[July-25-2025] Daily Cybersecurity Threat Report

Introduction

This report provides a comprehensive overview of recent cybersecurity incidents, specifically detailing 42 distinct events observed on various dark web and underground platforms. Its primary objective is to present key information for each incident, including categories, compromised content, dates, networks, original source URLs, and associated screenshots, strictly based on the provided data.¹ The report’s structure, layout, tone, and formatting are meticulously aligned with the model report.¹

The incidents documented herein occurred on July 25, 2025, as indicated by the “Article Last Updated Date” and the consistent “Date” field across all incidents in the provided data.¹ This uniform timestamp across all entries signifies that this report captures a highly current, single-day intelligence brief. This immediacy is crucial for understanding the dynamic nature of the contemporary threat landscape, offering a precise, near real-time snapshot of active cybercriminal operations. Such a focused temporal scope enhances the report’s relevance and potential for actionable intelligence, enabling organizations to adapt their security postures rapidly against immediate threats. The analysis is strictly limited to the factual data extracted from the provided JSON file, ensuring no external interpretation, embellishment, or additional commentary beyond the scope of the provided information.¹

Incident Details

This section meticulously lists each of the 42 cybersecurity incidents identified. Each incident is presented as a numbered entry, faithfully replicating the precise format, headings, and bullet points observed in the model report.¹

Incident List

Alleged data sale of Dietology

Category: Data Breach
Content: The threat actor claims to be selling 87,389 records from Dietology. The compromised data includes client profiles (names, emails, phone numbers, subscription info), transaction details (order IDs, amounts, dates), network logs (IP addresses, session tokens), and employee statistics.
Date: 2025-07-25T13:59:10Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%AE%F0%9F%87%B7-Iran-TVU-Technical-Vocational-University-Data-Leak-100k-2025)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/850344ee-6b10-48cf-a73d-6c3f3feeb096.png

Threat Actors: lCap0ne
Victim Country: Russia
Victim Industry: Health & Fitness
Victim Organization: dietology
Victim Site: dietology.live

Alleged data sale of FSJNow Classifieds Fort St John

Category: Data Breach
Content: The threat actor claims to be selling a 6.2MB dataset from FSJNow Classifieds Fort St John allegedly exposing over 42,000 records. The compromised data reportedly includes 30,337 user profiles containing names, emails, hashed passwords, phone numbers, and location coordinates, along with 11,619 dehashed email-password pairs. Additional exposed information includes company data, IP logs, and login timestamps.
Date: 2025-07-25T13:39:12Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%A8%F0%9F%87%A6-Canada-FSJNow-com-%E2%80%94-Community-Platform-Data-Breach-42K-Records-Exposed-2025)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/111c3988-38a3-4031-9e15-9850f5bbc875.png

Threat Actors: lCap0ne
Victim Country: Canada
Victim Industry: Marketing, Advertising & Sales
Victim Organization: fsjnow classifieds fort st john
Victim Site: fsjnow.com

Alleged data sale of All Travels Maldives Pvt Ltd

Category: Data Breach
Content: The threat actor claims to be selling a 12MB SQL database from All Travels Maldives Pvt Ltd, allegedly exposing 68,980 records. The compromised data includes user emails, hashed passwords, phone numbers, guest names, nationalities, passport/ID details, and payment voucher info.
Date: 2025-07-25T13:32:49Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%B2%F0%9F%87%BB-Maldives-AllTravels-mv-%E2%80%94-Resort-Booking-User-Data-Leak-68-980-Records)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/7d4ff97d-0b7b-4159-b121-8a98ecd581a9.png

Threat Actors: lCap0ne
Victim Country: Maldives
Victim Industry: Hospitality & Tourism
Victim Organization: all travels maldives pvt ltd
Victim Site: alltravels.mv

Alleged data sale of PHED Tanker Tracking System

Category: Data Breach
Content: The threat actor claims to be selling a massive 10GB MySQL dump from PHED Tanker Tracking System, allegedly exposing over 77 million water delivery logistics records spanning India (Rajasthan) and Hong Kong. The leaked dataset includes customer profiles (with GPS-tagged addresses), trip logs, tanker volumes, OTPs, driver and vehicle details, and real-time tracking data with timestamps.
Date: 2025-07-25T13:29:14Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%AE%F0%9F%87%B3%F0%9F%87%AD%F0%9F%87%B0-PhedTanker-com-%E2%80%94-Water-Delivery-Logistics-Leak-77M-Records-Exposed)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/05b97318-29e5-4149-bc45-ec96aee7e68d.png

Threat Actors: lCap0ne
Victim Country: India
Victim Industry: Government Relations
Victim Organization: phed tanker tracking system
Victim Site: phedtanker.com

Alleged data sale of SPACE CO., LTD.

