[June-01-2026] Daily Cybersecurity Threat Report

I. Executive Summary

This report details a series of recent cyber incidents, providing key information for each event strictly based on the provided draft data from June 1, 2026, and May 31, 2026. The threat landscape during this period is characterized by massive data breaches orchestrated by high-profile actors, extensive sale of initial access to critical infrastructure, a high volume of structured database sales by prolific brokers, and coordinated mass defacement campaigns.

II. Threat Actor Profiling and Major Campaigns

A. ShinyHunters

The threat actor group ShinyHunters was responsible for some of the most critical and high-volume data breaches recorded during this period.

Live Nation / TicketMaster: The actor claimed to have breached Live Nation/TicketMaster, exfiltrating approximately 560 million customer records totaling 1.3TB of data. The stolen data includes full customer details, ticket sales, event information, order details, and credit card information, offered for $50,000 USD. In a separate but related incident, the actor offered 10 million printable Ticketmaster e-ticket barcodes for major events (e.g., Taylor Swift, Rolling Stones) for $10,000 USD.
Neiman Marcus: ShinyHunters compromised Neiman Marcus infrastructure, obtaining 182 million customer profiles, 3 million plaintext credit card numbers, 50 million customer emails with IP tracking, and 12 million gift card numbers. The dataset, which also includes 6 billion rows of customer shopping records, was priced at $10,000 USD.
National Credit Information Center of Vietnam: The group offered a full database dump containing over 160 million records with customer financial information for $10,000 USD.
NVIDIA: The actor claimed to have compromised NVIDIA’s GeForce Now service, exfiltrating 1.3 million user records from the backend, offered for $5,000 USD.
Compass.com: Full administrative access to Compass.com (a US real estate tech company) was offered for $30,000 USD, including access to their admin panel, internal network, Okta, Stripe, Salesforce, and source code.
Critical Infrastructure & Government: ShinyHunters claimed a breach of an unnamed Iranian nuclear facility, exfiltrating 340GB of surveillance footage and 550GB of classified files, priced at $100,000 USD. The group also claimed a breach of the French centralized Weapons Information System, leaking 62,511 unique weapon records alongside owner data.
GAP, Inc.: The actor obtained 224,200 unique email addresses, phone numbers, home addresses, and loyalty program data from GAP, Inc..

B. Rupert and Databasehooligan (High-Volume Database Brokers)

The threat actor “Rupert” executed a massive campaign selling highly structured database dumps from retail, telecommunications, government, and education sectors across the globe. The datasets are almost uniformly structured into three interconnected tables (e.g., Contacts, Orders, Support Tickets) and are typically priced between $900 and $1,400, often accepting forum escrow. The actor “Databasehooligan” utilized near-identical methodologies, targeting primarily US and UK entities.

Key Retail and E-commerce Breaches (Rupert/Databasehooligan):

Europe: Darty (France) suffered breaches exposing 520,000 and 428,000 customer records. Additional victims include Vatera (Hungary, 492,000 records) , Mobilfox (Hungary, 312,000 records) , Karkkainen (Finland, 473,000 records) , Schaefer Shop (Germany, 742,000 records) , autoteile24 (Germany, 742,000 records) , Radio Popular (Portugal, 437,000 and 237,000 records) , Continente (Portugal, 576,000 records) , Vliegershop (Netherlands, 875,000 records) , hotelsinnederland (Netherlands, 287,000 records) , Broil King BBQ (Greece, 317,000 records) , and Chateau Primeur (France, 243,000 records).
Asia-Pacific & Middle East: Victims include Wildberries (Russia, 732,000 records) , Noon.com (Saudi Arabia, 738,000 records) , PChome EC (Taiwan, 437,000 records) , PCstore (Taiwan, 487,000 records) , Baan Lae Suan (Thailand, 413,000 records) , Pramool (Thailand, 483,000 records) , Kaidee (Thailand, 527,000 records) , 11ST (South Korea, 652,000 records) , i-mall (South Korea, 742,000 records) , Mirae-N (South Korea, 745,000 records) , and OLX Philippines (623,000 records).
Americas & Africa: Midas (South Africa, 463,000 records) , Gian Bo Fuegos Artificiales (Venezuela, 768,000 records) , and Wanderers Club (South Africa, 674,000 records). Databasehooligan targeted Copart (US, 533,000 records) , Sportsmans Warehouse (US, 715,000 records) , US Squash (684,000 records) , Rightmove (UK, 357,000 records) , and Checkatrade (UK, 624,000 records).

Key Telecommunications & Technology Breaches (Rupert):

MasMovil (Spain, 742,000 records).
Wind Tre (Italy, 563,000 records).
Fastweb (Italy, 536,000 records).
Telkom South Africa (742,000 records).
au/KDDI (Japan, 243,000 records).
HKT Limited (Hong Kong, 482,000 records).
Mytelnet (Tunisia, 478,000 records).
CSI Telecom (Mexico, 732,000 records).
T-Mobile Czech Republic (387,000 records).

Government & Education Targets (Rupert/Databasehooligan):

Nitaqat Portal (Saudi Arabia, 437,000 records).
Ministry of Tourism (Venezuela, 542,000 records).
Securities and Exchange Commission of Pakistan (387,000 records).
Rosmolodezh (Russia, 478,000 records).
National Personnel Authority (Japan, 742,000 records).
CONACYT (Mexico, 384,000 records).
Cairo University (Egypt, 748,000 records).
Kumon (Japan, 612,000 records).
UK Course Finder (417,000 records).

C. Hacktivists and Defacement Campaigns

Zod: This threat actor executed a widespread mass defacement campaign targeting Linux-based servers. The actor consistently deployed defacement pages at the /zod.html path. Targets included Japanese educational institutions like Kanda School , Uriage News , K-School , Egypt Tours , and multiple subdomains hosted on WPProService.
EbRaHiM-VaKeR (LegioN LeakeR): Also targeting Linux-hosted servers, this actor engaged in mass defacements that heavily overlapped with Zod’s targets, including K-School , Kanda School , and Uriage News.
CiaoxD_ (Brotherhood Capung Indonesia): This actor focused on targeted homepage defacements. Victims included VillageMilk , Ayuzing , IPS-EEC , Semantob , rohpo.in (India) , and Witherspoon Meat Market (US).
Ruiixh4xor (SHENHAXSEC): Executed single, non-mass homepage defacements against dytools.click , aitip.me , and ChinaBuyHelper.

III. Critical Infrastructure and Government Exposures

In addition to the breaches by ShinyHunters and Rupert, government and critical infrastructure entities faced severe targeting:

NASA: A threat actor (hackformetome) offered persistent web shell access and an RCE exploit targeting a live nasa.gov host physically located in a NASA data center. The access provides www-data level remote code execution and reaches internal CIDRs behind firewalls, priced at $10,000 in Monero.
Noi Bai International Airport (Vietnam): The “Infrastructure Destruction Squad” claimed a successful attack resulting in the complete destruction of network infrastructure, disabling router interfaces, internal bridges, and primary internet connectivity.
Classified Military Documents: A threat actor (mosad) offered alleged 2026 Chinese PLA military test reports , SECRET//NOFORN documents from a US government agency , and NATO Cosmic Top Secret documents. The same actor sold initial access to Pakistan’s Ministry of Foreign Affairs (mofa.gov.pk) alongside exfiltrated documents from dgmp.gov.pk.
Hajj and Pilgrimage Organization (Iran): An actor (irleak) offered 168 million database records spanning 1984 to 2024, including passports, biometrics, and details on government/military officials.
Indonesian Government: The Supreme Court (Komdanas Mahkamah Agung) suffered a database leak by actor JAX7. Additional leaks impacted the Ministry of Religious Affairs , the Gunungkidul Regency portal , and the Ministry of Energy and Mineral Resources (jdih.esdm.go.id), where exposed Docker configurations revealed hardcoded MySQL passwords and internal ports.
Colombian National Electoral Council (CNE): Actor Hydr0gen (EsqueleSquad) leaked audit reports, complaints, and 2026 campaign financing records.
US Law Enforcement: A database export from RemoteCom, a compliance platform for monitoring probationers/parolees, was leaked, exposing officer emails, client data, and compliance metrics.
Bangladesh Army: Actor blacknet00 claimed to exploit an SNMP vulnerability on a MikroTik router at Qadirabad Military Base, exposing over 500 connected devices and 50 internal networks.
Other Government Leaks: Data was breached from the Peruvian Police Anti-Drug Unit (DIRANDRO, 300,000 records) , China National Copyright Administration (47,659 records) , Iraqi Companies Registrar (450,000 employees) , and the Executive Commission for Victim Assistance in Quintana Roo, Mexico. Furthermore, a 2020 Delaware voter list and Rifle & Pistol Club membership records were leaked from an exposed S3 bucket.

IV. Widespread Corporate and Financial Data Breaches

AT&T: Actor Edric (and later Vyntra) sold an AT&T Mobile consumer database containing over 500,000 records spanning 2024-2025, including names, phone numbers, and street addresses.
Finance & Insurance: A dataset from an undisclosed Spanish gas company exposing 555,000 records including IBAN details was sold by jordanbelfortwolf. Standard Lesotho Bank suffered a breach of 472,000 records including national IDs, credit check results, and loan records. Zorgverzekeren Vergelijk (Netherlands, 417,000 records) , and Takaful Insurance (Saudi Arabia, 528,000 records) were also compromised.
Healthcare: Fortis Healthcare (India) suffered a breach of 437,000 patient records including ward assignments and billing codes. Dallah Hospital (Saudi Arabia) saw 56,000 patient records exposed. Jelgavas Veseliba (Latvia) had 237,000 records leaked.
Large-Scale Leaks & Collections: A threat actor shared an alleged database of 16,000 US gun owners , 3 million US job seekers from getofficejobs.net , 1.9 million Entrepreneur readers , and 3 million US debit leads from badcreditloans.com. A dataset of 100 million Indian users from mydukaan.io was also offered for sale.
Other Notable Corporate Breaches: Tape à l’Oeil (France, 1.7 million records); Fargo.uz (Uzbekistan, 980,000 records); SocialCatfish.com (1 million credentials); Nandos UK/Ireland (87,000 employee records) ; and GamaSoft Colombia (150GB of POS databases and client records).

V. Initial Access Brokering and Vulnerability Exploitation

A. Initial Access Markets

Threat actors actively sold access to corporate environments and cloud infrastructure:

Cloud & RDP Access: Actor PORTAL consistently offered rental RDP access to Azure, AWS, and DigitalOcean infrastructure for a $200 daily/monthly rate.
Kodex Accounts: Compromised Kodex accounts, utilized for submitting fraudulent EDR (Endpoint Detection and Response) requests to platforms like Discord and Coinbase, were sold for $4,000.
Telecom & B2B Platforms: Actor whitespace sold intelligence packages for an APAC telecom provider and an Eastern European B2B platform, including pre-auth session bypass payloads and internal Redis node metadata for network pivoting.
Logistics & Social Media: Compromised FedEx and UPS accounts with billing access were sold for $10-$20. Twitter accounts were sold based on follower counts, specifically targeting crypto-audiences.

B. Exploits and Vulnerabilities

NGINX 0-Day: Actor innocentzero offered a pre-authenticated 0-day RCE exploit targeting NGINX mainline and stable releases combined with PHP-FPM default configurations. The exploit chained an HTTP/2 RCE with arbitrary file upload, priced at $32,000 USD for exclusive rights.
Exim CVE-2026-45185: A use-after-free vulnerability affecting Exim mail transfer agents using GnuTLS was detailed on an open web forum. The flaw, triggered during TLS shutdown with BDAT chunked processing, enables unauthenticated RCE.
MikroTik RouterOS: Threat actors discussed exploiting outdated MikroTik RB951Ui-2nD devices running RouterOS version 6.40.8 with known critical vulnerabilities.

VI. Carding, Financial Fraud, and Phishing Operations

A. Carding and Identity Theft

The underground economy for financial fraud remains highly active:

Tools and Training: Actor greyder39 freely distributed EMV carding tools, including EMV Reader/Writer 8.6, ATR Tool 7.0, and ARQC Generators, used for cloning smartcards. Cracked ATM cloning tools were also shared by zerodark. Actor Darkode1 sold a $1,500 carding training course covering anti-fraud bypass, BIN exploitation, and cashout schemes.
Card Dumps and Services: s2lender offered a private CC dump service providing 4,000–12,000 fresh dumps daily. Stolen CVV/CC payment data for multiple countries was sold by Donegizo and Chaser80. Actor Volticc (BigBoris) sold stolen credit cards, bank logins, full identity information (SSN, DOB, DL), and offered money exchange services.
Identity Document Forgery: Actor Crefloo sold editable PSD packs containing forged passports and utility bills for 70+ countries, marketed specifically to bypass KYC verification on platforms like Coinbase and Revolut. Actor Selin offered digital forged IDs, driver’s licenses, and passports for bulk purchase.

B. Counterfeit Currency

A highly coordinated operation was observed on Telegram involving actors like Boss Shop, Pretty, and Banti. These actors used Chinese text to advertise “premium counterfeit” (精品假抄) banknotes and “top-tier fake currency”. The operation relies heavily on restricted Telegram channels to facilitate distribution.

C. Phishing Toolkits

HTML Phishing Builder: Actor PUSU sold an HTML phishing payload builder featuring 24 templates impersonating Adobe, OneDrive, and DocuSign. The tool embeds encrypted payloads into HTML/SVG files compatible with Gmail, offering multi-OS targeting and chained execution for up to $600/year.
Credential Checkers: Actor BABAYO EROR SYSTEM sold multiple credential checking tools (Admin Panel, WordPress, cPanel, WHM) to perform mass login verification against enterprise platforms. An SMTP extraction and verification tool, designed to harvest functional SMTP credentials for spam infrastructure, was distributed by h3llegy. Additionally, a Hotmail inbox checker tool (V3) source code was distributed by anasxzer00.

VII. Conclusion

The cyber threat activity from May 31 to June 1, 2026, highlights a highly industrialized underground economy. High-tier threat actors like ShinyHunters are successfully compromising multi-national corporations and critical infrastructure, demanding massive ransom/sale prices. Simultaneously, high-volume brokers like Rupert have standardized the monetization of global CRM and retail databases. The sale of direct initial access (via web shells, Kodex accounts, and RDP) alongside advanced phishing and carding toolkits indicates that the barrier to entry for executing sophisticated cyber attacks continues to lower, facilitating widespread exploitation across all geographic regions and industry sectors.

Detected Incidents Draft Data – 2026-06-01 (run date)

