[July-01-2025] Daily Cybersecurity Threat Report

I. Executive Summary

This report provides a high-level overview of critical cybersecurity incidents reported within the last 24 hours, highlighting key threat actors and emerging patterns. The observed events encompass various attack types, including data breaches and website defacements, with potential targeting of critical infrastructure. Analysis of these daily incidents allows for the immediate identification of shifts in adversary focus, whether it involves a new industry vertical or a resurgence of specific attack methodologies. This capability provides an early warning for strategic adjustments by security leadership, enabling organizations to reallocate resources, prioritize patching efforts, or update their threat models based on real-time, actionable intelligence. Such responsiveness moves an organization from a reactive stance to a more proactive and adaptive security posture.

II. Daily Incident Overview

This section presents a structured summary of all reported cybersecurity incidents, designed to facilitate rapid identification of key details for each event.

Summary of Reported Cybersecurity Incidents (Last 24 Hours)

Incident Name | Target Sector/Entity | Attack Type | Identified Threat Actor(s) | Primary Impact | Status | Published URL | Screenshots
Alleged Sale of Enterprise Access Logs Including Cisco, Fortinet, and Citrix | (not specified) | Initial Access | Stari4ok | Sale of untested logs with access to enterprise systems and remote access platforms (Cisco, Fortinet, Citrix, GlobalProtect, RDWeb, VPN endpoints). | Reported | https://forum.exploit.in/topic/261744/?do=findComment&comment=1578554 | https://d34iuop8pidsy8.cloudfront.net/6b7851b2-f0e9-4cc2-be79-80befdc14b5a.PNG
GARUDA ERROR SYSTEM targets the website of MD International school | md international school | Defacement | GARUDA ERROR SYSTEM | Website defacement. | Reported | https://t.me/c/2008069971/4232 | https://d34iuop8pidsy8.cloudfront.net/61013fa6-316e-48d1-87db-d0eb834c68ee.png
Alleged sale of an unknown Spanish consumer database | (not specified) | Data Leak | Rozo_rex | Sale of 1 million-line Spanish consumer database with emails, phone numbers, names, birth dates, addresses, nationality, and source details. | Reported | https://darkforums.st/Thread-Selling-1M-ES-Consumer-Database | https://d34iuop8pidsy8.cloudfront.net/80030e45-0f1f-44a7-abcd-414ae8f1a0c8.png
Alleged data sale of Reale Seguros Generales S.A. | reale seguros generales s.a. | Data Breach | hikaru | Sale of 1.2M+ records including customer IDs, names, NIF, DOB, address, phones, emails, payment methods, and bank details. | Reported | https://darkforums.st/Thread-Selling-Reale-Seguros-Spain | https://d34iuop8pidsy8.cloudfront.net/941efe6c-fc02-48c3-b2ce-bf2f4ec6fe1f.png, https://d34iuop8pidsy8.cloudfront.net/d9ad147a-c847-43af-91c9-0d03975451b6.png
Alleged data leak of Axis Bank | axis bank | Data Leak | Devil120 | Sale of leaked database (45 MB CSV) with sensitive customer information: full names, mobile numbers, email addresses, account IDs, ID numbers, KYC document types, residential addresses, and transaction values. | Reported | https://demonforums.net/Thread-axisbank-india | https://d34iuop8pidsy8.cloudfront.net/d52b812f-3fcb-4ef7-ae0a-6843965fe38e.PNG, https://d34iuop8pidsy8.cloudfront.net/d3972ea3-7809-40ff-97f2-70922d2f0854.PNG, https://d34iuop8pidsy8.cloudfront.net/ef6ce9e8-be6f-4582-8d2c-252838303114.PNG
Alleged data leak of MyCompassToday | mycompasstoday | Data Breach | Chap | Breach of MyCompassToday database. | Reported | https://darkforums.st/Thread-mycompasstoday-com-Breached | https://d34iuop8pidsy8.cloudfront.net/b2dd1f92-341e-4f0d-bd18-4deb11af44ad.png
Alleged Sale of Shell Access to a French Magento-based E-Commerce Store | (not specified) | Initial Access | Zimmer | Sale of unauthorized shell access to a Magento-based e-commerce store in France, including monthly order statistics. | Reported | https://forum.exploit.in/topic/261742/?do=findComment&comment=1578546 | https://d34iuop8pidsy8.cloudfront.net/6227116d-08a4-4d1c-a169-518a909f6758.PNG
Cyber Jihad Movement claims to target LeMan Magazine | leman | Alert | Cyber Jihad Movement | Targeting of LeMan Magazine. | Reported | https://t.me/CyberJihadMovement/174 | https://d34iuop8pidsy8.cloudfront.net/46d96eb4-2818-4ad9-b257-09cf94a88ca4.png
Alleged data leak of German Citizens | (not specified) | Data Leak | RL96 | Leak of 900 records (.txt, 251 KB) including full names, email addresses, phone numbers, addresses, birthdates, device details, purchase info, bank account numbers, IBANs, BICs. | Reported | https://leakbase.la/threads/900-germany-iban-imei.39906/ | https://d34iuop8pidsy8.cloudfront.net/b21ca406-3916-4175-8ab7-e06cfc97733f.png
Alleged Data Leak of Singapore citizens | (not specified) | Data Leak | RL96 | Leak of approximately 40,000 individuals’ data (CSV, 4.77 MB) including PII such as names, email addresses, phone numbers, ZIP codes, billing and shipping addresses, dates of birth, gender. | Reported | https://leakbase.la/threads/singapore-database-40k.39904/ | https://d34iuop8pidsy8.cloudfront.net/9e21000c-9229-4b4e-8f80-9c0726adc238.PNG, https://d34iuop8pidsy8.cloudfront.net/521d87fe-d3e7-41ef-923d-ddb98e669f21.PNG
Alleged data leak from Ctrip travel agent interface of March 2025 | ctrip | Data Breach | heiwukoong | Leak of 7.5 million records from Ctrip travel agent interface including names, IDs, contact info, birthdays, addresses, and other personal details. | Reported | https://darkforums.st/Thread-Selling-Travel-Agent-Database-Leak-March-2025-Data-Source-Ctrip-Co-operative-Interface | https://d34iuop8pidsy8.cloudfront.net/0e1f25c8-797f-4937-bb1d-fe7b1e71a8cd.png, https://d34iuop8pidsy8.cloudfront.net/18040f22-0358-4308-9a2e-460b311ff8f0.png
Alleged data sale of JP Morgan | jpmorgan chase & co. | Data Breach | mr_x1 | Sale of 4.3GB database allegedly containing JP Morgan USA customer data from 2025, including full names, SSNs, emails, addresses, bank details, and other sensitive personal and financial information. | Reported | https://leakbase.la/threads/jp-morgan-usa-2025.39902/ | https://d34iuop8pidsy8.cloudfront.net/2199c4b7-7cf6-4cf8-90f6-346288aa6b50.png
Alleged data sale of EveryCoin | everycoin | Data Leak | Shinchan | Sale of 20K row EveryCoin data including first name, last name, email, phone, country, money balance, sell count, buy count, source and last login. | Reported | https://darkforums.st/Thread-Selling-CRYPTO-20K-EVERYCOIN-DATA-PERSONAL-CRYPTO-USA | https://d34iuop8pidsy8.cloudfront.net/86317c80-1b9d-4491-baeb-d19c754a681d.png, https://d34iuop8pidsy8.cloudfront.net/314db337-f408-4e98-9630-70689361dc06.png
Alleged leak of GitHub credentials | github | Combo List | denisfilippov01 | Leak of 210,000 GitHub credentials (CSV) compiled from various combolists, including domain names, login usernames, and passwords. | Reported | https://leakbase.la/threads/github-lp-210k.39901/ | https://d34iuop8pidsy8.cloudfront.net/1df00e69-81c1-477c-9a35-ea20d2fbe5ae.png
Alleged data leak from Binance and Ledger Crypto Platforms | (not specified) | Data Leak | topsteppajustb2 | Leak of data involving 1.2 million Binance leads and 272,000 Ledger customers, including personal and potentially sensitive user information. | Reported | https://leakbase.la/threads/1-2m-binance-leads-and-272k-ledger-customers-info.39900/ | https://d34iuop8pidsy8.cloudfront.net/edeafaf6-0dc6-4547-9053-f8455fce7a39.png
Alleged sale of Israeli WhatsApp Data | (not specified) | Data Leak | PwnLilithX | Sale of 10 million Israeli WhatsApp user records. | Reported | https://darkforums.st/Thread-10-MILLION-ISRAELI-WHATSAPP-USERS-DATA | https://d34iuop8pidsy8.cloudfront.net/64c766de-2ccf-428e-b286-b6d6975d0c3d.png
Alleged unauthorized access to an unidentified temperature control system | (not specified) | Initial Access | Z-PENTEST ALLIANCE | Unauthorized access to an unidentified temperature control system. | Reported | https://t.me/Z_alliance_ru/304 | https://d34iuop8pidsy8.cloudfront.net/45bdc3bf-aef4-423e-8d65-3b3f50aa5813.png
Alleged database leak of Sarisské Bohdanovce municipality, Slovakia | sarisské bohdanovce municipality | Data Breach | YOGJASEC-XTEAM | Leak of database including usernames, passwords, and other sensitive municipal records. | Reported | https://t.me/c/2847753588/87 | https://d34iuop8pidsy8.cloudfront.net/9afce5fe-59e9-4ee3-b965-5c03ecac3c99.png
Alleged database leak of Memory4U | memory4u | Data Breach | YOGJASEC-XTEAM | Leak of user database including usernames, passwords, and other sensitive information collected from the site’s authorization form. | Reported | https://t.me/c/2847753588/84 | https://d34iuop8pidsy8.cloudfront.net/c3391287-9cf7-4da9-bbeb-13b819d584a4.png
Alleged data leak of Marek Palinský | marek palinský | Data Breach | YOGJASEC-XTEAM | Leak of database. | Reported | https://t.me/c/2847753588/89 | https://d34iuop8pidsy8.cloudfront.net/be5f8423-277a-4f8e-bc17-61f70a8c9241.png, https://d34iuop8pidsy8.cloudfront.net/fde73066-7727-4c10-b54d-18eddebee839.png
Alleged data leak of Domex Interier s.r.o. | domex interier s.r.o. | Data Breach | YOGJASEC-XTEAM | Leak of database. | Reported | https://t.me/c/2847753588/88 | https://d34iuop8pidsy8.cloudfront.net/bd3786d7-19a5-44bb-bdb1-9a4d3bf20afb.png, https://d34iuop8pidsy8.cloudfront.net/d7277040-53ab-4f3d-bc69-9c2cb967b06c.png
Alleged data leak of Police of the Republic of Indonesia | police of the republic of indonesia | Data Breach | FANZ88 | Leak of IP addresses and user agents associated with the Police of the Republic of Indonesia, including HTTP requests from Windows, Android, and iOS devices. | Reported | https://darkforums.st/Thread-Source-Code-IP-AND-USER-AGENT-POLICE-OF-THE-REPUBLIC-OF-INDONESIA | https://d34iuop8pidsy8.cloudfront.net/7fd88494-ea1a-4c60-b15a-3d5c444e128e.png
Alleged data breach of KWE Metals LLC | kwe metals llc | Data Breach | ZeroDayX | Leak of database and defacement of official website. | Reported | https://darkforums.st/Thread-Leak-Report-KWE-Metals-LLC-Ransomware-Attack-Data-Leak | https://d34iuop8pidsy8.cloudfront.net/7bb5ba1a-0ff1-426c-ad1a-f662831b9065.png
Alleged database leak of Verein Förderung Kärntner Arbeitsstiftungen | verein förderung kärntner arbeitsstiftungen | Data Breach | YOGJASEC-XTEAM | Leak of database including usernames, passwords, and other sensitive information. | Reported | https://t.me/c/2847753588/81 | https://d34iuop8pidsy8.cloudfront.net/48da4bd2-c6e9-4ff5-850b-d59f9f895559.PNG, https://d34iuop8pidsy8.cloudfront.net/1e1a2c82-790f-4ff3-b4e6-60c9ef6abf6b.PNG
Alleged data breach of PC-Net | pc-net | Data Breach | YOGJASEC-XTEAM | Leak of database. | Reported | https://t.me/c/2847753588/77 | https://d34iuop8pidsy8.cloudfront.net/8e046d28-0bf9-4c59-aa94-bd024217b15d.png
Alleged database leak of Kraken | kraken | Data Breach | YOGJASEC-XTEAM | Leak of database including usernames, passwords, and other sensitive information. | Reported | https://t.me/c/2847753588/78 | https://d34iuop8pidsy8.cloudfront.net/249b10be-388e-4608-aaeb-ea347f88ced7.PNG, https://d34iuop8pidsy8.cloudfront.net/9cc15124-fb52-419a-bdef-45ce083f7cde.PNG
Alleged data breach of Erntetechnik Wiesenhofer | erntetechnik wiesenhofer | Data Breach | YOGJASEC-XTEAM | Leak of database. | Reported | https://t.me/c/2847753588/76 | https://d34iuop8pidsy8.cloudfront.net/6f37cf81-04ff-4db0-ae23-a5f943d0b682.png, https://d34iuop8pidsy8.cloudfront.net/c9bb9745-bedf-4aef-92f7-1572cf7666d6.png
Alleged data breach of ÖGUT | ögut – austrian society for environment and technology | Data Breach | YOGJASEC-XTEAM | Leak of database. | Reported | https://t.me/c/2847753588/75 | https://d34iuop8pidsy8.cloudfront.net/a67b32d1-6254-49ca-a088-d1898cebccdf.png
Alleged database leak of ТзОВ “Наша Справа Аутдор” | тзов “наша справа аутдор” | Data Breach | YOGJASEC-XTEAM | Leak of database including usernames, passwords, and other sensitive information. | Reported | https://t.me/c/2847753588/74 | https://d34iuop8pidsy8.cloudfront.net/dbc10a6d-80d7-4c68-8c18-f70c4a4f714d.PNG, https://d34iuop8pidsy8.cloudfront.net/1333d23a-c833-43f1-b2d3-7965a22b7ab4.PNG
Alleged data breach of Solalbert Elektrotechnik e.U. | solalbert elektrotechnik e.u. | Data Breach | YOGJASEC-XTEAM | Leak of database. | Reported | https://t.me/c/2847753588/69 | https://d34iuop8pidsy8.cloudfront.net/417c4331-55de-4423-a841-5a99b580b731.png
Alleged database leak of Rfarm Co., Ltd. | rfarm co., ltd. | Data Breach | YOGJASEC-XTEAM | Leak of database including usernames, passwords, and other sensitive information. | Reported | https://t.me/c/2847753588/70 | https://d34iuop8pidsy8.cloudfront.net/db01d9de-203f-402b-a81d-e3e0663aa048.PNG, https://d34iuop8pidsy8.cloudfront.net/023d4bf3-3d45-4881-b154-4c73fd405e46.PNG
Alleged sale of unauthorized access to an unidentified Spanish medical clinic’s system | (not specified) | Initial Access | HuanEbashes | Sale of access to a Spanish clinic’s system containing sensitive medical data of over 6,000 individuals. | Reported | https://ramp4u.io/threads/%D0%BF%D1%80%D0%BE%D0%B4%D0%B0%D0%BC-%D0%B4%D0%BE%D1%81%D1%82%D1%83%D0%BF-%D0%BA-%D1%81%D0%B5%D1%82%D0%B8-%D0%BA%D0%BB%D0%B8%D0%BD%D0%B8%D0%BA-%D0%98%D1%81%D0%BF%D0%B0%D0%BD%D0%B8%D0%B8.3240/ | https://d34iuop8pidsy8.cloudfront.net/6c574ef4-e120-4e48-9317-2ca568357bda.png
Alleged data breach of Cozy Pension | cozypension.co.kr | Data Breach | YOGJASEC-XTEAM | Leak of database including usernames, passwords, and other sensitive data. | Reported | https://t.me/c/2847753588/71 | https://d34iuop8pidsy8.cloudfront.net/f29d2c5b-ddec-4eb9-84cf-f35f0d05cc84.png
Alleged data breach of multiple organizations in Indonesia | jackal holidays | Data Breach | flirt | Leak of a 2.1 million-record database from multiple Indonesian organizations (Jackal Holidays, Aragon Transport, AO group, KPM Trans, Semeru Trans, Rejeki Baru, Joglosemar Executive Shuttle Bus Yogyakarta, Kalisari, Antar Lintas Sumatera, Selamat Trans, Connex Shuttle, Karunia Bakti, Harum BSI, City Trans Utama, PO Riyan Transport, PO Sari Harum, SadyaTrans, Ztrans and M R Trans Logistics) including name, mobile number, email. | Reported | https://darkforums.st/Thread-Jackal-Holidays-19-others-Leaked-Download | https://d34iuop8pidsy8.cloudfront.net/b59919da-f3e0-40a6-bd42-ffc8ba22830a.JPG, https://d34iuop8pidsy8.cloudfront.net/8db93014-9516-47fd-84dd-3bb6a7be4bb7.JPG
Alleged data leak of Penduduk Boyolali | penduduk boyolali | Data Breach | newbiecybersecurity | Leak of personal info of residents including full names, emails, KTA numbers, phone numbers, regional details, and status. | Reported | https://darkforums.st/Thread-LEAKED-DATA-PENDUDUK-BOYOLALI-BY-NEWBIE-CYBER-SECURITY | https://d34iuop8pidsy8.cloudfront.net/6337bf77-b470-4709-ad48-573f2d103efb.png
Alleged data leak of 1 MILLION PERSONAL DOCTORS DATA | (not specified) | Data Leak | Shinchan | Sale of personal data of over 1 million U.S. doctors, including names, credentials, specialties, addresses, and phone numbers. | Reported | https://darkforums.st/Thread-Selling-USA-1-MILLION-PERSONAL-DOCTORS-DATA | https://d34iuop8pidsy8.cloudfront.net/e3dda71c-0d08-42df-8c86-4a4762133c74.png
Alleged data breach of PEJABAT STRUKTURAL RIAU KAB | pejabat struktural riau kab | Data Breach | FANZ88 | Sale of personal data including names, NIP (employee ID), departments, work units, job titles, and mobile phone numbers. | Reported | https://darkforums.st/Thread-DATA-PEJABAT-STRUKTURAL-RIAU-KAB | https://d34iuop8pidsy8.cloudfront.net/7396ce9f-09f0-4d09-86bc-1662d04e46f9.png, https://d34iuop8pidsy8.cloudfront.net/bb228db7-0526-47c0-bcb4-a6d67bd22be7.png
Alleged data breach of Marsa Maroc | marsamaroc.co.ma | Data Breach | darkMods | Leak of database sample containing full names and corporate email addresses of over 25 individuals. | Reported | https://darkforums.st/Thread-Document-MOROCCO-MarsaMaroc-database-sample-fullname-emails-no-passwords | https://d34iuop8pidsy8.cloudfront.net/f4ad959c-932c-40c2-be7a-9105573794cd.png, https://d34iuop8pidsy8.cloudfront.net/e67b7259-c833-4de7-90af-6e8601623e4d.png, https://d34iuop8pidsy8.cloudfront.net/6152dea6-1cac-40ee-ba64-6d1431ca23c6.png
Alleged data sale of Los Angeles Police Department | los angeles police department | Data Breach | Shinchan | Sale of personal data including employee names, ranks, serial numbers, hire dates, divisions, departments, supervisors, and facial photographs. | Reported | https://darkforums.st/Thread-Selling-USA-LAPD-PERSONAL-DATA-INFORMATION-WITH-ADVANCE-PHOTO | https://d34iuop8pidsy8.cloudfront.net/e4aa0b6c-61fb-4cdd-92bd-d143e9effdc3.png, https://d34iuop8pidsy8.cloudfront.net/e1e1f9ed-a2c5-4fb6-8df6-419ff6cd905a.png, https://d34iuop8pidsy8.cloudfront.net/186c1684-3a60-49bb-83fb-8887c1b6dd27.png, https://d34iuop8pidsy8.cloudfront.net/375e23e0-2fdb-415c-b546-36db95da3223.png
Alleged data breach of Tentara Nasional Indonesia Angkatan Udara (TNI-AU) | tentara nasional indonesia angkatan udara (tni-au) | Data Breach | newbiecybersecurity | Leak of database including hashed login credentials from the Air Force portal. | Reported | https://darkforums.st/Thread-LEAKED-TNI-BY-NEWBIE-CYBER-SECURITY | https://d34iuop8pidsy8.cloudfront.net/61ccfdf6-1958-4929-ba13-2bbfd5f2a082.png
Alleged database leak of Vietnamese national civil servants | (not specified) | Data Leak | Jack_back | Sale of leaked database containing personal information of 22 million Vietnamese national civil servants, including full name, ID card number, date of birth, phone number, address, job position, salary information, organizational unit, and work location. | Reported | https://darkforums.st/Thread-Vietnam-National-Civil-Servants | https://d34iuop8pidsy8.cloudfront.net/314e533d-421d-48d5-90c6-0206f1f97d91.png
Golden Falcon targets a greenhouse controller system in South Korea | (not specified) | Cyber Attack | Golden falcon | Cyberattack on a greenhouse controller system. | Reported | https://t.me/Golden_falcon_team/409 | https://d34iuop8pidsy8.cloudfront.net/22f24cfa-ced0-4a0f-b433-f91774e8129b.png, https://d34iuop8pidsy8.cloudfront.net/c50a23bc-0f5c-496b-b81b-c44f6794c7cf.png
Liwaa Muhammad targets the website of Abhitechindia | abhitechindia | Defacement | Liwaa Muhammad | Website defacement. | Reported | https://t.me/liwaamohammad/413 | https://d34iuop8pidsy8.cloudfront.net/f7309584-d028-4a25-abfd-86a7f9e34d9e.png, https://d34iuop8pidsy8.cloudfront.net/b28e9da3-92dd-48b3-b9e7-7945f381bfc3.png
Alleged data breach of DayTrans | day trans | Data Breach | flirt | Sale of breached database from an Indonesian ticketing provider, compromising DayTrans’ CRM and exposing over 940,000 user records containing names, phone numbers, emails, addresses, and travel history. | Reported | https://darkforums.st/Thread-DayTrans-Leaked-Download | https://d34iuop8pidsy8.cloudfront.net/37740bc8-d6b4-43bc-8475-0f5fcb4e199d.png, https://d34iuop8pidsy8.cloudfront.net/9c995c31-dd40-4a8e-91b3-8f9cd5714ebf.png
Alleged data breach of VGM Consultants Limited | vgm consultants limited | Data Breach | index | Sale of breached database (655,000 unique user records) containing highly detailed PII and financial information such as names, contact details, loan account information, banking data, EMI history. | Reported | https://darkforums.st/Thread-Selling-Vgmconsult-co-in-Database | https://d34iuop8pidsy8.cloudfront.net/a36be19a-b0d3-4fb8-b9ab-decf2e6f5cba.png, https://d34iuop8pidsy8.cloudfront.net/285a5a30-20ca-4372-b4e3-6f2bc7136098.png, https://d34iuop8pidsy8.cloudfront.net/db485201-3a1c-492f-9869-5bbcab0e12a6.png
Alleged sale of Citibank personal savings account database | citibank | Data Breach | Market Exchange | Sale of Citibank personal savings account dataset containing information on 630,000 customers, categorized by account fund levels. | Reported | http://mxxxxxxxs4uqwd6cylditj7rh7zaz2clh7ofgik2z5jpeq5ixn4ziayd.onion/pc/goods_view.php?parameter=db44DXMClttshsnbym0TcSWSVxMjKo_eLOXK6yoQMCAJpYTzFK341QnGkEGi3nPGO_knXP7TEM7jpSLVFgNbrnjVtn8E04aPAvVR4Dy6qMRRh79kIF6AvCgK-ONNn3aeKAYAHhcb4dWeJqtaOLjOMDWgM_YiUX_EtLG8DRzzc4hu7N8ljpzF-iOea24CWuR_IhOm7h6Ulwh_L_tKf1NPhYI | https://d34iuop8pidsy8.cloudfront.net/955f4df5-f2aa-42db-8d0d-9dcd63abd462.png
Alleged data breach of Porter | porter | Data Breach | index | Sale of leaked database (7,090,000 unique users) including personal and institutional information such as names, phone numbers, account number. | Reported | https://darkforums.st/Thread-Selling-Theporter-in-Database | https://d34iuop8pidsy8.cloudfront.net/d0ca9a8c-2c00-44f2-a827-a19126a8990f.JPG, https://d34iuop8pidsy8.cloudfront.net/68dc2a9a-aa06-4a57-91f1-f8bb5401a4b5.JPG
Alleged data breach of Universal Education | universal education | Data Breach | index | Sale of leaked database (82,400 unique users) including personal and institutional information such as names, phone numbers, email addresses, school names, mailing addresses, and job titles. | Reported | https://darkforums.st/Thread-Selling-Universal-edu-in-Database | https://d34iuop8pidsy8.cloudfront.net/ac1effb9-6ce4-43bd-bf83-4b48801b0c86.png
Alleged sale of RDP access to a law firm in the USA | (not specified) | Initial Access | rawmeat | Offer of RDP access to a U.S. law firm with domain admin rights, 35 hosts, and 2TB of data. | Reported | https://forum.exploit.in/topic/261730/ | https://d34iuop8pidsy8.cloudfront.net/b17eae7b-57d6-45b0-aa0d-b3aa66e086c9.png
Alleged Sale of Unauthorized Access to Multiple Organizations | (not specified) | Initial Access | mermele | Sale of unauthorized SSH access to multiple high-revenue organizations across various countries (Russia, South Korea, India, China). | Reported | https://forum.exploit.in/topic/261729/ | https://d34iuop8pidsy8.cloudfront.net/0f2d175b-72b6-4da1-8345-9beb87c30936.png, https://d34iuop8pidsy8.cloudfront.net/0fbd7629-f219-4e40-841d-ef38a56ab640.png
NXBB.SEC targets the website of Songkhla Provincial Private Education Office | songkhla provincial private education office | Defacement | NXBB.SEC | Website defacement. | Reported | https://t.me/nxbbsec/386 | https://d34iuop8pidsy8.cloudfront.net/4f47fe45-4cac-4029-a47a-e50c1b9f2d90.JPG
Alleged data breach of Oyo State Government | oyo state government | Data Breach | ryusense | Leak of 270,313 ID cards and 270,309 certificates from Oyo State Government. | Reported | https://darkforums.st/Thread-Locked-ID-card-certificate-oyostate-gov-ng | https://d34iuop8pidsy8.cloudfront.net/aa359c39-f008-442c-bc8a-5bd0806e1ba0.JPG, https://d34iuop8pidsy8.cloudfront.net/1f7b4b78-610c-4c32-b1af-a5129d1ad975.JPG
Alleged Sale of Unauthorized Access to Multiple Organizations | (not specified) | Initial Access | mermele | Sale of unauthorized SSH access to over 1,500 compromised servers across various countries, targeting companies, crypto platforms, online shops, and casinos. | Reported | https://forum.exploit.in/topic/261727/ | https://d34iuop8pidsy8.cloudfront.net/8a8aa34a-2321-4e48-b585-baa71824da8c.png
Alleged data breach of University of Pisa | university of pisa | Data Breach | MoonfrostTyrant | Sale of leaked database (15,000 to 17,000 students) including full names, email addresses, and phone numbers. | Reported | https://xss.is/threads/141001/ | https://d34iuop8pidsy8.cloudfront.net/64acabea-82c7-45bf-9eee-b67408149a6b.png
Alleged data breach of DINSOS KOTA CIREBON | dinsos kota cirebon | Data Breach | RXY | Leak of database containing personal information from the Cirebon public complaints system, including full names, family and national ID numbers, addresses, phone numbers, emails, and photos of KTPs. | Reported | https://darkforums.st/Thread-Source-Code-LEAK-DATA-BASE-PENGADUAN-MASYARAKAT-CIREBON-666 | https://d34iuop8pidsy8.cloudfront.net/dc703d80-f0d2-4526-abaf-ee44de731e9e.png
Alleged leak of Telegram database from multiple countries | (not specified) | Data Leak | namolesa | Leak of a Telegram user database containing 70 million records (1.87GB CSV) including user IDs, phone numbers, usernames, first names, and last names. | Reported | https://darkforums.st/Thread-%F0%9F%94%A5-Telegram-Database-70M-Records-2020%E2%80%932025-CSV | https://d34iuop8pidsy8.cloudfront.net/7adacdf3-dcdb-4dc0-89a2-0e0dfd3e2efd.png, https://d34iuop8pidsy8.cloudfront.net/cd1024ef-a349-4164-adf4-57d75a165211.png


The presentation of multiple incidents in a structured table provides a highly organized, digestible, and comparable format for rapid assessment. This approach enables quick side-by-side comparison of events based on criteria such as affected sectors or prevalent attack types. Essential information, including the identified threat actor and primary impact, is immediately visible, allowing for swift evaluation of severity and relevance. This serves as a concise reference point for readers who may wish to delve deeper into specific incidents. Furthermore, by presenting data uniformly, the table implicitly assists in discerning patterns across incidents. For instance, if multiple incidents reveal similar attack types, such as SQL injection or exposed Remote Desktop Protocol (RDP) exploitation, occurring across diverse targeted sectors, it suggests a widespread, actively exploited vulnerability or a favored TTP (Tactics, Techniques, and Procedures) by various threat actors. This indicates a broader, systemic risk rather than isolated events. As noted in external intelligence, exposed RDP services are indeed actively targeted by adversaries to deploy ransomware.1 Therefore, observing such a pattern across different industries would highlight a common entry point that adversaries are successfully leveraging, necessitating immediate attention to RDP security across an organization’s entire infrastructure.

III. Incident Deep Dive & Threat Actor Analysis

This section provides detailed context for each identified incident and its associated threat actor(s), offering comprehensive and actionable intelligence derived from extensive research. A threat actor, also commonly referred to as a threat group, adversary, or hacking team, is a human entity that executes actions with malicious intent. This entity can be a single person, a private company, or part of a government organization. The cybersecurity industry often employs varied and sometimes inconsistent naming conventions for these groups.2

Incident Title: Alleged Sale of Enterprise Access Logs Including Cisco, Fortinet, and Citrix

Summary of Event

The threat actor claims to be selling a package of untested logs allegedly containing access to various enterprise systems and remote access platforms. The pack includes entries related to Cisco (11,530), Fortinet (1,473), Citrix (863), GlobalProtect login portals (344), RDWeb (35), and VPN endpoints (1,465), among others.

Threat Actor Profile: Stari4ok

While specific detailed profiles for “Stari4ok” are not extensively documented in the available research, the term “threat actor” generally refers to a human entity, whether an individual, a private company, or a government organization, that carries out malicious actions.2 The cybersecurity industry often uses varied and sometimes inconsistent naming conventions for these groups.2 Threat actor profiles typically provide a comprehensive understanding of specific actors, including their tactics, techniques, and procedures (TTPs), motives, and potential impact.3 Monitoring dark web mentions of an organization’s name and assets in cybercriminal channels and forums is a common practice to identify threats.4 The dark web is a part of the internet accessible only through special browsers such as Tor, where users can remain anonymous, and it is often used for illegal activities such as data sales.5
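The pattern analysis described for the incident table (attack types recurring across unrelated sectors, prolific actors, which remote-access services appear in initial-access listings) and the asset monitoring described above can be reduced to a small triage routine over the feed. The block below is an added example written for this report, not tooling from the original page or from any vendor; the incident records are a handful of rows copied from the table above, the watchlist entries are constructed placeholders, the attack-type aliases and the list of remote-access terms are assumptions, and the thresholds are arbitrary defaults.

```python
"""Triage helper for a daily incident feed (added example, not the report's own code)."""
import re
from collections import Counter, defaultdict

# Constructed sample records in the same column layout as the report's table
# (a subset of the rows above; the report's full feed would be loaded from JSON).
INCIDENTS = [
    {"incident": "Alleged database leak of Kraken", "target": "kraken",
     "attack_type": "Data Breach", "actor": "YOGJASEC-XTEAM",
     "impact": "Leak of database including usernames, passwords, and other sensitive information."},
    {"incident": "Alleged data breach of PC-Net", "target": "pc-net",
     "attack_type": "Data Breach", "actor": "YOGJASEC-XTEAM", "impact": "Leak of database."},
    {"incident": "Alleged database leak of Rfarm Co., Ltd.", "target": "rfarm co., ltd.",
     "attack_type": "Data Breach", "actor": "YOGJASEC-XTEAM",
     "impact": "Leak of database including usernames, passwords, and other sensitive information."},
    {"incident": "Alleged sale of RDP access to a law firm in the USA", "target": "",
     "attack_type": "Initial Access", "actor": "rawmeat",
     "impact": "Offer of RDP access to a U.S. law firm with domain admin rights, 35 hosts, and 2TB of data."},
    {"incident": "Alleged Sale of Unauthorized Access to Multiple Organizations", "target": "",
     "attack_type": "Initial Access", "actor": "mermele",
     "impact": "Sale of unauthorized SSH access to over 1,500 compromised servers across various countries."},
    {"incident": "Alleged Sale of Enterprise Access Logs Including Cisco, Fortinet, and Citrix", "target": "",
     "attack_type": "Initial Access", "actor": "Stari4ok",
     "impact": "Sale of untested logs with access to enterprise systems and remote access platforms "
               "(Cisco, Fortinet, Citrix, GlobalProtect, RDWeb, VPN endpoints)."},
    {"incident": "Alleged leak of GitHub credentials", "target": "github",
     "attack_type": "Combo List", "actor": "denisfilippov01",
     "impact": "Leak of 210,000 GitHub credentials (CSV) compiled from various combolists."},
    {"incident": "Liwaa Muhammad targets the website of Abhitechindia", "target": "abhitechindia",
     "attack_type": "Defacement", "actor": "Liwaa Muhammad", "impact": "Website defacement."},
]

# Constructed watchlist: names and domains an organization would want flagged.
WATCHLIST = ["kraken", "globalprotect", "example-corp.com"]

# Assumed alias map: feeds spell the same category several ways.
ATTACK_TYPE_ALIASES = {"dataleak": "data leak", "combo list": "credential leak"}

# Assumed remote-access terms worth counting in initial-access listings.
ACCESS_TERMS = ("rdp", "ssh", "vpn", "rdweb", "globalprotect", "citrix")


def normalize_attack_type(raw: str) -> str:
    """Lower-case, collapse whitespace, and resolve known aliases."""
    key = re.sub(r"\s+", " ", raw.strip().lower())
    return ATTACK_TYPE_ALIASES.get(key, key)


def actor_activity(incidents) -> Counter:
    """Incidents per claimed actor in the period."""
    return Counter(inc["actor"] for inc in incidents)


def attack_type_spread(incidents) -> dict:
    """Distinct victims per attack type; a high count is the cross-sector pattern the report describes."""
    victims = defaultdict(set)
    for inc in incidents:
        victims[normalize_attack_type(inc["attack_type"])].add(inc["target"] or inc["incident"])
    return {kind: len(names) for kind, names in victims.items()}


def access_vectors(impact: str) -> list:
    """Remote-access services named in a listing, as whole words, sorted."""
    text = impact.lower()
    return sorted(t for t in ACCESS_TERMS if re.search(r"\b" + t + r"\b", text))


def watchlist_hits(incidents, watchlist) -> list:
    """(asset, incident) pairs where a watched name appears as a whole token in the record."""
    hits = []
    for inc in incidents:
        haystack = " ".join((inc["incident"], inc["target"], inc["impact"])).lower()
        for asset in watchlist:
            pattern = r"(?<![a-z0-9])" + re.escape(asset.lower()) + r"(?![a-z0-9])"
            if re.search(pattern, haystack):
                hits.append((asset, inc["incident"]))
    return hits


def triage(incidents, watchlist, actor_threshold=3, spread_threshold=2) -> dict:
    """One-pass summary a SOC analyst would read before the incident deep dive."""
    activity = actor_activity(incidents)
    spread = attack_type_spread(incidents)
    vectors = Counter()
    for inc in incidents:
        if normalize_attack_type(inc["attack_type"]) == "initial access":
            vectors.update(access_vectors(inc["impact"]))
    return {
        "prolific_actors": sorted(a for a, n in activity.items() if n >= actor_threshold),
        "widespread_attack_types": sorted(k for k, n in spread.items() if n >= spread_threshold),
        "access_vectors": dict(vectors),
        "watchlist_hits": watchlist_hits(incidents, watchlist),
    }


if __name__ == "__main__":
    for key, value in triage(INCIDENTS, WATCHLIST).items():
        print(f"{key}: {value}")
```

On the sample rows this flags YOGJASEC-XTEAM as the prolific actor, marks both data breaches and initial-access sales as spanning several victims, counts one listing each for RDP and SSH plus the Citrix/GlobalProtect/RDWeb/VPN cluster from the log sale, and raises two watchlist hits (the Kraken leak and the GlobalProtect mention). The whole-token match avoids false positives such as a short asset name embedded in a longer word; anything more precise (domains versus brand names, fuzzy spellings) needs per-asset rules.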

Incident Title: GARUDA ERROR SYSTEM targets the website of MD International school

Summary of Event

The group claims to have defaced the website of MD International school.

Mirror: https://defacermirror.com/view/2595

Threat Actor Profile: GARUDA ERROR SYSTEM

Intelligence surrounding “GARUDA ERROR SYSTEM” presents a significant challenge due to conflicting attributions, which underscores the complexities inherent in threat intelligence naming and attribution.

One attribution identifies “GARUDA ERROR SYSTEM” as one of the top ten pro-Pakistani hacktivist groups.7 This group was observed conducting 15 incidents within a recent reporting period, primarily executing Distributed Denial of Service (DDoS) attacks (accounting for 55.5% of identified attacks), website defacements (35.5%), and selective data leaks (1.5%) against Indian organizations.7 Their targets included critical entities such as BSNL, the Income Tax Department, Hindustan Aeronautics Ltd, various state government portals, and Indian Railways.7 These operations are ideologically motivated and frequently coordinated through platforms like Telegram and X.7

Conversely, a second attribution implicitly links “GARUDA ERROR SYSTEM” to the Russian General Staff Main Intelligence Directorate (GRU). Cybersecurity agencies track the Russian GRU 161st Specialist Training Center (Unit 29155) under multiple aliases, including Cadet Blizzard, Ember Bear, Frozenvista, UNC2589, and UAC-0056.8 While explicit documentation does not list “GARUDA ERROR SYSTEM” as an alias for Cadet Blizzard or UAC-0056,8 this association points to an area of ambiguity. The GRU-affiliated group has been active since at least 2020, conducting computer network operations globally for espionage, sabotage, and reputational harm.8 Its activities include website defacements, infrastructure scanning, and data exfiltration. Notably, it has deployed the destructive multi-stage wiper malware WhisperGate against Ukrainian organizations since January 2022 and has conducted offensive cyber campaigns against NATO members in Europe and North America.8 It is known to exploit vulnerabilities in various software and systems, including Dahua Security, Atlassian Confluence Server and Data Center, Sophos Firewall, Microsoft Windows Server, and Red Hat.8 The group is believed to comprise junior active-duty GRU officers gaining experience in cyber operations.8

The conflicting attributions for “GARUDA ERROR SYSTEM” highlight a significant and recurring challenge in the field of threat intelligence: the absence of standardized naming conventions and the potential for misattribution or deliberate obfuscation. This ambiguity can arise from multiple, unrelated groups adopting similar names, or from different intelligence agencies having varying levels of confidence or classifications for the same entity. For a cybersecurity operations team, an incident attributed solely to “GARUDA ERROR SYSTEM” would necessitate deeper, immediate investigation to determine which specific entity is responsible. The appropriate defensive response, including geopolitical considerations, specific TTPs to block, and potential government liaison, will vary drastically depending on whether the adversary is a state-sponsored GRU operation or an ideologically driven hacktivist group. This situation underscores the critical need for robust internal attribution capabilities or reliance on highly trusted, multi-source threat intelligence partners to navigate such ambiguities effectively.

It is important to distinguish “GARUDA ERROR SYSTEM” from “Garuda Hacks,” which is a legitimate hackathon event 9, and “Garuda Linux,” an operating system 10, both of which are unrelated to any malicious cyber activity.

Incident Title: Alleged sale of an unknown Spanish consumer database

Summary of Event

The threat actor is selling a 1 million-line database of unknown Spanish consumers, with emails, phone numbers, names, birth dates, addresses, nationality, and source details.

Threat Actor Profile: Rozo_rex

While specific details about “Rozo_rex” are not available in the provided research, the activity aligns with common cybercrime patterns involving the sale of leaked personal data. Threat actors often acquire data through various means, including stealing it from companies or buying it on darknet marketplaces.11 Such leaked data, especially large password compilations like the “RockYou2024” dataset (which contains nearly 10 billion unique plaintext passwords and is an expansion of the 2021 compilation), is frequently used in credential stuffing attacks to compromise user accounts.12 These compilations often combine data from numerous old and new data breaches.12 The dark web is a common platform for the sale of such stolen information, including personal and financial data.11 If personal data is leaked, it can lead to identity theft, phishing attacks, and financial ruin.11

Incident Title: Alleged data sale of Reale Seguros Generales S.A.

Summary of Event

The threat actor claims to be selling 1.2M+ records from Reale Seguros Generales S.A., including customer IDs, names, NIF, DOB, address, phones, emails, payment methods, and bank details.

Threat Actor Profile: hikaru

“Hikaru” is identified in the provided research as an alias for “Threat Actor 888”.14 A further source links “Hikaru” to “ZeroDayX,” an Iran-linked threat actor.15 Both are alias-to-alias claims resting on a single source each; forum handles are cheap and freely reused, so the chain Hikaru = 888 = ZeroDayX should be treated as a working hypothesis rather than established attribution. These actors may operate as mercenaries or be state-linked, sometimes monetizing stolen data privately because they consider the compensation from their primary affiliation too low.15

The actor primarily targets companies for data theft.14 Claimed victims include Microsoft, BMW (Hong Kong), Shopify, Shell and Decathlon.14 The reported modus operandi is gaining unauthorized access to exposed backend administration interfaces such as phpMyAdmin, exporting the stored records as SQL dumps, and leaking them on prominent underground communities on the dark web.15 These activities are often part of broader information operations (IO) orchestrated by Iran to spread narratives of insecurity, particularly in geopolitically sensitive regions; the targeting of the Saudi Games to amplify anti-Israeli and anti-Saudi propaganda is one example.15 Major sports events are attractive targets for a mix of financial, political and strategic reasons, including theft and sale of valuable data, ransomware deployment and ticket scams.15

“Hikaru” (as Threat Actor 888) is known for actively leaking data on prominent hacking forums, notably BreachForums.14 BreachForums is a key English-language cybercrime forum used for buying and selling stolen data, compromised credentials and hacking tools, and it has faced multiple law enforcement seizures.16 Prominent actors such as IntelBroker and ShinyHunters were also active on the platform.16

If the attribution holds, the Hikaru/ZeroDayX profile describes an actor who blends state-aligned information operations with opportunistic personal gain from data breaches, so geopolitical objectives may be pursued in parallel with, or even subsidised by, conventional cybercrime. The observation that the activity forms part of an Iranian information operation, combined with the possibility that the operators monetise stolen data "on the side" because of low pay, points to a dual motivation that blurs the line between nation-state actors and financially motivated criminals. Two consequences follow for defenders. First, the impact of a breach by such an actor extends beyond direct financial loss or disruption: the stolen data may be reused in influence campaigns, which adds a layer to risk assessment, incident response and public communications planning. Second, the described tradecraft is opportunistic rather than technically sophisticated: an internet-exposed database administration console is the stated entry point, so the concrete controls are keeping phpMyAdmin and similar consoles off the public internet and behind strong authentication, and reviewing database logs for bulk export activity. It also implies that some state-aligned actors are more opportunistic than previously assumed, which can raise both the volume and the variety of attacks.

It is important to note that “Jade Cargill” 19 and the Marvel Comics “Dark Web” 20 are unrelated to this threat actor. Additionally, information regarding the North Korean APT group Kimsuky 21 is not attributed to Hikaru, despite appearing under a related search query.

Incident Title: Alleged data leak of Axis Bank

Summary of Event

The threat actor claims to be selling a leaked database allegedly belonging to Axis Bank, one of India’s leading private sector banks. The exposed data, shared in CSV format and sized at approximately 45 MB, reportedly includes highly sensitive customer information such as full names, mobile numbers, email addresses, account IDs, ID numbers, KYC document types, residential addresses, and transaction-related values.

Threat Actor Profile: Devil120

The provided research identifies “Devil120” as an alias for “Volt Typhoon,” also known as VOLTZITE, a Chinese state-sponsored Advanced Persistent Threat (APT) group.22 This attribution rests on a single source and sits poorly with the incident itself: a 45 MB CSV of retail-banking customer records offered for sale on a forum is ordinary financially motivated data brokering, not the tradecraft described below, so the link should be treated as unverified until corroborated.

Active since at least mid-2021, Volt Typhoon focuses on cyber espionage against U.S. critical infrastructure sectors, with particular emphasis on telecommunications and energy.22 The group uses living-off-the-land techniques to maintain persistent, long-term access to networks while evading detection.22 A significant incident involved the infiltration of a U.S. electric utility (Littleton Electric Light and Water Departments, LELWD) for over 300 days, from February to November 2023, during which the group collected sensitive operational technology (OT) data.22 This pattern suggests a long-term strategic objective, potentially aimed at enabling future disruptive attacks on critical infrastructure.22 The long service life of devices in critical infrastructure works in the attackers' favour: equipment stays in production for years after vendor support and patching end.22

Volt Typhoon’s prolonged infiltration (over 300 days) and systematic collection of OT data from a U.S. electric utility 22 indicate an objective far beyond immediate financial gain or typical data theft. This is pre-positioning: not a quick ransomware deployment or a data grab for sale, but an effort to understand how these systems operate, identify weaknesses, and potentially insert capabilities for later use. For critical infrastructure operators and national security agencies, the threat therefore extends beyond immediate disruption or data compromise to a long-game strategy in which an adversary could, in a future geopolitical conflict or crisis, cause physical damage or widespread service outages. This elevates the concern from conventional cybersecurity to national resilience and physical security, and shifts the defensive focus toward deep network visibility, anomaly detection in OT environments, and robust resilience planning.

It is important to separate this from ordinary data leaks and ransomware. The Ahold Delhaize breach (November 2024) appears in an article that also discusses Volt Typhoon, but that breach was explicitly linked to “INC Ransomware Claims”.22 The provided intelligence does not attribute either the Ahold Delhaize breach or the broader “16 billion records leaked” report 24 to Devil120/Volt Typhoon. Volt Typhoon's documented focus is espionage against critical infrastructure and long-term persistent access, not bulk consumer data theft or ransomware for quick profit, which is a further reason to doubt that the forum seller “Devil120” is the same actor.

Incident Title: Alleged data leak of MyCompassToday

Summary of Event

The threat actor claims to have breached the database of MyCompassToday.

Threat Actor Profile: Chap

“Chap” is a common term in computing, usually referring to the Challenge-Handshake Authentication Protocol (CHAP), an authentication protocol used to validate users in Point-to-Point Protocol (PPP) connections, VPNs and ISP dial-in.25 It uses a challenge-response mechanism built on a “shared secret” so that the password itself is never transmitted, which makes it stronger than PAP, where the password crosses the wire in the clear.25 The authenticator sends a random challenge; the peer computes a one-way hash over the challenge, its identifier and the secret; the authenticator recomputes the hash from its own copy of the secret and compares the two.25 CHAP can also re-challenge periodically during a session to confirm the peer is still the same party.26 Its well-known weakness is on the server side: because the authenticator must recompute the hash, it has to store every secret in recoverable (typically plaintext) form, so theft of the authentication database exposes the secrets directly.25

The protocol is, of course, unrelated to the actor. The provided research defines “CHAP” only as the protocol,25 and the HackerOne profile of a researcher named “chapuka” 28 shows no malicious activity. Without further context the “MyCompassToday” breach cannot be attributed to a known group under this name; “Chap” is most likely an alias used by an individual or a little-documented entity.
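The challenge/response round described above, worked through in Python. This is an added example, not code from the report; the account names, shared secrets and in-memory secret table are constructed for illustration. It follows the RFC 1994 algorithm, Response = MD5(Identifier || Secret || Challenge), and demonstrates the two properties the paragraph mentions: a response captured from one round cannot be replayed against a fresh challenge, and the authenticator must hold each secret in recoverable form, which is exactly what is lost if its database is stolen.

```python
"""CHAP (RFC 1994) exchange: peer and authenticator sides in one file."""
import hashlib
import hmac
import os

# Constructed authenticator database. CHAP obliges the authenticator to keep
# each shared secret in recoverable (here: plaintext) form so that it can
# recompute the expected response itself. Stealing this table therefore
# yields directly usable secrets, the weakness noted in the report.
SECRETS = {
    "alice": b"correct-horse-battery",
    "bob": b"another-shared-secret",
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Authenticator side: every round gets a fresh, unpredictable challenge."""
    return os.urandom(length)


def verify(identifier: int, name: str, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute from the stored secret, compare in constant time."""
    secret = SECRETS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(name: str, peer_secret: bytes, identifier: int = 1) -> bool:
    """One Challenge -> Response -> Success/Failure round. True means Success."""
    challenge = new_challenge()                                   # authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)  # peer -> authenticator
    return verify(identifier, name, challenge, response)          # authenticator decides


def replay_rejected(name: str, peer_secret: bytes) -> bool:
    """A response sniffed in one round is useless against the next challenge."""
    c1, c2 = new_challenge(), new_challenge()
    r1 = chap_response(1, peer_secret, c1)
    return verify(1, name, c1, r1) and not verify(2, name, c2, r1)


if __name__ == "__main__":
    print("alice, correct secret:", run_exchange("alice", SECRETS["alice"]))
    print("alice, wrong secret:  ", run_exchange("alice", b"guess"))
    print("replay rejected:      ", replay_rejected("alice", SECRETS["alice"]))
```

The constant-time comparison in verify() is not part of RFC 1994 but is the idiomatic way to compare authentication tags; the MD5 construction is kept as specified because that is what CHAP peers actually send, not because MD5 is a good choice today.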

Incident Title: Alleged Sale of Shell Access to a French Magento based E-Commerce Store

Summary of Event

The threat actor claims to be selling unauthorized shell access to a Magento-based e-commerce store in France. The listing includes monthly order statistics showing more than 600 transactions, broken down by payment and integration providers such as Systempay, BeezUP and PayPal.

Threat Actor Profile: Zimmer

The name “Zimmer” in the context of cybersecurity is primarily associated with a legitimate IT forensics and cybersecurity consulting firm, “IT Experts & IT Forensics Office Zimmer & Partner,” based in Germany, Austria, and Switzerland.29 This firm, led by Karsten Zimmer, provides services such as IT compliance, data protection, IT security management, penetration testing, forensic investigations, and evidence preservation for both private sector companies and government institutions.29 Karsten Zimmer is recognized as an IT expert and ethical hacker who works with federal and state criminal police offices, European authorities, and is a member of the Alliance for Cyber Security at the Federal Office for Information Security (BSI).29 Their work involves identifying vulnerabilities and securing systems from criminal attacks, and they are known for their expertise in data recovery, forensic investigation after virus attacks, smartphone examination, cryptography, and data security.29 They also collaborate with Ericsson to enhance mobile network security for communication service providers.31

Given this profile, it is highly unlikely that the “Zimmer” selling unauthorized access has any connection to the legitimate consulting firm; the handle is almost certainly an unrelated alias, and the coincidence carries no attribution value. The activity itself, selling shell access to an e-commerce store, is typical of financially motivated cybercriminals. For the operator of a Magento store the actionable part of the listing is the claimed shell access rather than the seller's name: the checks that matter are for unexpected PHP files under the web root, unknown administrator accounts, and modified checkout or payment templates, because shell access to a store processing hundreds of orders a month is the usual precursor to payment-card skimming.

Incident Title: Cyber Jihad Movement claims to target LeMan Magazine

Summary of Event

A recent post by the group indicates that they are targeting LeMan Magazine.

Threat Actor Profile: Cyber Jihad Movement

The “Cyber Jihad Movement” is not a single, unified hacking group but rather an overarching term encompassing various ideologically motivated cyber activities by diverse groups and individuals aligned with jihadist or extremist causes.14 It represents the digital extension of their broader objectives.

Key groups and figures within this movement include the Islamic State Hacking Division (ISHD), also known as the United Cyber Caliphate (UCC). This entity represents a merger of several pro-ISIS hacker groups, including Ghost Caliphate Section, Sons Caliphate Army (SCA), Caliphate Cyber Army (CCA), and the Kalashnikov E-Security Team. They have been active since at least 2014.33 A notable figure was Junaid Hussain, a British hacker (alias TriCk) who became a key English-language cyber influencer for ISIS. He was previously part of TeaMp0isoN, a hacktivist collective with pro-Palestinian and pro-Kashmiri motivations, known for collaborating with groups like ZCompany Hacking Crew.34

The activities of this movement, often referred to as “Electronic Jihad,” consist primarily of propaganda and recruitment. The groups make extensive use of online platforms, including social media (e.g. Facebook, YouTube) and dedicated forums, to spread extremist messages, glorify violence, recruit sympathisers and radicalise individuals.35 This includes producing “knowledge-based articles relating to Jihad” and using both the “broadcast mode” (wide dissemination of gruesome videos) and the “conversation mode” (one-on-one radicalisation) of the internet.36 Website defacement is a common tactic for conveying political or religious messages, causing reputational harm and announcing successful hacks.23 Documented examples include Facebook pages 34, Hobart Airport, French TV5Monde, Solar UK and various Australian websites.33 Attribution of such claims deserves care: the 2015 TV5Monde attack was claimed under the “CyberCaliphate” banner but was later attributed by French investigators to the Russian state-linked group APT28, so jihadist branding is not proof of jihadist origin. The groups also engage in doxing and the publication of “kill lists” containing personal information, often of military personnel; such lists have frequently been compiled from publicly available, unclassified or outdated data rather than from compromises of sensitive government systems.33 Distributed Denial of Service (DDoS) attacks are used to disrupt services and amplify messaging.33 Overall these groups are classified as low-threat and inexperienced, relying on publicly available tools and basic vulnerabilities.33

Incident Title: Alleged data leak of German Citizens

Summary of Event

A threat actor has leaked a dataset allegedly from Germany, containing 900 records in .txt format (251 KB). The compromised data reportedly includes full names, email addresses, phone numbers, postal addresses, birth dates, device details, purchase information, bank account numbers, IBANs, BICs and more.

Threat Actor Profile: RL96

While a specific detailed profile for “RL96” as a named threat actor is not available in the provided research, the activities described align with common data leakage incidents. The research notes indicate that “RL96” is also the designation for a “Compact 1U Rackmount 8-Channel Sound Masking Controller” 38, which is a legitimate product and unrelated to cybercrime. Therefore, it is highly probable that “RL96” in this context is an alias used by an individual or a less-documented threat actor.

Data leaks, such as the one described, often involve the exposure of personally identifiable information (PII) and financial details, which can be bought and sold on the dark web.11 The dark web is a part of the internet not indexed by search engines, requiring special browsers like Tor for access, and is known for trafficking stolen personal and financial information.6 Such exposed data can be used for various malicious purposes, including phishing campaigns, identity theft, and fraud.24 Organizations are advised to continuously monitor open, deep, and dark web sources to detect threats and identify credential compromises.4

Incident Title: Alleged Data Leak of Singapore citizens

Summary of Event

The threat actor claims to have leaked the database of approximately 40,000 individuals from Singapore. The data, shared in CSV format, is reportedly 4.77 MB in size and includes personally identifiable information (PII) such as names, email addresses, phone numbers, ZIP codes, billing and shipping addresses, dates of birth, gender, and more.

Threat Actor Profile: RL96

As noted under the German citizens incident above, no profile for “RL96” exists in the provided research; the only other use of the name is a legitimate sound masking controller,38 so it is most likely an alias used by an individual or a little-documented actor. The same considerations apply: PII of this kind is traded on the dark web 11 and reused for phishing, identity theft and fraud,24 and organisations are advised to monitor open, deep and dark web sources for exposure of their data and credentials.4

Incident Title: Alleged data leak from Ctrip travel agent interface of march 2025

Summary of Event

The threat actor claims to have leaked 7.5 million records obtained in March 2025 from Ctrip's travel-agent interface, including names, ID numbers, contact details, birthdays, addresses and other personal data.

Threat Actor Profile: heiwukoong

No profile for “heiwukoong” exists in the provided research; the activity fits the usual pattern of data breaches and leaks marketed on the dark web, the part of the internet not indexed by search engines and reachable only with software such as Tor, which is widely used for anonymous communication and illicit trade, including the sale of stolen data.5 (The Marvel Comics crossover storyline also titled “Dark Web” 20 is unrelated.)

Data breaches involving personal information are a significant concern, as compromised data can be used for identity theft, phishing, and other fraudulent activities.11 Threat actors often acquire such data through various means, including direct breaches or purchasing it from darknet marketplaces.11

Incident Title: Alleged data sale of JP Morgan

Summary of Event

A threat actor is selling a 4.3GB database allegedly containing JP Morgan USA customer data from 2025. The CSV/XLSX files reportedly include full names, SSNs, emails, addresses, bank details, and other sensitive personal and financial information.

Threat Actor Profile: mr_x1

No profile for “mr_x1” exists in the provided research. The similar string “MRX1” appears only as the model name of a commercial high-speed combination oven 39 and of an autonomous underwater vehicle,40 neither of which has anything to do with cybercrime, so “mr_x1” is most likely an alias used by an individual or a little-documented actor.

The sale of sensitive financial data, such as that allegedly from JP Morgan, is a common activity on dark web marketplaces.5 Such data can be used for identity theft, financial fraud, and other illicit activities.11 Organizations are advised to continuously monitor for exposed credentials and sensitive documents on the dark web to protect against such threats.4

Incident Title: Alleged data sale of EveryCoin

Summary of Event

The threat actor claims to be selling roughly 20,000 rows of EveryCoin user data. The column names given in the listing (first name, last name, email, phone, country, money balance, sell count, buy count, source, last login) read like a direct export of a user table, which, if genuine, suggests database-level access rather than scraping.

Threat Actor Profile: Shinchan

While a specific profile for “Shinchan” as a named threat actor is not available in the provided research, the name “Shinchan” is associated with a video game title, “Shin chan: Shiro and the Coal Town” 41, which is unrelated to cybercrime. There is also a profile on HackerOne for a user named “shinchannohara” 42, but this does not indicate malicious hacking group activities. Therefore, it is highly probable that “Shinchan” in this context is an alias used by an individual or a less-documented threat actor.

The sale of personal data, such as that from EveryCoin, is a common activity in cybercrime. Such data, including names, emails, and financial details, can be used for phishing attacks, identity theft, and other fraudulent activities.11 Threat actors often acquire this data through breaches or by purchasing it on darknet marketplaces.11

Incident Title: Alleged leak of GitHub credentials

Summary of Event

A threat actor claims to have leaked a selection of 210,000 GitHub credentials compiled from various combolists. The data is in CSV format and includes domain names, login usernames, and passwords.

Threat Actor Profile: denisfilippov01

No profile for “denisfilippov01” exists in the provided research; this appears to be an individual actor or an alias. Leaking credentials from combolists is a routine cybercriminal tactic. Combolists are compilations of stolen usernames and passwords, usually sourced from earlier breaches and infostealer logs, which actors use for credential stuffing against other online services.12 The dark web and hacking forums are the primary marketplaces for such data.17 A combolist keyed by domain does not indicate a compromise of the named service: an entry under github.com normally means a password that was stolen from a user's machine or reused from another breached site, so the defensive question is whether any of the leaked passwords are still valid for one's own accounts, not whether GitHub was breached.
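The triage step that follows from the paragraph above, and from the earlier point under Rozo_rex that breach compilations are reused for credential stuffing: filter a leaked "domain,login,password" file down to the rows that concern your organisation and test the leaked passwords against current password hashes. This is an added example, not the report's or any actor's code. The combolist excerpt, the organisation domain example.com and the PBKDF2-based credential store are all constructed for illustration; in practice the comparison runs inside the identity provider with its real hasher and per-user salts.

```python
"""Triage a leaked combolist against an organisation's own accounts."""
import csv
import hashlib
import hmac
import io
from urllib.parse import urlsplit

# Constructed excerpt in the "domain,login,password" shape the leak is said to use.
# Real combolists mix URL-style and bare-host entries, hence the normalisation below.
COMBOLIST_CSV = """domain,login,password
https://github.com/login,alice@example.com,Winter2024!
www.example.com,bob,hunter2
shop.other.org,carol@other.org,letmein
example.com,alice@example.com,OldPassword1
github.com,dave@example.com,Tr0ub4dor&3
"""

OUR_DOMAINS = {"example.com"}   # assumption: the organisation being defended
PBKDF2_ROUNDS = 50_000          # illustrative; use your IdP's real hasher in practice


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed stand-in for the identity provider's current password hashes.
# alice's current password appears in the leak; dave's leaked password is an old one.
_SALT_ALICE, _SALT_DAVE = b"salt-alice", b"salt-dave"
DIRECTORY = {
    "alice@example.com": (_SALT_ALICE, pbkdf2("Winter2024!", _SALT_ALICE)),
    "dave@example.com": (_SALT_DAVE, pbkdf2("SomethingElse9", _SALT_DAVE)),
}


def host_of(domain_field: str) -> str:
    """Reduce 'https://www.GitHub.com/login' or 'www.example.com' to a bare host."""
    text = domain_field.strip()
    if "://" not in text:
        text = "//" + text            # lets urlsplit treat a bare host as the netloc
    host = (urlsplit(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def concerns_us(host: str, login: str) -> bool:
    """A row matters if the site is ours or the login is one of our identities."""
    login_domain = login.rsplit("@", 1)[-1] if "@" in login else ""
    return host in OUR_DOMAINS or login_domain in OUR_DOMAINS


def triage(csv_text: str) -> dict:
    """Map each of our logins found in the leak to an action:
    'reset'           - leaked password matches the current hash: force a reset now
    'stale'           - account exists but the leaked password is not the current one
    'unknown-account' - login not in our directory (service account, ex-employee, typo)
    """
    verdict = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = host_of(row["domain"])
        login = row["login"].strip().lower()
        if not concerns_us(host, login):
            continue
        entry = DIRECTORY.get(login)
        if entry is None:
            verdict.setdefault(login, "unknown-account")
            continue
        salt, current_hash = entry
        if hmac.compare_digest(pbkdf2(row["password"], salt), current_hash):
            verdict[login] = "reset"          # a live match always wins over 'stale'
        else:
            verdict.setdefault(login, "stale")
    return verdict


if __name__ == "__main__":
    for login, action in sorted(triage(COMBOLIST_CSV).items()):
        print(f"{login:22} {action}")
```

The "stale" outcome is still worth acting on: a user whose old password has leaked has usually reused it elsewhere, and the "unknown-account" rows are often the most interesting, since they surface identities (shared mailboxes, departed staff, service accounts) that nobody is monitoring.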

Incident Title: Alleged data leak from Binance and Ledger Crypto Platforms

Summary of Event

A threat actor claims to have leaked data covering 1.2 million Binance "leads" and 272,000 Ledger customers. The compromised data reportedly includes personal and potentially sensitive user information.

Threat Actor Profile: topsteppajustb2

No profile for “topsteppajustb2” exists in the provided research; this appears to be an individual actor or an alias. Leaking large sets of credentials and personal data tied to crypto platforms is a common pattern: researchers have noted that billions of login credentials have been leaked and compiled into datasets online, giving criminals “unprecedented access” to consumer accounts.32 Such data is routinely sold or traded on dark web marketplaces.5 Two details of this listing argue for caution before treating it as a new compromise. “Leads” is marketing vocabulary, and lists so described are typically aggregated from third-party marketing or phishing datasets rather than taken from the platform itself. The 272,000 Ledger figure also matches the size of Ledger's publicly acknowledged 2020 e-commerce customer database leak, so the posting may well be a repackaging of old data.

Incident Title: Alleged sale of Israeli Whatsapp Data

Summary of Event

The threat actor claims to be selling records on 10 million Israeli WhatsApp users. The posting gives no description of the fields; datasets marketed as “WhatsApp data” at this scale are more often phone-number lists enriched by scraping than data obtained from WhatsApp itself.

Threat Actor Profile: PwnLilithX

No specific profile for “PwnLilithX” is available in the provided research. This appears to be an individual threat actor or an alias. The sale of large datasets of personal information, such as WhatsApp user data, is a common activity on dark web marketplaces.5 Such data can be used for various malicious purposes, including targeted phishing campaigns, identity theft, and other forms of fraud.11

Incident Title: Alleged unauthorized access to an unidentified temperature control system

Summary of Event

The group claims to have gained unauthorized access to an unidentified temperature control system in Portugal.

Threat Actor Profile: Z-PENTEST ALLIANCE

No detailed profile for “Z-PENTEST ALLIANCE” is provided, but the research notes that groups engaged in “Initial Access” activity against SCADA-like systems (which building temperature controls can be) are often pursuing disruption and message amplification.43 Such access can precede more serious sabotage or data theft. As reported, the claim gives no indication of what the actor could actually do: without evidence of changed setpoints or a disrupted process, a screenshot of a reachable HMI demonstrates exposure (commonly an internet-facing interface with weak or default credentials) rather than an attack with physical effect. The operator's first actions are to take the interface off the public internet and review its authentication and change logs.

Incident Title: Alleged database leak of Sarisské Bohdanovce municipality, Slovakia

Summary of Event

The threat actor claims to have leaked the database of Sarisské Bohdanovce Municipality, located in Slovakia. The compromised data reportedly includes usernames, passwords, and other sensitive municipal records.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The activity of leaking databases, especially from government entities, is a common tactic used by various threat actors, including hacktivist groups or financially motivated cybercriminals. Such leaks often aim to cause reputational damage or to sell the compromised data on underground forums.5

Incident Title: Alleged database leak of Memory4U

Summary of Event

The threat actor claims to have leaked the user database from Memory4U. The compromised data reportedly includes usernames, passwords, and other sensitive information collected from the site’s authorization form.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The activity of leaking user databases, particularly those containing usernames and passwords, is a common tactic. Such compromised credentials can be used for credential stuffing attacks against other services where users might reuse passwords.12
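Detection logic for the credential stuffing that the paragraph above (and the earlier profiles) warn leaked username/password pairs are used for, run over a few constructed authentication log lines. This is an added example, not code from the report. The log format, the source addresses (documentation ranges) and the thresholds are assumptions; adapt the regular expression to your own auth service. The distinguishing signal is many different usernames from one source in a short window, with a low but usually non-zero success rate, which is what separates stuffing from a single user mistyping a password.

```python
"""Sliding-window credential-stuffing detector over web auth logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape; adapt to the real service's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample. 203.0.113.7 walks through many different accounts in under a
# minute with a couple of successes (replayed leaked credentials); 198.51.100.2 is one
# user fumbling their own password; 192.0.2.9 is normal traffic.
SAMPLE_LOG = """\
2025-07-01T09:00:00 203.0.113.7 login user=alice result=fail
2025-07-01T09:00:03 203.0.113.7 login user=bob result=fail
2025-07-01T09:00:06 203.0.113.7 login user=carol result=ok
2025-07-01T09:00:09 203.0.113.7 login user=dave result=fail
2025-07-01T09:00:12 203.0.113.7 login user=erin result=fail
2025-07-01T09:00:15 203.0.113.7 login user=frank result=fail
2025-07-01T09:00:18 203.0.113.7 login user=grace result=ok
2025-07-01T09:00:21 203.0.113.7 login user=heidi result=fail
2025-07-01T09:00:24 203.0.113.7 login user=ivan result=fail
2025-07-01T09:00:27 203.0.113.7 login user=judy result=fail
2025-07-01T09:01:00 198.51.100.2 login user=mallory result=fail
2025-07-01T09:01:05 198.51.100.2 login user=mallory result=fail
2025-07-01T09:01:10 198.51.100.2 login user=mallory result=fail
2025-07-01T09:01:15 198.51.100.2 login user=mallory result=fail
2025-07-01T09:01:20 198.51.100.2 login user=mallory result=fail
2025-07-01T09:01:30 198.51.100.2 login user=mallory result=ok
2025-07-01T09:02:00 192.0.2.9 login user=peggy result=ok
"""


def parse(lines):
    """Yield (timestamp, source_ip, username, success) for lines that match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok"


def detect(lines, window=timedelta(minutes=5), min_attempts=8,
           min_distinct_users=5, max_success_ratio=0.5):
    """Per source IP, keep the attempts inside a sliding window and flag the source
    when many distinct usernames are tried and most attempts fail. The success ratio
    is allowed to be non-zero on purpose: stuffing differs from brute force precisely
    because some of the replayed passwords are right."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user, success) within window
    flagged = {}
    for ts, ip, user, ok in parse(lines):
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()
        attempts = len(q)
        distinct = len({u for _, u, _ in q})
        successes = sum(1 for _, _, s in q if s)
        if (attempts >= min_attempts and distinct >= min_distinct_users
                and successes / attempts <= max_success_ratio):
            flagged[ip] = {"attempts": attempts, "distinct_users": distinct,
                           "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

Per-source counting is the simplest useful view and is deliberately what the sample shows; stuffing run through residential proxy pools spreads attempts across thousands of addresses and needs the complementary views (global failure rate, attempts per account, and unfamiliar device or geography on the successes) to be caught.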

Incident Title: Alleged dataleak of Marek Palinský

Summary of Event

The group claims to have leaked the database of Marek Palinský.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The activity of leaking databases, especially from individuals or smaller entities, can be motivated by various factors, including hacktivism, personal vendettas, or simply demonstrating capabilities.

Incident Title: Alleged dataleak of Domex Interier s.r.o.

Summary of Event

The group claims to have leaked the database of Domex Interier s.r.o.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The activity of leaking databases from private companies, such as a furniture business, often aims for financial gain through the sale of customer or business data, or for reputational damage.

Incident Title: Alleged data leak of Police of the Republic of Indonesia

Summary of Event

The threat actor claims to have leaked IP addresses and user-agent strings associated with the Police of the Republic of Indonesia: a set of HTTP request records from devices running Windows, Android and iOS, showing page requests, redirects and timeouts. Web-server access log fragments of this kind are low-sensitivity in themselves, but they reveal which endpoints exist and which client software is in use.

Threat Actor Profile: FANZ88

No specific profile for “FANZ88” is available in the provided research. This appears to be an individual threat actor or an alias. The targeting of law enforcement agencies for data leaks, even if it’s seemingly less sensitive data like IP addresses and user agents, can be motivated by hacktivism, a desire to embarrass the organization, or to gather intelligence for future, more impactful attacks.

Incident Title: Alleged data breach of KWE Metals LLC

Summary of Event

The threat actor claims to have leaked database of KWE Metals LLC, and also defaced their official website.

Threat Actor Profile: ZeroDayX

“ZeroDayX” is identified in the provided research as an Iran-linked threat actor and is linked to “Hikaru” (also known as “Threat Actor 888”).14 15 As noted in the Hikaru profile above, these alias links rest on single sources and should be treated as a working hypothesis. The actors may operate as mercenaries or be state-linked, sometimes monetizing stolen data privately because they consider the compensation from their primary affiliation too low.15

The reported modus operandi is gaining unauthorized access to exposed backend systems, exporting stored records (often as SQL dumps), and leaking them on prominent underground communities on the dark web.15 These activities are frequently part of broader information operations (IO) orchestrated by Iran to spread narratives of insecurity.15 Claimed victims include Microsoft, BMW (Hong Kong), Shopify, Shell and Decathlon.14 The combination of a data leak with a website defacement, as in the KWE Metals LLC incident, matches the tactics of groups that aim to cause reputational harm and amplify their message.37

If the attribution holds, the ZeroDayX/Hikaru profile describes an actor who blends state-aligned information operations with opportunistic personal gain from data breaches, so geopolitical objectives may be pursued in parallel with, or subsidised by, conventional cybercrime. The tradecraft itself, exposed administration panels and database exports, is opportunistic rather than advanced, and the defensive priorities are the same as for any data thief: no administration consoles on the public internet, and monitoring for bulk export activity.

Incident Title: Alleged database leak of Verein Förderung Kärntner Arbeitsstiftungen

Summary of Event

The group claims to have leaked the database of Verein Förderung Kärntner Arbeitsstiftungen. The compromised data includes usernames, passwords, and other sensitive information.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The activity of leaking databases, especially from educational or non-profit organizations, often aims for financial gain through the sale of compromised credentials or for reputational damage.

Incident Title: Alleged data breach of PC-Net

Summary of Event

The group claims to have leaked the database of PC-Net.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The activity of leaking databases from IT services companies can be particularly impactful, as it may expose sensitive client data or provide access to further systems.

Incident Title: Alleged database leak of Kraken

Summary of Event

The group claims to have leaked the database of Kraken. The compromised data includes usernames, passwords, and other sensitive information.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The research does not establish which “Kraken” is meant; the name is shared by several unrelated organisations, including a major cryptocurrency exchange, so the target should not be assumed from the name alone. Whatever the target, a leak of usernames and passwords is valuable on the dark web for credential stuffing and other fraud.5

Incident Title: Alleged data breach of Erntetechnik Wiesenhofer

Summary of Event

The group claims to have leaked the database of Erntetechnik Wiesenhofer.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The leaking of databases from machinery or industrial companies can expose intellectual property, operational data, or sensitive employee/customer information, which can be valuable for industrial espionage or financial gain.

Incident Title: Alleged data breach of ÖGUT

Summary of Event

The group claims to have leaked the database of ÖGUT – Austrian Society for Environment and Technology.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The targeting of research organizations or societies for data breaches can be motivated by a desire to steal research data, intellectual property, or member information, potentially for financial gain or to disrupt operations.

Incident Title: Alleged database leak of ТзОВ “Наша Справа Аутдор”

Summary of Event

The group claims to have leaked the database of ТзОВ ‘Наша Справа Аутдор’. The compromised data includes usernames, passwords, and other sensitive information.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The leaking of databases from marketing, advertising, and sales companies can expose customer lists, campaign data, and sensitive business strategies, which can be valuable for competitors or other malicious actors.

Incident Title: Alleged data breach of Solalbert Elektrotechnik e.U.

Summary of Event

The group claims to have leaked the database of Solalbert Elektrotechnik e.U.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The leaking of databases from energy and utilities companies is a serious concern, as it can expose critical infrastructure details, customer data, or operational information, potentially leading to disruption or further attacks.

Incident Title: Alleged database leak of Rfarm Co., Ltd.

Summary of Event

The threat actor claims to have leaked the database of Rfarm Co., Ltd. The compromised data includes usernames, passwords, and other sensitive information.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. The leaking of databases from agriculture and farming companies can expose sensitive operational data, supply chain information, or customer/employee details.

Incident Title: Alleged sale of unauthorized access to an unidentified Spanish medical clinic’s system

Summary of Event

A threat actor claims to be selling access to a Spanish clinic’s system containing sensitive medical data. The access allegedly includes a computer used for recording personal notes of doctors and patients, affecting data of over 6,000 individuals.

Threat Actor Profile: HuanEbashes

No specific profile for “HuanEbashes” is available in the provided research. This appears to be an individual threat actor or an alias. The sale of unauthorized access to healthcare systems is a highly lucrative activity for cybercriminals due to the sensitive nature and high value of medical data. Compromised medical data can be used for various forms of fraud, including identity theft and insurance fraud.

Incident Title: Alleged data breach of Cozy Pension

Summary of Event

The threat actor claims to have leaked a database that allegedly includes usernames, passwords, and other sensitive data belonging to Cozy Pension.

Threat Actor Profile: YOGJASEC-XTEAM

No specific profile for “YOGJASEC-XTEAM” is available in the provided research. This appears to be a hacking group or an alias. Leaked databases from hospitality and tourism businesses, such as pensions, can expose guest information, booking details, and payment data, which is valuable for financial fraud or targeted attacks.

Incident Title: Alleged data breach of multiple organizations in Indonesia

Summary of Event

The threat actor claims to have leaked a 2.1 million-record database from multiple organizations in Indonesia. The compromised data allegedly includes names, mobile numbers, and email addresses. The affected organizations are Jackal Holidays, Aragon Transport, AO group, KPM Trans, Semeru Trans, Rejeki Baru, Joglosemar Executive Shuttle Bus Yogyakarta, Kalisari, Antar Lintas Sumatera, Selamat Trans, Connex Shuttle, Karunia Bakti, Harum BSI, City Trans Utama, PO Riyan Transport, PO Sari Harum, SadyaTrans, Ztrans and M R Trans Logistics.

Threat Actor Profile: flirt

No specific profile for “flirt” is available in the provided research. This appears to be an individual threat actor or an alias. A large-scale breach spanning many organizations in Indonesia’s transportation and logistics sector points to a significant risk to supply chains and critical services. The compromised data (names, mobile numbers, and email addresses) is sufficient for phishing, smishing, and identity fraud against the affected customers.

Incident Title: Alleged data leak of Penduduk Boyoali

Summary of Event

The threat actor claims to have leaked the database of Penduduk Boyoali (penduduk is Indonesian for “residents”), which contains personal information on residents, including full names, email addresses, KTA numbers, phone numbers, regional details, and status.

Threat Actor Profile: newbiecybersecurity

No specific profile for “newbiecybersecurity” is available in the provided research. This appears to be an individual threat actor or an alias. Data leaks targeting government administration entities, particularly resident personal information, may be motivated by hacktivism, a desire to expose perceived vulnerabilities, or the intent to sell the data on underground markets. The name “newbiecybersecurity” may suggest a less experienced actor, but the impact of such a leak can still be significant.

Incident Title: Alleged data leak of 1 MILLION PERSONAL DOCTORS DATA

Summary of Event

The threat actor claims to be selling personal data of over 1 million U.S. doctors, including names, credentials, specialties, addresses, and phone numbers.

Threat Actor Profile: Shinchan

While a specific profile for “Shinchan” as a named threat actor is not available in the provided research, the name “Shinchan” is associated with a video game title, “Shin chan: Shiro and the Coal Town” 41, which is unrelated to cybercrime. There is also a profile on HackerOne for a user named “shinchannohara” 42, but this does not indicate malicious hacking. Neither association supports attribution, and the alias should be treated as unidentified. A bulk listing of physician records (names, credentials, specialties, addresses, and phone numbers) is nonetheless a practical enabler of targeted phishing against medical practitioners and of fraud carried out under a doctor’s professional identity.

Works cited

  1. Exposed RDP Actively Targeted by Threat Actors to Deploy Ransomware – Cyble, accessed July 1, 2025, https://cyble.com/blog/exposed-rdp-actively-targeted-by-threat-actors-to-deploy-ransomware/
  2. Threat Actor Profile List – Cybergeist, accessed July 1, 2025, https://cybergeist.io/threat-actor
  3. Threat Actor Profiles – Cyble, accessed July 1, 2025, https://cyble.com/threat-actor-profiles/
  4. Dark Web Monitoring – ReliaQuest, accessed July 1, 2025, https://reliaquest.com/solutions/dark-web-monitoring/
  5. Dark web – Wikipedia, accessed July 1, 2025, https://en.wikipedia.org/wiki/Dark_web
  6. The Dark Web Explained | CrowdStrike, accessed July 1, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/dark-web/
  7. Pro-Pak hackers launched sustained cyber attacks post Pahalgam; BSNL, Railways among targets: Study | Kerala news | Onmanorama, accessed July 1, 2025, https://www.onmanorama.com/news/kerala/2025/05/11/operation-sindoor-cyber-offensive-target-indian-organisations.html
  8. Feds Issue Warning About Russian Hacking Group Targeting Critical Infrastructure, accessed July 1, 2025, https://www.hipaajournal.com/alert-russian-gru-hacking-group-critical-infrastructure/
  9. Garuda Hacks | Indonesia’s Premier Global Hackathon, accessed July 1, 2025, https://2020.garudahacks.com/
  10. Getting error while installing Garuda linux : r/GarudaLinux – Reddit, accessed July 1, 2025, https://www.reddit.com/r/GarudaLinux/comments/1kvxp60/getting_error_while_installing_garuda_linux/
  11. Personal Data Leak Checker: Your Email & Data – Breached? | CyberNews, accessed July 1, 2025, https://cybernews.com/personal-data-leak-check/
  12. RockYou2024 compilation containing 10 billion passwords was leaked online, accessed July 1, 2025, https://securityaffairs.com/165460/data-breach/rockyou2024-compilation-10b-passwords.html
  13. My information was found on the dark web, what should I do? – ID Watchdog, accessed July 1, 2025, https://www.idwatchdog.com/education/-/article/information-found-on-dark-web
  14. Threat Actor 888 (Threat Actor) – Malpedia, accessed July 1, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/threat_actor_888
  15. Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games – Resecurity, accessed July 1, 2025, https://www.resecurity.com/blog/article/iran-linked-threat-actors-leak-visitors-and-athletes-data-from-saudi-games
  16. Flash Report: Prominent Threat Actors Reportedly Arrested | ZeroFox, accessed July 1, 2025, https://www.zerofox.com/intelligence/flash-report-prominent-threat-actors-reportedly-arrested/
  17. Crime forum – Wikipedia, accessed July 1, 2025, https://en.wikipedia.org/wiki/Crime_forum
  18. BreachForums, a key English-language cybercrime forum, seized by the FBI | CyberScoop, accessed July 1, 2025, https://cyberscoop.com/breachforums-a-key-english-language-cybercrime-forum-seized-by-the-fbi/
  19. Jade Cargill – Wikipedia, accessed July 1, 2025, https://en.wikipedia.org/wiki/Jade_Cargill
  20. Dark Web (Marvel Comics) – Wikipedia, accessed July 1, 2025, https://en.wikipedia.org/wiki/Dark_Web_(Marvel_Comics)
  21. Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks – Securonix, accessed July 1, 2025, https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
  22. Chinese Volt Typhoon Hackers Infiltrated US Electric Grid for Nearly a Year – Hackread, accessed July 1, 2025, https://hackread.com/chinese-volt-typhoon-hackers-infiltrated-us-electric-grid/
  23. Ahold Delhaize Cyberattack Disrupts U.S. Operations – The Cyber Express, accessed July 1, 2025, https://thecyberexpress.com/ahold-delhaize-cyberattack/
  24. Over 16 billion records leaked in “unimaginable” major data breach – here’s what we know, accessed July 1, 2025, https://www.techradar.com/pro/website-building/over-16-billion-records-leaked-in-unimaginable-major-data-breach-heres-what-we-know-and-how-you-can-see-if-youre-safe
  25. Challenge-Handshake Authentication Protocol – Wikipedia, accessed July 1, 2025, https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol
  26. What is Challenge Handshake Authentication Protocol (CHAP) – Cybersecurity Terms and Definitions – VPN Unlimited, accessed July 1, 2025, https://www.vpnunlimited.com/help/cybersecurity/chap
  27. What is CHAP Authentication and How Does it Work? | Ping Identity, accessed July 1, 2025, https://www.pingidentity.com/en/resources/identity-fundamentals/authentication/chap-authentication.html
  28. chapuka | Profile – HackerOne, accessed July 1, 2025, https://hackerone.com/chapuka
  29. ÜBER UNS – Zimmer & Partner – csi-menden.de, accessed July 1, 2025, https://csi-menden.de/en/ueber-uns/
  30. EDV-Sachverständige & IT-Forensik – Zimmer & Partner – csi-menden.de, accessed July 1, 2025, https://csi-menden.de/en/
  31. POST Luxembourg enhances network security with ESM – Ericsson, accessed July 1, 2025, https://www.ericsson.com/en/press-releases/3/2025/post-luxembourg-enhances-network-security-with-esm
  32. 16 billion login credentials leaked online, Cybernews researchers say – YouTube, accessed July 1, 2025, https://www.youtube.com/watch?v=M38WguON58M
  33. Islamic State Hacking Division – Wikipedia, accessed July 1, 2025, https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division
  34. The British Hacker Who Became the Islamic State’s Chief Terror Cybercoach: A Profile of Junaid Hussain, accessed July 1, 2025, https://ctc.westpoint.edu/british-hacker-became-islamic-states-chief-terror-cybercoach-profile-junaid-hussain/
  35. JIHADIST USE OF SOCIAL MEDIA – GovInfo, accessed July 1, 2025, https://www.govinfo.gov/content/pkg/CHRG-112hhrg74647/html/CHRG-112hhrg74647.htm
  36. New Tools, New Vulnerabilities: The Emerging Cyber-Terrorism Dyad, accessed July 1, 2025, https://cyberdefensereview.army.mil/CDR-Content/Articles/Article-View/Article/1136007/new-tools-new-vulnerabilities-the-emerging-cyber-terrorism-dyad/
  37. What is a Website Defacement Attack | Examples & Prevention – Imperva, accessed July 1, 2025, https://www.imperva.com/learn/application-security/website-defacement-attack/
  38. RL96-8ch – Soft dB, accessed July 1, 2025, https://www.softdb.com/_files/_sound_masking_division/Documentation/Products_Litterature/Controller_RL96-RLCTL2/Specsheet_RL96.pdf
  39. Amana MRX1 Silver XpressChef 3i Series Countertop High Speed Combination Microwave / Impingement Combination Oven, 208-240V 3.6 kW – Restaurant Supply Store, accessed July 1, 2025, https://www.restaurantsupply.com/amana-mrx1-silver-xpresschef-3i-series-countertop-high-speed-combination-microwave-impingement-combination-oven-208-240v-3-6-kw
  40. Specifications of “MR-X1” | Download Table – ResearchGate, accessed July 1, 2025, https://www.researchgate.net/figure/Specifications-of-MR-X1_tbl1_265928459
  41. Save 30% on Shin chan: Shiro and the Coal Town on Steam, accessed July 1, 2025, https://store.steampowered.com/app/2699820/Shin_chan_Shiro_and_the_Coal_Town/
  42. Shinchan | Profile – HackerOne, accessed July 1, 2025, https://hackerone.com/shinchannohara
  43. The Top 10 Dark Web Telegram Chat Groups and Channels – SOCRadar® Cyber Intelligence Inc., accessed July 1, 2025, https://socradar.io/the-top-10-dark-web-telegram-chat-groups-and-channels/