Category: Data Breach
Content: The threat actor claims to be selling 7k records from SPACE CO., LTD. The exposed data includes names of tenants and contractors (both individuals and companies), building names, room numbers, contract start and end dates, notice periods, and full Japanese address details.
Date: 2025-07-25T13:29:09Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%AF%F0%9F%87%B5-Japan-Space-Rent-co-jp-%E2%80%94-Real-Estate-Database-Leak-7-000-Records-2025)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/8c182b05-8f46-46d4-941d-33fd8ea27678.png

Threat Actors: lCap0ne
Victim Country: Japan
Victim Industry: Real Estate
Victim Organization: space co., ltd.
Victim Site: space-rent.co.jp

Alleged data breach of nurse.designs-solutions

Category: Data Breach
Content: The group claims to have leaked the database of nurse.designs-solutions
Date: 2025-07-25T13:17:33Z
Network: telegram
Published URL: (https://t.me/nxbbsec/1383)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/589ae64f-4df8-432a-b36c-2695cb0a18cc.png

Threat Actors: NXBB.SEC
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: nurse.designs-solutions
Victim Site: nurse.designs-solutions.com

Alleged Sale of U.S.-Based Magento Shop Admin Access with Credit Card Form

Category: Initial Access
Content: The threat actor claims to be selling full admin access to a Magento-based online shop located in the United States, with an active credit card payment form
Date: 2025-07-25T13:15:45Z
Network: openweb
Published URL: (https://forum.exploit.in/topic/263057/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/80fe3862-c6b0-424d-b90f-56bc6186d25b.PNG

Threat Actors: izumrud
Victim Country: USA
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged Leak of Hebei Province China Population Database

Category: Data Breach
Content: The threat actor claims to be selling a database containing information on 14.66 million individuals from Hebei Province, China. The exposed data reportedly includes names, ID card numbers, phone numbers, and addresses. The dataset is provided in.txt format with a total size of 18.57 GB, and access is restricted behind a credit-based system.
Date: 2025-07-25T13:12:59Z
Network: openweb
Published URL: (https://leakbase.la/threads/14-66m-hebei-province-china-population-db.40764/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/db08d6b1-5239-4b6e-b0b6-4e85a3b7f397.PNG

Threat Actors: terebiasah
Victim Country: China
Victim Industry: Unknown
Victim Organization: hebei province
Victim Site: Unknown

Alleged Leak of UK Employee Records

Category: Data Leak
Content: The threat actor claims to be selling a freshly obtained database containing 20,000 UK employee records, which includes full personal and employment details such as names, dates of birth, National Insurance numbers, payroll numbers, email addresses, payee names, employer information, payslip options, and foreign account identifiers. The data is provided in CSV format.
Date: 2025-07-25T12:51:14Z
Network: openweb
Published URL: (https://forum.exploit.in/topic/263052/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/b1e1d76a-aa1a-4d73-96eb-1a89f50ab518.PNG

Threat Actors: hensi
Victim Country: UK
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged unauthorized root access to SPECO Control sro

Category: Initial Access
Content: The group claims to have gained unauthorized root access to the automation system of SPECO’s wastewater treatment facilities in Dlouhá Lhota, Czechia. The actor claims full control over pumps, valves, oxygen supply, sensor data, and emergency systems, potentially enabling ecological and technical disruption.
Date: 2025-07-25T11:53:56Z
Network: telegram
Published URL: (https://t.me/Z_alliance_ru/577)
Screenshots:

Threat Actors: Z-ALLIANCE
Victim Country: Czech Republic
Victim Industry: Industrial Automation
Victim Organization: speco control sro
Victim Site: speco.cz

Alleged data sale of an unknown Vietnamese e-commerce platform

Category: Data Leak
Content: The threat actor is selling an unknown Vietnamese e-commerce order data which includes unsigned and undelivered orders with details such as customer names, addresses, phone numbers, products, payment type, courier info, and tracking IDs.
Date: 2025-07-25T11:39:14Z
Network: openweb
Published URL: (https://darkforums.st/Thread-REAL-TIME-VIETNAM-ORDERS-DATA)
Screenshots:

Threat Actors: VietnameseDATA
Victim Country: Vietnam
Victim Industry: E-commerce & Online Stores
Victim Organization: Unknown
Victim Site: Unknown

