1. Executive Summary
This report provides a consolidated overview and analysis of 33 external cyber incidents, primarily alleged data breaches, data leaks, malware sales, and initial access sales, reported by various threat actors on open web forums, dark web forums, and Telegram channels as of July 12, 2025. These incidents illustrate the dynamic and pervasive nature of the current cyber threat landscape, showing a wide array of malicious activity against diverse industries and organizations worldwide.
The analysis of these external incidents illustrates common attack vectors, compromised data types, and the active marketplaces for illicit cyber tools and information. This consolidated report aims to provide a holistic view of the wider threat environment, facilitating informed strategic decisions for enhanced cybersecurity resilience.
2. Overview of External Cyber Incidents
To provide a rapid, high-level summary of all documented incidents, a consolidated table has been prepared. This overview enables stakeholders to quickly grasp the scope and nature of events at a glance, serving as an efficient navigational aid to the more detailed incident reports that follow.
Table 1: Summary of Recorded Incidents
Incident ID | Title | Date | Primary Impact | Source/Nature | Link to Detailed Report |
--- | --- | --- | --- | --- | --- |
INC005 | Alleged sale of vulnerability in Flamingo Finance | 2025-07-12 | Potential System Compromise | External – Reported | #inc005-details |
INC006 | Alleged data breach of Kayan Aviation | 2025-07-12 | Data Exposure | External – Reported | #inc006-details |
INC007 | Alleged data breach of BitMart | 2025-07-12 | Data Exposure | External – Reported | #inc007-details |
INC008 | Alleged Sale of Proxy Services and Financial Identity Data Across Multiple Countries | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc008-details |
INC009 | Alleged Leak of 2025 Ellipal Mailing List | 2025-07-12 | Data Exposure | External – Reported | #inc009-details |
INC010 | Alleged Sale of Dork Premium Pack for Website Vulnerability Scanning | 2025-07-12 | Tool/Malware Sale | External – Reported | #inc010-details |
INC011 | Alleged Sale of “BinaryX RAT” Remote Access Malware Tool | 2025-07-12 | Tool/Malware Sale | External – Reported | #inc011-details |
INC012 | Alleged access to Artech Technologies Ltd. | 2025-07-12 | Unauthorized Access | External – Reported | #inc012-details |
INC013 | Alleged Sale of Hotmail-PayPal Full Capture Configuration | 2025-07-12 | Threat Activity Alert | External – Reported | #inc013-details |
INC014 | Alleged database sale of Procurement Regulatory Authority of Zimbabwe (PRAZ) | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc014-details |
INC015 | Alleged Leak of Ledger 2025 DB Orders | 2025-07-12 | Data Exposure | External – Reported | #inc015-details |
INC016 | Alleged data sale of Trust Growth Co., Ltd. | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc016-details |
INC017 | Alleged data sale of Tikla | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc017-details |
INC018 | Baksei Chamkrong targets the website of Architect Council of Thailand | 2025-07-12 | Brand Reputation Impact | External – Reported | #inc018-details |
INC019 | Alleged data sale of Marketcraze | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc019-details |
INC020 | Alleged data sale of diMarka Colombia | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc020-details |
INC021 | Alleged sale of ECCP BaridiMob Database | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc021-details |
INC022 | Alleged data leak of Shuk Asakim | 2025-07-12 | Data Exposure | External – Reported | #inc022-details |
INC023 | Alleged data leak of a notorious darkweb drug market | 2025-07-12 | Data Exposure | External – Reported | #inc023-details |
INC024 | Alleged data sale of 1A Auto Parts | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc024-details |
INC025 | Alleged data sale of Snapay | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc025-details |
INC026 | Alleged Sale of Advanced BitM Phishing Platform Targeting Gmail | 2025-07-12 | Tool/Malware Sale | External – Reported | #inc026-details |
INC027 | Alleged data sale of Naver Corporation | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc027-details |
INC028 | PELICAN HACKERS Claim to Target Dark Web Networks | 2025-07-12 | Threat Activity Alert | External – Reported | #inc028-details |
INC029 | Alleged sale of initial access to Somali government systems | 2025-07-12 | Unauthorized Access/Sale | External – Reported | #inc029-details |
INC030 | Alleged data leak of Crypto investors | 2025-07-12 | Data Exposure | External – Reported | #inc030-details |