Alleged sale of RDP access and compromised cloud platform credentials
Category: Initial Access
Content: Threat actor offering rental of RDP access to Azure, AWS, and DigitalOcean infrastructure for $200 daily/monthly rates. Also advertising compromised domain mail accounts, Gmail, Yahoo accounts, GitHub Student accounts, and stolen ChatGPT Plus and Claude subscriptions. Services offered with escrow protection.
Date: 2026-06-01T04:35:30Z
Network: telegram
Published URL: https://t.me/c/2613583520/94659
Screenshots:
1 screenshot(s) available
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Technology/Cloud Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Komdanas Mahkamah Agung
Category: Data Breach
Content: A threat actor on a breach forum claims to be selling or leaking a database belonging to Komdanas Mahkamah Agung, the integrated data network system of the Indonesian Supreme Court. The post includes an attachment, but no further details on record count or data fields are visible in the extracted content.
Date: 2026-06-01T04:20:03Z
Network: openweb
Published URL: https://breached.su/threads/database-pegawai-komdanas-mahkaman-agung.87787/unread
Screenshots:
1 screenshot(s) available
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Mahkamah Agung (Supreme Court of Indonesia)
Victim Site: mahkamahagung.go.id
Alleged data leak of US gun owners database
Category: Data Leak
Content: A threat actor has freely shared an alleged database of approximately 16,000 US gun owners, containing full names, email addresses, physical addresses, and weapon of choice. The origin of the data is unattributed. The dataset is gated behind forum registration.
Date: 2026-06-01T04:04:08Z
Network: openweb
Published URL: https://breachforu.ms/Thread-REPOST-GUN-OWNERS-USA-16K
Screenshots:
1 screenshot(s) available
Threat Actors: N3tw0rkSh4d0w
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of US job seekers personal data from getofficejobs.net
Category: Data Leak
Content: A threat actor has shared an alleged dataset of approximately 3 million US job seekers sourced from getofficejobs.net. The sample includes first name, last name, email address, and IP address fields. The data is being distributed freely on a breach forum.
Date: 2026-06-01T04:03:26Z
Network: openweb
Published URL: https://breachforu.ms/Thread-REPOST-JOB-SEEKERS-USA-3M
Screenshots:
1 screenshot(s) available
Threat Actors: N3tw0rkSh4d0w
Victim Country: United States
Victim Industry: Recruitment
Victim Organization: Get Office Jobs
Victim Site: getofficejobs.net
Sale of persistent web shell and RCE exploit on NASA (nasa.gov) infrastructure
Category: Initial Access
Content: A threat actor is offering for sale persistent web shell access and an associated exploit targeting a live nasa.gov web application host, claimed to be physically located within a NASA data center. The access provides www-data level remote code execution via HTTP/S and is described as capable of reaching broad internal NASA network ranges including multiple internal CIDRs behind firewalls. The seller is asking $10,000 in Monero with escrow and claims persistence survives reboots.
Date: 2026-06-01T04:00:00Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-RDP-SELLING-nasa-gov-Persistent-Web-Shell-Exploit
Screenshots:
1 screenshot(s) available
Threat Actors: hackformetome
Victim Country: United States
Victim Industry: Government
Victim Organization: NASA
Victim Site: nasa.gov
Alleged data breach of undisclosed Spanish gas company exposing IBAN and personal records
Category: Data Breach
Content: A threat actor is offering for sale a database allegedly obtained from a Spanish gas company via exploitation of a vulnerability. The dataset contains approximately 555,000 unique records including full names, phone numbers, email addresses, IBAN banking details, and location data. The seller claims the data is previously unpublished and has never been sold.
Date: 2026-06-01T03:53:37Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-SELLING-Spanish-Gas-Company-Database-IBAN-Phones
Screenshots:
1 screenshot(s) available
Threat Actors: jordanbelfortwolf
Victim Country: Spain
Victim Industry: Energy
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of DIRANDRO — Peruvian National Police Anti-Drug Unit
Category: Data Breach
Content: A threat actor operating under the group L4TAMFUCK3RS claims to be selling approximately 300,000 records (~7.8GB) allegedly stolen from DIRANDRO, the Peruvian National Polices specialized anti-drug trafficking unit. The dataset purportedly contains highly sensitive personnel and operational data including full names, national ID numbers (DNI), police identification codes (CIP), residential addresses, family information, police intervention records, geographic coordinates, seized substance det
Date: 2026-06-01T03:48:40Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78522
Screenshots:
3 screenshot(s) available
Threat Actors: cantpwn
Victim Country: Peru
Victim Industry: Government
Victim Organization: DIRANDRO – Policía Nacional del Peru
Victim Site: Unknown
Sale of Business Intelligence Dataset Containing 50,000+ Executive and Company Records
Category: Data Leak
Content: A threat actor is offering a dataset of 50,000+ records purportedly containing executive and company information including names, job titles, company names, locations, and business attributes. The data spans multiple regions and industries, with sample records showing individuals in CEO and executive-adjacent roles across various organizations. The seller is directing buyers to a Telegram channel for purchase.
Date: 2026-06-01T03:17:48Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78453
Screenshots:
1 screenshot(s) available
Threat Actors: Edric
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Stansberry Research — 100,000 US consumer records
Category: Data Breach
Content: A threat actor is offering for sale an alleged database attributed to Stansberry Research and its TradeSmith platform, containing approximately 100,000 U.S. consumer records. The dataset reportedly includes full name, email, phone, mailing address, TradeSmith user IDs, account creation dates, customer status flags, and deposit references. The seller is advertising the database via Telegram and a channel marketed as a premium leads source.
Date: 2026-06-01T03:17:09Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78462
Screenshots:
1 screenshot(s) available
Threat Actors: Edric
Victim Country: United States
Victim Industry: Finance
Victim Organization: Stansberry Research
Victim Site: stansberry.com
Website Defacement of VillageMilk by CiaoxD_ of Brotherhood Capung Indonesia
Category: Defacement
Content: On June 1, 2026, the website villagemilk.com was defaced by threat actor CiaoxD_, operating under the hacktivist group Brotherhood Capung Indonesia. The attack resulted in a homepage defacement, replacing the sites content with the attackers messaging. No specific motive or reason was provided for the attack.
Date: 2026-06-01T03:08:53Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930434
Screenshots:
1 screenshot(s) available
Threat Actors: CiaoxD_, Brotherhood Capung Indonesia
Victim Country: Unknown
Victim Industry: Food and Beverage
Victim Organization: Village Milk
Victim Site: villagemilk.com
Sale of streaming, VPN, and gaming accounts on cracking forum
Category: Carding
Content: A forum seller is advertising an account store offering streaming, VPN, and gaming accounts for sale at low prices via an external shop. The accounts are likely obtained through credential stuffing or account takeover methods. No specific victim organization or record count is disclosed.
Date: 2026-06-01T03:00:52Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9A%A1-THE-ULTIMATE-ACCOUNTS-STORE-%E2%AD%90-Streaming-VPNs-Gaming-Cheap-Reliable-%E2%9A%A1
Screenshots:
2 screenshot(s) available
Threat Actors: Rayie
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: genmarket.us
Alleged data breach of Gian Bo Fuegos Artificiales (Venezuelan fireworks distributor)
Category: Data Breach
Content: A threat actor is selling an alleged database dump from gianbofuegosartificiales.com, a Venezuelan fireworks distributor, for $1,300. The dataset reportedly contains approximately 768,000 records spanning three sections: customer and distributor contacts (including full names, emails, phone numbers, and addresses), fireworks order history, and distributor location data. The seller claims the data is fresh and organized, and is accepting forum escrow for the transaction.
Date: 2026-06-01T02:49:38Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78515
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Venezuela
Victim Industry: Retail
Victim Organization: Gian Bo Fuegos Artificiales
Victim Site: gianbofuegosartificiales.com
Alleged data breach of Venezuelas Ministry of Tourism (mintur.gob.ve)
Category: Data Breach
Content: A threat actor is selling an alleged dataset of 542,000 records attributed to Venezuelas Ministry of Tourism (mintur.gob.ve), priced at $1,200. The dataset reportedly includes three sections: Contacts (names, emails, phone numbers, login history, marketing data), Tourism Inquiries, and Booking History. The seller is accepting forum escrow and can be contacted via Telegram.
Date: 2026-06-01T02:49:00Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78517
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Venezuela
Victim Industry: Government
Victim Organization: Ministry of Tourism of Venezuela
Victim Site: mintur.gob.ve
Alleged data breach of MasMovil (masmovil.es) exposing 742K customer records
Category: Data Breach
Content: A threat actor is selling an alleged dataset from Spanish telecom provider MasMovil (masmovil.es) for $1,200, claiming it contains approximately 742,000 records. The dataset is structured across three tables — Contacts, Orders, and Support Tickets — and reportedly includes full customer PII (name, address, email, phone, date of birth, tax ID, password hashes), order and billing details, and support ticket contents. Sample files are provided via Gofile links.
Date: 2026-06-01T02:25:05Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78493
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Spain
Victim Industry: Telecommunications
Victim Organization: MasMovil
Victim Site: masmovil.es
Alleged data breach of GAME España (game.es)
Category: Data Breach
Content: A threat actor is selling an alleged dataset originating from the Spanish video game retailer GAME (game.es), purportedly containing approximately 284,000 records. The data is structured across three sections covering customer contacts (including names, emails, phone numbers, addresses, Tax IDs, and encrypted passwords), order history, and loyalty/membership information including VIP status and points balances. The seller is asking $1,200 and directing buyers to contact via Telegram.
Date: 2026-06-01T02:24:20Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78494
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Spain
Victim Industry: Retail
Victim Organization: GAME España
Victim Site: game.es
Alleged data breach of PChome EC (pchomeec.com.tw) exposing 437K records
Category: Data Breach
Content: A threat actor is selling an alleged dataset from pchomeec.com.tw containing approximately 437,000 records across three sections: customer contacts (including names, emails, phone numbers, IP addresses, and physical addresses), support tickets, and order transactions (including payment method, shipping/billing addresses, and order details). The data is priced at $1,200 and the seller accepts forum escrow for transactions.
Date: 2026-06-01T02:23:36Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78495
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Taiwan
Victim Industry: Retail
Victim Organization: PChome EC
Victim Site: pchomeec.com.tw
Alleged data breach of PCstore Taiwan (pcstore.com.tw)
Category: Data Breach
Content: A threat actor is offering for sale an alleged dataset of approximately 487,000 records originating from pcstore.com.tw, a Taiwanese e-commerce platform. The dataset is structured across three sections — Contact, Order, and Deliverytracking — containing customer personal information, order and payment details, and shipment tracking data. The data includes names, email addresses, phone numbers, physical addresses, payment methods, and delivery tracking information.
Date: 2026-06-01T02:22:57Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78496
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Taiwan
Victim Industry: Retail
Victim Organization: PCstore
Victim Site: pcstore.com.tw
Alleged data breach of undisclosed Taiwanese organization exposing personal and contact records
Category: Data Breach
Content: A threat actor is selling a dataset allegedly originating from an undisclosed Taiwanese organization, comprising approximately 237,000 records across three structured sections: Contacts, Support Tickets, and Booking History. The exposed data includes full names, email addresses, phone numbers, physical addresses, payment details, and service history. Sample files were shared via Gofile links.
Date: 2026-06-01T02:22:20Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78497
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Taiwan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Baan Lae Suan (baanlaesuan.com) exposing 413K Thai business contacts and financials
Category: Data Breach
Content: A threat actor is selling a dataset allegedly originating from baanlaesuan.com, a Thai home improvement platform, for $1,300. The dataset reportedly contains 413,000 records across three sections: business contacts (including names, emails, phone numbers, and addresses), shop financials (capital amounts, annual revenue, net profit), and shop documents (file paths, document passwords, and compliance records). Sample download links are provided via Gofile.
Date: 2026-06-01T02:21:56Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78498
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Thailand
Victim Industry: Retail
Victim Organization: Baan Lae Suan
Victim Site: baanlaesuan.com
Alleged data breach of Pramool (pramool.com) exposing contact, transaction, and login records
Category: Data Breach
Content: A threat actor is offering an alleged database dump from pramool.com containing approximately 483,000 records organized across three sections: Contacts (including names, emails, phone numbers, and CRM data), Transaction Histories (including payment methods, revenue amounts, and billing addresses), and Shop Logins and Security (including login credentials, password hashes, session tokens, and two-factor authentication details). Sample files have been shared via Gofile links as proof.
Date: 2026-06-01T02:21:05Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78499
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Thailand
Victim Industry: Retail
Victim Organization: Pramool
Victim Site: pramool.com
Alleged data breach of Kaidee (kaidee.com) exposing user contacts, shop financials, and registrations
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from kaidee.com, a Thai online marketplace, comprising approximately 527,000 records across three sections: Contacts (user and shop owner personal details including names, emails, phone numbers, and addresses), Shopfinancials (business metrics such as revenue, profit margins, and tax IDs), and Shopregistrations (account credentials including password hashes, registration documents, and operational details). The dataset contains a broad r…
Date: 2026-06-01T02:20:28Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78500
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Thailand
Victim Industry: Retail
Victim Organization: Kaidee
Victim Site: kaidee.com
Alleged data breach of Keejob Tunisia employment platform
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from keejob.com, a Tunisian employment platform, containing approximately 137,000 records across three sections: contacts with personal and communication details, email campaign logs, and job applications including applicant PII, résumé references, salary expectations, and application statuses. The data is being sold and described as fresh and organized.
Date: 2026-06-01T02:19:41Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78501
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Tunisia
Victim Industry: Recruitment
Victim Organization: Keejob
Victim Site: keejob.com
Alleged data breach of Mytelnet (Tunisia) exposing 478K customer records
Category: Data Breach
Content: A threat actor is selling an alleged dataset from Mytelnet (mytelnet.tn), a Tunisian telecommunications provider, for $1,000. The dataset purportedly contains 478,000 records across three sections: customer contacts (including names, emails, phone numbers, addresses, password hashes), product usage profiles, and household demographic data. The data includes sensitive personal and marketing information such as income brackets, marital status, and employment status.
Date: 2026-06-01T02:19:05Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78502
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Tunisia
Victim Industry: Telecommunications
Victim Organization: Mytelnet
Victim Site: mytelnet.tn
Alleged Sale of Counterfeit Currency (Fake Banknotes)
Category: Cyber Attack
Content: Multiple users promoting the sale of counterfeit banknotes through Telegram channels with links to dedicated marketplaces. Posts reference premium counterfeit currency and top-tier fake banknotes with active recruitment and distribution channels.
Date: 2026-06-01T02:12:22Z
Network: telegram
Published URL: https://t.me/c/2613583520/94567
Screenshots:
1 screenshot(s) available
Threat Actors: Boss Shop
Victim Country: Unknown
Victim Industry: Financial/Currency
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of fresh database dumps across multiple countries and platforms
Category: Data Breach
Content: Threat actor offering fresh database access covering multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT) with specific platform targets including Roblox, eBay, OfferUp, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and neosurf. Seller claims to own private cloud infrastructure and offers inbox access. Contact via Telegram DM.
Date: 2026-06-01T01:57:48Z
Network: telegram
Published URL: https://t.me/c/2613583520/94584
Screenshots:
1 screenshot(s) available
Threat Actors: Num
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: Multiple (e-commerce, gaming, travel, payment services)
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of AT&T Mobile consumer database with 500K+ records
Category: Data Breach
Content: A threat actor is selling an alleged AT&T Mobile consumer database containing 500,000+ records dated 2024-2025. The dataset includes full names, primary and secondary phone numbers, street addresses, and email addresses for US-based consumers. Sample records are provided in the post to substantiate the claim.
Date: 2026-06-01T01:56:22Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78472
Screenshots:
1 screenshot(s) available
Threat Actors: Edric
Victim Country: United States
Victim Industry: Telecommunications
Victim Organization: AT&T
Victim Site: att.com
Alleged data breach of Noon.com exposing customer contact and identity records
Category: Data Breach
Content: A threat actor is selling an alleged dataset from noon.com, a Saudi Arabia-based e-commerce platform, for $1,400. The dataset reportedly contains approximately 738,000 records spanning customer contact details (name, DOB, email, phone, address, social profiles), KYC identity card records, and branch store profiles. The data includes sensitive personal and identity verification fields potentially usable for fraud or targeted attacks.
Date: 2026-06-01T01:55:37Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78481
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Saudi Arabia
Victim Industry: Retail
Victim Organization: Noon
Victim Site: noon.com
Alleged data breach of Saudi Arabia Nitaqat Portal (nitaqat.com.sa)
Category: Data Breach
Content: A threat actor is selling an alleged dataset from nitaqat.com.sa, Saudi Arabias Nitaqat labor compliance portal, for $900. The dataset reportedly contains 437,000 records spanning contacts (names, emails, phone numbers, job titles, addresses), support tickets, and booking history. The seller claims the data is fresh and organized across three interconnected sections.
Date: 2026-06-01T01:54:48Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78483
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Saudi Arabia
Victim Industry: Government
Victim Organization: Nitaqat Portal
Victim Site: nitaqat.com.sa
Alleged data breach of Takaful Insurance (takaful.org.sa) exposing customer contacts, insurance applications, and support tickets
Category: Data Breach
Content: A threat actor is selling an alleged dataset from takaful.org.sa, a Saudi Arabian Takaful insurance provider, for $1,100. The dataset reportedly contains approximately 528,000 records across three sections: customer contacts (including full names, emails, phone numbers, addresses, and access levels), insurance applications, and support tickets. The data includes personally identifiable information such as birthdates, mailing addresses, and secondary emails.
Date: 2026-06-01T01:54:10Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78484
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Saudi Arabia
Victim Industry: Finance
Victim Organization: Takaful Insurance
Victim Site: takaful.org.sa
Alleged data breach of Telkom South Africa with 742K customer records
Category: Data Breach
Content: A threat actor is selling an alleged dataset originating from Telkom South Africa (telkom.co.za) containing approximately 742,000 records. The dataset is structured across three sections — Contacts, Subscription Contracts, and Support Tickets — and includes personally identifiable information such as national ID numbers, dates of birth, contact details, billing information, and support interaction logs. Sample download links are provided via Gofile.
Date: 2026-06-01T01:53:26Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78485
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: South Africa
Victim Industry: Telecommunications
Victim Organization: Telkom
Victim Site: telkom.co.za
Sale of Canada B2B Business Dataset with 13,000+ Records
Category: Data Breach
Content: A threat actor is offering a Canada-wide B2B dataset containing 13,000+ business contact records including names, cities, provinces, postal codes, email domains, and phone availability flags. The dataset is advertised for sale via Telegram and covers all Canadian provinces. The origin and source of the data are not disclosed.
Date: 2026-06-01T01:53:05Z
Network: openweb
Published URL: https://breachforu.ms/Thread-International-Canada-Business-Dataset-B2B-Directory
Screenshots:
1 screenshot(s) available
Threat Actors: Vyntra
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Midas South Africa (midas.co.za)
Category: Data Breach
Content: A threat actor is selling an alleged database originating from midas.co.za, a South African retail organization. The dataset reportedly contains approximately 463,000 customer records spanning three tables: customer contact information, delivery addresses, and sales orders, including fields such as email addresses, phone numbers, VAT numbers, order totals, and payment status. Sample files were shared via Gofile links as proof.
Date: 2026-06-01T01:52:45Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78486
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: South Africa
Victim Industry: Retail
Victim Organization: Midas
Victim Site: midas.co.za
Alleged data breach of Wanderers Club South Africa with member profiles and event booking records
Category: Data Breach
Content: A threat actor is selling an alleged dataset originating from wanderers.co.za, a South African sports club, for $1,200. The dataset reportedly contains approximately 674,000 records spanning three sections: member contact profiles (including name, email, phone, gender, age range), sports membership details (payment status, membership type, sport preferences), and event booking history (payment amounts, cancellations, check-in status). Sample files were shared via Gofile links as proof.
Date: 2026-06-01T01:51:58Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78487
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: South Africa
Victim Industry: Sports & Recreation
Victim Organization: Wanderers Club
Victim Site: wanderers.co.za
Alleged data breach of 11ST (11st.co.kr) exposing 652K customer records
Category: Data Breach
Content: A threat actor is selling an alleged database originating from South Korean e-commerce platform 11st.co.kr, claiming 652,000 records organized across three sections: Contacts, Orders, and Referrals. The dataset purportedly includes customer personal details (name, email, phone, address, birthday, gender), order and payment transaction data (settlement amounts, bank info, delivery details), and marketing/referral attribution data.
Date: 2026-06-01T01:51:20Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78488
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: South Korea
Victim Industry: Retail
Victim Organization: 11ST
Victim Site: 11st.co.kr
Alleged data breach of i-mall.co.kr with vendor bank accounts, contacts, and sales orders
Category: Data Breach
Content: A threat actor is offering for sale a dataset allegedly originating from i-mall.co.kr, a South Korean e-commerce platform, priced at $1,400. The dataset reportedly contains approximately 742,000 records spanning three sections: contacts (including emails, phone numbers, company details, and financial metadata), vendor bank accounts (including bank account numbers, SWIFT codes, and payment terms), and sales orders (including order totals, payment status, and shipping details). The seller is accep…
Date: 2026-06-01T01:50:38Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78489
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: South Korea
Victim Industry: Retail
Victim Organization: i-mall
Victim Site: i-mall.co.kr
Alleged data breach of Mirae-N (mirae-n.com) exposing 745,000 South Korean customer records
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from mirae-n.com, a South Korean organization, containing approximately 745,000 records across three sections: Contact (personal and demographic data including names, addresses, emails, phone numbers, and child information), Purchase History (transactional and payment data), and Login and Security (encrypted passwords, session tokens, MFA settings, and IP addresses). Sample files were shared via external hosting links.
Date: 2026-06-01T01:49:55Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78491
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: South Korea
Victim Industry: Retail
Victim Organization: Mirae-N
Victim Site: mirae-n.com
Alleged data breach of Fundación Tripartita with 642,000 records
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from fundaciontripartita.org, a Spanish professional training organization. The dataset reportedly contains 642,000 records across three sections — Contacts, Companies, and Course Enrollments — including personally identifiable information such as names, tax ID numbers, email addresses, phone numbers, dates of birth, and certification details. Sample data is linked via a file-sharing service.
Date: 2026-06-01T01:49:17Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78492
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Spain