Alleged Leak of Valid USA/Europe Credential Combo List

Category: Combo List
Content: The threat actor claims to have shared a combo list containing 4,100 valid login credentials allegedly from a mix of users in the USA and Europe.
Date: 2025-07-25T11:32:53Z
Network: openweb
Published URL: (https://leakbase.la/threads/4-1k-usa-europe-mixed-valid-combolist.40760/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/766531ea-852f-42bc-b0f2-c54ade95c726.PNG

Threat Actors: ComboPro
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data sale of an unknown Hong Kong based shipping platform

Category: Data Leak
Content: The threat actor claims to be selling 33,854 logistics records from an Unknown Hong Kong-based shipping platform. The file of 14.9MB, allegedly includes order IDs, customer names, phone numbers, addresses, delivery preferences, and metadata such as pickup points and shipping fees.
Date: 2025-07-25T11:11:38Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%AD%F0%9F%87%B0-33854%E9%A6%99%E6%B8%AF-Logistics-Platform-14-9MB-XLSX-%E2%80%94-33-854-Shipping-Records-Exposed-2025)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/82325974-c133-46b0-8899-9be51d483214.png

Threat Actors: lCap0ne
Victim Country: China
Victim Industry: Transportation & Logistics
Victim Organization: Unknown
Victim Site: Unknown

Alleged data sale of MagicSky

Category: Data Breach
Content: The threat actor claims to be selling 30,508 structured customer records from MagicSky leaked on October 23, 2024. The file of 2.41MB allegedly contains full names, phone numbers, addresses, transaction IDs, and order histories dating back to 2019.
Date: 2025-07-25T11:11:25Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%AD%F0%9F%87%B0-MagicSky-com-hk-%E2%80%94-Hong-Kong-Educational-Consumer-Order-Leak-30-508-Records)
Screenshots:

Threat Actors: lCap0ne
Victim Country: China
Victim Industry: Recreational Facilities & Services
Victim Organization: magicsky
Victim Site: magicsky.com.hk

Alleged Access Sale to Mexican Federal Organization

Category: Initial Access
Content: The threat actor claims to be auctioning VPN and domain user access to a federal organization based in Mexico.
Date: 2025-07-25T10:47:06Z
Network: openweb
Published URL: (https://forum.exploit.in/topic/263044/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/4c121f36-4ec6-4ba9-ba24-e25fb35b9e17.PNG

Threat Actors: leakman
Victim Country: Mexico
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged VPN and Domain Access Sale Targeting French and Omani Firms

Category: Initial Access
Content: The threat actor claims to be selling unauthorized VPN and domain user access to two separate organizations:
Date: 2025-07-25T10:43:54Z
Network: openweb
Published URL: (https://forum.exploit.in/topic/263045/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/6fda9c95-20f9-438e-b15a-ff942b125ac9.PNG

Threat Actors: leakman
Victim Country: Oman
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged RDWeb Access Sale to Dutch Finance Firm

Category: Initial Access
Content: The threat actor claims to be selling RDWeb access tied to a financial organization based in the Netherlands, allegedly generating $16 million in revenue. The listing includes access to a domain user network with 172 domain-joined computers. The compromised environment reportedly uses SentinelOne for antivirus protection.
Date: 2025-07-25T10:39:15Z
Network: openweb
Published URL: (https://forum.exploit.in/topic/263051/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/bef85f37-9c9b-44c0-97ff-baaacda4e356.PNG

Threat Actors: samy01
Victim Country: Netherlands
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown

Alleged Sale of Corporate Email Credentials

Category: Data Leak
Content: The threat actor claims to be auctioning a database containing 7,000 valid corporate email and password combinations from the USA and EU regions
Date: 2025-07-25T10:35:38Z
Network: openweb
Published URL: (https://forum.exploit.in/topic/263054/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/7a16c8d6-2342-4da3-9c6e-287db73dbb84.PNG

Threat Actors: Kay
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data sale of Fructose Limited

Category: Data Breach
Content: The threat actor claims to be selling 3,253 customer orders from Fructose Limited, leaked on September 10, 2024. The file of 3.21MB allegedly contains full names, mobile numbers, delivery addresses, order details, payment status, and gift notes. The structured dataset also includes delivery instructions and internal metadata.
Date: 2025-07-25T10:34:22Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%AD%F0%9F%87%B0-Fructose-com-hk-%E2%80%93-Premium-Fruit-Delivery-Customer-Leak-Hong-Kong-%E2%80%93-3-253-Order)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/cb98f106-8b2e-407c-8b85-ba2e9118e365.png

Threat Actors: lCap0ne
Victim Country: China
Victim Industry: E-commerce & Online Stores
Victim Organization: fructose limited
Victim Site: fructose.com.hk