INC031 | Alleged data leak of an unidentified hotel management infrastructure in Israel | 2025-07-12 | Data Exposure | External – Reported | #inc031-details |
INC032 | Alleged data breach of Colmed Salud | 2025-07-12 | Data Exposure/Sale | External – Reported | #inc032-details |
INC033 | Alleged access sale to an unidentified organization in the UK | 2025-07-12 | Unauthorized Access/Sale | External – Reported | #inc033-details |
INC034 | Moroccan Cyber Sentinels targets the website of BoidCMS | 2025-07-12 | Brand Reputation Impact | External – Reported | #inc034-details |
INC035 | Alleged sale of Unauthorized access to WordPress administrator credentials | 2025-07-12 | Unauthorized Access/Sale | External – Reported | #inc035-details |
INC036 | Alleged Sale of Unauthorized Access to Sunpower Electrics database | 2025-07-12 | Unauthorized Access/Sale | External – Reported | #inc036-details |
INC037 | Alleged data leak of Binance full user records | 2025-07-12 | Data Exposure | External – Reported | #inc037-details |
The table serves several purposes. For its intended audience, such as project managers and team leads, it provides immediate, actionable information: the structured layout allows rapid scanning of each incident's ID, title, date, and primary impact, so the overall incident landscape can be understood without reading every detailed report. It also places the frequency and types of incidents in context for the reporting period, setting the stage for the detailed entries that follow. Because each row links to its detailed report, the table doubles as an index for navigating the complete document.
3. Detailed Incident Reports
This section provides a dedicated entry for each incident, elaborating on its specifics, including direct links to published URLs and evidential screenshots. These incidents represent claims made by the threat actors themselves and provide insight into the broader cybercrime landscape.
3.1. Incident INC005: Alleged sale of vulnerability in Flamingo Finance
Incident Description
On 2025-07-12, a threat actor identified as T0mbst0ne claimed to be offering to sell a Cross-Origin Resource Sharing (CORS) bug in the Flamingo Finance blockchain, accompanied by proof of concept from the exchange. This vulnerability was reported on the openweb network. The victim organization is Flamingo Finance, a financial services entity in Singapore, with the victim site being flamingo.finance.
Published URL
https://darkforums.st/Thread-CORS-Bug-Flamingo-Finance
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/679a0bf0-621c-4d37-a99e-83b8911d7783.jpg
3.2. Incident INC006: Alleged data breach of Kayan Aviation
Incident Description
On 2025-07-12, the threat group Worldleaks claimed to have obtained data from Kayan Aviation, an Aviation & Aerospace organization in the UK, with the victim site being kayan.aero. This data breach claim was made on the tor network.
Published URL
https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/6805662265/overview
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/3d6ed19e-a4c1-43eb-86de-082d6e066a4f.png
3.3. Incident INC007: Alleged data breach of BitMart
Incident Description
On 2025-07-12, the threat actor Satanic claimed to have leaked the database of BitMart, a financial services organization with the victim site bitmart.com. The compromised data allegedly contains over 1.2 million user records, including email addresses and phone numbers. This data breach claim was made on the openweb network.
Published URL
https://darkforums.st/Thread-BitMart-com-Database-Breach-Official
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/6aa51099-2527-4933-a697-2e526e978706.jpg
- https://d34iuop8pidsy8.cloudfront.net/19996f2e-2828-4535-9b28-5b6db82089e4.jpg
3.4. Incident INC008: Alleged Sale of Proxy Services and Financial Identity Data Across Multiple Countries
Incident Description
On 2025-07-12, the threat actor Leakxsc claimed to be selling global HTTP/SOCKS5 proxy services alongside access to sensitive financial and identity data, including SSNs, bank and PayPal credentials, and OTP-capable phone numbers spanning over 40 countries. This data leak claim was made on the openweb network.
Published URL
https://darkforums.st/Thread-Proxies-Numbers-Bank-acc
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/5ef88acc-c473-4ff8-817a-ef023d1ab219.jpg
3.5. Incident INC009: Alleged Leak of 2025 Ellipal Mailing List
Incident Description
On 2025-07-12, the threat actor btcokiz claimed to have a 2025 Ellipal mailing list containing around 4,000 entries, though its authenticity could not be verified. The actor was seeking a reputable partner to work with on it. This data leak claim was made on the openweb network.