Victim Industry: Education
Victim Organization: Fundación Tripartita
Victim Site: fundaciontripartita.org
Alleged sale of compromised Kodex account with access to 320+ companies
Category: Initial Access
Content: Threat actor offering sale of a Kodex account claimed to provide access to 320+ companies and platforms including Discord, Coinbase, and Roblox. Account is marketed as suitable for submitting EDR (Endpoint Detection and Response) requests to major companies. Price listed at $4,000 with escrow payment required. Full company list available via Pastebin link.
Date: 2026-06-01T01:34:16Z
Network: telegram
Published URL: https://t.me/c/3468046329/1551
Screenshots:
2 screenshot(s) available
Threat Actors: prodesp
Victim Country: Unknown
Victim Industry: Multiple
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of compromised Kodex account with access to 320+ companies
Category: Initial Access
Content: Threat actor offering sale of a compromised Kodex account for $4,000 USD via escrow. The account allegedly provides access to 320+ ready-to-use companies and is marketed as suitable for submitting EDR (Endpoint Detection and Response) requests to major companies and platforms including Discord, Coinbase, and Roblox. Full company list referenced on Pastebin.
Date: 2026-06-01T01:33:53Z
Network: telegram
Published URL: https://t.me/c/3468046329/1550
Screenshots:
2 screenshot(s) available
Threat Actors: operador
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of hotelsinnederland.nl exposing contact and booking records
Category: Data Breach
Content: A threat actor is selling a dataset allegedly originating from hotelsinnederland.nl containing approximately 287,000 records across three sections: customer contacts (including names, emails, phone numbers, addresses, and birthdates), hotel property details, and booking transaction history. The data includes personally identifiable information such as guest preferences, booking financials, and contact details.
Date: 2026-06-01T01:25:27Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78469
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Netherlands
Victim Industry: Hospitality
Victim Organization: Hotels in Nederland
Victim Site: hotelsinnederland.nl
Alleged data breach of Yellow Pages New Zealand (yellow.co.nz)
Category: Data Breach
Content: A threat actor is selling an alleged database dump from yellow.co.nz containing approximately 237,000 records spanning three tables: Contacts (including names, emails, phone numbers, hashed passwords, and marketing data), Businesses (including payment information, annual revenue, and contract details), and Accesslogs (including IP addresses, login methods, and session data). The dataset is priced at $900 and offered via Telegram contact with forum escrow accepted.
Date: 2026-06-01T01:24:40Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78471
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: New Zealand
Victim Industry: Business Services
Victim Organization: Yellow New Zealand
Victim Site: yellow.co.nz
Alleged data breach of Pakistan Securities and Exchange Commission (SECP)
Category: Data Breach
Content: A threat actor is selling an alleged database dump originating from secp.gov.pk, the Securities and Exchange Commission of Pakistan, for $1,000. The dataset reportedly contains approximately 387,000 records across three sections: Contacts (including usernames, password hashes, emails, phone numbers, and job titles), Member Interests, and Member Offices with geolocation data. The actor claims the data is fresh and organized for research or outreach purposes.
Date: 2026-06-01T01:24:03Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78473
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Pakistan
Victim Industry: Government
Victim Organization: Securities and Exchange Commission of Pakistan
Victim Site: secp.gov.pk
Alleged data breach of OLX Philippines
Category: Data Breach
Content: A threat actor is selling an alleged dataset originating from olx.com.ph containing approximately 623,000 records. The dataset includes personal contact details (full name, email, phone, address), distributor account information, and order transaction records organized across three sections. The seller is asking $1,200 and accepts forum escrow for the transaction.
Date: 2026-06-01T01:23:13Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78474
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Philippines
Victim Industry: Retail
Victim Organization: OLX Philippines
Victim Site: olx.com.ph
Alleged data breach of Radio Popular (radiopopular.pt) exposing customer contacts, orders, and shipping data
Category: Data Breach
Content: A threat actor is selling an alleged dataset from radiopopular.pt, a Portuguese consumer electronics retailer, priced at $900. The dataset reportedly contains 437,000 records spanning three sections: customer contacts (including full name, email, phone, tax ID, and marketing data), orders (including payment method, amounts, and invoice details), and shipping deliveries (including addresses, tracking details, and delivery status).
Date: 2026-06-01T01:22:37Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78475
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Portugal
Victim Industry: Retail
Victim Organization: Radio Popular
Victim Site: radiopopular.pt
Alleged data breach of Radio Popular (radiopopular.pt)
Category: Data Breach
Content: A threat actor is selling an alleged dataset from radiopopular.pt, a Portuguese electronics retailer, containing approximately 237,000 records. The dataset reportedly includes customer contact details (names, emails, phone numbers, tax IDs, addresses), order history, and support ticket records. The seller is asking $1,000 and accepting forum escrow.
Date: 2026-06-01T01:22:01Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78476
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Portugal
Victim Industry: Retail
Victim Organization: Radio Popular
Victim Site: radiopopular.pt
Alleged data breach of Continente (continente.pt) exposing ~576K customer records
Category: Data Breach
Content: A threat actor is offering an alleged dataset of approximately 576,000 customer records from Portuguese retail platform continente.pt. The dataset is structured across three sections covering customer contact details (including full name, Tax ID, email, phone, address), order history (including payment method, amounts, and delivery data), and notification preferences with consent tracking. The data includes sensitive fields such as Tax ID numbers, lifetime value, loyalty program enrollment, and
Date: 2026-06-01T01:21:20Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78477
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Portugal
Victim Industry: Retail
Victim Organization: Continente
Victim Site: continente.pt
Alleged data breach of Wildberries (wildberries.ru) with 732K customer records
Category: Data Breach
Content: A threat actor is selling an alleged dataset from Russian retail platform Wildberries (wildberries.ru) for $900, claiming approximately 732,000 records. The dataset purportedly includes customer contact details (emails, phone numbers, encrypted passwords, last login IPs, marketing consent flags), wishlist data, and store address metadata organized across three structured sections. Sample files are hosted on Gofile for prospective buyers to verify.
Date: 2026-06-01T01:20:35Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78478
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Russia
Victim Industry: Retail
Victim Organization: Wildberries
Victim Site: wildberries.ru
Alleged data breach of forum.sevcable.ru
Category: Data Breach
Content: A threat actor is offering for sale a dataset allegedly originating from forum.sevcable.ru, a Russian online forum. The dataset purportedly contains 492,000 records spanning user contact profiles, support tickets, and authentication data including hashed passwords, IP addresses, and login history. The seller is asking $1,200 and accepting forum escrow for the transaction.
Date: 2026-06-01T01:19:50Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78479
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Russia
Victim Industry: Technology
Victim Organization: Sevcable Forum
Victim Site: forum.sevcable.ru
Alleged data breach of Rosmolodezh (Russian Federal Agency for Youth Affairs)
Category: Data Breach
Content: A threat actor is selling an alleged dataset from rosmolodezh.ru, the Russian Federal Agency for Youth Affairs, comprising approximately 478,000 records across three sections: personal contacts (including full names, emails, phone numbers, and postal addresses), conference participation records, and university profiles with rector contact details. The dataset is offered for $1,100 via Telegram.
Date: 2026-06-01T01:19:14Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78480
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Russia
Victim Industry: Government
Victim Organization: Rosmolodezh
Victim Site: rosmolodezh.ru
Alleged data leak of China National Copyright Administration (xinda-pt.cn)
Category: Data Leak
Content: A threat actor affiliated with Anka Red Team claims to have leaked a database of 47,659 records from xinda-pt.cn, associated with the China National Copyright Administration. The leaked data reportedly includes full names, gender, email addresses, mobile phone numbers, ID numbers, student/employee IDs, and regional/institutional information. The data was made available on a Turkish hacking forum.
Date: 2026-06-01T00:59:34Z
Network: openweb
Published URL: https://www.turkhackteam.org/konular/cin-ulusal-telif-hakki-idaresi-47k-database-leak-ankateam.2083069/
Screenshots:
2 screenshot(s) available
Threat Actors: ‘SALDIRGAN
Victim Country: China
Victim Industry: Government
Victim Organization: China National Copyright Administration
Victim Site: xinda-pt.cn
Alleged data breach of Fastweb Italy with consumer contact and subscription data
Category: Data Breach
Content: A threat actor is offering an alleged dataset purportedly originating from Fastweb, an Italian telecommunications provider, comprising approximately 536,000 records. The dataset is structured across three sections — Contacts, Subscriptions, and Support Requests — and includes highly sensitive fields such as full names, birth dates, tax codes, VAT numbers, hashed passwords, phone numbers, physical addresses, contract details, payment methods, and support ticket logs. Sample download links were sh…
Date: 2026-06-01T00:54:22Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78457
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Italy
Victim Industry: Telecommunications
Victim Organization: Fastweb
Victim Site: fastweb.it
Alleged data breach of Japans National Personnel Authority (jinji.go.jp)
Category: Data Breach
Content: A threat actor is selling an alleged dataset of 742,000 records originating from jinji.go.jp, the website of Japans National Personnel Authority. The dataset reportedly includes personal contact information, payroll records (including bank account details and tax data), and departmental assignments for Japanese government staff. The seller is asking $900 and accepts forum escrow.
Date: 2026-06-01T00:53:45Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78458
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Japan
Victim Industry: Government
Victim Organization: National Personnel Authority of Japan
Victim Site: jinji.go.jp
Alleged data breach of Kumon Japan (kumon.ne.jp) — 612K personal contact records
Category: Data Breach
Content: A threat actor is selling an alleged dataset from kumon.ne.jp, a Japanese educational services provider, comprising approximately 612,000 records across three sections: Contacts, Student Enrollments, and Support Tickets. The Contacts section includes full names, dates of birth, phone numbers, addresses, email addresses, and marketing preferences. The dataset is priced at $1,100 and offered via Telegram or forum private message.
Date: 2026-06-01T00:53:08Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78459
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Japan
Victim Industry: Education
Victim Organization: Kumon
Victim Site: kumon.ne.jp
Alleged data breach of au.com (KDDI) exposing customer contact and account data
Category: Data Breach
Content: A threat actor is selling an alleged dataset from my.au.com, the customer portal of Japanese telecommunications provider au (KDDI), for $1,200. The dataset reportedly contains approximately 243,000 records spanning three tables: Contacts (including full names, email addresses, phone numbers, and encrypted passwords), Serviceorders (subscription and billing details), and Supporttickets. Sample files were shared via Gofile links as proof.
Date: 2026-06-01T00:52:31Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78460
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Japan
Victim Industry: Telecommunications
Victim Organization: au (KDDI)
Victim Site: my.au.com
Alleged data leak of email addresses and phone numbers of Spanish public figures
Category: Data Leak
Content: A threat actor known as catwoman (with fuzy) has leaked email addresses and phone numbers of notable Spanish public figures, including the President of the Government of Spain. The data was reportedly obtained via an Instagram vulnerability and OSINT techniques. The leak was shared freely on PwnForums as hidden content requiring a reply to access.
Date: 2026-06-01T00:52:08Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-Email-Phone-Famous-People-From-Spain-Leak
Screenshots:
1 screenshot(s) available
Threat Actors: catwoman
Victim Country: Spain
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Jelgavas Veseliba (Latvia healthcare provider) exposing patient records
Category: Data Breach
Content: A threat actor is selling an alleged dataset of 237,000 records from Latvian healthcare provider Jelgavas Veseliba for $1,100. The dataset reportedly contains patient personal identifiers (personal ID, passport number, date of birth, contact details), appointment booking history, and medical education records. The data is structured across three interconnected tables and is offered via Telegram contact with forum escrow accepted.
Date: 2026-06-01T00:51:54Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78461
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Latvia
Victim Industry: Healthcare
Victim Organization: Jelgavas Veseliba
Victim Site: jelgavasveseliba.lv
Alleged data breach of Standard Lesotho Bank
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from Standard Lesotho Bank, containing approximately 472,000 records across three sections: customer personal information (including national IDs, hashed passwords, KYC status, and risk profiles), loan application records, and customer support tickets. The data includes highly sensitive financial and identity fields such as national IDs, loan amounts, credit check results, and relationship manager assignments.
Date: 2026-06-01T00:50:58Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78463
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Lesotho
Victim Industry: Finance
Victim Organization: Standard Lesotho Bank
Victim Site: standardlesothobank.co.ls
Alleged data breach of Mexicos National Council of Science and Technology (CONACYT)
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from Mexicos CONACYT (conacyt.gob.mx), containing approximately 384,000 records across three tables: Contacts (researcher and reviewer PII including names, emails, phone numbers, and LinkedIn profiles), Reviewassignments (scientific review committee details and peer rankings), and Usercredentials (hashed passwords, session tokens, security question hashes, and MFA configuration). Sample download links are provided via Gofile.
Date: 2026-06-01T00:50:07Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78464
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Mexico
Victim Industry: Government
Victim Organization: National Council of Science and Technology (CONACYT)
Victim Site: conacyt.gob.mx
Alleged data breach of CSI Telecom Mexico
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from CSI Telecom (csitelecom.com.mx), a Mexican telecommunications provider. The data encompasses approximately 732,000 records across three structured sections: Contacts (including full name, email, phone, address, birth date, and gender), Support Tickets, and Service Orders (including payment method, billing account, and installation address). Sample download links were provided via Gofile.
Date: 2026-06-01T00:49:29Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78465
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Mexico
Victim Industry: Telecommunications
Victim Organization: CSI Telecom
Victim Site: csitelecom.com.mx
Alleged data breach of zorgverzekerenvergelijk.nl exposing health insurance customer data
Category: Data Breach
Content: A threat actor is selling an alleged dataset from Dutch health insurance comparison platform zorgverzekerenvergelijk.nl, comprising approximately 417,000 records. The dataset includes three sections: customer contact details (name, email, phone, address), insurance quote request data (coverage amounts, premium estimates, risk scores), and user access logs (IP addresses, password hashes, session IDs, MFA status). The data is offered with sample download links on an external file-sharing service.
Date: 2026-06-01T00:48:54Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78467
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Netherlands
Victim Industry: Healthcare
Victim Organization: Zorgverzekeren Vergelijk
Victim Site: zorgverzekerenvergelijk.nl
Alleged data breach of Vliegershop (vliegershop.nl)
Category: Data Breach
Content: A threat actor is selling an alleged database dump from vliegershop.nl, a Netherlands-based retail site, containing approximately 875,000 records. The dataset includes customer contact details (names, emails, phones, IP addresses, social media handles), order transaction records, and shipping addresses organized across three interconnected tables. Sample download links were provided via Gofile.
Date: 2026-06-01T00:48:11Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78468
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Netherlands
Victim Industry: Retail
Victim Organization: Vliegershop
Victim Site: vliegershop.nl
Sale of stolen credit cards for multiple countries
Category: Carding
Content: A threat actor is offering stolen credit cards purportedly covering multiple countries including the USA, UK, EU, Canada, and others. The seller advertises the cards as legitimate and affordable, directing interested buyers to a Telegram contact. No specific victim organization or record count is disclosed.
Date: 2026-06-01T00:35:32Z
Network: openweb
Published URL: https://demonforums.net/Thread-Ccs-For-All-Countries-%E2%9A%A1%EF%B8%8FOUT-ON-DISCOUNT–206372
Screenshots:
1 screenshot(s) available
Threat Actors: Trewgoree
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of discounted gift cards and verified financial accounts on cybercrime forum
Category: Carding
Content: A threat actor is offering discounted gift cards (including Visa, Amazon, Steam, and others) and verified financial accounts (PayPal, Coinbase, Binance, Cashapp, Stripe, and more) for sale on a cybercrime forum. Payment is accepted via cryptocurrency, PayPal, Steam trades, or gift cards. The seller references a Telegram handle (@StyleCarding) and claims 200+ reputation points on a cracking site.
Date: 2026-06-01T00:34:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-Selling-Cheapest-Giftcard-50-for-100-and-Verified-Accounts–206377
Screenshots:
1 screenshot(s) available
Threat Actors: Resddyggyy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Vlachakis Systems (vlachakis-systems.gr)
Category: Data Breach
Content: A threat actor is selling a dataset allegedly originating from vlachakis-systems.gr, a Greek organization. The dataset contains approximately 284,000 records spanning contacts (including full names, emails, phone numbers, addresses, LinkedIn/Facebook profiles), support tickets, and a product catalogue, priced at $1,300.
Date: 2026-06-01T00:23:06Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78447
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Greece
Victim Industry: Technology
Victim Organization: Vlachakis Systems
Victim Site: vlachakis-systems.gr
Alleged data breach of HKT Limited (hkt.com) exposing telecom customer database
Category: Data Breach
Content: A threat actor is selling an alleged database dump from HKT Limited, a Hong Kong telecom provider, containing approximately 482,000 records. The dataset includes customer contact information (names, emails, phone numbers, mailing addresses), service orders, and support tickets with verified email and phone fields. The seller is asking $900 and accepts forum escrow for the transaction.
Date: 2026-06-01T00:22:21Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78448
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Hong Kong
Victim Industry: Telecommunications
Victim Organization: HKT Limited
Victim Site: hkt.com
Alleged data breach of Vatera.hu Hungarian e-commerce platform
Category: Data Breach
Content: A threat actor is selling an alleged dataset obtained from vatera.hu, a Hungarian e-commerce marketplace, for $900. The dataset reportedly contains approximately 492,000 records spanning three sections: Contacts (user PII including email, phone, full name, and login data), SellerProfiles (seller account details, tax IDs, business license numbers, and fraud/compliance flags), and SupportTickets (case management data including chat transcripts and customer satisfaction scores).
Date: 2026-06-01T00:21:44Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78449
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Hungary
Victim Industry: Retail
Victim Organization: Vatera
Victim Site: vatera.hu
Alleged data breach of Mobilfox (mobilfox.hu) exposing customer contacts, vehicle leads, and service appointments
Category: Data Breach
Content: A threat actor is selling an alleged database dump from Mobilfox, a Hungarian vehicle/telecom retailer, comprising approximately 312,000 records across three datasets: customer contacts, vehicle leads, and service appointments. Exposed fields include names, email addresses, phone numbers, addresses, vehicle details, financial deal values, and appointment records. The dataset is being offered for $1,100 with sample files hosted on Gofile.
Date: 2026-06-01T00:21:07Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78450
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Hungary
Victim Industry: Retail
Victim Organization: Mobilfox
Victim Site: mobilfox.hu
Alleged data breach of ugyvedek.net — Hungarian legal professionals contact database
Category: Data Breach
Content: A threat actor is selling a dataset allegedly sourced from ugyvedek.net, a Hungarian legal professionals platform, for $1,200. The dataset contains approximately 187,000 records spanning three sections: contacts (names, emails, phone numbers, addresses), consultation requests (legal inquiry details, assigned lawyer IDs, case data), and subscription management records. The data includes personally identifiable information and legal consultation details of clients and legal professionals.
Date: 2026-06-01T00:20:30Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78451
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Hungary
Victim Industry: Legal
Victim Organization: ugyvedek.net
Victim Site: ugyvedek.net
Sale of alleged database from Byjus Exam Prep containing student and guardian contact data
Category: Data Breach
Content: A threat actor is selling an alleged database originating from byjusexamprep.com, an Indian online education platform. The dataset reportedly contains approximately 592,000 records across three sections: student and guardian contact details (including names, addresses, phone numbers, password hashes, and social profiles), student enrollment records (including course fees, payment status, and academic session data), and user login session data (including IP addresses, device info, and MFA status)…
Date: 2026-06-01T00:19:48Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78452
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: India
Victim Industry: Education
Victim Organization: Byjus Exam Prep
Victim Site: byjusexamprep.com
Alleged data leak of French B2B company database scraped from public sources
Category: Data Leak
Content: A threat actor is sharing a database of companies registered in France, reportedly generated using IQUALIF, a tool that scrapes Yellow Pages and cross-references the SIREN business registry. The dataset allegedly includes landline and mobile phone numbers for French businesses, with the record count estimated at hundreds of thousands to potentially millions of entries. The data is made available behind a forum point-paywall.
Date: 2026-06-01T00:19:32Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-FRANCE-DATABASE-B2B-ALL-OF-THE-COMPANIES-REGISTERED-IN-FRANCE
Screenshots:
1 screenshot(s) available
Threat Actors: MartySupereme
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Fortis Healthcare exposing patient contact and admission records
Category: Data Breach
Content: A threat actor is selling an alleged dataset of 437,000 records originating from Fortis Healthcare, a major Indian hospital network. The dataset reportedly includes three interconnected sections: patient/contact personal information (name, DOB, phone, email, address), hospital admission records (ward assignments, physician details, billing codes, insurance policy IDs), and prospective patient inquiry leads. The data is being offered for $1,000 via Telegram.
Date: 2026-06-01T00:19:11Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78454
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: India
Victim Industry: Healthcare
Victim Organization: Fortis Healthcare
Victim Site: fortishealthcare.com
Alleged data breach of Wind Tre (windtre.it) exposing 563K Italian telecom customer profiles
Category: Data Breach
Content: A threat actor is selling an alleged dataset originating from Wind Tre (windtre.it), an Italian telecommunications provider, containing approximately 563,000 customer records. The dataset is structured across three sections — Contacts, Device Registrations, and Contract Subscriptions — and includes personal identifiers (name, date of birth, fiscal code, VAT number), contact details, hashed passwords, Wi-Fi credentials, device registration data, and contract/subscription information. Sample files…
Date: 2026-06-01T00:18:27Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78455
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Italy
Victim Industry: Telecommunications
Victim Organization: Wind Tre
Victim Site: windtre.it
Alleged data breach of Gruppo Ferrovie Italiane
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from Gruppo Ferrovie Italiane, Italys railway group, containing approximately 492,000 records. The dataset spans three sections — Contacts, Ticketing Support Requests, and Order History — and includes personally identifiable information such as names, addresses, email addresses, phone numbers, dates of birth, encrypted passwords, and CRM metadata. The data is being offered for sale on a dark web forum.
Date: 2026-06-01T00:17:49Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78456
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Italy
Victim Industry: Transportation
Victim Organization: Gruppo Ferrovie Italiane
Victim Site: gruppoferrovieitaliane.it

