing, liquidity access, and a turnkey white-label exchange solution, with a revenue-sharing model of 30% of commissions. The offering is designed to facilitate anonymous financial transactions, with the only stated restriction being the exclusion of direct dark market traffic
Date: 2026-04-27T13:30:40Z
Network: openweb
Published URL: https://crackingx.com/threads/73414/
Screenshots:
None
Threat Actors: ComCASH_API
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: comcash.cc
- Alleged Data Breach of Bank Saderat Iran Exposing 63 Million User Records
Category: Data Breach
Content: A threat actor known as TheBlackh4tMrGhost has claimed to possess and shared a database allegedly belonging to Bank Saderat Iran, a state-owned bank established in 1952. The leaked dataset purportedly contains over 63 million records including account numbers, card numbers, full names, email addresses, phone numbers, passwords, and branch identifiers. The data was posted on BreachForums along with references to Telegram channels for distribution.
Date: 2026-04-27T13:25:03Z
Network: openweb
Published URL: https://breachforums.rs/Thread-63-million-bank-sederat-iran-s-user-database
Screenshots:
None
Threat Actors: TheBlackh4tMrGhost
Victim Country: Iran
Victim Industry: Banking & Financial Services
Victim Organization: Bank Saderat Iran
Victim Site: Unknown
- Alleged leak of mixed credential combolist containing 37,000 records
Category: Logs
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 37,000 unique credential pairs on a cybercrime forum. The post, titled MIX Unique Combo_2_37000, suggests the credentials are sourced from multiple origins. No specific victim organization, industry, or country has been identified.
Date: 2026-04-27T13:21:57Z
Network: openweb
Published URL: https://xforums.st/threads/mix-unique-combo_2_37000.610777/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed platform credential combolist including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook
Category: Data Leak
Content: A threat actor operating under the alias Larry_Uchiha has shared a mixed account combolist on the forum AE – Combo List, reportedly containing credentials for multiple platforms including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook. The post requires users to reply to access the hidden download link, which is distributed via Telegram. The combolist appears to be freely shared rather than sold, as no price or payment method is mentioned.
Date: 2026-04-27T13:13:37Z
Network: openweb
Published URL: https://altenens.is/threads/mix-account-combo-netflix-onlyfans-chatgpt-xbox-sony-discord-facebook-2026-4-24.2930443/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Multiple Organizations
Victim Site: Unknown
- Alleged leak of mixed email provider credential combolist
Category: Data Leak
Content: A threat actor operating under the alias Larry_Uchiha shared a mixed email provider combolist on the AE forum, containing credentials for multiple services including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live. The combolist was made available for free to forum members who reply to the thread. The actual content is hidden behind a reply gate, with a Telegram reference suggesting additional distribution channels may exist.
Date: 2026-04-27T13:13:25Z
Network: openweb
Published URL: https://altenens.is/threads/mix-mail-combo-hotmail-outlook-aol-gmx-inbox-icloud-live-2026-3-26.2930445/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Multiple Email Providers (Hotmail, Outlook, AOL, GMX, Inbox, iCloud, Live)
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist targeting multiple regions
Category: Data Leak
Content: A threat actor known as Larry_Uchiha has shared a combolist of approximately 1,600 Hotmail email credentials on the AE forum. The credential list reportedly includes accounts from users across the United States, Europe, Asia, and Russia. The post requires users to reply before accessing the hidden download link, with a Telegram reference suggesting further distribution via that platform.
Date: 2026-04-27T13:13:13Z
Network: openweb
Published URL: https://altenens.is/threads/1-600x-hotmail-access-combo-usa-europe-asia-russian.2930442/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged Data Breach of iKara Vietnamese Karaoke Platform Exposing 342,972 User Records
Category: Data Breach
Content: A threat actor on Breached forums has made available an alleged database dump from iKara, a Vietnam-based karaoke and singing platform, reportedly breached on April 23, 2026. The exposed dataset contains approximately 342,972 records including fields such as email addresses, full names, IP addresses, geographic coordinates, phone numbers, device IDs, and account metadata. Affected users appear to be predominantly located in Vietnam, with the data spanning account creation dates from mid-2020 onw
Date: 2026-04-27T13:08:32Z
Network: openweb
Published URL: https://breached.st/threads/ikara-342-9k.86365/unread
Screenshots:
None
Threat Actors: fent888
Victim Country: Vietnam
Victim Industry: Entertainment / Music Streaming
Victim Organization: iKara
Victim Site: ikara.co
- Alleged Cryptocurrency Giveaway Scam Promoted on Cybercrime Forum
Category: Carding
Content: A forum post on Breached promotes a fraudulent cryptocurrency giveaway scheme, claiming to offer 10–25 USDT to new users with no deposits or withdrawal limits. This is consistent with a social engineering or financial fraud lure designed to deceive users into visiting a malicious or phishing resource. No legitimate threat data, victim organization, or leaked data is associated with this post.
Date: 2026-04-27T13:07:33Z
Network: openweb
Published URL: https://breached.st/threads/star-10-25-usdt-to-everyone-star.86367/unread
Screenshots:
None
Threat Actors: breachedlogs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged data leak of Jiangxi Taixin Steel Co. Ltd. by SnowSoul threat actor
Category: Data Leak
Content: The threat actor group SnowSoul has made available approximately 120GB of database backup files allegedly belonging to Jiangxi Taixin Steel Co. Ltd., a Chinese steel manufacturer with reported annual revenue of 3 billion CNY. The files appear to be Seeyon OA system backups spanning from August 2025 to April 2026, shared freely via FileMirage after the victim reportedly refused to pay a $5,000 USD extortion demand.
Date: 2026-04-27T13:06:58Z
Network: openweb
Published URL: https://breached.st/threads/chinese-data-zhong-guo-shu-ju-snowsoul-id-1305-free-download-120g-bak.86368/unread
Screenshots:
None
Threat Actors: 元帅*
Victim Country: China
Victim Industry: Steel / Manufacturing
Victim Organization: Jiangxi Taixin Steel Co. Ltd.
Victim Site: Unknown
- Website Defacement of cPanel-Hosted Site by dann3xplo1t
Category: Defacement
Content: On April 27, 2026, a threat actor operating under the alias dann3xplo1t defaced a website hosted on a cPanel shared hosting environment, targeting the subdomain giving-teal-jackrabbit.91-203-69-150.cpanel.site. The defaced page was uploaded as stfu.php, indicating potential exploitation of file upload or access control vulnerabilities on the Linux-based server. The incident was recorded as a singular, non-mass defacement with no stated motive or team affiliation.
Date: 2026-04-27T12:56:07Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248704
Screenshots:
None
Threat Actors: dann3xplo1t
Victim Country: Unknown
Victim Industry: Web Hosting / Unknown
Victim Organization: Unknown
Victim Site: giving-teal-jackrabbit.91-203-69-150.cpanel.site
- Alleged sale of RDP access and compromised email accounts
Category: Initial Access
Content: A threat actor is offering rental of RDP access to cloud infrastructure providers (Azure, AWS, DigitalOcean) at $200, along with compromised domain email accounts, Gmail and Yahoo accounts, and GitHub student accounts. The service is advertised as available for daily or monthly rental with escrow protection.
Date: 2026-04-27T12:53:32Z
Network: telegram
Published URL: https://t.me/c/2613583520/70922
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 1.6 million URL-login-password credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist containing approximately 1.6 million URL-login-password credential pairs, dated April 27, 2026. The post offers hidden content to registered forum users, suggesting the combolist is freely shared within the community. No specific victim organization or country has been identified, indicating this may be an aggregated credential list from multiple sources.
Date: 2026-04-27T12:27:18Z
Network: openweb
Published URL: https://crackingx.com/threads/73405/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed combolist with 2,582 credentials
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a mixed combolist containing 2,582 credential entries via a free download link on pasteview.com. The post also advertises a paid private cloud service with tiered pricing, suggesting additional credential data may be accessible to paying subscribers. The combolist is described as mixed, indicating credentials sourced from multiple services or industries.
Date: 2026-04-27T12:26:03Z
Network: openweb
Published URL: https://crackingx.com/threads/73408/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an alleged combolist of approximately 9 million Hotmail credentials, claimed to be valid. The actor is distributing the credential list via Telegram channels and directing interested parties to contact them directly. No price is mentioned, suggesting the combolist is being shared freely.
Date: 2026-04-27T12:25:20Z
Network: openweb
Published URL: https://crackingx.com/threads/73409/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com - Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as HollowKnight has shared a sample combolist containing 1,270 Hotmail email and password combinations on DemonForums. The content is gated behind registration or login, suggesting it is available as a free download to forum members. This appears to be a sample release, potentially intended to advertise a larger credential set.
Date: 2026-04-27T12:24:58Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-1270x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1–201939
Screenshots:
None
Threat Actors: HollowKnight
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com - Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor operating under the alias NotSellerXd has shared a mixed email combolist containing approximately 5,285 email and password combinations on Demon Forums. The content is gated behind registration or login, suggesting it is being made available for free to forum members. No specific victim organization or country has been identified, indicating the credentials likely originate from multiple sources.
Date: 2026-04-27T12:24:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-5285x-MIX-MAIL
Screenshots:
None
Threat Actors: NotSellerXd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of Hotmail credentials combolist sorted by country
Category: Combo List
Content: A threat actor operating under the alias He_Cloud has made available a combolist of 259 alleged premium Hotmail email credentials on the DemonForums cybercrime forum. The list is described as high-quality and is offered as a free download, sorted by country and filtered for active inboxes. No pricing or sale mechanism was mentioned, indicating this is a free leak.
Date: 2026-04-27T12:24:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-259x-PREMIUM-HQ-HOTMAILS-%E2%9A%A1%E2%9A%A1-INBOXES-TARGETS-SORTED-COUNTRIES
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com - Alleged Data Leak of Indonesian National Police (POLRI) Personnel Database
Category: Data Leak
Content: A threat actor using the alias MR-Zeeone-Grayhat has freely shared a JSON database dump containing internal personnel records of the Indonesian National Police (POLRI). The leaked dataset includes 2,006 entries with fields such as rank, full name, duty/position (down to village level), phone number, and email address, covering a range of ranks from BRIPDA to KOMBESPOL. The data was made available as a free download via MediaFire.
Date: 2026-04-27T12:03:29Z
Network: openweb
Published URL: https://breached.st/threads/database-internal-data-of-the-republic-of-indonesia-police-polri.86364/unread
Screenshots:
None
Threat Actors: XZeeoneOfc
Victim Country: Indonesia
Victim Industry: Government – Law Enforcement
Victim Organization: Indonesian National Police (POLRI)
Victim Site: polri.go.id - Alleged Data Leak of Udemy Customer and Instructor Data by ShinyHunters
Category: Data Leak
Content: In April 2026, online learning platform Udemy was targeted by the ShinyHunters group in a pay or leak extortion attempt. Following the refusal or failure to pay, the threat actor publicly leaked data containing approximately 1.4 million unique email addresses belonging to customers and instructors. The leaked dataset also includes names, physical addresses, phone numbers, employer information, and instructor payout details such as PayPal, cheque, and bank transfer information.
Date: 2026-04-27T11:56:59Z
Network: openweb
Published URL: https://darkforums.su/Thread-Udemy-2026
Screenshots:
None
Threat Actors: mnull
Victim Country: United States
Victim Industry: Online Education
Victim Organization: Udemy
Victim Site: udemy.com - Alleged cyberattack on FBI sensitive systems by China-linked threat actors with data exfiltration
Category: Cyber Attack
Content: The FBI disclosed a significant cybersecurity incident affecting one of its sensitive systems containing information related to federal law enforcement investigations and surveillance operations. Threat actors allegedly gained access to highly sensitive data including information on individuals under investigation and surveillance data. The attack was conducted through compromised internet service provider infrastructure, demonstrating sophisticated capabilities. This incident is attributed to Chinese state-linked threat actor groups that have previously targeted critical infrastructure and telecommunications companies.
Date: 2026-04-27T11:54:07Z
Network: telegram
Published URL: https://t.me/c/1283513914/21419
Screenshots:
None
Threat Actors: China-linked threat actors
Victim Country: United States
Victim Industry: Government/Law Enforcement
Victim Organization: Federal Bureau of Investigation (FBI)
Victim Site: Unknown - Alleged phishing kit and bulk SMS infrastructure offering mail access and credential harvesting tools
Category: Phishing
Content: Threat actor operating phishing infrastructure offering mail access across multiple countries (FR, BE, AU, CA, UK, US, NL, PL, DE, JP) along with phishing configs, scripts, tools, and credential lists (combos). Also advertising bulk SMS phishing capability targeting financial services (TradeRepublic, Binance, BBVA, PayPal) in Spain with claims of high traffic availability.
Date: 2026-04-27T11:34:06Z
Network: telegram
Published URL: https://t.me/c/2613583520/70893
Screenshots:
None
Threat Actors: Dataxlogs
Victim Country: Unknown
Victim Industry: Financial Services, Cryptocurrency, Banking
Victim Organization: Unknown
Victim Site: Unknown - Alleged Bank of America Database Breach
Category: Data Breach
Content: A threat actor with the handle Xyph0rix has posted on Breachforums regarding an alleged database breach of Bank of America. The post includes links to the threat actor's profile and a dedicated thread discussing the breach.
Date: 2026-04-27T11:12:57Z
Network: telegram
Published URL: https://t.me/Xyph0rix/220
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Bank of America
Victim Site: bankofamerica.com - Alleged Data Breach of Solusi Arya Prima (solusiaryaprima.co.id)
Category: Data Breach
Content: A threat actor operating under the alias Kyyzo is selling a 41GB+ database allegedly stolen from solusiaryaprima.co.id and premmiere.co.id, Indonesian technology/IT solutions companies. The dataset reportedly contains 2.1 million B2B transaction records, 92,000+ user records, and 175+ sales records, with sample data exposing full names and phone numbers of individuals. The database is being offered for sale on the Breached forum.
Date: 2026-04-27T11:06:14Z
Network: openweb
Published URL: https://breached.st/threads/sell-41gb-database-solusiaryaprima-co-id.86361/unread
Screenshots:
None
Threat Actors: Kyyzo
Victim Country: Indonesia
Victim Industry: Technology / IT Solutions
Victim Organization: Solusi Arya Prima
Victim Site: solusiaryaprima.co.id - Alleged leak of French identity documents pack
Category: Data Leak
Content: A threat actor operating under the alias MAINMAN has made available a pack of French identity documents on the Breached forum. The post, titled FR French France Docs PACKS IDs, offers a free download of what appears to be a collection of French identification documents. No specific organization or victim site has been identified as the source of the leaked materials.
Date: 2026-04-27T11:05:35Z
Network: openweb
Published URL: https://breached.st/threads/fr-french-france-docs-packs-ids.86357/unread
Screenshots:
None
Threat Actors: MAINMAN
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Carding Scam Promoting Fake Tether Cryptocurrency Wallet
Category: Carding
Content: A threat actor on a cybercrime forum is promoting a fraudulent Tether cryptocurrency wallet site at tether-wallet.one, luring users with promises of free USDT tokens and a Tether address. This appears to be a phishing or scam operation designed to steal cryptocurrency funds or credentials from victims seeking free digital currency.
Date: 2026-04-27T11:05:04Z
Network: openweb
Published URL: https://breached.st/threads/how-to-get-tether-me-address-and-10-usdt.86358/unread
Screenshots:
None
Threat Actors: TOPCARDER
Victim Country: Unknown
Victim Industry: Cryptocurrency / Financial Services
Victim Organization: Unknown
Victim Site: tether-wallet.one - Alleged data breach of AFC and Al Nassr FC with player and identity information exposed
Category: Data Breach
Content: Reports indicate a cyberattack resulting in the alleged exposure of data attributed to the Asian Football Confederation (AFC) and Al Nassr FC. The claimed breach includes substantial volumes of information such as player databases, passports, identity information, emails, contract records, and AFC Champions League Elite competition registration forms.
Date: 2026-04-27T11:00:18Z
Network: telegram
Published URL: https://t.me/c/1283513914/21415
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Saudi Arabia
Victim Industry: Sports/Football
Victim Organization: AFC (Asian Football Confederation), Al Nassr FC
Victim Site: Unknown - Alleged sale of email credentials, cookies, and account access across multiple countries
Category: Logs
Content: Threat actor offering for sale email credentials with IMAP access, Gmail cookies, and LinkedIn cookies/passwords. Claims to have valid, private credentials from multiple countries (FR, BE, AU, CA, UK, US, NL, PL, DE, JP) and offers custom requests. Seeking long-term partnerships with data providers. Also advertising fresh database access with inbox features for various platforms (eBay, OfferUp, PSN, Booking, Uber, Poshmark, Amazon, Walmart, Mercari, Kleinanzeigen, neosurf).
Date: 2026-04-27T10:59:50Z
Network: telegram
Published URL: https://t.me/c/2613583520/70857
Screenshots:
None
Threat Actors: Dataxlogs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged sale of web shell access to Italian company servers
Category: Initial Access
Content: A threat actor operating under the alias braun33 is selling web shell access to approximately 100 Italian company servers for $1,500 in cryptocurrency (BTC or ETH). The actor also offers the full list along with the associated exploit for $2,000. An escrow service is available to facilitate transactions.
Date: 2026-04-27T10:53:17Z
Network: openweb
Published URL: https://pwnforums.st/Thread-Italy-Web-shell
Screenshots:
None
Threat Actors: braun33
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Data Breach of Japan Aerospace Exploration Agency (JAXA)
Category: Data Breach
Content: A threat actor identified as APT001 is selling an alleged 7TB database belonging to the Japan Aerospace Exploration Agency (JAXA) for $500. A sample has been made available via a file-sharing link, and an escrow service is offered to facilitate the transaction. The authenticity and contents of the database have not been independently verified.
Date: 2026-04-27T10:51:20Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Japan-Aerospace-Exploration-Agency-JAXA-7TB-Database
Screenshots:
None
Threat Actors: APT001
Victim Country: Japan
Victim Industry: Aerospace & Defense
Victim Organization: Japan Aerospace Exploration Agency (JAXA)
Victim Site: jaxa.jp - Alleged leak of mixed combolist with 2582 credentials
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has shared a mixed combolist containing 2,582 credential pairs via a public paste link and a Telegram channel. The post includes a free download link alongside promotional material for a paid cloud service offering access to additional combolists. A built-in inboxer tool is advertised alongside the leak, suggesting the credentials are intended for account takeover activity.
Date: 2026-04-27T10:43:13Z
Network: openweb
Published URL: https://crackingx.com/threads/73401/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of German mixed-target credential combolist
Category: Combo List
Content: A threat actor known as HQcomboSpace has made available a mixed-target combolist containing approximately 892,295 lines of credentials targeting Germany. The combolist was shared via a Mega.nz download link on the cracking forum CrackingX. No specific victim organization or industry has been identified, as the list appears to aggregate credentials from multiple sources.
Date: 2026-04-27T10:42:05Z
Network: openweb
Published URL: https://crackingx.com/threads/73404/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of mixed email and password combolist with 37,000 credentials
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a mixed combolist containing approximately 37,000 unique email and password credential pairs on DemonForums. The content is gated behind registration or login on the forum. The post also advertises a shop (unique-combo.shop) offering combolists from various countries upon request.
Date: 2026-04-27T10:41:36Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-MIX-Unique-Combo-1-37000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged Data Leak of Uzbekistan Cybersecurity Center and State Security Service Database
Category: Data Leak
Content: A threat actor using the handle cyberpuls posted on BreachForums claiming to have leaked a database belonging to the Uzbekistan Cybersecurity Center and the State Security Service. The post includes what appears to be an embedded image, likely containing sample data or proof of the alleged breach. The data appears to have been made available for free to forum members.
Date: 2026-04-27T10:33:19Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-Uzbekistan-Cybersecurity-Center-State-Security-Service-Database-Leaked
Screenshots:
None
Threat Actors: cyberpuls
Victim Country: Uzbekistan
Victim Industry: Government
Victim Organization: Uzbekistan Cybersecurity Center / State Security Service
Victim Site: Unknown - Alleged imminent cyber attack threat against United States Navy by Handala Hack
Category: Cyber Attack
Content: Handala Hack threat actor posted a message claiming the US Navy is vulnerable and threatening an imminent attack in the coming hours to demonstrate their infiltration capabilities. The post includes threatening language directed at US government entities.
Date: 2026-04-27T10:25:55Z
Network: telegram
Published URL: https://t.me/c/3686754935/30
Screenshots:
None
Threat Actors: Handala Hack
Victim Country: United States
Victim Industry: Government/Military
Victim Organization: United States Navy
Victim Site: Unknown - Alleged data breach of Brillenplatz.de
Category: Data Breach
Content: A threat actor operating under the alias sprrhr0 is selling a database allegedly stolen from Brillenplatz.de, a German online eyewear retailer. The dataset contains approximately 478,344 records including full names, email addresses, phone numbers, dates of birth, gender, age, and physical addresses. The data is claimed to have been breached on April 27, 2026, and is being offered for $150 via Telegram.
Date: 2026-04-27T10:20:15Z
Network: openweb
Published URL: https://breached.st/threads/brillenplatz-de-478-3k.86356/unread
Screenshots:
None
Threat Actors: sprrhr0
Victim Country: Germany
Victim Industry: Retail – Eyewear / Optical
Victim Organization: Brillenplatz
Victim Site: brillenplatz.de - Alleged Data Breach of OLX Poland with 23 Million User Records for Sale
Category: Data Breach
Content: A threat actor is selling an alleged database dump from OLX Poland (olx.pl), a major Polish online classifieds and e-commerce platform. The dataset reportedly contains 23 million records including full names, regions, and mobile phone numbers of users. The seller is offering the database for 1,980 USD and can be contacted via the handle Tcznxhdk.
Date: 2026-04-27T10:19:23Z
Network: openweb
Published URL: https://breached.st/threads/olx-pl-database.86355/unread
Screenshots:
None
Threat Actors: xcgtyrewty
Victim Country: Poland
Victim Industry: E-Commerce & Online Marketplace
Victim Organization: OLX Poland
Victim Site: olx.pl - Alleged Firefox Vulnerability (CVE-2026-6770) Enabling Tor User Identification
Category: Vulnerability
Content: A security vulnerability identified as CVE-2026-6770 in Firefox was discovered that could enable user tracking even in private browsing mode. The flaw operates through the IndexedDB interface, allowing correlation of user activity across different websites. The vulnerability also affected Tor Browser, compromising anonymity features. Mozilla patched the issue in Firefox version 150 and the Tor Project in version 15.0.10.
Date: 2026-04-27T10:16:58Z
Network: telegram
Published URL: https://t.me/c/1283513914/21411
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged data breach of Jetstar Asia Airways
Category: Data Breach
Content: A threat actor operating under the alias sprrhr0 is selling an alleged database dump from Jetstar Asia Airways, a Singapore-based budget airline. The dataset purportedly contains over 24 million records including personal identifiers, contact details, addresses, phone numbers, email addresses, and emergency contact information. The seller is asking $1,450 for the data and can be reached via Telegram.
Date: 2026-04-27T09:41:57Z
Network: openweb
Published URL: https://breached.st/threads/jetstar-com-24-1m.86353/unread
Screenshots:
None
Threat Actors: sprrhr0
Victim Country: Singapore
Victim Industry: Aviation / Transportation
Victim Organization: Jetstar Asia Airways
Victim Site: jetstar.com - Murata Details Data Exposure but Says Operations Unaffected After Cyberattack – TipRanks.com
Category: Cyber Attack
Content: Murata Manufacturing Co. announced that it experienced unauthorized access to its IT environment, although its day-to-day operations are not affected. Approximately 73,000 employee records and 15,000 customer or partner records may have been compromised, including personal and business data. The company is working with authorities and cybersecurity experts to monitor risks and strengthen its security measures.
Date: 2026-04-27T09:33:06Z
Network: openweb
Published URL: https://www.tipranks.com/news/company-announcements/murata-details-data-exposure-but-says-operations-unaffected-after-cyberattack
Screenshots:
None
Threat Actors:
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Murata Manufacturing Co.
Victim Site: murata.com - Generation Life suffers cyber incident – Money Management
Category: Cyber Attack
Content: Generation Development Group (GDG) informed its shareholders of a contained cybersecurity incident affecting its subsidiary, Generation Life, following unauthorized access via a third-party provider. The company quickly detected and contained the incident, with no evidence of impact on core systems or of fraudulent transactions. GDG notified several Australian bodies, including APRA and the ACSC, while conducting a thorough investigation into the nature of this activity.
Date: 2026-04-27T09:33:03Z
Network: openweb
Published URL: https://www.moneymanagement.com.au/generation-life-suffers-cyber-incident/
Screenshots:
None
Threat Actors:
Victim Country: Australia
Victim Industry: Unknown
Victim Organization: Generation Development Group (GDG)
Victim Site: genlife.com.au - Alleged Data Leak of DEA Opioid Distribution Records and US Pharmacy Data
Category: Data Leak
Content: A threat actor has made available files allegedly sourced from an exposed AWS S3 bucket (coiled-datasets.s3.amazonaws.com) containing DEA opioid distribution records, including the ARCOS Washington Post dataset (up to 74.5GB). A compressed subset of the opioid data (405.3MB) has been shared via Gofile. Additional files including mortgage data were referenced but reportedly not downloaded by the actor.
Date: 2026-04-27T09:22:13Z
Network: openweb
Published URL: https://pwnforums.st/Thread-every-drug-store-in-the-USA-who-sold-Opioids
Screenshots:
None
Threat Actors: OriginalCrazyOldFart
Victim Country: United States
Victim Industry: Healthcare / Pharmaceutical
Victim Organization: Drug Enforcement Administration (DEA)
Victim Site: coiled-datasets.s3.amazonaws.com - Alleged Data Leak of Bordeaux-Métropole Tourist Tax Registration Database
Category: Data Leak
Content: A threat actor known as ChimeraZ has freely leaked a partial database from the Bordeaux Métropole tourist tax portal (taxedesejour.bordeaux.metropole.fr). The dataset contains approximately 11,000 records in JSON format (3.1 MB) including registrant names, email addresses, phone numbers, postal addresses, and registration dates of accommodation operators. The data has been made available via multiple file-sharing platforms.
Date: 2026-04-27T09:20:32Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-11K-H%C3%89BERGEMENTS-TAXES-DE-SEJOUR-DE-BORDEAUX-METROPOLE
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: Government
Victim Organization: Bordeaux Métropole
Victim Site: taxedesejour.bordeaux.metropole.fr - Alleged leak of Georgian email credentials combolist
Category: Combo List
