This report provides an in-depth analysis of a significant volume of cyber incidents, data breaches, vulnerability disclosures, and underground market activities recorded on April 28, 2026. The threat landscape demonstrates a high degree of organization among threat actors, with a heavy emphasis on credential harvesting, exploitation of government and educational infrastructure, and the monetization of initial access and stolen data.
1. Major Corporate & Financial Data Breaches
The financial and corporate sectors experienced severe compromises involving massive data exfiltration, extortion, and the sale of sensitive customer records.
The Polymarket Infrastructure Compromise
A highly sophisticated and multi-faceted attack campaign was executed against Polymarket, a decentralized prediction market platform.
- A threat actor utilizing the aliases “xorcat” and “./xorcat~files” claimed responsibility for the breach.
- The actor exploited a chain of vulnerabilities, including CVE-2025-62718 (an SSRF vulnerability in the Axios client allowing access to internal Kubernetes services) and CVE-2024-51479 (a Next.js middleware authorization bypass affecting affiliate and preprod deployments).
- Additional attack vectors included unauthenticated API endpoints, CORS misconfigurations, and insufficient rate limiting.
- The breach resulted in the exposure of a production admin portal with Vercel SSO authentication credentials.
- The threat actor exfiltrated a massive dataset; initial claims indicated a 1GB API dump containing over 10 million records, including full personally identifiable information (PII) for 10,000 unique profiles, Ethereum wallet addresses, and social graph data.
- Further claims escalated the incident to an 800GB data exfiltration in JSON format, accompanied by extortion threats.
- A comprehensive package containing 300,000 user records (750 MB of data), proof-of-concept exploits, automated extraction scripts, and red team analysis was subsequently uploaded by the actor.
- The actor actively monetized the breach by selling specialized attack tools (CORS, SSRF, Next.js bypass) designed to exploit synchronization flaws between the Polymarket API and the blockchain, enabling DoS attacks against liquidity providers.
McDonald’s India Data Exfiltration
- The “Everest group” claimed a massive 861 GB data breach targeting McDonald’s India, specifically its operators Connaught Plaza Restaurants and Hardcastle Restaurants.
- The breach allegedly occurred earlier, on January 20, 2026.
- The compromised data included financial reports, pricing data, internal communications, investor contact databases across multiple countries (US, UK, Singapore, India), store-level manager information, customer PII, and ERP system access.
- The actor published the full leak, noting this follows previous vulnerabilities identified in 2017 and 2024.
Wells Fargo Customer Data Sale
- A threat actor operating as “RubiconH4ck” advertised a database containing 4.6 million records allegedly belonging to Wells Fargo customers.
- The dataset reportedly contained full names, physical addresses, email addresses, phone numbers, and PINs, updated between 2024 and 2026.
Additional Corporate and Financial Breaches
- Magic Labs: A vulnerability in the Magic Labs login service was reported, allowing attackers to intercept authentication tokens, bypass security procedures, and execute unauthorized fund withdrawals.
- RealT: A threat actor named “lowiq” leaked a database from the blockchain real estate platform RealT (realt.co) containing 61,738 records dated April 18, 2026, exposing user IDs, names, bank accounts, and Plaid-linked financial details of investors and staff.
- Ledger (Australia): The actor “aisdata” offered a database of Australian Ledger hardware wallet customers containing names, phone numbers, product types, and purchase amounts.
- Qzaem (Russia): Threat actor “Tanaka” released a 7.6 million record SQL database from the Russian lending platform qzaem.ru, exposing SNILS, INN numbers, hashed passwords, and payment card tokens.
- Fondo de Garantías Antioquia (Colombia): Actors “Petro_Escobar” and “NyxarGroup” offered 5,000 records from FGA containing credit obligation details, overdue amounts, and payment statuses.
- IngressoLive (Brazil): A database of 106,000 records from the Brazilian ticketing platform was leaked by “mastermind,” detailing buyer names, payment forms, and transaction values.
- Canadian Tire: Threat actor “ROCK01” made available a 105 MB CSV database dump containing approximately 10 million Canadian Tire customer records, including names, addresses, and phone numbers.
2. Government, Military, and Critical Infrastructure Compromises
State, local, and national government entities faced sustained targeting, resulting in severe data exposure and operational disruption.
The Indonesian Government and Education Sector Crisis
Indonesian infrastructure was disproportionately targeted by a multitude of threat actors, indicating a systemic vulnerability crisis within the region.
- Mr. Hanz Xploit: This highly prolific actor leaked or claimed access to numerous databases, including the Bengkalis Regency Government, Mahkamah Konstitusi Republik Indonesia (mkri.id), Badan Penghubung Pemerintah Jawa Tengah (1 million records), Universitas Gadjah Mada (1.5 million records), Majelis Permusyawaratan Rakyat Republik Indonesia (MPR RI), SMKN 5 Batam, and SMK Negeri 3 Kota Tangerang Selatan.
- Indonesian National Police (Polri): Actor “MrLucxy” leaked 417,000 personnel records from a year-old hack of polri.go.id, exposing ranks, IDs, addresses, and employment statuses across multiple units. A separate actor, “JAX7,” also claimed access to a police personnel database.
- Badan Kepegawaian Negara (BKN): Actor “Xyph0rix” leaked a database of civil servants containing National Identity Numbers (NIK), employment ranks, and job titles, last synchronized in January 2025.
- Ministry of Industry (Kemenperin): Two separate actors, “MrAnomali” and “wildhigt,” offered data from Kemenperin, with the latter selling specific internal extension numbers and floor locations of high-ranking officials for 0.4 LTC.
- Education Targets: Actor “JAX7” leaked thousands of records from SMA Trensains Muhammadiyah Sragen. Actor “treixnox” leaked over 2,000 highly sensitive records from SMAN 1 Malang, including parental income and geolocation data.
United States Law Enforcement, Military, and Infrastructure
- Law Enforcement Data: Threat actor “spider321” sold a database of 90,000 US police personnel records spanning Texas and Missouri agencies, exposing job titles, supervisor details, and IP addresses. The same actor sold a dataset of 110,000 plaintext credentials for FBI employees (fbi.gov and ic.fbi.gov domains).
- Military Documentation: Actor “spider321” also offered unverified M1 Abrams tank technical manuals for sale in PDF format.
- US Marines Surveillance Leak: The “Handala” threat actor leaked personal details of 2,379 U.S. Marines stationed in the Gulf region, exposing home addresses, daily patterns, and family details, framed as a demonstration for future military attacks.
- CCTV Infrastructure: Actors “TheSweetNight” and “OpsShadowStrike” claimed to have compromised CCTV systems across the US using CVE-2017-7921, citing political motivations regarding Palestine and Iran.
- Municipal Disruption: The Kent District Library in Michigan suffered a ransomware attack forcing the closure of its branches and an ongoing investigation into potential data compromise.
French Government and Infrastructure Attacks
- National ID System Cyberattack: France experienced a major cyberattack targeting its online system for passports and national ID cards, exposing millions of users and forcing administrative centers to revert to manual processing amid high travel demand.
- HexDex Arrest: French police arrested a 21-year-old hacker (“HexDex”) responsible for over 100 intrusions, notably breaching the French Ministry of Education to expose 243,000 employee records.
- NEMEA Group Leak: Threat actor “ChimeraZ” leaked a 7.0 GB (or 66 GB in a separate post) database from NEMEA Group and its affiliates (GOELIA, COGEDIM), exposing 203,733 files including passports, lease agreements, and ID cards.
Other Global Government Breaches
- South Korea: The “Infrastructure Destruction Squad” claimed ongoing breaches of the Jeollanam Provincial Police Agency, government offices, and national data centers via digital file storage vulnerabilities.
- Guatemala: “GordonFreeman” breached the RENAP civil registry (18 million records) and SAT tax authority (5.6 million vehicle records), demanding a 2 BTC ransom to halt public sale and future attacks.
- Mexico: Actor “Straightonumberone” leaked 11,000 legal documents and citizen PII from the Instituto Registral y Catastral del Estado de Puebla (IRCEP).
- Brazil: The political party “Podemos” was breached by “m0z1ll4screw” via a PHP 7.4.33 vulnerability, exposing 958,000 pieces of information.
3. The Combolist and Credential Ecosystem
The distribution of combolists (email and password combinations used for credential stuffing and account takeover) represented the highest volume of activity on April 28. Microsoft services (Hotmail, Outlook, Live, MSN) were the primary targets.
Key Distributors and Operations
| Threat Actor | Target Focus / Geographic Region | Volume / Operations |
| --- | --- | --- |
| thejackal101 | Targeted geographic credential sets via “@Elite_Cloud1” | 1.2M Italy, 311K India, 273K Indonesia, 215K Japan, 167K Mexico, 158K Hungary, 61K Montenegro, 60K Latvia, 59K Malaysia, 32K Israel, 23K Ireland, 20K Kenya, 20K Micronesia, 17K Lithuania. |
| CODER | Multi-million aggregated credential dumps via Telegram | 13M mixed platforms (Twitter, Fortnite, Etsy), 12M SMTP/IMAP, 12M Corporate, 12M Gaming, 11M Social Media, 9M Hotmail, 9M Outlook, 7M t-online.de, 5M Amazon AWS, 5M German emails (GMX, T-Online), 4.7M Gaming, Hotmail UK/AOL combo. |
| el_capitan | Regional and platform-specific mass dumps | 7.2M mixed country, 625K Gmail, 450K Hotmail, 310K Poland, 130K Japan. Promotes spamming and cracking tools. |
| snowstormxd | Monetized cloud storage & inbox-verified credentials | Distributed small, highly-verified batches (e.g., 146 UHQ Hotmail, 728 Hotmail, 1,457 mixed). Promoted a paid cloud service with a built-in inboxer tool ranging from $3/24h to $120/lifetime via Telegram bot. |
| HQcomboSpace | High-volume sector-specific drops on Mega.nz | 1.6M Gmail/Shopping, 1.1M Yahoo, 952K Gmail, 916K German Shopping, 879K German Gaming/Casino, 394K Hotmail/Streaming, 127K European Education/Retail, 118K Business Corporate, 51K Corporate Mail. |
| Prince1001 | UHQ credentials for financial/gaming targeting | 350K PayPal/Gaming, 269K Mixed, 165K Banking-targeted, 125K Spotify, 210 Hotmail. |
| BestCombo | European-focused and specific domain targeting | 41K Gmail EU, 40K Hotmail EU, 20K Mixed, 12.7K Outlook EU, 11.9K Outlook, 6.8K Mixed EU, 2.1K live.com, 2K live.com EU, 2.1K MSN EU, 1.8K Hotmail.fr. |
| WhiteMelly | Daily Telegram distribution of stealer logs and combos | 4GB URL:Login:Password lines from stealer logs, 1.5GB mixed logs, 20K mixed Hotmail/Live/Outlook (EU regions), 2K Hotmail. Operates @suphoodbot for paid offerings. |
Specialized Credential Services
- Keyword-Targeted Lists: Actors like “Hotmail Cloud” and “He_Cloud” distributed highly refined lists of Hotmail credentials sorted by victim country and specific keyword targets (e.g., banking or gaming keywords in the inbox), demonstrating a targeted approach to account takeover.
- Unique/Private Cloud Sources: Actors such as “UniqueCombo” consistently leaked 5,000-line batches of Hotmail credentials, advertising a dedicated shop for custom country requests.
- Corporate and Forum Targeting: Actor “zod” shared specialized lists, including 77,527 corporate domain credentials and WordPress credentials, distributing passwords via Telegram.
- Robinhood Targeting: Actor “Kevinn” offered cleaned lists of Robinhood user emails for balance verification and KYC data harvesting, alongside a Telegram-based automated credential checking service (“RhScan Bot”) charging $0.0003 per line to validate accounts.
4. Vulnerability Disclosures and Initial Access Brokering
The landscape featured the trade of critical software vulnerabilities, malware, and remote access to enterprise environments.
Vulnerabilities and Exploits
- ChatGPT Code Execution Runtime Exfiltration: Check Point Research disclosed a critical flaw where a single malicious prompt activated a covert exfiltration channel within ChatGPT’s sandboxed environment, allowing for the silent theft of user messages and uploaded files, and enabling remote shell access for backdoored GPTs.
- Figma Zero-Click RCE: A security researcher disclosed a complex zero-click Remote Code Execution vulnerability chain in Figma’s desktop Electron application. The exploit chained prototype pollution, a race condition, and XSS to execute arbitrary code via an exposed IPC handler.
- AI Code Generation RCE (CVE-2026-4137): A threat actor detailed a remote code execution vulnerability affecting AI/ML code generation endpoints, utilizing prompt injection and sandbox evasion to bypass input validation.
- NPM Client Compromise: An actor named “./xorcat~files” claimed to expose unauthenticated access to a production app’s configuration (42 config keys) and identified two critical CVEs in an official NPM client package, mapping user biographical data and internal sports provider IDs.
Malware and Exploit Kits
- DarkSword iOS Exploit Kit: Source code was leaked for “DarkSword,” an alleged nation-state-grade iOS exploit kit (also called Coruna/CryptoWaters). The kit claims to chain 6 vulnerabilities to compromise iOS 18.4-18.7 devices via a single Safari visit, delivering malware (GHOSTBLADE, GHOSTKNIFE) for device takeover and crypto wallet theft.
- Yellow Stealer: Threat actor “Polaris Web” sold a C/C++ x64 information stealer capable of harvesting browser credentials, Discord/Telegram sessions, over 150 crypto wallets, and utilizing UAC bypasses.
- WhatsApp Phishing Panel: A complete toolkit was sold for $300, providing source code for a phishing panel and software to hijack WhatsApp sessions and automate malicious message sending.
Initial Access and Infrastructure Services
- Cloud RDP Access: Brokers like “Squad Chat Marketplace” and “PORTAL” rented RDP access to major cloud providers (Azure, AWS, DigitalOcean) for $200, bundling them with compromised domain emails and GitHub student accounts.
- Bulletproof Hosting: “BitHosting” advertised offshore VPS hosting with 2 Gbps shared bandwidth and cryptocurrency payments, geared toward hosting malicious infrastructure.
- South Korean Insurance Firm: “TunaFish” sold SYSTEM-level access to a South Korean insurance company with $10M-$25M revenue via a compromised VMware Horizon instance for $898 in Bitcoin.
5. Defacement and Hacktivism Campaigns
Ideological and opportunistic threat actors executed numerous website defacement campaigns.
The YIIX103 Defacement Campaign
An independent threat actor using the alias “YIIX103” executed a focused defacement campaign against Indian manufacturing, automotive, and industrial websites. The attacks generally targeted specific PHP files (e.g., yo.php) rather than homepage takeovers, and many were “redefacements,” indicating persistent vulnerabilities on the host servers.
- Victims Included: DC Motor India, Ashwamegh Industries, Kuldevi Engineers, SK Weighbridge (mass defacement), Advance Bird Net Services, Nutrack Modular System, and Royal Air Component.
Hacktivist Operations
- OpsShadowStrike: In collaboration with groups like TengkorakCyberCrew and EagleCyberCrew, this actor defaced multiple US real estate and auction websites (eiumis.com, decaturrealtors.com), citing political motivations related to Palestine and Iran.
- BABAYO ERROR SYSTEM: Actor “m4ul1337” targeted specific pages on the Indian e-commerce platform manavelex.com and the payment processor MyRoadPay.
- Khaibar Tech Team & Fynix: These groups claimed a politically motivated breach of the Turkish law firm Küçükislamoğlu Partners, citing intentions to target digital infrastructure associated with Zionist and American affiliates.
- Hanzalah: The Iranian group executed a mass cyber attack targeting Israeli civilian telecommunications, sending hundreds of thousands of SMS messages containing political warnings.
6. Fraud, Phishing, and Carding Operations
The underground economy for financial fraud, identity theft, and phishing infrastructure was highly active.
Financial and Identity Data
- Identity Packages (Fullz): Actors like “Samguz766” and “parkeradam964” sold comprehensive identity records (SSNs, DOBs, W2 forms, passports, UK NINs, Canadian SINs). Another actor, “Tryrdf,” sold high-quality fraudulent documents including LLC records and bank details.
- Payment Card Dumps: “preston45” (ColdApollo) sold freshly skimmed Track 1 and Track 2 dumps with PINs ($60-$80) and cloned credit cards preloaded with balances up to $9,500 for ATM cash-outs. “BigBoris” sold multi-country CVV data for $30-$45 per record in BTC/USDT.
- EBT Fraud: A threat actor (“tecat39051”) actively solicited bulk Electronic Benefits Transfer (EBT) data from spammers to conduct cashout operations, highlighting ongoing government benefits fraud.
- SEC Filing Fraud: An actor named “GetRenewed” offered a $25,000 service to register fraudulent shell companies in the US and file them with the SEC’s EDGAR system to create legitimate-looking entities for money laundering.
Phishing and Surveillance Infrastructure
- Bulk SMS Services: “Alice_sms6” operated a bulk SMS phishing gateway targeting financial institutions (Binance, PayPal, BBVA) across Europe with claims of 75-95% validity rates. “Young Global Bulk sms” offered similar high-quality SMS routes across 20+ European nations.
- VoIP Spoofing (GoyCall): Actor “Kevinn” sold a premium VoIP service enabling caller ID spoofing across 200 countries with voice changers and verified caller ID bypass capabilities for social engineering.
- Telegram Surveillance: The “Funstat” bot was advertised as a massive global database allowing users to extract message histories, map group memberships, and execute global message searches, posing severe privacy risks. Another bot (“la_kabra_666”) offered instant doxxing by national ID numbers.
7. Conclusion
The cyber incident data from April 28, 2026, reveals a highly industrialized threat landscape. The volume of credential combolists distributed—amounting to hundreds of millions of records—indicates that credential stuffing remains a primary vector for initial access. The severe compromises of the Indonesian government sector, the French national ID infrastructure, and platforms like Polymarket highlight critical vulnerabilities in API security, authentication middleware, and legacy systems. Threat actors are increasingly utilizing automated Telegram bots to monetize stolen data, provide fraud-as-a-service infrastructure, and distribute exploit kits.
Detected Incidents Draft Data
- Alleged DDoS-as-a-Service Operation – Goofystress
Category: Cyber Attack
Content: Goofystress (goofystresse.st) is advertising DDoS attack services offering Layer 4 (TCP/UDP flood up to 2-10 million PPS) and Layer 7 (CAPTCHA, cache, UAM bypasses) capabilities. Service claims 3+ years of operation with 1000-1500 customers. Includes game-specific DDoS bypasses for Fortnite, Minecraft, Apex, COD, Roblox, and Battlefield. Auto-payment system available via website.
Date: 2026-04-28T23:55:53Z
Network: telegram
Published URL: https://t.me/c/1669509146/95967
Screenshots:
None
Threat Actors: Goofystress
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Multiple Stolen Databases Including Financial, Aviation, and Entertainment Records
Category: Services
Content: A threat actor operating under the FACE OFF brand on a cybercrime forum is selling multiple stolen databases spanning financial platforms (Robinhood, Binance, OKX), aviation (LA Airport, 2.9M rows including names, emails, and CPA numbers), UK banking (full names, DOB, account numbers, sort codes), and Australian entertainment data (29M records including ticketing and passport data). The actor also offers SIP trunk and DID telephony access, fraudulent call center services with multilingual spea
Date: 2026-04-28T23:45:00Z
Network: openweb
Published URL: https://pwnforums.st/Thread-%E2%AD%90-GLOBAL-SIP-DATA-MARKET-FACE-OFF%E2%AD%90
Screenshots:
None
Threat Actors: Kevinn
Victim Country: Unknown
Victim Industry: Multiple Sectors (Financial, Aviation, Entertainment)
Victim Organization: Robinhood, Binance, OKX, LA Airport, UK Banking Institutions, Australia Entertainment
Victim Site: Unknown
- Alleged Data Breach of Caritas-Spes Humanitarian Organization in Odesa, Ukraine
Category: Data Breach
Content: A threat actor claims to have breached Caritas-Spes, a humanitarian aid organization in Odesa, Ukraine, exfiltrating sensitive data on thousands of vulnerable beneficiaries including internally displaced persons, refugees, disabled individuals, and other war-affected populations. The stolen data allegedly includes full names, national ID and tax numbers, IBAN bank account details, Ukrainian passport scans, residential addresses, phone numbers, and internal organizational documents. The actor is
Date: 2026-04-28T23:34:03Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-The-Caritas-Spes-organization-in-Odesa-Data-Leak
Screenshots:
None
Threat Actors: blacknet00
Victim Country: Ukraine
Victim Industry: Non-Profit / Humanitarian Aid
Victim Organization: Caritas-Spes Odesa
Victim Site: Unknown
- Alleged leak of email and password combolist
Category: Combo List
Content: A threat actor operating under the alias COYYYTOOOO on DemonForums has made available a combolist containing email and password combinations via a free download link hosted on pasteview.com. The post provides no additional context regarding the origin, targeted organization, or number of records included. The leak was shared freely with no price or conditions mentioned.
Date: 2026-04-28T23:26:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-PRIVATE-ACCESS
Screenshots:
None
Threat Actors: COYYYTOOOO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of private combolist or credential data
Category: Combo List
Content: A threat actor operating under the handle COYYYTO shared a download link on the CrackingX forum under a thread titled PRIVATE ACCESS, hosted on pasteview.com. The post appears to distribute a combolist or credential dump freely with no price mentioned. No specific victim organization, country, or record count could be determined from the available information.
Date: 2026-04-28T23:25:43Z
Network: openweb
Published URL: https://crackingx.com/threads/73601/
Screenshots:
None
Threat Actors: COYYYTO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of MSN.com credential combolist targeting European users
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist of 2,171 credential pairs associated with msn.com, purportedly targeting European users. The list was shared via a Mega.co.nz download link on the cracking forum CrackingX. The post is dated April 28, 2026, though this date may reflect a future-dated or mislabeled timestamp.
Date: 2026-04-28T23:25:18Z
Network: openweb
Published URL: https://crackingx.com/threads/73602/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft (MSN)
Victim Site: msn.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Sellerxd has shared a combolist of alleged Hotmail credentials on DemonForums, claiming to contain 1,070 valid email and password combinations. The content is hidden behind a registration or login requirement, suggesting it is available to forum members at no explicit monetary cost. The validity and origin of the credentials have not been independently verified.
Date: 2026-04-28T23:25:13Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1070x-Valid-HQ-Hotmails
Screenshots:
None
Threat Actors: Sellerxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credentials via combolist distribution
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist of 89 alleged UHQ (ultra-high quality) Hotmail credentials via a paste site and a Telegram channel. The post promotes a paid cloud service with a built-in inboxer tool, suggesting the credentials have been verified for inbox access. Pricing tiers for the cloud service range from $3 for 24 hours to $120 for lifetime access.
Date: 2026-04-28T23:24:54Z
Network: openweb
Published URL: https://crackingx.com/threads/73603/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Amazon AWS credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist allegedly containing 5 million Amazon AWS credentials via Telegram. The content is offered for free through Telegram channels and direct contact. The post does not include any sample data or verification of the claims.
Date: 2026-04-28T22:46:24Z
Network: openweb
Published URL: https://crackingx.com/threads/73596/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Cloud Computing
Victim Organization: Amazon AWS
Victim Site: aws.amazon.com
- Alleged leak of mixed country credential combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a mixed-country combolist containing approximately 17,000 credential pairs, made available to registered users. The post provides no details regarding the specific countries, services, or organizations from which the credentials originate. The content is gated behind a registration requirement on the forum.