Detected Incidents Draft Data – 2026-05-31 (day before)

Sale of Fake Identity Document PSD Pack for Financial Platform Bypass
Category: Carding
Content: A threat actor is selling an editable PSD pack containing forged passports, drivers licenses, IDs, bank statements, and utility bills covering 70+ countries. The pack is explicitly marketed to bypass KYC verification on financial platforms including Coinbase, Revolut, Blockchain, and N26. The seller advertises availability via Telegram for long-term business arrangements.
Date: 2026-05-31T23:59:54Z
Network: openweb
Published URL: https://demonforums.net/Thread-PASSPORTS-DRIVER-S-LICENSE-ID-STATEMENT-UTILITY-BILL-PSD-PACK-70-COUNTRIES–206367
Screenshots:
1 screenshot(s) available
Threat Actors: Crefloo
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Cairo University
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from Cairo University (cu.edu.eg), containing approximately 748,000 records across three sections: contacts (students, faculty, staff with PII including national identity numbers, addresses, and phone numbers), student enrollment records, and authentication records including password hashes, IP addresses, and session data. The data is structured across interconnected tables and is being sold on a dark web forum.
Date: 2026-05-31T23:57:29Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78437
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Egypt
Victim Industry: Education
Victim Organization: Cairo University
Victim Site: cu.edu.eg
Free distribution of EMV carding tools including EMV Reader/Writer, ATR Tool, and smartcard utilities
Category: Carding
Content: A forum user is distributing a collection of EMV carding tools for free via Mega.nz, including EMV Reader/Writer 8.6, ATR Tool 7.0, IST Tool 7.0, ARQC Generator, Magnetic Stripe Reader/Writer, X2 SmartCard All-in-One with serial, and several other smartcard manipulation utilities. These tools are commonly used for cloning and manipulating payment card data on physical smartcards.
Date: 2026-05-31T23:57:01Z
Network: openweb
Published URL: https://crackingx.com/threads/77420/
Screenshots:
1 screenshot(s) available
Threat Actors: greyder39
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Karkkainen.com exposing customer contact, order, and address records
Category: Data Breach
Content: A threat actor is offering a dataset allegedly sourced from karkkainen.com, a Finnish retail organization, containing approximately 473,000 records. The dataset is structured across three sections covering customer contacts (including names, emails, phone numbers, and demographic details), order and payment records (including masked credit card data, payment methods, and transaction details), and billing/delivery address information. The data is being offered for sale on a dark web forum.
Date: 2026-05-31T23:56:44Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78439
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Finland
Victim Industry: Retail
Victim Organization: Karkkainen
Victim Site: karkkainen.com
Alleged data breach of Darty (darty.com) exposing 520K French retail customer records
Category: Data Breach
Content: A threat actor is offering for sale an alleged dataset from French electronics retailer Darty (darty.com) containing approximately 520,000 customer records. The dataset is structured across three sections covering customer contact details (including email, password hashes, birth date, and gender), delivery addresses, and billing information. The data reportedly includes PII such as full names, postal addresses, phone numbers, tax numbers, and company registration numbers.
Date: 2026-05-31T23:56:07Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78440
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: France
Victim Industry: Retail
Victim Organization: Darty
Victim Site: darty.com
Alleged data breach of Darty (darty.com) exposing ~428K French customer records
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from Darty, a French electronics retailer, containing approximately 428,000 customer records. The data is structured across three sections: customer contact information (including PII such as name, email, phone, address, date of birth, and gender), order history (including payment method, order amounts, and tracking details), and customer support tickets (including IP addresses, issue details, and satisfaction scores). Sample download li…
Date: 2026-05-31T23:55:28Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78441
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: France
Victim Industry: Retail
Victim Organization: Darty
Victim Site: darty.com
Alleged data breach of Chateau Primeur with business contacts, orders, and delivery records
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from chateauprimeur.com, a French wine retailer, comprising approximately 243,000 records. The dataset is organized into three sections — Contacts, Orders, and Deliveries — containing personal information such as names, addresses, phone numbers, emails, and order transaction details. Sample files are hosted on Gofile for prospective buyers.
Date: 2026-05-31T23:54:51Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78442
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: France
Victim Industry: Retail
Victim Organization: Chateau Primeur
Victim Site: chateauprimeur.com
Alleged data breach of Schaefer Shop (schaefer-shop.de)
Category: Data Breach
Content: A threat actor is offering an alleged customer database dump from German retailer Schaefer Shop containing approximately 742,000 records. The dataset is structured across three sections covering customer contact details (including name, email, phone, date of birth, and social media profiles), order history and behavioral analytics, and customer address information. Sample files have been shared via Gofile links.
Date: 2026-05-31T23:54:06Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78443
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Schaefer Shop
Victim Site: schaefer-shop.de
Alleged data breach of Unipark (unipark.de) exposing user contacts, study participation records, and consent data
Category: Data Breach
Content: A threat actor is offering a dataset allegedly sourced from unipark.de, a German academic survey platform, containing approximately 437,000 records. The data is structured across three sections: Contacts (including names, emails, phone numbers, addresses, and professions), Study Participation Records, and Subscription and Consent Information. The exposed fields include personally identifiable information, marketing preferences, and data consent statuses.
Date: 2026-05-31T23:53:22Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78444
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Germany
Victim Industry: Education
Victim Organization: Unipark
Victim Site: unipark.de
Alleged data breach of autoteile24.de exposing customer contacts, orders, and payment card data
Category: Data Breach
Content: A threat actor is offering a dataset allegedly originating from autoteile24.de, a German auto parts retailer, comprising approximately 742,000 records across three sections: customer contact details (names, emails, phone numbers, addresses), order records (billing, delivery, payment metadata), and payment card data including encrypted card numbers and expiry dates. The dataset is being sold and is structured across interconnected tables suggesting extraction from a CRM or e-commerce backend.
Date: 2026-05-31T23:52:41Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78445
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Germany
Victim Industry: Retail
Victim Organization: autoteile24.de
Victim Site: autoteile24.de
Alleged data breach of Broil King BBQ Greece
Category: Data Breach
Content: A threat actor is selling an alleged dataset from broilkingbbq.gr containing approximately 317,000 records across three sections: customer contacts (including names, emails, phone numbers, and addresses), product registrations (warranty and purchase details), and customer survey responses. The data is offered for $1,100 via Telegram contact, with forum escrow accepted.
Date: 2026-05-31T23:51:52Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78446
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Greece
Victim Industry: Retail
Victim Organization: Broil King BBQ Greece
Victim Site: broilkingbbq.gr
Alleged data breach of Fargo.uz logistics company – 980,000 records leaked
Category: Data Breach
Content: A database containing 980,000 records from Fargo.uz, a leading logistics service provider in Uzbekistan, has been leaked. The dataset includes detailed personal information: sender/recipient names, phone numbers (primary, secondary, tertiary), full addresses, email addresses, passport details (series and number), and address identifiers. The data is available in CSV/Text format via MediaFire download link.
Date: 2026-05-31T23:32:35Z
Network: telegram
Published URL: https://t.me/c/3500620464/9028
Screenshots:
1 screenshot(s) available
Threat Actors: Breach
Victim Country: Uzbekistan
Victim Industry: Logistics/E-commerce
Victim Organization: Fargo.uz
Victim Site: fargo.uz
Alleged data breach of GAP, Inc – 224K customer records with PII
Category: Data Breach
Content: Threat actor claims to have breached GAP, Inc and obtained 224,200 unique email addresses, 152,100 phone numbers, 146,100 home addresses, and customer account information related to loyalty programs and personal identifiable information (PII). Data appears to be offered for sale or distribution.
Date: 2026-05-31T23:20:54Z
Network: telegram
Published URL: https://t.me/c/3500620464/9027
Screenshots:
1 screenshot(s) available
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Retail
Victim Organization: GAP, Inc
Victim Site: gap.com
Alleged sale of 10 million Ticketmaster event ticket barcodes
Category: Data Breach
Content: Threat actor claiming to possess 10 million Ticketmaster e-ticket barcodes for major events (Taylor Swift, Jennifer Lopez, Justin Timberlake, Morgan Wallen, Foo Fighters, Kacey Musgraves, P!NK, Rolling Stones, Pearl Jam, Hozier) and offering them for sale at $10,000 USD. The actor claims these are printable e-tickets with non-rotating barcodes that can be used to print fraudulent tickets from home.
Date: 2026-05-31T23:17:34Z
Network: telegram
Published URL: https://t.me/c/3500620464/8996
Screenshots:
1 screenshot(s) available
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Entertainment/Ticketing
Victim Organization: Ticketmaster
Victim Site: ticketmaster.com
Sale of FedEx and UPS accounts with billing access
Category: Carding
Content: A threat actor is selling compromised FedEx and UPS accounts with billing enabled, including business accounts. Accounts are priced at $10 for FedEx and $20 for UPS with a minimum purchase of five accounts.
Date: 2026-05-31T22:45:38Z
Network: openweb
Published URL: https://patched.to/Thread-wts-fedex-ups-accounts-with-billing-enabled-business-308278
Screenshots:
1 screenshot(s) available
Threat Actors: kahnwalddjonas
Victim Country: Unknown
Victim Industry: Logistics
Victim Organization: Unknown
Victim Site: Unknown
Sale of initial access to APAC telecom provider and Eastern European B2B platform
Category: Initial Access
Content: A threat actor is selling access intelligence packages for two targets: an unnamed APAC telecom provider and an Eastern European B2B platform. The offering includes reverse-proxy configurations, unauthenticated API entrypoints, a pre-auth session bypass payload leveraging a leaked CSRF token, and internal Redis node metadata enabling network pivoting. Payment is requested in Monero via escrow.
Date: 2026-05-31T22:44:02Z
Network: openweb
Published URL: https://breachforu.ms/Thread-Sell-IAB-2-access-Telecom-target-Eastern-Europe-B2B-platform-Bonus
Screenshots:
1 screenshot(s) available
Threat Actors: whitespace
Victim Country: Unknown
Victim Industry: Telecommunications
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Executive Commission for Victim Assistance Quintana Roo (Mexico)
Category: Data Leak
Content: A threat actor known as Alz_157s claims to have leaked a SQL database belonging to the Executive Commission for Victim Assistance in Quintana Roo, Mexico. The data is being made available for free download on a known cybercrime forum. No record count or additional details were provided in the post.
Date: 2026-05-31T22:38:59Z
Network: openweb
Published URL: https://breached.su/threads/mexico-executive-commission-for-victim-assistance-quintana-roo.87785/unread
Screenshots:
1 screenshot(s) available
Threat Actors: alz
Victim Country: Mexico
Victim Industry: Government
Victim Organization: Executive Commission for Victim Assistance Quintana Roo
Victim Site: Unknown
Sale of stolen CVV/CC payment card data
Category: Carding
Content: A threat actor is advertising stolen CVV/CC payment card data for sale, claiming to have a large daily inventory of live and valid cards from multiple countries including the US, UK, Canada, Australia, Japan, and China. Cards are sold in fullz format including card number, expiration date, CVV2, cardholder name, and billing details. The seller offers replacements for dead cards and advertises bulk/reseller pricing via Telegram.
Date: 2026-05-31T22:18:39Z
Network: openweb
Published URL: https://altenens.is/threads/hello-everyone-we-are-looking-for-a-good-customers-to-buy-cvv-cc-and-do-business-long-term-cause-we-have-a-huge-cvv-cc-in-store-everyday-to-sell.2946680/unread
Screenshots:
2 screenshot(s) available
Threat Actors: Donegizo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Claude API tokens
Category: Data Leak
Content: A threat actor is freely distributing what they claim to be 2 million Claude API tokens. The content is hidden behind a registration/login wall on the forum. No further details about the origin or validity of the tokens are provided.
Date: 2026-05-31T22:10:40Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9D%A4%EF%B8%8F-free-ai-tokens-claude-api-2m-tokies-%E2%9D%A4%EF%B8%8F-308272
Screenshots:
1 screenshot(s) available
Threat Actors: JVZU
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Anthropic
Victim Site: anthropic.com
Alleged sale of administrative access to Compass.com
Category: Initial Access
Content: Threat actor offering full administrative access to Compass.com, a US-based real estate technology company valued at $7 billion. Access includes admin panel, user accounts, Okta, Stripe, Zendesk, Salesforce, GitHub accounts, internal network, and billions of data points. Seller claims ability to erase company systems and access all confidential documents and source code. Price: $30,000 USD.
Date: 2026-05-31T21:57:43Z
Network: telegram
Published URL: https://t.me/c/3500620464/9013
Screenshots:
3 screenshot(s) available
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Real Estate Technology
Victim Organization: Compass.com
Victim Site: compass.com
Alleged breach of Iranian nuclear facility with exfiltration of surveillance systems and classified documents
Category: Data Breach
Content: Threat actors claiming to have breached an unnamed Iranian nuclear facilitys surveillance and data systems. Alleged exfiltration includes 340GB of video footage from over 60 security cameras covering 5 years of activities, plus 20,000+ classified files totaling 550GB. Data is being offered for sale at $100k USD (negotiable). Breach date claimed as March 10, 2026. Contact via Telegram provided.
Date: 2026-05-31T21:57:31Z
Network: telegram
Published URL: https://t.me/c/3500620464/8998
Screenshots:
1 screenshot(s) available
Threat Actors: ShinyHunters
Victim Country: Iran
Victim Industry: Nuclear/Critical Infrastructure
Victim Organization: Iranian nuclear facility (unnamed)
Victim Site: Unknown
Alleged breach of French Weapons Information System (FR) – 62,511 weapon records with owner data
Category: Data Breach
Content: Threat actors claiming to have breached Frances centralized Weapons Information System database. The leaked dataset allegedly contains 62,511 unique weapon records including firearm specifications (type, make, model, serial numbers), legal classifications, owner identification (names, dates of birth, addresses, emails, phone numbers), transaction history (88% sales/transfers, 6% repairs), and prefectural authority contact information. Actors claim this was conducted by Nahyl, Dorian Dali, and As…
Date: 2026-05-31T21:56:58Z
Network: telegram
Published URL: https://t.me/c/3500620464/8977
Screenshots:
2 screenshot(s) available
Threat Actors: Shinyhunters
Victim Country: France
Victim Industry: Government/Law Enforcement
Victim Organization: French Government – Weapons Information System
Victim Site: Unknown
Alleged data leak of ZKTeco installation guides and related documents
Category: Data Leak
Content: A threat actor has leaked installation guides and other files allegedly belonging to ZKTeco, a biometric security and access control manufacturer. The files are being distributed freely via a Telegram link. The scope and sensitivity of the leaked documents beyond installation guides is unspecified.
Date: 2026-05-31T21:37:28Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DOCUMENTS-ZKTECO-Installation-Guides
Screenshots:
1 screenshot(s) available
Threat Actors: s1ethx7z
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: ZKTeco
Victim Site: zkteco.com
Alleged data leak of ZKTeco documents and installation guides
Category: Data Leak
Content: A threat actor has leaked documents and installation guides allegedly belonging to ZKTeco, a biometric and access control technology manufacturer. The files are being distributed via a Telegram channel link. No further details about the scope or origin of the data were provided.
Date: 2026-05-31T21:33:48Z
Network: openweb
Published URL: https://breached.su/threads/zkteco-documents-and-installation-guides.87784/unread
Screenshots:
1 screenshot(s) available
Threat Actors: s1ethx7z
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: ZKTeco
Victim Site: zkteco.com
Alleged data breach of Neiman Marcus – 182M customer profiles and 3M plaintext credit card numbers
Category: Data Breach
Content: ShinyHunters claims to have compromised Neiman Marcus infrastructure and obtained 182 million customer profiles including names, addresses, phone numbers, DOB, email, SSN last 4 digits, and 3 million plaintext credit card numbers. Additionally claims 70M transactions with full customer details, 50M customer emails with IP tracking, 12M gift card numbers, and 6 billion rows of customer shopping records and employee data. Threat actor is selling the data for $10,000 USD with contact information pr…
Date: 2026-05-31T21:24:21Z
Network: telegram
Published URL: https://t.me/c/3500620464/8959
Screenshots:
1 screenshot(s) available
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Retail
Victim Organization: Neiman Marcus
Victim Site: neimanmarcus.com
Alleged data breach of NVIDIA GeForce Now by ShinyHunters
Category: Data Breach
Content: ShinyHunters claims to have compromised NVIDIAs GeForce Now service and exfiltrated approximately 1.3 million user records from the backend. The alleged dataset includes first names, last names, verified email addresses, usernames/nicknames, dates of birth, membership status, 2FA/TOTP status, internal roles, access flags, and account creation dates. The threat actor is offering the data for sale at $5,000 USD.
Date: 2026-05-31T21:24:10Z
Network: telegram
Published URL: https://t.me/c/3500620464/8957
Screenshots:
1 screenshot(s) available
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Technology/Gaming
Victim Organization: NVIDIA
Victim Site: nvidia.com
Alleged data breach of Live Nation/TicketMaster – 560 million customer records
Category: Data Breach