Content: A threat actor known as CobraEgy has shared a combolist of over 10,000 email and password pairs allegedly belonging to Georgian users on Demonforums. The credential list is described as fresh and high quality, and is made available for free via hidden content requiring forum registration. The post also promotes a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-27T09:13:25Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-10-K-%E2%9C%A6-Georgia-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-27-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Georgia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of Yahoo credential combolist
Category: Combo List
Content: A threat actor on CrackingX has made available a combolist of approximately 388,760 Yahoo email credentials, described as mixed country. The credential list has been shared via a Mega.nz link at no apparent cost. The combolist is labeled as 2026 and contains email and password combinations associated with Yahoo accounts.
Date: 2026-04-27T09:13:22Z
Network: openweb
Published URL: https://crackingx.com/threads/73397/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com - Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX shared what they claim to be a fresh combolist of Hotmail account credentials, referred to as hits indicating validated working logins. The post content is hidden behind a registration wall, limiting visibility into the full scope and record count of the alleged credential list.
Date: 2026-04-27T09:13:07Z
Network: openweb
Published URL: https://crackingx.com/threads/73398/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com - Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a combolist of 481 alleged UHQ (ultra-high quality) Hotmail credentials via a public paste link. The post also promotes a paid private cloud service offering additional credential lists and a built-in email inboxer tool, accessible via Telegram for fees ranging from $3 to $120.
Date: 2026-04-27T09:12:50Z
Network: openweb
Published URL: https://crackingx.com/threads/73399/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com - Alleged leak of Hong Kong email credential combolist
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist containing over 11,000 email and password combinations associated with Hong Kong users on the DemonForums cybercrime forum. The credential list is described as fresh and high quality, and is being distributed for free via a hidden content link. The actor also promotes a Telegram channel Maxi_links for additional combolist distributions.
Date: 2026-04-27T09:12:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-11-K-%E2%9C%A6-Hong-Kong-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-27-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Hong Kong
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of Hotmail credential combolist with forum-valid accounts
Category: Combo List
Content: A threat actor operating under the alias ValidMail has made available a combolist of approximately 40,000 Hotmail email credentials on the cracking forum CrackingX. The post claims the credentials have been validated against forum accounts, suggesting active usability. The full content requires forum registration or login to access.
Date: 2026-04-27T09:12:15Z
Network: openweb
Published URL: https://crackingx.com/threads/73400/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com - Alleged unauthorized access to Anthropic's Mathis security tool by anonymous threat actor
Category: Initial Access
Content: According to Bloomberg reporting, an anonymous group gained unauthorized access to Anthropic's Mathis cybersecurity tool, a restricted-use security instrument designed for organizational use. The tool was in beta testing with select companies including Apple. Access was obtained through a third-party contractor of Anthropic, with an insider involved in the external contractor organization. The group reportedly gained access by guessing the online location of the model. Anthropic states they are investigating but have found no evidence of damage or compromise to main systems. The company emphasizes that limited distribution of Mathis was intended to prevent misuse, as the tool could become a powerful hacking instrument if used improperly.
Date: 2026-04-27T09:01:14Z
Network: telegram
Published URL: https://t.me/c/1283513914/21409
Screenshots:
None
Threat Actors: Anonymous group
Victim Country: United States
Victim Industry: Artificial Intelligence / Cybersecurity
Victim Organization: Anthropic
Victim Site: anthropic.com - Alleged leak of session cookies for multiple platforms including eBay, OnlyFans, and Binance
Category: Data Leak
Content: A threat actor operating under the alias bluestarcrack has shared session cookies for multiple platforms including eBay, OnlyFans, and Binance via a file hosted on Uploadery. The leaked cookies could allow unauthorized account access by bypassing authentication on the affected platforms. No pricing was mentioned, suggesting the data was made available for free.
Date: 2026-04-27T08:54:04Z
Network: openweb
Published URL: https://breached.st/threads/cookies-ebay-onlyfans-binance-more.86350/unread
Screenshots:
None
Threat Actors: bluestarcrack
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: eBay, OnlyFans, Binance
Victim Site: ebay.com, onlyfans.com, binance.com - Alleged leak of Gmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist of approximately 6,142 Gmail credentials on a cracking forum. The combolist, dated April 26, 2026, is described as a mixed domain target collection and is being distributed freely via a Mega file-sharing link. The post requires a reaction to access the hidden download link.
Date: 2026-04-27T08:24:56Z
Network: openweb
Published URL: https://crackingx.com/threads/73389/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com - Alleged leak of mixed stealer logs combolist by threat actor fatetraffic
Category: Combo List
Content: A threat actor known as fatetraffic has made available a mixed combolist of 1,750 stealer log entries dated April 27, 2026, via a Pixeldrain file-sharing link. The post, shared on the cracking forum CrackingX, includes a password-protected archive containing credential data harvested from information-stealing malware. No specific victim organization or country has been identified.
Date: 2026-04-27T08:24:38Z
Network: openweb
Published URL: https://crackingx.com/threads/73392/
Screenshots:
None
Threat Actors: fatetraffic
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown - Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available an alleged combolist of 11 million Hotmail credentials on the cracking forum CX. The post directs users to contact the actor via Telegram (@CODER5544) or join their Telegram channels for free combo lists and related tools.
Date: 2026-04-27T08:24:16Z
Network: openweb
Published URL: https://crackingx.com/threads/73395/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com - Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 1,089 alleged valid Hotmail credentials on a cracking forum. The post describes the hits as premium and associated with private cloud access, suggesting the accounts may have cloud storage linked. The actor also promotes a Telegram handle alphaaxd for further contact.
Date: 2026-04-27T08:24:00Z
Network: openweb
Published URL: https://crackingx.com/threads/73396/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com - Alleged sale of counterfeit currency bypassing detection systems
Category: Cyber Attack
Content: Threat actor advertising counterfeit banknotes (精品假钞) with capability to pass B-level and C-level counterfeit detection machines. Telegram channel link provided for transaction facilitation.
Date: 2026-04-27T08:21:40Z
Network: telegram
Published URL: https://t.me/c/2613583520/70782
Screenshots:
None
Threat Actors: Yoandi
Victim Country: Unknown
Victim Industry: Financial
Victim Organization: Unknown
Victim Site: Unknown - Alleged WinML-based in-memory payload staging and EDR evasion technique published
Category: Initial Access
Content: A threat actor known as RedQueen published a detailed technical post on the T1 forum describing a technique to abuse Windows Machine Learning (WinML) for in-memory payload staging and EDR evasion on Windows 10/11. The method involves embedding arbitrary payloads within ONNX model protobuf structures, loading them entirely from memory via WinML API to leave no disk artifacts, and leveraging legitimate ML API call chains to blend in with normal application behavior. Full proof-of-concept code is p
Date: 2026-04-27T08:10:42Z
Network: openweb
Published URL: https://tier1.life/thread/179
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Multiple Stolen Databases Including SSN, Passports, and Corporate Records
Category: Data Breach
Content: A threat actor operating under the alias jannat123 is advertising multiple stolen datasets for sale via Telegram, including full company databases, scanned identity documents (IDs, driver's licenses, passports), consumer information, SSN/SIN records, phone and email lists, credential combolists, and large site database dumps. The offerings span both individual and corporate data, suggesting aggregation from multiple sources. Contact is facilitated through the Telegram handle @jannat646500.
Date: 2026-04-27T08:09:44Z
Network: openweb
Published URL: https://xforums.st/threads/drivers-license-ssn-passports-combo-emails-databases-llc-ein-ltd.610774/
Screenshots:
None
Threat Actors: jannat123
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Fraudulent Philippine Government Identity Documents
Category: Carding
Content: A threat actor operating under the alias W4Rlord is selling allegedly government-registered counterfeit Philippine identification documents, including UMID, TIN ID, National ID (PhilSys), PRC ID, and LTO Driver's License. The listings claim the IDs feature valid QR codes and complete personal details, suggesting potential document forgery or fraudulent issuance. Payment is accepted via USDT and Monero (XMR), with contact facilitated through Telegram.
Date: 2026-04-27T08:02:23Z
Network: openweb
Published URL: https://breached.st/threads/philippine-government-ids-umid-tin-national-id-prc-drivers-license.86349/unread
Screenshots:
None
Threat Actors: W4Rlord
Victim Country: Philippines
Victim Industry: Government
Victim Organization: Philippine Government (UMID, BIR, PhilSys, PRC, LTO)
Victim Site: Unknown
- Alleged sale of administrative webshell access to technology company by threat actor Toton
Category: Initial Access
Content: Threat actor Toton is allegedly selling initial administrative access to a technology company and software service provider. The access is reported to be an ASPX webshell with network administrator-level privileges, enabling control of critical system components. The asking price is approximately $800 USD.
Date: 2026-04-27T07:51:46Z
Network: telegram
Published URL: https://t.me/c/1283513914/21404
Screenshots:
None
Threat Actors: Toton
Victim Country: Unknown
Victim Industry: technology/software services
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of Blue Light Phishing-as-a-Service platform by goodboytaxis
Category: Phishing
Content: Threat actor goodboytaxis is offering a Phishing-as-a-Service (PhaaS) platform called Blue Light with a base price of $1,500 USD plus 7% commission. The service includes a full administrative panel with multi-level access, live user monitoring, detailed event logging, and the ability to capture sensitive information including passwords and identity data. Pre-configured phishing pages targeting financial institutions including Bank of America, Chime, and TowneBank are available through the service.
Date: 2026-04-27T07:42:28Z
Network: telegram
Published URL: https://t.me/c/1283513914/21403
Screenshots:
None
Threat Actors: goodboytaxis
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Techsum Digital by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced a subdomain of Techsum Digital by uploading a text file (0x.txt) to the target server. The incident was a single-target defacement with no indication of mass or repeated compromise. The attack was documented and mirrored via zone-xsec.com.
Date: 2026-04-27T07:41:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915262
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Techsum Digital
Victim Site: zetch.techsum.digital
- Website Defacement of Soodne Haagis by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Estonian website soodnehaagis.ee. The defacement was a targeted, single-site incident and does not appear to be part of a mass defacement campaign. A mirror of the defaced page was archived at zone-xsec.com for reference.
Date: 2026-04-27T07:40:33Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915254
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Estonia
Victim Industry: Retail / E-commerce
Victim Organization: Soodne Haagis
Victim Site: soodnehaagis.ee
- Website Defacement of totallyreal.co by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website totallyreal.co by altering a file at the path /0x.txt. The defacement was a targeted, single-site incident with no indication of mass or repeated defacement activity. No specific motivation or server details were disclosed in connection with this incident.
Date: 2026-04-27T07:39:47Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915268
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: totallyreal.co
- Website defacement of funship.club by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor operating under the alias chinafans, affiliated with 0xteam, defaced the website funship.club by uploading a defacement file at the path /0x.txt. The incident was a targeted, single-site defacement with no indication of mass or repeated compromise. The server details and underlying infrastructure information were not publicly disclosed.
Date: 2026-04-27T07:38:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915275
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Entertainment / Leisure
Victim Organization: Funship
Victim Site: funship.club
- Website Defacement of Tideborn Maritime by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor operating under the alias chinafans and affiliated with 0xteam defaced the website of Tideborn Maritime, a maritime industry organization. The defacement targeted a specific file path (0x.txt) rather than the homepage, indicating a targeted file upload or directory traversal exploitation. The incident was recorded and mirrored by zone-xsec.com.
Date: 2026-04-27T07:38:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915255
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Maritime / Shipping
Victim Organization: Tideborn Maritime
Victim Site: tidebornmaritime.com
- Website Defacement of inesevaltere.com by chinafans (0xteam)
Category: Defacement
Content: The website inesevaltere.com was defaced by threat actor chinafans operating under the group 0xteam on April 27, 2026. The defacement was a targeted single-site incident, with the attacker leaving a marker at the path /0x.txt. No specific motive or reason was disclosed for the attack.
Date: 2026-04-27T07:37:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915278
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Inese Valtere
Victim Site: inesevaltere.com
- Website Defacement of Brazilian Health Plan Provider by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, affiliated with 0xteam, defaced a page on the Brazilian health plan provider website planodesaudecliniplam.com.br. The incident was a targeted single-page defacement, not classified as a mass or home defacement. The server details and specific motive remain unknown.
Date: 2026-04-27T07:36:49Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915269
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Healthcare
Victim Organization: Cliniplam Health Plan
Victim Site: planodesaudecliniplam.com.br
- Website Defacement of India Sports Nation by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Indian sports news website indiasportsnation.com. The defacement was a targeted single-site attack, leaving a text file at the path /0x.txt as evidence of compromise. The incident was archived and mirrored by zone-xsec.com for threat intelligence purposes.
Date: 2026-04-27T07:36:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915270
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Sports & Recreation Media
Victim Organization: India Sports Nation
Victim Site: indiasportsnation.com
- Website Defacement of Coopertransfer by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the Brazilian transportation and logistics website coopertransfer.com.br was defaced by threat actor chinafans operating under the group 0xteam. The attacker uploaded a defacement file at the path /0x.txt, consistent with the team's naming convention. The incident was a targeted, single-site defacement with no mass or re-defacement indicators reported.
Date: 2026-04-27T07:35:14Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915247
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Transportation / Logistics
Victim Organization: Cooper Transfer
Victim Site: coopertransfer.com.br
- Website Defacement of Stickerket Nigeria by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the Nigerian e-commerce website stickerket.com.ng was defaced by a threat actor identified as chinafans, operating under the group 0xteam. The defacement was a targeted single-site attack, with a mirror of the defaced page archived at zone-xsec.com. No specific motivation or server details were disclosed in the available data.
Date: 2026-04-27T07:34:34Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915292
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Nigeria
Victim Industry: E-commerce / Retail
Victim Organization: Stickerket
Victim Site: stickerket.com.ng
- Website Defacement of Sukien Starlight by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Vietnamese website sukienstarlight.vn. The attacker uploaded a defacement file at the path /0x.txt, targeting what appears to be an events or entertainment organization. The incident was a single targeted defacement, not part of a mass or repeated attack campaign.
Date: 2026-04-27T07:33:52Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915253
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Vietnam
Victim Industry: Events and Entertainment
Victim Organization: Sukien Starlight
Victim Site: sukienstarlight.vn
- Website Defacement of InspireCities by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website inspirecities.org was defaced by a threat actor identified as chinafans, operating under the group 0xteam. The attacker placed a defacement file at the path /0x.txt on the target server. The incident was recorded as a single-target, non-mass defacement with no prior redefacement history.
Date: 2026-04-27T07:33:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915252
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Non-Profit / Urban Development
Victim Organization: InspireCities
Victim Site: inspirecities.org
- Website Defacement of Vikens Taxi by chinafans (0xteam)
Category: Defacement
Content: The threat actor chinafans, operating under the group 0xteam, defaced the website of Vikens Taxi, a transportation company likely based in Norway. The defacement was recorded on April 27, 2026, targeting a specific file path on the domain. The incident was a single targeted defacement, not classified as a mass or repeated attack.
Date: 2026-04-27T07:32:26Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915274
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Norway
Victim Industry: Transportation
Victim Organization: Vikens Taxi
Victim Site: vikenstaxi.com
- Website Defacement of sebuya.id by chinafans of 0xteam
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Indonesian website sebuya.id. The defacement was a targeted single-site incident, with the defaced content hosted at the path /0x.txt. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-04-27T07:32:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915291
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Sebuya
Victim Site: sebuya.id
- Website Defacement of Brazilian Law Firm josemenck.adv.br by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Brazilian law firm website josemenck.adv.br, leaving a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no indication of mass or repeated compromise. No specific motive or vulnerability details were disclosed.
Date: 2026-04-27T07:30:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915285
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Legal Services
Victim Organization: José Menck Advocacia
Victim Site: josemenck.adv.br
- Website Defacement of PromedTutor by chinafans (0xteam)
Category: Defacement
Content: The website promedtutor.com was defaced by threat actor chinafans, operating under the group 0xteam, on April 27, 2026. The defacement targeted a tutoring or medical education platform, with the attacker leaving a signature file at the path /0x.txt. No specific motivation or additional technical details were disclosed for this incident.
Date: 2026-04-27T07:30:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915277
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Education
Victim Organization: PromedTutor
Victim Site: promedtutor.com
- Website defacement of vannguyen.it.com by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website vannguyen.it.com by uploading a defacement file (0x.txt). The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity. The server details and specific motive behind the attack remain unknown.
Date: 2026-04-27T07:29:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915283
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Information Technology
Victim Organization: Van Nguyen IT
Victim Site: vannguyen.it.com
- Website Defacement of Del Delivery by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website deldelivery.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The attacker left a defacement file at the path /0x.txt. No specific motive, exploited vulnerability, or server details were disclosed in connection with this incident.
Date: 2026-04-27T07:28:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915259
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Logistics / Delivery Services
Victim Organization: Del Delivery
Victim Site: deldelivery.com
- Website Defacement of GatheringGreen by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website gatheringgreen.org was defaced by threat actor chinafans operating under the group 0xteam. The attacker replaced content at the targeted URL with a defacement page, as archived in the zone-xsec mirror. The incident was a single-target, non-mass defacement with no specific motive publicly stated.
Date: 2026-04-27T07:28:05Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915264
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Environmental / Non-Profit
Victim Organization: Gathering Green
Victim Site: gatheringgreen.org
- Website Defacement of Core Skin Clinic by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Core Skin Clinic by uploading a defacement file at coreskinclinic.com/0x.txt. The incident was a targeted, single-site defacement with no indication of mass or repeated defacement activity. The attacker's motivation and technical details regarding the server infrastructure remain unknown.
Date: 2026-04-27T07:27:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915280
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Healthcare / Beauty & Aesthetics
Victim Organization: Core Skin Clinic
Victim Site: coreskinclinic.com
- Alleged leak of French email and password credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist containing approximately 1.547 million email and password credential pairs targeting France. The content is described as fresh and high quality, and is being distributed freely via a hidden download link on DemonForums. The actor also promotes additional combolists through a Telegram channel identified as Maxi_links.
Date: 2026-04-27T07:26:55Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-1-547-K-%E2%9C%A6-France-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-27-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of namngocwinport.vn by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Vietnamese website namngocwinport.vn by uploading a defacement file (0x.txt). The incident was a targeted single-site defacement with no indication of mass or repeated compromise. The attack was documented and mirrored by zone-xsec.com.
Date: 2026-04-27T07:26:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915267
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Vietnam
Victim Industry: Unknown
Victim Organization: Nam Ngoc Win Port
Victim Site: namngocwinport.vn
- Alleged leak of German email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist containing approximately 672,000 email:password credential pairs reportedly associated with German users. The list is described as fresh and high quality, and is being distributed freely via the Demon Forums platform. Additional combolists are promoted through a Telegram channel linked to Maxi_links.
Date: 2026-04-27T07:26:37Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-672-K-%E2%9C%A6-Germany-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-27-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged data breach of Thailand Engineering Council affecting 350,000 engineers
Category: Data Breach
Content: The Thailand Engineering Council reported a cybersecurity incident resulting in the exposure of approximately 350,000 engineers' personal information. Attackers exploited a vulnerable data migration window between servers, sending a high volume of requests over approximately 10 hours to extract sensitive data from the database.
Date: 2026-04-27T07:26:26Z
Network: telegram
Published URL: https://t.me/c/1283513914/21402
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Thailand
Victim Industry: Professional Engineering Association
Victim Organization: Thailand Engineering Council
Victim Site: Unknown
- Alleged spam or promotional post referencing Globelink travel insurance
Category: Combo List
Content: A post on a cracking forum references Globelink's comprehensive travel insurance website. The post does not contain any clear threat activity, data leak, or breach claim, and appears to be spam or a promotional message. No stolen data, credentials, or malicious content is evident.
Date: 2026-04-27T07:26:21Z
Network: openweb
Published URL: https://crackingx.com/threads/73385/
Screenshots:
None
Threat Actors: alexsnowy1985
Victim Country: Unknown
Victim Industry: Insurance
Victim Organization: Globelink
Victim Site: globelink.eu
- Alleged leak of Greek email and password credentials
Category: Combo List
Content: A threat actor operating under the alias CobraEgy has made available a combolist containing over 75,000 email and password credential pairs allegedly associated with Greek users. The post, shared on DemonForums and promoted via the Telegram channel Maxi_links, describes the data as fresh and high quality. No specific organization or breach source has been identified.
Date: 2026-04-27T07:26:12Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-75-K-%E2%9C%A6-Greece-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-27-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Greece
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias Steveee36 has made available a combolist allegedly containing 1,624 Hotmail credentials on the cracking forum CrackingX. The post offers a free download of the file, described as HQ (high quality), suggesting the credentials may be recently verified or active.
Date: 2026-04-27T07:26:06Z
Network: openweb
Published URL: https://crackingx.com/threads/73386/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Finnish email and password credentials
Category: Combo List
Content: A threat actor known as CobraEgy has shared a combolist of approximately 14,000 email and password credential pairs associated with Finnish users on the DemonForums cybercrime forum. The credentials are described as fresh and high quality, and are made available for free via hidden content requiring forum registration. The post also references a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-27T07:25:57Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-14-K-%E2%9C%A6-Finland-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-27-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Finland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 11.88 million URL:Login:Password credentials
Category: Combo List
Content: A threat actor operating under the alias Daxus has made available a combolist containing approximately 11.88 million URL, login, and password combinations on the cracking forum CrackingX. The post directs users to the Daxus.pro website and an associated Telegram channel for access to the full dataset. No specific victim organization or country has been identified, suggesting this is an aggregated credential list.
Date: 2026-04-27T07:25:52Z
Network: openweb
Published URL: https://crackingx.com/threads/73387/
Screenshots:
None
Threat Actors: Daxus
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of fresh Hotmail credentials
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a combolist of 481 alleged fresh Hotmail credentials via a public paste link. The post also promotes a paid cloud storage service attributed to the same actor, offering tiered subscription plans for private credential storage. The actor claims the credentials are active and promotes a built-in inboxer tool suggesting intended use for email account takeover.
Date: 2026-04-27T07:25:35Z
Network: openweb
Published URL: https://crackingx.com/threads/73388/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Estonian email credentials combolist
Category: Combo List
Content: A threat actor known as CobraEgy has made available a combolist of approximately 16,000+ email and password combinations allegedly associated with Estonian users on DemonForums. The credentials are described as fresh and high quality, and are shared for free via hidden content requiring forum registration. The post also references a Telegram channel (Maxi_links) for additional combolists.