Date: 2026-04-28T22:45:42Z
Network: openweb
Published URL: https://crackingx.com/threads/73597/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of multi-platform credential combolist including Netflix, Steam, Spotify and others
Category: Combo List
Content: A threat actor known as Ra-Zi has shared a combolist containing approximately 120,000 email:password credential pairs allegedly valid for multiple streaming and gaming platforms including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The combolist is made available via a hidden download link on the forum, with registration or login required to access it. The same actor also advertises paid credential lists through a Telegram channel and a dedicated cracking website.
Date: 2026-04-28T22:45:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-120k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–202119
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Netflix, Minecraft, Uplay, Steam, Hulu, Spotify
Victim Site: Unknown
- Alleged leak of Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist containing approximately 60,000 Gmail credentials on the cracking forum CrackingX. The post is categorized under Combolists & Dumps and appears to be a free release. Full content requires forum registration or sign-in to access.
Date: 2026-04-28T22:45:05Z
Network: openweb
Published URL: https://crackingx.com/threads/73598/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
- Alleged leak of 20,000 email and password credentials on underground forum
Category: Combo List
Content: A threat actor operating under the alias wingoooW has made available a combolist containing approximately 20,000 claimed valid email and password credential pairs via a free download link hosted on pasteview.com. The post was shared on the DemonForums combolist section with no additional context regarding the origin or targeted organizations. The validity and source of the credentials remain unverified.
Date: 2026-04-28T22:44:48Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-20K-VALID-ACCESS
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of USA, UK, and Canada Personal Data Including SSN, DOB, and Financial Records
Category: Data Breach
Content: A threat actor operating under the handle Samguz766 is selling verified personal data records for individuals in the USA, UK, and Canada. The offerings include full identity records (SSN, DOB, drivers license, address, employment details), tax-related data (W2 forms, 1040s, EIN leads), Medicare records, LLC documents, passports, and financial data including bank statements and CashApp details. The actor accepts Bitcoin and USDT payments and also offers hacking and spamming tools, scam pages, an
Date: 2026-04-28T22:42:07Z
Network: openweb
Published URL: https://altenens.is/threads/valid-usa-uk-canada-database-get-sample-first.2931180/unread
Screenshots:
None
Threat Actors: Samguz766
Victim Country: United States, United Kingdom, Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Canadian Tire Customer Records
Category: Data Leak
Content: A threat actor operating under the alias ROCK01 has made available an alleged database dump containing approximately 10 million Canadian Tire customer records. The leaked data reportedly includes names, addresses, cities, provinces, postal codes, and phone numbers, distributed in CSV format with a compressed size of 105 MB. The post requires forum engagement to access the download link, and a Telegram contact handle (@jamesdigga) is also provided.
Date: 2026-04-28T22:41:52Z
Network: openweb
Published URL: https://altenens.is/threads/canadian-tire-breach-2025-exposed-with-names-emails-etc.2931190/unread
Screenshots:
None
Threat Actors: ROCK01
Victim Country: Canada
Victim Industry: Retail
Victim Organization: Canadian Tire
Victim Site: canadiantire.ca
- Alleged leak of mixed credential combolists including Hotmail, Live, and Outlook accounts
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly has made available a 4GB collection of URL:Login:Password credential lines sourced from stealer logs, shared via a Telegram channel. The combolist includes mixed credentials spanning multiple regions (EU, UK, FR, PL, DE, IT) with a focus on Microsoft email services including Hotmail, Live, Outlook, and MSN accounts. The actor promotes daily free distribution of logs, cookies, and credential lists through Telegram, while also offering items fo
Date: 2026-04-28T22:41:40Z
Network: openweb
Published URL: https://altenens.is/threads/4gb-url-login-pass-lines-from-logs.2931184/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential logs including Hotmail, Live, and Outlook accounts
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly is distributing 1.5GB of mixed credential logs, cookies, and combolists via Telegram on a daily basis for free. The data includes email credentials from services such as Hotmail, Live, Outlook, and MSN, with geographic coverage spanning multiple European regions including the EU, UK, France, Poland, Germany, and Italy. The actor also advertises paid offerings through a Telegram bot (@suphoodbot), suggesting a dual free-and-paid distribution m
Date: 2026-04-28T22:41:26Z
Network: openweb
Published URL: https://altenens.is/threads/1-5gb-full-logs.2931185/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of credential combolists and account access across multiple countries
Category: Combo List
Content: Multiple vendors are advertising the sale of credential combolists (email:password combinations) and private cloud database access containing Hotmail credentials and account data for various platforms (eBay, Walmart, Amazon, Kleinanzeigen, Poshmark, etc.) across multiple countries including UK, DE, JP, NL, BR, PL, ES, US, IT, FR, MX, CA, SG, and others. Vendors claim to have private cloud infrastructure with high-quality (HQ) credential datasets and offer keyword-specific searches.
Date: 2026-04-28T22:40:05Z
Network: telegram
Published URL: https://t.me/c/2613583520/71718
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Multiple (United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy, France, Mexico, Canada, Singapore, Russia)
Victim Industry: E-commerce, Email Services, Financial Services
Victim Organization: Unknown
Victim Site: Unknown
- Alleged defacement of Küçükislamoğlu Partners website by Khaibar Tech Team and Fynix
Category: Defacement
Content: Khaibar Tech Team in collaboration with Fynix claims to have successfully breached the official website of Küçükislamoğlu Partners, a Turkish law and legal consultancy firm. The threat actors state this operation marks the beginning of joint offensive activities and cite political motivations related to Palestine. They claim intentions to continue targeting digital infrastructure of entities they describe as Zionist and American affiliates.
Date: 2026-04-28T22:38:18Z
Network: telegram
Published URL: https://t.me/KHB313/15
Screenshots:
None
Threat Actors: Khaibar Tech Team
Victim Country: Turkey
Victim Industry: Legal Services
Victim Organization: Küçükislamoğlu Partners
Victim Site: www.kucukislamoglu.av.tr
- Alleged leak of mixed email credentials and combolist data including Hotmail, Live, and Outlook accounts
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly has made available a mixed combolist of approximately 20,000 credential lines, including Hotmail, Live, Outlook, and MSN email accounts spanning multiple European regions (EU, UK, France, Poland, Germany, Italy). The post advertises free daily distributions of ULP (URL:Login:Password) combolists, logs, cookies, and leaked data via a Telegram channel. The actor also promotes a Telegram bot (@suphoodbot) for purchase inquiries, suggesting addit
Date: 2026-04-28T22:37:53Z
Network: openweb
Published URL: https://altenens.is/threads/20k-mix-lines-mail-access.2931181/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail and mixed email credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias WhiteMelly has shared a combolist containing approximately 2,000 Hotmail credential lines (email:password format) on a cybercrime forum. The post advertises daily free distributions of mixed credential lists, logs, cookies, and leaked data via a Telegram channel, covering multiple email providers including Hotmail, Live, Outlook, and MSN across various European regions. The actor also solicits buyers through a Telegram bot handle (@suphoodbot) for those
Date: 2026-04-28T22:37:40Z
Network: openweb
Published URL: https://altenens.is/threads/2k-hotmail-lines-mail-access.2931182/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of 120,000 mixed email credentials combolist
Category: Data Leak
Content: A threat actor known as carlos080 has shared a free download of a combolist containing approximately 120,000 email:password credential pairs described as fresh and high quality. The combolist is mixed format, including credentials associated with major email providers such as AOL, Yahoo, Hotmail, and Outlook, spanning multiple countries including the USA, UK, France, Germany, Spain, Italy, Canada, and Australia. The actor also advertises paid combo services via Telegram handle @KOCsupport.
Date: 2026-04-28T22:37:27Z
Network: openweb
Published URL: https://altenens.is/threads/120k-fresh-hq-combolist-email-pass-mixed.2931188/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of URL:Login:Password credential list containing 6.18 million records
Category: Data Leak
Content: A threat actor operating under the alias DaxusULP has made available a URL:Login:Password combolist containing approximately 6.18 million credential pairs on the XF forum. The post promotes the Daxus.pro platform and associated Telegram channels for access to the full dataset. No specific victim organization or targeted service has been identified, suggesting this is an aggregated credential list sourced from multiple origins.
Date: 2026-04-28T22:32:06Z
Network: openweb
Published URL: https://xforums.st/threads/url-log-pass-6-18-m-daxus-pro-uhq.611863/
Screenshots:
None
Threat Actors: DaxusULP
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Initial Access to South Korean Insurance Firm via VMware Horizon
Category: Initial Access
Content: A threat actor operating under the alias TunaFish is selling SYSTEM-level access to an unnamed South Korean insurance company via a compromised VMware Horizon instance. The target organization reportedly generates between $10M and $25M in annual revenue and operates a network of approximately 500 hosts protected by SentinelOne EDR. The access is listed for $898 in Bitcoin on a dark web forum.
Date: 2026-04-28T22:28:06Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-VMware-Horizon-Insurance-South-Korea-10M-25M-revenue
Screenshots:
None
Threat Actors: TunaFish
Victim Country: South Korea
Victim Industry: Insurance
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of USA Police Database with 90,000 Records
Category: Data Breach
Content: A threat actor operating under the alias spider321 is selling a database allegedly containing 90,000 records of US law enforcement personnel. The exposed data includes full names, email addresses, phone numbers, IP addresses, agency affiliations, job titles, zip codes, and supervisor contact details spanning multiple police departments and law enforcement agencies across Texas and Missouri. Sample records include personnel from agencies such as Dallas County Sheriffs Office, Frisco Police Dep
Date: 2026-04-28T22:26:01Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-USA-Police-Db-90k-records
Screenshots:
None
Threat Actors: spider321
Victim Country: United States
Victim Industry: Law Enforcement / Public Safety
Victim Organization: Multiple US Law Enforcement Agencies
Victim Site: Unknown
- Alleged Sale of FBI Employee Credentials
Category: Data Breach
Content: A threat actor operating under the alias spider321 is allegedly selling a dataset of FBI employee credentials on the Sellers Place forum. The dataset, claimed to contain over 110,000 records, includes plaintext email and password combinations associated with fbi.gov and ic.fbi.gov domains. Interested buyers are directed to contact the seller via Telegram at @Gotham5599.
Date: 2026-04-28T22:25:21Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-FBI-DATA
Screenshots:
None
Threat Actors: spider321
Victim Country: United States
Victim Industry: Government
Victim Organization: Federal Bureau of Investigation (FBI)
Victim Site: fbi.gov
- Alleged Sale of M1 Abrams Tank Military Manuals
Category: Data Breach
Content: A threat actor operating under the alias spider321 on the Sellers Place forum is claiming to possess M1 Abrams tank technical manuals in PDF format and is offering them for sale. Interested buyers are directed to contact the actor via Telegram at @Gotham5599. The origin and authenticity of the claimed military documents have not been verified.
Date: 2026-04-28T22:24:43Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-M1-Abrams-tank-manuals
Screenshots:
None
Threat Actors: spider321
Victim Country: United States
Victim Industry: Defense & Military
Victim Organization: Unknown
Victim Site: Unknown
- Alleged exposure of production app configuration and critical vulnerabilities in official NPM client
Category: Vulnerability
Content: A security researcher or threat actor claims to have discovered unauthenticated access to an entire production application configuration containing 42 config keys (feature flags, promo banners, KYC settings, referral codes, UI layouts, chat assets). The actor additionally claims to have identified two critical CVEs in the organization's official NPM client package and to have successfully harvested user biographical data, including political affiliations and social media links. Internal sports data provider IDs were also reportedly mapped.
Date: 2026-04-28T22:17:10Z
Network: telegram
Published URL: https://t.me/c/3793980891/3151
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Technology/Finance (inferred from KYC, referral, sports data references)
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail and streaming service credentials combolist
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a combolist containing approximately 394,054 credential pairs targeting Hotmail accounts and streaming service users. The list is described as fresh and is being distributed freely via a Mega.nz file sharing link. The combolist appears to aggregate credentials potentially usable for account takeover attacks against streaming platforms.
Date: 2026-04-28T22:01:45Z
Network: openweb
Published URL: https://crackingx.com/threads/73591/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology / Streaming
Victim Organization: Microsoft Hotmail / Multiple Streaming Services
Victim Site: hotmail.com
- Alleged exposure of Polymarket admin portal with Vercel SSO access
Category: Initial Access
Content: Exposed Polymarket production admin portal (pmoo-admin-portal.prd.preview.polymarket.dev) with Vercel SSO authentication credentials made available.
Date: 2026-04-28T22:01:24Z
Network: telegram
Published URL: https://t.me/c/3793980891/3148
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: United States
Victim Industry: Cryptocurrency/Prediction Markets
Victim Organization: Polymarket
Victim Site: polymarket.dev
- Alleged leak of PSN credentials combolist
Category: Combo List
Content: A threat actor known as CODER is distributing a PlayStation Network (PSN) combolist referred to as PSN COMBO 12 ML via Telegram channels. The post directs users to a Telegram contact and two group channels for free access to the credential list and related tools. No further details regarding the number of records or data fields are provided in the post.
Date: 2026-04-28T22:00:52Z
Network: openweb
Published URL: https://crackingx.com/threads/73592/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: PlayStation Network
Victim Site: playstation.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a combolist containing 728 alleged Hotmail credentials via a public paste link and a Telegram channel. The post promotes a paid cloud service and inbox-checking tool, suggesting the credentials have been validated. The actor is also monetizing access to a broader credential cloud service with tiered pricing.
Date: 2026-04-28T22:00:03Z
Network: openweb
Published URL: https://crackingx.com/threads/73593/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Outlook.com mixed combolist credentials
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a mixed combolist containing 12,773 lines of credentials targeting outlook.com accounts, dated April 28, 2026. The combolist, shared via a Mega.co.nz link on a cracking forum, appears to contain email and password combinations sourced from multiple origins. The post requires a reaction to access the download link.
Date: 2026-04-28T21:59:31Z
Network: openweb
Published URL: https://crackingx.com/threads/73594/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: outlook.com
- Alleged leak of 3.1 million URL-login-password credentials
Category: Combo List
Content: A threat actor operating under the alias RandomUpload has shared a combolist containing approximately 3.1 million URL, login, and password combinations on the cracking forum CrackingX. The post requires forum registration to access the hidden download content. No specific victim organization or country has been identified, suggesting this is an aggregated credential list compiled from multiple sources.
Date: 2026-04-28T21:59:06Z
Network: openweb
Published URL: https://crackingx.com/threads/73595/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged cyber attack on Arvan Cloud and Hamrah-e Aval infrastructure by Jujeh Ordak group
Category: Cyber Attack
Content: The post claims that the Jujeh Ordak (Ugly Duckling) threat group conducted an attack against Arvan Cloud infrastructure and Hamrah-e Aval (Iranian telecom/infrastructure provider) systems.
Date: 2026-04-28T21:41:08Z
Network: telegram
Published URL: https://t.me/c/3575098403/142
Screenshots:
None
Threat Actors: Jujeh Ordak
Victim Country: Iran
Victim Industry: Cloud Infrastructure, Telecommunications
Victim Organization: Arvan Cloud, Hamrah-e Aval
Victim Site: Unknown
- Alleged data breach of pcd.com.sa
Category: Data Leak
Content: A threat actor known as lulzintel has made available an alleged database dump from pcd.com.sa, a Saudi Arabian organization. The breach reportedly occurred in April 2026 and exposed data belonging to approximately 72,558 customers. The database is being offered as a free download on a cybercrime forum, gated behind a points-based unlock system.
Date: 2026-04-28T21:26:55Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-SA-pcd-com-sa-Database-Leaked-Download
Screenshots:
None
Threat Actors: lulzintel
Victim Country: Saudi Arabia
Victim Industry: Unknown
Victim Organization: PCD
Victim Site: pcd.com.sa
- Alleged Multiple Vulnerabilities in Polymarket Platform Including SSRF, Authorization Bypass, and API Abuse
Category: Vulnerability
Content: A security researcher discloses multiple vulnerabilities in Polymarket's infrastructure: (1) Unauthenticated /reports endpoint exposing 100 moderation records with internal system metadata including admin authentication addresses; (2) CVE-2025-62718 – SSRF vulnerability in polymarket/clob-client axios 1.14.0 via hostname normalization and NO_PROXY bypass allowing access to 169.254.169.254 and internal Kubernetes services (CVSS 9.9); (3) CVE-2024-51479 – Next.js middleware authorization bypass affecting affiliate.polymarket.com and preprod deployments with potential admin dashboard access; (4) API abuse vectors including lack of input validation (limit=999999, offset=-1 accepted), insufficient rate limiting (112 req/10s unblocked), and CORS misconfiguration (wildcard + credentials=true).
Date: 2026-04-28T21:26:49Z
Network: telegram
Published URL: https://t.me/c/3793980891/3143
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: United States
Victim Industry: Cryptocurrency/Prediction Markets
Victim Organization: Polymarket
Victim Site: polymarket.com
- Alleged leak of Hotmail.fr credential combolist targeting European users
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist containing approximately 1,846 email:password credential pairs associated with hotmail.fr accounts. The post is dated April 28, 2026, and targets European users. The combolist was shared freely via a Mega.co.nz link on the cracking forum CrackingX.
Date: 2026-04-28T21:19:16Z
Network: openweb
Published URL: https://crackingx.com/threads/73586/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: France
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.fr
- Alleged leak of Hotmail credential combolist with country-sorted hits
Category: Combo List
Content: A threat actor operating under the alias Hotmail Cloud has made available a combolist of 1,259 claimed high-quality Hotmail credential hits on the cracking forum CrackingX. The leak includes inbox-verified accounts sorted by country, along with associated keyword targets, suggesting the credentials have been tested and validated for active inbox access.
Date: 2026-04-28T21:19:01Z
Network: openweb
Published URL: https://crackingx.com/threads/73587/
Screenshots:
None
Threat Actors: Hotmail Cloud
Victim Country: Multiple Countries
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged leak of 12 million SMTP/IMAP credentials via combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist containing approximately 12 million SMTP and IMAP credentials via Telegram channels. The content appears to be freely shared through two Telegram groups, with the actor also offering additional combos upon direct contact. No specific victim organization or country has been identified.
Date: 2026-04-28T21:18:45Z
Network: openweb
Published URL: https://crackingx.com/threads/73588/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail and Outlook credentials combolist
Category: Combo List
Content: A threat actor known as karaokecloud has made available a combolist containing 810 email:password credential pairs for Hotmail and Outlook accounts on the cracking forum CrackingX. The combolist is offered as a free download. No specific breach source or victim country has been identified.
Date: 2026-04-28T21:18:28Z
Network: openweb
Published URL: https://crackingx.com/threads/73589/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Brazilian email and password combolist
Category: Combo List
Content: A threat actor known as ShroudX has shared an alleged high-quality Brazilian email and password combolist on a cybercrime forum. The credential list is being made available for free to users who reply to the thread. The origin and scope of the combolist are unknown, as the post content is hidden behind a reply gate.
Date: 2026-04-28T20:56:50Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-BRAZIL-EMAILPASS-COMBOLIST-txt–188734
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Canadian email and password combolist
Category: Combo List
Content: A threat actor operating under the alias ShroudX has shared an alleged high-quality Canadian email and password combolist on a cybercrime forum. The content is gated behind a reply requirement, suggesting it is being distributed freely to forum members. The post does not specify the source, number of records, or targeted organizations.
Date: 2026-04-28T20:56:07Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-CANADA-EMAILPASS-COMBOLIST-txt–188735
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of France email and password combolist
Category: Combo List
Content: A threat actor known as ShroudX has shared an alleged high-quality French email and password combolist on a cybercrime forum. The content is gated behind a reply requirement, suggesting it is being distributed for free to forum members. The combolist appears to contain email address and password credential pairs targeting French users.
Date: 2026-04-28T20:55:26Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-FRANCE-EMAILPASS-COMBOLIST-txt–188736
Screenshots:
None
Threat Actors: ShroudX
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email:password combolist on cybercrime forum
Category: Combo List
Content: A threat actor known as ShroudX has shared a mixed email:password combolist on a cybercrime forum, made available to users who reply to the thread. The combolist is described as high quality and contains credentials from multiple sources. No specific victim organization, country, or record count has been identified.
Date: 2026-04-28T20:54:26Z
Network: openweb
Published URL: https://pwnforums.st/Thread-HQ-MIXED-EMAILPASS-COMBOLIST-txt–188738
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged data breach of Creedx / MonsterGateway Brazilian white-label payment gateway
Category: Data Breach
Content: Threat actor ka1do claims a full compromise of Creedx Finance LTDA's Supabase CRM, a Brazilian white-label payment gateway operating under the brands Creedx and MonsterGateway. The breach allegedly exposed 43,000+ leads containing full PII (names, emails, WhatsApp numbers, CPFs), integration API keys, and financial configurations, while 27 admin backdoors were created across client tenants and unauthenticated payment webhooks were exploited to fraudulently mark transactions as paid. The actor
Date: 2026-04-28T20:23:09Z
Network: openweb
Published URL: https://breached.st/threads/full-breach-creedx-monstergateway-brazilian-white-label-payment-gateway-supabase-crm-full-compromise.86434/unread
Screenshots:
None
Threat Actors: ka1do
Victim Country: Brazil
Victim Industry: Financial Services
Victim Organization: Creedx Finance LTDA
Victim Site: creedx.com.br
- Alleged Sale of Hotmail Credential Combolist with Inboxer Tool
Category: Combo List
Content: A threat actor known as snowstormxd is selling a combolist of 728 Hotmail credentials on a cracking forum. The post includes a download link and promotes a paid cloud service ranging from $3 for 24 hours to $120 for lifetime access. A built-in inboxer tool is advertised alongside the credential list, suggesting the credentials have been validated for inbox access.
Date: 2026-04-28T19:58:21Z
Network: openweb
Published URL: https://crackingx.com/threads/73577/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed European credential combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has shared a mixed combolist on a cracking forum, reportedly containing 6,857 lines of credentials targeting European users. The combolist was made available as a free download via a Mega file-sharing link. No specific organization or industry has been identified as the source of the leaked credentials.
Date: 2026-04-28T19:58:06Z
Network: openweb
Published URL: https://crackingx.com/threads/73578/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Europe
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Fullz, SSN, SIN, NIN and Financial Leads Across Multiple Countries
Category: Combo List
Content: A threat actor operating under the Telegram handle @Adamspeek is advertising the sale of fullz and personally identifiable information including US Social Security Numbers, Canadian Social Insurance Numbers, and UK National Insurance Numbers. The offering also includes credit card dumps, financial leads across multiple sectors such as mortgage, crypto, forex, and insurance, as well as driver's license images with selfies. The actor claims data is fresh and replaceable, with bulk discounts availa
Date: 2026-04-28T19:57:50Z
Network: openweb
Published URL: https://crackingx.com/threads/73580/
Screenshots:
None
Threat Actors: parkeradam964
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor known as Megacloud shared a combolist of 600 allegedly valid Hotmail credentials on the AE – Combo List forum. The post, dated April 28, is gated behind a reply requirement, suggesting it is a free leak rather than a sale. The credentials are described as high quality and freshly validated.
Date: 2026-04-28T19:54:25Z
Network: openweb
Published URL: https://altenens.is/threads/600x-hotmail-just-valid-just-top-quality-28-04.2931156/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged sale of stolen account credentials and access logs for email, banking, and social media services
Category: Logs
Content: A threat actor is offering for sale stolen credentials and account access logs for multiple services including Hotmail, Gmail, Comcast, ATT, AOL, Facebook, LinkedIn, iCloud, Uber, Reddit, and various dating/travel platforms. The post indicates availability of UHQ (ultra high quality) mailpass access and full account information.
Date: 2026-04-28T19:23:34Z
Network: telegram
Published URL: https://t.me/c/2613583520/71641
Screenshots:
None
Threat Actors: Yìchén
Victim Country: Unknown
Victim Industry: Multiple (Email, Social Media, Financial, Travel, Dating)
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 130,000 Japanese email credentials
Category: Combo List
Content: A threat actor operating under the alias el_capitan has shared a combolist of approximately 130,000 email and password credential pairs allegedly associated with Japanese users on a cybercrime forum. The content is described as semi-private and high quality. The actor also advertises cracking, spamming, and dumping tools and services via Telegram.