Content: ShinyHunters threat actor claims to have breached Live Nation/TicketMaster and exfiltrated approximately 560 million customer records totaling 1.3TB of data. Stolen data includes full customer details (name, address, email, phone), ticket sales and event information, order details, credit card information (customer name, last 4 digits, expiration date), and customer fraud details. Data is being offered for sale at $50,000 USD. Contact information provided: Telegram @shsupportsh, XMPP shinyc0rpss…
Date: 2026-05-31T21:21:15Z
Network: telegram
Published URL: https://t.me/c/3500620464/8921
Screenshots:
1 screenshot(s) available
Threat Actors: ShinyHunters
Victim Country: United States
Victim Industry: Entertainment/Ticketing
Victim Organization: Live Nation Entertainment / TicketMaster
Victim Site: ticketmaster.com
Alleged data breach of National Credit Information Center of Vietnam – 160M+ records
Category: Data Breach
Content: ShinyHunters threat actor group is selling a full database dump from the National Credit Information Center of Vietnam containing 160 million+ records. The group claims to have database columns with customer financial information. Price listed at $10,000 USD. Contact via @shsupportsh on Telegram. Additional proof and download links provided via their Tor blog and direct HTTP links.
Date: 2026-05-31T21:20:47Z
Network: telegram
Published URL: https://t.me/c/3500620464/8884
Screenshots:
1 screenshot(s) available
Threat Actors: ShinyHunters
Victim Country: Vietnam
Victim Industry: Financial Services
Victim Organization: National Credit Information Center of Vietnam
Victim Site: Unknown
Alleged Gravity Bridge hack resulting in $5.4 million theft
Category: Cyber Attack
Content: Alleged compromise of Gravity Bridge cryptocurrency bridge resulting in theft of approximately $5.4 million. Post claims partial funds have been laundered through ChangeNow and Binance, with approximately 2100 ETH remaining in attackers account.
Date: 2026-05-31T21:12:48Z
Network: telegram
Published URL: https://t.me/c/1397463379/11411
Screenshots:
2 screenshot(s) available
Threat Actors: LZT
Victim Country: Unknown
Victim Industry: Cryptocurrency/Blockchain
Victim Organization: Gravity Bridge
Victim Site: gravitybridge.net
Sale of alleged patient records from Dallah Hospital, Saudi Arabia
Category: Data Breach
Content: A threat actor is offering for sale a dataset allegedly originating from Dallah Hospital in Saudi Arabia, containing approximately 56,000 sensitive patient records. The dataset includes patient names in Arabic and English, doctor details, visit dates, age, gender, department, and contact information. A sample file was provided via an external link, and the seller is accepting contact for pricing.
Date: 2026-05-31T21:09:56Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-SELL-Saudi-Arabia-dallah-hospital-com-hospital-56k-Sensitive-Patient-Records
Screenshots:
1 screenshot(s) available
Threat Actors: oaaaoxxz
Victim Country: Saudi Arabia
Victim Industry: Healthcare
Victim Organization: Dallah Hospital
Victim Site: dallah-hospital.com
Alleged data breach of the Hajj and Pilgrimage Organization in Iran
Category: Data Breach
Content: A threat actor is selling an alleged database dump from Irans Hajj and Pilgrimage Organization containing over 168 million records spanning 1984 to 2024. The dataset purportedly includes full personal identities, national codes (SSNs), passport details and scans, biometric photos, banking and payment information, travel and insurance records, and details on government officials, NAJA and Basij forces, and clerics. The actor is also claiming to possess source code for Hajj-related applications a
Date: 2026-05-31T21:08:38Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-SELLING-The-Hajj-and-Pilgrimage-Organization-in-Iran-168-000-000-DB-Records
Screenshots:
1 screenshot(s) available
Threat Actors: irleak
Victim Country: Iran
Victim Industry: Government
Victim Organization: Hajj and Pilgrimage Organization
Victim Site: Unknown
Alleged data breach of CEX Spain
Category: Data Breach
Content: A threat actor is selling an alleged full database of CEX Spain containing over 1 million records. The dataset reportedly includes full names, email addresses, phone numbers, birth dates, store credit balances, postal addresses, and order information. The seller is asking $350 in cryptocurrency and can be contacted via Telegram.
Date: 2026-05-31T21:02:44Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-SELLING-CEX-SPAIN-FULL-DATABASE-1M
Screenshots:
1 screenshot(s) available
Threat Actors: cexleaked
Victim Country: Spain
Victim Industry: Retail
Victim Organization: CEX
Victim Site: es.webuy.com
Alleged data leak of 2020 Delaware voter lists and Delaware Rifle & Pistol Club member records
Category: Data Leak
Content: A threat actor claims to have found and is freely distributing two files obtained from an exposed Amazon S3 bucket: a 2020 Delaware voter list (183.2 MB archive) and a 2022 membership list for the Delaware Rifle & Pistol Club (106.2 KB CSV). The post alleges the data includes members of the Biden family.
Date: 2026-05-31T20:59:10Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-2020-Delaware-Voter-lists-Members-Delaware-Rifle-Pistol-Club
Screenshots:
1 screenshot(s) available
Threat Actors: OriginalCrazyOldFart
Victim Country: United States
Victim Industry: Government
Victim Organization: Delaware Rifle & Pistol Club / Delaware State Voter Registry
Victim Site: Unknown
Alleged data breach of GamaSoft Colombia
Category: Data Leak
Content: A threat actor claims to have exfiltrated over 150GB of data from GamaSoft Colombia, a POS software provider serving the food and beverage sector. The leaked data allegedly includes MySQL database dumps, client records with personal identifiers (names, addresses, phone numbers, emails, tax IDs), software installers, invoices, inventory data, and backups dating to 2015. Multiple archive files have been made available, with sample records from client-facing databases provided as proof.
Date: 2026-05-31T20:55:58Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-gamasoftcol-com-database-clients-software
Screenshots:
1 screenshot(s) available
Threat Actors: tillthaend
Victim Country: Colombia
Victim Industry: Technology
Victim Organization: GamaSoft Colombia
Victim Site: gamasoftcol.com
Alleged data leak of French homeowner database with 555K records
Category: Data Leak
Content: A threat actor has freely distributed a database purportedly containing personal information on approximately 555,000 single-home owners across France. The post claims the dataset was previously shared on the same forum before being removed. No source organization or breach origin is identified.
Date: 2026-05-31T20:54:34Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-FRANCE-DATABASE-555K-OF-HOME-OWNERS-DATA
Screenshots:
1 screenshot(s) available
Threat Actors: MartySupereme
Victim Country: France
Victim Industry: Real Estate
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of avantages-enseignants.fr
Category: Data Breach
Content: A threat actor is offering a database allegedly sourced from avantages-enseignants.fr, a French platform serving teachers and National Education staff. The post claims 126,000 records and provides download links accessible via forum points.
Date: 2026-05-31T20:53:01Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-FR-126K-avantages-enseignants-fr
Screenshots:
1 screenshot(s) available
Threat Actors: kvantize
Victim Country: France
Victim Industry: Education
Victim Organization: avantages-enseignants.fr
Victim Site: avantages-enseignants.fr
Website Defacement of Sofiha Cloud by Marleng1337 of Midas Haxor Team
Category: Defacement
Content: On June 1, 2026, the threat actor Marleng1337, operating under the Midas Haxor Team, defaced a page on sofihacloud.com, a cloud services provider. The attack targeted a specific page (mrlg.php) rather than the homepage, indicating a targeted single-page defacement. No mass or redefacement indicators were observed, and server details remain unknown.
Date: 2026-05-31T20:45:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930433
Screenshots:
1 screenshot(s) available
Threat Actors: Marleng1337, Midas Haxor Team
Victim Country: Unknown
Victim Industry: Technology / Cloud Services
Victim Organization: Sofiha Cloud
Victim Site: www.sofihacloud.com
Sale of 152 Canadian payment cards (CCs)
Category: Carding
Content: A threat actor is sharing 152 Canadian payment cards sourced from BIN-based methods. The post claims the cards have been used to hit Spotify Premium accounts and encourages others to use them for fraudulent activity. Content is gated behind registration or login.
Date: 2026-05-31T20:42:27Z
Network: openweb
Published URL: https://patched.to/Thread-152-canada-ccs
Screenshots:
1 screenshot(s) available
Threat Actors: imnotskyzzz
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of RDP access and compromised cloud accounts
Category: Initial Access
Content: Threat actor offering rental of RDP access to Azure, AWS, and Digital Ocean infrastructure on daily/monthly basis at $200. Also selling compromised domain email accounts, Gmail, Yahoo accounts, GitHub Student accounts, and subscription services (ChatGPT Plus, Claude, ElevenLabs Creator Plan). Escrow service offered.
Date: 2026-05-31T17:59:32Z
Network: telegram
Published URL: https://t.me/c/2613583520/94308
Screenshots:
1 screenshot(s) available
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of compromised Twitter accounts with follower-based pricing
Category: Initial Access
Content: Threat actor offering to sell Twitter accounts categorized by follower count (0-29, 30+, 100-500, 500-999, 1k-10k+ followers) with aged tokens. Pricing ranges from $0.3 to $9 per thousand followers. Accounts include Gold, Grey, and Blue tier classifications with crypto-follower targeting.
Date: 2026-05-31T17:55:29Z
Network: telegram
Published URL: https://t.me/c/2613583520/94302
Screenshots:
1 screenshot(s) available
Threat Actors: Raphee
Victim Country: Unknown
Victim Industry: Social Media
Victim Organization: Twitter
Victim Site: twitter.com
Alleged exploitation of vulnerable MikroTik RouterOS device
Category: Cyber Attack
Content: Threat actor discusses compromising a MikroTik RB951Ui-2nD device running outdated RouterOS version 6.40.8 with known critical vulnerabilities. The device had not been rebooted or updated for 136 days, making it an easy target for exploitation.
Date: 2026-05-31T17:00:15Z
Network: telegram
Published URL: https://t.me/c/2735908986/4586
Screenshots:
1 screenshot(s) available
Threat Actors: Infrastructure Destruction Squad
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Entrepreneur database with 1.9 million records
Category: Data Leak
Content: A threat actor has freely shared an alleged database dump attributed to Entrepreneur, containing approximately 1.9 million records. The sample includes fields such as email address, first and last name, and full mailing address. The data appears to target US-based individuals.
Date: 2026-05-31T16:59:15Z
Network: openweb
Published URL: https://breachforu.ms/Thread-REPOST-Entrepreneuer-1-9M-RECORDS
Screenshots:
1 screenshot(s) available
Threat Actors: N3tw0rkSh4d0w
Victim Country: United States
Victim Industry: Media
Victim Organization: Entrepreneur
Victim Site: entrepreneur.com
Alleged cyber attack on Noi Bai International Airport resulting in complete network infrastructure destruction
Category: Cyber Attack
Content: Claim of successful cyber attack against Noi Bai International Airport in Vietnam. Alleged attackers disabled entire network infrastructure including all main router interfaces, wireless services, internal network bridges, and primary internet connectivity. Claims all connected devices were removed from router records, administration settings were altered, VoIP systems taken offline, and five internal devices isolated.
Date: 2026-05-31T16:58:31Z
Network: telegram
Published URL: https://t.me/c/2735908986/4585
Screenshots:
1 screenshot(s) available
Threat Actors: Infrastructure Destruction Squad
Victim Country: Vietnam
Victim Industry: Transportation/Aviation
Victim Organization: Noi Bai International Airport
Victim Site: Unknown
Alleged leak of 4,000 passport scans and photos
Category: Data Leak
Content: A threat actor has freely shared a collection of 4,000 passport scans and associated pictures of mixed nationality. The files are available via two download links posted on the forum. No source organization or breach origin is identified in the post.
Date: 2026-05-31T16:45:47Z
Network: openweb
Published URL: https://breached.su/threads/4000-sets-passport-scan-pictures-mixed.87783/unread
Screenshots:
1 screenshot(s) available
Threat Actors: adminpidor
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged infrastructure attack on Noi Bai International Airport (Hanoi, Vietnam)
Category: Cyber Attack
Content: Threat actor claims to have disabled internal network and router systems at Noi Bai International Airport in Hanoi, Vietnam, resulting in system downtime. Post advises monitoring systems due to alleged outage.
Date: 2026-05-31T16:43:25Z
Network: telegram
Published URL: https://t.me/c/2735908986/4582
Screenshots:
1 screenshot(s) available
Threat Actors: Infrastructure Destruction Squad
Victim Country: Vietnam
Victim Industry: Transportation/Aviation
Victim Organization: Noi Bai International Airport
Victim Site: Unknown
Alleged unauthenticated RCE vulnerability in Exim (CVE-2026-45185)
Category: Vulnerability
Content: A post details CVE-2026-45185, a use-after-free vulnerability in the Exim mail transfer agent affecting systems using GnuTLS (common on Debian-based distributions including Ubuntu). The flaw is triggered during TLS shutdown in combination with BDAT chunked processing, resulting in a single-byte write to freed memory that corrupts allocator metadata and enables unauthenticated remote code execution. The writeup describes both technical exploitation methodology and the use of LLM-assisted exploit
Date: 2026-05-31T16:30:00Z
Network: openweb
Published URL: https://tier1.life/thread/272
Screenshots:
4 screenshot(s) available
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of US Debit Leads from Bad Credit Loan Services
Category: Data Leak
Content: A threat actor is freely distributing a dataset of approximately 3 million US debit leads containing full names, email addresses, phone numbers, phone carriers, and source URLs attributed to loan services including badcreditloans.com and cashusa.com. The data appears to originate from loan application submissions and is being shared on a breach forum as a repost.
Date: 2026-05-31T16:22:39Z
Network: openweb
Published URL: https://breachforu.ms/Thread-REPOST-DEBIT-LEADS-USA-3M-RECORD
Screenshots:
1 screenshot(s) available
Threat Actors: N3tw0rkSh4d0w
Victim Country: United States
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: badcreditloans.com
Mass Redefacement of Kanda School Website by Threat Actor Zod
Category: Defacement
Content: Threat actor Zod conducted a mass defacement campaign targeting official-kanda-school.com, marking this as a redefacement of a previously compromised site. The attack was carried out on a Linux-based server and is part of a broader mass defacement operation. A mirror of the defacement has been archived at haxor.id.
Date: 2026-05-31T16:11:10Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249745
Screenshots:
1 screenshot(s) available
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Kanda School
Victim Site: official-kanda-school.com
Mass Website Defacement of Japanese Educational Institution by Threat Actor Zod
Category: Defacement
Content: Threat actor Zod conducted a mass defacement campaign targeting kandaschool1.xsrv.jp, a Japanese educational institution hosted on a Linux server. The attacker deployed a defacement page at the /zod.html path on May 31, 2026. This incident is part of a broader mass defacement operation attributed to the Zod threat actor.
Date: 2026-05-31T16:10:27Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249747
Screenshots:
1 screenshot(s) available
Threat Actors: Zod, Zod
Victim Country: Japan
Victim Industry: Education
Victim Organization: Kanda School
Victim Site: kandaschool1.xsrv.jp
Mass Redefacement of uriage-news.com by Threat Actor Zod
Category: Defacement
Content: Threat actor Zod conducted a mass defacement campaign targeting uriage-news.com, a Japanese news website hosted on a Linux server. This incident is categorized as both a mass defacement and a redefacement, indicating the attacker had previously compromised the same target. The defaced page was archived at haxor.id with mirror ID 249744.
Date: 2026-05-31T16:09:38Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249744
Screenshots:
1 screenshot(s) available
Threat Actors: Zod, Zod
Victim Country: Japan
Victim Industry: News & Media
Victim Organization: Uriage News
Victim Site: uriage-news.com
Website Defacement of WPProService by Threat Actor Zod
Category: Defacement
Content: On May 31, 2026, a threat actor operating under the alias Zod defaced a subdomain of wpproservice.com, a WordPress hosting and web services provider. The defacement targeted a specific page (zod.html) on a Linux-based server and was not classified as a mass or home page defacement. The incident was archived and mirrored via haxor.id.
Date: 2026-05-31T16:08:56Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249749
Screenshots:
1 screenshot(s) available
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Web Hosting / Technology Services
Victim Organization: WPProService
Victim Site: laureno2017.wpproservice.com
Mass Defacement of K-School Website by Threat Actor Zod
Category: Defacement
Content: Threat actor Zod conducted a mass defacement targeting official-k-school.com, replacing the content of the page at /zod.html. This incident is classified as both a mass defacement and a redefacement, indicating the attacker had previously compromised this or related targets. The attack was carried out on a Linux-based server on May 31, 2026.
Date: 2026-05-31T16:08:13Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249746
Screenshots:
1 screenshot(s) available
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Education
Victim Organization: K-School
Victim Site: official-k-school.com
Mass Website Defacement by Threat Actor Zod Targeting WordPress Hosting Provider
Category: Defacement
Content: On May 31, 2026, threat actor Zod conducted a mass defacement campaign targeting a subdomain hosted on wpproservice.com, a WordPress hosting/services provider. The attacker defaced the page at zod.html on a Linux-based web server, marking it as part of a broader mass defacement operation. This incident is classified as a mass defacement, suggesting multiple sites or subdomains within the same hosting infrastructure may have been compromised simultaneously.
Date: 2026-05-31T16:07:13Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249750
Screenshots:
1 screenshot(s) available
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Web Hosting / Technology Services
Victim Organization: WP Pro Service
Victim Site: vweatherby.wpproservice.com
Mass Defacement of Egypt Tours Website by Threat Actor Zod
Category: Defacement
Content: Threat actor Zod conducted a mass defacement campaign targeting ceciliaegypttours.com, a travel and tourism website associated with Egypt tour services. The defacement was deployed on a Linux-based server and is part of a broader mass defacement operation. The incident was archived and mirrored via haxor.id on May 31, 2026.
Date: 2026-05-31T16:06:16Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249748
Screenshots:
1 screenshot(s) available
Threat Actors: Zod, Zod
Victim Country: Egypt
Victim Industry: Travel and Tourism
Victim Organization: Cecilia Egypt Tours
Victim Site: ceciliaegypttours.com
Mass Website Defacement by Threat Actor Zod Targeting WordPress Hosting Service
Category: Defacement
Content: Threat actor Zod conducted a mass defacement campaign targeting a subdomain hosted on wpproservice.com, a WordPress hosting/services platform, on May 31, 2026. The attack was identified as part of a mass defacement operation running on a Linux-based server. The defaced page was archived via haxor.id, a known defacement mirroring service.