Alleged data sale of Oceanus World

Category: Data Breach
Content: The threat actor claims to be selling 3,960 customer records from Oceanus World leaked on October 22, 2024. The file of 377KB allegedly contains names, phone numbers, delivery addresses, and order details like seafood items, prices, and delivery schedules.
Date: 2025-07-25T10:33:55Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-%F0%9F%87%AD%F0%9F%87%B0-Oceanus-World-Premium-Seafood-Store-Hong-Kong-3-960-Orders-Exposed-2024)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/faa189ca-9b47-43e9-9816-ac956ae1c3fb.png

Threat Actors: lCap0ne
Victim Country: Canada
Victim Industry: Information Technology (IT) Services
Victim Organization: oceanus world
Victim Site: oceanus-world.com

Allege data leak of EnerHome Consulting Ltd.

Category: Data Breach
Content: The threat actor claims to have leaked database and admin panel access for EnerHome Consulting Ltd., a Canadian energy consultation firm. The dataset reportedly includes over 233,000 verified homeowner records from 2023 to mid-2025, containing full names, Canadian phone numbers, verified emails, complete addresses, postal codes, installation schedules, advisor assignments, payment statuses, application details, and service interest markers.
Date: 2025-07-25T09:21:55Z
Network: openweb
Published URL: (https://darkforums.st/Thread-%F0%9F%94%B4%C2%A0-ENERHOMECONSULTING-CA-DATABASE)
Screenshots:

Threat Actors: menksoaDF
Victim Country: Canada
Victim Industry: Building and construction
Victim Organization: enerhome consulting ltd.
Victim Site: enerhomeconsulting.ca

Alleged data breach of Dubai Police Smart Training Center (STC)

Category: Data Breach
Content: The group claims to have leaked personal and professional details of a senior UAE police officer affiliated with the Transportation Security Department under UAE Police, including Dubai and Abu Dhabi Police. The leaked data includes the officer’s full name, email address, job number, department, rank, gender, and mobile number.
Date: 2025-07-25T06:34:37Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/125?single)
Screenshots:

Threat Actors: JoKeiR 07x
Victim Country: UAE
Victim Industry: Government Administration
Victim Organization: dubai police smart training center
Victim Site: stcpolice.ae

Alleged Data Breach of JAHIZ

Category: Data Breach
Content: The group claims responsibility for hacking a UAE government website related to a national initiative for training federal employees in future skills JAHIZ.
Date: 2025-07-25T06:33:22Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/121)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/d3818c9f-d531-4de3-8a5e-6a2023d60949.png

Threat Actors: JoKeiR 07x
Victim Country: UAE
Victim Industry: Government Administration
Victim Organization: jahiz
Victim Site: jahiz.gov.ae

Alleged Data Breach of JAHIZ

Category: Data Breach
Content: The group claims responsibility for hacking a UAE government website related to a national initiative for training federal employees in future skills JAHIZ.
Date: 2025-07-25T06:27:01Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/121)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/d3818c9f-d531-4de3-8a5e-6a2023d60949.png

Threat Actors: JoKeiR 07x
Victim Country: UAE
Victim Industry: Government Administration
Victim Organization: jahiz
Victim Site: jahiz.gov.ae

Alleged Data Breach JAHIZ

Category: Data Breach
Content: The group claims responsibility for hacking a UAE government website related to a national initiative for training federal employees in future skills JAHIZ.
Date: 2025-07-25T06:26:47Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/121)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/d3818c9f-d531-4de3-8a5e-6a2023d60949.png

Threat Actors: JoKeiR 07x
Victim Country: UAE
Victim Industry: Government Administration
Victim Organization: jahiz
Victim Site: jahiz.gov.ae

Alleged data breach of digital dubai

Category: Data Breach
Content: A threat actor group claims to have breached Dubai.ae, the official site of Dubai, alleging full undetected access to both front-end and back-end systems. The attack, led by Dark Hell 07x with collaborators, reportedly involved extracting and analyzing system data.
Date: 2025-07-25T06:06:58Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/128)
Screenshots:

Threat Actors: JoKeiR 07x
Victim Country: UAE
Victim Industry: Government Administration
Victim Organization: digital dubai
Victim Site: dubai.ae

Alleged data breach of Dubai Police Smart Training Center (STC)

Category: Data Breach
Content: The group claims to have leaked personal and professional details of a senior UAE police officer affiliated with the Transportation Security Department under UAE Police, including Dubai and Abu Dhabi Police. The leaked data includes the officer’s full name, email address, job number, department, rank, gender, and mobile number.
Date: 2025-07-25T06:04:16Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/125?single)
Screenshots:

Threat Actors: JoKeiR 07x
Victim Country: UAE
Victim Industry: Government Administration
Victim Organization: dubai police smart training center
Victim Site: stcpolice.ae

Alleged data breach of TerraNet

Category: Data Breach
Content: The threat actor claims to have breached TerraNet Lebanon, gaining undetected access to all systems and allegedly exposing 1,163 wallets, each containing 100 USDT.
Date: 2025-07-25T06:02:23Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/146)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/8a226721-ab74-4760-a65c-66555f149183.jpg

Threat Actors: JoKeiR 07x
Victim Country: Lebanon
Victim Industry: Network & Telecommunications
Victim Organization: terranet
Victim Site: terra.net.lb

Alleged data breach of digital duabi

Category: Data Breach
Content: A threat actor group claims to have breached Dubai.ae, the official site of Dubai, alleging full undetected access to both front-end and back-end systems. The attack, led by Dark Hell 07x with collaborators, reportedly involved extracting and analyzing system data.
Date: 2025-07-25T06:01:21Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/128)
Screenshots:

Threat Actors: JoKeiR 07x
Victim Country: UAE
Victim Industry: Government Administration
Victim Organization: digital dubai
Victim Site: dubai.ae

Alleged data breach of CORTE SUPERIOR DE JUSTICIA LIMA NORTE

Category: Data Breach
Content: A threat actor claims to have exploited Peru’s judicial system (sirejud.pj.gob.pe) to access and download confidential case files tied to Lima Norte prosecutors, using a bot that guessed document links based on staff name patterns and ID numbers.
Date: 2025-07-25T05:46:33Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Document-CORTE-SUPERIOR-DE-JUSTICIA-LIMA-NORTE-2025)
Screenshots:

Threat Actors: Gatito_FBI_Nz
Victim Country: Peru
Victim Industry: Judiciary
Victim Organization: corte superior de justicia lima norte
Victim Site: sirejud.pj.gob.pe

Alleged data breach of EHSUAE | Emirates Health Services Establishment

Category: Data Breach
Content: Threat actor claiming affiliation with the “Dark Hell 07x” group, in collaboration with “Jokeir 07X” and “Dr. SHell 08x,” has claimed responsibility for a breach of maharati.ehs.gov.ae, a UAE government healthcare training platform operated by Emirates Health Services (EHS). The group alleges that it has exfiltrated 111 GB of data during the intrusion.
Date: 2025-07-25T05:41:34Z
Network: telegram
Published URL: (https://t.me/JokeirR07x/117?single)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/7918c90d-4cd4-4335-aab7-7437a00da455.png

Threat Actors: JoKeiR 07x
Victim Country: UAE
Victim Industry: Hospital & Health Care
Victim Organization: ehsuae | emirates health services establishment
Victim Site: maharati.ehs.gov.ae

Alleged document leak U.S. TASK FORCE LATIGO

Category: Data Leak
Content: The threat actor claims to have leaked a classified document related to the U.S. Task Force Latigo.
Date: 2025-07-25T05:31:00Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Document-U-S-TASK-FORCE-LATIGO-CLASSIFIED-DOCUMENT-LEAK)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/3b8883d3-8849-4a3b-aeb8-380103db72a1.png

Threat Actors: ANONx09
Victim Country: USA
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown

Alleged data breach of Dominos

Category: Data Breach
Content: The threat actor claims to have breached the website of Dominos France, allegedly gaining access to data from over 500,000 users.
Date: 2025-07-25T05:17:19Z
Network: openweb
Published URL: (https://leakbase.la/threads/dominos-fr-500k.40752/)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/83ca65af-1eb9-4572-b7f1-7a459115835c.jpg

Threat Actors: inexorabledisco
Victim Country: France
Victim Industry: Food & Beverages
Victim Organization: dominos
Victim Site: dominos.fr

Alleged data breach of Fiscalía General del Estado de San Luis Potosí

Category: Data Breach
Content: The threat actor claims to be selling breached data from the Fiscalía General del Estado de San Luis Potosí, a Mexican government agency responsible for law enforcement and public prosecution. The breach involves over 73,000 PDF documents totaling 36.4 GB, allegedly containing criminal record certificates and other sensitive legal documents managed through the agency’s official online platform (fiscaliaslp.gob.mx). This portal is used by citizens for services such as background checks and lost document reports.
Date: 2025-07-25T03:31:30Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-Criminal-Justice-and-Public-Services-San-Luis-Potos%C3%AD-Prosecutor-Breach-34-6-GB)
Screenshots:

Threat Actors: Kazu
Victim Country: Mexico
Victim Industry: Government Administration
Victim Organization: fiscalía general del estado de san luis potosí
Victim Site: fiscaliaslp.gob.mx

Alleged unauthorized access to Rocchetta Nervina

Category: Initial Access
Content: The group claims to have gained unauthorized access to Rocchetta Nervina.
Date: 2025-07-25T02:47:50Z
Network: telegram
Published URL: (https://t.me/n2LP_wVf79c2YzM0/718)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/7c037a5a-e5b0-41e6-b83c-6fa78e96ef1a.jpg

Threat Actors: Infrastructure Destruction Squad
Victim Country: Italy
Victim Industry: Agriculture & Farming
Victim Organization: rocchetta nervina
Victim Site: rocchettanervina.com

Alleged data leak of Administradora de Fondos de Pensiones

Category: Data Breach
Content: The threat actor claims to have leaked a comprehensive database containing personal information of approximately 4 million individuals affiliated with Peru’s private pension system (AFP – Administradoras de Fondos de Pensiones). The exposed data, shared in.sql format, allegedly includes full names, national ID numbers (DNI), dates of birth, gender, nationality, geographic details (district, province, department), phone numbers, email addresses, and pension-related information such as AFP codes and fund types. The SQL dump, reportedly 1.38 GB uncompressed and 210 MB compressed.
Date: 2025-07-25T02:20:03Z
Network: openweb
Published URL: (https://darkforums.st/Thread-AFP-PERU-DATABASE-LEAK-4M)
Screenshots:

Threat Actors: hannibalmaa
Victim Country: Peru
Victim Industry: Financial Services
Victim Organization: afp association
Victim Site: asociacionafp.pe

Alleged data leak of Administradora de Fondos de Pensiones

Category: Data Breach
Content: The threat actor claims to have leaked a comprehensive database containing personal information of approximately 4 million individuals affiliated with Peru’s private pension system (AFP – Administradoras de Fondos de Pensiones). The exposed data, shared in.sql format, allegedly includes full names, national ID numbers (DNI), dates of birth, gender, nationality, geographic details (district, province, department), phone numbers, email addresses, and pension-related information such as AFP codes and fund types. The SQL dump, reportedly 1.38 GB uncompressed and 210 MB compressed.
Date: 2025-07-25T02:19:25Z
Network: openweb
Published URL: (https://darkforums.st/Thread-AFP-PERU-DATABASE-LEAK-4M)
Screenshots:

Threat Actors: hannibalmaa
Victim Country: Argentina
Victim Industry: Financial Services
Victim Organization: afp association
Victim Site: asociacionafp.pe

Alleged data breach of Policía de Santa Cruz

Category: Data Breach
Content: The threat actor claims to be leaking internal payroll and personnel documents from the Police of Santa Cruz, Argentina. The leaked archive reportedly contains thousands of records, including payroll liquidation files, administrative spreadsheets, a full personnel list with names, ranks, and national ID numbers, and official PDF documents with barcodes. Ranks listed range from “Agente” to “Comisario” and “Cadete.” The exposed folders include multiple categorized payroll directories, and a sample provided lists an individual’s full identity and position.
Date: 2025-07-25T01:58:48Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Document-Police-Payroll-Internal-Documents-Leak)
Screenshots:

Threat Actors: DelitosPenales
Victim Country: Argentina
Victim Industry: Government Administration
Victim Organization: policía de santa cruz
Victim Site: policiadesantacruz.gob.ar

Alleged data breach of Phuket Provincial Administrative Organization

Category: Data Breach
Content: The threat actor claims to have breached the Phuket Provincial Administrative Organization (PPAO), gaining full access to the system administrator panel.
Date: 2025-07-25T01:51:56Z
Network: telegram
Published URL: (https://t.me/We_H3c4kedz1/298)
Screenshots:

Threat Actors: H3C4KEDZ
Victim Country: Thailand
Victim Industry: Government Administration
Victim Organization: phuket provincial administrative organization
Victim Site: ppao.go.th

Alleged data breach of Treasure data

Category: Data Breach
Content: Threat actor claims to be selling security event data from a United States organization using the Treasure Data platform. The compromised data reportedly includes event timestamps, user IDs, event codes, and associated security keys, with over 109 Million records stored in the database.
Date: 2025-07-25T01:35:03Z
Network: telegram
Published URL: (https://t.me/c/2490485755/14615)
Screenshots:

Threat Actors: DigitalGhost
Victim Country: USA
Victim Industry: Software Development
Victim Organization: treasure data
Victim Site: treasuredata.com