Date: 2026-04-27T07:25:32Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-16-K-%E2%9C%A6-Estonia-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6Maxi-Leaks%E2%9C%A6-27-4-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Estonia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of New Generation Church FL by chinafans (0xteam)
Category: Defacement
Content: The threat actor chinafans, operating under the group 0xteam, defaced the website of New Generation Church FL, a religious organization based in Florida, United States. The defacement was recorded on April 27, 2026, and targeted a specific page rather than the homepage. No mass or repeated defacement activity was indicated in this incident.
Date: 2026-04-27T07:20:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915185
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Religious Organization
Victim Organization: New Generation Church FL
Victim Site: newgenerationchurchfl.com
- Website Defacement of Gods Grass Lawn Care by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Gods Grass Lawn Care, a small business in the lawn care and landscaping industry. The defacement was a targeted, single-site incident and does not appear to be part of a mass defacement campaign. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-04-27T07:19:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915227
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Landscaping / Lawn Care Services
Victim Organization: Gods Grass Lawn Care
Victim Site: godsgrasslawncare.com
- Website Defacement of FeetFinesse by chinafans (0xTeam)
Category: Defacement
Content: On April 27, 2026, the website feetfinesse.com was defaced by threat actor chinafans operating under the group 0xTeam. The attacker uploaded a defacement file (0x.txt) to the target web server. No specific motive or vulnerability details were disclosed in connection with this incident.
Date: 2026-04-27T07:19:13Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915208
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail/E-commerce
Victim Organization: FeetFinesse
Victim Site: feetfinesse.com
- Website Defacement of 20220.ch by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Swiss website 20220.ch. The defacement was a targeted single-site incident, with a mirror of the defaced page archived at zone-xsec.com. No specific motive or vulnerability details were disclosed.
Date: 2026-04-27T07:18:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915176
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Switzerland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: 20220.ch
- Website Defacement of JJA Law Mediation by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website jjalaw-mediation.com, belonging to JJA Law Mediation, was defaced by threat actor chinafans operating under the group 0xteam. The defacement was a targeted, non-mass incident affecting a single page on the domain. No specific motive or server details were disclosed.
Date: 2026-04-27T07:17:47Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915194
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Legal Services
Victim Organization: JJA Law Mediation
Victim Site: jjalaw-mediation.com
- Website Defacement of Savvy Winner by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website savvywinner.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a specific file path (/0x.txt) rather than the homepage, indicating a targeted file-level intrusion. No specific motive or additional technical details were disclosed in connection with this incident.
Date: 2026-04-27T07:17:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915195
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Savvy Winner
Victim Site: savvywinner.com
- Website Defacement of CorporateFever by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website corporatefever.com was defaced by threat actor chinafans, operating under the group 0xteam. The attacker placed a defacement file at the path /0x.txt on the target server. No specific motive, proof of concept, or additional technical details were disclosed in connection with this incident.
Date: 2026-04-27T07:16:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915187
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Media/Business News
Victim Organization: CorporateFever
Victim Site: corporatefever.com
- Website Defacement of Lancer by chinafans (0xteam)
Category: Defacement
Content: A threat actor known as chinafans, operating under the group 0xteam, defaced a file hosted on the CDN subdomain of lancer.website on April 27, 2026. The defacement targeted a specific text file (0x.txt) rather than the homepage, indicating a targeted content injection rather than a full site takeover. The incident was recorded and mirrored by zone-xsec.com under mirror ID 915233.
Date: 2026-04-27T07:15:36Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915233
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology/Freelancing Services
Victim Organization: Lancer
Victim Site: cdn.lancer.website
- Website Defacement of Grotesk Agency by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website grotesk.agency was defaced by threat actor chinafans, operating under the group 0xteam. The attacker planted a defacement file at the path /0x.txt. The incident was a targeted, non-mass defacement with no specific motive publicly disclosed.
Date: 2026-04-27T07:14:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915190
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Creative/Design Agency
Victim Organization: Grotesk Agency
Victim Site: grotesk.agency
- Website Defacement of fjaldesign.nl by chinafans of 0xteam
Category: Defacement
Content: On April 27, 2026, the website fjaldesign.nl, belonging to a Dutch design firm, was defaced by a threat actor identified as chinafans operating under the group 0xteam. The defacement was a targeted, non-mass incident, with the attacker leaving a text-based payload at the path /0x.txt. No specific motivation or server details were disclosed.
Date: 2026-04-27T07:14:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915191
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Netherlands
Victim Industry: Design / Creative Services
Victim Organization: FJAL Design
Victim Site: fjaldesign.nl
- Alleged sale of stolen payment cards, dumps, fullz, and bank logs via Telegram
Category: Carding
Content: A threat actor operating under the alias Andcolllee is advertising a range of fraudulent financial products including cloned cards, ATM dump tracks (101/201 with PIN), fullz with SSN/DOB, bank logs, EBT dumps, and identity documents. The actor claims worldwide availability and a 100% approval rate, with contact facilitated via Telegram handle @GSquah. This activity is consistent with a carding operation offering stolen payment and identity data for fraud purposes.
Date: 2026-04-27T07:13:34Z
Network: openweb
Published URL: https://altenens.is/threads/cc-cvv-vbv-non-vbv-dumps-fullz-bank-logs-full-info-best-all-linkables-quality-product-list-always-selling-stuff-high-qualit.2930338/unread
Screenshots:
None
Threat Actors: Andcolllee
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Ideal Appliance Repair by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Ideal Appliance Repair, a home appliance repair service. The attack was a targeted single-site defacement, with a mirror of the defacement archived at zone-xsec.com. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-27T07:13:30Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915179
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Home Appliance Repair Services
Victim Organization: Ideal Appliance Repair
Victim Site: ideal-appliance-repair.com
- Website Defacement of Radteam.tirol by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website radteam.tirol was defaced by a threat actor operating under the handle chinafans, affiliated with the group 0xteam. The defacement targeted a specific text file (0x.txt) on the Austrian domain. The incident was recorded as a singular, non-mass defacement event with no prior redefacement history.
Date: 2026-04-27T07:12:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915189
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Austria
Victim Industry: Unknown
Victim Organization: Radteam Tirol
Victim Site: radteam.tirol
- Website Defacement of Ahhao Auto Car by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor operating under the alias chinafans, affiliated with 0xteam, defaced a file on the Vietnamese automotive website ahhaoautocar.vn. The defacement targeted a specific path (0x.txt) rather than the homepage, indicating a targeted file-level intrusion. The incident was recorded as a single, non-mass defacement event.
Date: 2026-04-27T07:12:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915193
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Vietnam
Victim Industry: Automotive
Victim Organization: Ahhao Auto Car
Victim Site: ahhaoautocar.vn
- Website Defacement of Dr. Sambit Patnaik by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Dr. Sambit Patnaik, an individual medical practitioner. The defacement targeted a specific file path (0x.txt) on the domain, suggesting a targeted file-level intrusion rather than a full homepage takeover. No specific motivation or technical server details were disclosed.
Date: 2026-04-27T07:11:25Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915210
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Healthcare / Medical Services
Victim Organization: Dr. Sambit Patnaik (Medical Practice)
Victim Site: drsambitpatnaik.com
- Website Defacement of werefuseabusetvglobal.org by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website werefuseabusetvglobal.org was defaced by a threat actor known as chinafans, operating under the group 0xteam. The targeted organization appears to be an advocacy or awareness platform focused on anti-abuse causes. The incident was a targeted single-site defacement with no mass or repeat defacement indicators recorded.
Date: 2026-04-27T07:10:43Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915175
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Non-Profit / Advocacy
Victim Organization: We Refuse Abuse TV Global
Victim Site: werefuseabusetvglobal.org
- Website Defacement of auttash.org by chinafans (0xteam)
Category: Defacement
Content: The website auttash.org was defaced by threat actor chinafans, operating under the team designation 0xteam. The defacement was recorded on April 27, 2026, with a text-based payload hosted at the path /0x.txt. The incident was a targeted single-site defacement with no mass or re-defacement indicators noted.
Date: 2026-04-27T07:09:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915200
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Auttash
Victim Site: auttash.org
- Website Defacement of SP Service Apartments by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, successfully defaced the website of SP Service Apartments at spservicedapartments.com. The incident was a targeted single-site defacement, not classified as a mass or home page defacement. A mirror of the defaced page has been archived on zone-xsec.com.
Date: 2026-04-27T07:09:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915183
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Hospitality / Real Estate
Victim Organization: SP Service Apartments
Victim Site: spservicedapartments.com
- Website Defacement of Vikupauto-mo by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the attacker known as chinafans, affiliated with 0xteam, defaced the Russian automotive website vikupauto-mo.ru. The defacement targeted a specific file path (0x.txt) and was neither a mass nor a home page defacement. The incident was recorded and mirrored by zone-xsec.com.
Date: 2026-04-27T07:08:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915225
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Russia
Victim Industry: Automotive
Victim Organization: Vikupauto-mo
Victim Site: vikupauto-mo.ru
- Website Defacement of pilarvacasantos.com by chinafans (0xteam)
Category: Defacement
Content: The website pilarvacasantos.com was defaced by threat actor chinafans, operating under the group 0xteam, on April 27, 2026. The defacement targeted a personal or portfolio website, likely belonging to an individual named Pilar Vaca Santos. The incident was a singular, targeted defacement rather than a mass or redefacement event.
Date: 2026-04-27T07:07:55Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915178
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Personal/Portfolio
Victim Organization: Pilar Vaca Santos
Victim Site: pilarvacasantos.com
- Website Defacement of WholesaleWounders by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website wholesalewounders.com was defaced by threat actor chinafans operating under the group 0xteam. The defacement was a targeted, single-site incident with a text file placed at the path /0x.txt. No specific motive, proof of concept, or server details were disclosed in the available intelligence.
Date: 2026-04-27T07:07:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915218
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail/Wholesale
Victim Organization: Wholesale Wounders
Victim Site: wholesalewounders.com
- Website Defacement of Montreal Location Rental by chinafans (0xTeam)
Category: Defacement
Content: On April 27, 2026, the website montreallocationrental.com, a Canadian rental and location services company based in Montreal, was defaced by a threat actor operating under the alias chinafans, affiliated with the hacking group 0xTeam. The attack was a targeted single-site defacement with no indication of mass or repeated defacement activity. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-04-27T07:06:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915173
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Canada
Victim Industry: Real Estate / Rental Services
Victim Organization: Montreal Location Rental
Victim Site: montreallocationrental.com
- Website Defacement of Discovery Pharmaceuticals by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website discoverypharm.com was defaced by threat actor chinafans operating under the group 0xteam. The defacement targeted a file path on the pharmaceutical company's web server. No specific motive or technical details regarding the server infrastructure were disclosed in the available records.
Date: 2026-04-27T07:05:36Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915205
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Pharmaceuticals
Victim Organization: Discovery Pharmaceuticals
Victim Site: discoverypharm.com
- Website defacement of atz.asia by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor operating under the handle chinafans and affiliated with 0xteam defaced the website atz.asia, leaving a defacement file at atz.asia/0x.txt. The incident was a targeted, non-mass defacement with no additional technical indicators such as server software or IP address disclosed. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-04-27T07:04:52Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915221
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Asia-Pacific (Unknown specific country)
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: atz.asia
- Website Defacement of Kaia Emporium by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website kaiaemporium.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement was a targeted single-site attack, with the defaced content hosted at kaiaemporium.com/0x.txt. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-27T07:04:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915217
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail/E-Commerce
Victim Organization: Kaia Emporium
Victim Site: kaiaemporium.com
- Website Defacement of Daxten Power by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website daxtenpower.com was defaced by threat actor chinafans operating under the group 0xteam. The attacker left a defacement file at the path /0x.txt. The incident was a targeted, single-site defacement with no indication of mass or repeated compromise.
Date: 2026-04-27T07:03:26Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915177
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Energy / Power
Victim Organization: Daxten Power
Victim Site: daxtenpower.com
- Alleged targeted phishing campaign impersonating LiveDNS domain registrar
Category: Phishing
Content: A phishing campaign has been identified that impersonates the LiveDNS domain registration service. Victims receive fraudulent domain renewal emails and are redirected to fake payment pages where they enter banking card information. The attackers use legitimate user data (domain names, email addresses) likely sourced from public WHOIS records to increase credibility of the phishing emails.
Date: 2026-04-27T07:02:56Z
Network: telegram
Published URL: https://t.me/c/1283513914/21401
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Impact Migration by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website impactmigration.org was defaced by threat actor chinafans operating under the group 0xteam. The attacker placed a defacement file at the path /0x.txt on the target server. The incident was a single targeted defacement, not part of a mass or repeated defacement campaign.
Date: 2026-04-27T07:02:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915206
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Immigration Services
Victim Organization: Impact Migration
Victim Site: impactmigration.org
- Website Defacement of MSLT Treinamentos by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor identified as chinafans, operating under the group 0xteam, defaced the website of MSLT Treinamentos, a training services organization likely based in Brazil. The defacement was a targeted single-site incident, with the defaced content archived via zone-xsec.com. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-27T07:02:05Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915180
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Education / Training Services
Victim Organization: MSLT Treinamentos
Victim Site: msltreinamentosrc.com
- Website Defacement of behnamdehghan.com by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website behnamdehghan.com by uploading a defacement file at the path /0x.txt. The incident was a targeted, single-site defacement with no mass or repeated defacement indicators recorded.
Date: 2026-04-27T07:01:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915184
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Behnam Dehghan
Victim Site: behnamdehghan.com
- Website Defacement of Night Sky Creative by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website nightskycreative.com was defaced by threat actor chinafans operating under the group 0xteam. The defacement targeted a creative services organization, with the attacker leaving a text-based defacement file at the path /0x.txt. This appears to be a singular, targeted defacement rather than a mass or home page compromise.
Date: 2026-04-27T06:55:06Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915155
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Creative Services / Design
Victim Organization: Night Sky Creative
Victim Site: nightskycreative.com
- Website Defacement of The Water Show by chinafans (0xteam)
Category: Defacement
Content: The website thewatershow.org was defaced by threat actor chinafans, operating under the group 0xteam, on April 27, 2026. The defacement targeted a specific file path (/0x.txt) rather than the homepage, suggesting a targeted file-level intrusion. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-27T06:54:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915142
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Entertainment / Events
Victim Organization: The Water Show
Victim Site: thewatershow.org
- Website Defacement of Final Touch Media by chinafans (0xteam)
Category: Defacement
Content: The Canadian media company Final Touch Media had its website defaced by a threat actor identified as chinafans, operating under the group 0xteam. The defacement was recorded on April 27, 2026, targeting a specific file path on the domain. The incident was a targeted single-site defacement with no mass or repeat defacement indicators noted.
Date: 2026-04-27T06:53:29Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915160
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Canada
Victim Industry: Media and Entertainment
Victim Organization: Final Touch Media
Victim Site: finaltouchmedia.ca
- Website Defacement of hmedias.com by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website hmedias.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a specific file path (0x.txt) rather than the homepage, indicating a targeted intrusion rather than a mass or home page defacement. The incident was archived and mirrored via zone-xsec.com for documentation purposes.
Date: 2026-04-27T06:52:44Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915147
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Media
Victim Organization: HMedias
Victim Site: hmedias.com
- Website Defacement of huysiavedaran.com by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website huysiavedaran.com was defaced by a threat actor known as chinafans, operating under the team designation 0xteam. The defacement targeted a specific file path (0x.txt) on the domain and was neither a mass nor a redefacement incident. No specific motivation or technical exploitation details were disclosed.
Date: 2026-04-27T06:51:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915165
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Huysiavedaran
Victim Site: huysiavedaran.com
- Alleged Sale of Counterfeit Currency Bypassing Detection Systems
Category: Cyber Attack
Content: User Yoandi is advertising the sale of counterfeit currency (fake banknotes) claiming the product can pass B-level and C-level currency detection machines. Multiple posts promoting the same service with Telegram links for quality verification.
Date: 2026-04-27T06:51:46Z
Network: telegram
Published URL: https://t.me/c/2613583520/70730
Screenshots:
None
Threat Actors: Yoandi
Victim Country: Unknown
Victim Industry: Financial
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Crossover Music by chinafans (0xteam)
Category: Defacement
Content: The website crossovermusic.net was defaced by threat actor chinafans operating under the team 0xteam on April 27, 2026. The defacement targeted a file path (0x.txt) on the music-related website. This was a singular, targeted defacement rather than a mass or home page defacement event.
Date: 2026-04-27T06:51:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915164
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Entertainment/Music
Victim Organization: Crossover Music
Victim Site: crossovermusic.net
- Website Defacement of Dietsche Sweets by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website dietschesweets.com was defaced by threat actor chinafans operating under the group 0xteam. The defacement targeted a sweets or confectionery-related business, with the attacker leaving a marker file at the path /0x.txt. The incident was a single-target, non-mass defacement with no redefacement history recorded.
Date: 2026-04-27T06:50:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915138
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Food & Beverage / Confectionery
Victim Organization: Dietsche Sweets
Victim Site: dietschesweets.com
- Website Defacement of linkabu.net by chinafans (0xteam)
Category: Defacement
Content: The website linkabu.net was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement was recorded on April 27, 2026, targeting a specific file path (0x.txt) rather than the homepage, indicating a targeted file-level intrusion. No specific motive, server details, or country attribution were identified for this incident.
Date: 2026-04-27T06:49:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915148
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Linkabu
Victim Site: linkabu.net
- Website Defacement of AHT Websites by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor identified as chinafans, operating under the group 0xteam, defaced the website ahtwebsites.com by uploading a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no mass or re-defacement indicators. The attack details are archived via zone-xsec mirror for forensic reference.
Date: 2026-04-27T06:48:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915158
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Web Hosting / Technology Services
Victim Organization: AHT Websites
Victim Site: ahtwebsites.com
- Website Defacement of SoftwareTestingHQ by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website softwaretestinghq.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a specific file path (0x.txt) and was neither a mass nor a redefacement incident. No specific motive or server details were disclosed.
Date: 2026-04-27T06:48:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915154
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology / Software Testing
Victim Organization: SoftwareTestingHQ
Victim Site: softwaretestinghq.com
- Website Defacement of Gallery Masterise by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website gallery-masterise.com. The attack targeted a gallery or art-related organization, with the defacement content hosted at the path /0x.txt. No specific motive, server details, or proof-of-concept information were disclosed in connection with this incident.
Date: 2026-04-27T06:47:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915139
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Arts and Entertainment
Victim Organization: Gallery Masterise
Victim Site: gallery-masterise.com
- Website Defacement of Abu Hamdan by chinafans (0xteam)
Category: Defacement
Content: The website abuhamdan.ae was defaced by threat actor chinafans, operating under the group 0xteam, on April 27, 2026. The defacement was a targeted, single-site attack with a text file planted at the root path. No specific motivation or vulnerability details were disclosed in the available intelligence.
Date: 2026-04-27T06:46:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915166
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United Arab Emirates
Victim Industry: Unknown
Victim Organization: Abu Hamdan
Victim Site: abuhamdan.ae
- Website Defacement of bubaibd.com by chinafans of 0xteam
Category: Defacement
Content: On April 27, 2026, the website bubaibd.com was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The defacement was a targeted, non-mass attack affecting a single page on the domain. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-04-27T06:45:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915159
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Bangladesh
Victim Industry: Unknown
Victim Organization: Bubai BD
Victim Site: bubaibd.com
- Website Defacement of Garage Lamineci by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website garagelamineci.com by uploading a defacement file (0x.txt). The attack was a targeted single-site defacement with no mass or redefacement indicators. Technical details regarding the server environment and attack vector were not disclosed.
Date: 2026-04-27T06:45:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915153
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Automotive / Home Improvement
Victim Organization: Garage Lamineci
Victim Site: garagelamineci.com
- Website Defacement of ewfs.hu by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Hungarian website ewfs.hu by uploading a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no mass or re-defacement characteristics noted.
Date: 2026-04-27T06:44:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915163
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Hungary
Victim Industry: Unknown
Victim Organization: EWFS
Victim Site: ewfs.hu
- Website Defacement of RealPrague by chinafans (0xteam)
Category: Defacement
Content: The website realprague.org was defaced by threat actor chinafans operating under the group 0xteam on April 27, 2026. The defacement targeted a Prague-focused travel or lifestyle website, with the attacker leaving a text-based defacement file at the path /0x.txt. This was a single targeted defacement, not part of a mass or redefacement campaign.
Date: 2026-04-27T06:43:30Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915156
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Czech Republic
Victim Industry: Travel and Tourism
Victim Organization: Real Prague
Victim Site: realprague.org
- Website Defacement of Johns Appliance Services by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Johns Appliance Services, a home appliance service business. The attack was a targeted single-site defacement, not classified as a mass or repeated defacement. The incident was archived via zone-xsec.com mirror for record purposes.
Date: 2026-04-27T06:42:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915157
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Home Appliance Services / Retail
Victim Organization: Johns Appliance Services
Victim Site: johnsapplianceservices.com
- Website Defacement of louraidan.com.br by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, affiliated with 0xteam, defaced the Brazilian website louraidan.com.br by uploading a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no server or OS details disclosed. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-04-27T06:41:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915151
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Loura Idan
Victim Site: louraidan.com.br
- Alleged Data Leak of US Drug & Alcohol Treatment Facilities
Category: Data Leak
Content: A threat actor operating under the alias OriginalCrazyOldFart has freely shared a 1.7 GB compressed archive purportedly containing data related to US drug and alcohol treatment facilities. The data was made available via a public file-hosting service (gofile.io) with no payment required. The nature and sensitivity of the records have not been confirmed, but given the context, the archive may contain patient or facility-related personal information.
Date: 2026-04-27T06:41:14Z
Network: openweb
Published URL: https://pwnforums.st/Thread-US-Drug-Alcohol-Treatment-Facilities
Screenshots:
None
Threat Actors: OriginalCrazyOldFart
Victim Country: United States
Victim Industry: Healthcare – Substance Abuse Treatment