Date: 2026-04-28T19:20:16Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-130K-JAPAN-Semi-Private-HQ-Fresh-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 310,000 Polish credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist containing approximately 310,000 email and password credential pairs associated with Polish users. The content is hidden behind a registration or login requirement on the forum. The actor promotes additional services including spam tools, cracking tools, and lessons via Telegram channels.
Date: 2026-04-28T19:19:54Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-310K-POLAND-Good-Quality-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as el_capitan has made available a combolist containing approximately 450,000 Hotmail email and password combinations on a cybercrime forum. The content is hidden behind a registration or login requirement. The actor also promotes services including combo sales, spamming, dumping, and cracking tools via Telegram channels.
Date: 2026-04-28T19:19:38Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-450K-HOTMAIL-Good-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Outlook.com European credential combolist
Category: Combo List
Content: A threat actor on a cracking forum has made available a combolist containing 12,767 email and password combinations associated with outlook.com accounts, purportedly targeting European users. The credential list is dated April 28, 2026, and is being distributed for free via a Mega file-sharing link. The combolist may be used for account takeover attempts or credential stuffing attacks.
Date: 2026-04-28T19:19:34Z
Network: openweb
Published URL: https://crackingx.com/threads/73572/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: outlook.com
- Alleged leak of 625,000 Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has made available a combolist claiming to contain 625,000 Gmail email and password combinations. The post is hosted on a known cybercrime forum and the actor advertises additional services including spamming, dumping, and cracking tools. The actor promotes contact via Telegram channels for further engagement.
Date: 2026-04-28T19:19:15Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-625K-GMAIL-High-Quality-Fresh-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
- Alleged leak of mixed combolist with 1,457 entries
Category: Combo List
Content: A threat actor known as snowstormxd has made available a mixed combolist containing 1,457 credential entries via a free download link on pasteview.com and a Telegram channel. The post also promotes a paid cloud service (snowstormxd Cloud) offering tiered subscription pricing, advertising features such as a built-in inboxer and private storage. No specific victim organization or country is identified, suggesting the combolist is aggregated from multiple sources.
Date: 2026-04-28T19:19:03Z
Network: openweb
Published URL: https://crackingx.com/threads/73575/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 7.2 million mixed-country credentials combolist
Category: Combo List
Content: A threat actor operating under the alias el_capitan has shared a combolist containing approximately 7.2 million email and password combinations sourced from multiple countries on a cybercrime forum. The credentials are described as suitable for a variety of malicious uses. The actor promotes additional services including spamming, dumping, and cracking tools via Telegram.
Date: 2026-04-28T19:18:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-7-2M-Mix-Countries-Combolist-Good-For-All
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Business Corporate Email Credentials and SMTP Access
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 118,133 lines of business corporate email credentials paired with passwords and SMTP access details. The data was shared via a Mega.nz file link on the cracking forum CrackingX. The leak appears to target corporate email accounts across multiple organizations, potentially enabling unauthorized SMTP-based email abuse or account takeover.
Date: 2026-04-28T19:18:38Z
Network: openweb
Published URL: https://crackingx.com/threads/73576/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of mixed personal data including SSNs, driver licenses, passports, and corporate records
Category: Data Breach
Content: A threat actor operating under the alias jannat123 is advertising multiple categories of sensitive data for sale via Telegram (@jannat646500). The offered data includes full company databases, scanned identity documents (IDs, driver licenses, passports), consumer information, phone and email lists, credential lists, SSN/SIN databases, and dumps from large websites. The scope and origin of the data remain unverified, and no specific victim organizations or record counts have been disclosed.
Date: 2026-04-28T19:07:14Z
Network: openweb
Published URL: https://xforums.st/threads/i-have-driver-license-ssn-passports-llc-ein-ltd.611861/
Screenshots:
None
Threat Actors: jannat123
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of cookies and credentials for multiple platforms including cPanel, GOG, and Epic Games
Category: Data Leak
Content: A threat actor operating under the alias bluestarcrack has made available what appears to be stolen session cookies and credentials for multiple platforms including cPanel, GOG, and Epic Games. The data is hosted on an external file hosting service (Uploadery). The exact number of affected accounts and geographic scope are unknown.
Date: 2026-04-28T19:06:20Z
Network: openweb
Published URL: https://breached.st/threads/cookies-cpanel-gog-epicgames-more.86431/unread
Screenshots:
None
Threat Actors: bluestarcrack
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Multiple (cPanel, GOG, Epic Games)
Victim Site: Unknown
- Alleged data leak of Club Sportif Multisections (CSME)
Category: Data Leak
Content: A threat actor known as NormalLeVrai has freely leaked 1,272 confidential records allegedly belonging to Club Sportif Multisections (CSME), a French multi-sport association. The data was reportedly extracted directly from the organization's email inbox on 25/04/2026 and includes references to Postal Bank information. The actor also noted that the club manager used his work email to register on dating and adult websites.
Date: 2026-04-28T19:00:32Z
Network: openweb
Published URL: https://spear.cx/Thread-FR-Club-Sportif-Multisections
Screenshots:
None
Threat Actors: NormalLeVrai
Victim Country: France
Victim Industry: Sports & Recreation
Victim Organization: Club Sportif Multisections
Victim Site: Unknown
- Alleged leak of stealer logs and credential combolists
Category: Logs
Content: A threat actor operating under the alias watercloud has made available stealer logs and a ULP (URL:Login:Password) combolist via Pixeldrain file-sharing links. The files are password-protected and shared freely on a dark web forum. No specific victim organization or country has been identified, suggesting the data may span multiple targets harvested through infostealer malware.
Date: 2026-04-28T18:58:59Z
Network: openweb
Published URL: https://darkforums.su/Thread-%E2%AD%90%E2%AD%90%E2%AD%90-STEALER-LOGS-AND-U-L-P-28-04-2026
Screenshots:
None
Threat Actors: watercloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Tawjih.tn database
Category: Data Leak
Content: A database leak allegedly from Tawjih.tn has been reported and documented on hacknotice.com. Tawjih.tn appears to be a Tunisian educational or guidance platform. The leak details are referenced in the provided URL.
Date: 2026-04-28T18:53:27Z
Network: telegram
Published URL: https://t.me/c/3008049195/316
Screenshots:
None
Threat Actors: Mecrobyte
Victim Country: Tunisia
Victim Industry: Education
Victim Organization: Tawjih.tn
Victim Site: tawjih.tn
- Alleged data breach of Polymarket with 800GB of stolen data
Category: Data Breach
Content: A threat actor claims to possess 800GB of data from Polymarket and is threatening to share it unless contacted for negotiation. This suggests a data exfiltration incident with potential extortion.
Date: 2026-04-28T18:47:06Z
Network: telegram
Published URL: https://t.me/c/3793980891/3110
Screenshots:
None
Threat Actors: Unknown
Victim Country: United States
Victim Industry: Cryptocurrency/Prediction Markets
Victim Organization: Polymarket
Victim Site: polymarket.com
- ✪ [ 167 K++ ] Combo ✪ @Elite_Cloud1 ✪ { Mexico } ✪ [ 28/APR/2026 ] ✪
Category: Combo List
Content: New thread posted by thejackal101: ✪ [ 167 K++ ] Combo ✪ @Elite_Cloud1 ✪ { Mexico } ✪ [ 28/APR/2026 ] ✪
Date: 2026-04-28T18:37:59Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-167-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Mexico-%E2%9C%AA-28-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Malaysian credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 59,000 email and password credential pairs allegedly associated with Malaysian users. The post, dated April 28, 2026, is marked as FRESH and HQ (high quality), suggesting recently obtained or validated credentials. The content is hosted behind a registration wall on a cybercrime forum, with additional credential logs promoted via a Telegram channel.
Date: 2026-04-28T18:37:15Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-59-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Malaysia-%E2%9C%AA-28-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Malaysia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Montenegro credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 61,000+ email and password credentials associated with Montenegro. The list is described as FRESH and HQ (high quality), suggesting recently obtained or validated credentials. The post directs users to a Telegram channel (@elite_cloud1) for additional credential lists.
Date: 2026-04-28T18:36:44Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-61-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Montenegro-%E2%9C%AA-28-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Montenegro
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Latvian credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 60,000+ email and password credential pairs allegedly associated with Latvian users. The list is described as fresh and high quality and is being distributed via a hidden content link on the forum, with additional logs promoted through the Telegram channel @elite_cloud1.
Date: 2026-04-28T18:36:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-60-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Latvia-%E2%9C%AA-28-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Latvia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Kenyan email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of over 20,000 email address and password pairs purportedly sourced from Kenya, dated April 28, 2026. The credentials are described as fresh and high quality and are accessible via a hidden content mechanism requiring forum registration. The actor also promotes a Telegram channel (@elite_cloud1) for further credential distributions.
Date: 2026-04-28T18:35:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-20-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Kenya-%E2%9C%AA-28-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Kenya
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Micronesia credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 20,000+ email and password credential pairs purportedly associated with Micronesia. The list is described as fresh and high quality and is shared via a hidden content link on the forum. The actor also promotes a Telegram channel (t.me/elite_cloud1) for additional credential logs.
Date: 2026-04-28T18:35:15Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-20-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Micronesia-%E2%9C%AA-28-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Micronesia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 28,000 valid email access credentials
Category: Combo List
Content: A threat actor on CrackingX (TRLCD2) has shared what is claimed to be a list of 28,000 valid email access credentials. The content is gated behind registration on the forum, limiting full visibility. No specific victim organization, country, or industry has been identified based on available information.
Date: 2026-04-28T18:35:02Z
Network: openweb
Published URL: https://crackingx.com/threads/73567/
Screenshots:
None
Threat Actors: TRLCD2
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Lithuanian credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 17,000+ email and password combinations allegedly associated with Lithuanian users. The credential list is described as fresh and high quality and is shared via a hidden download link on the forum. The actor also directs users to a Telegram channel (@elite_cloud1) for additional credential logs.
Date: 2026-04-28T18:34:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-17-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Lithuania-%E2%9C%AA-28-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Lithuania
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a mixed Hotmail credential combolist containing approximately 9 million entries. The combolist is being distributed for free via Telegram channels linked to the actor. The post directs interested parties to contact the actor via Telegram handle CODER5544 or join associated group channels.
Date: 2026-04-28T18:34:46Z
Network: openweb
Published URL: https://crackingx.com/threads/73571/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of 500GB+ Indonesian eBook collection from iPusnas
Category: Data Leak
Content: A threat actor on Breached forums has made available a collection of over 500GB of Indonesian eBook PDFs allegedly sourced from iPusnas, Indonesia's national digital library platform. The actor claims the collection includes high-quality text-based eBooks not available on other platforms such as Zlibrary or Anna's Archive. The content is suggested for use in LLM training datasets, and a session token is included as a sample.
Date: 2026-04-28T18:22:36Z
Network: openweb
Published URL: https://breached.st/threads/500gb-indonesian-ebook-from-ipusnas.86428/unread
Screenshots:
None
Threat Actors: yugdab
Victim Country: Indonesia
Victim Industry: Digital Library / Publishing
Victim Organization: iPusnas
Victim Site: ipusnas.id
- Alleged Data Breach of SMK Negeri 3 Kota Tangerang Selatan
Category: Data Breach
Content: A threat actor known as Mr. Hanz Xploit has posted what appears to be a database allegedly belonging to SMK Negeri 3 Kota Tangerang Selatan, a vocational high school in South Tangerang City, Indonesia. The post was shared on the Breached forum under the databases section. No further details regarding the content, record count, or nature of the data are available.
Date: 2026-04-28T18:21:27Z
Network: openweb
Published URL: https://breached.st/threads/database-smk-negeri-3-kota-tangerang-selatan.86429/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: SMK Negeri 3 Kota Tangerang Selatan
Victim Site: Unknown
- Alleged distribution of Netflix email validation tool for credential stuffing preparation
Category: Carding
Content: A threat actor operating under the alias ARON-TN has made available a console-based email validation tool targeting Netflix, shared freely on a cracking forum. The tool is designed to filter and validate large email datasets in bulk, enabling users to identify valid accounts before launching credential stuffing or account takeover attacks. The post includes a VirusTotal link and advises users to disable antivirus software to run the tool, indicating likely malicious functionality.
Date: 2026-04-28T17:55:47Z
Network: openweb
Published URL: https://demonforums.net/Thread-Netflix-Email-Valid-Checker-by-ARON-TN
Screenshots:
None
Threat Actors: Starip
Victim Country: Unknown
Victim Industry: Entertainment / Streaming
Victim Organization: Netflix
Victim Site: netflix.com
- Alleged leak of gaming-related credential combolist containing 4.7 million records
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a gaming-themed combolist containing approximately 4.7 million credential pairs via Telegram channels. The content is being made available for free through two Telegram groups, with the actor also promoting additional free programs. The specific gaming platforms or organizations from which the credentials originated are not identified in the post.
Date: 2026-04-28T17:55:19Z
Network: openweb
Published URL: https://crackingx.com/threads/73561/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown
- Alleged distribution of Dork Searcher tool for bulk search query automation
Category: Initial Access
Content: A threat actor operating under the alias Mr Nexer has made available a console-based dork search tool via a cracking forum. The utility automates the loading and execution of bulk Google dork query lists from .txt files, enabling fast enumeration of potentially vulnerable or exposed targets. The tool is lightweight, requires minimal setup, and is designed for scraping and bulk search workflows, with antivirus evasion noted in the disclaimer.
Date: 2026-04-28T17:55:12Z
Network: openweb
Published URL: https://demonforums.net/Thread-Dork-Searcher-by-Mr-Nexer
Screenshots:
None
Threat Actors: Starip
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential combolist targeting USA, UK, Poland, Italy, and Germany
Category: Combo List
Content: A threat actor using the handle karaokecloud has shared a combolist containing 3,840 email and password combinations on the cracking forum CrackingX. The credentials are described as verified (good) mail access combos sourced from users across the United States, United Kingdom, Poland, Italy, and Germany. The combolist is being made available as a free download.
Date: 2026-04-28T17:54:57Z
Network: openweb
Published URL: https://crackingx.com/threads/73562/
Screenshots:
None
Threat Actors: karaokecloud
Victim Country: Multiple
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of corporate email combolist with 12 million credentials
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist claimed to contain 12 million corporate email credentials. The content is accessible via registration or sign-in on the forum, and the actor also promotes free combolists and tools through Telegram channels. No specific victim organization or country has been identified.
Date: 2026-04-28T17:54:38Z
Network: openweb
Published URL: https://crackingx.com/threads/73563/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of live.com mixed credential combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has shared a mixed combolist targeting live.com accounts, comprising approximately 2,066 lines of credentials. The combolist was made available as a free download via a Mega file-sharing link on the cracking forum CrackingX. The post is dated April 28, 2026, and the content is gated behind a reaction requirement.
Date: 2026-04-28T17:54:20Z
Network: openweb
Published URL: https://crackingx.com/threads/73564/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: live.com
- Alleged sale of Yahoo-targeted credential combolist containing 138,000 records
Category: Combo List
Content: A threat actor operating under the alias alex12 is selling a Yahoo-targeted combolist containing approximately 138,000 email and password credential pairs on the crackingx.com forum. The seller also claims to offer combolists targeting additional email providers including AOL, Hotmail, and Outlook, as well as region-specific lists for multiple countries. Contact is facilitated via Telegram handle @KOCsupport.
Date: 2026-04-28T17:54:03Z
Network: openweb
Published URL: https://crackingx.com/threads/73565/
Screenshots:
None
Threat Actors: alex12
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com
- Alleged RCE Vulnerability Disclosure in AI-Powered Code Generation Endpoints (CVE-2026-4137)
Category: Initial Access
Content: A technical analysis post on a cybercrime forum details CVE-2026-4137, a remote code execution vulnerability affecting AI/ML code generation endpoints in web applications. The post describes an attack chain involving prompt injection, sandbox evasion, and arbitrary code execution by bypassing input validation in AI-assisted coding tools. Multiple exploitation techniques are shared including direct command injection, context escape, multi-step bypass, and template injection payloads targeting vul
Date: 2026-04-28T17:47:03Z
Network: openweb
Published URL: https://tier1.life/thread/187
Screenshots:
None
Threat Actors: hyflock
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of Yellow Stealer malware with credential and data harvesting capabilities
Category: Initial Access
Content: A threat actor operating under the alias Polaris Web is selling a C/C++ x64 information stealer dubbed Yellow Stealer on HackForums. The malware features extensive data exfiltration capabilities including browser credential and cookie theft, Discord and Telegram session harvesting, cryptocurrency wallet extraction (150+ wallets), gaming platform credential theft, messaging app session hijacking, and screenshot capture, with anti-analysis obfuscation and UAC bypass functionality. The stealer
Date: 2026-04-28T17:42:17Z
Network: openweb
Published URL: https://hackforums.net/showthread.php?tid=6324545
Screenshots:
None
Threat Actors: Polaris Web
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- SMS Gateway Service Advertisement – High-Quality Routes Across Europe
Category: Phishing
Content: User Vddstxwwo is advertising SMS gateway sender services offering fast and reliable SMS delivery across multiple European countries, including France, Spain, Italy, Malta, Sweden, Austria, Denmark, Luxembourg, Germany, Greece, Norway, Croatia, Poland, Romania, Belgium, Netherlands, UK, Portugal, Finland, Switzerland, and Ireland. The service claims instant delivery and incredible rates, with a free test available.
Date: 2026-04-28T17:42:07Z
Network: telegram
Published URL: https://t.me/YoungJNCrossBulksms0285/13
Screenshots:
None
Threat Actors: Young Global Bulk sms
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of RealT Blockchain Real Estate Platform
Category: Data Breach
Content: A threat actor known as lowiq has shared a database dump allegedly obtained from RealT (realt.co), a blockchain-based real estate investment platform. The exposed data, dated April 18, 2026, contains approximately 61,738 records including user IDs, names, email addresses, phone numbers, bank account numbers, account types, user roles, and Plaid-linked financial account details. The breach appears to expose both individual investors and internal staff accounts, including attorneys, managers, an
Date: 2026-04-28T17:37:19Z
Network: openweb
Published URL: https://breached.st/threads/realt-61-7k.86427/unread
Screenshots:
None
Threat Actors: lowiq
Victim Country: United States
Victim Industry: Financial Technology (FinTech) / Cryptocurrency
Victim Organization: RealT
Victim Site: realt.co
- Alleged leak of Gmail credentials combolist targeting European users
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist of approximately 41,069 Gmail credentials on the cracking forum CrackingX. The combolist is described as targeting European users and was shared via a Mega.co.nz download link. The post does not mention a price, indicating this is a free distribution of the credential list.
Date: 2026-04-28T17:09:55Z
Network: openweb
Published URL: https://crackingx.com/threads/73555/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor on DemonForums shared an alleged combolist containing 20,805 Hotmail email and password combinations. The content is hidden behind a registration or login requirement, suggesting it is being made available to forum members for free. No further details about the origin or collection method of the credentials are provided.
Date: 2026-04-28T17:09:48Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-20805x-HOTMAIL
Screenshots:
None
Threat Actors: NotSellerXd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias COYYYTOOOO has freely shared a combolist of approximately 2,000 alleged valid Hotmail email and password combinations on a cybercriminal forum. The credential list was made available via an external paste site link. The validity of the credentials has not been independently verified.
Date: 2026-04-28T17:09:05Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-2K-VALID-HOTMAIL
Screenshots:
None
Threat Actors: COYYYTOOOO
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of gaming and casino credential combolist targeting Germany
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist of approximately 879,005 lines targeting gaming and casino platforms in Germany. The credential list was shared via a Mega.nz file link on the cracking forum CrackingX. The post does not specify a particular organization, suggesting the combolist may aggregate credentials from multiple gaming and casino services.
Date: 2026-04-28T17:08:54Z
Network: openweb
Published URL: https://crackingx.com/threads/73557/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Gaming and Gambling
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email credential combolist including Hotmail accounts
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 5,445 mixed email credentials on DemonForums, claiming the entries are premium and valid. The dataset reportedly includes Hotmail accounts alongside other mail providers, described as private cloud hits. The actor promotes their Telegram handle alphaaxd and the content is gated behind forum registration or login.
Date: 2026-04-28T17:08:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-5445x-PREMIUM-MIX-MAIL-HITS%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email credentials including Hotmail
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 5,445 mixed email credentials, including verified Hotmail hits, described as premium and sourced from a private cloud. The list is offered as a free download via the cracking forum CrackingX. The actor can also be contacted via Telegram at alphaaxd.
Date: 2026-04-28T17:08:12Z
Network: openweb
Published URL: https://crackingx.com/threads/73558/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Facebook 533 Million User Records (2021 Scrape)
Category: Data Leak
Content: A threat actor on the AE forum has made available a structured database dump containing approximately 533 million Facebook user records allegedly scraped in 2021. The dataset includes fields such as mobile number, user ID, full name, gender, location, relationship status, workplace, email address, and birth date. The post does not claim ownership of the files and directs users to HaveIBeenPwned to verify exposure; no passwords are included in the dataset.
Date: 2026-04-28T17:03:13Z
Network: openweb
Published URL: https://altenens.is/threads/smiling-face-with-heart-eyessee-no-evil-monkey-facebook-533m-records-leak-2021-scrape-see-no-evil-monkeysmiling-face-with-heart-eyes.2931104/unread
Screenshots:
None
Threat Actors: ROCK01
Victim Country: United States
Victim Industry: Social Media / Technology
Victim Organization: Facebook
Victim Site: facebook.com
- Alleged Data Leak of fw-wizard.com Database Dump
Category: Data Leak
Content: A threat actor known as pressplay22 has made available a full database dump allegedly sourced from fw-wizard.com on the Breached forum. The post offers a free download of the data. The victim organization's country and industry sector have not been confirmed.
Date: 2026-04-28T16:55:44Z
Network: openweb
Published URL: https://breached.st/threads/db-fw-wizard-com-com-full-dump-game.86426/unread
Screenshots:
None
Threat Actors: pressplay22
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: FW Wizard
Victim Site: fw-wizard.com
- Alleged sale of RDP access and compromised email accounts
Category: Initial Access
Content: A threat actor is offering rental of RDP access to cloud platforms (Azure, AWS, DigitalOcean) at $200, along with compromised domain email accounts, Gmail and Yahoo accounts, and GitHub student accounts. The services are advertised for inbox operations, with an escrow payment option.
Date: 2026-04-28T16:36:30Z
Network: telegram
Published URL: https://t.me/c/2613583520/71556
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged website defacement by Mr.PIMZZZXploit
Category: Defacement
Content: Threat actor Mr.PIMZZZXploit claims responsibility for defacing multiple websites, including performancemanagementsystem.net and associated domains. A defacement message was posted with a list of compromised URLs across multiple hosting providers.
Date: 2026-04-28T16:28:39Z
Network: telegram
Published URL: https://t.me/c/3865526389/660
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: performancemanagementsystem.net
- Alleged leak of mixed forum credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist containing 100,000 mixed credentials described as valid for forum accounts. The post was made on the cracking forum CrackingX under the Combolists & Dumps section. Full content of the post is restricted to registered members, limiting further detail on the origin or specific targets of the credential list.
Date: 2026-04-28T16:28:35Z
Network: openweb
Published URL: https://crackingx.com/threads/73546/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Mixed Outlook credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a mixed-target Outlook combolist containing approximately 9 million credential pairs via Telegram channels. The combolist is being made available for free through two Telegram groups. Users are directed to contact the actor via Telegram handle CODER5544 or join the group channels to obtain the credential list.