Alleged data breach of Treasure data

Category: Data Breach
Content: Threat actor claims to be selling security event data from a Japanese organization using the Treasure Data platform. The compromised data reportedly includes event timestamps, user IDs, event codes, and associated security keys, with over 109 Million records stored in the database.
Date: 2025-07-25T01:29:19Z
Network: telegram
Published URL: (https://t.me/c/2490485755/14615)
Screenshots:

Threat Actors: DigitalGhost
Victim Country: Japan
Victim Industry: Software Development
Victim Organization: treasure data
Victim Site: treasuredata.com

Alleged data breach of Multiple organization

Category: Data Breach
Content: A threat actor claims to be selling a leaked customer database allegedly sourced from Spanish energy companies Naturgy Iberia, Iberdrola, Endesa, and Nedgia Catalunya, containing 200,000 records. The data, available in CSV/XLSX format, reportedly includes full names, national ID numbers, phone numbers, email addresses, service locations, inspection history.
Date: 2025-07-25T00:12:02Z
Network: openweb
Published URL: (https://darkforums.st/Thread-Selling-200K-Spain-Energias-NATURGY-IBERIA-IBERDROLA-ENDESA-NEDGIA-CATALUNYA)
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/ee646273-3e76-4b34-abc4-9a80caa7edbe.png

Threat Actors: N4t0x
Victim Country: Spain
Victim Industry: Energy & Utilities
Victim Organization: naturgy iberia
Victim Site: naturgy.com

Analysis of Incident Patterns

A review of the incident categories across all 42 entries reveals an overwhelming prevalence of data exfiltration activities. “Data Breach” and “Data Leak” incidents collectively account for the vast majority of the observed cybercriminal activities.¹ This statistical dominance underscores that the acquisition and subsequent monetization of sensitive information remain primary objectives for threat actors in the current digital landscape. The sheer volume of such incidents highlights a persistent and defining characteristic of the observed threat landscape, indicating a sustained focus on compromising and exploiting data assets.

Beyond direct data compromise, a significant trend involves the strategic role of initial access brokerage. Eight incidents are explicitly categorized as “Initial Access”.¹ The descriptions for these entries detail the sale of various types of network footholds, ranging from administrative access to e-commerce platforms to root access within industrial control systems, as well as VPN and domain user access to corporate networks. These initial access points are not typically the final goal of an attack; rather, they represent critical first steps in a larger, multi-stage attack chain. Such offerings constitute a specialized and active market within the cyber underground, facilitating subsequent, more damaging operations like ransomware deployment, extensive data exfiltration, or operational disruption. For instance, the compromise of SPECO Control sro, an industrial automation entity, explicitly mentions gaining “full control over pumps, valves, oxygen supply, sensor data, and emergency systems, potentially enabling ecological and technical disruption”.¹ This illustrates the severe real-world consequences that can stem from the sale of initial network access.

An examination of the platforms where these incidents are publicized reveals dominant channels for illicit cyber activities. The network field indicates a strong preference for openweb (specifically dark forums such as darkforums.st, leakbase.la, exploit.in, kittyforums.to, and xss.is) and telegram as the primary venues for threat actors to advertise and sell compromised data and access.¹ This widespread use of these platforms, particularly Telegram which is more accessible than traditional dark web forums, suggests a potential trend towards lower barriers to entry for illicit activities and broader dissemination of breach information. The prevalence of these networks confirms their role as central marketplaces and communication hubs for cybercriminals. Proactive threat intelligence gathering efforts should therefore prioritize continuous monitoring of these specific openweb forums and Telegram channels to identify emerging threats, track actor activities, and gain early warnings of potential compromises.

The geographical distribution of affected entities, as indicated by the “Victim Country” field, demonstrates a wide global reach of these cyber threats. Affected countries include Russia, Canada, Maldives, India, Japan, UK, Czech Republic, Vietnam, Mexico, Oman, Netherlands, Italy, Peru, Argentina, Thailand, UAE, Lebanon, France, Spain, and USA, alongside instances where the victim country is “Unknown”.¹ Concurrently, the “Victim Industry” field reveals a broad spectrum of targeted sectors, ranging from “Health & Fitness” and “Hospitality & Tourism” to “Government Administration,” “Financial Services,” “Industrial Automation,” and “Judiciary”.¹ This extensive geographical and sectoral diversity signifies that cyber threats are truly global and often indiscriminate. Threat actors appear opportunistic, targeting any vulnerable entity regardless of its location or business domain. This highlights the interconnectedness of the global digital landscape and the universal need for robust cybersecurity measures.