Published URL
https://forum.exploit.in/topic/262318
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/968d70b1-523f-4215-a24c-076b18ae8ecf.png
3.6. Incident INC010: Alleged Sale of Dork Premium Pack for Website Vulnerability Scanning
Incident Description
On 2025-07-12, the threat actor bx1 claimed to be selling a Dork Premium Pack—a collection of advanced tools used to generate and customize Google Dorks, enabling users to identify vulnerabilities in websites and databases. These tools allegedly support tailored search queries, site scanning, and big data analysis to expose system weaknesses. This malware sale claim was made on the openweb network.
Published URL
https://kittyforums.to/thread/593
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/f2b2a421-caab-4f19-87c0-e82f6ba57f0a.jpg
3.7. Incident INC011: Alleged Sale of “BinaryX RAT” Remote Access Malware Tool
Incident Description
On 2025-07-12, the threat actor bx1 claimed to be selling a remote access tool named “BinaryX RAT” designed for full control of Windows systems. The tool allegedly supports features such as keystroke logging, file management, webcam and microphone access, reverse proxy, HVNC, and shell execution, and also enables chat, audio playback, and browser history monitoring. This malware sale claim was made on the openweb network.
Published URL
https://kittyforums.to/thread/592
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/cdc9227b-49f6-43e7-ab6b-6cba867ddfa6.jpg
- https://d34iuop8pidsy8.cloudfront.net/73b564d6-b006-446c-8eb2-0236282e5195.jpg
3.8. Incident INC012: Alleged access to Artech Technologies Ltd.
Incident Description
On 2025-07-12, the threat actor BABAYO EROR SYSTEM claimed to have accessed the website of Artech Technologies Ltd., an Education industry organization in Israel, with the victim site artech.org.il. This initial access claim was made on the telegram network.
Published URL
https://t.me/CyberBabayoEror/834
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/69f0e296-0e0e-4a1a-9c17-04f21bd8dc3b.png
3.9. Incident INC013: Alleged Sale of Hotmail-PayPal Full Capture Configuration
Incident Description
On 2025-07-12, the threat actor USD claimed to be selling a custom Hotmail-PayPal config with an inbox searcher tool, alleging full PayPal data capture, high performance, full customization, support, and exclusive privacy, aimed at financial exploitation. This alert was posted on the openweb network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/9c9b8af4-5172-4d59-ad64-f97b7957fa6d.png
3.10. Incident INC014: Alleged database sale of Procurement Regulatory Authority of Zimbabwe (PRAZ)
Incident Description
On 2025-07-12, the threat actor “Hackers” claimed to be selling a 1TB database of the Procurement Regulatory Authority of Zimbabwe (PRAZ), a Government Administration entity in Zimbabwe, with the victim site praz.org.zw. This data breach claim was made on the telegram network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/09e188d1-d7a9-40d1-b797-133680c9455c.png
3.11. Incident INC015: Alleged Leak of Ledger 2025 DB Orders
Incident Description
On 2025-07-12, the threat actor btcokiz claimed to have leaked a database with 610 records of U.S.-based Ledger customers, allegedly accessed in March 2025. The data purportedly includes purchase dates, Ledger types, asset holdings, addresses, emails, IDs, and CoinTracker syncs, with some entries containing screenshots of crypto holdings. This data leak claim was made on the openweb network.
Published URL
https://forum.exploit.in/topic/262317
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/e8cef3d5-b1ae-4230-bb88-ef3d3fdfc2ff.png
3.12. Incident INC016: Alleged data sale of Trust Growth Co., Ltd.
Incident Description
On 2025-07-12, the threat actor DataVortexDB claimed to be selling over 1,000,000 lines of data from the database of Trust Growth Co., Ltd., a Human Resources company in Japan, with the victim site trust-growth.co.jp. This data breach claim was made on the openweb network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/151ef9c5-c7a0-4018-b3a8-2409772b705e.png
3.13. Incident INC017: Alleged data sale of Tikla
Incident Description
On 2025-07-12, the threat actor DataVortexDB claimed to be selling 1,365,247 lines of data from the database of Tikla, a Business and Economic Development entity in Turkey, with the victim site tikla.com.tr. This data breach claim was made on the openweb network.