Date: 2026-04-28T16:28:11Z
Network: openweb
Published URL: https://crackingx.com/threads/73547/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Microsoft Outlook
Victim Site: outlook.com
- Alleged leak of mixed email credential lists via PandaCloud Telegram channel
Category: Combo List
Content: A threat actor operating under the alias Kokos2846q is distributing free mixed email combolists via a Telegram channel (PandaCloud04) and a file-sharing link. The actor claims the lists are fully valid and updated daily, and also advertises private, unused credential lists available for purchase. No specific victim organization or record count has been identified.
Date: 2026-04-28T16:27:42Z
Network: openweb
Published URL: https://crackingx.com/threads/73548/
Screenshots:
None
Threat Actors: Kokos2846q
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias alphaxdd has made available a combolist of 1,455 alleged valid Hotmail credentials described as premium hits on a cybercriminal forum. The post indicates the content is hidden behind a registration or login requirement and references a Telegram contact for further distribution. The combolist is described as sourced from a private cloud with mixed email formats.
Date: 2026-04-28T16:27:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-1455x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F–202082
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as alphaxdd has made available a combolist containing 1,455 alleged valid Hotmail credentials on a cracking forum. The post claims the credentials are premium hits with access to private cloud storage. The actor also promotes a Telegram contact for further engagement.
Date: 2026-04-28T16:27:07Z
Network: openweb
Published URL: https://crackingx.com/threads/73549/
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor known as wingoooW has freely shared a mixed combolist containing approximately 20,000 email and password combinations on DemonForums. The combolist is described as high quality and is available for free download via an external paste site. No specific victim organization or country has been identified, suggesting the credentials originate from multiple sources.
Date: 2026-04-28T16:26:41Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-20K-HQ-MIXED-MAIL
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias KiwiShio has made available a combolist containing 720 alleged Hotmail credentials on the cracking forum CrackingX. The post offers a free download of what is described as fresh, high-quality email and password combinations targeting Hotmail accounts. No additional victim details or data fields beyond credentials were specified.
Date: 2026-04-28T16:26:37Z
Network: openweb
Published URL: https://crackingx.com/threads/73550/
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email credential combolist
Category: Combo List
Content: A threat actor known as klyne05 has made available a mixed email combolist on the cracking forum CrackingX, described as private and freshly verified. The post offers a free download of the credential list, which reportedly contains checked email and password combinations from various providers. No specific victim organization or record count was disclosed.
Date: 2026-04-28T16:26:21Z
Network: openweb
Published URL: https://crackingx.com/threads/73551/
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Bulletproof Hosting Service Advertised on Cybercrime Forum by BitHosting
Category: Initial Access
Content: A threat actor operating as BitHosting is advertising VPS hosting services on the cybercrime forum CrackingX, offering plans ranging from $5 to $155 per month with servers located in the Netherlands, Germany, and the United States. The service accepts cryptocurrency alongside traditional payment methods, features full root access, and provides 2 Gbps shared bandwidth, characteristics commonly associated with bulletproof hosting used to support malicious infrastructure. The advertisement target
Date: 2026-04-28T16:26:13Z
Network: openweb
Published URL: https://crackingx.com/threads/73545/
Screenshots:
None
Threat Actors: BitHosting
Victim Country: Unknown
Victim Industry: Cybercrime Infrastructure
Victim Organization: Unknown
Victim Site: bit.hosting
- Alleged leak of Mystic Stealer logs targeting India-based Windows users
Category: Data Leak
Content: A threat actor known as HighWayToShell has made available 250 stealer logs collected via Mystic Stealer from India-based victims running Windows 10 Home (22H2). The logs contain credentials, cookies, and crypto wallet data harvested from Chrome 122.x browsers. The data is being distributed for free via a password-protected archive on a cybercrime forum.
Date: 2026-04-28T16:22:30Z
Network: openweb
Published URL: https://xforums.st/threads/ulp-mystic-stealer-250-logs-in-windows-10-home.611858/
Screenshots:
None
Threat Actors: HighWayToShell
Victim Country: India
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of European stealer logs and credentials
Category: Data Leak
Content: A threat actor on the Breached forum has made available a collection of approximately 3,000 allegedly valid stealer logs targeting European victims. The post, authored by pressplay22, includes a link to download the logs, which likely contain harvested credentials and related data. No specific organizations or industries have been identified as victims.
Date: 2026-04-28T16:13:48Z
Network: openweb
Published URL: https://breached.st/threads/fire-x-3000-valid-full-europe-fire.86424/unread
Screenshots:
None
Threat Actors: pressplay22
Victim Country: Europe
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of Indonesian National Police (Polri) Personnel Records
Category: Data Leak
Content: A threat actor identified as MrLucxy claims to have hacked polri.go.id approximately one year ago and has made available a database containing 417,000 records of Indonesian National Police personnel. The leaked data reportedly includes officer IDs, NRP numbers, ranks, full names, positions, addresses, phone numbers, and employment status. The dataset spans multiple police units including Criminal Investigation, Community Development, and various sector offices, with personnel ranging from active
Date: 2026-04-28T16:12:20Z
Network: openweb
Published URL: https://breached.st/threads/data-polri-go-id.86421/unread
Screenshots:
None
Threat Actors: MrLucxy
Victim Country: Indonesia
Victim Industry: Government – Law Enforcement
Victim Organization: Indonesian National Police (Polri)
Victim Site: polri.go.id
- Alleged Data Breach of Bengkalis Regency Government Website
Category: Data Breach
Content: A threat actor known as Mr. Hanz Xploit has allegedly posted a database associated with the Bengkalis Regency Government of Indonesia on the Breached forum. No further details regarding the content, size, or nature of the data are available from the post.
Date: 2026-04-28T16:11:46Z
Network: openweb
Published URL: https://breached.st/threads/database-pemerintah-kabupaten-bengkalis-go-id.86422/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Bengkalis Regency Government
Victim Site: bengkalis.go.id
- Alleged Data Breach of car.insurance.net Exposing 10 Million US Car Insurance Records
Category: Data Breach
Content: A threat actor known as MDGhost (also identified as The BlackH4t MD-Ghost) has made available an alleged database containing 10 million US car insurance records from car.insurance.net. The dataset is in XLSX format and includes sensitive personal and vehicle information such as names, addresses, phone numbers, VINs, gender, car details, and claim amounts. The actor provided a Telegram contact for further communication, suggesting potential sale or distribution of the data.
Date: 2026-04-28T16:11:12Z
Network: openweb
Published URL: https://breached.st/threads/10-million-database-car-insurance-net-usa-car-insurance-usa.86423/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: United States
Victim Industry: Insurance
Victim Organization: car.insurance.net
Victim Site: car.insurance.net
- Alleged Data Leak of mkri.id Database
Category: Data Leak
Content: A threat actor known as Mr. Hanz Xploit has allegedly leaked a database associated with mkri.id, the official website of the Constitutional Court of the Republic of Indonesia (Mahkamah Konstitusi). The post was shared on the Breached forum under the databases section, though no additional details regarding the contents or record count are available. The nature and scope of the exposed data remain unverified.
Date: 2026-04-28T16:10:39Z
Network: openweb
Published URL: https://breached.st/threads/leak-database-mkri-id.86425/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Mahkamah Konstitusi Republik Indonesia
Victim Site: mkri.id
- Alleged defacement of vvnputki.com by Mr.PIMZZZXploit
Category: Defacement
Content: Website defacement claimed by threat actor Mr.PIMZZZXploit. Defacement message posted with site URL https://vvnputki.com and hacker signature.
Date: 2026-04-28T16:09:13Z
Network: telegram
Published URL: https://t.me/c/3865526389/658
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: vvnputki.com
Victim Site: vvnputki.com
- Alleged Data Breach of RENAP and SAT Guatemala Government Databases with Ransom Demand
Category: Data Breach
Content: Threat actor GordonFreeman, operating in coordination with group Team L4TAMFUCKERS, claims to have breached Guatemala's RENAP civil registry system obtaining 18 million records including birth, marriage, and death certificates, and the SAT tax authority acquiring 5.6 million vehicle records containing detailed ownership, tax, and vehicle identification data. The actor is demanding 2 BTC in ransom, threatening to publicly sell the entire dataset and launch sustained cyberattacks against Guatemala
Date: 2026-04-28T16:03:55Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Full-RENAP-DB-18M-Records-and-SAT-5-6M-Vehicles-GUATEMALA-2026
Screenshots:
None
Threat Actors: GordonFreeman
Victim Country: Guatemala
Victim Industry: Government
Victim Organization: RENAP (Registro Nacional de las Personas) and SAT (Superintendencia de Administración Tributaria)
Victim Site: Unknown
- Alleged leak of mixed fresh combolist with 1,457 credentials
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a combolist of 1,457 mixed fresh credentials via a paste sharing site and a Telegram channel. The post promotes a paid cloud service offering private access to additional credential lists, with subscription tiers ranging from $3 for 24 hours to $120 for lifetime access. Payments are handled through a dedicated Telegram bot, suggesting an ongoing credential distribution operation.
Date: 2026-04-28T15:44:32Z
Network: openweb
Published URL: https://crackingx.com/threads/73539/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential combolist containing 55,112 lines
Category: Combo List
Content: A threat actor operating under the alias Browzchel has made available a mixed combolist containing 55,112 lines on the cracking forum CrackingX. The combolist appears to be a compilation of credentials from various sources. The actor promotes distribution via a Telegram channel and personal handle @BossBrowz.
Date: 2026-04-28T15:43:46Z
Network: openweb
Published URL: https://crackingx.com/threads/73540/
Screenshots:
None
Threat Actors: Browzchel
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email access combolist with 31,000 credentials
Category: Combo List
Content: A threat actor known as MarkVesto has shared a mixed mail access combolist containing approximately 31,000 credential pairs on the CrackingX forum. The content appears to be freely distributed to registered users of the forum. The actor also promotes a Telegram channel (t.me/DuffyDataCloud) likely used to distribute similar combolists.
Date: 2026-04-28T15:43:11Z
Network: openweb
Published URL: https://crackingx.com/threads/73541/
Screenshots:
None
Threat Actors: MarkVesto
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias noir on the cracking forum CrackingX has made available a combolist containing 1,666 claimed valid credentials, including Hotmail accounts and a mixed set of private cloud service logins. The content is offered as a free download and the actor promotes their Telegram channel (@noiraccesss) for further contact.
Date: 2026-04-28T15:42:34Z
Network: openweb
Published URL: https://crackingx.com/threads/73542/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has made available a combolist purportedly containing 5,000 unique Hotmail credentials on the cracking forum CX. The post is gated behind registration or sign-in, limiting full visibility into the content. The combolist likely contains email and password pairs associated with Hotmail accounts.
Date: 2026-04-28T15:42:00Z
Network: openweb
Published URL: https://crackingx.com/threads/73543/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of live.com credentials targeting European users
Category: Combo List
Content: A threat actor operating under the alias BestCombo has shared a combolist of approximately 2,058 live.com credential pairs via a Mega file-sharing link on the CrackingX forum. The combolist is described as a European mix and is dated April 28, 2026. The credentials are made available as a free download behind a reaction gate.
Date: 2026-04-28T15:41:21Z
Network: openweb
Published URL: https://crackingx.com/threads/73544/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: live.com
- Alleged Data Leak of SMKN 5 Batam Educational Institution Database
Category: Data Leak
Content: A threat actor operating under the alias Mr. Hanz Xploit claims to have leaked a database belonging to SMKN 5 Batam, a vocational high school located in Batam, Indonesia. The post was shared on the Breached forum under the databases section. No further details regarding the contents, record count, or nature of the data are available from the post.
Date: 2026-04-28T15:28:05Z
Network: openweb
Published URL: https://breached.st/threads/leak-database-smkn-5-batam.86420/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: SMKN 5 Batam
Victim Site: Unknown
- Alleged defacement of multiple websites by OpsShadowStrike
Category: Defacement
Content: OpsShadowStrike claims to have defaced multiple websites across eiumis.com, cibrmls.com, corrierentals.com, decaturrealtors.com, normauctions.com, and ajbrowns.com domains. The group lists collaboration with multiple other hacktivist groups (TengkorakCyberCrew, MalaysiaHacktivist, EagleCyberCrew, and others) and cites political/activist motivations related to Palestine and Iran. Over 30 compromised URLs are provided as evidence.
Date: 2026-04-28T15:23:39Z
Network: telegram
Published URL: https://t.me/c/3844432135/409
Screenshots:
None
Threat Actors: OpsShadowStrike
Victim Country: United States
Victim Industry: Real estate, property management, auctions
Victim Organization: Multiple organizations (eiumis.com, cibrmls.com, corrierentals.com, decaturrealtors.com, normauctions.com, ajbrowns.com)
Victim Site: eiumis.com, cibrmls.com, corrierentals.com, decaturrealtors.com, normauctions.com, ajbrowns.com
- Alleged leak of social media combolist with 11 million credentials
Category: Combo List
Content: A threat actor known as CODER is distributing a social media combolist containing approximately 11 million credential pairs via Telegram channels. The combolist is being made available for free through two Telegram groups, with the actor also offering additional combos via direct Telegram contact. No specific victim organization or platform has been identified.
Date: 2026-04-28T15:00:33Z
Network: openweb
Published URL: https://crackingx.com/threads/73532/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Social Media
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed credential combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has freely shared a mixed combolist containing approximately 20,975 lines of credentials on the cracking forum CrackingX. The combolist, dated April 28, 2026, is described as fresh and good quality. The file is hosted on Mega.co.nz and made available via a hidden reaction link.
Date: 2026-04-28T15:00:09Z
Network: openweb
Published URL: https://crackingx.com/threads/73533/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 10 million credential combos from stealer logs
Category: Combo List
Content: A threat actor operating under the alias mr_daadaa has made available a combolist containing approximately 10 million URL:login:password (ULP) credentials via a public file-sharing link on MediaFire. The data is attributed to DADAZONE V2 stealer logs and is claimed to be fresh as of April 28, 2026. No specific victim organization or country has been identified, as stealer logs typically aggregate credentials from multiple sources.
Date: 2026-04-28T14:59:50Z
Network: openweb
Published URL: https://crackingx.com/threads/73534/
Screenshots:
None
Threat Actors: mr_daadaa
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Yahoo credential combolist
Category: Combo List
Content: A threat actor operating under the handle HQcomboSpace has made available a combolist purportedly containing 1,141,000 lines of Yahoo credentials on the cracking forum CrackingX. The file is hosted on Mega.nz and is offered as a free download. The post is labeled as Good Leaks Yahoo 2026, suggesting the credentials may be currently valid.
Date: 2026-04-28T14:59:35Z
Network: openweb
Published URL: https://crackingx.com/threads/73536/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: United States
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.com
- Alleged leak of mixed email:password combolist (X2007 HQ Mix)
Category: Combo List
Content: A threat actor operating under the alias @Steveee36 has shared a combolist titled X2007 HQ Mix on the DemonForums cybercrime forum. The post contains hidden content requiring registration or login to access, suggesting the credential list is being freely distributed to forum members. The combolist likely contains email and password combinations, though the specific sources and targets remain unknown.
Date: 2026-04-28T14:59:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2007-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Steveee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 12 million gaming-related credentials via combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist containing approximately 12 million credential pairs targeting the gaming sector. The content is distributed freely via Telegram channels and groups associated with the actor. The post requires forum registration to access the download, with additional contact provided via Telegram handle CODER5544.
Date: 2026-04-28T14:59:13Z
Network: openweb
Published URL: https://crackingx.com/threads/73537/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias HollowKnight has made available a sample combolist containing approximately 1,750 Hotmail email and password credential pairs on the DemonForums cybercrime forum. The post is gated behind registration or login, suggesting it may serve as a promotional sample for a larger dataset. No price or payment terms are mentioned, indicating the sample is being freely distributed.
Date: 2026-04-28T14:59:00Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-1750x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: HollowKnight
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias HollowKnight07 has made available a sample combolist containing approximately 1,750 Hotmail credentials on a cracking forum. The post offers a free download of the credential list, which likely consists of email and password combinations. This appears to be a sample release, potentially used to advertise a larger dataset.
Date: 2026-04-28T14:58:56Z
Network: openweb
Published URL: https://crackingx.com/threads/73538/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged sale of WhatsApp phishing panel and session hijacking toolkit
Category: Initial Access
Content: A threat actor is selling a WhatsApp phishing toolkit for $300, consisting of a phishing panel with source code and accompanying software designed to hijack WhatsApp sessions. The panel facilitates credential and session theft, while the bundled software enables automated WhatsApp message sending using the harvested sessions. The sale includes full source code of the phishing panel, enabling buyers to deploy and modify the infrastructure independently.
Date: 2026-04-28T14:47:08Z
Network: openweb
Published URL: https://breached.st/threads/whatsapp-phishing-panel-soft.86419/unread
Screenshots:
None
Threat Actors: 3ryblya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: whatsapp.com
- Alleged Data Leak of Israeli Business and Personal Contact Database
Category: Data Leak
Content: A threat actor operating under the alias JAX7 has made available a structured database containing Israeli business and personal contact information via a free MediaFire download. The dataset includes names, email addresses, phone/WhatsApp numbers, company names, full addresses, fax numbers, and web URLs spanning multiple industries including real estate, restaurants, and education. The data appears to cover thousands of records across various business and personal categories within Israel.
Date: 2026-04-28T14:46:17Z
Network: openweb
Published URL: https://breached.st/threads/database-contacts-israel-email-phone.86418/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Israel
Victim Industry: Multiple Sectors
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared a combolist of approximately 5,000 Hotmail email and password combinations on a cybercrime forum. The content is hidden behind a registration or login requirement, suggesting it is available to forum members. The actor also promotes a shop (unique-combo.shop) offering combolists for various countries and custom requests.
Date: 2026-04-28T14:19:23Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-Hotmail-Unique-Combo-4-5000–202069
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of 23,000 valid email access credentials
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has shared a list of 23,000 allegedly valid email access credentials. The content is available to registered users of the forum. No specific victim organization, country, or email provider has been identified from the available post metadata.
Date: 2026-04-28T14:19:18Z
Network: openweb
Published URL: https://crackingx.com/threads/73526/
Screenshots:
None
Threat Actors: TRLCD2
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Defacement of Manavelex by m4ul1337 (BABAYO ERROR SYSTEM)
Category: Defacement
Content: On April 28, 2026, threat actor m4ul1337, affiliated with the group BABAYO ERROR SYSTEM, defaced a page on manavelex.com. The attack targeted a specific subpage (jm.html) rather than the site's homepage, indicating a targeted single-page defacement. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-04-28T14:19:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915606
Screenshots:
None
Threat Actors: m4ul1337, BABAYO ERROR SYSTEM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Manavelex
Victim Site: manavelex.com
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared an alleged combolist containing approximately 5,000 Hotmail credentials on a cracking forum. The post is behind a registration wall, limiting full visibility into the content. The list appears to consist of unique email and password combinations targeting Hotmail accounts.
Date: 2026-04-28T14:19:02Z
Network: openweb
Published URL: https://crackingx.com/threads/73527/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email credentials combolist
Category: Combo List
Content: A threat actor known as StrawHatBase has shared a combolist containing approximately 26,000 mixed email address and password credential pairs on a cybercrime forum. The content is hidden behind registration or login, suggesting it is available to forum members at no monetary cost. The credentials appear to span multiple mail providers, though specific targeted organizations or countries are not identified.
Date: 2026-04-28T14:18:52Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-26K-GOOD-MIXED-MAIL-ACCESS
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed email access credentials (26,000 records)
Category: Combo List
Content: A threat actor operating under the alias FAITHINUS shared a combolist of approximately 26,000 mixed email access credentials on a cracking forum. The post is gated behind registration, limiting full visibility into the data's origin or targeted mail providers. The credentials are described as good and mixed, suggesting they span multiple email services and have been verified for validity.
Date: 2026-04-28T14:18:41Z
Network: openweb
Published URL: https://crackingx.com/threads/73528/
Screenshots:
None
Threat Actors: FAITHINUS
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of WordPress credentials combolist
Category: Combo List
Content: A threat actor operating under the alias zod has shared what is claimed to be a WordPress credentials combolist on the crackingx.com forum. The content is gated behind registration or sign-in, with the password and additional details distributed via a Telegram channel. No specific victim organization, record count, or data volume has been disclosed.
Date: 2026-04-28T14:18:22Z
Network: openweb
Published URL: https://crackingx.com/threads/73529/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged data breach of Indonesian Police Personnel Database
Category: Data Breach
Content: A user (JAX7) posted on Breachforums claiming access to an Indonesian Police Personnel Database. The breach appears to include sensitive personnel records from Indonesian law enforcement.
Date: 2026-04-28T14:18:15Z
Network: telegram
Published URL: https://t.me/byjax7/177
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government/Law Enforcement
Victim Organization: Indonesian National Police
Victim Site: Unknown
- Alleged leak of mixed email access combolist (57K credentials)
Category: Data Leak
Content: A threat actor operating under the alias Megacloud has made available a mixed email access combolist containing approximately 57,000 allegedly valid credentials. The 1.93 MB file is hosted on MEGA and was shared freely on the AE – Combo List forum. The combolist appears to aggregate credentials from multiple email providers, with no specific targeted organization or country identified.
Date: 2026-04-28T14:11:50Z
Network: openweb
Published URL: https://altenens.is/threads/57k-full-valid-mail-access-mix-28-04.2931062/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of Forex and Crypto FTD Depositor Leads Including Personal and Financial Data
Category: Data Breach
Content: A threat actor on BreachForums is selling structured lead databases containing personally identifiable and financial information of individuals who have made first-time deposits on Forex and cryptocurrency trading platforms. The sample data includes full names, email addresses, phone numbers, geographic location, deposit dates, deposit amounts, broker names, and traffic source details for victims across multiple countries including Mexico, the United Kingdom, South Africa, Australia, Canada, and
Date: 2026-04-28T14:11:04Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Forex-Crypto-FTD-Depositors-Recovery-leads–187859
Screenshots:
None
Threat Actors: aisdata
Victim Country: Multiple
Victim Industry: Financial Services / Cryptocurrency Trading
Victim Organization: Multiple (BitiCodes, FXMundo, XproMarkets, QuantumAI, and others)
Victim Site: Unknown
- Alleged Sale of Large Volume Email Database from Multiple Sources
Category: Data Breach
Content: A threat actor operating under the alias aisdata is allegedly selling a large volume of email databases sourced from multiple origins on BreachForums. The post lacks specific details regarding the targeted organizations, countries, or record counts. The nature and origin of the data remain unverified due to limited post content.
Date: 2026-04-28T14:07:18Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Large-volume-of-email-database-with-these-source
Screenshots:
None
Threat Actors: aisdata
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of Ledger Hardware Wallet Customer Records – Australia
Category: Data Breach
Content: A threat actor operating under the alias aisdata is selling an alleged database of Australian Ledger hardware wallet customers on BreachForums. The dataset includes full names, phone numbers, order IDs, product types, purchase amounts, and email addresses. The actor provides contact details via Telegram and Skype for purchase inquiries.