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Walsham Grange Care Home by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website of Walsham Grange Care Home, a UK-based care facility, was defaced by a threat actor known as chinafans operating under the group 0xteam. The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity. The attack highlights continued opportunistic defacement operations by 0xteam against small and vulnerable organizations.
Date: 2026-04-27T06:41:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915161
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United Kingdom
Victim Industry: Healthcare / Social Care
Victim Organization: Walsham Grange Care Home
Victim Site: walsham-grange-care-home.co.uk
- Website Defacement of Higic Clean Maceió by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the Brazilian cleaning services company Higic Clean Maceió had its website defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a specific file path (0x.txt) on the company's domain, a common technique used to demonstrate unauthorized access. The incident was recorded and mirrored by zone-xsec.com for archival purposes.
Date: 2026-04-27T06:40:23Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915137
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Cleaning Services
Victim Organization: Higic Clean Maceió
Victim Site: higicleanmaceio.com.br
- Website Defacement of Quality Miami Roofing by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the team 0xteam, defaced a page on qualitymiamiroofing.com, a roofing services company based in Miami, United States. The defacement targeted a specific file path (0x.txt) rather than the homepage, indicating a targeted file upload or web shell placement. The incident was recorded and mirrored by zone-xsec.com.
Date: 2026-04-27T06:39:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915152
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Construction / Roofing Services
Victim Organization: Quality Miami Roofing
Victim Site: qualitymiamiroofing.com
- Website Defacement of gaevictassist.com by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website gaevictassist.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement was a targeted, non-mass incident affecting a single page on the domain. No specific motivation or server details were disclosed in the available intelligence.
Date: 2026-04-27T06:38:49Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915140
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: gaevictassist.com
- Website Defacement of Circapoint by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website circapoint.com was defaced by threat actor chinafans, operating under the group 0xteam. The defacement was a targeted single-site attack, with the defaced content accessible at the path /0x.txt. The incident was archived and mirrored by zone-xsec.com for threat intelligence purposes.
Date: 2026-04-27T06:38:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915143
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Circapoint
Victim Site: circapoint.com
- Website Defacement of KL Repairs by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website klrepairs.com was defaced by threat actor chinafans, operating under the group 0xteam. The attacker left a defacement file at klrepairs.com/0x.txt. The incident was a targeted, non-mass defacement with no specific motive publicly disclosed.
Date: 2026-04-27T06:37:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915141
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Repair Services
Victim Organization: KL Repairs
Victim Site: klrepairs.com
- Website Defacement of nicholenguyen.com by chinafans (0xteam)
Category: Defacement
Content: The website nicholenguyen.com was defaced by a threat actor operating under the alias chinafans, affiliated with the group 0xteam. The defacement was recorded on April 27, 2026, with a mirror archived at zone-xsec.com. The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity.
Date: 2026-04-27T06:36:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915150
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Personal/Blog
Victim Organization: Nichole Nguyen
Victim Site: nicholenguyen.com
- Website Defacement of brendalbassdavis.site by chinafans of 0xteam
Category: Defacement
Content: The threat actor chinafans, operating under the group 0xteam, defaced the website brendalbassdavis.site on April 27, 2026. The defacement was a targeted single-site attack, with the defaced content hosted at the path /0x.txt. No server details or specific motivation were disclosed for this incident.
Date: 2026-04-27T06:35:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915162
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Brenda Lbass Davis
Victim Site: brendalbassdavis.site
- Alleged leak of German shopping-targeted credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 1.19 million credential pairs via a Mega.nz link on the crackingx forum. The combolist is described as HQ (high quality) and specifically targeted at German shopping platforms. No specific victim organization or website has been identified.
Date: 2026-04-27T06:33:58Z
Network: openweb
Published URL: https://crackingx.com/threads/73382/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of abv.bg credential combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist allegedly associated with abv.bg, a Bulgarian email and internet services provider. The list contains approximately 2,933 credential pairs and is described as fresh, dated April 26, 2026. The combolist was shared for free via a Mega.co.nz link on the cracking forum CrackingX.
Date: 2026-04-27T06:33:41Z
Network: openweb
Published URL: https://crackingx.com/threads/73383/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Bulgaria
Victim Industry: Internet Services
Victim Organization: ABV
Victim Site: abv.bg
- Alleged Distribution of Proxy Generator Tool on Cracking Forum
Category: Initial Access
Content: A forum post on DemonForums by user makitabosch is sharing a proxy generator tool attributed to @YILKIMA via multiple download mirrors. The post contains minimal detail beyond mirror links and an unrelated adult dating site advertisement. The tool may be used to generate proxies for anonymization, credential stuffing, or other malicious activities.
Date: 2026-04-27T06:33:30Z
Network: openweb
Published URL: https://demonforums.net/Thread-PROXY-GENERATOR-BY-YILKIMA
Screenshots:
None
Threat Actors: makitabosch
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed USA and Europe credential combolists
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a mixed combolist containing credentials allegedly sourced from users in the United States and various European countries. The post is labeled as exclusive and organized by country. No specific organizations, record counts, or pricing details are mentioned.
Date: 2026-04-27T06:33:25Z
Network: openweb
Published URL: https://crackingx.com/threads/73384/
Screenshots:
None
Threat Actors: gsmfix
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of VisionClinic by chinafans (0xteam)
Category: Defacement
Content: A Brazilian medical clinic website, visionclinic.med.br, was defaced by threat actor chinafans operating under the group 0xteam on April 27, 2026. The attack targeted a single page (0x.txt) and was neither a mass nor a redefacement incident. The defacement was archived and mirrored via zone-xsec.com.
Date: 2026-04-27T06:29:33Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914892
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Healthcare
Victim Organization: Vision Clinic
Victim Site: visionclinic.med.br
- Website Defacement of Viking Car by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website viking-car.online. The defacement targeted a file path (0x.txt) on the domain, which appears to be associated with an automotive business. The incident was recorded as a single-target, non-mass defacement event.
Date: 2026-04-27T06:28:49Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914906
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Automotive
Victim Organization: Viking Car
Victim Site: viking-car.online
- Website Defacement of elenasala.com by chinafans (0xteam)
Category: Defacement
Content: The website elenasala.com was defaced by a threat actor known as chinafans, operating under the group 0xteam, on April 27, 2026. The defacement was a targeted, non-mass incident affecting a specific page on the domain. No additional technical details such as server software, IP address, or motive were disclosed.
Date: 2026-04-27T06:28:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914896
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Elena Sala
Victim Site: elenasala.com
- Website Defacement of keenac.com by chinafans (0xteam)
Category: Defacement
Content: The website keenac.com was defaced by a threat actor operating under the handle chinafans, affiliated with the group 0xteam. The defacement was recorded on April 27, 2026, with a mirror of the defaced page archived at zone-xsec.com. The incident was a targeted single-site defacement with no mass or repeat defacement indicators noted.
Date: 2026-04-27T06:27:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914907
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Keenac
Victim Site: keenac.com
- Website Defacement of Auto Vision Restoration by chinafans (0xteam)
Category: Defacement
Content: The website autovisionrestoration.com, belonging to an automotive restoration business, was defaced by threat actor chinafans operating under the group 0xteam on April 27, 2026. The attack was a targeted single-site defacement rather than a mass or home page defacement. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-04-27T06:26:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914900
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Automotive Services
Victim Organization: Auto Vision Restoration
Victim Site: autovisionrestoration.com
- Alleged cyber attack on Itron, US energy technology company
Category: Cyber Attack
Content: Itron, a US-based energy technology company operating in energy management and water/electricity infrastructure, reported a cyber attack on April 13, 2026. An unknown individual or group gained access to portions of the company's internal IT systems. The company activated incident response protocols and initiated investigations with external experts and security authorities. The scope of compromised data remains under investigation with no threat actor claiming responsibility at the time of reporting.
Date: 2026-04-27T06:25:51Z
Network: telegram
Published URL: https://t.me/c/1283513914/21399
Screenshots:
None
Threat Actors: Unknown
Victim Country: United States
Victim Industry: Energy Technology / Critical Infrastructure
Victim Organization: Itron
Victim Site: Unknown
- Alleged Credential Checker Tool Targeting Cointiply Cryptocurrency Platform Shared on Cracking Forum
Category: Carding
Content: A threat actor on a cracking forum has shared a tool called Coiny designed to check and validate Cointiply cryptocurrency platform accounts. The tool categorizes accounts by balance, flagging those with over $3 as hits eligible for withdrawal, and claims full account capture capability with an updated algorithm for increased speed. The tool is advertised as fully working and updated for 2025-26, indicating active development for ongoing credential abuse.
Date: 2026-04-27T06:25:40Z
Network: openweb
Published URL: https://altenens.is/threads/coiny-cointiply-crypto-cashoutchecker.2930325/unread
Screenshots:
None
Threat Actors: ananalbzoor
Victim Country: Unknown
Victim Industry: Cryptocurrency
Victim Organization: Cointiply
Victim Site: cointiply.com
- Website Defacement of michaelrelph.com by chinafans (0xteam)
Category: Defacement
Content: The website michaelrelph.com was defaced by threat actor chinafans, operating under the group 0xteam, on April 27, 2026. The defacement targeted a specific file path (/0x.txt) rather than the homepage, indicating a targeted file-level compromise. The incident is recorded as a singular, non-mass defacement with a mirror archived at zone-xsec.com.
Date: 2026-04-27T06:25:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914920
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Michael Relph
Victim Site: michaelrelph.com
- Website Defacement of liamilazzo.com by chinafans (0xteam)
Category: Defacement
Content: The website liamilazzo.com was defaced by threat actor chinafans, operating under the group 0xteam, on April 27, 2026. The defacement was a targeted single-site attack, with the defaced content hosted at the path /0x.txt. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-04-27T06:24:40Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914895
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Lia Milazzo
Victim Site: liamilazzo.com
- Website Defacement of drerdemcaglar.com by chinafans (0xteam)
Category: Defacement
Content: The website drerdemcaglar.com, belonging to a Turkish medical professional identified as Dr. Erdem Caglar, was defaced by a threat actor operating under the handle chinafans and affiliated with 0xteam. The defacement was recorded on April 27, 2026, and targeted a specific file path (0x.txt) rather than the homepage, indicating a non-home, single-site defacement operation. The incident has been archived and mirrored via zone-xsec.com.
Date: 2026-04-27T06:23:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914912
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Turkey
Victim Industry: Healthcare
Victim Organization: Dr. Erdem Caglar (Medical Practice)
Victim Site: drerdemcaglar.com
- Website Defacement of uv-i.com by chinafans (0xteam)
Category: Defacement
Content: The website uv-i.com was defaced by threat actor chinafans, operating under the group 0xteam, on April 27, 2026. The defacement was a targeted single-site attack, with a mirror of the defaced page archived at zone-xsec.com. No specific motivation or vulnerability details were disclosed in the available intelligence.
Date: 2026-04-27T06:23:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914899
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: uv-i.com
- Website Defacement of Fox Rental by chinafans (0xteam)
Category: Defacement
Content: The website foxrental.bg, belonging to Fox Rental in Bulgaria, was defaced by threat actor chinafans operating under the group 0xteam on April 27, 2026. The attacker uploaded a defacement file (0x.txt) to the target server. This was a targeted single-site defacement with no indication of mass or repeated compromise.
Date: 2026-04-27T06:22:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914898
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Bulgaria
Victim Industry: Rental Services
Victim Organization: Fox Rental
Victim Site: foxrental.bg
- Website Defacement of Javajit by chinafans of 0xteam
Category: Defacement
Content: The website javajit.com was defaced by threat actor chinafans operating under the group 0xteam on April 27, 2026. The defacement targeted a specific file path (0x.txt) rather than the homepage, suggesting a targeted file upload or web shell exploitation. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-04-27T06:21:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914913
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Javajit
Victim Site: javajit.com
- Website Defacement of Placencia Painting by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website of Placencia Painting, a painting services company, was defaced by threat actor chinafans operating under the group 0xteam. The defacement was a targeted single-site attack, with the defaced content archived via zone-xsec.com. No specific motive or technical vulnerability details were disclosed.
Date: 2026-04-27T06:20:34Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914914
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Construction & Home Services
Victim Organization: Placencia Painting
Victim Site: placenciapainting.com
- Website Defacement of Advanced Web Technologies by chinafans (0xTeam)
Category: Defacement
Content: On April 27, 2026, a threat actor operating under the handle chinafans, affiliated with 0xTeam, defaced a web page on advancedwebtechnologies.com. The incident was a targeted single-page defacement, not classified as a mass or home page defacement. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-04-27T06:19:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914911
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Information Technology
Victim Organization: Advanced Web Technologies
Victim Site: advancedwebtechnologies.com
- Alleged leak of URL:Login:Password combolist shared on cybercrime forum
Category: Data Leak
Content: A threat actor using the handle hangover934 has shared what is claimed to be a high-quality private ULP (URL:Login:Password) combolist on the cybercrime forum AE – Combo List. The post advertises the credential list as HQ Private, suggesting it may contain previously unreleased or premium credentials. No specific victim organization, record count, or targeted service could be determined from the available post content.
Date: 2026-04-27T06:19:18Z
Network: openweb
Published URL: https://altenens.is/threads/star-url-login-passstar-ulp-starhq-privatestar.2930321/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Amazing Africa Adventure by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website amazingafricaadventure.com was defaced by threat actor chinafans operating under the group 0xteam. The attack targeted a travel and tourism website, replacing its content with the attacker's message. The defacement was a single targeted incident, not part of a mass defacement campaign.
Date: 2026-04-27T06:18:44Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914904
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Travel and Tourism
Victim Organization: Amazing Africa Adventure
Victim Site: amazingafricaadventure.com
- Website Defacement of Crosstree LLC by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the website of Crosstree LLC was defaced by a threat actor known as chinafans, operating under the team name 0xteam. The defacement was a targeted single-site attack, leaving a text-based payload at the path /0x.txt. No specific motive or server details were disclosed in the incident record.
Date: 2026-04-27T06:18:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914905
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Professional Services
Victim Organization: Crosstree LLC
Victim Site: crosstreellc.com
- Website Defacement of salqa.org.pe by chinafans (0xteam)
Category: Defacement
Content: On April 27, 2026, the Peruvian website salqa.org.pe was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement was a targeted single-site incident, with the attacker leaving a text file at salqa.org.pe/0x.txt as evidence of compromise. No specific motive or server details were disclosed.
Date: 2026-04-27T06:17:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914894
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Peru
Victim Industry: Unknown
Victim Organization: SALQA
Victim Site: salqa.org.pe
- Alleged Data Leak of OpenLoop Health Patient Records via Exposed Amazon S3 Bucket
Category: Data Leak
Content: A threat actor has made available a file allegedly sourced from an exposed Amazon S3 bucket belonging to OpenLoop Health, a telehealth provider. The leaked file, titled Healthie_Organization_Clients_Full_Info_09_29_2023, contains client phone numbers and email addresses. The data was shared via a free file hosting service with no payment requested.
Date: 2026-04-27T06:01:58Z
Network: openweb
Published URL: https://pwnforums.st/Thread-2025-OpenLoopHealth
Screenshots:
None
Threat Actors: OriginalCrazyOldFart
Victim Country: United States
Victim Industry: Healthcare
Victim Organization: OpenLoop Health
Victim Site: openloophealth.com
- Alleged Data Leak of American Healthcare Professionals Personal Data
Category: Data Leak
Content: A threat actor shared what they claim to be a 2025 dataset containing personal information of American doctors and nurses, including addresses, emails, and phone numbers. The data was allegedly sourced from an exposed Amazon S3 bucket identified as pec3-prod. The archive, approximately 118.3 MB in size, was made available via Gofile but the links are reportedly no longer functional.
Date: 2026-04-27T06:01:23Z
Network: openweb
Published URL: https://pwnforums.st/Thread-2025-file-American-Doctors-Nurses
Screenshots:
None
Threat Actors: OriginalCrazyOldFart
Victim Country: United States
Victim Industry: Healthcare
Victim Organization: Unknown
Victim Site: pec3-prod.s3.amazonaws.com
- Website Defacement of Neath Cluster Wales by s13ntong of PurbalinggaHackerTeam
Category: Defacement
Content: On April 27, 2026, the website belonging to Neath Cluster Wales was defaced by threat actor s13ntong, affiliated with PurbalinggaHackerTeam. The attack targeted a specific subdirectory of the Welsh regional organization's web presence. The incident was a targeted single-page defacement, with a mirror archived at zone-xsec.com.
Date: 2026-04-27T05:59:36Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914891
Screenshots:
None
Threat Actors: s13ntong, PurbalinggaHackerTeam
Victim Country: United Kingdom
Victim Industry: Public Sector / Regional Development
Victim Organization: Neath Cluster Wales
Victim Site: www.neathcluster.wales
- Alleged Leak of Aliyun.com Domain-Targeted Combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has freely shared a domain-targeted combolist containing 1,289 credential pairs associated with aliyun.com, dated April 26, 2026. The combolist was made available via a Mega.co.nz download link, gated behind a reaction requirement. Aliyun is the cloud computing platform operated by Alibaba Cloud, one of China's largest technology companies.
Date: 2026-04-27T05:54:45Z
Network: openweb
Published URL: https://crackingx.com/threads/73376/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: China
Victim Industry: Technology
Victim Organization: Alibaba Cloud (Aliyun)
Victim Site: aliyun.com
- Alleged leak of Chinese goods-related combolist shared on cracking forum
Category: Combo List
Content: A threat actor known as D4rkNetHub shared a combolist on the cracking forum CrackingX, allegedly containing 1,903 credential entries associated with Chinese goods or services. The post references a cloud-hosted file via an image link, with access restricted to registered forum members. Limited details are available regarding the specific origin or targeted organizations.
Date: 2026-04-27T05:54:29Z
Network: openweb
Published URL: https://crackingx.com/threads/73377/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: China
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged counterfeit currency distribution operation
Category: Cyber Attack
Content: User Yoandi is advertising counterfeit Chinese currency (fake notes) capable of passing B-level and C-level currency verification machines. Multiple promotional posts link to a Telegram channel for purchasing counterfeit currency.
Date: 2026-04-27T05:53:46Z
Network: telegram
Published URL: https://t.me/c/2613583520/70697
Screenshots:
None
Threat Actors: Yoandi
Victim Country: China
Victim Industry: Financial
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Indonesian e-Visa Immigration Database (evisa.imigrasi.go.id)
Category: Data Leak
Content: A threat actor known as BabayoErorSystem has claimed to leak a database obtained from the Indonesian e-Visa immigration portal (evisa.imigrasi.go.id). The post, shared on Breached.st, alleges the database contains approximately 3 million records. No price was mentioned, suggesting the data is being made available freely to the community.
Date: 2026-04-27T05:36:23Z
Network: openweb
Published URL: https://breached.st/threads/3-milliond-data-base-evisa-imigrasi-go-id.86256/unread
Screenshots:
None
Threat Actors: BabayoErorSystem
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Direktorat Jenderal Imigrasi (Indonesian Directorate General of Immigration)
Victim Site: evisa.imigrasi.go.id
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist of 481 Hotmail credentials via a free download link on a cracking forum. The post also advertises a private Telegram cloud service offering additional credential lists and a built-in inboxer tool, available via subscription. The actor promotes this as a restock, suggesting prior distributions of similar content.
Date: 2026-04-27T05:17:45Z
Network: openweb
Published URL: https://crackingx.com/threads/73374/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub has made available a combolist containing 1,742 Hotmail credentials on the cracking forum CrackingX. The post is gated behind registration, suggesting the content is shared freely to registered members. The origin and collection method of the credentials are unknown.
Date: 2026-04-27T05:17:29Z
Network: openweb
Published URL: https://crackingx.com/threads/73375/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged sale of RDP access and compromised cloud/email accounts
Category: Initial Access
Content: A threat actor is offering rental of RDP access to Azure, AWS, and Digital Ocean infrastructure on a daily/monthly basis for $200. The actor is also advertising domain email accounts (Gmail, Yahoo), GitHub student accounts, and domain access. The post mentions an escrow service and limited stock availability, and targets initial access buyers.
Date: 2026-04-27T05:08:02Z
Network: telegram
Published URL: https://t.me/c/2613583520/70677
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Sri Lanka's Office on Missing Persons Confidential Dossiers
Category: Data Leak
Content: A threat actor known as AnoN SathaN (anonsathan_xd) claims to have leaked 25 confidential PDF dossiers belonging to Sri Lanka's Office on Missing Persons (OMP), a state institution responsible for investigating cases of missing and disappeared persons. The documents have been made available via a Mega.nz download link and were announced on the actor's Telegram channel. The leak was disclosed on April 27, 2026.
Date: 2026-04-27T04:59:55Z
Network: openweb
Published URL: https://breached.st/threads/sri-lankas-office-on-missing-persons-confidential-dossiers-pdf-unlocked.86348/unread
Screenshots:
None
Threat Actors: anonsathan_xd
Victim Country: Sri Lanka
Victim Industry: Government
Victim Organization: Office on Missing Persons
Victim Site: omp.gov.lk
- Alleged Sale of Counterfeit Currency Passing Banknote Verification Machines
Category: Cyber Attack
Content: User Yoandi is advertising counterfeit currency (fake banknotes), claiming the product can pass B-level and C-level banknote verification machines. Multiple promotional posts carry Telegram links directing to a sales channel.
Date: 2026-04-27T04:54:09Z
Network: telegram
Published URL: https://t.me/c/2613583520/70662
Screenshots:
None
Threat Actors: Yoandi
Victim Country: Unknown
Victim Industry: Financial
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of corporate SMTP credentials combolist targeting business users
Category: Combo List
Content: A threat actor on the crackingx.com forum has made available a combolist containing approximately 139,054 credential lines, reportedly intended for SMTP spam abuse targeting corporate and business users. The combolist was shared via a Mega.nz link as a free download. No specific victim organization or country was identified.
Date: 2026-04-27T04:39:00Z
Network: openweb
Published URL: https://crackingx.com/threads/73372/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed domain-targeted combolist with 44,016 credentials
Category: Combo List
Content: A threat actor operating under the alias BestCombo has freely shared a mixed domain-targeted combolist containing 44,016 lines of credentials on the CrackingX forum. The combolist, dated April 26, 2026, was made available via a Mega file-sharing link. No specific victim organization or country has been identified, as the list appears to aggregate credentials from multiple domains.
Date: 2026-04-27T04:38:43Z
Network: openweb
Published URL: https://crackingx.com/threads/73373/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged counterfeit currency distribution operation targeting India
Category: Cyber Attack
Content: Criminal actors are advertising counterfeit currency notes (fake money) capable of bypassing B-level and C-level currency verification machines. Multiple promotional posts link to a Telegram group for quality verification and sales.
Date: 2026-04-27T04:06:18Z
Network: telegram
Published URL: https://t.me/c/2613583520/70635
Screenshots:
None
Threat Actors: Yoandi
Victim Country: India
Victim Industry: Financial
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist with forum-valid accounts
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist of approximately 40,000 Hotmail email credentials on the cracking forum CrackingX. The credentials are claimed to be valid for forum-based services. The full content is restricted to registered or signed-in forum members.
Date: 2026-04-27T03:24:12Z
Network: openweb
Published URL: https://crackingx.com/threads/73368/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist of 481 claimed ultra-high-quality (UHQ) Hotmail credentials via a public paste site and a Telegram channel. The post advertises a built-in inboxer tool and promotes a paid cloud service for accessing additional content, suggesting ongoing credential harvesting operations. The free download functions as a sample or promotional offering tied to the actor's broader paid service.
Date: 2026-04-27T03:23:47Z
Network: openweb
Published URL: https://crackingx.com/threads/73369/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of orange.fr credentials combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has shared a combolist allegedly containing 1,179 credential pairs associated with orange.fr accounts. The list is described as targeting European users and was made available for free download via a Mega file-sharing link. The post is dated April 26, 2026, though the authenticity and origin of the credentials have not been independently verified.
Date: 2026-04-27T03:23:22Z
Network: openweb
Published URL: https://crackingx.com/threads/73370/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: France
Victim Industry: Telecommunications
Victim Organization: Orange
Victim Site: orange.fr