Published URL
http://xss.is/threads/141786/
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/eeaa1db4-ea6a-414c-8263-f5e4c12976e5.png
3.14. Incident INC018: Baksei Chamkrong targets the website of Architect Council of Thailand
Incident Description
On 2025-07-12, the threat actor Baksei Chamkrong claimed to have defaced the website of the Architect Council of Thailand, an Architecture & Planning organization in Thailand, with the victim site act.or.th. This defacement claim was made on the telegram network.
Published URL
https://t.me/baksei_chamkrong/21
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/617e10ca-3bd1-4778-b3a5-7c8cc607bd10.png
3.15. Incident INC019: Alleged data sale of Marketcraze
Incident Description
On 2025-07-12, the threat actor DataVortexDB claimed to be selling the data of Marketcraze, an E-commerce & Online Stores entity in the UK, with the victim site marketcraze.co.uk. The data allegedly includes information of 900,000 users, with 500,000 records containing additional details such as date of birth. This data breach claim was made on the openweb network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/6b9411ed-a60d-4f0d-9112-45f35f0a338b.png
3.16. Incident INC020: Alleged data sale of diMarka Colombia
Incident Description
On 2025-07-12, the threat actor DataVortexDB claimed to be selling 824,508 leads from the database of diMarka Colombia, a Software Development company in Colombia, with the victim site ignicia.com. This data breach claim was made on the openweb network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/338f3a11-6418-426f-9bc4-5c9b2f0ea042.png
3.17. Incident INC021: Alleged sale of ECCP BaridiMob Database
Incident Description
On 2025-07-12, the threat actor Fox claimed to be selling the ECCP BaridiMob database, allegedly containing data of over 900,000 Algerian clients, 85GB of banking information, and an OTP bypass tool for unauthorized financial transfers. This data breach claim was made on the openweb network.
Published URL
https://darkforums.st/Thread-ECCP-BaridiMob-Database
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/70ca67c2-a658-422d-86d8-f5c7bad199d1.png
3.18. Incident INC022: Alleged data leak of Shuk Asakim
Incident Description
On 2025-07-12, the threat actor Anonymous Islamic claimed to have obtained a database containing details of hundreds of visitors and business projects, along with sensitive operational files and data revealing vulnerabilities in the site’s technical systems, from Shuk Asakim, an E-commerce & Online Stores entity in Israel, with the victim site shukasakim.co.il. This data leak claim was made on the telegram network.
Published URL
https://t.me/Anonymous0islamic/1296
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/47b7a0e8-5b09-475f-8790-8650fac27cf0.png
3.19. Incident INC023: Alleged data leak of a notorious darkweb drug market
Incident Description
On 2025-07-12, the threat actor PELICAN HACKERS claimed to have defaced and dumped the database of a notorious dark web drug market, and also claimed to have leaked the site’s backend. This data leak claim was made on the telegram network.
Published URL
https://t.me/PelicanHackers/15
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/0b196077-4f8c-4255-9723-e04735c041f1.png
3.20. Incident INC024: Alleged data sale of 1A Auto Parts
Incident Description
On 2025-07-12, the threat actor DataVortexDB claimed to be selling data from 1A Auto Parts, an Automotive industry entity in the USA, with the victim site 1aauto.com. The data allegedly includes 4,165,647 emails. This data breach claim was made on the openweb network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/9ec2b75d-b1d8-4512-bf2a-cd69c90278c4.png
3.21. Incident INC025: Alleged data sale of Snapay
Incident Description
On 2025-07-12, the threat actor DataVortexDB claimed to be selling 60GB of data from Snapay, an Information Technology (IT) Services company in India, with the victim site snapay.in. The data allegedly includes photos, PDFs, and screenshots. This data breach claim was made on the openweb network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/68a2150c-8271-47f9-b231-2ece72eca879.png
3.22. Incident INC026: Alleged Sale of Advanced BitM Phishing Platform Targeting Gmail
Incident Description
On 2025-07-12, the threat actor philishlets claimed to be selling a Browser-in-the-Middle (BitM) phishing platform built on Kameleo, alleging it can hijack Gmail and Google Workspace sessions, bypass 2FA (TOTP, SMS, backup codes), and capture cookies and tokens using real browser automation. This malware sale claim was made on the openweb network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/585e6520-6e0c-4904-bb97-042e5fe563e2.png
- https://d34iuop8pidsy8.cloudfront.net/83d2da74-4721-4fcb-8752-d5e7a0bf8a68.png
3.23. Incident INC027: Alleged data sale of Naver Corporation
Incident Description
On 2025-07-12, the threat actor DataVortexDB claimed to be selling data from Naver Corporation, an E-commerce & Online Stores entity in South Korea, with the victim site sell.smartstore.naver.com. The data allegedly includes 732,000 emails, 1,420 phone numbers, and other information. This data breach claim was made on the openweb network.