Date: 2026-04-28T14:05:56Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-2026-Ledger-hardware-wallet-customer-leak-Australia
Screenshots:
None
Threat Actors: aisdata
Victim Country: Australia
Victim Industry: Cryptocurrency / Financial Technology
Victim Organization: Ledger
Victim Site: ledger.com
- Alleged Data Leak of Polymarket.com API Dump Including User PII and Market Data
Category: Data Leak
Content: A threat actor known as xorcat claims to have extracted over 10 million records from Polymarket.com by exploiting multiple vulnerabilities including unauthenticated API endpoints, a CORS misconfiguration, CVE-2025-62718 (Axios SSRF), and CVE-2024-51479 (Next.js auth bypass). The leaked data allegedly includes full user PII for approximately 10,000 unique profiles, ETH wallet addresses, market metadata, social graph data, and admin indicators, totaling approximately 1GB. The actor has made dump
Date: 2026-04-28T13:55:40Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Polymarket-com-FULL-API-BREACH-10M-Records-300k-Real-Identities-Admin-2026-04
Screenshots:
None
Threat Actors: xorcat
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Polymarket
Victim Site: polymarket.com
- Alleged sale of attack tools by xorcat targeting Polymarket infrastructure
Category: Malware
Content: Threat actor xorcat is selling specialized attack tools including CORS, SSRF, Next.js bypass, and WebSocket attack capabilities. These tools are being actively exploited against Polymarket's infrastructure, specifically targeting a synchronization flaw between the Polymarket API and blockchain to launch DoS attacks against liquidity providers. Reported attack costs are under $0.10 with potential profits of $16,427 per successful account compromise.
Date: 2026-04-28T13:53:49Z
Network: telegram
Published URL: https://t.me/c/3793980891/3106
Screenshots:
None
Threat Actors: xorcat
Victim Country: Unknown
Victim Industry: Cryptocurrency/DeFi
Victim Organization: Polymarket
Victim Site: polymarket.com
- Alleged vulnerability in Magic Labs login service enabling unauthorized account access and fund theft
Category: Vulnerability
Content: A vulnerability in Magic Labs login service allows attackers to intercept user authentication tokens and gain unauthorized account access. Reported cases include unauthorized fund withdrawals despite standard security procedures. Users have reported receiving login alerts followed by unauthorized withdrawal activity.
Date: 2026-04-28T13:51:36Z
Network: telegram
Published URL: https://t.me/c/3793980891/3102
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Financial/Cryptocurrency
Victim Organization: Magic Labs
Victim Site: Unknown
- Alleged Data Leak of Talentely Student Database
Category: Data Leak
Content: A threat actor operating under the alias Spirigatito has leaked a database allegedly belonging to Talentely, a career-focused EdTech platform under Veranda Learning Solutions. The leak contains records for approximately 514,412 students and 35,565 profile pictures, including fields such as full name, email address, phone number, institution, roll number, degree details, skills, course enrollment data, and profile images. The data has been made available for free download on a cybercrime forum,
Date: 2026-04-28T13:41:13Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Talentely-Database-Pajeet-Edition-Leaked-Download
Screenshots:
None
Threat Actors: Spirigatito
Victim Country: India
Victim Industry: Education / EdTech
Victim Organization: Talentely
Victim Site: talentely.com
- Alleged leak of mixed UHQ combolist with 1,457 credentials
Category: Combo List
Content: A threat actor known as snowstormxd has made available a mixed UHQ (Ultra High Quality) combolist containing 1,457 credential entries via a free download link on Pasteview and a Telegram channel. The post also advertises a paid private cloud service starting at $3 for 24 hours, with a built-in inboxer tool, suggesting the credentials may be intended for account takeover use. No specific victim organization or country has been identified, indicating the combolist is likely aggregated from multi
Date: 2026-04-28T13:35:00Z
Network: openweb
Published URL: https://crackingx.com/threads/73520/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of mixed combolist targeting Twitter, Fortnite, Etsy and other platforms
Category: Combo List
Content: A threat actor using the handle CODER has made available a mixed combolist of approximately 13 million credential pairs, claimed to be fresh and high-quality, targeting platforms including Twitter, Fortnite, and Etsy among others. The actor is distributing the combolist via Telegram channels and directing interested parties to contact them directly. The post is hosted on the cracking forum CrackingX and requires registration to view full content.
Date: 2026-04-28T13:34:29Z
Network: openweb
Published URL: https://crackingx.com/threads/73523/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Twitter, Fortnite, Etsy
Victim Site: twitter.com, etsy.com
- Alleged leak of Outlook.com credentials combolist
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist of approximately 11,986 Outlook.com credential pairs via a Mega.nz link on the cracking forum CrackingX. The post, dated April 28, 2026, is described as fresh and containing good lines, suggesting recently verified or active credentials. The combolist is shared freely, gated only by a forum reaction requirement.
Date: 2026-04-28T13:34:04Z
Network: openweb
Published URL: https://crackingx.com/threads/73524/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: outlook.com
- Alleged sale of RDP access to cloud infrastructure and email accounts
Category: Initial Access
Content: Threat actor offering rental of RDP access to Azure, AWS, and DigitalOcean infrastructure on daily/monthly basis for $200. Also offering domain email accounts (Gmail, Yahoo), GitHub student accounts, and domain access. Claims fresh RDP with good IP reputation and escrow payment option available.
Date: 2026-04-28T13:32:12Z
Network: telegram
Published URL: https://t.me/c/2613583520/71466
Screenshots:
None
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Cloud Infrastructure / Technology
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist targeting multiple regions
Category: Data Leak
Content: A threat actor operating under the alias Larry_Uchiha has shared a Hotmail credential combolist on the AE forum, allegedly containing approximately 1,300 email and password combinations. The combolist purportedly includes accounts from users across the United States, Europe, Asia, and Russia. The content is gated behind a forum reply requirement, suggesting free access upon engagement.
Date: 2026-04-28T13:32:04Z
Network: openweb
Published URL: https://altenens.is/threads/1-300x-hotmail-access-combo-usa-europe-asia-russian.2931054/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged leak of mixed email service credentials combolist
Category: Data Leak
Content: A threat actor known as Larry_Uchiha shared a mixed email combolist on the AE forum, containing credentials for multiple email providers including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live. The combolist was made available for free to registered forum members who reply to the thread. The actual content is hidden behind a reply-gate, with additional distribution reportedly via Telegram.
Date: 2026-04-28T13:31:52Z
Network: openweb
Published URL: https://altenens.is/threads/mix-mail-combo-hotmail-outlook-aol-gmx-inbox-icloud-live-2026-4-25.2931055/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Multiple (Hotmail, Outlook, AOL, GMX, Inbox, iCloud, Live)
Victim Site: Unknown
- Alleged leak of mixed platform credential combolist including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook
Category: Data Leak
Content: A threat actor operating under the alias Larry_Uchiha has shared a mixed-platform combolist on the forum AE – Combo List, containing credentials for multiple services including Netflix, OnlyFans, ChatGPT, Xbox, Sony, Discord, and Facebook. The combolist is being made available for free to forum members who reply to the thread. The actual credential content is hidden behind a reply gate and distributed via Telegram.
Date: 2026-04-28T13:31:39Z
Network: openweb
Published URL: https://altenens.is/threads/mix-account-combo-netflix-onlyfans-chatgpt-xbox-sony-discord-facebook-2026-4-25.2931056/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Netflix, OnlyFans, OpenAI, Xbox, Sony, Discord, Facebook
Victim Site: Unknown
- Alleged Sale of Multi-Country CVV Financial Data by Threat Actor BigBoris
Category: Carding
Content: A threat actor operating under the alias BigBoris is selling stolen CVV payment card data covering multiple countries including the United States, United Kingdom, Canada, Australia, and EU nations. Card data is offered in a structured format including card number, expiration date, CVV2, cardholder name, billing address, and bank details, with prices ranging from $30 to $45 per record depending on country of origin. Payment is accepted via Bitcoin (BTC) and USDT, with contact facilitated throug
Date: 2026-04-28T13:24:05Z
Network: openweb
Published URL: https://altenens.is/threads/hello-all-buyer-my-nickname-is-bigboris-i-sell-all-cvv-all-country-us-uk-ca-au-eu-fr-mx-all-cvv-is-updated-every-day.2931049/unread
Screenshots:
None
Threat Actors: Decor
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Logs
Content: A threat actor operating under the alias D4rkNetHub has made available a combolist allegedly containing 3,253 valid Hotmail credentials on the XF forum. The post references a hosted file via D4RKNETHUB CLOUD, suggesting the credential list is being freely distributed. The origin and collection method of the credentials are unknown.
Date: 2026-04-28T13:23:33Z
Network: openweb
Published URL: https://xforums.st/threads/3-253-good-hotmail-goods-d4rknethub-cloud.611856/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged ongoing data dump of 800GB+ in JSON format
Category: Data Leak
Content: Threat actor claims to have exfiltrated over 800GB of data in JSON format with the dump still in progress. The actor suggests the victims are unaware ("fools are sleeping"), indicating an active, ongoing data theft operation.
Date: 2026-04-28T13:21:39Z
Network: telegram
Published URL: https://t.me/c/3793980891/3095
Screenshots:
None
Threat Actors: xorcat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of Universitas Gadjah Mada
Category: Data Breach
Content: A threat actor known as Mr. Hanz Xploit has posted on a cybercrime forum claiming to possess a database allegedly belonging to Universitas Gadjah Mada, one of Indonesia's largest public universities, purportedly containing 1.5 million records. No further details regarding the content of the database or the terms of access are available due to absent post content. The authenticity and full scope of the claimed breach remain unverified.
Date: 2026-04-28T13:18:14Z
Network: openweb
Published URL: https://breached.st/threads/1-5-milliond-database-universitas-gadjah-mada.86415/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Universitas Gadjah Mada
Victim Site: ugm.ac.id
- Alleged Data Leak of MPR RI Member Database
Category: Data Leak
Content: A threat actor operating under the alias Mr. Hanz Xploit has allegedly leaked a database containing information on members of the People's Consultative Assembly of Indonesia (MPR RI). The post was shared on a known cybercrime forum, though no further details regarding the data contents or record count are available. The authenticity and scope of the leak have not been independently verified.
Date: 2026-04-28T13:17:42Z
Network: openweb
Published URL: https://breached.st/threads/leak-database-anggota-mpr-ri.86416/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Majelis Permusyawaratan Rakyat Republik Indonesia (MPR RI)
Victim Site: mpr.go.id
- Alleged data leak of Polymarket – 1GB dataset
Category: Data Leak
Content: Threat actor announced the imminent release of approximately 1GB of data allegedly from Polymarket. The actor stated the data would be dropped within minutes of the message.
Date: 2026-04-28T13:15:29Z
Network: telegram
Published URL: https://t.me/c/3793980891/3092
Screenshots:
None
Threat Actors: xorcat
Victim Country: Unknown
Victim Industry: Cryptocurrency/Prediction Markets
Victim Organization: Polymarket
Victim Site: polymarket.com
- Alleged leak of ULP combolist distributed via Telegram
Category: Combo List
Content: A threat actor operating under the alias zod has shared a ULP (URL:Login:Password) combolist labeled VIP ULP 13 on the cracking forum CrackingX. The content is gated behind registration or sign-in, with the password distributed via a Telegram channel (t.me/zoooddddd). No specific victim organization or record count has been identified.
Date: 2026-04-28T12:48:31Z
Network: openweb
Published URL: https://crackingx.com/threads/73517/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Leak of Hotmail Credential Combolist Targeting European Users
Category: Combo List
Content: A threat actor operating under the alias BestCombo has made available a combolist of approximately 40,631 Hotmail credential pairs on the cracking forum CrackingX. The list is described as a European mix combo, suggesting the credentials belong to users across European regions. The combolist is being distributed for free via a Mega file-sharing link, gated behind a reaction requirement.
Date: 2026-04-28T12:47:50Z
Network: openweb
Published URL: https://crackingx.com/threads/73518/
Screenshots:
None
Threat Actors: BestCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Gmail and Shopping credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 1.6 million credential pairs via a Mega.nz link. The list is described as fresh and targets shopping platforms and Gmail accounts. The credentials were shared freely on the cracking forum CrackingX.
Date: 2026-04-28T12:47:21Z
Network: openweb
Published URL: https://crackingx.com/threads/73519/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: E-Commerce
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist with keyword targets and country sorting
Category: Combo List
Content: A threat actor operating under the alias He_Cloud has made available a combolist of approximately 700 allegedly valid Hotmail email and password credentials. The list is described as high quality, includes keyword-targeted accounts, and has been sorted by country. The credentials are being freely distributed via download links on the forum.
Date: 2026-04-28T12:46:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-700x-HQ-Hotmail-Full-Valid-Keyword-Targets-sorted-countries-28-04
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of Hotmail credential combolist
Category: Data Leak
Content: A threat actor on the AE forum has shared an alleged combolist containing 350 fresh, valid Hotmail credentials. The content is hidden behind a reply-gate, requiring forum users to respond before accessing the credential list. The combolist appears to be made available for free to forum members.
Date: 2026-04-28T12:36:23Z
Network: openweb
Published URL: https://altenens.is/threads/sparkles-350x-fresh-hotmail-valid-sparkles.2931041/unread
Screenshots:
None
Threat Actors: Sellix
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged Data Leak of Student Database from SMA Trensains Muhammadiyah Sragen
Category: Data Leak
Content: A threat actor operating under the alias JAX7 has freely distributed a JSON database dump containing personal records of students from SMA Trensains Muhammadiyah Sragen, an Islamic high school in Indonesia. The leaked data includes full names, gender, dates of birth, mothers' names, national identification numbers (NIK), student identification numbers (NISN), class/homeroom assignments, and system IDs. The database reportedly covers students across all grade levels and contains thousands of reco
Date: 2026-04-28T12:33:31Z
Network: openweb
Published URL: https://breached.st/threads/database-sma-trensains-muhammadiyah-sragen.86414/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: SMA Trensains Muhammadiyah Sragen
Victim Site: Unknown
- Alleged database breach of SMA Trensains Muhammadiyah Sragen
Category: Data Breach
Content: A database breach affecting SMA Trensains Muhammadiyah Sragen (an Indonesian secondary school) has been disclosed on Breachforums by user JAX7. The breach details and database are publicly available on the breach forum.
Date: 2026-04-28T12:20:08Z
Network: telegram
Published URL: https://t.me/byjax7/162
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: SMA Trensains Muhammadiyah Sragen
Victim Site: Unknown
- Alleged data breach of Nemea Group
Category: Data Breach
Content: A threat actor known as ChimeraZ is selling 66 GB of data allegedly exfiltrated from Nemea Group, a French hospitality and student residence company. The dataset reportedly contains 203,733 files including ID cards, passports, health insurance cards, invoices, and other documents in PDF and image formats. Multiple Nemea-affiliated domains are listed as compromised, including nemea-groupe.com, residence-nemea.com, nemea-appart-hotel.com, nemea-residence-etudiante.com, and mygestion.nemea-serveur6
Date: 2026-04-28T12:16:06Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-66-GB-of-NEMEA-GROUP
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: Hospitality & Real Estate
Victim Organization: Nemea Group
Victim Site: nemea-groupe.com
- Alleged bulk SMS phishing service targeting financial institutions across multiple countries
Category: Phishing
Content: Threat actor operating bulk SMS phishing service offering campaigns targeting major financial institutions including Binance, PayPal, BBVA, TradeRepublic, and banking platforms across Spain, Portugal, and 200+ countries. Service advertises high click rates, lowest prices, and operates with contact handles @Alice_sms6, @Alice_global_SMS_bot, and @Youngjn123. Infrastructure includes multiple messaging routes and claims of 75-95% validity rates.
Date: 2026-04-28T12:15:56Z
Network: telegram
Published URL: https://t.me/global_bulksms_Alice/138
Screenshots:
None
Threat Actors: Alice_sms6
Victim Country: Unknown
Victim Industry: Financial Services, Banking, Payment Processing
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias FlashCloud2 has made available an alleged combolist of approximately 2,000 Hotmail credentials on the cracking forum CrackingX. The post is categorized under Combolists & Dumps and is described as UHQ (ultra-high quality), suggesting the credentials may be fresh or previously unverified. The full content of the post is restricted to registered or signed-in forum members.
Date: 2026-04-28T12:06:50Z
Network: openweb
Published URL: https://crackingx.com/threads/73510/
Screenshots:
None
Threat Actors: FlashCloud2
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged Leak of Hotmail Credential Hits with Keyword Targets and Country Sort
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available 163 alleged high-quality Hotmail credential hits, described as verified account accesses. The post includes associated keyword targets and credentials sorted by country, suggesting organized collection and categorization for account takeover purposes.
Date: 2026-04-28T12:06:05Z
Network: openweb
Published URL: https://crackingx.com/threads/73511/
Screenshots:
None
Threat Actors: Hotmail Cloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
- Alleged leak of t-online.de credential combolist (7 million records)
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist of approximately 7 million t-online.de credentials via Telegram channels. The post directs users to two free Telegram groups for access to the combolist and related tools. No price is mentioned, indicating the content is being freely distributed.
Date: 2026-04-28T12:05:36Z
Network: openweb
Published URL: https://crackingx.com/threads/73512/
Screenshots:
None
Threat Actors: CODER
Victim Country: Germany
Victim Industry: Telecommunications / Internet Services
Victim Organization: T-Online (Deutsche Telekom)
Victim Site: t-online.de
- Alleged leak of Hotmail credential combolist with inbox access and country sorting
Category: Combo List
Content: A threat actor on DemonForums has made available a combolist of 1,547 alleged Hotmail email and password pairs, described as high-quality hits. The post includes separate downloads for inbox-accessible accounts and a version sorted by country. The credentials are being freely distributed with no price indicated.
Date: 2026-04-28T12:04:52Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1547x-HQ-HOTMAIL-HITS-INBOXES-TARGETS-SORTED-COUNTRIES–202059
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of corporate domain combolist
Category: Combo List
Content: A threat actor operating under the alias zod has made available a combolist containing 77,527 lines of corporate domain credentials on the cracking forum CX. The content is gated behind registration or sign-in, with a password distributed via a Telegram channel linked to the actor. No specific victim organization or country has been identified.
Date: 2026-04-28T12:04:41Z
Network: openweb
Published URL: https://crackingx.com/threads/73515/
Screenshots:
None
Threat Actors: zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has made available a combolist containing approximately 5,000 Hotmail email and password combinations on a cybercrime forum. The content is hidden behind a registration or login requirement. The actor also advertises a shop (unique-combo.shop) offering credential combolists for various countries upon request.
Date: 2026-04-28T12:04:36Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-Hotmail-Unique-Combo-3-5000–202060
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of mixed email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias NotSellerXd has shared a combolist containing approximately 3,210 mixed email and password combinations on a cybercrime forum. The content is hidden behind a registration or login requirement, suggesting it is being made available to forum members at no explicit cost. No specific victim organization or country has been identified, as the list appears to aggregate credentials from multiple sources.
Date: 2026-04-28T12:04:18Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-3210x-MIX-MAIL
Screenshots:
None
Threat Actors: NotSellerXd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Fraud Warning Against Altenens ATN ESCROW Trading Platform
Category: Carding
Content: A forum post on Altenens warns that the Altenens ATN ESCROW trading platform is allegedly a fraudulent scheme. According to the post, the platform falsifies guarantees and retains all Bitcoin transferred by users. Victims are urged to report the platform's activities to law enforcement.
Date: 2026-04-28T12:01:16Z
Network: openweb
Published URL: https://altenens.is/threads/la-plataforma-de-trading-altenens-atn-escorw-es-una-estafa.2931002/unread
Screenshots:
None
Threat Actors: Exhibit5
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Altenens ATN ESCROW
Victim Site: Unknown
- Alleged breach of South Korean government institutions including Jeollanam Provincial Police and national data centers
Category: Data Breach
Content: Infrastructure Destruction Squad claims to have breached multiple South Korean government entities including Jeollanam do Provincial Police Agency, Jeollanam do Police Headquarters, various government offices, and national-level data centers. The threat actor alleges exploitation of vulnerabilities in digital file storage, corporate email, and government cloud storage systems. The breach is claimed to be active and ongoing with data being leaked and uploaded to dark web infrastructure.
Date: 2026-04-28T11:55:03Z
Network: telegram
Published URL: https://t.me/c/2735908986/4077
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: South Korea
Victim Industry: Government/Law Enforcement
Victim Organization: South Korean Government (Jeollanam do Provincial Police Agency, Jeollanam do Police Headquarters, national data centers)
Victim Site: Unknown
- Alleged Sale of Phishing Package Including Scampages, Email Senders, and SMTPs
Category: Initial Access
Content: A threat actor operating under the alias Skybat is advertising a phishing package for sale on the Breached forum. The package allegedly includes scam pages, phishing letters, an email sender tool, and SMTP credentials. Contact is facilitated via a Telegram handle (@crocsub).
Date: 2026-04-28T11:51:23Z
Network: openweb
Published URL: https://breached.st/threads/phishing-package-scampages-letters-email-sender-smtps.86412/unread
Screenshots:
None
Threat Actors: Skybat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Leak of Indonesian Civil Servant (BKN) Employee Database
Category: Data Leak
Content: A threat actor using the alias Xyph0rix has leaked a structured database dump allegedly belonging to Badan Kepegawaian Negara (BKN), Indonesia's National Civil Service Agency. The leaked data includes sensitive personal and employment records of civil servants such as full names, National Identity Numbers (NIK), civil servant ID numbers (NIP), dates of birth, employment ranks, job titles, and employment tenure dates. The data appears to have been last synchronized in January 2025, suggesting it
Date: 2026-04-28T11:50:29Z
Network: openweb
Published URL: https://breached.st/threads/database-badan-pegawai-negara.86413/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Badan Kepegawaian Negara (BKN)
Victim Site: Unknown
- Alleged data breach of Badan Pegawai Negara (Indonesian Civil Service)
Category: Data Breach
Content: A user named Xyph0rix has posted on Breachforums claiming access to a database from Badan Pegawai Negara (Indonesian State Personnel Board). The breach appears to involve government employee records.
Date: 2026-04-28T11:38:04Z
Network: telegram
Published URL: https://t.me/Xyph0rix/224
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Badan Pegawai Negara
Victim Site: Unknown
- Website Redefacement of KCF.vn by Irene of XmrAnonye.id
Category: Defacement
Content: A threat actor known as Irene, affiliated with the group XmrAnonye.id, defaced a subdirectory of the Vietnamese website kcf.vn on April 28, 2026. This incident is classified as a redefacement, indicating the site had been previously compromised by the same or another attacker. The defacement was not a mass or homepage defacement, targeting a specific image directory path within the site.
Date: 2026-04-28T11:37:26Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915604
Screenshots:
None
Threat Actors: Irene, XmrAnonye.id
Victim Country: Vietnam
Victim Industry: Unknown
Victim Organization: KCF Vietnam
Victim Site: www.kcf.vn
- Alleged Data Leak of NEMEA Group Affecting Multiple French Real Estate and Services Companies
Category: Data Leak
Content: A threat actor known as ChimeraZ has leaked a 7.0 GB database allegedly stolen from NEMEA Group, a French real estate and hospitality company. The leak impacts multiple affiliated entities including GOELIA, COGEDIM, VIVERIS, RHONE HABITAT, and EUROTELEPORT, and contains structured personal data such as lease agreements, SEPA mandates, parking rental contracts, and legal declarations, as well as approximately 1,000 identity documents including national ID cards and passports. The actor claims to
Date: 2026-04-28T11:30:35Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-330K-NEMEA-GROUP-7-0-GB
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: Real Estate
Victim Organization: NEMEA Group
Victim Site: nemea-groupe.com
- Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias HollowKnight07 has made available a sample combolist containing 2,240 Hotmail credentials on the cracking forum CrackingX. The post offers a free download link, suggesting this is a sample release likely intended to demonstrate data quality. The targeted accounts are associated with Microsoft's Hotmail email service.
Date: 2026-04-28T11:24:22Z
Network: openweb
Published URL: https://crackingx.com/threads/73506/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of German email credentials including GMX and T-Online combolists
Category: Combo List
Content: A threat actor operating under the alias CODER is distributing a combolist of approximately 5 million credentials allegedly belonging to German email and internet service provider users, including GMX and T-Online accounts. The combolists are being made available for free via Telegram channels linked in the post. The actor also promotes additional free tools and combo resources through associated Telegram groups.