An analysis of the threat_actors field identifies several prolific and potentially organized entities. For example, “lCap0ne” is linked to multiple incidents, as are “JoKeiR 07x” and “DigitalGhost”.¹ The explicit mention of “Dark Hell 07x” collaborating with “Jokeir 07X” and “Dr. SHell 08x” in one incident further confirms the existence of group affiliations among these actors.¹ The repeated appearance of specific threat actor names indicates that the cybercriminal landscape includes both highly active individuals and coordinated groups. Tracking these actors allows for the development of more targeted threat intelligence, including their typical tactics, techniques, and procedures (TTPs), preferred victim profiles, and methods of monetization. Understanding these patterns can significantly enhance cybersecurity defenses by informing defensive strategies, improving threat hunting capabilities, and contributing to more effective attribution efforts.

The nature of the compromised data consistently points to a high level of sensitivity, carrying significant implications for victims. The content field frequently details the compromise of highly sensitive information, including client profiles, hashed and dehashed passwords, financial transaction details, passport/ID numbers, GPS-tagged addresses, employee payroll and National Insurance numbers, and even classified government documents (e.g., U.S. Task Force Latigo) and criminal record certificates.¹ Furthermore, incidents involving “combo lists” directly provide credentials for potential reuse.¹ The exfiltration of such deeply sensitive and personally identifiable information (PII) elevates the risk of identity theft, sophisticated phishing campaigns, financial fraud, and blackmail. The availability of dehashed credentials and combo lists directly facilitates credential stuffing attacks against other online services, creating a cascading effect of potential compromises. Moreover, access to internal systems via API keys, tokens, or administrative dashboards, as seen in some data breaches, indicates that initial compromises can provide deep footholds for further exploitation and complete system takeovers.¹

Conclusion

The incidents detailed in this report highlight a dynamic and persistent landscape of cyber threats, predominantly characterized by data exfiltration and the sale of initial network access. The vast majority of observed incidents (34 out of 42) fall under the “Data Breach” or “Data Leak” categories, underscoring the primary motivation of threat actors to acquire and monetize sensitive information.¹ A significant number of incidents (8 out of 42) also involve the sale of “Initial Access” ¹, indicating a specialized market for gaining footholds within target networks, often as a precursor to more damaging attacks.

Threat actors consistently leverage openweb forums and telegram channels as primary platforms for advertising and selling compromised assets.¹ This trend reinforces the strong financial motivation behind these cyber incidents and highlights the accessibility of illicit marketplaces. The incidents demonstrate a broad geographical reach and impact across diverse sectors, from health and fitness to government administration, financial services, and critical infrastructure.¹ The compromise of highly sensitive data, including personal records, financial details, and classified documents, poses significant risks such as identity theft, fraud, and potential disruption of essential services.¹

A recurring pattern observed is the persistent targeting of critical infrastructure components and government bodies. Examples include water delivery logistics systems, wastewater treatment facilities, police and judicial systems, and various government administrative platforms.¹ The consistent targeting of these sectors signifies a heightened national security and public safety risk. Successful breaches in these areas can lead to widespread disruption of essential services, erosion of public trust, and compromise of highly sensitive citizen data or defense information. This extends beyond typical corporate data breaches, directly impacting societal functions and national stability.

In light of these findings, it is imperative for organizations to maintain and continuously enhance their cybersecurity posture. Key recommendations include:

Implementing robust Identity and Access Management (IAM) solutions with multi-factor authentication (MFA) across all systems.
Deploying comprehensive data loss prevention (DLP) strategies and strong encryption for data at rest and in transit.
Conducting continuous vulnerability management, regular penetration testing, and timely patching of all systems.
Investing in proactive threat intelligence gathering, particularly from underground forums and channels, to anticipate and mitigate emerging threats.
Developing and regularly testing incident response plans to ensure rapid and effective containment and recovery from breaches.
Providing ongoing cybersecurity awareness training for all employees to mitigate human-centric vulnerabilities.

The observed patterns underscore the persistent and evolving nature of cyber threats. Organizations must adopt adaptive and resilient cybersecurity frameworks, fostering a culture of security to defend against the wide array of sophisticated and opportunistic attacks continuously emerging in the digital landscape.

Introduction

Incident Details

Incident List

Analysis of Incident Patterns

Conclusion

Related Posts

Scale AI Integrates Pesto AI Team to Enhance AI Data Solutions

Lucid Motors Acquires Nikola’s Arizona Facilities to Bolster Manufacturing Capabilities

Cybersecurity Threat Roundup – April 3, 2025