Date: 2026-05-31T16:05:26Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249751
Screenshots:
1 screenshot(s) available
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Web Hosting / Technology Services
Victim Organization: WP Pro Service
Victim Site: zaphiro13.wpproservice.com
Alleged leak of China and Taiwan passport scans
Category: Data Leak
Content: A threat actor has freely distributed a collection of 30 passport scans belonging to individuals from China and Taiwan. The documents are described as organized and non-expired. The files are available via multiple hosting links protected by an archive password.
Date: 2026-05-31T15:59:35Z
Network: openweb
Published URL: https://crackingx.com/threads/77384/
Screenshots:
1 screenshot(s) available
Threat Actors: ketrin
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Tape à lOeil (TAOKIDS.COM) exposing 1.7 million customer records
Category: Data Breach
Content: A threat actor affiliated with the LAPSUS$ group claims to be selling a database allegedly breached from French childrens retailer Tape à lOeil (taokids.com) for 120€. The purported dataset contains 1.7 million customer records including full PII such as names, dates of birth, email addresses, phone numbers, postal addresses, account activity, and childrens personal details. Sample records included in the post appear to contain structured JSON data consistent with a customer database dump.
Date: 2026-05-31T15:51:11Z
Network: openweb
Published URL: https://breachforu.ms/Thread-FR-TAOKIDS-COM-1-2M-CUSTOMERS–189802
Screenshots:
1 screenshot(s) available
Threat Actors: xmrcat
Victim Country: France
Victim Industry: Retail
Victim Organization: Tape à lOeil
Victim Site: taokids.com
Sale of HTML phishing payload builder with 24 templates and FUD capabilities
Category: Phishing
Content: A threat actor is selling a file-to-HTML converter and payload delivery framework marketed as 100% FUD, featuring 24 lure templates impersonating services such as Adobe, OneDrive, DocuSign, and Google Drive. The tool embeds encrypted payloads in HTML/HTM/SVG files compatible with Gmail attachments, with options for multi-OS targeting, chained execution, password protection, and one-time download links. Pricing ranges from $100/month to $600/year on a subscription basis.
Date: 2026-05-31T15:47:08Z
Network: openweb
Published URL: https://hackforums.net/showthread.php?tid=6326290
Screenshots:
2 screenshot(s) available
Threat Actors: PUSU
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Claude API key with 2 million tokens
Category: Data Leak
Content: A forum user is freely sharing an alleged Claude API key with 2 million tokens remaining. The post directs users to an external site (tokies.lol) for additional offerings. No details are provided about how the key was obtained.
Date: 2026-05-31T15:44:05Z
Network: openweb
Published URL: https://cracked.st/Thread-FREE-CLAUDE-API-KEY-2M-TOKENS-AI-TOKIES
Screenshots:
1 screenshot(s) available
Threat Actors: JVZU
Victim Country: United States
Victim Industry: Technology
Victim Organization: Anthropic
Victim Site: anthropic.com
Alleged data leak of Astrolink.io user database
Category: Data Leak
Content: A threat actor has leaked an alleged database from astrolink.io containing 500 user records including email addresses and usernames. The data is made available behind a registration/login wall on the forum.
Date: 2026-05-31T15:38:58Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-astrolink-io-all-users
Screenshots:
1 screenshot(s) available
Threat Actors: yeblan
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Astrolink
Victim Site: astrolink.io
Website Defacement of Ayuzing by CiaoxD_ of Brotherhood Capung Indonesia
Category: Defacement
Content: On May 31, 2026, the website www.ayuzing.com was defaced by threat actor CiaoxD_, operating under the group Brotherhood Capung Indonesia. The attack targeted the homepage of the site in a single targeted defacement operation. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-05-31T15:26:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930424
Screenshots:
1 screenshot(s) available
Threat Actors: CiaoxD_, Brotherhood Capung Indonesia
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Ayuzing
Victim Site: www.ayuzing.com
Alleged data breach of AT&T Mobile consumer database
Category: Data Breach
Content: A threat actor is selling an alleged AT&T Mobile consumer database containing 500,000+ records dated 2025. The dataset includes full names, mobile and secondary phone numbers, street addresses, and email addresses in CSV/TXT format. The seller is directing buyers to a Telegram handle for purchase.
Date: 2026-05-31T15:15:00Z
Network: openweb
Published URL: https://breachforu.ms/Thread-USA-AT-T-Mobile-Consumer-Database-2025
Screenshots:
1 screenshot(s) available
Threat Actors: Vyntra
Victim Country: United States
Victim Industry: Telecommunications
Victim Organization: AT&T
Victim Site: att.com
Alleged sale of RDP access and compromised accounts
Category: Initial Access
Content: Threat actor offering rental access to RDP servers hosted on Azure, AWS, and DigitalOcean for $200 daily/monthly rates. Also selling compromised domain email accounts, Gmail, Yahoo accounts, GitHub Student accounts, and unauthorized access to ChatGPT Plus and Claude subscriptions. Using escrow service for transactions.
Date: 2026-05-31T15:11:09Z
Network: telegram
Published URL: https://t.me/c/2613583520/94236
Screenshots:
1 screenshot(s) available
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Nandos employee database
Category: Data Breach
Content: A threat actor is selling an alleged employee database from Nandos, claimed to have been breached as of May 30, 2026. The dataset reportedly contains 87,000 records including full names, job titles, phone numbers, emails, employment locations, salary information, and cost center data for past and current employees, primarily from the UK and Ireland. The data is being offered for sale at $1,000 USD.
Date: 2026-05-31T15:06:06Z
Network: openweb
Published URL: https://breached.su/threads/nandos-employee-database-phone-email.87781/unread
Screenshots:
1 screenshot(s) available
Threat Actors: failing2
Victim Country: United Kingdom
Victim Industry: Retail
Victim Organization: Nandos
Victim Site: nandos.co.uk
Alleged data leak of the Ministry of Religious Affairs of Indonesia
Category: Data Leak
Content: A threat actor on a cybercrime forum claims to be freely sharing a database allegedly belonging to the Indonesian Ministry of Religious Affairs. No further details are available from the post content.
Date: 2026-05-31T15:05:13Z
Network: openweb
Published URL: https://breached.su/threads/besplatnaa-baza-dannyh-baza-dannyh-ministerstva-po-delam-religii-v-indonezii.87780/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Mrsawit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Ministry of Religious Affairs of Indonesia
Victim Site: Unknown
Alleged sale of webshell access to US-based .com domain
Category: Initial Access
Content: Threat actor offering webshell access to a US-based .com website for sale. Post indicates 1 remaining stock with domain authority (DA) 6 and page authority (PA) 20, all directories accessible (DIR ALL GREEN). Contact via Telegram for purchase inquiries.
Date: 2026-05-31T14:47:22Z
Network: telegram
Published URL: https://t.me/c/3528849141/364
Screenshots:
1 screenshot(s) available
Threat Actors: mrsonicxtct
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Forex and Crypto FTD Leads for Germany and Austria
Category: Data Breach
Content: A threat actor is selling first-time depositor (FTD) leads associated with the forex/crypto broker InfinityFX, totaling approximately 51,179 records across Germany (37,212) and Austria (13,967). The dataset includes personally identifiable information such as full name, phone number, email address, balance details, KYC status, and sales agent attribution, with sample records dated April 2024. The seller is directing interested buyers to contact them via direct message.
Date: 2026-05-31T14:45:42Z
Network: openweb
Published URL: https://breachforu.ms/Thread-Germany-and-Austria-Forex-crypto-ftd-leads
Screenshots:
1 screenshot(s) available
Threat Actors: Manik123
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: InfinityFX
Victim Site: Unknown
Alleged data breach of chilledsites.com
Category: Data Breach
Content: A threat actor has leaked an alleged database dump from chilledsites.com, a web3 AI platform, containing approximately 1,000 records. Exposed data includes email addresses, wallet addresses, Telegram usernames, WhatsApp numbers, authentication provider details, referral stats, and other profile metadata. The data is available to registered forum members via a hidden download link.
Date: 2026-05-31T14:35:03Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-chilledsites-com-web3-ai-site
Screenshots:
1 screenshot(s) available
Threat Actors: yeblan
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Chilled Sites
Victim Site: chilledsites.com
Alleged sale of forged identity documents across multiple countries
Category: Phishing
Content: Threat actor offering forged identity documents including national IDs (+70 countries), drivers licenses (+36 countries), and passports (+86 countries). Bulk purchase discounts available. Payment accepted in cryptocurrency via direct message. Service explicitly stated as non-physical (digital/fraudulent documents).
Date: 2026-05-31T14:26:37Z
Network: telegram
Published URL: https://t.me/c/2613583520/94206
Screenshots:
1 screenshot(s) available
Threat Actors: Selin
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of HQ CC Dump Service by s2lender
Category: Carding
Content: A threat actor operating as s2lender is selling access to a private credit card dump service, advertising 4,000–12,000 fresh CC dumps daily. Membership plans range from $10 for 3-day access to $200 for lifetime access. The service is marketed as exclusive, private, and encrypted.
Date: 2026-05-31T14:20:41Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-999x-hq-cc-dump-by-s2lender-txt
Screenshots:
1 screenshot(s) available
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Newport Cigarette Smoker Database
Category: Data Leak
Content: A threat actor has shared an alleged database of 414,000 Newport cigarette smokers, containing fields including email address, full name, physical address, age, gender, income, and cigarette brand. The data appears to cover US residents primarily across the Northeast. The post provides a sample and offers the full dataset via hidden content requiring forum registration.
Date: 2026-05-31T14:09:36Z
Network: openweb
Published URL: https://breachforu.ms/Thread-REPOST-NewPort-Cigarette-Smoker-Database-414-000-records-with-emails
Screenshots:
1 screenshot(s) available
Threat Actors: N3tw0rkSh4d0w
Victim Country: United States
Victim Industry: Retail
Victim Organization: Newport (Lorillard/Reynolds American)
Victim Site: Unknown
Alleged data breach of SocialCatfish.com
Category: Data Breach
Content: A threat actor operating under the alias DataDaddy is offering for sale an alleged database dump from socialcatfish.com containing credentials for approximately 1 million users in combolist format. The post includes a sample of plaintext email and password pairs as proof. Further details are available via direct message.
Date: 2026-05-31T13:36:39Z
Network: openweb
Published URL: https://breachforu.ms/Thread-socialcatfish-com-1m
Screenshots:
1 screenshot(s) available
Threat Actors: DataDaddy
Victim Country: United States
Victim Industry: Technology
Victim Organization: Social Catfish
Victim Site: socialcatfish.com
Sale of Hotmail inbox checker tool source code
Category: Phishing
Content: A threat actor is distributing the full Python source code for a Hotmail inboxer tool (V3), advertised with a CPM of 20,000 and 0% skip rate. The tool appears designed for credential stuffing or inbox validation against Hotmail accounts. The author also advertises paid custom checker development via Telegram.
Date: 2026-05-31T13:00:50Z
Network: openweb
Published URL: https://patched.to/Thread-non-auth-v3-hotmail-inboxer-full-source-v3-2026-python-anasxzerm-anasxzer00
Screenshots:
1 screenshot(s) available
Threat Actors: anasxzer00
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Air Austral (air-austral.com)
Category: Data Leak
Content: A threat actor using the handle ChimeraZ has freely leaked an alleged database of Air Austral, a French airline operating in the Indian Ocean region. The dataset, approximately 125 KB in JSON format, contains approximately 1,000 records including employee names, email addresses, job titles, departments, and locations. Multiple public file-hosting download links were provided.
Date: 2026-05-31T12:55:41Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-FR-1K-Air-austral-com
Screenshots:
1 screenshot(s) available
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: Aviation
Victim Organization: Air Austral
Victim Site: air-austral.com
Website Defacement of IPS-EEC by CiaoxD_ of Brotherhood Capung Indonesia
Category: Defacement
Content: On May 31, 2026, the website ips-eec.com was defaced by threat actor CiaoxD_, operating under the Indonesian hacktivist group Brotherhood Capung Indonesia. The attack resulted in a homepage defacement, replacing the original content with the attackers messaging. No mass defacement campaign or prior redefacement was associated with this incident.
Date: 2026-05-31T12:38:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930423
Screenshots:
1 screenshot(s) available
Threat Actors: CiaoxD_, Brotherhood Capung Indonesia
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: IPS-EEC
Victim Site: ips-eec.com
Carding training course offered by Darkode1
Category: Carding
Content: A threat actor operating as Darkode1 is selling a carding training course for 1,500 USD plus 200 USD in materials, payable in cryptocurrency. The course covers topics including working with stolen card data (VISA, MasterCard, UnionPay), bypassing anti-fraud systems, exploiting BINs and FULLz CC data, using drops and intermediaries, and cashing out via gift cards, Amazon schemes, and physical goods pickup. The curriculum also includes use of stealer logs, anti-detect browsers, and brute-forcing
Date: 2026-05-31T12:36:39Z
Network: openweb
Published URL: https://breachforu.ms/Thread-Carding-Training-from-Darkode1
Screenshots:
2 screenshot(s) available
Threat Actors: Darkode1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of SwordFantasy database containing 3.2M+ business records
Category: Data Breach
Content: A threat actor is offering for sale a database attributed to SwordFantasy, containing over 3.2 million records in CSV, Excel, and JSON formats. The dataset includes company names, industries, locations, business websites, company sizes, and public contact information. The seller is advertising the data via Telegram for market research and business intelligence use cases.
Date: 2026-05-31T12:04:12Z
Network: openweb
Published URL: https://breachforu.ms/Thread-SwordFantasy-Database-%E2%80%93-3-2M-Records
Screenshots:
1 screenshot(s) available
Threat Actors: Vyntra
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: SwordFantasy
Victim Site: Unknown
Mass Defacement of K-School Website by EbRaHiM-VaKeR (LegioN LeakeR)
Category: Defacement
Content: On May 31, 2026, threat actor EbRaHiM-VaKeR, affiliated with the Telegram-based group LegioN LeakeR, conducted a mass defacement campaign targeting official-k-school.com, a Linux-hosted educational website. The defacement was part of a broader mass defacement operation rather than a targeted single-site attack. The incident was archived and mirrored on haxor.id, indicating deliberate documentation of the attack for notoriety.
Date: 2026-05-31T11:42:37Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249742
Screenshots:
1 screenshot(s) available
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Education
Victim Organization: K-School
Victim Site: official-k-school.com
Mass Defacement of Kanda School Website by EbRaHiM-VaKeR (LegioN_LeakeR)
Category: Defacement
Content: The website official-kanda-school.com, associated with Kanda School, was defaced by threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR. The incident was classified as a mass defacement campaign targeting a Linux-based web server. A mirror of the defacement was archived at haxor.id on May 31, 2026.
Date: 2026-05-31T11:40:43Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249743
Screenshots:
1 screenshot(s) available
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Kanda School
Victim Site: official-kanda-school.com
Website defacement of uriage-news.com by EbRaHiM-VaKeR of LegioN_LeakeR
Category: Defacement
Content: The website uriage-news.com was defaced by threat actor EbRaHiM-VaKeR, affiliated with the Telegram-based group LegioN_LeakeR, on May 31, 2026. The defacement targeted a specific text file path on the domain and was not classified as a mass or home page defacement. The incident was archived and mirrored by zone-xsec.com for public record.
Date: 2026-05-31T11:34:00Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930420
Screenshots:
1 screenshot(s) available
Threat Actors: EbRaHiM-VaKeR, T. me/LegioN_LeakeR
Victim Country: Unknown
Victim Industry: News & Media
Victim Organization: Uriage News
Victim Site: uriage-news.com
Website Defacement of Uriage News by EbRaHiM-VaKeR (LegioN_LeakeR)
Category: Defacement
Content: On May 31, 2026, the website uriage-news.com was defaced by threat actor EbRaHiM-VaKeR, affiliated with the Telegram group LegioN_LeakeR. The attack targeted a Linux-based web server hosting what appears to be a French news outlet, likely associated with Uriage-les-Bains, a commune in France. The defacement was an individual targeted attack rather than a mass or redefacement campaign.
Date: 2026-05-31T11:30:58Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249741
Screenshots:
1 screenshot(s) available
Threat Actors: EbRaHiM-VaKeR, T.me/LegioN_LeakeR
Victim Country: France
Victim Industry: Media and News
Victim Organization: Uriage News
Victim Site: uriage-news.com
Carding and payment fraud service offering via Telegram
Category: Carding
Content: A forum user is advertising PayPal and Stripe holding services via Telegram under the handle fknmega. The post provides no further details about the specific services offered. This is consistent with fraudulent payment processing or cashout services.
Date: 2026-05-31T11:29:18Z
Network: openweb
Published URL: https://cracked.st/Thread-PayPal-and-Stripe-Holding
Screenshots:
1 screenshot(s) available
Threat Actors: fknMega
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Brazilian banking correspondent credentials with access to government financial databases
Category: Initial Access
Content: A threat actor is selling 250 banking correspondent accounts with access to over 800,000 consults, claiming full permissions to query data from Brazilian government databases including INSS (retirees), SIAPE (federal public servants), state and municipal governments, and CLT/FGTS worker records. The accounts allegedly expose highly sensitive personal and financial data including CPF, RG, benefit details, loan margins, and credit card margins. The seller provides a Tox contact for negotiation.
Date: 2026-05-31T11:25:51Z
Network: openweb
Published URL: https://breachforu.ms/Thread-SELLING-250x-Fresh-accounts-Corban-Credentials
Screenshots:
1 screenshot(s) available
Threat Actors: 0bytesz
Victim Country: Brazil
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
ATM Card Cloning Tools Shared on Cybercrime Forum
Category: Carding