Date: 2026-04-28T11:23:38Z
Network: openweb
Published URL: https://crackingx.com/threads/73507/
Screenshots:
None
Threat Actors: CODER
Victim Country: Germany
Victim Industry: Telecommunications / Email Services
Victim Organization: GMX, T-Online
Victim Site: gmx.de, t-online.de
- Alleged leak of mixed credential combolist batch
Category: Combo List
Content: A threat actor known as snowstormxd has made available a mixed batch of 1,457 credential combos via a free download link on pasteview.com. The post also promotes a paid Telegram cloud service offering access to additional combolists, priced between $3 for 24 hours and $120 for lifetime access. The batch is described as including built-in inboxer functionality, suggesting the credentials have been pre-validated for inbox access.
Date: 2026-04-28T11:23:07Z
Network: openweb
Published URL: https://crackingx.com/threads/73508/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 165,000 email and password credentials on cybercrime forum
Category: Data Leak
Content: A threat actor operating under the alias Prince1001 has shared a combolist of approximately 165,000 email and password credential pairs on the cybercrime forum Altenens. The post claims the credentials are of high quality and suitable for banking-related account takeover activity. Access to the hidden content requires forum interaction, suggesting the data is being freely distributed to active members.
Date: 2026-04-28T11:19:52Z
Network: openweb
Published URL: https://altenens.is/threads/star-165-000-star-mailpass-high-voltageuhq-database-good-for-bankinghigh-voltage-fresh-data.2930986/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Spotify credential combolist with 125,000 records
Category: Data Leak
Content: A threat actor on the AE – Combo List forum has made available a combolist of approximately 125,000 email and password combinations claimed to be valid for Spotify accounts. The post describes the data as UHQ (ultra-high quality) and fresh, suggesting recently harvested or verified credentials. The content is hidden behind a reply-gate, a common forum tactic to boost engagement before granting access to the download.
Date: 2026-04-28T11:19:39Z
Network: openweb
Published URL: https://altenens.is/threads/star-125-000-star-mailpass-high-voltageuhq-database-good-for-spotify-high-voltage-fresh-data.2930987/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Entertainment
Victim Organization: Spotify
Victim Site: spotify.com
Alleged leak of 269,000 email and password credentials on hacking forum
Category: Data Leak
Content: A threat actor using the alias Prince1001 has made available a combolist containing approximately 269,000 email and password pairs on the AE hacking forum. The post claims the credential list is UHQ (ultra-high quality) and suitable for use against multiple targets. The data appears to be shared freely, requiring only a reply to access the hidden download link.
Date: 2026-04-28T11:19:26Z
Network: openweb
Published URL: https://altenens.is/threads/star-269-000-star-mailpass-high-voltageuhq-database-good-for-all-target-high-voltage-fresh-data.2930988/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 350,000 email and password credentials for PayPal and gaming platforms
Category: Data Leak
Content: A threat actor known as Prince1001 has made available a combolist of approximately 350,000 email and password credentials on the AE forum. The credentials are claimed to be fresh and of high quality, reportedly suitable for credential stuffing attacks against PayPal and gaming platforms. The post requires forum engagement to access the hidden download link.
Date: 2026-04-28T11:19:13Z
Network: openweb
Published URL: https://altenens.is/threads/star-350-000-star-mailpass-high-voltageuhq-database-good-for-paypal-and-gaming-high-voltage-fresh-data.2930990/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Data Leak
Content: A threat actor operating under the alias Prince1001 shared a combolist containing 210 Hotmail credentials on the cybercrime forum AE (altenens.is). The post requires forum members to reply in order to access the hidden credential data. The content appears to be a free leak of email and password combinations associated with Hotmail accounts.
Date: 2026-04-28T11:19:00Z
Network: openweb
Published URL: https://altenens.is/threads/210-hotmails.2930989/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft Hotmail
Victim Site: hotmail.com
Website Defacement of Espare.com by DimasHxR
Category: Defacement
Content: On April 28, 2026, threat actor DimasHxR defaced a specific media/customer address page on espare.com, a likely e-commerce or automotive parts platform. The attack was a targeted single-page defacement rather than a mass or home page defacement. The attacker operated independently without affiliation to a known hacking team.
Date: 2026-04-28T11:09:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915593
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: E-Commerce / Automotive Parts
Victim Organization: Espare
Victim Site: espare.com
Alleged sale of compromised PayPal accounts with balances
Category: Carding
Content: A threat actor operating under the alias preston45 on Breached forums is selling verified PayPal accounts with associated balances ranging from $2,000 to $10,000. Each account listing includes the email address, PayPal password, and a SOCKS proxy IP, priced between $150 and $600 depending on the account balance. The seller, reportedly verified by the forum admin, can be contacted via Telegram handle @ColdApollo.
Date: 2026-04-28T11:09:01Z
Network: openweb
Published URL: https://breached.st/threads/paypal-instant-transfer-verified-paypal-accounts-with-funds.86406/unread
Screenshots:
None
Threat Actors: preston45
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: PayPal
Victim Site: paypal.com
Alleged sale of skimmed payment card dumps with PINs across multiple countries
Category: Carding
Content: A threat actor operating under the alias ColdApollo is selling freshly skimmed payment card dumps including Track 1 and Track 2 data with PINs (201 and 101 format) sourced from the United States, United Kingdom, Canada, Australia, and Europe. Prices range from $60 to $80 per card depending on the country of origin. The actor claims the data is firsthand and fresh, and can be contacted via Telegram at @ColdApollo.
Date: 2026-04-28T11:08:19Z
Network: openweb
Published URL: https://breached.st/threads/freshly-skimmed-dumps-pins-201-hq-track-101-201-firsthand.86407/unread
Screenshots:
None
Threat Actors: preston45
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of cloned payment cards for ATM cash-out and online fraud
Category: Carding
Content: A threat actor operating under the alias preston45 and Telegram handle ColdApollo is selling cloned credit cards with preloaded balances ranging from $2,000 to $9,500, priced between $100 and $500. The cloned cards are advertised as usable at ATMs, gas stations, and for online purchases, and come with associated ATM PINs for cash-out operations. The seller claims to be verified by the forum administration on the Breached cybercrime forum.
Date: 2026-04-28T11:07:05Z
Network: openweb
Published URL: https://breached.st/threads/cloned-cards-available-with-tracking-cloned-cards-for-quick-withdrawals-at-atms.86409/unread
Screenshots:
None
Threat Actors: preston45
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of credential logs and account access across multiple platforms
Category: Logs
Content: Threat actor offering for sale private cloud Hotmail credentials, Comcast, AT&T, GMX-DE, AOL, Gmail UHQ mailpass access, Facebook Ads accounts with spend, dating app accounts (Bumble, Zoosk, Match, EliteSingle, eHarmony), LinkedIn, Roblox RDP, OkCupid, StubHub, Ticketmaster, IHG, Marriott, JetBlue, Alaska Airlines account logs, iCloud fullz, DoorDash, Verizon+PIN, Giffgaff, Uber, and Reddit credentials.
Date: 2026-04-28T10:58:35Z
Network: telegram
Published URL: https://t.me/c/2613583520/71402
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: United States
Victim Industry: Multiple (email, social media, travel, financial services, telecommunications)
Victim Organization: Unknown
Victim Site: Unknown
Alleged takedown of major platform by threat actor team
Category: Cyber Attack
Content: Threat actor claims their team has taken down one of the largest platforms. Limited technical details provided in the message.
Date: 2026-04-28T10:46:34Z
Network: telegram
Published URL: https://t.me/c/3793980891/3089
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of unpublished critical vulnerabilities by XORCat
Category: Vulnerability
Content: Threat actor claiming to possess unpublished critical vulnerabilities and offering them for sale at $5,000 per vulnerability. Contact provided via support@xorcat email address.
Date: 2026-04-28T10:42:27Z
Network: telegram
Published URL: https://t.me/c/3793980891/3088
Screenshots:
None
Threat Actors: XORCat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail, AOL, and Streaming service credentials combolist
Category: Combo List
Content: A threat actor operating under the alias CODER has made available a combolist containing credentials for Hotmail UK, AOL, and various streaming services via Telegram channels. The post directs users to two Telegram groups (t.me/Combo445544 and t.me/Coder554455) where free combolists and tools are distributed. No specific record count or pricing was mentioned, suggesting this is a free distribution of credential lists.
Date: 2026-04-28T10:38:59Z
Network: openweb
Published URL: https://crackingx.com/threads/73501/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Technology / Media & Entertainment
Victim Organization: Hotmail, AOL, Streaming Services
Victim Site: hotmail.co.uk
Alleged solicitation of address lists on cybercrime forum
Category: Combo List
Content: A threat actor using the handle Lilmike1176 on the cracking forum CrackingX posted a request soliciting address lists (addys) to be sent via private message to the user BigDevvy. The post suggests the actor is seeking personally identifiable information, likely physical or email addresses, possibly for use in fraud or spam campaigns. No specific victim organization, country, or record count was disclosed in the post.
Date: 2026-04-28T10:38:24Z
Network: openweb
Published URL: https://crackingx.com/threads/73502/
Screenshots:
None
Threat Actors: Lilmike1176
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email and password combolist
Category: Combo List
Content: A threat actor known as wingoooW has made available a mixed combolist containing approximately 32,000 email and password credential pairs via a free download link on pasteview.com. The post was shared on DemonForums in the combolists section. The origin of the credentials and the affected organizations or individuals are unknown.
Date: 2026-04-28T10:38:20Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-32K-VALID-MIXED
Screenshots:
None
Threat Actors: wingoooW
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Gaming and Shopping credentials targeting Yahoo users
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing over 1 million credential entries on the cracking forum CrackingX. The combolist is described as targeting gaming and shopping platforms, with a focus on Yahoo-associated accounts. The file has been shared freely via a Mega.nz link.
Date: 2026-04-28T10:38:01Z
Network: openweb
Published URL: https://crackingx.com/threads/73504/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: E-commerce and Gaming
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of T-Online.de credential combolist
Category: Combo List
Content: A threat actor operating under the alias COYYYTO has made available a combolist of approximately 18,000 T-Online.de credentials on the cracking forum CrackingX. The data was shared as a free download via an external paste site. T-Online is a major German internet service provider and email platform operated by Deutsche Telekom.
Date: 2026-04-28T10:37:26Z
Network: openweb
Published URL: https://crackingx.com/threads/73505/
Screenshots:
None
Threat Actors: COYYYTO
Victim Country: Germany
Victim Industry: Telecommunications
Victim Organization: T-Online
Victim Site: t-online.de
Alleged sale of stolen financial data including credit cards and bank logs
Category: Carding
Content: A threat actor operating under the alias Lilmike1176 is advertising stolen financial data on the crackingx.com forum. The offerings include linkable credit cards, bank logs, slips, and booking-related data. The actor directs potential buyers to a Telegram channel at t.me/Official1dae to conduct transactions.
Date: 2026-04-28T10:37:20Z
Network: openweb
Published URL: https://crackingx.com/threads/73503/
Screenshots:
None
Threat Actors: Lilmike1176
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged Zero-Click RCE Vulnerability Chain Disclosed in Figma Desktop Application
Category: Initial Access
Content: A security researcher (Benjamin Mamoud / DavenSec) disclosed a zero-click remote code execution vulnerability chain in Figma's desktop Electron application. The exploit chain combined prototype pollution in the variant processing function (eG), a race condition against an internal plugin re-run mechanism, and a second prototype pollution in figma.jsx.deserialize to manipulate feature flags, ultimately achieving XSS via a polluted errorHandler gadget and RCE via an exposed IPC handler (writeFileT
Date: 2026-04-28T10:28:44Z
Network: openweb
Published URL: https://tier1.life/thread/186
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Software / Technology
Victim Organization: Figma
Victim Site: figma.com
Alleged leak of private IP camera credentials
Category: Data Leak
Content: A threat actor using the alias Big_Meeper publicly shared a list of 44 compromised IP security cameras on a known cybercrime forum. The post includes IP addresses, ports, usernames, and plaintext passwords for each device. The cameras appear to belong to private individuals across multiple countries, based on the diversity of IP ranges and personal usernames observed.
Date: 2026-04-28T10:24:37Z
Network: openweb
Published URL: https://breached.st/threads/private-security-cameras-list.86404/unread
Screenshots:
None
Threat Actors: Big_Meeper
Victim Country: Unknown
Victim Industry: Private Individuals / Residential
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Polymarket.com – Full API dump with 300K+ records, PII, and exploit kit
Category: Data Breach
Content: Threat actor uploaded a comprehensive data breach package for Polymarket.com (decentralized prediction market platform) containing approximately 300,000+ user records (~750 MB extracted data) including full user PII, market data, and internal API access. The breach exploited multiple vulnerabilities including unauthenticated API endpoints, CORS misconfiguration, pagination bypass, and known CVEs (CVE-2025-62718, CVE-2024-51479). Package includes working proof-of-concept exploits, automated data extraction scripts, and detailed red team analysis with MITRE ATT&CK mapping.
Date: 2026-04-28T10:19:09Z
Network: telegram
Published URL: https://t.me/c/3793980891/3086
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Financial Technology / Cryptocurrency
Victim Organization: Polymarket.com
Victim Site: polymarket.com
Alleged Data Breach of Polymarket.com via API Vulnerabilities Exposing 300K+ Records
Category: Data Leak
Content: A threat actor known as xorcat claims to have extracted over 300,000 records from Polymarket.com, a decentralized prediction market platform, by exploiting multiple vulnerabilities including unauthenticated API endpoints, a CORS misconfiguration, CVE-2025-62718 (Axios SSRF), and CVE-2024-51479 (Next.js auth bypass). The leaked data allegedly includes 10,000 unique user profiles with full PII, Ethereum wallet addresses, social graph data, internal user IDs, and market metadata totaling approxim
Date: 2026-04-28T10:17:51Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Polymarket-com-FULL-API-BREACH-300K-Records-10k-Real-Identities-Admin
Screenshots:
None
Threat Actors: xorcat
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Polymarket
Victim Site: polymarket.com
Alleged solicitation for bulk SMS sending infrastructure or SIM cards
Category: Combo List
Content: A threat actor posted on the cracking forum CrackingX requesting assistance in obtaining bulk SMS sending capabilities or SIM cards capable of sending messages at high volume. The request suggests potential intent to conduct SMS spam, phishing (smishing), or other mass messaging campaigns. No specific victim, price, or data type was mentioned.
Date: 2026-04-28T09:58:28Z
Network: openweb
Published URL: https://crackingx.com/threads/73498/
Screenshots:
None
Threat Actors: Clifford
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed forum credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist of approximately 100,000 mixed credentials described as valid and sourced from various forums. The post is gated behind registration or sign-in on the crackingx.com forum, limiting full content visibility. The specific origin, targeted organizations, and affected countries of the credential list remain unknown.
Date: 2026-04-28T09:57:46Z
Network: openweb
Published URL: https://crackingx.com/threads/73500/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Telegram User Surveillance and Data Aggregation Service Advertised via Funstat Bot
Category: Data Breach
Content: A threat actor is advertising Funstat, claimed to be the largest database of Telegram users and chats globally, accessible via a Telegram bot at telelog.bot. The service allegedly allows users to export message histories, view group and channel memberships, analyze user interactions, and search messages globally. This tool poses significant privacy and surveillance risks to Telegram users worldwide.
Date: 2026-04-28T09:57:27Z
Network: openweb
Published URL: https://crackingx.com/threads/73496/
Screenshots:
None
Threat Actors: funstat
Victim Country: Unknown
Victim Industry: Telecommunications / Messaging
Victim Organization: Telegram
Victim Site: telegram.org
Kent District Library blames ‘ransomware’ for closures
Category: Cyber Attack
Content: The Kent County Library has closed following a ransomware attack that affected all of its branches. The organization is currently investigating the incident with external specialists to determine its full scope and intends to notify users if their personal data has been compromised. To address the closure, some branches remain open with limited services for users.
Date: 2026-04-28T09:54:42Z
Network: openweb
Published URL: https://www.woodtv.com/news/kent-county/kent-district-library-blames-ransomware-for-closures/
Screenshots:
None
Threat Actors:
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Kent District Library
Victim Site: kdl.org
Alleged breach of colprecentro.edu.co
Category: Data Breach
Content: A domain associated with an educational institution (colprecentro.edu.co) has been posted in a market channel with a #sold hashtag, indicating potential sale of compromised access, credentials, or stolen data related to this organization.
Date: 2026-04-28T09:51:51Z
Network: telegram
Published URL: https://t.me/c/3205199875/520
Screenshots:
None
Threat Actors: Pharaohs Team
Victim Country: Colombia
Victim Industry: Education
Victim Organization: Colprecentro
Victim Site: colprecentro.edu.co
Alleged leak of Hotmail credential combolist
Category: Logs
Content: A threat actor operating under the alias UniqueCombo has made available a combolist allegedly containing 5,000 unique Hotmail credentials on a cybercrime forum. The post is categorized under Mail Access & Combolists, suggesting the list contains email and password pairs. No price or payment terms were mentioned, indicating the combolist was freely shared.
Date: 2026-04-28T09:47:35Z
Network: openweb
Published URL: https://xforums.st/threads/hotmail-unique-combo_2_5000.611825/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged sale of fresh credential databases across multiple countries
Category: Combo List
Content: Threat actor offering fresh database dumps containing credentials from UK, DE, JP, NL, BR, PL, ES, US, IT and other countries. Specifically targeting popular platforms including eBay, OfferUp, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, and Kleinanzeigen. Seller claims to have private cloud access and valid webmail credentials (ntlworld). Offering to check credentials against specific keywords upon request.
Date: 2026-04-28T09:41:05Z
Network: telegram
Published URL: https://t.me/c/2613583520/71345
Screenshots:
None
Threat Actors: mu
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: Multiple (e-commerce, payment, gaming, travel, email)
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyberattack causing widespread disruption to French passport and national ID system
Category: Cyber Attack
Content: A cyberattack targeted France's online system for issuing passports, national ID cards, and driver's licenses, causing significant service disruption. According to France's Interior Ministry, millions of users' personal information was exposed. The system was taken offline for emergency maintenance and repairs. Citizens are unable to submit new requests or track existing applications, forcing administrative centers to revert to manual paper-based processes. The attack coincided with increased demand for travel document renewals, causing delays in travel and migration plans.
Date: 2026-04-28T09:32:59Z
Network: telegram
Published URL: https://t.me/c/1283513914/21444
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: France
Victim Industry: Government
Victim Organization: French Ministry of Interior / French Government
Victim Site: Unknown
Alleged Data Leak of qzaem.ru User Database with 7.6 Million Records
Category: Data Leak
Content: A threat actor known as Tanaka has made available a database dump from qzaem.ru, a Russian online lending/microfinance platform, containing approximately 7.6 million user records dated February 2024. The leaked SQL database includes sensitive personal and financial data such as full names, email addresses, phone numbers, hashed passwords, IP addresses, birth dates, physical addresses, SNILS (Russian social security numbers), INN (tax identification numbers), payment card tokens, card metadata, a
Date: 2026-04-28T09:24:48Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-qzaem-ru-7-6M-2024-02-Repost
Screenshots:
None
Threat Actors: Tanaka
Victim Country: Russia
Victim Industry: Financial Services
Victim Organization: Qzaem
Victim Site: qzaem.ru
Alleged cyber attacks by French hacker HexDex – 100 intrusions including French Ministry of Education breach
Category: Cyber Attack
Content: French police arrested a 21-year-old hacker using the alias HexDex for approximately 100 cyber intrusions since late 2025. The most significant attributed attack involved unauthorized access to the French Ministry of Education's systems, resulting in exposure of personal and contact information of approximately 243,000 employees. The suspect is charged with six offenses including organized criminal activity. Authorities indicate the attacker also targeted multiple government institutions, sports organizations, and professional bodies. Financial motivation was identified as the primary driver.
Date: 2026-04-28T09:19:29Z
Network: telegram
Published URL: https://t.me/c/1283513914/21443
Screenshots:
None
Threat Actors: HexDex
Victim Country: France
Victim Industry: Government/Education
Victim Organization: French Ministry of Education (Ministère de l'Éducation)
Victim Site: Unknown
Alleged Data Leak of Netflix Email Dump
Category: Data Leak
Content: A threat actor known as CC-GuRu has allegedly shared or made available an email dump associated with Netflix.com on a darknet forum. The post is restricted to registered or signed-in members, limiting visibility into the full scope and nature of the leaked data. The specific record count and exact data fields included remain unknown.
Date: 2026-04-28T09:18:32Z
Network: openweb
Published URL: https://darkpro.net/threads/netflix-com-email-dump-by-carding-forum.22902/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: United States
Victim Industry: Streaming / Entertainment
Victim Organization: Netflix
Victim Site: netflix.com
Alleged Sale of Fraudulent Identity Documents Including SSNs, Passports, and Financial Records
Category: Carding
Content: A threat actor operating under the alias Tryrdf is selling allegedly authentic identity and financial documents on DemonForums, including SSNs, driver's licenses, passports, utility bills, bank details with cards, LLC documents, tax IDs, and address verifications. The seller claims the documents are freshly acquired and of high quality, pricing them at elevated rates. Contact is facilitated via Telegram handle @DroneBott2.
Date: 2026-04-28T09:18:27Z
Network: openweb
Published URL: https://demonforums.net/Thread-Buy-fully-fresh-working-Doucuments-Bills-Detailes-Licenses-Aged-Fresh–202037
Screenshots:
None
Threat Actors: Tryrdf
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed combolist credentials distributed via cracking forum
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a mixed combolist containing 1,457 credential pairs via a cracking forum and Telegram channel. The post includes a free download link alongside a paid private cloud service offering tiered subscription access starting at $3 for 24 hours. The combolist is described as mixed, indicating credentials aggregated from multiple sources, with a built-in inboxer tool included.
Date: 2026-04-28T09:18:08Z
Network: openweb
Published URL: https://crackingx.com/threads/73495/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Modern Cleaning Methods Co. (Chem-Dry Kuwait)
Category: Data Breach
Content: A threat actor known as fent888 is selling an alleged database dump from chemdry.com.kw, the official website of Modern Cleaning Methods Co., a Kuwait-based Chem-Dry franchise. The dataset contains approximately 121,836 records with fields including personal identifiers, contact details, geolocation data, password hashes, device information, and booking details. The breach is claimed to have occurred on April 28, 2026, and is being offered for $120 via a Telegram channel.
Date: 2026-04-28T09:06:01Z
Network: openweb
Published URL: https://breached.st/threads/chemdry-com-kw-121-8k.86403/unread
Screenshots:
None
Threat Actors: fent888
Victim Country: Kuwait
Victim Industry: Cleaning Services
Victim Organization: Modern Cleaning Methods Co. (Chem-Dry)
Victim Site: chemdry.com.kw
Alleged Data Leak of Modular Construction Co. ID Customer Database
Category: Data Leak
Content: A threat actor known as Kyyzo has leaked a partial customer database belonging to modularconstruction.co.id, an Indonesian construction company. The leaked data includes customer names and phone numbers in JSON format. The actor indicated additional data will be posted incrementally and can be contacted via Telegram.
Date: 2026-04-28T09:05:06Z
Network: openweb
Published URL: https://breached.st/threads/database-modularconstruction-co-id.86402/unread
Screenshots:
None
Threat Actors: Kyyzo
Victim Country: Indonesia
Victim Industry: Construction
Victim Organization: Modular Construction Co.