Published URL
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/c0889df2-2bac-4210-8676-aed7ac1eabb9.png
3.24. Incident INC028: PELICAN HACKERS Claim to Target Dark Web Networks
Incident Description
On 2025-07-12, the threat group PELICAN HACKERS indicated in a recent post that they are targeting digital drug cartels and trafficking networks within the Tor ecosystem. This alert was posted on the telegram network.
Published URL
https://t.me/PelicanHackers/13
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/3ee31a62-b7da-4657-87f1-5f6bbe9ca161.png
3.25. Incident INC029: Alleged sale of initial access to Somali government systems
Incident Description
On 2025-07-12, the threat actor Sc0rp10n claimed to be selling initial access to Somali government systems, offering 15.1 GB of data that allegedly includes over 65,000 emails, phone numbers, IP addresses, and passwords (both in cleartext and hashed formats), along with internal documents, admin panel credentials, and employee records. This initial access claim was made on the openweb network.
Published URL
https://darkforums.st/Thread-Exclusive-Initial-Access-Somali-Government-Infrastructure-Leak
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/cd8024cc-8ef4-4d44-b7ce-ea48a2d88368.png
3.26. Incident INC030: Alleged data leak of Crypto investors
Incident Description
On 2025-07-12, the threat actor Zagoramiy200 claimed to be selling an alleged data leak of 305,000 crypto investors, filtered for duplicates. This data leak claim was made on the openweb network.
Published URL
https://forum.exploit.in/topic/262299
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/886aba4d-ccf6-4fc3-849e-37d57fa90d7f.png
3.27. Incident INC031: Alleged data leak of an unidentified hotel management infrastructure in Israel
Incident Description
On 2025-07-12, the threat actor DAYzer0DAY claimed to have leaked personal and booking data of over 100,000 Israeli citizens, allegedly sourced from one of the most widely used hotel management infrastructures in Israel. The exposed information purportedly includes full guest records such as names, email addresses, phone numbers, booking details, internal references, agent data, and payment metadata. This data leak claim was made on the openweb network.
Published URL
https://darkforums.st/Thread-Israel-over-100k-citizens-data
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/75502b95-f9bb-4423-ae41-a3eb8356afc0.png
3.28. Incident INC032: Alleged data breach of Colmed Salud
Incident Description
On 2025-07-12, the threat actor aero claimed to be selling a database from Colmed Salud containing 138,978 records scraped from medical invoices. The data allegedly includes full name, affiliate number, address, postal code, insurance type, and invoice date, all belonging to Argentine individuals. The leak is purportedly provided as a .db file within a .rar archive, along with two APIs (English and Spanish) that allow searching by affiliate number. This data breach claim was made on the openweb network.
Published URL
https://darkforums.st/Thread-COLMEDSANJUAN-COM-AR-138-978-Records-DB
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/5b3a088a-ce27-43be-b268-97691e66bc10.png
3.29. Incident INC033: Alleged access sale to an unidentified organization in the UK
Incident Description
On 2025-07-12, the threat actor mysterywok claimed to be selling access to a UK-based OpenCart online store’s admin panel with shell access. This initial access claim was made on the openweb network.
Published URL
https://forum.exploit.in/topic/262296
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/257709d8-a509-4b26-b47a-4a03fd518d33.png
3.30. Incident INC034: Moroccan Cyber Sentinels targets the website of BoidCMS
Incident Description
On 2025-07-12, the group Moroccan Cyber Sentinels claimed to have defaced the website of BoidCMS, a Software entity in France, with the victim site boidcms.alwaysdata.net. This defacement claim was made on the telegram network.