Content: A forum user shared cracked ATM card cloning tools via download links on a cybercrime forum. The post describes techniques targeting debit/credit card magnetic stripes and chips across ATMs, point-of-sale systems, and online banking users. The author also advertises additional tools available for purchase via Telegram.
Date: 2026-05-31T11:23:54Z
Network: openweb
Published URL: https://spear.cx/Thread-Free-ATM-Card-Cloning-Tools-Cracked
Screenshots:
1 screenshot(s) available
Threat Actors: zerodark
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Iraqi Companies Registrar (rss.gov.iq)
Category: Data Breach
Content: A threat actor is selling an alleged database dump from rss.gov.iq, an Iraqi government entity. The dataset purportedly contains personal information on over 450,000 employees including passport and ID details, along with company and holder records totaling over 100,000 entries. The seller is asking $200 and has provided sample screenshots as proof.
Date: 2026-05-31T10:56:07Z
Network: openweb
Published URL: https://breachforu.ms/Thread-rss-gov-iq-full-leaked-database
Screenshots:
1 screenshot(s) available
Threat Actors: tkoent
Victim Country: Iraq
Victim Industry: Government
Victim Organization: Iraqi Companies Registrar
Victim Site: rss.gov.iq
Alleged data breach of Monicare USA
Category: Data Breach
Content: A threat actor on a darknet forum is distributing an alleged database dump from MoniCare, a Chicago-based domestic staffing agency. The leaked data reportedly includes over 40,000 consumer records containing names, email addresses, phone numbers, physical addresses, ages, and attached identity documents such as drivers licenses, passports, and resumes. The data is offered as hidden content gated behind forum replies.
Date: 2026-05-31T10:49:20Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-Monicare-USA-40K-Consumers
Screenshots:
1 screenshot(s) available
Threat Actors: 2019
Victim Country: United States
Victim Industry: Staffing and Recruiting
Victim Organization: MoniCare
Victim Site: monicare.com
Alleged data breach of US Squash (ussquash.org) exposing 684K member records
Category: Data Breach
Content: A threat actor is selling an alleged dataset from ussquash.org containing approximately 684,000 records of registered squash players. The data is structured across three sections — Contact, Membership, and Login Activity — and includes full names, dates of birth, email addresses, phone numbers, physical addresses, membership details, and authentication metadata such as IP addresses, login counts, and MFA status. The seller is asking $1,300 and accepts forum escrow for the transaction.
Date: 2026-05-31T10:48:40Z
Network: openweb
Published URL: https://breached.su/threads/684k-us-https-www-ussquash-org-personal-and-contact-info-of-registered-squash-players.87763/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Databasehooligan
Victim Country: United States
Victim Industry: Sports & Recreation
Victim Organization: US Squash
Victim Site: ussquash.org
Alleged data breach of guiaempresas.com.uy — Uruguayan business registry dataset
Category: Data Breach
Content: A threat actor is offering a dataset allegedly sourced from guiaempresas.com.uy, a Uruguayan company registry platform. The dataset spans approximately 184,000 records across three tables — Accounts, Orders, and Support Tickets — containing business contact details, tax IDs, financial terms, order history, and support data. Sample download links are provided via Gofile.
Date: 2026-05-31T10:48:08Z
Network: openweb
Published URL: https://breached.su/threads/184k-uruguay-https-www-guiaempresas-com-uy-comprehensive-company-registry-with-business-and-contact-details.87769/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Databasehooligan
Victim Country: Uruguay
Victim Industry: Business Services
Victim Organization: Guia Empresas
Victim Site: guiaempresas.com.uy
Alleged data leak of Coinbase user leads
Category: Data Leak
Content: A threat actor is freely distributing a dataset allegedly containing Coinbase user leads targeting US customers. A sample is provided via an external paste link along with a full download. The post does not specify the record count or data fields included.
Date: 2026-05-31T10:47:13Z
Network: openweb
Published URL: https://breached.su/threads/coinbase-usa-leads-free.87767/unread
Screenshots:
1 screenshot(s) available
Threat Actors: adminarotebalu
Victim Country: United States
Victim Industry: Finance
Victim Organization: Coinbase
Victim Site: coinbase.com
Bulk purchase solicitation for social engineering and refund fraud products on cybercrime forum
Category: Carding
Content: A forum user is soliciting bulk suppliers for SE products and B4U products — terms commonly associated with social engineering fraud and refund scams targeting retailers. The actor offers payment via cryptocurrency, use of a middleman, and multiple verified shipping addresses, indicating an established fraud operation. Payment is offered at 20-30%+ of eBay sold price, suggesting resale of fraudulently obtained merchandise.
Date: 2026-05-31T10:24:37Z
Network: openweb
Published URL: https://cracked.st/Thread-Supreme-Buying-All-Products
Screenshots:
1 screenshot(s) available
Threat Actors: DarkElysium
Victim Country: Unknown
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Hampr
Category: Data Breach
Content: A threat actor is advertising a database allegedly sourced from Hampr, an Australian workplace food and catering management platform. The exposed data reportedly includes user records with names, emails, mobile numbers, roles, and extensive order/invoice details including delivery addresses, payment references, and dietary preferences. The dataset is claimed to contain over 360,000 records.
Date: 2026-05-31T10:15:16Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-Hampr-Organization-Data-Australia-360K
Screenshots:
1 screenshot(s) available
Threat Actors: 2019
Victim Country: Australia
Victim Industry: Technology
Victim Organization: Hampr
Victim Site: hampr.com.au
Alleged data breach of Copart — 533K US user records including contact, auction, and support ticket data
Category: Data Breach
Content: A threat actor is selling an alleged dataset from Copart, a vehicle auction platform, containing approximately 533,000 US user records. The dataset is structured across three sections — Contacts, Auction Orders, and Support Tickets — and includes PII such as names, emails, phone numbers, dates of birth, and financial transaction data. The seller is offering the data for $900.
Date: 2026-05-31T10:14:12Z
Network: openweb
Published URL: https://breached.su/threads/533k-united-states-https-www-copart-com-active-user-contact-profiles-with-timestamps-and-account-details.87760/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Databasehooligan
Victim Country: United States
Victim Industry: Retail
Victim Organization: Copart
Victim Site: copart.com
Alleged data breach of Sportsmans Warehouse exposing customer contacts, addresses, and payment data
Category: Data Breach
Content: A threat actor is selling an alleged dataset originating from Sportsmans Warehouse containing approximately 715,000 records across three sections: customer contacts (including usernames, hashed passwords, and login metadata), customer addresses (billing and shipping), and payment methods (including masked card numbers, encrypted CVV2, SSN hashes, and fraud scores). The dataset is priced at $1,300 and samples are provided via external file-sharing links.
Date: 2026-05-31T10:13:41Z
Network: openweb
Published URL: https://breached.su/threads/715k-us-https-www-sportsmanswarehouse-com-customer-contacts-usernames-emails-and-activity-logs-dataset.87762/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Databasehooligan
Victim Country: United States
Victim Industry: Retail
Victim Organization: Sportsmans Warehouse
Victim Site: sportsmanswarehouse.com
Website Redefacement of Batuah Sakti Library by Irene (XmrAnonye.id)
Category: Defacement
Content: On May 31, 2026, a threat actor identified as Irene from the group XmrAnonye.id conducted a redefacement attack against the Batuah Sakti Library website hosted on a Linux server. The defacement targeted the admin.txt file and marks a repeat compromise of the same target. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-31T10:12:39Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249740
Screenshots:
1 screenshot(s) available
Threat Actors: Irene, XmrAnonye.id
Victim Country: Indonesia
Victim Industry: Education / Library Services
Victim Organization: Batuah Sakti Library
Victim Site: library.batuahsakti.com
Sale of SMTP extraction and verification tool for credential testing
Category: Phishing
Content: A threat actor is distributing an SMTP extraction and verification tool via Mega.nz, marketed as an Advanced SMTP Security & Verification Suite. The tool accepts combo lists (email:password pairs) as input, auto-discovers SMTP hosts, probes standard mail ports, and filters verified live SMTP credentials using 200+ threads. This tooling is commonly used to harvest functional SMTP accounts for spam or phishing campaign infrastructure.
Date: 2026-05-31T09:58:27Z
Network: openweb
Published URL: https://crackingx.com/threads/77317/
Screenshots:
1 screenshot(s) available
Threat Actors: h3llegy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Indonesian e-government portal gunungkidulkab.go.id
Category: Data Leak
Content: A threat actor has leaked data allegedly sourced from the Indonesian e-government portal e-gov.gunungkidulkab.go.id. The exposed data includes database records containing user credentials and organizational unit information, along with application source code snippets. The post includes a sample SQL INSERT statement and a download link for the alleged evidence.
Date: 2026-05-31T09:42:33Z
Network: openweb
Published URL: https://breachforu.ms/Thread-LEAKED-INDONESIA-e-gov-gunungkidulkab-go-id
Screenshots:
2 screenshot(s) available
Threat Actors: doyokSX
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Gunungkidul Regency Government
Victim Site: e-gov.gunungkidulkab.go.id
Alleged data leak of Bridges Bay Resort (koko-bridgesbayresort.biz)
Category: Data Leak
Content: A threat actor has freely distributed an alleged database dump from Bridges Bay Resort, containing records for approximately 52,744 visitors and 85 users. The leaked data includes names, email addresses, phone numbers, room numbers, visitor consent signatures, and associated S3-hosted PDF and image links. The data appears to originate from a visitor management system and spans at least mid-2023.
Date: 2026-05-31T09:41:59Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-koko-bridgesbayresort-biz-Database-Leaked-Download
Screenshots:
1 screenshot(s) available
Threat Actors: MirrorShell
Victim Country: United States
Victim Industry: Hospitality
Victim Organization: Bridges Bay Resort
Victim Site: koko-bridgesbayresort.biz
Alleged sale of counterfeit currency (fake banknotes)
Category: Cyber Attack
Content: Multiple users (Banti, Pretty) are advertising the sale of counterfeit banknotes through Telegram links. Posts use Chinese text advertising premium counterfeit banknotes and top-tier fake currency with direct links to restricted Telegram channels for transactions.
Date: 2026-05-31T08:59:59Z
Network: telegram
Published URL: https://t.me/c/2613583520/93998
Screenshots:
1 screenshot(s) available
Threat Actors: Banti
Victim Country: Unknown
Victim Industry: Financial/Currency
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Semantob by CiaoxD_ of Brotherhood Capung Indonesia
Category: Defacement
Content: On May 31, 2026, the website semantob.com was defaced by threat actor CiaoxD_, operating under the group Brotherhood Capung Indonesia. The attack resulted in a homepage defacement, replacing the sites content with the attackers message. No mass defacement campaign was associated with this incident.
Date: 2026-05-31T08:43:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930416
Screenshots:
1 screenshot(s) available
Threat Actors: CiaoxD_, Brotherhood Capung Indonesia
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Semantob
Victim Site: semantob.com
Website Defacement of dytools.click by Ruiixh4xor of SHENHAXSEC
Category: Defacement
Content: On May 31, 2026, the website dytools.click was defaced by threat actor Ruiixh4xor, operating under the group SHENHAXSEC. The attack targeted the homepage in a single, non-mass defacement operation. No specific motive or server details were disclosed in the incident report.
Date: 2026-05-31T07:14:21Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930409
Screenshots:
1 screenshot(s) available
Threat Actors: Ruiixh4xor, SHENHAXSEC
Victim Country: Unknown
Victim Industry: Technology Tools / Web Services
Victim Organization: DY Tools
Victim Site: dytools.click
Website Defacement of aitip.me by Ruiixh4xor of SHENHAXSEC
Category: Defacement
Content: On May 31, 2026, the website aitip.me was defaced by threat actor Ruiixh4xor, operating under the group SHENHAXSEC. The attack targeted the homepage of the site in a singular, non-mass defacement operation. No specific motive or technical details regarding the server environment were disclosed in the available intelligence.
Date: 2026-05-31T07:08:01Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930408
Screenshots:
1 screenshot(s) available
Threat Actors: Ruiixh4xor, SHENHAXSEC
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: AI Tip
Victim Site: aitip.me
Website Defacement of ChinaBuyHelper by Ruiixh4xor of SHENHAXSEC
Category: Defacement
Content: On May 31, 2026, the website chinabuyhelper.com was defaced by threat actor Ruiixh4xor, operating under the group SHENHAXSEC. The attack targeted the homepage of the site, which appears to be a China-based buying assistance or e-commerce service. This was identified as a single targeted defacement rather than a mass or repeat defacement event.
Date: 2026-05-31T07:01:47Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930407
Screenshots:
1 screenshot(s) available
Threat Actors: Ruiixh4xor, SHENHAXSEC
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: ChinaBuyHelper
Victim Site: chinabuyhelper.com
Alleged data leak of ratakan.com
Category: Data Leak
Content: A threat actor has freely published an alleged database dump from ratakan.com, an Indonesian e-commerce platform. The leaked data includes transactional records with vendor and buyer email addresses, sales IDs, product IDs, pricing, and purchase status fields. The dataset reportedly contains approximately 80,000 records and is available via a hidden download link on the forum.
Date: 2026-05-31T07:00:34Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-ratakan-com-80K-DataBase-Free
Screenshots:
2 screenshot(s) available
Threat Actors: Bambi
Victim Country: Indonesia
Victim Industry: Retail
Victim Organization: Ratakan
Victim Site: ratakan.com
Website Defacement of rohpo.in by CiaoxD_ of Brotherhood Capung Indonesia
Category: Defacement
Content: On May 31, 2026, the website rohpo.in was defaced by threat actor CiaoxD_, operating under the hacktivist group Brotherhood Capung Indonesia. The attack was a homepage defacement targeting the Indian domain, with no mass defacement or prior redefacement recorded. The incident was mirrored and archived on zone-xsec.com.
Date: 2026-05-31T06:39:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930406
Screenshots:
1 screenshot(s) available
Threat Actors: CiaoxD_, Brotherhood Capung Indonesia
Victim Country: India
Victim Industry: Unknown
Victim Organization: Rohpo
Victim Site: www.rohpo.in
Alleged data breach of Yad Vashem Holocaust Center by Handala Hack
Category: Data Breach
Content: Handala Hack claims to have breached the National Center for Holocaust Victims Support (k-shoa.org) and extracted over 2 million confidential documents totaling 1TB+. The group claims to have obtained databases, classified documents, emails, and sensitive correspondence, which they state are freely available for download. The post contains political and ideological rhetoric criticizing Israeli defense companies and includes threats directed at Israeli intelligence.
Date: 2026-05-31T06:07:47Z
Network: telegram
Published URL: https://t.me/c/3686754935/161
Screenshots:
11 screenshot(s) available
Threat Actors: Handala Hack
Victim Country: Israel
Victim Industry: Memorial/Cultural Institution
Victim Organization: National Center for Holocaust Victims Support (Yad Vashem)
Victim Site: k-shoa.org
Alleged breach of Bangladesh Army systems at Qadirabad Military Base
Category: Initial Access
Content: A threat actor claims to have exploited an SNMP vulnerability on a MikroTik CCR1036 router at the Bangladesh Army Qadirabad Cantonment, gaining access to the bases primary network infrastructure. The actor alleges exposure of over 500 connected devices, 50 internal networks, MAC addresses, routing tables, and interface configurations, and claims the ability to disable internet connectivity, intercept communications, and target internal devices. The post solicits cooperation from third parties a
Date: 2026-05-31T06:07:08Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-RDP-Bangladesh-Army-Systems-at-Qadirabad-Military-Base-Breached
Screenshots:
1 screenshot(s) available
Threat Actors: blacknet00
Victim Country: Bangladesh
Victim Industry: Government
Victim Organization: Bangladesh Army
Victim Site: Unknown
Alleged data breach of mydukaan.io exposing 100 million users
Category: Data Breach
Content: A threat actor is selling an alleged full database dump of mydukaan.io, an Indian e-commerce platform, claiming approximately 100 million user records across multiple tables. The exposed data reportedly includes user accounts, buyer addresses, transaction history, order costs, seller records, and encrypted payment API keys. Sample rows indicate the data contains names, phone numbers, email addresses, and physical addresses predominantly tied to Indian users.
Date: 2026-05-31T06:03:53Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-SELLING-mydukaan-io-100M-users
Screenshots:
1 screenshot(s) available
Threat Actors: stalker8083
Victim Country: India
Victim Industry: Retail
Victim Organization: MyDukaan
Victim Site: mydukaan.io
Alleged counterfeit currency sales operation
Category: Cyber Attack
Content: Multiple threat actors advertising counterfeit banknote distribution channels on Telegram. Users Pretty and Banti are promoting fake currency sales with Chinese language posts claiming to offer premium counterfeit banknotes and top-tier fake currency. The operation uses forwarded messages and Telegram channel links for distribution.
Date: 2026-05-31T05:21:20Z
Network: telegram
Published URL: https://t.me/c/2613583520/93870
Screenshots:
1 screenshot(s) available
Threat Actors: Pretty
Victim Country: Unknown
Victim Industry: Financial
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Witherspoon Meat Market by CiaoxD_ (Brotherhood Capung Indonesia)
Category: Defacement
Content: On May 31, 2026, the homepage of Witherspoon Meat Market was defaced by threat actor CiaoxD_, affiliated with the Indonesian hacktivist group Brotherhood Capung Indonesia. The attack was a targeted single-site homepage defacement, with the mirror archived on zone-xsec.com. No specific motivation or exploited vulnerability was disclosed.
Date: 2026-05-31T05:09:40Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/930405
Screenshots:
1 screenshot(s) available
Threat Actors: CiaoxD_, Brotherhood Capung Indonesia
Victim Country: United States
Victim Industry: Retail / Food & Beverage
Victim Organization: Witherspoon Meat Market
Victim Site: witherspoonmeatmarket.com
Alleged sale of admin panel and credential checker tools
Category: Initial Access
Content: Threat actor selling multiple credential checking tools including Admin Panel Checker ($100), WordPress Checker ($20), Clientarea Checker ($20), Webmail Checker ($20), cPanel Checker ($20), and WHM Checker ($20). These tools perform mass login verification against various platforms (Synology, PhpMyAdmin, PrestaShop, Confluence, WordPress, OwnCloud, cPanel, WHM, Webmail, Jira, etc.) and support credential list formats. Each tool purchase includes a private ULP for three days.