Alleged CVV Fraud Operation – NeZha CVV Support Group
Category: Logs
Content: Cybercriminal group operating CVV fraud scheme advertising stolen credit card data and validation services. Posts promote CVV Benefits Chat Group with contact handle @nzccg001, offering access to stolen card information and validation tools.
Date: 2026-04-27T03:03:49Z
Network: telegram
Published URL: https://t.me/c/2613583520/70604
Screenshots:
None
Threat Actors: NeZha CVV Support
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown

Alleged data breach of Udemy by ShinyHunters group
Category: Data Leak
Content: Threat actor group ShinyHunters allegedly breached online learning platform Udemy, compromising over 1.6 million records containing full names, email addresses, physical addresses, phone numbers, employer information, and instructor payout methods including PayPal, cheque, and bank transfer details. After Udemy reportedly refused to pay a ransom, the group publicly leaked the stolen data on April 26, 2026. The leaked dataset is approximately 636 MB decompressed and contains roughly 1,401,162 uni
Date: 2026-04-27T03:00:08Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-Udemy-com-leak
Screenshots:
None
Threat Actors: [Mod] Tanaka
Victim Country: United States
Victim Industry: Education / E-Learning
Victim Organization: Udemy
Victim Site: udemy.com

Alleged leak of Outlook.com credentials combolist
Category: Combo List
Content: A threat actor on CrackingX forum has made available a combolist containing approximately 2,904 lines of Outlook.com credentials, claimed to be fresh and dated April 26, 2026. The credential list is being distributed for free via a Mega file-sharing link, accessible through a reaction-gated post.
Date: 2026-04-27T02:45:57Z
Network: openweb
Published URL: https://crackingx.com/threads/73367/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: outlook.com

Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor operating under the alias redcloud has shared a combolist of approximately 3,500 alleged valid Hotmail credentials on the AE – Combo List forum. The post, dated April 27, 2026, describes the credentials as UHQ (ultra-high quality) and private, suggesting they have not been previously circulated. The content is available as a free download to forum members who reply to the thread, with the actor also providing a Telegram contact handle.
Date: 2026-04-27T02:36:18Z
Network: openweb
Published URL: https://altenens.is/threads/3-5k-high-voltagehotmailhigh-voltagevalid-mail-access-27-04.2930250/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged Sale of Fortinet Firewall and VPN Admin Access to Argentine Electronic Payments Company
Category: Initial Access
Content: A threat actor identified as GhostByte is selling super admin access to a Fortinet FortiGate firewall and full admin VPN access belonging to a leading electronic payments and bank card company in Argentina. The compromised environment includes an Active Directory network with 22 Windows servers, and the victim organization reportedly has an annual revenue of $57.6 million. The access is being offered for $500.
Date: 2026-04-27T02:20:05Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-super-admin-firewall-fortigate-access-and-full-admin-vpn-access
Screenshots:
None
Threat Actors: GhostByte
Victim Country: Argentina
Victim Industry: Financial Services / Electronic Payments
Victim Organization: Unknown
Victim Site: Unknown