Published URL
https://t.me/MoroccanCyberSentinelsOfficial/1289
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/31329a65-1f47-44bc-8310-622adfadad41.png
3.31. Incident INC035: Alleged sale of Unauthorized access to WordPress administrator credentials
Incident Description
On 2025-07-12, the threat actor Reve claimed to be selling a bulk list of 15,144 valid WordPress administrator credentials with 95–100% accuracy. This initial access claim was made on the openweb network.
Published URL
https://forum.exploit.in/topic/262295
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/17a8e8e7-7027-429a-a4b7-00b717d6e9f2.png
3.32. Incident INC036: Alleged Sale of Unauthorized Access to Sunpower Electrics database
Incident Description
On 2025-07-12, the threat actor Kavinsky claimed to be selling unauthorized SMTP and database access for sunpowerelectric, a Renewables & Environment company in Spain, with the victim site tienda.sunpowerelectric.es. This initial access claim was made on the openweb network.
Published URL
https://darkforums.st/Thread-Selling-sunpowerelectric-SMTP-DATABASE-Access
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/c3aad028-9ae4-40e8-a692-219b82d10853.png
- https://d34iuop8pidsy8.cloudfront.net/6b1de04d-b332-4eb8-82cb-ba4cd52e08aa.png
3.33. Incident INC037: Alleged data leak of Binance full user records
Incident Description
On 2025-07-12, the threat actor AbuBakarGSF claimed to have leaked large volumes of user data from major crypto platforms, including over 1.4 million Binance records, allegedly exposing personal details such as names, emails, and payment information. The leak also purportedly involves a 16 billion-entry infostealer dump containing sensitive credentials. This data leak claim was made on the openweb network.
Published URL
https://darkforums.st/Thread-Document-Binance-full-data-leads-2025
Screenshots
- https://d34iuop8pidsy8.cloudfront.net/86e661d8-c934-4456-a8a8-e00471e279d6.png
4. Key Observations
The analysis of these external cyber incidents reveals several critical observations regarding the broader cyber threat landscape:
- Prevalence of Data-Related Incidents: A majority of the incidents (20 out of 33) are categorized as “Data Breach” or “Data Leak,” indicating high demand and an active market for compromised data on illicit forums. This includes personally identifiable information, financial credentials, and various user records.
- Active Market for Cyber Tools and Access: The incidents also highlight a robust marketplace for malicious tools (e.g., Dork Premium Pack, BinaryX RAT, BitM Phishing Platform) and initial access to systems (e.g., WordPress admin credentials, government systems, e-commerce platforms). This signifies that threat actors are actively developing and trading capabilities to facilitate further attacks.
- Global and Diverse Targeting: The incidents demonstrate that cyber threats are geographically widespread, affecting organizations and individuals across numerous countries (e.g., Singapore, UK, Japan, Israel, Somalia, Argentina) and industries (e.g., Financial Services, Aviation, Government, E-commerce, Healthcare). This underscores the universal nature of cyber risk.
- Opportunistic and Monetization-Driven Threat Actors: The nature of these reported incidents suggests that many threat actors are driven by financial gain, seeking to exploit vulnerabilities, exfiltrate data, or sell access and tools for profit. The rapid reporting of these alleged incidents on various networks indicates a dynamic and fast-moving illicit market.
The sheer volume and nature of these external threats suggest that organizations are constantly targeted, and compromised data and access are readily monetized. This necessitates a strategic shift towards a more proactive and preventative posture. Continuous monitoring of the external threat landscape, as detailed in this report, is vital to anticipate emerging threats and inform robust defense strategies.
5. Conclusion
The analysis of the external cyber incidents provides a clear picture of a highly active and opportunistic cybercrime ecosystem. The prevalence of alleged data breaches and leaks, coupled with the active trade of malicious tools and initial access, underscores the persistent and evolving nature of cyber threats.
This report highlights that organizations globally face a diverse array of sophisticated and financially motivated threat actors. To enhance cybersecurity resilience, it is crucial for organizations to adopt a proactive and intelligence-driven approach. This involves continuous monitoring of the external threat landscape, understanding common attack vectors and compromised data types, and implementing robust preventative measures. By staying informed about these external trends, organizations can better anticipate and defend against potential attacks, thereby strengthening their overall security posture in a dynamic threat environment.