Date: 2026-05-31T04:57:52Z
Network: telegram
Published URL: https://t.me/c/3865526389/1122
Screenshots:
2 screenshot(s) available
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged exposure of development credentials and infrastructure configuration for Indonesian Ministry of Energy and Mineral Resources website
Category: Initial Access
Content: A Docker Compose configuration file for jdih.esdm.go.id (Indonesian Ministry of Energy and Mineral Resources legal information system) has been shared, exposing development infrastructure details including hardcoded MySQL root password (password), internal port mappings (20080, 21080, 3306), and application architecture. This represents a significant security exposure of government infrastructure.
Date: 2026-05-31T04:34:58Z
Network: telegram
Published URL: https://t.me/BhayangkaraID/29
Screenshots:
1 screenshot(s) available
Threat Actors: BhayangkaraID
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Ministry of Energy and Mineral Resources (ESDM)
Victim Site: jdih.esdm.go.id
Sale of stolen payment cards and bank login credentials
Category: Carding
Content: A threat actor is offering stolen credit cards with full details (card number, expiration date, CVV, cardholder name, address, and bank name) as well as bank login credentials and card dumps (track 1 and track 2) for sale. The seller claims the cards are fresh and functional globally without regional restrictions. Contact is solicited via Telegram handle @lamar089.
Date: 2026-05-31T03:32:21Z
Network: openweb
Published URL: https://breachforu.ms/Thread-I-sell-Cc-WIth-Good-and-Highly-balance-for-Online-Payment-l
Screenshots:
1 screenshot(s) available
Threat Actors: Chaser80
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Groupe IMA (Inter Mutuelles Habitat)
Category: Data Leak
Content: A threat actor on a dark web forum has allegedly leaked 6.2 GB of data attributed to Groupe IMA (Inter Mutuelles Habitat), a French mutual insurance group. No further details are available regarding the contents of the dataset or the method of compromise.
Date: 2026-05-31T03:30:08Z
Network: openweb
Published URL: https://darkforums.su/Thread-FR-6-2GB-Groupe-IMA-Inter-Mutuelles-Habitat–78152
Screenshots:
1 screenshot(s) available
Threat Actors: Night
Victim Country: France
Victim Industry: Finance
Victim Organization: Groupe IMA (Inter Mutuelles Habitat)
Victim Site: Unknown
Alleged data breach of Colombias National Electoral Council (CNE)
Category: Data Leak
Content: A threat actor operating under the name EsqueleSquad claims to have obtained confidential documents from Colombias National Electoral Council (CNE), including internal audit reports, electoral irregularity complaints, sensitive correspondence between officials and campaign teams, and 2026 campaign financing records allegedly revealing undisclosed donors and suspicious financial transfers. The post was timed to coincide with Colombian election day and includes a sample archive hosted on MediaFir
Date: 2026-05-31T03:26:31Z
Network: openweb
Published URL: https://breached.su/threads/cne-national-electoral-council-by-esquelesquad.87758/unread
Screenshots:
3 screenshot(s) available
Threat Actors: Hydr0gen
Victim Country: Colombia
Victim Industry: Government
Victim Organization: Consejo Nacional Electoral (CNE)
Victim Site: cne.gov.co
Sale of BINs and carding resources via Telegram
Category: Carding
Content: A forum user is advertising active BINs via a Telegram channel, targeting newcomers to carding. The post claims the BINs are high-performing and directs users to an external Telegram link for access.
Date: 2026-05-31T02:59:26Z
Network: openweb
Published URL: https://demonforums.net/Thread-If-you-a-newbie–206252
Screenshots:
1 screenshot(s) available
Threat Actors: nocali
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of optioncarriere.tn Tunisian job board exposing 274K records
Category: Data Breach
Content: A threat actor is selling a dataset allegedly sourced from optioncarriere.tn, a Tunisian job board, for $1,300. The dataset reportedly contains approximately 274,000 records across three sections — Contacts (job seekers with PII including full name, email, phone, address, date of birth, and LinkedIn URLs), Job Applications, and Employers. A sample has been made available via an external file-sharing link.
Date: 2026-05-31T02:57:44Z
Network: openweb
Published URL: https://breached.su/threads/274k-tunisia-https-www-optioncarriere-tn-active-job-board-contacts-with-emails-and-registration-dates.87754/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Databasehooligan
Victim Country: Tunisia
Victim Industry: Recruitment
Victim Organization: Option Carriere
Victim Site: optioncarriere.tn
Alleged data breach of Checkatrade
Category: Data Breach
Content: A threat actor is selling an alleged dataset from Checkatrade, a UK-based trade directory platform, containing approximately 624,000 records. The dataset is structured across three sections: Contacts (customer and tradesperson details including emails, phone numbers, and addresses), Contractor Profiles (business information, verification status, and ratings), and Job Booking History (booking records including customer contact details, payment information, and job details). Sample files were shar…
Date: 2026-05-31T02:57:12Z
Network: openweb
Published URL: https://breached.su/threads/624k-united-kingdom-https-www-checkatrade-com-verified-business-contacts-and-construction-industry-leads.87755/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Databasehooligan
Victim Country: United Kingdom
Victim Industry: Retail
Victim Organization: Checkatrade
Victim Site: checkatrade.com
Alleged data breach of UK Course Finder (ukcoursefinder.com)
Category: Data Breach
Content: A threat actor is selling an alleged dataset of approximately 417,000 records originating from ukcoursefinder.com. The dataset is structured across three sections — Contacts, Enrollments, and Payments — containing personal contact details, educational enrollment data, and financial transaction records linked to prospective and enrolled students. Sample files are hosted on Gofile.
Date: 2026-05-31T02:56:40Z
Network: openweb
Published URL: https://breached.su/threads/417k-united-kingdom-https-www-ukcoursefinder-com-user-profiles-with-contact-and-educational-data.87756/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Databasehooligan
Victim Country: United Kingdom
Victim Industry: Education
Victim Organization: UK Course Finder
Victim Site: ukcoursefinder.com
Alleged data breach of Rightmove (rightmove.co.uk) exposing personal and security credential data
Category: Data Breach
Content: A threat actor is selling an alleged dataset originating from Rightmove, a UK real estate platform, containing approximately 357,000 records across three structured tables: contact details (names, emails, phone numbers, addresses), property owner addresses with geolocation data, and owner security credentials including password hashes, salts, login emails, MFA status, and session data. The dataset is priced at $1,400 and offered via Telegram.
Date: 2026-05-31T02:56:08Z
Network: openweb
Published URL: https://breached.su/threads/357k-united-kingdom-https-www-rightmove-co-uk-personal-and-contact-data-from-real-estate-leads.87757/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Databasehooligan
Victim Country: United Kingdom
Victim Industry: Real Estate
Victim Organization: Rightmove
Victim Site: rightmove.co.uk
Alleged counterfeit currency sales operation
Category: Cyber Attack
Content: Multiple users posting advertisements for counterfeit banknote (假钞) sales with claims of being first-hand source and ceiling quality. Posts include direct Telegram channel links for purchasing fake currency. This represents an organized illegal operation distributing counterfeit money.
Date: 2026-05-31T02:54:52Z
Network: telegram
Published URL: https://t.me/c/2613583520/93801
Screenshots:
1 screenshot(s) available
Threat Actors: Pretty
Victim Country: Unknown
Victim Industry: Financial/Currency
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged 0day RCE exploit for NGINX web server with PHP-FPM (pre-auth, file upload chain)
Category: Vulnerability
Content: A threat actor is selling an alleged pre-authenticated 0day exploit targeting NGINX mainline and stable releases (multiple versions from 1.14.x through 1.31.x, with limited exceptions) combined with PHP-FPM default configurations. The exploit is claimed to chain an HTTP/2 RCE vulnerability with arbitrary file upload to achieve web shell deployment, reportedly affecting 80-90% of active NGINX servers. The seller is offering exclusive rights to a single buyer for $32,000 USD, with proof-of-concept…
Date: 2026-05-31T02:21:36Z
Network: openweb
Published URL: https://crackingx.com/threads/77289/
Screenshots:
1 screenshot(s) available
Threat Actors: innocentzero
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of US Law Enforcement RemoteCom compliance monitoring system
Category: Data Leak
Content: A threat actor has leaked what is claimed to be a structured database export from RemoteCom, a compliance and communication monitoring platform used by US law enforcement agencies. The dataset includes personally identifiable information for monitored individuals (probationers/parolees), device and software details, officer and client email addresses, and compliance tracking metrics. Sample records reference law enforcement agency email domains and computer aliases tagged with unit designations
Date: 2026-05-31T02:16:33Z
Network: openweb
Published URL: https://breachforu.ms/Thread-US-Law-Enforcement-RemoteCom-Database-2026
Screenshots:
2 screenshot(s) available
Threat Actors: Vyntra
Victim Country: United States
Victim Industry: Government
Victim Organization: RemoteCom (US Law Enforcement)
Victim Site: Unknown
Sale of stolen payment cards, bank logins, and financial fraud services
Category: Carding
Content: A threat actor operating as BigBoris is selling stolen credit cards (CVV/CCV, dumps with Track 1/2 + PIN), bank logins, PayPal accounts, and full identity information (SSN, DOB, DL) for individuals across the US, UK, Canada, and Australia. Additional services advertised include money exchange, Western Union transfers, and compromised e-commerce accounts for platforms such as Walmart, eBay, and Target. The actor claims over 10 years of experience and requests payment via Bitcoin, MoneyGram, or
Date: 2026-05-31T02:16:24Z
Network: openweb
Published URL: https://altenens.is/threads/hello-my-name-is-bigboris-im-46-years-old-and-respectful-man-here-i-have-100-verified-cc-with-online-access-is-available-with-great-and-highly-bala.2946525/unread
Screenshots:
2 screenshot(s) available
Threat Actors: Volticc
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Justeet (justeet.co.uk)
Category: Data Breach
Content: A threat actor is selling an alleged database from justeet.co.uk, a food delivery platform in Wales, containing approximately 398,000 records. The dataset includes personally identifiable information such as names, email addresses, phone numbers, dates of birth, loyalty member IDs, and account metadata. A data sample is provided via Pastebin and purchase is offered through Telegram.
Date: 2026-05-31T02:12:36Z
Network: openweb
Published URL: https://breached.su/threads/398k-wales-justeet-co-uk-personal-data.87752/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Moelester
Victim Country: United Kingdom
Victim Industry: Food Delivery
Victim Organization: Justeet
Victim Site: justeet.co.uk
Alleged data leak of Subsecretaría de Salud Neuquén
Category: Data Leak
Content: A threat actor known as Black0ut_Exi has freely distributed a dataset allegedly sourced from the Subsecretaría de Salud Neuquén, Argentina. The leaked data reportedly contains personal and demographic information including national ID numbers (DNI), full names, sex, nationality, place of birth, social health coverage, phone numbers, email addresses, physical addresses, and parental data. The data was made available via a gofile.io link and attributed to the Exiliados group.
Date: 2026-05-31T02:12:05Z
Network: openweb
Published URL: https://breached.su/threads/dataleak-of-subscretaria-de-salud-neuquen.87753/unread
Screenshots:
1 screenshot(s) available
Threat Actors: Black0ut_Exi
Victim Country: Argentina
Victim Industry: Healthcare
Victim Organization: Subsecretaría de Salud Neuquén
Victim Site: Unknown
Alleged data leak of 10010.com with 472K records including email, phone, and contact data
Category: Data Leak
Content: A threat actor on a dark web forum has allegedly leaked a dataset associated with 10010.com, a Chinese telecommunications platform, containing approximately 472,000 records including email addresses, phone numbers, and contact information. The post provides no additional details regarding the method of compromise or the timeframe of the breach.
Date: 2026-05-31T01:39:25Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78385
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: China
Victim Industry: Telecommunications
Victim Organization: 10010.com
Victim Site: 10010.com
Alleged data breach of T-Mobile Czech Republic
Category: Data Breach
Content: A threat actor is allegedly selling customer contact and CRM data records purportedly sourced from T-Mobile Czech Republic. The dataset is claimed to contain approximately 387,000 records. No further details are available as the post content was not captured.
Date: 2026-05-31T01:34:05Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78386
Screenshots:
1 screenshot(s) available
Threat Actors: Rupert
Victim Country: Czech Republic
Victim Industry: Telecommunications
Victim Organization: T-Mobile Czech Republic
Victim Site: t-mobile.cz
Alleged data breach of Aukro.cz
Category: Data Breach
Content: A threat actor claims to be selling a database of approximately 312,000 records from Aukro.cz, a Czech online marketplace. The alleged dataset includes user profiles with email addresses and activity logs.
Date: 2026-05-31T01:32:08Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78387
Screenshots:
None
Threat Actors: Rupert
Victim Country: Czech Republic
Victim Industry: Retail
Victim Organization: Aukro
Victim Site: aukro.cz
Alleged data breach of Firmy.cz with business contacts
Category: Data Breach
Content: A threat actor is offering what appears to be a database allegedly sourced from firmy.cz, a Czech business directory. The dataset reportedly contains 462,000 business contact records including email addresses and phone numbers. No further details are available as the post content was not provided.
Date: 2026-05-31T01:24:58Z
Network: openweb
Published URL: https://darkforums.su/showthread.php?tid=78388
Screenshots:
None
Threat Actors: Rupert
Victim Country: Czech Republic
Victim Industry: Technology
Victim Organization: Firmy.cz
Victim Site: firmy.cz
Sale of alleged CEX Spain full customer database
Category: Data Breach
Content: A threat actor is selling what they claim to be the full customer database of CEX Spain. The dataset allegedly contains full names, email addresses, phone numbers, dates of birth, national ID document numbers, billing and shipping addresses, store credit balances, payment method references, and detailed purchase, sale, return, and warranty histories in JSON format. A sample row is provided showing highly granular customer and transaction data.
Date: 2026-05-31T00:46:51Z
Network: openweb
Published URL: https://breached.su/threads/cex-spain-full-leak-for-sale.87748/unread
Screenshots:
6 screenshot(s) available
Threat Actors: cex_leaked
Victim Country: Spain
Victim Industry: Retail
Victim Organization: CEX
Victim Site: es.webuy.com
Sale of alleged Chinese PLA military test reports (2026)
Category: Documents
Content: A threat actor is offering for sale alleged 2026 Peoples Liberation Army (PLA) military test reports via multiple encrypted messaging platforms. The post provides no further detail on the number of documents or their specific content, directing interested parties to contact the seller directly. If authentic, this material would represent a significant leak of sensitive Chinese military information.
Date: 2026-05-31T00:19:51Z
Network: openweb
Published URL: https://crackingx.com/threads/77273/
Screenshots:
1 screenshot(s) available
Threat Actors: mosad
Victim Country: China
Victim Industry: Government
Victim Organization: Peoples Liberation Army
Victim Site: Unknown
Sale of Alleged SECRET//NOFORN US Agency Intelligence Reports
Category: Data Breach
Content: A threat actor is offering for sale documents purportedly classified as SECRET//NOFORN originating from a US government agency. The seller is soliciting contact via Telegram, Session, Tox, Matrix, and Jabber, and claims to provide samples upon request. The specific agency and volume of documents have not been disclosed in the post.
Date: 2026-05-31T00:19:32Z
Network: openweb
Published URL: https://crackingx.com/threads/77274/
Screenshots:
1 screenshot(s) available
Threat Actors: mosad
Victim Country: United States
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged NATO Cosmic Top Secret documents
Category: Data Leak
Content: A threat actor operating under the alias mosad is allegedly offering NATO Cosmic Top Secret classified reports for sale via multiple contact channels including Telegram, Session, Tox, Matrix, and Jabber. The post invites prospective buyers to request samples or a full document list. No further details on the volume, origin, or authenticity of the alleged documents are provided.
Date: 2026-05-31T00:19:13Z
Network: openweb
Published URL: https://crackingx.com/threads/77277/
Screenshots:
1 screenshot(s) available
Threat Actors: mosad
Victim Country: Unknown
Victim Industry: Government
Victim Organization: NATO
Victim Site: nato.int
Alleged Sale of Counterfeit Currency
Category: Data Leak
Content: User Pretty and Banti are advertising the sale of counterfeit banknotes (fake currency) with links to Telegram channels for purchasing. Posts reference 精品假抄 (premium counterfeit) and 精品一手货源 (premium first-hand source).
Date: 2026-05-31T00:16:45Z
Network: telegram
Published URL: https://t.me/c/2613583520/93699
Screenshots:
1 screenshot(s) available
Threat Actors: Pretty
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Fullz, Identity Documents, and Payment Card Data for Multiple Countries
Category: Carding
Content: A threat actor on a cracking forum is offering a wide range of fraudulent and stolen data including fullz (SSN, DL, passport scans with selfies), credit card dumps with PIN tracks, tax return documents, KYC bypass materials, and various lead databases covering the USA, UK, Canada, and Australia. Products are marketed for identity fraud, payment card fraud, and KYC circumvention across multiple platforms. Contact is provided via Telegram and Signal.
Date: 2026-05-31T00:01:55Z
Network: openweb
Published URL: https://crackingx.com/threads/77266/
Screenshots:
1 screenshot(s) available
Threat Actors: silasclark
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Initial Access and Exfiltrated Documents from Pakistan Government Ministry (dgmp.gov.pk / mofa.gov.pk)
Category: Initial Access
Content: A threat actor is offering for sale both active email access to a mofa.gov.pk (Ministry of Foreign Affairs) account and exfiltrated confidential communications from dgmp.gov.pk, including CPAC-related documents. The seller is soliciting offers via encrypted messaging platforms. This post represents a claimed intrusion into Pakistani government infrastructure with ongoing access available for purchase.
Date: 2026-05-31T00:01:35Z
Network: openweb
Published URL: https://crackingx.com/threads/77272/
Screenshots:
1 screenshot(s) available
Threat Actors: mosad
Victim Country: Pakistan
Victim Industry: Government
Victim Organization: Directorate General Military Lands and Cantonments / Ministry of Foreign Affairs
Victim Site: dgmp.gov.pk