Alleged sale of Taiwan military and cybersecurity intelligence data
Category: Data Breach
Content: A threat actor operating under the alias Yakohomot is selling approximately 1.8GB of sensitive plaintext documents allegedly sourced from Taiwan. The data purportedly includes a cybersecurity and strategic intelligence brief, TSMC infrastructure and economic reporting, naval radar research and development materials attributed to China, and documents related to a military infrastructure project at Wuling Base. The seller is asking $16,000 and can be contacted via a Session encrypted messaging i
Date: 2026-04-27T02:19:12Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Taiwan-military-Cybersecurity-data
Screenshots:
None
Threat Actors: Yakohomot
Victim Country: Taiwan
Victim Industry: Government & Defense
Victim Organization: Unknown
Victim Site: Unknown

Alleged Data Breach of FFWPU (Family Federation for World Peace and Unification) and TongilGroup
Category: Data Breach
Content: A threat actor known as 0xCAFE is selling multiple datasets allegedly stolen from FFWPU (통일교, Unification Church) and affiliated TongilGroup entities. The data, reportedly exfiltrated via IDOR vulnerabilities and database backup access, includes 1.29 million lines of personal information, 6,600 accounts with plaintext passwords, MSSQL and Oracle ERP database backups totaling over 10GiB, employee personal documents with scanned IDs, and approximately 1GiB of MySQL dumps spanning roughly 10 serv
Date: 2026-04-27T02:18:37Z
Network: openweb
Published URL: https://darkforums.su/Thread-Korean-Cult-FFWPU-%E7%B5%B1%E4%B8%80%E6%95%99%E4%BC%9A-%ED%86%B5%EC%9D%BC%EA%B5%90-Data-for-Sale-1-29M
Screenshots:
None
Threat Actors: 0xCAFE
Victim Country: South Korea
Victim Industry: Religious Organization
Victim Organization: FFWPU / TongilGroup
Victim Site: ffwp.or.kr