Victim Site: modularconstruction.co.id
Alleged Data Breach of Badan Penghubung Pemerintah Jawa Tengah Government Portal
Category: Data Breach
Content: A threat actor known as Mr. Hanz Xploit has alleged a data breach of the Badan Penghubung Pemerintah Jawa Tengah, an Indonesian regional government liaison body. The post claims to involve approximately 1 million records from the organization's database. No further details regarding the nature of the data or the method of compromise are available from the post content.
Date: 2026-04-28T09:04:30Z
Network: openweb
Published URL: https://breached.st/threads/1-milliond-database-badan-penghubung-pemerintah-jawa-tengah-go-id.86401/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Badan Penghubung Pemerintah Jawa Tengah
Victim Site: badan-penghubung-pemerintah-jawa-tengah.go.id
Alleged Data Breach of UniversityKart Indian Education Platform Exposing 1 Million Student Records
Category: Data Breach
Content: A threat actor operating under the alias Sensitive2025 is selling an alleged database dump from UniversityKart, an Indian education platform, containing approximately 1 million records. The exposed data includes full names, mobile numbers, email addresses, gender, geographic details (city, state, country), interested universities and courses, lead source information, and timestamps. Sample records suggest the data originates from a leads management system and pertains to Indian students seekin
Date: 2026-04-28T08:48:49Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Full-Database-1M-lines-universitykart-com-India
Screenshots:
None
Threat Actors: Sensitive2025
Victim Country: India
Victim Industry: Education
Victim Organization: UniversityKart
Victim Site: universitykart.com
Alleged leak of mixed premium credential combolists
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a collection of approximately 4,763 alleged high quality mixed premium credential hits. The post offers a free download of the combolist with no additional context regarding the origin or targeted services. The credentials are described as mixed, suggesting they span multiple platforms or services.
Date: 2026-04-28T08:39:19Z
Network: openweb
Published URL: https://crackingx.com/threads/73491/
Screenshots:
None
Threat Actors: anonymous_cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist with keyword targets
Category: Combo List
Content: A threat actor on the cracking forum CrackingX has made available a mixed combolist containing 3,547 alleged fully valid credential entries. The post includes separate downloads for validated hits and keyword-targeted credential lists, suggesting the combolists are organized by specific service or platform targets.
Date: 2026-04-28T08:39:03Z
Network: openweb
Published URL: https://crackingx.com/threads/73492/
Screenshots:
None
Threat Actors: Hotmail Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed credential combolist with keyword targets
Category: Combo List
Content: A threat actor known as He_Cloud has made available on DemonForums a combolist containing 3,547 claimed valid email:password credential pairs described as a private full valid mix access collection. The post also includes a separate download of keyword-targeted credentials. The content is being distributed for free with no price mentioned.
Date: 2026-04-28T08:38:55Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9D%84%E2%9D%84-3547x-Private-Full-Valid-Mix-Access-%E2%9D%84%E2%9D%84-KEYWORD-TARGETS
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed email credential combolist with inbox targets
Category: Combo List
Content: A threat actor operating under the alias He_Cloud on DemonForums has made available a mixed combolist containing 4,259 alleged valid email:password credential pairs. The post includes free download links for the full combolist, a filtered hits subset claimed to be 100% valid, and a separate list of keyword-based inbox targets. No specific victim organization or country has been identified.
Date: 2026-04-28T08:38:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-4259x-HQ-MIX-FRESH-VALIDS-%E2%9A%A1%E2%9A%A1-INBOXES-TARGETS–202036
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Gmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 952,789 Gmail credential pairs (email:password) via a Mega.nz file link. The list is described as high quality (HQ) and is being freely distributed on the cracking forum CrackingX. This type of combolist is typically compiled from multiple prior data breaches and used for credential stuffing attacks.
Date: 2026-04-28T08:38:38Z
Network: openweb
Published URL: https://crackingx.com/threads/73494/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Google
Victim Site: gmail.com
Alleged data breach of McDonalds India – 861 GB leaked by Everest group
Category: Data Breach
Content: Everest group claims to have breached McDonalds India (operating through Connaught Plaza Restaurants and Hardcastle Restaurants) on January 20, 2026. Alleged leaked data includes 861 GB of financial reports, audit trails, pricing data, internal communications, investor/partner contact databases (US, UK, Singapore, India), store-level data with manager information, customer personal data, and access to accounting/ERP systems. The full leak has been published. This follows previous incidents in 2017 (2.2M customer records via McDelivery app) and 2024 (API vulnerabilities in delivery system).
Date: 2026-04-28T08:26:37Z
Network: telegram
Published URL: https://t.me/c/1861685334/268
Screenshots:
None
Threat Actors: Everest group
Victim Country: India
Victim Industry: Food & Beverage / Quick Service Restaurants
Victim Organization: McDonalds India
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias UniqueCombo has shared an alleged combolist containing approximately 5,000 Hotmail credentials on the cracking forum CX. The post is titled Hotmail Unique Combo_1_5000, suggesting the list contains unique email and password combinations targeting Hotmail accounts. The full content of the post is restricted to registered or signed-in forum members.
Date: 2026-04-28T07:59:15Z
Network: openweb
Published URL: https://crackingx.com/threads/73490/
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials combolist
Category: Data Leak
Content: A threat actor known as alphacloud has shared a combolist containing 1,520 alleged valid Hotmail credentials on the forum AE – Combo List. The post claims the credentials are premium hits from a private cloud source. The actor can be contacted via Telegram at alphaaxd, and the content is gated behind a reply requirement.
Date: 2026-04-28T07:57:21Z
Network: openweb
Published URL: https://altenens.is/threads/snowflakesnowflake-1520x-premium-hotmail-hits-snowflakesnowflake.2930944/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias snowstormxd has made available a combolist of 146 allegedly ultra-high-quality (UHQ) Hotmail credentials via a public download link and a Telegram channel. The post advertises a built-in inboxer tool and promotes a paid private cloud service for additional credential access, priced between $3 and $120 depending on subscription tier. Payments are processed through a dedicated Telegram payment bot.
Date: 2026-04-28T07:21:07Z
Network: openweb
Published URL: https://crackingx.com/threads/73487/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of 2,379 U.S. Marines personal details by Handala threat actor
Category: Data Leak
Content: Handala threat actor claims to have leaked personal information on 2,379 U.S. Marines stationed in the Gulf region, including names, identities, family details, home addresses, base locations, and daily patterns. The post frames this as a demonstration of surveillance capabilities and includes explicit threats of future military attacks using missiles and drones. A shortened URL link is provided to access the alleged leaked data.
Date: 2026-04-28T07:05:15Z
Network: telegram
Published URL: https://t.me/c/3686754935/39
Screenshots:
None
Threat Actors: Handala
Victim Country: United States
Victim Industry: Military/Defense
Victim Organization: United States Marine Corps
Victim Site: Unknown
Alleged leak of Italian credential combolist with 1.2 million records
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist containing approximately 1.245 million email and password credential pairs allegedly targeting Italian users. The list is described as fresh and high quality, suggesting recently validated credentials. The post directs users to a Telegram channel (@elite_cloud1) for additional credential logs.
Date: 2026-04-28T06:42:22Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-1-245-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Italy-%E2%9C%AA-27-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Indian email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 311,000 email:password credential pairs allegedly originating from India. The list is described as fresh and high quality and is shared via a hidden download link on the forum. The actor promotes additional credential logs through a Telegram channel at t.me/elite_cloud1.
Date: 2026-04-28T06:42:01Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-311-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-India-%E2%9C%AA-27-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: India
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Indonesian email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 273,000+ email and password credential pairs allegedly sourced from Indonesia. The list is described as FRESH and HQ (high quality), suggesting recently obtained or validated credentials. The post directs users to a Telegram channel (@elite_cloud1) for additional credential logs.
Date: 2026-04-28T06:41:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-273-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Indonesia-%E2%9C%AA-27-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Japanese email credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 215,000+ email:password credential pairs allegedly associated with Japanese users. The list is described as fresh and high quality and is shared via a hidden content mechanism on the forum. The actor promotes an associated Telegram channel (@elite_cloud1) for additional credential logs.
Date: 2026-04-28T06:41:23Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-215-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Japan-%E2%9C%AA-27-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hungarian credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist containing approximately 158,000 email and password combinations purportedly associated with Hungarian users. The credential list is described as fresh and high quality and is shared via a hidden content gate on the forum. The actor also promotes a Telegram channel (t.me/elite_cloud1) for additional credential dumps.
Date: 2026-04-28T06:41:04Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-158-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Hungary-%E2%9C%AA-27-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Hungary
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Israeli credential combolist
Category: Combo List
Content: A threat actor operating under the alias thejackal101 has made available a combolist of approximately 32,000+ email and password credential pairs allegedly sourced from Israeli accounts. The combolist is described as fresh and high quality and is offered as hidden content on the forum. The actor also promotes an associated Telegram channel (@elite_cloud1) for further credential distributions.
Date: 2026-04-28T06:40:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-32-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Israel-%E2%9C%AA-27-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Irish email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias Elite_Cloud1 has made available a combolist containing approximately 23,000+ email address and password credential pairs purportedly associated with Irish users. The list is described as fresh and high quality and is shared via a hidden content gate on a cybercrime forum. The actor also maintains a Telegram channel at t.me/elite_cloud1 for further distribution of credential lists.
Date: 2026-04-28T06:40:28Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%AA-23-K-Combo-%E2%9C%AA-Elite-Cloud1-%E2%9C%AA-Ireland-%E2%9C%AA-27-APR-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Ireland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of fresh mixed credential combolist via MTX Cloud private service
Category: Combo List
Content: A threat actor operating under the alias Haydayx and associated with MTX CLOUD PRIVATE is selling subscription-based access to fresh mixed combolists, including Hotmail and other email credentials. The service offers between 5,000 and 100,000 credential lines daily, priced from $5 for a 3-day trial up to $40 for three months, with payments accepted in cryptocurrency. The combolists are claimed to be clean, verified, and updated daily with no duplicate entries.
Date: 2026-04-28T06:40:08Z
Network: openweb
Published URL: https://crackingx.com/threads/73484/
Screenshots:
None
Threat Actors: Haydayx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credential combolist
Category: Combo List
Content: A threat actor operating under the alias @Steveee36 has made available a combolist purportedly containing 539 Hotmail email and password credential pairs. The content is shared for free on the DemonForums combolists section. The post requires forum registration or login to access the hidden content.
Date: 2026-04-28T06:40:04Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X539-HQ-Hotmail-%E2%9A%A1%E2%9A%A1-BY-Steveee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of European Education and Shopping Sector Combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist of approximately 127,760 credential lines via a Mega.nz link. The list is described as targeting European education and shopping sectors. The credentials were shared freely without any stated price on the crackingx.com forum.
Date: 2026-04-28T06:39:47Z
Network: openweb
Published URL: https://crackingx.com/threads/73485/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Europe
Victim Industry: Education, Retail
Victim Organization: Unknown
Victim Site: Unknown
Alleged CCTV Infrastructure Attack on United States by TheSweetNight and OpsShadowStrike
Category: Cyber Attack
Content: TheSweetNight and OpsShadowStrike claim to have compromised CCTV systems across the United States using CVE-2017-7921. The attack is attributed to a collaboration of multiple threat actors including TengkorakCyberCrew, MalaysiaHacktivist, EagleCyberCrew, and others. The post includes political messaging related to Palestine and Iran.
Date: 2026-04-28T06:32:51Z
Network: telegram
Published URL: https://t.me/TheSweetNightPublic/79
Screenshots:
None
Threat Actors: TheSweetNight
Victim Country: United States
Victim Industry: Critical Infrastructure (CCTV/Surveillance)
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of India Aadhaar Card Data Offered Free to Pakistani Law Enforcement
Category: Data Leak
Content: A threat actor using the alias anon 23 has claimed to possess Aadhaar card data belonging to Indian citizens and is making it available for free exclusively to Pakistani law enforcement agencies. The actor provided a Session app contact ID for communication and shared a file link, though the scope and authenticity of the alleged data remain unverified. The post carries a politically motivated tone, targeting Indian government identity data and offering it selectively to a rival nation's law en
Date: 2026-04-28T06:31:34Z
Network: openweb
Published URL: https://xforums.st/threads/india-aadhaar-card-data.610786/
Screenshots:
None
Threat Actors: anon 23
Victim Country: India
Victim Industry: Government
Victim Organization: Unique Identification Authority of India (UIDAI)
Victim Site: uidai.gov.in
Alleged Data Breach of Paraguayan Insurance Database Exposing 288,394 Persons
Category: Data Breach
Content: A threat actor on BreachForums is sharing a database allegedly sourced from a Paraguayan insurance company, containing records on approximately 288,394 individuals. The dataset includes national ID numbers, full names, dates of birth, policy status, record type, and country codes. The content is gated behind registration or login, suggesting controlled distribution rather than a fully public free leak.
Date: 2026-04-28T06:29:28Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-Paraguay-288394-persons
Screenshots:
None
Threat Actors: dbrick84
Victim Country: Paraguay
Victim Industry: Insurance
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of DarkSword iOS exploit kit source code targeting multiple countries
Category: Data Leak
Content: A threat actor known as Alexmipula has leaked alleged source code for DarkSword, a purported iOS exploit kit claiming to chain 6 vulnerabilities to silently compromise iPhones running iOS 18.4-18.7 via a single Safari visit. The kit allegedly delivers three malware families — GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER — enabling device takeover, data theft, and surveillance. The post claims prior deployment by surveillance vendors and state actors across Saudi Arabia, Turkey, Malaysia, and Ukraine
Date: 2026-04-28T06:26:03Z
Network: openweb
Published URL: https://breached.st/threads/2026-new-ios-exploit-source-code-leakedfire.86398/unread
Screenshots:
None
Threat Actors: Alexmipula
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Breach of Indonesia Ministry of Industry (Kemenperin)
Category: Data Breach
Content: A threat actor operating under the alias MrAnomali is allegedly selling data associated with Indonesia's Ministry of Industry (Kemenperin) on the Breached forum. The post provides minimal details regarding the nature or volume of the data involved. The claim remains unverified and further details are unavailable from the post content.
Date: 2026-04-28T06:25:01Z
Network: openweb
Published URL: https://breached.st/threads/for-sale-indonesia-ministry-of-industry-kemenperin.86397/unread
Screenshots:
None
Threat Actors: MrAnomali
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Ministry of Industry (Kemenperin)
Victim Site: kemenperin.go.id
Alleged Data Leak of ZAMECO Customer Database Including Personal Information
Category: Data Leak
Content: A threat actor operating under the alias Z4ne0days has leaked a database dump allegedly belonging to ZAMECO, a Philippine electric cooperative. The leaked data contains customer records including full names, email addresses, and account numbers. The data was freely shared on the Breached forum with no indication of a sale price.
Date: 2026-04-28T06:24:06Z
Network: openweb
Published URL: https://breached.st/threads/zameco-databse-user-phone-number-and-email.86399/unread
Screenshots:
None
Threat Actors: Z4ne0days
Victim Country: Philippines
Victim Industry: Electric Utility / Energy
Victim Organization: ZAMECO (Zambales II Electric Cooperative)
Victim Site: Unknown
Alleged cyber attack by Hanzalah hacker group targeting Israeli mobile phones with mass SMS campaign
Category: Cyber Attack
Content: Iranian hacker group Hanzalah claimed responsibility for sending hundreds of thousands of warning SMS messages to Israeli citizens' mobile phones. The messages contained political messaging and warnings attributed to the group, claiming to be in response to Israeli government policies. This represents a claimed cyber attack campaign targeting civilian infrastructure.
Date: 2026-04-28T05:58:56Z
Network: telegram
Published URL: https://t.me/c/1283513914/21432
Screenshots:
None
Threat Actors: Hanzalah
Victim Country: Israel
Victim Industry: telecommunications/civilian
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of breached Indonesia Ministry of Industry (KEMENPERIN) database with 130+ official records
Category: Data Breach
Content: Threat actor offering for sale a dataset allegedly containing 130+ records from Indonesia's Ministry of Industry (KEMENPERIN), including internal extension numbers, floor details, and direct room locations of high-ranking officials. Seller provided proof of validity with sample data including names, addresses, and phone numbers of government officials. Price: 0.4 LTC. Contact via @wildhigt on Litecoin.
Date: 2026-04-28T05:57:39Z
Network: telegram
Published URL: https://t.me/c/3865526389/648
Screenshots:
None
Threat Actors: wildhigt
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Indonesia Ministry of Industry (KEMENPERIN)
Victim Site: Unknown
Alleged data exfiltration vulnerability in ChatGPT code execution runtime via hidden outbound channel
Category: Data Leak
Content: Check Point Research disclosed a hidden outbound communication channel within ChatGPT's sandboxed code execution environment, bypassing OpenAI's stated data protection mechanisms. A single malicious prompt was sufficient to activate a covert exfiltration channel capable of leaking user messages, uploaded files, and other sensitive content without user knowledge or consent. The same channel could reportedly be abused by backdoored GPTs to establish remote shell access within the Linux runtime use
Date: 2026-04-28T05:52:11Z
Network: openweb
Published URL: https://tier1.life/thread/184
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: OpenAI
Victim Site: openai.com
Alleged leak of stealer logs archive (2GB, April 2026)
Category: Data Leak
Content: A threat actor known as blackcloud has made available a 2GB archive of stealer logs dated April 28, 2026 on the XF forum. The logs likely contain harvested credentials, cookies, and other sensitive data exfiltrated from victim machines via infostealer malware. No specific victim organization or country has been identified.
Date: 2026-04-28T05:46:43Z
Network: openweb
Published URL: https://xforums.st/threads/logs-fresh-2-gb-from-28-04-2026.610785/
Screenshots:
None
Threat Actors: blackcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged free distribution of Coruna iOS Exploit Kit (CryptoWaters) targeting iOS 13.0–17.2.1
Category: Data Leak
Content: A threat actor on Breached forums has made available an alleged iOS exploitation framework dubbed Coruna (also known as CryptoWaters), claimed to be a nation-state-grade modular toolkit comprising 23 exploits across 5 exploit chains targeting iOS versions 13.0 through 17.2.1. The framework purportedly delivers a 6-stage attack chain culminating in a payload called PlasmaLoader, designed for cryptocurrency wallet theft, seed phrase extraction, and financial data exfiltration from 18 wallet appl
Date: 2026-04-28T05:42:55Z
Network: openweb
Published URL: https://breached.st/threads/coruna-latest-version-ios-exploit-download-free-fire.86396/unread
Screenshots:
None
Threat Actors: Alexmipula
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Voney pharmacy loyalty platform affecting Indian pharmacists
Category: Data Breach
Content: Anonymous Switzerland claims to have gained unauthorized access to Voney's databases, a loyalty program platform serving Indian pharmacists. The threat actor claims to have extracted approximately 560MB of sensitive data including complete personal information (names, phone numbers, email addresses), banking details, financial transaction records, login credentials, contact lists, and behavioral data of pharmacists. The actor threatens to leak this data as a compressed file and uses the phrase "We neither forget nor forgive."
Date: 2026-04-28T05:26:46Z
Network: telegram
Published URL: https://t.me/Anonymous_Switzerland/174
Screenshots:
None
Threat Actors: Anonymous Switzerland
Victim Country: India
Victim Industry: Pharmaceutical/Healthcare
Victim Organization: Voney
Victim Site: Unknown
Alleged sale of webshells
Category: Initial Access
Content: Threat actor advertising webshell sales via direct message contact (@Lei_BF). Webshells are initial access tools used for unauthorized server compromise.
Date: 2026-04-28T05:22:26Z
Network: telegram
Published URL: https://t.me/c/2590737229/950
Screenshots:
None
Threat Actors: Lei_BF
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist of 146 alleged fresh Hotmail credentials via a free download link on pasteview.com. The post also promotes a Telegram-based private cloud storage service for credential lists, offered at tiered pricing. The actor appears to be actively distributing stolen Hotmail email credentials alongside monetizing a credential storage and inboxing service.
Date: 2026-04-28T05:17:04Z
Network: openweb
Published URL: https://crackingx.com/threads/73482/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged leak of corporate email credentials combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist containing approximately 51,360 corporate email and password credential pairs via a Mega.nz file sharing link. The post, shared on the cracking forum CrackingX, is titled as a 2026 corporate mail credential leak. No specific victim organization, industry, or country has been identified.
Date: 2026-04-28T04:38:42Z
Network: openweb
Published URL: https://crackingx.com/threads/73481/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Hotmail credentials combolist
Category: Data Leak
Content: A threat actor known as redcloud has made available a combolist of approximately 4,900 alleged valid Hotmail credentials on the AE – Combo List forum. The post, dated April 28, 2026, is described as private and ultra-high quality (UHQ), suggesting the credentials have been validated for active mail access. The actor provides a Telegram contact handle (@tutuba5m) and requires forum replies to access the hidden download link.
Date: 2026-04-28T04:37:52Z
Network: openweb
Published URL: https://altenens.is/threads/4-9k-high-voltagehotmailhigh-voltagevalid-mail-access-28-04.2930881/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
Alleged data leak of Podemos Brazilian political party
Category: Data Leak
Content: A threat actor operating under the alias m0z1ll4screw, along with their crew m0z1ll4s, claims to have exploited a vulnerability in PHP 7.4.33 to gain unauthorized access to the systems of Podemos, a Brazilian political party. The attacker allegedly extracted over 958,000 pieces of sensitive information and has made the data available for free download via a Gofile link. Contact was provided via a Telegram handle.
Date: 2026-04-28T04:27:57Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DOCUMENTS-%E2%AD%90podemos-org-br-Brazilian-political-party
Screenshots:
None
Threat Actors: m0z1ll4screw
Victim Country: Brazil
Victim Industry: Political Party
Victim Organization: Podemos
Victim Site: podemos.org.br
Alleged Data Breach of Movistar Peru Business Portal (empresas.movistar.com.pe)
Category: Data Breach
Content: A threat actor known as MDGhost claims to be offering a database allegedly sourced from empresas.movistar.com.pe, the B2B portal of Movistar Peru operated by Telefónica. The database purportedly contains approximately 4 million records in XLSX format, including full names, ID documents, dates of birth, phone numbers, payment types, service descriptions, city, and plan product details. The actor has provided a contact via Telegram under the handle The BlackH4t MD-Ghost.
Date: 2026-04-28T04:23:47Z
Network: openweb
Published URL: https://breached.st/threads/4-million-database-empresas-movistar-com-pe-telecom-company-in-peru.86395/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: Peru
Victim Industry: Telecommunications
Victim Organization: Movistar Peru (Telefónica)
Victim Site: empresas.movistar.com.pe
Alleged Data Leak of Instituto Registral y Catastral del Estado de Puebla (IRCEP) Documents
Category: Data Leak
Content: A threat actor known as Straightonumberone has leaked over 11,000 documents belonging to the Instituto Registral y Catastral del Estado de Puebla (IRCEP), a Mexican government property registry agency. The leaked files, spanning 2018 to 2025, include legal documents, property records, payment receipts, and citizen PII such as scanned IDs, predial account numbers, and property ownership details. Half of the documents were made available freely on the forum, with the remainder offered for sale v
Date: 2026-04-28T04:17:17Z
Network: openweb
Published URL: https://darkforums.su/Thread-Document-Mexico-Instituto-Registral-y-Catastral-del-Estado-de-Puebla-IRCEP-11-269-files
Screenshots:
None
Threat Actors: Straightonumberone
Victim Country: Mexico
Victim Industry: Government
Victim Organization: Instituto Registral y Catastral del Estado de Puebla (IRCEP)
Victim Site: Unknown
Alleged Credential Checker Service for RobinHood Accounts via Telegram Bot
Category: Services
Content: A threat actor is advertising a Telegram-based automated credential checking service targeting RobinHood brokerage accounts, operated via the bot @goycaller_bot. The service offers fast scanning of credential lists at $0.0003 per line, with multiple scan modes, job control commands, and a referral bonus program. This tool is designed to validate stolen credentials against RobinHood accounts at scale.
Date: 2026-04-28T04:13:54Z
Network: openweb
Published URL: https://pwnforums.st/Thread-%E2%9C%85RobinHood-Checker-Fast-Scans-Telegram-Control-Drop-File-to-Scan
Screenshots:
None
Threat Actors: Kevinn
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: RobinHood
Victim Site: robinhood.com
Alleged leak of mixed forum credentials combolist
Category: Combo List
Content: A threat actor operating under the alias ValidMail has shared an alleged combolist containing 100,000 mixed credentials described as valid forum accounts. The post is hosted on the cracking forum CrackingX and requires registration or login to access the content. The specific targeted platforms or victim organizations cannot be determined due to restricted access to the post content.
Date: 2026-04-28T03:55:54Z
Network: openweb
Published URL: https://crackingx.com/threads/73479/
Screenshots:
None
Threat Actors: ValidMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of mixed valid email access credentials (69,400 records)
Category: Data Leak
Content: A threat actor known as redcloud has made available a combolist of approximately 69,400 mixed valid email credentials, described as private and ultra-high quality (UHQ). The list was shared for free on the AE forum with a reply-to-unlock mechanism, and the actor also references a Telegram contact (@tutuba5m). No specific victim organization or targeted domain has been identified, suggesting credentials may be aggregated from multiple sources.
Date: 2026-04-28T03:52:33Z
Network: openweb
Published URL: https://altenens.is/threads/69-4k-sparkles-mix-sparkles-valid-mail-access-28-04.2930877/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged doxxing bot service offering personal data lookup by national ID
Category: Malware
Content: Advertisement for an automated doxxing bot service that claims to provide instant access to personal information including full names, phone numbers, addresses, and locations using only a national ID number (cédula). The service is marketed as anonymous, available 24/7, and operating with a constantly updated database. Contact information provided via Telegram handle @la_kabra_666.
Date: 2026-04-28T03:44:08Z
Network: telegram
Published URL: https://t.me/ironatlas_organization/132
Screenshots:
None
Threat Actors: la_kabra_666
Victim Country: Philippines
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of Wells Fargo Bank with 4.6 Million Customer Records
Category: Data Breach
Content: A threat actor operating under the alias RubiconH4ck is claiming to sell a database containing 4.6 million records allegedly belonging to Wells Fargo customers. The data reportedly includes full names, email addresses, physical addresses, PINs, and phone numbers, purportedly updated between 2024 and 2026. The actor is offering samples via Telegram and is open to negotiations to withhold the data from further distribution in exchange for payment.
Date: 2026-04-28T03:43:18Z
Network: openweb
Published URL: https://breached.st/threads/4-6-million-wels-fargo-bank-data.86394/unread
Screenshots:
None
Threat Actors: RubiconH4ck
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Wells Fargo
Victim Site: wellsfargo.com
- Alleged leak of stealer logs distributed via file hosting platform
Category: Logs
Content: A threat actor known as MrKordy has made available a collection of stealer logs on a dark web forum, claiming the data is fresh and of ultra-high quality (UHQ) as of April 27, 2026. The logs are being distributed for free via a Gofile link. Stealer logs typically contain credentials, browser-saved passwords, cookies, and other sensitive data harvested by information-stealing malware.
Date: 2026-04-28T03:38:31Z
Network: openweb
Published URL: https://darkforums.su/Thread-STEALER-LOGS-%E2%AD%90%EF%B8%8FUHQ-FRESH-%E2%AD%90%EF%B8%8FFROM-27-4-2026%E2%AD%90%EF%B8%8F
Screenshots:
None
Threat Actors: MrKordy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged fraudulent SEC company registration and filing service offered on dark web forum
Category: Initial Access
Content: A threat actor operating under the alias GetRenewed is selling a fraudulent company registration and SEC filing service for $25,000. The service includes registering a shell company in the U.S. and filing it with the SEC's EDGAR system, creating a legitimate-looking regulated business entity. The actor also offers company registration in 60+ countries and EU nominee accounts starting at $4,500, suggesting a broader financial fraud and money laundering operation.
Date: 2026-04-28T03:36:50Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-%F0%9F%87%BA%F0%9F%87%B8-Company-Registration-and-Filing-with-the-SEC-USA
Screenshots:
None
Threat Actors: GetRenewed
Victim Country: United States
Victim Industry: Financial Services / Regulatory
Victim Organization: U.S. Securities and Exchange Commission (SEC/EDGAR)
Victim Site: sec.gov
- Alleged Data Breach of FGA – Fondo de Garantías Antioquia (EmergiaCC)
Category: Data Breach
Content: Threat actors Petro_Escobar and NyxarGroup are selling a database allegedly obtained from FGA (Fondo de Garantías Antioquia), a Colombian credit guarantee fund supporting individuals and microentrepreneurs. The dataset contains approximately 5,000 records including full names, national ID numbers, phone numbers, addresses, credit obligation details, overdue amounts, payment statuses, and days in arrears. The data appears to originate from a debt management or collections system used by FGA.
Date: 2026-04-28T03:36:12Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-EmergiaCC-FONDO-DE-GARANTIAS-ANTIOQUIA
Screenshots:
None
Threat Actors: Petro_Escobar
Victim Country: Colombia
Victim Industry: Financial Services
Victim Organization: Fondo de Garantías Antioquia (FGA)
Victim Site: fga.com.co
- Alleged Ransomware Data Leak by Nova Ransomware Group Targeting Multiple Organizations Across Multiple Countries
Category: Data Leak
Content: Nova Ransomware's Leak Spread Department (BlackAds), operated under the alias ShameLeak, has publicly leaked data from at least five organizations across Brazil, the United States, Indonesia, and Poland as retaliation for refusing to comply with ransom demands. Victims include VX Case (vxcase.com.br, 1TB), Wolf Technology Group (100GB), Electrical Resource International (15GB), Pemkab Bojonegoro (4GB), and M&K Foam Koło (mkfoam.pl, 60GB). The group also advertises an affiliate program, invitin
Date: 2026-04-28T03:35:14Z
Network: openweb
Published URL: https://darkforums.su/Thread-Document-Nova-Ransomware-Leakspread-Department-BlackAds
Screenshots:
None
Threat Actors: ShameLeak
Victim Country: Multiple
Victim Industry: Multiple
Victim Organization: Multiple
Victim Site: Multiple
- Alleged leak of approximately 4,000 compromised camera access credentials
Category: Data Leak
Content: A threat actor known as NearLeVrai claims to have hacked approximately 4,000 cameras and made access details freely available via a file-sharing link. The actor acknowledges that not all camera accesses may still be active. No specific geographic region, organization, or industry has been identified as the victim.
Date: 2026-04-28T03:34:35Z
Network: openweb
Published URL: https://darkforums.su/Thread-cameras-acces
Screenshots:
None
Threat Actors: NearLeVrai
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Data Breach of IngressoLive Brazilian Ticketing Platform
Category: Data Breach
Content: A threat actor known as mastermind has made available an alleged database dump from IngressoLive, a Brazilian online ticketing platform. The exposed data reportedly contains approximately 106,000 records including buyer names, email addresses, payment form details, payment status, order values, commissions, and transaction-related financial data. The database appears to contain structured financial and transactional records tied to event ticket purchases made through the platform.
Date: 2026-04-28T03:33:42Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-ingressolive-com-106k
Screenshots:
None
Threat Actors: mastermind
Victim Country: Brazil
Victim Industry: Entertainment & Ticketing
Victim Organization: IngressoLive
Victim Site: ingressolive.com
- Alleged Data Leak of Student Database from SMAN 1 Malang (sman1-mlg.sch.id)
Category: Data Leak
Content: A threat actor operating under the alias treixnox has freely distributed a database dump containing over 2,000 records belonging to students of SMAN 1 Malang, an Indonesian public high school. The leaked data is highly sensitive and includes full names, national identification numbers (NIK), national student IDs (NISN), dates and places of birth, home addresses with geolocation coordinates, contact numbers, family card numbers, parental information including income levels, and financial detail
Date: 2026-04-28T03:33:03Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-leak-database-from-sman1-mlg-sch-id-All-Document-infromation
Screenshots:
None
Threat Actors: treixnox
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: SMAN 1 Malang
Victim Site: sman1-mlg.sch.id
- Alleged leak of Robinhood user email list
Category: Data Leak
Content: A threat actor on a cybercrime forum made available a claimed list of over 300 cleaned and verified email addresses associated with Robinhood accounts. The data is described as targeting financial and crypto accounts and is intended for use in credential checking, balance verification, or KYC data harvesting. The list includes emails from Gmail, Yahoo, Outlook, and custom domains.
Date: 2026-04-28T03:19:58Z
Network: openweb
Published URL: https://pwnforums.st/Thread-COLLECTION-LEAK-HQ-CLEANED-ROBINHOOD-EMAILS-FRESH-DUMP
Screenshots:
None
Threat Actors: Kevinn
Victim Country: United States
Victim Industry: Financial Services
Victim Organization: Robinhood
Victim Site: robinhood.com
- Alleged leak of Hotmail credential combolist with inboxer tool
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist containing 146 Hotmail credentials via a public paste site and a Telegram channel. The post claims the credentials have been validated with a built-in inboxer, suggesting the accounts are active. The actor also advertises a paid private cloud service offering additional combolists at tiered pricing.
Date: 2026-04-28T03:12:16Z
Network: openweb
Published URL: https://crackingx.com/threads/73477/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Website Defacement of MyRoadPay by m4ul1337 (BABAYO ERROR SYSTEM)
Category: Defacement
Content: On April 28, 2026, the website www.myroadpay.com, a road payment or toll processing service, was defaced by threat actor m4ul1337 operating under the group BABAYO ERROR SYSTEM. The attack targeted the homepage in a single-site defacement operation. No specific motivation or technical details were disclosed.
Date: 2026-04-28T03:04:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915351
Screenshots:
None
Threat Actors: m4ul1337, BABAYO ERROR SYSTEM
Victim Country: Unknown
Victim Industry: Financial Services / Payment Processing
Victim Organization: MyRoadPay
Victim Site: www.myroadpay.com
- Alleged Credential Scanning Service RhScan Bot Advertised via Telegram
Category: Services
Content: A threat actor operating as Kevinn is advertising a Telegram-based credential checking service called RhScan Bot (via @goycaller_bot), marketed as RobinHood VM Checker. The service offers automated credential list scanning with multiple speed tiers, priced at $0.0003 per line, controlled entirely through Telegram bot commands. The tool is designed to validate credential lists at scale, supporting file uploads, reruns for accuracy, and a referral credit system.
Date: 2026-04-28T02:49:31Z
Network: openweb
Published URL: https://pwnforums.st/Thread-RhScan-Bot-Fast-Scans-Telegram-Control-Drop-File-to-Scan
Screenshots:
None
Threat Actors: Kevinn
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Sale of VoIP Spoofing and Caller ID Fraud Service (GoyCall)
Category: Initial Access
Content: A threat actor operating under the alias Kevinn is selling a premium VoIP spoofing service called GoyCall, which offers caller ID spoofing across 200+ countries, voice changing capabilities, and verified caller ID bypass for banks, exchanges, and Google. The service supports multiple dialer types including web, P1, and auto-dialers with 3CX/Asterisk/FreePBX PBX integration, and accepts cryptocurrency payments. This infrastructure is consistent with tools used in vishing campaigns, social engin
Date: 2026-04-28T02:41:39Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-GoyCall-Routes-Web-Dialer-Voice-Changer-Crypto-Top-Up
Screenshots:
None
Threat Actors: Kevinn
Victim Country: Unknown
Victim Industry: Telecommunications
Victim Organization: Unknown
Victim Site: goycall.com
- Alleged leak of UK Yahoo credential combolist
Category: Data Leak
Content: A threat actor on PwnForums has made available a combolist of alleged high-quality UK Yahoo email and password credentials targeting yahoo.co.uk accounts. The post describes the combos as freshly dumped and verified, suitable for credential stuffing or account takeover campaigns. The actual sample data is locked behind a points paywall, and the total record count is not disclosed.
Date: 2026-04-28T02:40:08Z
Network: openweb
Published URL: https://pwnforums.st/Thread-COLLECTION-HQ-UK-YAHOO-COMBOS-FRESH-DUMP
Screenshots:
None
Threat Actors: Kevinn
Victim Country: United Kingdom
Victim Industry: Technology
Victim Organization: Yahoo
Victim Site: yahoo.co.uk
- Alleged Data Leak of Brazilian Civil Defense Agency Database (defesacivil.am.gov.br)
Category: Data Leak
Content: A threat actor has publicly shared a database allegedly exported from defesacivil.am.gov.br, the civil defense agency of Amazonas state, Brazil. The leaked data reportedly contains SSNs, email addresses, and other personal information, which was accessible in plaintext via a publicly exposed endpoint. The actor claims the data was obtained opportunistically and is being distributed for free with no financial motive.
Date: 2026-04-28T02:38:33Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-defesacivil-am-gov-br-database
Screenshots:
None
Threat Actors: unico
Victim Country: Brazil
Victim Industry: Government
Victim Organization: Defesa Civil do Amazonas
Victim Site: defesacivil.am.gov.br
- Alleged EBT Cashout Scheme Seeking Bulk Stolen Benefits Data
Category: Carding
Content: A threat actor operating under the alias tecat39051 is soliciting bulk Electronic Benefits Transfer (EBT) data for cashout purposes, directing interested parties to contact them via Telegram at @ebtpundit. This activity is indicative of government benefits fraud, where stolen EBT credentials or account data are monetized through unauthorized cash withdrawals. The post suggests coordination with spammers who likely obtain EBT account data through phishing or credential theft campaigns.
Date: 2026-04-28T02:26:45Z
Network: openweb
Published URL: https://altenens.is/threads/i-need-bulk-ebt-for-cashout-any-spammer-here-reach-me-on-tele-ebtpundit.2930866/unread
Screenshots:
None
Threat Actors: tecat39051
Victim Country: United States
Victim Industry: Government Benefits / Social Services
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of 1.3 million URL:login:password credentials
Category: Combo List
Content: A threat actor known as WashingtonDC has made available a combolist containing approximately 1.3 million URL, login, and password combinations via a MediaFire download link. The post was shared on the cracking forum CrackingX on April 28th. No specific victim organization or country is identified, suggesting the credentials may be aggregated from multiple sources.
Date: 2026-04-28T01:55:12Z
Network: openweb
Published URL: https://crackingx.com/threads/73473/
Screenshots:
None
Threat Actors: WashingtonDC
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged leak of Hotmail credentials combolist
Category: Combo List
Content: A threat actor operating under the alias noir has made available a combolist containing 1,410 allegedly valid Hotmail credentials on a cracking forum. The post claims the credentials are UHQ (ultra high quality) and valid, with references to private cloud storage. The actor is promoting their Telegram handle (@noiraccesss) alongside the free download.
Date: 2026-04-28T01:54:33Z
Network: openweb
Published URL: https://crackingx.com/threads/73474/
Screenshots:
None
Threat Actors: noir
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of German shopping-targeted credential combolist
Category: Combo List
Content: A threat actor operating under the alias HQcomboSpace has made available a combolist of approximately 916,737 lines on a cracking forum, targeting German shopping platforms. The credential list is described as high-quality (HQ) and is being distributed for free via a Mega.nz link. No specific victim organization or domain has been identified.
Date: 2026-04-28T01:54:02Z
Network: openweb
Published URL: https://crackingx.com/threads/73475/
Screenshots:
None
Threat Actors: HQcomboSpace
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of stolen payment cards, dumps, EBT cards, checks, and carding methods
Category: Carding
Content: A threat actor operating under the alias iumyk5 is advertising stolen credit cards with high balances, magnetic stripe dumps (Track 1/Track 2, with and without PINs), EBT card dumps, clone cards, checks, and bank logs across multiple contact channels including Telegram, Signal, WhatsApp, and Gmail. The actor claims to offer both 101 (non-EMV) and 201 (EMV) dump types suitable for online shopping, payment fraud, and cashout operations. Contact details provided include a Telegram handle (@kaiotp
Date: 2026-04-28T01:53:57Z
Network: openweb
Published URL: https://demonforums.net/Thread-BEST-CC-DUMPS-EBT-CHECKS-METHOD–202007
Screenshots:
None
Threat Actors: iumyk5
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged Leak of Hotmail Credential Combolist
Category: Combo List
Content: A threat actor known as snowstormxd has made available a combolist containing 146 alleged Hotmail credentials described as Ultra High Quality (UHQ). The post includes a free download link and claims the accounts have been pre-verified via a built-in inboxer tool. The actor also advertises a paid private cloud service offering additional credential drops.
Date: 2026-04-28T01:16:16Z
Network: openweb
Published URL: https://crackingx.com/threads/73472/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: hotmail.com
- Alleged leak of approximately 4,000 compromised camera feeds
Category: Data Leak
Content: A threat actor on Breached forums claims to have hacked approximately 4,000 cameras and made access details freely available via an external file-sharing link. The actor acknowledges that not all camera feeds may still be active. No specific organizations, regions, or industries have been identified as victims.
Date: 2026-04-28T01:04:19Z
Network: openweb
Published URL: https://breached.st/threads/camera-acces.86393/unread
Screenshots:
None
Threat Actors: nearlevrai
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Alleged sale of secret documents collection by threat actor klodi666
Category: Data Breach
Content: A threat actor operating under the alias klodi666 is selling a self-described complete collection of secret documents on the AE – Leaked Databases forum for a fixed price of $1,000 USD. The seller accepts PayPal and Bitcoin as payment methods and can be contacted via WhatsApp (+355 699 149 691) or email ([email protected]). No details regarding the origin, volume, or specific nature of the documents have been disclosed, making victim attribution and data classification unclear.
Date: 2026-04-28T00:29:45Z
Network: openweb
Published URL: https://altenens.is/threads/document-collection-for-sale.2930843/unread
Screenshots:
None
Threat Actors: klodi666
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Redefacement of DC Motor India by Threat Actor YIIX103
Category: Defacement
Content: Threat actor YIIX103, operating independently without a team affiliation, carried out a redefacement of the Indian motor manufacturing website dcmotorindia.com, targeting a specific PHP file (yo.php). This marks at least a second defacement of the same target, indicating persistent interest or opportunistic exploitation of an unpatched vulnerability. No specific motive or proof-of-concept details were disclosed for this incident.
Date: 2026-04-28T00:18:33Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915324
Screenshots:
None
Threat Actors: YIIX103
Victim Country: India
Victim Industry: Manufacturing / Automotive Parts
Victim Organization: DC Motor India
Victim Site: www.dcmotorindia.com
- Alleged doxxing bot service offering personal data extraction
Category: Malware
Content: Threat actor advertising an automated doxxing bot that claims to extract personal information including full names, phone numbers, addresses, and locations using only a national ID number (cédula). The service is marketed as anonymous, available 24/7, and operating on a constantly updated database. Contact information provided via Telegram handle @la_kabra_666.
Date: 2026-04-28T00:17:45Z
Network: telegram
Published URL: https://t.me/c/3518294966/132
Screenshots:
None
Threat Actors: la_kabra_666
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
- Website Redefacement of Ashwamegh Industries by YIIX103
Category: Defacement
Content: The threat actor YIIX103, operating independently without a known team affiliation, conducted a redefacement of the Ashwamegh Industries website on April 28, 2026. This incident marks a repeated compromise of the target, indicating persistent or recurring access to the web infrastructure. The defacement was not classified as a mass or homepage defacement, suggesting a targeted sub-page was altered.
Date: 2026-04-28T00:16:50Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915331
Screenshots:
None
Threat Actors: YIIX103
Victim Country: India
Victim Industry: Manufacturing / Industrial
Victim Organization: Ashwamegh Industries
Victim Site: www.ashwameghindustries.com
- Website Redefacement of Kuldevi Engineers by Threat Actor YIIX103
Category: Defacement
Content: Threat actor YIIX103, operating without a team affiliation, conducted a redefacement of the Kuldevi Engineers website on April 28, 2026. This incident marks at least a second compromise of the target domain, indicating persistent targeting or inadequate remediation following a prior defacement. The attack was not classified as a mass or homepage defacement, suggesting a targeted intrusion of a specific web path.
Date: 2026-04-28T00:15:17Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915317
Screenshots:
None
Threat Actors: YIIX103
Victim Country: India
Victim Industry: Engineering / Manufacturing
Victim Organization: Kuldevi Engineers
Victim Site: www.kuldeviengineers.com
- Mass Defacement of SK Weighbridge by Threat Actor YIIX103
Category: Defacement
Content: Threat actor YIIX103 conducted a mass defacement campaign targeting www.skweighbridge.in, compromising a specific page (yo.php) on the Indian weighbridge company's website. The incident, recorded on April 28, 2026, is classified as a mass defacement, suggesting multiple sites were targeted simultaneously. No specific motivation or proof of concept was disclosed by the attacker.
Date: 2026-04-28T00:14:16Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248706
Screenshots:
None
Threat Actors: YIIX103
Victim Country: India
Victim Industry: Manufacturing / Industrial Equipment
Victim Organization: SK Weighbridge
Victim Site: www.skweighbridge.in
- Website Redefacement of Advance Bird Net Services by YIIX103
Category: Defacement
Content: The website of Advance Bird Net Services was defaced by threat actor YIIX103 operating independently without a team affiliation. This incident is classified as a redefacement, indicating the site had been previously compromised and defaced before. No specific motive, proof of concept, or server details were disclosed in connection with this attack.
Date: 2026-04-28T00:13:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915333
Screenshots:
None
Threat Actors: YIIX103
Victim Country: Unknown
Victim Industry: Agriculture / Wildlife Services
Victim Organization: Advance Bird Net Services
Victim Site: www.advancebirdnetservices.com
- Website Defacement of Nutrack Modular System by YIIX103
Category: Defacement
Content: On April 28, 2026, a threat actor identified as YIIX103 defaced the website of Nutrack Modular System, an Indian modular systems company, targeting the file yo.php. The incident was a single-target, non-mass defacement with no stated motivation recorded. Server and infrastructure details were not disclosed in the available intelligence.
Date: 2026-04-28T00:07:06Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915308
Screenshots:
None
Threat Actors: YIIX103
Victim Country: India
Victim Industry: Manufacturing / Modular Systems
Victim Organization: Nutrack Modular System
Victim Site: nutrackmodularsystem.in
- Website Defacement of Royal Air Component by YIIX103
Category: Defacement
Content: On April 28, 2026, threat actor YIIX103 defaced the website royalaircomponent.com by compromising the file yo.php. The attack was a targeted, non-mass defacement conducted by an individual acting without an affiliated team. Server and infrastructure details were not disclosed in the available intelligence.
Date: 2026-04-28T00:04:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/915306
Screenshots:
None
Threat Actors: YIIX103
Victim Country: Unknown
Victim Industry: Aviation / Aerospace
Victim Organization: Royal Air Component
Victim Site: royalaircomponent.com
- Alleged sale of Hotmail and multi-platform credential combolists across multiple countries
Category: Combo List
Content: Seller offering private cloud Hotmail UHQ (ultra high quality) combolists and credentials for multiple countries (DE, FR, IT, BR, UK, US, JP, PL, RU, ES, NL, MX, CA, SG). Also advertising access to credentials for kleinanzeigen, eBay, Reddit, Poshmark, Depop, Walmart, and Amazon. Seller claims ability to verify credentials against buyer keywords. Targeting serious buyers only.
Date: 2026-04-28T00:01:07Z
Network: telegram
Published URL: https://t.me/c/2613583520/71066
Screenshots:
None
Threat Actors: Wěilóng
Victim Country: Unknown
Victim Industry: Technology/E-commerce/Email Services
Victim Organization: Unknown
Victim Site: Unknown