Alleged Sale of Super Admin Access to Abu Dhabi Department of Finance
Category: Initial Access
Content: A threat actor operating under the alias Crimson is selling Super Administrator access to the Abu Dhabi Department of Finance (addof.gov.ae) for $800 USD. The seller is offering proof of access via an external file sharing link and is accepting contact exclusively through the Session encrypted messaging application. The nature and extent of access to the government financial institution's systems has not been independently verified.
Date: 2026-04-27T02:17:29Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Abu-Dhabi-Department-Of-Finance-Super-Admin-Access
Screenshots:
None
Threat Actors: Crimson
Victim Country: United Arab Emirates
Victim Industry: Government
Victim Organization: Abu Dhabi Department of Finance
Victim Site: addof.gov.ae

Alleged data breach of Le Petit Vapoteur customer database
Category: Data Breach
Content: A threat actor on a dark web forum is selling an alleged customer database from Le Petit Vapoteur, a French e-cigarette and vaping retailer, for 1,500€. The dataset reportedly contains over 3.3 million customer records. The seller provided a Session messenger handle for contact and claims to have data samples available.
Date: 2026-04-27T02:16:54Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-FR-Le-Petit-Vapoteur
Screenshots:
None
Threat Actors: 3ndGames
Victim Country: France
Victim Industry: Retail – Vaping & Electronic Cigarettes
Victim Organization: Le Petit Vapoteur
Victim Site: lepetitvapoteur.com

Alleged Sale of TonKeeper Wallet Cryptographic Keys
Category: Data Breach
Content: A threat actor operating under the alias alon3Hunt is selling 6 cryptographic keys allegedly extracted from internal TonKeeper Wallet software, associated with blockchain accounts. The seller is offering the keys via escrow and can be contacted through a Session ID and Telegram handle for further details on their potential use.
Date: 2026-04-27T02:16:19Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Keys-To-The-Tonkeeper-Wallet
Screenshots:
None
Threat Actors: alon3Hunt
Victim Country: Unknown
Victim Industry: Cryptocurrency / Blockchain
Victim Organization: TonKeeper
Victim Site: tonkeeper.com

Alleged Sale of Iraq National Database (2022)
Category: Data Breach
Content: A threat actor known as Sicario1877 is selling an alleged national database of Iraq dated 2022, described as a private leak. The database contains structured personal records including full names, family numbers, birth dates, job information, salary details, social security numbers, and other civil registry fields in Arabic. The seller claims the last public leak of similar data occurred in 2014 and is offering contact via Telegram for purchase inquiries.
Date: 2026-04-27T02:15:45Z
Network: openweb
Published URL: https://darkforums.su/Thread-Iraq-Database-2022-For-Sell
Screenshots:
None
Threat Actors: Sicario1877
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Iraq National Registry
Victim Site: Unknown

Alleged Data Breach of L'Opticienne Verte French Eyewear Brand
Category: Data Breach
Content: A threat actor operating under the alias ijpys is selling a database allegedly belonging to L'Opticienne Verte, a French eco-friendly eyewear retailer. The dataset contains 13,039 records including full names, phone numbers, email addresses, street addresses, postal codes, and dates of birth. The data is being offered for $50 via a Darkforums listing, with the actor reachable through Telegram.
Date: 2026-04-27T02:15:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-lopticienneverte-com-France-13K
Screenshots:
None
Threat Actors: ijpys
Victim Country: France
Victim Industry: Retail
Victim Organization: L'Opticienne Verte
Victim Site: lopticienneverte.com

Alleged sale of credentials from OneDrive and Zelcore data breach
Category: Data Breach
Content: A threat actor operating under the alias isPacino is selling stolen data allegedly sourced from OneDrive and Zelcore. The seller accepts various data formats including Email:Hash (Bcrypt) and is offering a 60/40 revenue split, accepting payment in BTC, XMR, and ETH. Contact is facilitated via Telegram (@isBruh) and Tox.
Date: 2026-04-27T02:14:34Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Checking-Your-Bases-in-Crypto
Screenshots:
None
Threat Actors: isPacino
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: OneDrive, Zelcore
Victim Site: onedrive.com, zelcore.io

Alleged Data Leak of SURXRAT Indonesian RAT Malware Network User Database
Category: Data Leak
Content: A threat actor operating under the alias 0xf4r has publicly leaked a database containing information on 1,210+ users of SURXRAT, an Indonesian-origin remote access trojan (RAT) malware network with alleged global reach. The leaked records include Gmail addresses, usernames, user IDs, device IDs, passwords, last login timestamps, and registry timestamps. The poster claims to be actively identifying and exposing members and developers of the network, including individuals reportedly still in hig
Date: 2026-04-27T02:13:56Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-DATABASE-USER-SURXRAT-INDONESIA
Screenshots:
None
Threat Actors: 0xf4r
Victim Country: Indonesia
Victim Industry: Cybercrime Network
Victim Organization: SURXRAT
Victim Site: Unknown

Alleged Sale of Discounted Gift Cards via Automated Telegram Bot
Category: Carding
Content: A threat actor operating under the alias StealerLogs is selling discounted gift cards at 30% below face value across 12 major brands including Amazon, Steam, Netflix, and Nike via an automated Telegram bot. The bot accepts cryptocurrency payments including BTC, SOL, ETH, and USDT, with instant code delivery upon payment. The steep discounts strongly suggest the gift cards are fraudulently obtained, likely through carding, account takeover, or stealer log exploitation.
Date: 2026-04-27T02:13:20Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-GIFT-CARDS-30-OFF-off30gcs
Screenshots:
None
Threat Actors: StealerLogs
Victim Country: Unknown
Victim Industry: Retail, Entertainment, Food Delivery
Victim Organization: Amazon, Steam, Google, Apple, Netflix, Spotify, Xbox, PlayStation, Nike, Zalando, Uber, DoorDash
Victim Site: Unknown

Alleged Data Leak of Uganda Ministry of Agriculture MAAIF E-Extension System Database
Category: Data Leak
Content: A threat actor known as vicmeow has leaked a database allegedly obtained from Uganda's MAAIF E-Extension System, a digital agricultural platform. The leaked data reportedly includes user records, API keys, email addresses, phone numbers, and physical addresses of farmers and extension officers. A sample archive has been made available via a MediaFire download link.
Date: 2026-04-27T02:12:04Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-extension-agriculture-go-ug-Uganda-Ministry-of-Agriculture-E-Extension
Screenshots:
None
Threat Actors: vicmeow
Victim Country: Uganda
Victim Industry: Government
Victim Organization: Ministry of Agriculture, Animal Industry and Fisheries (MAAIF)
Victim Site: extension.agriculture.go.ug

Alleged Data Breach of CTT Locky Parcel Locker System in Portugal
Category: Data Breach
Content: A threat actor known as Boogeymann is allegedly selling a database containing over 1 million records from CTT's Locky smart parcel locker network in Portugal. The exposed data includes customer names, phone numbers, email addresses, package IDs, and pickup timestamps. Additionally, the actor claims to possess internal infrastructure data for over 1,900 locker units, including private IP addresses, machine IDs, hardware types, and backend/frontend software versions.
Date: 2026-04-27T02:11:28Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Portuguese-CTT-Carrier-Locky-System
Screenshots:
None
Threat Actors: Boogeymann
Victim Country: Portugal
Victim Industry: Postal & Logistics Services
Victim Organization: CTT – Correios de Portugal (Locky)
Victim Site: ctt.pt

Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Roronoa044 has made available a combolist of allegedly valid Hotmail email credentials on DemonForums. The post, labeled as UHQ (ultra-high quality), claims the credentials are valid and stored on a private cloud. The actor also advertises a Telegram channel (@noiraccesss), suggesting this may be part of an ongoing credential distribution operation.
Date: 2026-04-27T01:58:50Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X873-Valid-UHQ-Hotmail-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of multi-category credential combolist targeting social, shopping, and education platforms
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist of approximately 121,145 credential lines via a Mega.nz file link. The combolist reportedly targets social media, shopping, and education platforms. The credentials are described as high-quality and have been freely distributed on the cracking forum CrackingX.
Date: 2026-04-27T01:58:45Z
Network: openweb
Published URL: https://crackingx.com/threads/73364/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Multiple (Social Media, E-Commerce, Education)
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of mixed valid email access credentials (39,800 records)
Category: Data Leak
Content: A threat actor operating under the alias redcloud has made available a combolist of approximately 39,800 mixed valid email credentials, described as UHQ (ultra-high quality) and private. The post, dated 27 April 2026, offers a free download via a hidden reply-gated link on the AE combo list forum. The actor also references a Telegram handle (@tutuba5m) for further contact.
Date: 2026-04-27T01:56:27Z
Network: openweb
Published URL: https://altenens.is/threads/39-8k-sparkles-mix-sparkles-valid-mail-access-27-04.2930246/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of fresh Hotmail credential combolist
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist of 481 alleged fresh Hotmail credentials via a public paste link and a Telegram channel. The post claims the credentials are inbox-verified using a built-in inboxer tool. The actor also advertises a paid cloud service with tiered pricing, suggesting this free drop serves as a promotional sample.
Date: 2026-04-27T01:23:02Z
Network: openweb
Published URL: https://crackingx.com/threads/73360/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com

Alleged leak of GMX.de credentials combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist targeting the gmx.de domain, containing approximately 1,063 credential entries. The combolist was shared via a Mega.co.nz link on the cracking forum CrackingX. No price was mentioned, indicating this is a free distribution of the credential list.
Date: 2026-04-27T01:22:45Z
Network: openweb
Published URL: https://crackingx.com/threads/73361/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Germany
Victim Industry: Technology
Victim Organization: GMX
Victim Site: gmx.de

Website Defacement of Indoplast by QATAR911
Category: Defacement
Content: On April 27, 2026, the threat actor QATAR911 defaced a page on the Indian plastics manufacturer Indoplast's website (www.indoplast.co.in). The incident targeted a specific sub-page and was neither a mass nor a home page defacement. The attack was mirrored and documented via zone-xsec.com.
Date: 2026-04-27T00:59:17Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/914886
Screenshots:
None
Threat Actors: QATAR911, QATAR911
Victim Country: India
Victim Industry: Manufacturing / Plastics
Victim Organization: Indoplast
Victim Site: www.indoplast.co.in

Alleged data breach of Udemy exposing 1.4 million user records
Category: Data Leak
Content: In April 2026, threat actor group ShinyHunters allegedly breached online learning platform Udemy, compromising over 1.4 million user records. After Udemy refused to pay a ransom, the stolen data was publicly leaked on April 26, 2026. The leaked database includes full names, email addresses, physical addresses, phone numbers, employer information, and instructor payout details including PayPal, cheque, and bank transfer information.
Date: 2026-04-27T00:50:34Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Udemy-udemy-com-2026-04-26-1-40M-Users
Screenshots:
None
Threat Actors: thelastwhitehat
Victim Country: United States
Victim Industry: Online Education / E-Learning
Victim Organization: Udemy
Victim Site: udemy.com

Alleged leak of nifty.com domain-targeted mixed combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a mixed combolist targeting the domain nifty.com, containing approximately 4,440 credential entries. The combolist was shared for free via a Mega file-sharing link on the cracking forum CrackingX. The post is dated April 26, 2026, and the data type suggests email and password pairs associated with the targeted domain.
Date: 2026-04-27T00:44:31Z
Network: openweb
Published URL: https://crackingx.com/threads/73359/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Nifty
Victim Site: nifty.com

Alleged leak of German shopping-targeted combolist with 465,417 credentials
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing 465,417 credential lines via a Mega.nz link on the cracking forum CrackingX. The combolist is described as targeting German shopping platforms and is labeled as high quality (HQ). No specific victim organization or domain has been identified.
Date: 2026-04-27T00:08:59Z
Network: openweb
Published URL: https://crackingx.com/threads/73358/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown

Alleged leak of 56,000 valid email access credentials combolist
Category: Data Leak
Content: A threat actor known as VegaM has shared a combolist containing approximately 56,000 allegedly valid email access credentials on the AE forum. The credential list was made available via Pasteview, a text-sharing platform. No specific victim organization or country has been identified, suggesting the combolist may aggregate credentials from multiple sources.
Date: 2026-04-27T00:06:12Z
Network: openweb
Published URL: https://altenens.is/threads/56k-valid-mailaccess-combolist.2930206/unread
Screenshots:
None
Threat Actors: VegaM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown