[May-05-2026] Daily Cybersecurity Threat Report

1. Executive Summary

This comprehensive intelligence report provides a detailed analysis of a massive dataset of cyber incidents recorded between May 4 and May 5, 2026. The data reveals a highly active and deeply interconnected cybercriminal ecosystem operating across open-web forums, deep-web messaging platforms, and specialized leak sites. The incidents span a vast spectrum of malicious activities, including the mass distribution of credential combo lists, high-impact data breaches involving millions of records, targeted critical infrastructure attacks, widespread website defacements, and the proliferation of Cybercrime-as-a-Service (CaaS) offerings.

The primary vector of activity involves the trade and distribution of “Combo Lists”—massive databases of usernames, emails, and passwords intended for credential stuffing attacks against platforms ranging from Hotmail to global financial services. However, the most severe threats observed involve coordinated attacks by advanced persistent threats (APTs) and hacktivist groups targeting national security, military, and critical infrastructure assets.

2. Threat Actor Profiling

The dataset highlights the activities of numerous threat actors and collectives. Below is a detailed profile of the most prominent entities operating during this period.

ShinyHunters ShinyHunters remains a top-tier threat group, focusing on massive data exfiltration and extortion. During this period, the group posted official contact information (Telegram, XMPP, and email) to facilitate ransom negotiations. Their key operations included:

Chinese Banking Sector: The exfiltration of 23 million customer records from 16 major Chinese banks, including 7.5 million from ICBC, 2 million from the Bank of China, and 1.3 million from the Construction Bank.
Corporate Data: The theft of over 30 million Salesforce records (5.4GB) from the commercial real estate brokerage Marcus & Millichap after the company failed to reach a ransom agreement.
Technology Sector: A claimed compromise of NVIDIA’s GeForce Now backend, extracting millions of user records, including 2FA status and internal roles.

Handala (and Hanzalah) Operating with claimed coordination with the Islamic Revolutionary Guard Corps (IRGC), this actor focuses on kinetic cyber-warfare and psychological operations targeting perceived adversaries of Iran.

Maritime Infrastructure: Handala claimed responsibility for a sophisticated attack on the Fujairah Port in the United Arab Emirates, exfiltrating over 430,000 confidential documents regarding ship traffic, contracts, and oil pipelines. The group threatened subsequent military strikes.
Military Targets: The group published the personal data, ranks, and operational units of 400 senior U.S. Navy officers stationed in the Persian Gulf, referring to the campaign as “Operation Premature Death” and sending direct threats to the officers’ secure phones.
Research Institutions: The affiliated group “Hanzalah” breached the Israeli Institute for National Security Studies (INSS), exfiltrating over 100,000 internal emails.

MetaCloud3 A highly prolific initial access and credential broker operating on the patched.to forum. MetaCloud3 distributes staggering volumes of URL:Login:Password (ULP) data to promote their commercial “combo cloud” service.

Distributed a 9.5 million mixed credential list.
Distributed an 8.2 million ULP combo list.
Distributed a 4.9 million ULP combo list.
Sold highly targeted lists, including 802,000 Venmo credentials , 508,000 Stripe/Venmo credentials , and 787,000 Ubisoft/Uplay gaming credentials.

MrCOMBOROBOA A major vendor of geographic and sector-specific combo lists, operating on demonforums.net and nulledbb.com.

Offered a 1 million USA email and password combo list.
Offered a 696,400-record corporate-targeted combo list.
Maintains a tiered subscription model for private group access, offering up to 10 million records.

Ebbicloud A highly active distributor of credential stuffing lists on the altenens.is (AE) forum. Ebbicloud specializes in “Ultra-High Quality” (UHQ) drops, frequently sharing lists of validated Hotmail, Microsoft, and gaming credentials. Drops ranged from sets of 212 credentials to larger lists of 11,929 pairs.

Indonesian Hacktivist Collectives (BABAYO EROR SYSTEM, Pasuruan sec Team, XmrAnonye.id) These groups dominate the website defacement landscape, primarily targeting Indonesian domestic sites, though occasionally striking international targets.

Mr.XycanKing (BABAYO EROR SYSTEM): Defaced the Institut Teknologi Kalimantan (ITK) and Fawry UAE (a financial technology firm).
BULLYXPLOIT (Pasuruan sec Team): Defaced Indonesian news site media-berita.com, a Chilean marketing agency, and the web solutions provider M-Websolutions.
Zod: Conducted mass defacements targeting picciole.com, prospectsup.com, and a Brazilian Upwork platform.

Infrastructure Destruction Squad A dangerous group focusing on ICS (Industrial Control Systems) and SCADA manipulation.

Claimed to be actively destroying an internal network belonging to Italian industrial systems.
Claimed to have disabled 270 industrial control systems within an Indian network.
Attempted to sell unauthorized access to a highly classified UNIX server containing 200GB of sensitive technical and research data for $25,000.

3. Sector-Specific Impact Analysis

3.1 Financial Services and Banking

The financial sector suffered catastrophic breaches during this reporting period.

Chinese Banking: As noted, ShinyHunters compromised 16 banks, leaking 23 million records containing PII, bank numbers, and ID cards. Another actor, ‘JAX7’, also leaked data from PBC Bank China and ICBC.
Uzbekistan Banking: Ipotekabank was breached by an actor exploiting the Log4Shell vulnerability (CVE-2021-44228) to access Active Directory and SMB shares, exfiltrating 120GB of PDF contracts, CVV codes, and credit card numbers.
Malaysian Banking: Actor ‘JAX7’ claimed data leaks targeting United Overseas Bank (UOB) Malaysia and OCBC Bank Malaysia.
Cryptocurrency: Lazarus Group (North Korea) was reported to have stolen $577 million from crypto projects in early 2026, targeting protocols like KelpDAO and Drift Protocol. Separately, ‘API Vault Drainer’ malware was sold to automate theft from 60+ exchanges (Binance, Coinbase, Kraken) via phishing. Furthermore, actor ‘XOverStm’ sold 50,000 Coinbase records containing names, emails, and Ethereum wallets for $300.

3.2 Government, Military, and National Security

Threat actors actively compromised national databases and military intelligence.

Taiwan: Actor ‘Claude’ sold a database containing the records of the entire population of Taiwan (23.5 million records) from October 2022, exposing highly sensitive household, military, and educational data.
Tajikistan: Actor ‘Claude’ also sold the Tajikistan e-visa and border control system database (evisa.tj), compromising over 216 million rows of travel, entry/exit, and citizen details from 2016 to 2025.
Uzbekistan Intelligence: ‘TheTeamForce_alesium’ breached the State Security Service (SSS) and Intelligence agencies, demanding a $200,000 ransom to prevent the release of highly sensitive staff PII.
United States: The NCIC (National Crime Information Center) suffered a leak of 171 identification records. Furthermore, actor ‘Xyph0rix’ leaked the Puerto Rico Police database.
Indonesia: Actor ‘MrJupiter’ leaked samples from the Ministry of Home Affairs civil registration system (Dukcapil), exposing National Identification Numbers (NIK). Other breached entities included the State Audit Board (BPK) and the Ministry of Religious Affairs.

3.3 Critical Infrastructure and Transportation

Kinetic cyber attacks aimed at causing physical disruption were highly prevalent.

Oil and Gas: Actor ‘OpUSA’ claimed unauthorized access to SCADA systems, manipulating oil well operations, altering pressure system controls, and forcing shutdowns with alarm activations.
Aviation: Actor ‘DataSellers’ claimed to hold a 57GB database belonging to a Shanghai airport.
Rail: The hacktivist group ‘Ababil of Minab’ breached the Tri-Rail commuter rail system serving South Florida.
Maritime: Handala’s attack on the Fujairah Port (UAE) targeted the logistics and operational data of maritime oil pipelines.

3.4 Education and Healthcare

Educational institutions were heavily targeted for both data extraction and initial access.

United Kingdom: RDP access to a network of 300 hosts at a UK technical university was sold for $400.
France: Candidate personal data from three French driving schools was leaked, exposing exam results and failure counts.
Global EdTech: Instructure, the developer of the Canvas platform, suffered a cyber incident impacting Canvas Data 2 and Beta services. Hochschule Emden/Leer in Germany was forced to shut down central IT services following an attack.
Healthcare: A database from elefan.co.id exposed Indonesian healthcare personnel data from Subang Regency.

4. Tactical Analysis: Techniques and Procedures (TTPs)

4.1 Credential Stuffing and The Combo List Economy

The absolute vast majority of observed forum posts were dedicated to “Combo Lists.” These are massive text files containing email:password or URL:Login:Password formats, used in automated credential stuffing software (like OpenBullet or SilverBullet) to mass-test logins across the internet.

Hotmail Dominance: An extraordinary amount of lists specifically targeted Hotmail/Microsoft accounts. Actors like ‘RetroCloud’, ‘JOYK’, ‘CloudBase’, ‘MimoData’, and ‘NullShop’ consistently dropped Hotmail lists ranging from 100 to 270,000 records. These are highly prized for taking over the “root” email of a victim, allowing password resets on all other linked accounts.
Geographic Slicing: Actors curate combo lists by nation to aid attackers in bypassing geo-blocking and anti-fraud heuristics. We observed dedicated lists for Italy (1.24 million) , UK (1 million) , Germany (558K) , Netherlands (149K) , Japan (173K) , Mexico (151K) , Malaysia (52K) , Kenya (19K) , and Canada (1.3M).
Platform-Specific Curations: Combo lists were strictly filtered for target platforms. Notable examples included Roblox (17,000 UHQ with verified ‘Robux’ balances) , Spotify (8,000 UHQ) , Netflix (20,000 UHQ) , and streaming bundles (Amazon Prime, Hulu, Disney+).

4.2 Cybercrime-as-a-Service (CaaS) and Malware

The dataset illustrates a thriving underground market providing tools to lower the barrier to entry for cybercrime.

Malware Tools: The ‘WizWorm RAT V4.0’ was distributed, featuring visual dashboards, credential harvesting, and worm-like propagation capabilities. The ‘Anubis Android Banking Botnet v2.5’ was sold with tutorials for bypassing MFA via SMS interception and overlay attacks.
Crypters & Obfuscation: Tools like ‘Amuse Crypt V2.0’ and ‘Apex 2 / Anubis Crypter’ were sold to render malware Fully Undetectable (FUD) to EDR and AV systems via API obfuscation and memory-only execution.
DDoS & Network Stressing: ‘Goofystress’ offered Layer 4 and Layer 7 DDoS attacks, specifically marketing bypasses for gaming servers (Fortnite, COD, Roblox) and CAPTCHA protections.
Fraud Infrastructure: Actors sold AWS Amazon SMTP services specifically pre-warmed for inbox placement to conduct massive spam and phishing campaigns. Document forgery services (JINKUSU DOC, ASRRPPO) generated fake IDs, passports, and utility bills to bypass KYC (Know Your Customer) verifications for 37 countries.

4.3 Initial Access Brokerage (IAB)

Rather than conducting full attacks, many actors focus solely on breaching networks and selling the entry point.

Actor ‘0x1Sploit’ operated as a high-end service, developing zero-day exploits, providing Phishing-as-a-Service, and selling custom LNK/HTA malware droppers with EDR bypass.
Webshells were actively sold for .gov and .edu domains by actor ‘Rici144’, indicating a targeted effort to compromise high-authority institutional sites.

4.4 Vulnerability Exploitation

Threat actors rapidly weaponize public vulnerabilities.

PHP Use-After-Free (UAF): A critical vulnerability in PHP’s unserialize() function, existing since 2005, was detailed. It allows for Remote Code Execution (RCE) requiring approximately 2,000 HTTP requests, bypassing disable_functions.
TP-Link TAPO Cameras: 16 vulnerabilities were disclosed for TP-Link IP cameras, including a pre-authentication stack buffer overflow RCE allowing exploitation from the WAN, granting attackers full cloud account takeover.

5. Geographical Heatmap

The attack data shows a truly global impact, with distinct regional targeting patterns:

United States: Heavy targeting of critical infrastructure (Navy, Tri-Rail, Oil SCADA) and corporate datasets (Marcus & Millichap, Coinbase, Infodesk).
Indonesia: Suffered the highest volume of localized attacks, predominantly website defacements by hacktivist groups and leaks of state databases (Dukcapil, BPK, Ministry of Religious Affairs).
China & Taiwan: Massive data extraction characterized this region, with the leak of 23 million Chinese bank records and 23.5 million Taiwanese citizen records.
Europe (France, Germany, Italy): Targeted heavily by credential brokers (EU-mix combo lists) and enterprise breaches, including Bouygues Telecom, La Redoute, Malakoff Humanis, and German B2B directory wlw.de. Italian infrastructure faced a 20-day persistent intrusion by Chinese-attributed hackers for intelligence gathering.

6. Conclusion

The cyber threat landscape observed between May 4 and May 5, 2026, is characterized by its extreme volume and organizational sophistication. The underground economy is highly stratified: Initial Access Brokers breach the perimeters , credential brokers process and monetize millions of accounts via Combo Lists , and advanced groups (ShinyHunters, Handala) execute high-impact extortion and cyber-kinetic warfare. The frictionless trade of automated tools, malware crypters, and pre-warmed phishing infrastructure demonstrates that advanced cyber capabilities are readily accessible to low-skill actors, posing a severe and continuous threat to global digital infrastructure. Organizations must prioritize multi-factor authentication, rigorous API security, and robust identity access management to defend against the overwhelming tide of credential-based attacks highlighted in this report.

Detected Incidents Draft Data

Alleged distribution of UHQ combo list
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list described as UHQ Mix containing approximately 2,653 entries on the AE forum. The post content is unavailable for further analysis, limiting attribution of targeted services or data origin. The credentials are marketed as ultra-high quality, suggesting they may have been tested or verified.
Date: 2026-05-04T23:59:19Z
Network: openweb
Published URL: https://altenens.is/threads/2653x-uhq-mix-gem-stonecollision-ebbi_cloud.2934396/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 3,825 UHQ mixed credentials shared on forum
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list described as containing 3,825 ultra-high-quality (UHQ) mixed credentials on a known cybercrime forum. The post provides no further detail regarding the origin of the credentials or the targeted services. The list appears to be marketed for credential stuffing or similar account takeover activity.
Date: 2026-05-04T23:56:53Z
Network: openweb
Published URL: https://altenens.is/threads/3825x-uhq-mix-check-mark-buttontrophy-ebbi_cloud.2934399/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list distribution by threat actor Ebbicloud
Category: Combo List
Content: A threat actor operating as Ebbicloud on the AE forum shared a combo list advertised as 6973x UHQ Mix, suggesting a collection of approximately 6,973 high-quality credential pairs. No post content was available to confirm targeted services, data composition, or origin of the credentials.
Date: 2026-05-04T23:54:27Z
Network: openweb
Published URL: https://altenens.is/threads/6973x-uhq-mix-rockettrophy-ebbi_cloud.2934400/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of UHQ combo list
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list described as UHQ Mix containing approximately 11,929 credential pairs on the AE forum. The post was shared via a Telegram channel referenced as @ebbi_cloud. No further details regarding the origin or targeted services of the credentials are available from the post content.
Date: 2026-05-04T23:52:05Z
Network: openweb
Published URL: https://altenens.is/threads/11929x-uhq-mix-hundred-pointsglowing-star-ebbi_cloud.2934402/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 180,000 mixed email and password credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias carlos080 has shared a combo list purportedly containing 180,000 mixed email and password credential pairs on the AE cybercrime forum. The credentials are marketed as fresh and high quality. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-04T23:49:35Z
Network: openweb
Published URL: https://altenens.is/threads/180k-fresh-hq-combolist-email-pass-mixed.2934407/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of 78,000 mixed-domain mail access combo list
Category: Combo List
Content: A forum post on AE by user VegaM references a combo list containing approximately 78,000 mail access credentials spanning mixed domains. No additional post content was available to determine pricing, specific domains targeted, or the origin of the credentials.
Date: 2026-05-04T23:47:09Z
Network: openweb
Published URL: https://altenens.is/threads/78k-mail-access-mixed-domains.2934420/unread
Screenshots:
None
Threat Actors: VegaM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 171 NCIC identification records
Category: Data Leak
Content: A threat actor on the Breached forum has made available an alleged set of 171 NCIC (National Crime Information Center) identification records, purportedly obtained in January 2026. The data is being distributed via a MediaFire link. No further details regarding the method of acquisition or specific data fields are provided in the post.
Date: 2026-05-04T23:36:45Z
Network: openweb
Published URL: https://breached.st/threads/171-ncic-ids-breached-jan-2026.86795/unread
Screenshots:
None
Threat Actors: propose
Victim Country: United States
Victim Industry: Government
Victim Organization: National Crime Information Center (NCIC)
Victim Site: Unknown
Promotion of alleged blackhat hacking Telegram channel
Category: Alert
Content: A forum post promotes a Telegram channel called NEFFEX The Blackhat advertised as offering free web access, FTP access, and elite hacking tools. The post contains no specific breach, leak, or attack claim, functioning primarily as a channel advertisement. The linked Telegram channel is hosted at t.me/neffex_the_blackhat.
Date: 2026-05-04T23:35:22Z
Network: openweb
Published URL: https://breached.st/threads/blackhat-hacking-taligram-channel.86798/unread
Screenshots:
None
Threat Actors: momo78
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Basij member information database
Category: Data Leak
Content: A threat actor operating under the handle Org1877 has shared what they claim is a database containing detailed personal information of Basij members, including full names, national IDs, addresses, ranks, and phone numbers. The post advertises a free sample and directs interested parties to a Telegram channel (t.me/Org1877) for further details. No price is mentioned, suggesting the data is being freely distributed or shared selectively.
Date: 2026-05-04T23:34:38Z
Network: openweb
Published URL: https://breached.st/threads/basij-member-info-database.86797/unread
Screenshots:
None
Threat Actors: org1877
Victim Country: Iran
Victim Industry: Government
Victim Organization: Basij
Victim Site: Unknown
Website Defacement of Deadly Together by Komodoxploit of BadakSec Team
Category: Defacement
Content: On May 5, 2026, the Australian website deadlytogether.com.au was defaced by threat actor Komodoxploit, operating under the BadakSec Team. The attack targeted the homepage in a single, targeted defacement rather than a mass campaign. The incident has been archived and mirrored via zone-xsec.com.
Date: 2026-05-04T23:31:34Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917446
Screenshots:
None
Threat Actors: Komodoxploit, BadakSec Team
Victim Country: Australia
Victim Industry: Non-Profit / Community Organization
Victim Organization: Deadly Together
Victim Site: deadlytogether.com.au
Alleged sale of access to private cloud database with compromised Hotmail accounts and platform-specific data
Category: Initial Access
Content: Threat actor offering access to a private cloud database containing high-quality Hotmail credentials and country-specific datasets. Claims to have access to data from multiple regions (FR, IT, BR, UK, US, JP, PL, RU, ES, MX, CA, SG) and platforms including Walmart, eBay, Kleinanzeigen, Uber, and Poshmark. Soliciting inquiries for specific data requests.
Date: 2026-05-04T23:27:55Z
Network: telegram
Published URL: https://t.me/c/2613583520/75620
Screenshots:
None
Threat Actors: Yhōu
Victim Country: Unknown
Victim Industry: Multiple (e-commerce, email providers, ride-sharing, marketplace platforms)
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of access to private cloud database with credential lists and email accounts
Category: Logs
Content: Threat actor offering access to a private cloud database containing full access credentials (mailpass and cookies) for email accounts across multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT, JP). Database includes inbox access and features targeting specific platforms (eBay, Offerup, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, Neosurf). Seller claims to own private cloud infrastructure with valid webmails.
Date: 2026-05-04T23:25:17Z
Network: telegram
Published URL: https://t.me/c/2613583520/75619
Screenshots:
None
Threat Actors: liyu
Victim Country: Multiple countries
Victim Industry: Multiple (e-commerce, payment, travel, social platforms)
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of email credential lists and access to multiple platforms
Category: Combo List
Content: Seller offering combolists containing email credentials with passwords and cookies for multiple platforms including Amazon, Facebook, eBay, PayPal, Kleinanzeigen, Hotmail, Yahoo, and others. Targeting multiple geographic regions (EU, USA, Germany, etc.) with private cloud database access available by subscription.
Date: 2026-05-04T23:24:36Z
Network: telegram
Published URL: https://t.me/c/2613583520/75613
Screenshots:
None
Threat Actors: _emanthy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list distributed on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Flexedz shared a mixed combo list on the PT Combolist forum, described as UHQ (ultra-high quality) and marked as private. The list is dated 02.05.2026 and contains approximately 870 credential pairs, with access gated behind forum registration or login.
Date: 2026-05-04T23:11:20Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-870-mix-access-acrtixx1-update-02-05
Screenshots:
None
Threat Actors: Flexedz
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged USA email access combo list
Category: Combo List
Content: A threat actor operating under the alias TraxGod is distributing a combo list advertised as approximately 1,800 USA mail access credentials. The post is labeled as old/private data and requires forum registration or login to access the hidden content. No specific breached organization is identified; the post appears to be a credential stuffing resource targeting US email accounts.
Date: 2026-05-04T23:11:00Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%9C%EF%B8%8F%E2%98%91%EF%B8%8F1-8k-usa-mail-access-mix%E2%98%91%EF%B8%8F%E2%9A%9C%EF%B8%8F-02-05
Screenshots:
None
Threat Actors: TraxGod
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged 50,000-Record USA Combo List
Category: Combo List
Content: A threat actor operating under the alias Lavivalda13 is distributing a combo list claimed to contain 50,000 records targeting US-based accounts, marketed as high quality and fresh. The content is gated behind forum registration or login, requiring engagement before access. No specific target service or breach source is identified in the post.
Date: 2026-05-04T23:10:15Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-50k-hq-usa-combolist-fresh-drop
Screenshots:
None
Threat Actors: Lavivalda13
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail Combo List
Category: Combo List
Content: A threat actor operating under the alias NuggetCloud is distributing a combo list advertised as containing over 3,000 Hotmail credentials. The post references hidden content accessible only to registered or logged-in forum members. The actor also promotes a channel for additional tools and email lists.
Date: 2026-05-04T23:09:41Z
Network: openweb
Published URL: https://patched.to/Thread-hq-hotmails-x3000
Screenshots:
None
Threat Actors: NuggetCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of URL:LOG:PASS combo list containing 24.91 million records
Category: Combo List
Content: A threat actor operating under the alias Daxus has shared a URL:LOG:PASS combo list containing approximately 24.91 million records on a leak forum. The dataset is described as UHQ (ultra-high quality) and is associated with the actors commercial platform at Daxus.pro. The post directs users to a hidden download link and promotes additional content via a Telegram channel and bot.
Date: 2026-05-04T23:08:51Z
Network: openweb
Published URL: https://leakforum.io/Thread-%E2%AD%90%EF%B8%8FURL-LOG-PASS-24-91-M-%E2%9C%85-DAXUS-PRO-UHQ-%E2%AD%90%EF%B8%8F
Screenshots:
None
Threat Actors: Daxus
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 180,000-Record Email and Password Combo List Targeting Multiple Streaming and Gaming Services
Category: Combo List
Content: A threat actor operating under the alias Ra-Zi is sharing a combo list claimed to contain 180,000 email and password credential pairs, marketed as high quality and targeting services including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The post includes links to a Telegram channel and an external website, with the download gated behind forum registration. The actor is additionally advertising bulk combo list sales across multiple geographic regions and credential formats via Telegram
Date: 2026-05-04T23:08:08Z
Network: openweb
Published URL: https://demonforums.net/Thread-180k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify–202825
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting gaming and Microsoft accounts
Category: Combo List
Content: A forum post by user Ebbicloud on AE advertises a combo list targeting gaming and Microsoft accounts. No further details are available as the post content is empty. The named services are credential-stuffing targets and are not necessarily the source of the breach.
Date: 2026-05-04T23:05:26Z
Network: openweb
Published URL: https://altenens.is/threads/gaming-microsoft-accounts-ebbi_cloud.2934386/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of UHQ combo list mix
Category: Combo List
Content: A threat actor operating under the handle Ebbicloud shared a post on the AE forum advertising a set of 212 UHQ (ultra-high quality) mixed credentials. No further details regarding the content, targeted services, or source of the credentials are available from the post.
Date: 2026-05-04T22:59:54Z
Network: openweb
Published URL: https://altenens.is/threads/212x-uhq-mix-gem-stonefire-ebbi_cloud.2934387/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of custom malware droppers, initial access services, and phishing infrastructure by threat actor group
Category: Services
Content: A threat actor group operating under the handle 0x1Sploit is advertising custom malware tooling including LNK/HTA and PDF droppers with EDR bypass capabilities, shellcode/PE injection, and configurable execution methods. The group also claims to offer contract-based initial access and post-exploitation services, zero-day exploits developed by an in-house R&D team, and a phishing infrastructure used in alleged current APT campaigns, which may be offered as Phishing-as-a-Service or sold as source
Date: 2026-05-04T22:33:34Z
Network: openweb
Published URL: https://spear.cx/Thread-INITIAL-ACCESS-SERVICES-TOOLS-OFFERS
Screenshots:
None
Threat Actors: 0x1Sploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged destructive cyber attack on Italian industrial systems
Category: Cyber Attack
Content: Infrastructure Destruction Squad claims to be actively destroying an internal network belonging to Italian industrial systems. Post includes photo evidence (unverified).
Date: 2026-05-04T22:21:06Z
Network: telegram
Published URL: https://t.me/c/2735908986/4172
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Italy
Victim Industry: industrial
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of IUNGO Cloud
Category: Data Breach
Content: A threat actor known as Fronx is offering for sale a claimed 73GiB PortaBilling database allegedly exfiltrated from IUNGO Cloud, a Brazilian hosted PBX and cloud-telephony provider. The seller claims the dataset contains customer details, call detail records, customer balances, email addresses, phone numbers, passwords, and extensive PII. The listing is described as a one-time sale, with contact via Session messenger and samples provided through external links.
Date: 2026-05-04T22:18:19Z
Network: openweb
Published URL: https://pwnforums.st/Thread-IUNGO-Cloud-Brazil-Massive-73GiB-Portabilling-Database
Screenshots:
None
Threat Actors: Fronx
Victim Country: Brazil
Victim Industry: Telecommunications
Victim Organization: IUNGO Cloud
Victim Site: iungo.cloud
Sale of Mixed Corporate and Personal Email Credential Combo List
Category: Combo List
Content: A threat actor operating under the alias CloudBase is offering a combo list of approximately 2,750 mixed and corporate email credentials with claimed full mail access. The listing is posted on a known cybercrime forum and is gated behind registration or login. The dataset is advertised as a mix of personal and corporate mail:pass combinations.
Date: 2026-05-04T22:10:21Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-2750-mix-corp-mailpass-full-mail-acces
Screenshots:
None
Threat Actors: CloudBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Forum post with hidden content on fitness aids forum thread
Category: Alert
Content: A forum post on a combolist-themed forum contains hidden content requiring registration or login to view. The visible text references fitness aids and online shopping, but no threat-relevant information can be extracted from the observable content. The actual linked resource or advertised content is concealed behind an authentication gate.
Date: 2026-05-04T22:10:04Z
Network: openweb
Published URL: https://patched.to/Thread-shopping-trusted-source-for-quality
Screenshots:
None
Threat Actors: PerryFlore11
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged valid Hotmail and mixed corporate email credentials combo list
Category: Combo List
Content: A threat actor operating under the alias CloudBase is offering a combo list of 425 alleged valid credentials, described as Hotmail, mixed, and corporate email account mailpass combinations with claimed full mail access. The post is hosted behind a registration/login wall on the Patched.to forum, obscuring the actual content. The listed credentials appear to be marketed for use in credential stuffing or account takeover activity.
Date: 2026-05-04T22:09:32Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-425-valid-hotmail-mix-corp-mailpass-full-mail-acces
Screenshots:
None
Threat Actors: CloudBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged valid Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias CloudBase is distributing a combo list advertised as containing 2,000 valid Hotmail email and password pairs with claimed full mail access. The content is gated behind forum registration or login, limiting direct verification of the data. This appears to be a credential stuffing resource targeting Hotmail accounts, not a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-04T22:08:59Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-2000-valid-hotmail-mailpass-full-mail-acces-298842
Screenshots:
None
Threat Actors: CloudBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of ULP combo list with 15 million+ lines
Category: Combo List
Content: A threat actor operating under the alias R0BIN1337 shared a combo list purportedly containing over 15 million lines in URL:Login:Password (ULP) format, reportedly dated May 2026 and associated with the domain mo-on.cloud. The content is hidden behind a login/registration wall on the forum, limiting independent verification of the claimed record count or data validity.
Date: 2026-05-04T22:08:51Z
Network: openweb
Published URL: https://patched.to/Thread-15-millions-lines-ulp-may26-mo-on-cloud-790
Screenshots:
None
Threat Actors: R0BIN1337
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 149,000 Netherlands credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias HackingRealm has shared a combo list purportedly containing 149,000 high-quality credential pairs associated with Netherlands-based accounts on a cybercrime forum. The content is gated behind forum registration or login, suggesting distribution to vetted members. The post references markoo.lol, likely indicating the tool or service used for credential validation.
Date: 2026-05-04T22:08:40Z
Network: openweb
Published URL: https://patched.to/Thread-149k-netherland-hq-combolist-markoo-lol
Screenshots:
None
Threat Actors: HackingRealm
Victim Country: Netherlands
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of mail access credentials and combo lists across multiple countries
Category: Combo List
Content: Threat actor advertising fresh database access and mail credentials from multiple countries including UK, DE, JP, NL, BR, PL, ES, US, IT, and others. Offering inbox access, combo lists, scripts, tools, and hits. Claims to have private cloud infrastructure with valid webmail access. Accepting custom requests.
Date: 2026-05-04T22:08:02Z
Network: telegram
Published URL: https://t.me/c/2613583520/75578
Screenshots:
None
Threat Actors: Dataxlogs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 746K URL:login:password credentials shared from private channel
Category: Combo List
Content: A threat actor on a leak forum shared a combo list containing approximately 746,000 lines in URL:login:password format, purportedly sourced from a private high-quality channel. The post is gated behind forum registration or login, limiting visibility into the specific contents or targeted services.
Date: 2026-05-04T22:07:43Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%AD%90%EF%B8%8F-URL-LOGIN-PASS-746K-746K-LINES-FROM-PRIVATE-CHANNEL-HQ-BASE
Screenshots:
None
Threat Actors: akrei
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of iklanvsb.id by YIIX103
Category: Defacement
Content: On May 5, 2026, a threat actor identified as YIIX103 defaced the Indonesian website iklanvsb.id, targeting the file yo.php. The attacker operated independently without an affiliated team. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-05-04T21:45:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917444
Screenshots:
None
Threat Actors: YIIX103
Victim Country: Indonesia
Victim Industry: Advertising/Marketing
Victim Organization: Iklan VSB
Victim Site: iklanvsb.id
Sale of Angolan Government Email Accounts
Category: Initial Access
Content: A threat actor operating under the alias KayoTheDon is offering Angolan government email accounts for sale on a cybercrime forum. Pricing ranges from $5 per account to $45 for ten accounts. Contact is facilitated via Telegram handle @kangored.
Date: 2026-05-04T21:42:24Z
Network: openweb
Published URL: https://breached.st/threads/gov-mails-for-cheap.86790/unread
Screenshots:
None
Threat Actors: KayoTheDon
Victim Country: Angola
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Native School Pakistan database
Category: Data Leak
Content: A threat actor using the alias MrLucxy, claiming to be Bjorka, has leaked a database purportedly belonging to Native School Pakistan. The leaked data reportedly includes tables related to comcategory, campuses, cities, and admin records. The data was made available on a breach forum at no stated cost.
Date: 2026-05-04T21:41:27Z
Network: openweb
Published URL: https://breached.st/threads/database-native-scool-pakistan.86792/unread
Screenshots:
None
Threat Actors: MrLucxy
Victim Country: Pakistan
Victim Industry: Education
Victim Organization: Native School Pakistan
Victim Site: Unknown
Alleged data breach of Azzorti intranet platforms (Guatemala and Ecuador)
Category: Data Breach
Content: Threat actors NyxarGroup, Petro_Escobar, and ArcRaidersPlayer are offering for sale the alleged complete databases of intranet.azzorti.com and intranet.azzorti.gt. The leaked data purportedly includes internal documents, Power BI reports, supplier and product data, sales records, business charts, quotes, and two databases containing personally identifiable information such as names, national identification numbers, addresses, phone numbers, and district/province details. Sample records indicate
Date: 2026-05-04T21:26:11Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-GT-EC-AZZORTI-COM
Screenshots:
None
Threat Actors: NyxarGroup
Victim Country: Guatemala
Victim Industry: Retail
Victim Organization: Azzorti
Victim Site: azzorti.com
Alleged Hotmail combo list shared on cybercrime forum
Category: Combo List
Content: A forum user shared a post titled X9833 HOTMAIL COMBOLIST on a cybercrime forum, suggesting a collection of Hotmail-associated email and password credentials intended for credential stuffing. The actual content is hidden behind a registration or login wall, preventing verification of the record count or data quality.
Date: 2026-05-04T21:18:12Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-x9833-hotmail-combolist
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 5,000 mixed email credentials including Hotmail accounts shared on forum
Category: Combo List
Content: A threat actor operating under the alias cloudkaraoke has shared a combo list containing approximately 5,000 mixed email credentials, including Hotmail accounts, on the Patched.to forum. The content is gated behind registration or login, indicating it is distributed to forum members rather than publicly accessible. The post does not reference a specific breached organization; the credentials appear to be aggregated from multiple sources for use in credential stuffing or account takeover activi
Date: 2026-05-04T21:17:44Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-5k-good-mixed-combo-mail-access-hotmail
Screenshots:
None
Threat Actors: cloudkaraoke
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ valid email combo list
Category: Combo List
Content: A threat actor on the Patched forum is offering a combo list advertised as containing 1,561 ultra-high-quality (UHQ) valid email credentials. The content is gated behind forum registration or login. No specific target service or origin breach is identified in the post.
Date: 2026-05-04T21:17:12Z
Network: openweb
Published URL: https://patched.to/Thread-1561x-uhq-valid-mail
Screenshots:
None
Threat Actors: randiman11
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged critical infrastructure attack on oil and gas operations – SCADA/ICS manipulation
Category: Cyber Attack
Content: Post describes unauthorized access and manipulation of oil well operations including pressure system controls, tubing/casing adjustments, and forced shutdown of pumping equipment. References Branch 2 operations with pressure readings and status changes to SHUT/BOOT mode with alarm activation. Tagged with #OpUSA suggesting potential coordinated critical infrastructure campaign.
Date: 2026-05-04T21:17:06Z
Network: telegram
Published URL: https://t.me/c/3584758467/876
Screenshots:
None
Threat Actors: OpUSA
Victim Country: Unknown
Victim Industry: Energy/Oil & Gas
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias liamgoat is sharing a combo list purportedly containing approximately 300 Hotmail email and password pairs. The post is hosted on a cybercrime forum and requires registration or login to access the content. The credentials are marketed as high-quality (HQ) and intended for mail access use.
Date: 2026-05-04T21:16:41Z
Network: openweb
Published URL: https://patched.to/Thread-0-3k-hq-hotmail-mail-access-combolist-298832
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Multiple Personal Data Databases Including SSN, Drivers Licenses, Passports, and Corporate Records
Category: Services
Content: A threat actor operating under the alias jannat123 is advertising multiple categories of stolen or illicit data for sale via Telegram, including government-issued identity documents (drivers licenses, passports, SSNs/SINs), consumer and citizen databases, email and phone lists, credential combos, and corporate records (LLC, EIN, LTD). No specific victim organizations, record counts, or geographic scope are disclosed in the post. Contact is directed to Telegram handle @jannat646500.
Date: 2026-05-04T20:59:42Z
Network: openweb
Published URL: https://xforums.st/threads/drivers-license-ssn-passports-combo-emails-databases-llc-ein-ltd.612247/
Screenshots:
None
Threat Actors: jannat123
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of Germany personal information database
Category: Data Breach
Content: A threat actor on PwnForums is offering for sale a database purportedly containing personal information of German individuals, with 450,347 rows, priced at $250. The post does not specify the source organization, the data fields included, or the method of acquisition. The seller requires proof of funds prior to any transaction and suggests use of an escrow service.
Date: 2026-05-04T20:26:22Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Germany-Personal-Information-Database
Screenshots:
None
Threat Actors: moxzey
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged purchase request for compromised email credentials with IMAP support
Category: Combo List
Content: User best_ posted a request to purchase valid email address:password combinations, specifically requiring IMAP support. This indicates active demand for compromised email accounts in the underground marketplace.
Date: 2026-05-04T20:24:19Z
Network: telegram
Published URL: https://t.me/c/2613583520/75512
Screenshots:
None
Threat Actors: best_
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Nexplay.fr with plaintext credentials
Category: Data Breach
Content: A threat actor known as selluk is offering what is claimed to be a database dump from nexplay.fr containing approximately 110,000 email and plaintext (decrypted) password pairs. The content is hosted behind a points-based paywall on the forum, with a sample link provided referencing a file named nexplay.txt. The post does not specify the breach date or the method of compromise.
Date: 2026-05-04T20:24:02Z
Network: openweb
Published URL: https://pwnforums.st/Thread-NEXPLAY-FR-110K-EMAIL-PASSWORD-CLEAR-DECRYPTED
Screenshots:
None
Threat Actors: selluk
Victim Country: France
Victim Industry: Gaming
Victim Organization: Nexplay
Victim Site: nexplay.fr
Alleged sale of stolen payment card fullz and credential lists by AllCards marketplace
Category: Combo List
Content: AllCards marketplace advertising sale of stolen payment card data (fullz) with pricing at $1.2-2 USD per valid card for US cards and $2.5-3 for other countries. Claims capacity to produce and update 100k+ cards daily. Operating on clearnet and Tor domains. Additionally, xiaoyuenans shop advertising new card fullz at $6 per random card or $8 for selected BIN cards.
Date: 2026-05-04T20:21:32Z
Network: telegram
Published URL: https://t.me/c/2613583520/75503
Screenshots:
None
Threat Actors: AllCards
Victim Country: Unknown
Victim Industry: Financial services
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of IslamMore by Xy000 of System of Pekalongan
Category: Defacement
Content: On May 5, 2026, a threat actor identified as Xy000, operating under the team System of Pekalongan, defaced a page on islammore.com, an Islamic content or media website. The attack targeted a specific article or content page rather than the homepage, indicating a targeted single-page defacement. The incident was archived and mirrored on zone-xsec.com, a known defacement tracking platform.
Date: 2026-05-04T20:21:03Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917443
Screenshots:
None
Threat Actors: Xy000, System of pekalongan
Victim Country: Unknown
Victim Industry: Religious / Media
Victim Organization: IslamMore
Victim Site: www.islammore.com
Alleged Distribution of 359,062 IP Addresses with Scanning Script by APT IRAN
Category: Initial Access
Content: APT IRAN channel shared 359,062 IP addresses along with a scanning script, claiming recipients can use them for scanning and exploitation purposes. This appears to be a reconnaissance/initial access tool offering.
Date: 2026-05-04T20:18:23Z
Network: telegram
Published URL: https://t.me/c/3575098403/166
Screenshots:
None
Threat Actors: APT IRAN
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of mixed email credentials targeting USA and European users
Category: Combo List
Content: A threat actor on a cybercrime forum has shared a combo list containing approximately 6,385 email:password credential pairs described as mail access hits. The list is advertised as a mix of credentials sourced from USA and European users. The content is hidden behind a login or registration requirement on the forum.
Date: 2026-05-04T20:16:07Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-6-385-good-combo-mail-access-mix-usa-europa
Screenshots:
None
Threat Actors: cloudkaraoke
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of AI automation and workflow services for businesses
Category: Services
Content: A forum user operating under the alias TheMekanic is advertising AI automation and workflow services targeting business owners. Offered services include AI-driven sales automation, CRM integration, lead handling, and no-code workflow setup. Payment is accepted via cryptocurrency, bank transfer, or PayPal, with contact directed through a Telegram handle.
Date: 2026-05-04T20:16:00Z
Network: openweb
Published URL: https://patched.to/Thread-diamond-%E2%AD%90-1-ai-automation-for-businesses-reduce-costs-increase-revenue-fast-results
Screenshots:
None
Threat Actors: TheMekanic
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 2,781 alleged Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias NovaCloudx shared a combo list containing 2,781 alleged Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login requirement. The post uses common engagement-baiting language typical of credential-stuffing list distributions.
Date: 2026-05-04T20:15:29Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9A%A12781x-good-hotmail%E2%9A%A1%E2%9C%85
Screenshots:
None
Threat Actors: NovaCloudx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged Fresh Hotmail Combo List
Category: Combo List
Content: A threat actor operating under the alias Pirate999 is sharing a combo list advertised as containing 700 fresh Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login wall, with the post implying access is contingent on community engagement. The credentials are marketed as fresh and are likely intended for credential stuffing against Hotmail or related Microsoft services.
Date: 2026-05-04T20:15:09Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%E2%9A%A1-700x-fresh-hotmail-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Pirate999
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias RetroCloud has shared a combo list purportedly containing approximately 8,000 high-quality Hotmail credential hits on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting independent verification. The credentials are marketed as high quality and appear intended for use in credential stuffing or account takeover activity.
Date: 2026-05-04T20:14:37Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85-8k-hq-hotmail-hit-%E2%9C%85-298758
Screenshots:
None
Threat Actors: RetroCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged Fresh Hotmail Combo List
Category: Combo List
Content: A threat actor operating under the alias Lowza9 is sharing a combo list purportedly containing 1,364 Hotmail credentials, marketed as premium and fresh. The content is hidden behind a registration or login requirement on the forum. No breach of Microsoft or Hotmail infrastructure is claimed; the credentials are likely aggregated from third-party sources for use in credential stuffing.
Date: 2026-05-04T20:13:55Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%E2%9A%A1-1364x-premium-fresh-hotmails-%E2%9A%A1%E2%9A%A1-298823
Screenshots:
None
Threat Actors: Lowza9
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged Fresh Hotmail Credential Combo List
Category: Combo List
Content: A threat actor operating under the alias SNSS is distributing a combo list advertised as containing 300 fresh, valid Hotmail credentials. The content is hidden behind a registration or login requirement on the forum. The credentials are marketed as verified hits, likely intended for credential stuffing or account takeover activity.
Date: 2026-05-04T20:13:35Z
Network: openweb
Published URL: https://patched.to/Thread-contributor-%E2%9C%A8-300x-fresh-hotmail-valid-%E2%9C%A8-298826
Screenshots:
None
Threat Actors: SNSS
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of mixed-access combo list
Category: Combo List
Content: A threat actor operating under the alias COYYYTOOOO shared a download link to a combo list described as 1K Mixed Access on a cybercrime forum. The list reportedly contains approximately 1,000 email and password credential pairs across mixed access types. No specific target organization or breach source was identified in the post.
Date: 2026-05-04T20:12:28Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1K-MIXED-ACCESS–202809
Screenshots:
None
Threat Actors: COYYYTOOOO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Italian email and password credentials
Category: Combo List
Content: A threat actor operating under the alias Maxleak is distributing a combo list purportedly containing over 1.2 million email and password pairs associated with Italian users. The credentials are marketed as fresh and high quality, with a purported date of 4 May 2026. The content is gated behind forum registration or login, consistent with typical combolist distribution practices on leak forums.
Date: 2026-05-04T20:11:30Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-1-206-K-%E2%9C%A6-Italy-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-4-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Japanese email and password credentials
Category: Combo List
Content: A threat actor operating under the alias Maxleak shared a combo list purportedly containing over 173,000 email and password pairs associated with Japanese accounts. The credentials are marketed as fresh and high quality, with an indicated date of April 5, 2026. The content is gated behind forum registration or login.
Date: 2026-05-04T20:11:06Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-173-K-%E2%9C%A6-Japan-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-4-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 151K+ email and password credentials targeting Mexico
Category: Combo List
Content: A threat actor operating under the alias Maxleak is sharing a combo list containing over 151,000 email and password pairs allegedly associated with Mexican users. The credentials are marketed as fresh and high quality, with a listed date of April 5, 2026. The content is gated behind forum registration or login, suggesting distribution within a closed threat actor community.
Date: 2026-05-04T20:10:40Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-151-K-%E2%9C%A6-Mexico-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-4-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Mexico
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Latvian email and password credentials
Category: Combo List
Content: A threat actor operating under the alias Maxleak is sharing a combo list purportedly containing over 65,000 email and password pairs associated with Latvian users. The credentials are marketed as fresh and high quality, with a stated date of May 4, 2026. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T20:10:17Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-65-K-%E2%9C%A6-Latvia-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-4-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Latvia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 19,000+ Kenya-based email credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor using the handle CobraEgy has shared a combo list on DemonForums containing over 19,000 email and password pairs purportedly associated with Kenyan users. The credentials are marketed as fresh and high quality, with a post date of May 4, 2026. The content is hidden behind a forum registration or login requirement, and the actor promotes additional combo lists via a Telegram channel.
Date: 2026-05-04T20:10:08Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-19-K-%E2%9C%A6-Kenya-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-4-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Kenya
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 52,000+ Malaysian email and password credentials
Category: Combo List
Content: A threat actor operating under the alias Maxleak has shared a combo list containing over 52,000 email and password pairs purportedly associated with Malaysian users. The credentials are marketed as fresh and high quality, with a post date of May 4, 2026. The content is hidden behind a registration or login wall on the forum.
Date: 2026-05-04T20:09:51Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-52-K-%E2%9C%A6-Malaysia-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-4-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Malaysia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Kenyan email and password credentials shared on leak forum
Category: Combo List
Content: A threat actor operating under the alias Maxleak has shared a combo list purportedly containing over 19,000 email and password pairs associated with Kenyan users. The credentials are marketed as fresh and high quality, with a claimed date of May 4, 2026. The content is gated behind forum registration or login.
Date: 2026-05-04T20:08:59Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-19-K-%E2%9C%A6-Kenya-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-4-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Kenya
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Lithuanian email and password credentials
Category: Combo List
Content: A threat actor known as CobraEgy shared a combo list on DemonForums containing over 16,000 email and password pairs purportedly associated with Lithuanian users. The credentials are marketed as fresh and high quality, with a stated date of April 5, 2026. The content is hidden behind a registration or login requirement, and an external Telegram channel is referenced for additional combolists.
Date: 2026-05-04T20:08:52Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-16-K-%E2%9C%A6-Lithuania-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-4-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Lithuania
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyber attack and data breach of Fujairah Port, UAE by Handala threat actor with IRGC coordination
Category: Data Breach
Content: Handala threat actor claims responsibility for a sophisticated cyber operation against Fujairah Port in the UAE, resulting in the exfiltration of over 430,000 confidential documents including contract details, ship traffic data, financial transactions, and critical infrastructure maps of oil pipelines. The threat actor claims coordination with IRGC missile units for subsequent military strikes on the port. Handala warns of continued cyber operations and escalating attacks if UAE continues alleged collaboration with Israel and the United States.
Date: 2026-05-04T19:54:16Z
Network: telegram
Published URL: https://t.me/c/3686754935/86
Screenshots:
None
Threat Actors: Handala
Victim Country: United Arab Emirates
Victim Industry: Maritime/Port Operations, Energy Infrastructure
Victim Organization: Fujairah Port Authority
Victim Site: Unknown
Alleged combo list targeting Canadian users distributed on cybercrime forum
Category: Combo List
Content: A threat actor known as ImmanueKant shared what is claimed to be a combo list of 1.3 million Canadian user credentials on the AE forum. No post content was available to confirm the format, source, or validity of the credentials. The listing is categorized as a combo list based on the thread title and forum context.
Date: 2026-05-04T19:42:33Z
Network: openweb
Published URL: https://altenens.is/threads/white-circlehigh-voltagewhite-circle-canada-ca-1-3m-white-circlehigh-voltagewhite-circle.2934285/unread
Screenshots:
None
Threat Actors: ImmanueKant
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting Chile distributed on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias ImmanueKant shared a combo list purportedly containing approximately 103,000 credential pairs associated with Chilean users, described as part two of a broader Latin America series. The post was made on the AE combo list forum. No post content was available to confirm specific data fields or targeted services.
Date: 2026-05-04T19:40:06Z
Network: openweb
Published URL: https://altenens.is/threads/white-circlehigh-voltagewhite-circlechile-cl-103k-part-2-of-latin-america-white-circlehigh-voltagewhite-circle.2934286/unread
Screenshots:
None
Threat Actors: ImmanueKant
Victim Country: Chile
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 77,888 German email credentials shared on cybercrime forum
Category: Logs
Content: A threat actor operating under the alias D4rkNetHub shared a combo list advertised as containing 77,888 good German email credentials on a cybercrime forum. The post includes links requiring forum registration to access, consistent with standard distribution practices on credential-sharing communities. The dataset is marketed as verified or high-quality hits targeting Germany-based accounts.
Date: 2026-05-04T19:36:00Z
Network: openweb
Published URL: https://xforums.st/threads/77-888-good-germany-d4rknethub-cloud-04-05-26.612246/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged DDoS-as-a-Service Platform Goofystress Advertising Layer 4/7 Attack Capabilities
Category: Malware
Content: Goofystress is advertising a DDoS-as-a-Service platform offering Layer 4 (TCP/UDP flood up to 10M pps) and Layer 7 (CAPTCHA, cache, UAM bypasses) attack capabilities. The service claims 3+ years of operation, 1000-1500 customers, and includes game-specific bypasses for Fortnite, Minecraft, Apex, COD, Roblox, and Battlefield. Operators claim reliable auto-payment system and active customer base of 190-200 monthly users.
Date: 2026-05-04T19:35:37Z
Network: telegram
Published URL: https://t.me/c/1669509146/97042
Screenshots:
None
Threat Actors: Goofystress
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Elefan.co.id
Category: Data Breach
Content: A threat actor on a cybercrime forum is offering for sale an alleged database dump from elefan.co.id, an Indonesian company. The post claims the dataset contains over 1,000 user records including usernames, full names, Gmail addresses, physical addresses, NIP (employee ID numbers), NIK (national identity numbers), dates of birth, religion, and education level. Sample data provided in SQL INSERT format appears to contain records of Indonesian healthcare personnel from the Subang Regency area of W
Date: 2026-05-04T19:29:52Z
Network: openweb
Published URL: https://breached.st/threads/elefan-co-id-database-sell.86789/unread
Screenshots:
None
Threat Actors: Kyyzo
Victim Country: Indonesia
Victim Industry: Healthcare
Victim Organization: Elefan
Victim Site: elefan.co.id
Alleged data breach of Aviso Wealth (aviso.ca)
Category: Data Breach
Content: A threat actor on a cybercrime forum is offering for sale an alleged database from Aviso (aviso.ca), a Canadian wealth management and financial services company. The post claims a breach date of May 1, 2026, with 261,382 records containing full names, street addresses, cities, provinces, postal codes, and phone numbers. Sample records appear to correspond to individuals located primarily in Alberta, Canada.
Date: 2026-05-04T19:11:58Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-Aviso-User-Database-aviso-ca-261-382–189050
Screenshots:
None
Threat Actors: lowiq
Victim Country: Canada
Victim Industry: Finance
Victim Organization: Aviso Wealth
Victim Site: aviso.ca
Alleged data leak of La Redoute customer shipping records
Category: Data Leak
Content: A threat actor using the handle Lagui shared what is claimed to be a free database dump scraped from La Redoute, a French e-commerce and retail company. The dataset allegedly contains 96,191 records including customer names, addresses, postal codes, phone numbers, email addresses, and detailed parcel/expedition tracking information. The data is made available via a hidden download link on the forum, accessible upon reply.
Date: 2026-05-04T19:09:16Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-FR-FRENCH-DATABASE-LA-REDOUTE
Screenshots:
None
Threat Actors: Lagui
Victim Country: France
Victim Industry: Retail
Victim Organization: La Redoute
Victim Site: laredoute.fr
Sale of Mixed Email Credential Combo List
Category: Combo List
Content: A threat actor operating under the alias DAXCLOUUD is distributing a mixed email access combo list advertised as containing approximately 13,000 valid credential hits. The post describes the data as private and unwrapped, and directs interested parties to contact the Telegram handle @Redline_Support4 for additional private data. The content itself is hidden behind a forum registration or login wall.
Date: 2026-05-04T19:00:22Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%90%E2%AD%9013k-mix-mail-acces-full-valid-hits%E2%AD%90-private-unrapped-data-%E2%AD%90%E2%AD%90
Screenshots:
None
Threat Actors: DAXCLOUUD
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged UHQ Roblox credential combo list with high hit rate
Category: Combo List
Content: A threat actor identified as baguja1472 is distributing a combo list of approximately 17,000 credentials purportedly targeting Roblox accounts, marketed as UHQ (ultra-high quality) with a high hit rate. The post claims some accounts contain Robux (in-game currency), suggesting pre-verified or filtered credentials. The actual download is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T18:59:46Z
Network: openweb
Published URL: https://patched.to/Thread-royal-%E2%9C%A8%E2%8E%9D17k-roblox-uhq-combo-%E2%8E%A0%E2%9C%A8%E2%9C%85private-roblox-with-robux%E2%9C%85%E2%9A%A1high-hitrate-combo%E2%9A%A1
Screenshots:
None
Threat Actors: baguja1472
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged High-Quality Spotify Credential Combo List
Category: Combo List
Content: A threat actor operating under the alias baguja1472 is distributing an 8,000-entry credential combo list marketed as ultra-high quality and tailored for use against Spotify. The post claims a high hit rate and labels the content as private, suggesting the credentials have been selectively curated or tested. Access to the combo list is gated behind forum registration or login.
Date: 2026-05-04T18:59:13Z
Network: openweb
Published URL: https://patched.to/Thread-royal-%E2%9C%A8%E2%8E%9D8k-spotify-uhq-combo-%E2%8E%A0%E2%9C%A8%E2%9C%85private-spotify-combo%E2%9C%85%E2%9A%A1high-hitrate-combo%E2%9A%A1
Screenshots:
None
Threat Actors: baguja1472
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged valid Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias baguja1472 is distributing a combo list advertised as containing approximately 1,600 validated Hotmail credentials. The post markets the content as unraped (previously unused) and private, suggesting the credentials have not been widely circulated. Access to the content is restricted to registered forum members on the Patched.to cybercrime forum.
Date: 2026-05-04T18:58:39Z
Network: openweb
Published URL: https://patched.to/Thread-royal-%E2%9C%A8%E2%8E%9D1-6k-hotmail-valids-%E2%8E%A0%E2%9C%A8%E2%9C%85unraped-hotmail-acess-%E2%9C%85%E2%9A%A1private-hotmails%E2%9A%A1
Screenshots:
None
Threat Actors: baguja1472
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged UNC6040 threat actor activity referenced in Europol communication
Category: Cyber Attack
Content: Post references UNC6040 in context of communication with Europol regarding hacking activities, specifically mentioning Discord compromise.
Date: 2026-05-04T18:58:21Z
Network: telegram
Published URL: https://t.me/c/3500620464/7619
Screenshots:
None
Threat Actors: UNC6040
Victim Country: Unknown
Victim Industry: Technology/Communication Platform
Victim Organization: Discord
Victim Site: discord.com
Sale of Netflix credential combo list on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias baguja1472 is distributing a combo list marketed as 20,000 Netflix credentials, described as UHQ (ultra-high quality) with a high hit rate. The content is gated behind forum registration or login, suggesting distribution within a restricted cybercrime community. The post is sponsored by BAGUJA UHQ CLOUD AND COMBOS, indicating a recurring supplier persona.
Date: 2026-05-04T18:58:02Z
Network: openweb
Published URL: https://patched.to/Thread-royal-%E2%9C%A8%E2%8E%9D20k-netflix-uhq-combo-%E2%8E%A0%E2%9C%A8%E2%9C%85private-netflix-combo%E2%9C%85%E2%9A%A1high-hitrate-combo%E2%9A%A1
Screenshots:
None
Threat Actors: baguja1472
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of ULP combo list containing 4.9 million credential pairs
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is sharing a ULP (URL:Login:Password) combo list purportedly containing 4.9 million credential pairs, marketed as private lines and dated 2026. The content is hidden behind a registration or login wall on the forum patched.to. The post also promotes a commercial combo cloud service offering access to similar data.
Date: 2026-05-04T18:57:36Z
Network: openweb
Published URL: https://patched.to/Thread-%E3%80%8C4-9-millions-%E3%80%8D%E2%9A%A1-ulp%E2%9A%A1-100-private-lines-%E2%9A%A1-new-2026%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias liamgoat is offering a combo list described as 0.7K HQ Mixed Mail Access on a cybercrime forum. The list purportedly contains approximately 700 high-quality email credentials spanning multiple mail providers. The content is hidden behind a registration or login requirement, indicating restricted access to forum members.
Date: 2026-05-04T18:57:29Z
Network: openweb
Published URL: https://patched.to/Thread-0-7k-hq-mixed-mail-access-combolist-298801
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 9.5 Million Mixed Credential Combo List
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is offering a combo list of approximately 9.5 million username, login, and password (U:L:P) combinations on the forum patched.to. The credentials are advertised as private lines of high quality, marketed as suitable for a variety of credential stuffing or account takeover use cases. The actual content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T18:57:05Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%8E%9D-9-5m-u-l-p-%E2%8E%A0%E2%9A%A1100-private-lines%E2%9A%A1high-quality%E2%9A%A1mix-use-for-anything-you-need%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting Germany distributed on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias JOYK has shared a combo list purportedly containing 10,000 credential pairs associated with Germany on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting direct verification of the claims. No specific breached organization or service is identified in the post.
Date: 2026-05-04T18:56:59Z
Network: openweb
Published URL: https://patched.to/Thread-10k-germany-private
Screenshots:
None
Threat Actors: JOYK
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of URL:login:password combo list with 564K credentials
Category: Combo List
Content: A forum post on PT – Combolist advertises a set of approximately 564,000 URL:login:password credential pairs marketed as private, fresh, and ultra-high quality (UHQ). The content is hidden behind a registration or login requirement, limiting direct verification of the claims.
Date: 2026-05-04T18:56:45Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9C%A8-564k-url-login-pass-%E2%9C%A8leak-private-url-login-pass%E2%9A%A1fresh-uhq%E2%9A%A1
Screenshots:
None
Threat Actors: Frisbeese
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of ULP combo list containing 8.2 million lines
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is sharing a combo list advertised as containing 8.2 million URL:Login:Password (ULP) lines, described as private and new for 2026. The content is gated behind forum registration or login. The post promotes the actors broader combo cloud service offering, described as providing high-quality data via private lines.
Date: 2026-05-04T18:56:28Z
Network: openweb
Published URL: https://patched.to/Thread-%E3%80%8C-8-2-millions-%E3%80%8D%E2%9A%A1-ulp%E2%9A%A1-100-private-lines-%E2%9A%A1-new-2026%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 253K URL:login:password credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Frisbeese shared a combo list purportedly containing 253,000 URL:login:password credential pairs on a cybercrime forum. The post markets the content as fresh and UHQ (ultra-high quality), suggesting the credentials are claimed to be recently obtained and of high validity. The actual content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T18:56:09Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9C%A8-253k-url-login-pass-%E2%9C%A8leak-private-url-login-pass%E2%9A%A1fresh-uhq%E2%9A%A1
Screenshots:
None
Threat Actors: Frisbeese
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo list targeting DE, FR, IT, and USA mail access
Category: Combo List
Content: A threat actor operating under the alias MrCOMBOROBOA is offering a combo list of approximately 27,500 email and password pairs purportedly associated with users from Germany, France, Italy, and the United States. The listing is advertised as mail access credentials on the NulledBB forum. No specific breached organization is identified; the post appears to be a credential stuffing resource targeting mail services.
Date: 2026-05-04T18:55:24Z
Network: openweb
Published URL: https://nulledbb.com/thread-27-5k-DE-FR-IT-USA-COMBO-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo lists targeting DE, FR, IT, and US email accounts
Category: Combo List
Content: A threat actor operating under the alias MrCOMBOROBOA is selling email and password combo lists purportedly containing 27,500 credentials from Germany, France, Italy, and the United States. The actor also advertises bulk combo list packages up to 10 million records, as well as gaming and shopping-specific combos, with pricing tiers for private group access. The seller provides Telegram contact details and warns of known impostor accounts.
Date: 2026-05-04T18:55:13Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-27-5k-DE-FR-IT-USA-COMBO-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of multi-country email and password combo lists
Category: Combo List
Content: A threat actor operating as MrCOMBOROBOA is selling email and password combo lists across multiple countries including Germany, France, Italy, and the United States, with an advertised count of approximately 31.9K entries. The actor also promotes a tiered subscription-based private combo group offering larger volumes up to 10 million credentials at varying price points, as well as category-specific combos targeting gaming and shopping platforms. The actor advertises their Telegram channel and
Date: 2026-05-04T18:54:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-31-9k-DE-FR-IT-USA-COMBO-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged Germany email combo list with 13.9K credentials
Category: Combo List
Content: A threat actor operating under the alias MrCOMBOROBOA is selling an alleged combo list containing approximately 13,900 email and password pairs targeting German accounts. The actor also advertises access to broader combo lists by country and category, including gaming and shopping, with pricing tiers ranging from $30 per 100K records to $300 per 10 million records. A Telegram channel and private group are promoted for distribution and subscription-based access.
Date: 2026-05-04T18:54:14Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-13-9k-GERMANY-COMBO-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged 696,400-record corporate-targeted combo list
Category: Combo List
Content: A threat actor identified as MrCOMBOROBOA is selling a combo list purportedly containing 696,400 corporate-targeted email and password credentials on a criminal forum. The actor offers tiered pricing for access, including country-specific and corporate combo lists, gaming combos, and shop combos at varying price points. The seller also promotes a Telegram channel and paid private group for ongoing combo list distribution.
Date: 2026-05-04T18:53:41Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-696-4k-CORPS-TARGETED-COMBO
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged 1 million USA email and password combo list
Category: Combo List
Content: A threat actor operating under the alias MrCOMBOROBOA is selling an alleged combo list of 1 million USA email and password pairs on a cybercrime forum. The actor also advertises tiered subscription access to combo lists including gaming, shopping, and corporate mail combos at varying price points. The actor promotes a Telegram channel and private group for distribution of combo and mail lists.
Date: 2026-05-04T18:53:11Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-1M-USA-COMBO
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged ShinyHunters Threat Actor Contact and Session Information
Category: Cyber Attack
Content: ShinyHunters threat actor group posted official contact information including Telegram handle (@shinyc0rpsss), email ([email protected]), XMPP address, and session token. Post includes warnings against time-wasting contact attempts and references to group activities.
Date: 2026-05-04T18:51:23Z
Network: telegram
Published URL: https://t.me/c/3500620464/7607
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of 23 million Chinese bank customers
Category: Data Breach
Content: ShinyHunters threat actor group has leaked customer data from 16 major Chinese banks totaling approximately 23 million records. The dataset includes personally identifiable information (FName, Phone, BankNo, Id_Card_No, DOB) across multiple institutions including ICBC (7.5M records), Bank of China (2M records), Construction Bank (1.3M records), CITIC Bank (1.2M records), and others. The breach was announced on breachforums.rs.
Date: 2026-05-04T18:48:41Z
Network: telegram
Published URL: https://t.me/c/3500620464/7621
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: China
Victim Industry: Financial Services/Banking
Victim Organization: Multiple Chinese Banks
Victim Site: Unknown
Alleged breach of Uzbekistan Cybersecurity Center and State Security Service with $200K ransom demand
Category: Data Breach
Content: Threat actor claiming to have breached the Cybersecurity Center of Uzbekistans State Security Service (SSS) and Intelligence agencies. Sample data leaked includes staff personal information (first name, last name, PINFL numbers, position, department). Attacker demanding $200,000 USD to prevent full release of State Security and Intelligence databases. Contact provided via Telegram (@TheTeamForce_alesium). Full dataset reportedly contains significantly more sensitive information.
Date: 2026-05-04T18:33:57Z
Network: telegram
Published URL: https://t.me/c/3500620464/7617
Screenshots:
None
Threat Actors: TheTeamForce_alesium
Victim Country: Uzbekistan
Victim Industry: Government/National Security
Victim Organization: Cybersecurity Center, State Security Service (SSS), Intelligence Service of Uzbekistan
Victim Site: Unknown
Alleged data breach of NVIDIA GeForce Now by Shiny Hunters
Category: Data Breach
Content: Shiny Hunters claims to have compromised NVIDIAs GeForce Now backend and extracted millions of user records. The leaked data includes first names, last names, verified email addresses, usernames, dates of birth, membership status, TOTP/2FA status, internal roles, access flags, and account creation dates. The threat actor is actively selling access to this database and can be contacted via Telegram (@shinyc0rpsss), email ([email protected]), or XMPP ([email protected]).
Date: 2026-05-04T18:33:46Z
Network: telegram
Published URL: https://t.me/c/3500620464/7614
Screenshots:
None
Threat Actors: Shiny Hunters
Victim Country: United States
Victim Industry: Technology/Software
Victim Organization: NVIDIA
Victim Site: nvidia.com
Sale of initial access to Kyrgyzstan government internal network
Category: Initial Access
Content: A threat actor operating under the alias j0ystc1k is offering for sale direct access to an internal Kyrgyzstan government network on the Breached forum. The asking price is 5,000 USD, to be paid in XMR (Monero). No further details regarding the specific agency, access type, or scope of compromise were disclosed in the post.
Date: 2026-05-04T18:27:04Z
Network: openweb
Published URL: https://breached.st/threads/initial-access-kyrgyzstan-gov-networks.86785/unread
Screenshots:
None
Threat Actors: j0ystc1k
Victim Country: Kyrgyzstan
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Coinbase with 50,000+ records for sale
Category: Data Breach
Content: A threat actor operating under the alias XOverStm is offering a database purportedly sourced from Coinbase, advertised as containing over 50,000 records updated in 2025. The dataset allegedly includes full names, email addresses, phone numbers, and Ethereum wallet addresses. The seller is asking a fixed price of 400 USD (revised to 300 USD in the post body) and supports escrow, with contact via Telegram and TOX.
Date: 2026-05-04T18:26:30Z
Network: openweb
Published URL: https://breached.st/threads/50k-name-email-phone-wallet-address-eth-for-sale.86786/unread
Screenshots:
None
Threat Actors: XOverStm
Victim Country: United States
Victim Industry: Finance
Victim Organization: Coinbase
Victim Site: coinbase.com
Sale of initial access to undisclosed UK technical university
Category: Initial Access
Content: A threat actor operating under the alias XOverStm is offering RDP-based initial access to an unnamed UK technical university for $400. The access is advertised as administrative-level on a network of approximately 300 hosts, with Windows Defender listed as the only endpoint protection. The seller provides contact details via Telegram and TOX, and references escrow as a payment option.
Date: 2026-05-04T18:25:56Z
Network: openweb
Published URL: https://breached.st/threads/400-university-technical-uk-full-control-database-access.86787/unread
Screenshots:
None
Threat Actors: XOverStm
Victim Country: United Kingdom
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of PBC Bank China
Category: Data Leak
Content: A threat actor operating under the alias JAX7 claims to have leaked data associated with PBC Bank China on a cybercrime forum. The post includes a sample section but no further details regarding record count, data fields, or exfiltration method are provided in the available content.
Date: 2026-05-04T18:25:01Z
Network: openweb
Published URL: https://breached.st/threads/leak-pbc-bank-china.86781/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: China
Victim Industry: Finance
Victim Organization: PBC Bank
Victim Site: Unknown
Alleged data leak of NEMRT.COM Police database
Category: Data Leak
Content: A threat actor operating under the alias Xyph0rix has shared an alleged database associated with nemrt.com, described as a police-related entity, on the Breached forum. The post offers a download link with minimal additional context. No record count, data fields, or further details were provided in the post.
Date: 2026-05-04T18:24:26Z
Network: openweb
Published URL: https://breached.st/threads/database-nemrt-com-police.86782/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Unknown
Victim Industry: Government
Victim Organization: NEMRT.COM Police
Victim Site: nemrt.com
Alleged data leak of Puerto Rico Police database
Category: Data Leak
Content: A threat actor using the handle Xyph0rix posted what is claimed to be a database belonging to the Puerto Rico Police on a known cybercrime forum. The post includes a download link, suggesting the data is being made available for free. No additional details regarding record count, data fields, or acquisition method were provided.
Date: 2026-05-04T18:23:52Z
Network: openweb
Published URL: https://breached.st/threads/database-puerto-rico-police.86783/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: United States
Victim Industry: Government
Victim Organization: Puerto Rico Police
Victim Site: Unknown
Alleged data breach of wlw.de exposing German PII records
Category: Data Breach
Content: A threat actor operating under the alias Jeffrey Epstein is offering for sale an alleged dataset of approximately 200,000 records attributed to wlw.de, a German B2B supplier directory. The dataset reportedly includes company names, contact first and last names, gender, phone numbers, email addresses, and postal information. The actor is soliciting buyers via Telegram and Session, with a negotiable price, and has provided a sample on Pastebin.
Date: 2026-05-04T18:23:19Z
Network: openweb
Published URL: https://breached.st/threads/german-200k-pii-data-www-wlw-de-username-email-phone-number-etc.86784/unread
Screenshots:
None
Threat Actors: Jeffrey Epstein
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Wer liefert was (wlw.de)
Victim Site: wlw.de
Alleged data breach of Qatar Red Crescent – sensitive PII and documents exposed
Category: Data Breach
Content: Threat actor claims to have extracted approximately 3000 GB of sensitive data from Qatar Red Crescent, including names, personal numbers, and email addresses of senior officials. Data allegedly obtained from an open-indexed server belonging to an Afghan server company. Actor reports accessing 17 domains within the compromised data and claims files are in PDF and JPG formats. Currently downloading and promises to provide extracted files within 17 hours.
Date: 2026-05-04T18:22:56Z
Network: telegram
Published URL: https://t.me/c/3500620464/7589
Screenshots:
None
Threat Actors: shinyc0rpsss
Victim Country: Qatar
Victim Industry: humanitarian/non-profit
Victim Organization: Qatar Red Crescent
Victim Site: Unknown
Sale of Document Forgery Software Supporting 37 Countries
Category: Services
Content: A threat actor is offering a software tool called JINKUSU DOC for sale at $500, advertised as capable of generating fraudulent identity documents including IDs, passports, and driver licenses for 37 countries. The seller claims the listing includes source code. This appears to be a document forgery service targeting identity verification systems.
Date: 2026-05-04T18:14:37Z
Network: openweb
Published URL: https://pwnforums.st/Thread-JINKUSU-DOC
Screenshots:
None
Threat Actors: JINKUSU
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting gaming platforms shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias el_capitan shared a combo list on a cybercrime forum, described as targeted toward gaming platforms and containing approximately 2 million entries. The content is gated behind a reply requirement, limiting immediate visibility into specific services targeted or data fields included. The post is consistent with credential stuffing material marketed for use against gaming accounts.
Date: 2026-05-04T18:13:15Z
Network: openweb
Published URL: https://pwnforums.st/Thread-2M-GAMING-Targeted-Good-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting United Kingdom accounts
Category: Combo List
Content: A threat actor operating under the alias el_capitan shared a combo list purportedly containing one million credential pairs associated with United Kingdom users. The post is gated behind a reply requirement, with the actual content hidden until forum members respond. The credentials are marketed as high-quality and fresh, though no specific breached organization is identified.
Date: 2026-05-04T18:12:41Z
Network: openweb
Published URL: https://pwnforums.st/Thread-1M-United-Kingdom-HQ-Fresh-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged Germany combo list with 300,000 credentials
Category: Combo List
Content: A threat actor operating under the alias el_capitan is sharing a combo list described as semi-private and containing approximately 300,000 credentials associated with Germany. The content is gated behind a reply requirement on the forum. No specific breached organization or service is identified in the post.
Date: 2026-05-04T18:12:06Z
Network: openweb
Published URL: https://pwnforums.st/Thread-300K-GERMANY-Semi-Private-Good-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 270,000 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the handle el_capitan has shared a combo list purportedly containing 270,000 Hotmail credentials on a cybercrime forum. The content is hidden behind a reply gate, requiring forum members to respond to the thread before accessing the download. The credentials are marketed as fresh and high quality, suggesting potential use in credential stuffing campaigns targeting Hotmail or Microsoft accounts.
Date: 2026-05-04T18:11:31Z
Network: openweb
Published URL: https://pwnforums.st/Thread-270K-HOTMAIL-Fresh-HQ-Combolist
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list targeting Netflix, Amazon Prime Video, and Spotify users
Category: Combo List
Content: A threat actor operating under the alias el_capitan is sharing a combo list of approximately 2 million credentials reportedly targeted at streaming platforms including Netflix, Amazon Prime Video, and Spotify. The content is hidden behind a reply gate, requiring forum engagement to access. This post represents credential stuffing material and does not indicate a breach of the named platforms.
Date: 2026-05-04T18:10:57Z
Network: openweb
Published URL: https://pwnforums.st/Thread-2M-STREAMING-Netflix-Prime-Video-Sportify-Targeted
Screenshots:
None
Threat Actors: el_capitan
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyber attacks on UAE by Handala and IRGC missile units
Category: Cyber Attack
Content: Handala Hack channel claims ongoing combined cyber attacks against UAE targets in coordination with IRGC missile units. Post indicates documents will be released soon as evidence.
Date: 2026-05-04T18:05:21Z
Network: telegram
Published URL: https://t.me/c/3686754935/85
Screenshots:
None
Threat Actors: Handala
Victim Country: United Arab Emirates
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged cyber attack on Fujairah Port by Handala Hack with threatened data release
Category: Cyber Attack
Content: Handala Hack claims responsibility for infiltrating Fujairah Port systems in the United Arab Emirates as part of a coordinated cyber and missile attack. The threat actor claims thousands of confidential documents will be released and issued a warning to the UAE.
Date: 2026-05-04T17:57:40Z
Network: telegram
Published URL: https://t.me/c/3686754935/84
Screenshots:
None
Threat Actors: Handala Hack
Victim Country: United Arab Emirates
Victim Industry: Port/Maritime/Critical Infrastructure
Victim Organization: Fujairah Port
Victim Site: Unknown
Sale of alleged fresh Hotmail credential hits on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias DAXCLOUUD is advertising what they claim to be fresh, validated Hotmail credential hits on a cybercrime forum. The post references private, unwrapped data and directs interested parties to contact the Telegram handle @Redline_Support4. The actual content is hidden behind a registration or login requirement, and no record count or price is disclosed in the visible portion of the post.
Date: 2026-05-04T17:55:38Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%90%E2%AD%90-fresh-hotmail-valid-hits-only-%E2%AD%90-private-unrapped-data-%E2%AD%90%E2%AD%90
Screenshots:
None
Threat Actors: DAXCLOUUD
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list distribution of mixed mail credentials
Category: Combo List
Content: A threat actor operating under the alias VerityVault is distributing a combo list containing approximately 2,530 mixed mail credentials on the forum PT – Combolist. The content is hidden behind a registration or login requirement, limiting direct verification of the data. The list is marketed as a mixed mail drop, suggesting credentials sourced from multiple providers.
Date: 2026-05-04T17:55:05Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%EF%B8%8F-2530x-verity-vault-mix-mail-drop-%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: VerityVault
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged valid Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias NullShop is sharing a collection of approximately 1,600 Hotmail credentials marketed as verified and fresh. The content is gated behind forum registration or login, with an external link provided for additional releases. The post is consistent with credential stuffing combo list distribution targeting Hotmail accounts.
Date: 2026-05-04T17:54:34Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1-6-k-hotmail-access-valid-hit-fresh-%F0%9F%94%A5
Screenshots:
None
Threat Actors: NullShop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 2,238 Hotmail credentials offered on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias lpbPrivate is distributing a combo list purportedly containing 2,238 Hotmail credential pairs, marketed as high-quality and fresh. The content is hidden behind a registration or login requirement on the forum. Hotmail is referenced as the credential-stuffing target, not the source of a breach.
Date: 2026-05-04T17:52:57Z
Network: openweb
Published URL: https://leakforum.io/Thread-%E2%9A%A1%E2%9A%A1-2238x-HQ-HOTMAIL-FRESH-VALIDS-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: lpbPrivate
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Bank BRI (Indonesia)
Category: Data Breach
Content: Threat actor xyph0rix posted on Breachforums claiming access to Bank BRI database. The post references a database breach with details available on the Breachforums platform.
Date: 2026-05-04T17:44:32Z
Network: telegram
Published URL: https://t.me/DeepCoreNetwork/77
Screenshots:
None
Threat Actors: xyph0rix
Victim Country: Indonesia
Victim Industry: Financial Services
Victim Organization: Bank BRI
Victim Site: Unknown
Alleged sale of fresh database credentials from UK, DE, JP, NL, BR, PL, ES, US, IT and other countries
Category: Combo List
Content: Threat actor offering fresh database access and credentials from multiple countries including UK, Germany, Japan, Netherlands, Brazil, Poland, Spain, US, and Italy. Claims to have inbox access to e-commerce platforms (eBay, Offerup, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen), neosurf accounts, and private webmail access (ntlworld). Offering to search for specific keywords and platforms. Contact via DM for requests.
Date: 2026-05-04T17:35:07Z
Network: telegram
Published URL: https://t.me/c/2613583520/75445
Screenshots:
None
Threat Actors: Num
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: E-commerce, Financial Services, Webmail
Victim Organization: Unknown
Victim Site: Unknown
Distribution of Mixed Email Credential Combo List
Category: Combo List
Content: A threat actor operating under the alias alphacloud shared a combo list of approximately 4,112 mixed email credentials on the AE forum. The post advertises the list as premium mail hits. No specific victim organization or service is identified in the available post content.
Date: 2026-05-04T17:30:19Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltagehigh-voltage-4112x-premium-mix-mail-hitshigh-voltagehigh-voltage.2934249/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of unauthorized access to classified server with 200GB of sensitive data
Category: Initial Access
Content: Threat actor claiming to have gained unauthorized access to a sensitive classified server running on UNIX through a file transfer protocol vulnerability. Offering complete access to 200GB+ of data including compressed files (58GB and 11GB), technical information, research charts, and internal reports. Seller requesting $25,000 USD payment via Monero or Bitcoin, with full credentials to be delivered upon payment. Contact: [email protected]. Seller emphasizes time-sensitive nature due to risk of vulnerability discovery.
Date: 2026-05-04T17:29:34Z
Network: telegram
Published URL: https://t.me/c/2735908986/4167
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Badan Pemeriksa Keuangan Republik Indonesia (BPK)
Category: Data Breach
Content: A threat actor using the handle xyph0rix has posted a sample database allegedly from Badan Pemeriksa Keuangan Republik Indonesia (BPK – Indonesian State Audit Board) on Breachforums. The post includes a link to the user profile and thread discussing the breach.
Date: 2026-05-04T17:29:25Z
Network: telegram
Published URL: https://t.me/DeepCoreNetwork/76
Screenshots:
None
Threat Actors: xyph0rix
Victim Country: Indonesia
Victim Industry: Government – Financial Audit
Victim Organization: Badan Pemeriksa Keuangan Republik Indonesia (BPK)
Victim Site: Unknown
Alleged data breach of PBC Bank China
Category: Data Breach
Content: Threat actor jax7 has posted a thread on Breachforums disclosing a data breach affecting PBC Bank in China. The breach details are being shared publicly on the forum.
Date: 2026-05-04T17:29:11Z
Network: telegram
Published URL: https://t.me/bsnsbsksjsk/17
Screenshots:
None
Threat Actors: jax7
Victim Country: China
Victim Industry: Financial Services
Victim Organization: PBC Bank
Victim Site: Unknown
Alleged data breach of wlw.de exposing German PII records
Category: Data Breach
Content: A threat actor on a cybercrime forum is offering for sale a dataset allegedly sourced from wlw.de, a German B2B marketplace. The data reportedly includes company names, contact first and last names, gender, phone numbers, email addresses, physical addresses, zip codes, and cities. The actor is soliciting buyers via Telegram and Session, with a negotiable price.
Date: 2026-05-04T17:22:14Z
Network: openweb
Published URL: https://breached.st/threads/german-pii-data-www-wlw-de-username-email-phone-number-etc.86777/unread
Screenshots:
None
Threat Actors: Jeffrey Epstein
Victim Country: Germany
Victim Industry: Retail
Victim Organization: wlw (Wer liefert was)
Victim Site: wlw.de
Alleged data leak of Bank BRI
Category: Data Leak
Content: A threat actor using the handle Mr. Hanz Xploit claims to have leaked a database allegedly belonging to Bank BRI, an Indonesian state-owned bank. The post includes a sample data section, though no further details about the volume or specific fields of the data are visible in the available content. The authenticity and scope of the alleged leak have not been independently verified.
Date: 2026-05-04T17:21:17Z
Network: openweb
Published URL: https://breached.st/threads/database-bank-bri.86778/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Finance
Victim Organization: Bank BRI
Victim Site: bri.co.id
Alleged data leak of ICBC (Industrial and Commercial Bank of China)
Category: Data Leak
Content: A threat actor operating under the alias JAX7 shared a post on the Breached forum claiming to leak data belonging to ICBC, a major Chinese state-owned bank. The post includes a sample section with a code block, though specific record counts and data field details are not disclosed in the available content. The nature and volume of the alleged leaked data remain unverified.
Date: 2026-05-04T17:20:42Z
Network: openweb
Published URL: https://breached.st/threads/leak-icbc-data-bank-china.86779/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: China
Victim Industry: Finance
Victim Organization: Industrial and Commercial Bank of China (ICBC)
Victim Site: icbc.com.cn
Alleged data breach of Bouygues Telecom
Category: Data Breach
Content: A threat actor operating under the name OverSec claims to be selling a database allegedly stolen from Bouygues Telecom, a major French telecommunications provider. The purported dataset is approximately 80.9 GB in JSONL format, with a stated date of May 1, 2026. The actor provides links to database field definitions and a sample, and directs interested parties to a Session messaging handle for proof of access.
Date: 2026-05-04T17:17:16Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-FR-Bouygues-Telecom
Screenshots:
None
Threat Actors: OverSec
Victim Country: France
Victim Industry: Telecommunications
Victim Organization: Bouygues Telecom
Victim Site: bouyguestelecom.fr
Alleged data leak of Zurich Insurance customer and policy data
Category: Data Leak
Content: A threat actor operating under the handle NormalLeVrai has freely distributed two files allegedly containing Zurich Insurance customer and policy data. The first file, zurich.com.csv, reportedly contains over 4.26 million records with structured insurance contract data including policyholder identities, vehicle details, intermediary information, and financial elements. The second file, lluch20210629.sql, is described as a complete SQL database dump covering policies, client personal data (incl
Date: 2026-05-04T17:12:39Z
Network: openweb
Published URL: https://darkforums.su/Thread-Zurich-customer-data-insurance-policies-MASSIVE
Screenshots:
None
Threat Actors: NormalLeVrai
Victim Country: Switzerland
Victim Industry: Finance
Victim Organization: Zurich Insurance
Victim Site: zurich.com
Alleged data breach of ICBC (Industrial and Commercial Bank of China)
Category: Data Breach
Content: A user named JAX7 on Breachforums has posted a thread claiming to have leaked data from ICBC, Chinas largest bank. The breach includes banking customer data made available on the dark web forum.
Date: 2026-05-04T17:09:23Z
Network: telegram
Published URL: https://t.me/bsnsbsksjsk/16
Screenshots:
None
Threat Actors: JAX7
Victim Country: China
Victim Industry: Banking/Financial Services
Victim Organization: ICBC (Industrial and Commercial Bank of China)
Victim Site: icbc.com.cn
Instagram account ban method shared on cybercrime forum
Category: Services
Content: A forum user operating under the alias Muro shared a method purportedly used to get Instagram accounts banned, described as currently working. The content is hidden behind a reply gate and no further technical details are visible in the post. The post appears to offer an account-abuse technique targeting Instagrams enforcement mechanisms.
Date: 2026-05-04T17:02:46Z
Network: openweb
Published URL: https://pwnforums.st/Thread-FREE-%C4%B0nstagram-Banned-Method-WORKING
Screenshots:
None
Threat Actors: Muro
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of three French driving schools (candidate personal data)
Category: Data Leak
Content: A threat actor identified as 111grp has freely shared three NDJSON database files containing personal data of driving school candidates from three French driving schools. The leaked records include full names, dates of birth, email addresses, dossier numbers, driving license categories, exam dates, exam results, and failure counts. The data was made available via a hidden download link requiring forum interaction to access.
Date: 2026-05-04T17:01:25Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-FR-3-auto-%C3%A9coles-fran%C3%A7aises-candidats
Screenshots:
None
Threat Actors: 111grp
Victim Country: France
Victim Industry: Education
Victim Organization: EURL Auto Ecole Vincent, Auto Ecole du Lys, SAS Auto Ecole du Moulin
Victim Site: Unknown
Sale of alleged Venmo credential combo list
Category: Combo List
Content: A threat actor known as MetaCloud3 is advertising a combo list of approximately 802,000 credentials marketed as suitable for use against Venmo, claiming a high hit rate and private data. The content is gated behind forum registration or login. The post promotes the actors broader combo cloud service, described as offering high-quality data and private lines.
Date: 2026-05-04T16:53:10Z
Network: openweb
Published URL: https://patched.to/Thread-%E3%80%8C-802k-%E3%80%8D%E2%9A%A1-venmo-%E2%9A%A1-100-private-data-%E2%9A%A1impressive-hitrate%E2%9A%A1-04-05-new%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged high-quality combo list targeting Uplay and Ubisoft accounts
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is offering a combo list of approximately 787,000 credential pairs, marketed as private lines of high quality and targeted for use against Uplay and Ubisoft platforms. The content is hidden behind a registration or login requirement on the forum. The actor promotes a broader combo cloud service in their signature, advertising affordable pricing and private data sourcing.
Date: 2026-05-04T16:52:37Z
Network: openweb
Published URL: https://patched.to/Thread-gaming-%E2%8E%9D-787k-gaming%E2%8E%A0%E2%9A%A1100-private-lines%E2%9A%A1high-quality-combo%E2%9A%A1uplay-ubisoft%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged high-quality combo list targeting Stripe and Venmo
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is advertising a combo list of approximately 508,000 credential pairs marketed as private lines and described as high quality. The list is promoted as suitable for use against Stripe and Venmo. The content is gated behind forum registration or login, and the actor promotes an ongoing combo cloud service via their forum signature.
Date: 2026-05-04T16:52:03Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%8E%9D-508k-cashout%E2%8E%A0%E2%9A%A1100-private-lines%E2%9A%A1high-quality-combo%E2%9A%A1stripe-venmo%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 800 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias BuggracK has shared a combo list purportedly containing 800 Hotmail login credentials, marketed as UHQ (ultra-high quality). The content is hidden behind a registration or login requirement on the forum. No breach of Hotmail or Microsoft is implied; the credentials are likely harvested from third-party breaches and tested against Hotmail accounts.
Date: 2026-05-04T16:51:40Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-800x-hotmail-login-uhq
Screenshots:
None
Threat Actors: BuggracK
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail credential combo list advertised on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias RedCloud is distributing a combo list of approximately 13,600 Hotmail credentials on a cybercrime forum. The post markets the credentials as valid, private, and ultra-high quality (UHQ), dated 03.05.2026. The content is gated behind forum registration or login, suggesting controlled distribution.
Date: 2026-05-04T16:51:06Z
Network: openweb
Published URL: https://patched.to/Thread-13-6k-%E2%9A%A1hotmail%E2%9A%A1valid-mail-access-03-05
Screenshots:
None
Threat Actors: RedCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged food sector combo list with 358K credentials
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is advertising a combo list of approximately 358,000 credentials purportedly targeting food-sector platforms, marketed as 100% private data with a high hit rate. The post references a hidden content section accessible only to registered or logged-in forum members. The actor promotes an affiliated combo cloud service offering private lines and high-quality data.
Date: 2026-05-04T16:50:44Z
Network: openweb
Published URL: https://patched.to/Thread-food-%E3%80%8C-358k-%E3%80%8D%E2%9A%A1-food-%E2%9A%A1-100-private-data-%E2%9A%A1impressive-hitrate%E2%9A%A1-04-05-new%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Food & Beverage
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged private combo list mix
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is advertising a mixed combo list of approximately 519,000 credential pairs, marketed as private lines and high quality. The post promotes the sellers combo cloud service and encourages engagement for additional releases. No specific target organization or breach source is identified.
Date: 2026-05-04T16:50:08Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%8E%9D-519k-mix%E2%8E%A0%E2%9A%A1100-private-lines%E2%9A%A1high-quality-combo%E2%9A%A1any-target-you-need%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of Alleged Hotmail Credential Combo List
Category: Combo List
Content: A threat actor operating under the alias atezhub has shared a combo list advertised as containing over 2,000 valid Hotmail credentials on the PT – Combolist forum. The post claims the credentials are not reposts and are unrelated to Hulu. Access to the content requires registration or login to the forum.
Date: 2026-05-04T16:49:47Z
Network: openweb
Published URL: https://patched.to/Thread-2k-hotmail-valids-not-hulu-or-reposted-by-atezhub
Screenshots:
None
Threat Actors: dumpzeta
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of social media account banning and content removal services
Category: Services
Content: A threat actor operating under the Telegram handle @XDBROW is advertising a commercial service offering account banning, unbanning, and content removal across multiple social media platforms including Instagram, Facebook, Twitter, TikTok, Twitch, Telegram, and YouTube. The service also claims to handle negative review suppression, article removal, and video removal. The actor markets the service for use cases such as banning ex-partners or removing unwanted accounts.
Date: 2026-05-04T16:49:20Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9C%85instagram-ban%E2%9C%85facebook-ban%E2%9C%85twitter-ban%E2%9C%85tik-tok-ban%E2%9C%85twitch-ban%E2%9C%85telegram-ban%E2%9C%85100-gu-297848
Screenshots:
None
Threat Actors: marbartor
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with claimed high-hit credentials
Category: Combo List
Content: A threat actor on the Patched.to forum is distributing a Hotmail-targeted combo list claimed to contain over 5,000 valid credential hits. The content is described as high quality and is accessible via the posters signature link. The post requires forum registration or login to access the actual download.
Date: 2026-05-04T16:49:02Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-hq-hotmails-directly-download-from-signature-5k-hits
Screenshots:
None
Threat Actors: SASUKE756
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email and password combo list
Category: Combo List
Content: A threat actor operating under the handle klyne05 is offering a mixed email and password combo list on a cybercrime forum. The post advertises the credentials as private and fresh, claiming they have been checked by the author. Content is gated behind a like-to-unlock mechanism, obscuring further details about volume or composition.
Date: 2026-05-04T16:47:49Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1MIX-MAIL%E2%9A%A1%E2%9A%A1PRIVATE%E2%9A%A1%E2%9A%A1FRESH%E2%9A%A1%E2%9A%A1CHEKED-BY-klyne05-%E2%9A%A1%E2%9A%A1–202790
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email combo list claimed as private and verified
Category: Combo List
Content: A forum user on leakforum.io is offering a mixed email combo list described as private, fresh, and verified by the poster. The content is hidden behind a like-gate requiring registration or login to access. No specific record count, targeted service, or origin organization is disclosed in the visible portion of the post.
Date: 2026-05-04T16:47:23Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1MIX-MAIL%E2%9A%A1%E2%9A%A1PRIVATE%E2%9A%A1%E2%9A%A1FRESH%E2%9A%A1%E2%9A%A1CHEKED-BY-klyne05-%E2%9A%A1%E2%9A%A1–20052
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged valid credential combo list including Hotmail and mixed sources
Category: Combo List
Content: A threat actor on DemonForums is offering a combo list of 2,530 alleged valid credentials, described as a UHQ mix including Hotmail accounts and private cloud access. The post directs interested parties to a Telegram handle for further access. The credentials are hidden behind a registration or login wall on the forum.
Date: 2026-05-04T16:47:08Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2530-Valid-UHQ-Mix-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of Alleged Hotmail Credential Hits Combo List
Category: Combo List
Content: A threat actor on Demonforums is distributing a combo list marketed as 2,261 validated Hotmail credential hits. The post references a private cloud storage source and describes the credentials as a mixed mail format. The content is hidden behind a forum registration or login requirement, with the actor also advertising a Telegram contact.
Date: 2026-05-04T16:46:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-2261x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of an undisclosed Sri Lankan university
Category: Data Breach
Content: A threat actor claims to possess data from a Sri Lankan university website, allegedly comprising over 300 records. The post offers limited detail regarding the nature of the data or the specific institution involved. The claim was shared on BreachForums.
Date: 2026-05-04T16:40:08Z
Network: openweb
Published URL: https://breachforums.rs/Thread-university
Screenshots:
None
Threat Actors: nirmala950
Victim Country: Sri Lanka
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed combo list with 25,000 credentials
Category: Combo List
Content: A threat actor operating under the handle f1veu is distributing a mixed combo list containing approximately 25,000 credential pairs on BreachForums. The post provides a download link with no additional details about the source or targeted services. The credentials are described as mixed good, suggesting they are marketed as valid or high-quality hits.
Date: 2026-05-04T16:29:11Z
Network: openweb
Published URL: https://breachforums.rs/Thread-%E2%AD%90%EF%B8%8F25K-%E2%9C%A8MIXED-GOOD-f1veu%E2%AD%90%EF%B8%8F
Screenshots:
None
Threat Actors: f1veu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed combo list with valid credentials
Category: Combo List
Content: A threat actor operating under the handle f1veu is sharing a mixed combo list described as containing valid credentials. The post was made on BreachForums and includes a download link. No specific target service, record count, or geographic region is specified.
Date: 2026-05-04T16:21:25Z
Network: openweb
Published URL: https://breachforums.rs/Thread-MIX-WITH-VALID-f1veu–188076
Screenshots:
None
Threat Actors: f1veu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of VPS/RDP/cPanel hosting services on HackForums
Category: Services
Content: A threat actor operating under the name Bearhost is advertising VPS, RDP, and cPanel hosting services on HackForums. Plans are offered starting at $4.49/month with Linux and Windows options, full root/admin access, KVM virtualization, and NVMe SSD storage. The service is marketed to forum members seeking scalable hosting infrastructure.
Date: 2026-05-04T16:16:06Z
Network: openweb
Published URL: https://hackforums.net/showthread.php?tid=6318871
Screenshots:
None
Threat Actors: Bearhost
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of Hotmail credentials offered on cybercrime forum
Category: Combo List
Content: A threat actor operating under the handle KiwiShio shared a combo list purportedly containing 1,425 Hotmail credentials on a cybercrime forum. The credentials are marketed as fresh and high quality. No post content was available to verify specific claims or data provenance.
Date: 2026-05-04T16:12:34Z
Network: openweb
Published URL: https://altenens.is/threads/1425x-starstar-fresh-hq-hotmail-starstar.2934216/unread
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Rising Research Analyst by PH.BL4KE of STORM BREAKER SECURITY
Category: Defacement
Content: On May 4, 2026, the website risingresearchanalyst.com was defaced by threat actor PH.BL4KE operating under the group STORM BREAKER SECURITY. The attack targeted the homepage of the research and analytics organization in a single, targeted defacement. No specific motivation or server details were disclosed alongside the incident.
Date: 2026-05-04T16:04:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917439
Screenshots:
None
Threat Actors: PH.BL4KE, STORM BREAKER SECURITY
Victim Country: Unknown
Victim Industry: Research and Analytics
Victim Organization: Rising Research Analyst
Victim Site: www.risingresearchanalyst.com
Alleged cyberattack on Israeli INSS research institution by Hanzalah group with exfiltration of 100,000+ emails
Category: Data Breach
Content: According to Haaretz report, Iranian-linked hacking group Hanzalah allegedly penetrated the Israeli Institute for National Security Studies (INSS) internal network and exfiltrated over 100,000 emails and files including private researcher communications. The breach exposed communications between INSS staff and Israeli security systems. The attack occurred during recent Iran-Israel tensions following missile strikes in June 2025.
Date: 2026-05-04T16:01:48Z
Network: telegram
Published URL: https://t.me/c/1283513914/21550
Screenshots:
None
Threat Actors: Hanzalah
Victim Country: Israel
Victim Industry: Research/Security
Victim Organization: Israeli Institute for National Security Studies (INSS)
Victim Site: Unknown
Alleged sale of IRGC Iran military data
Category: Data Breach
Content: A threat actor operating under the alias DataSellers is advertising what they claim to be military data belonging to Irans Islamic Revolutionary Guard Corps (IRGC) on a known cybercriminal forum. The post references a sample image and directs interested buyers to contact the seller via Telegram handle @DragonzSupport for pricing. No record count, data fields, or further technical details are disclosed in the post.
Date: 2026-05-04T16:01:42Z
Network: openweb
Published URL: https://breached.st/threads/irgc-iran-military-data.86773/unread
Screenshots:
None
Threat Actors: DataSellers
Victim Country: Iran
Victim Industry: Government
Victim Organization: Islamic Revolutionary Guard Corps (IRGC)
Victim Site: Unknown
Alleged data breach of China Shanghai Airport
Category: Data Breach
Content: A threat actor operating under the alias DataSellers is claiming to sell a 57GB database allegedly belonging to a Shanghai airport. A sample image is referenced in the post, and interested parties are directed to contact the seller via a Telegram channel. No specific record count or data fields are disclosed in the post text.
Date: 2026-05-04T16:01:07Z
Network: openweb
Published URL: https://breached.st/threads/57gb-of-china-shanghai-airport-database.86776/unread
Screenshots:
None
Threat Actors: DataSellers
Victim Country: China
Victim Industry: Transportation
Victim Organization: Shanghai Airport
Victim Site: Unknown
Alleged Initial Access to Indonesian Government Systems and Webshells
Category: Initial Access
Content: Threat actor Cinzz is distributing free access credentials to compromised Indonesian government portals (Wonogiri Regency and Indramayu Regency administrative systems) along with webshell URLs across multiple domains including Brazilian government, French pharmacy, and other organizations.
Date: 2026-05-04T15:47:54Z
Network: telegram
Published URL: https://t.me/CinCauGhast405/80
Screenshots:
None
Threat Actors: Cinzz
Victim Country: Indonesia, Brazil, France
Victim Industry: Government, Healthcare, Finance
Victim Organization: Wonogiri Regency Administration, Indramayu Regency Administration, and multiple other organizations
Victim Site: sipades.wonogirikab.go.id, akku.indramayukab.go.id, cpsmcamocim.ce.gov.br, payment.pharmao.fr, safespacefoundation.org, dev.ibtcglobal.org, raydiving.wpengine.com
Alleged sale of access to Ghana Police Service (police.gov.gh)
Category: Initial Access
Content: Threat actor claiming to sell access to police.gov.gh (Ghana Police Service government website). Contact via @DelusionalTerror. Unverified claim of government infrastructure compromise.
Date: 2026-05-04T15:46:46Z
Network: telegram
Published URL: https://t.me/c/2590737229/993
Screenshots:
None
Threat Actors: DelusionalTerror
Victim Country: Ghana
Victim Industry: Government/Law Enforcement
Victim Organization: Ghana Police Service
Victim Site: police.gov.gh
Alleged data breach of Groupe CGA
Category: Data Breach
Content: A threat actor operating under the alias DumpsecV2 claims to be selling data allegedly stolen from Groupe CGA, a French automotive dealership group. The dataset purportedly contains records for approximately 65,000 customers and 2,500 employees, including names, email addresses, phone numbers, vehicle details, VINs, contract information, and postcodes. The data is offered for sale at 150€ with a sample of 5,000 records provided as proof.
Date: 2026-05-04T15:45:25Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-FR-Groupe-CGA
Screenshots:
None
Threat Actors: DumpsecV2
Victim Country: France
Victim Industry: Automotive
Victim Organization: Groupe CGA
Victim Site: groupegca.com
Alleged data breach of Tajikistan e-visa and border control system
Category: Data Breach
Content: A threat actor on PF Leaks Market is selling an alleged dataset from evisa.tj, the Tajikistan national e-visa and border control system, covering records from 2016 to February 2025. The offering includes five CSV database tables — PR_DOCUMENT_RECORD, PR_PERSON_DETAILS, PR_PERSON_RECORD, SB_TRAVEL_RECORD, and SB_VISA_DOCUMENT_RECORD — with a combined total exceeding 216 million rows, encompassing border entry and exit records, travel records, visa documents, and citizen personal details for appro
Date: 2026-05-04T15:44:51Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-evisa-tj-23M-24M-2016-2025-02-Tajikistan
Screenshots:
None
Threat Actors: Claude
Victim Country: Tajikistan
Victim Industry: Government
Victim Organization: Tajikistan E-Visa System
Victim Site: evisa.tj
Alleged data breach of Taiwan national population registry
Category: Data Breach
Content: A threat actor on PF Leaks Market is offering for sale an alleged database dump purportedly containing records for the entire population of Taiwan, dated October 2022. The dataset includes highly sensitive personal information such as national ID numbers (PID), full names, dates of birth, addresses, household registration data, family relationship details, education, military codes, and ethnicity indicators. A sample file is provided via an external file-sharing link.
Date: 2026-05-04T15:44:16Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-23-572-055-Taiwan-The-entire-population-10-2022
Screenshots:
None
Threat Actors: Claude
Victim Country: Taiwan
Victim Industry: Government
Victim Organization: Taiwan Household Registration Office
Victim Site: Unknown
Alleged data breach of Senao International (神腦國際)
Category: Data Breach
Content: A threat actor on PF – Leaks Market is offering for sale data allegedly stolen from Senao International, Taiwans largest mobile phone retailer, in September 2022. The dataset comprises six CSV files containing member account credentials, home addresses, order records, order details, mobile device registration information, and user data, with record counts ranging from 1.2 million to 7.42 million per file. A sample download link and session token are provided for prospective buyers.
Date: 2026-05-04T15:43:42Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-senao-com-tw-The-largest-mobile-phone-retailer-in-Taiwan-09-2022-7-38M-user-etc
Screenshots:
None
Threat Actors: Claude
Victim Country: Taiwan
Victim Industry: Retail
Victim Organization: Senao International
Victim Site: senao.com.tw
Alleged data breach of Romania national database
Category: Data Breach
Content: A threat actor operating under the alias lowiq is offering for sale an alleged Romanian database containing 692,824 records, claimed to have been breached on April 4, 2026. The seller is accepting cryptocurrency payments including BTC, SOL, ETH, USDT, and XMR, with pricing listed as open to offers. Contact is facilitated via two Telegram handles, and an escrow service is referenced for transaction security.
Date: 2026-05-04T15:42:21Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SELLING-692-824-Romania-Database
Screenshots:
None
Threat Actors: lowiq
Victim Country: Romania
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 5,000 truck driver records from Ciudad Juárez and Chihuahua, Mexico
Category: Data Leak
Content: Threat actors MagoSpeak and Z3r00 claim to have conducted a campaign in May collecting personal information on 5,000 truck drivers from Ciudad Juárez and Chihuahua, Mexico. They have exposed sample records containing full names, birthdates, municipalities, email addresses, and phone numbers. The actors state the campaign is ongoing and threaten to release the complete database in coming months.
Date: 2026-05-04T15:42:08Z
Network: telegram
Published URL: https://t.me/c/3764001014/115
Screenshots:
None
Threat Actors: MagoSpeak
Victim Country: Mexico
Victim Industry: Transportation/Logistics
Victim Organization: Truck drivers database (Ciudad Juárez/Chihuahua)
Victim Site: Unknown
Sale of Tunisian passport scan document
Category: Carding
Content: A forum post on PF – Other Leaks advertises a single scan of a Tunisian passport. No further details regarding the source, pricing, or quantity are available from the post content.
Date: 2026-05-04T15:41:01Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DOCUMENTS-SINGLE-SCAN-PASSPORT-TUNISIA
Screenshots:
None
Threat Actors: tey83819
Victim Country: Tunisia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Switzerland CNI headquarters documents
Category: Data Leak
Content: A threat actor operating under the alias tey83819 posted what is claimed to be documents from Switzerlands CNI headquarters on a public forum. The content is hidden behind a reply-gate, requiring users to reply to the thread to access the material. No further details regarding the volume or specific nature of the documents are disclosed in the visible post.
Date: 2026-05-04T15:40:26Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DOCUMENTS-SWITZERLAND-CNI-HQ
Screenshots:
None
Threat Actors: tey83819
Victim Country: Switzerland
Victim Industry: Government
Victim Organization: CNI HQ Switzerland
Victim Site: Unknown
Alleged leak of French visa documents
Category: Data Leak
Content: A threat actor posted a thread titled FRENCH VISA HQ on a cybercrime forum, claiming to share French visa-related documents. The content is hidden behind a reply gate, limiting visibility into the specific nature or volume of the alleged documents. No specific organization or official body has been identified as the source of the leak.
Date: 2026-05-04T15:39:44Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DOCUMENTS-FRENCH-VISA-HQ
Screenshots:
None
Threat Actors: tey83819
Victim Country: France
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of New Deal Institut
Category: Data Leak
Content: A threat actor using the handle ChimeraZ claims to have leaked the database of newdealinstitut.com on PwnForums. The data, reportedly 30 MB in size, is available in JSON, CSV, and PDF formats across multiple file-sharing platforms at no charge.
Date: 2026-05-04T15:38:19Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Newdealinstitut-com
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: New Deal Institut
Victim Site: newdealinstitut.com
Alleged data leak of Marcus & Millichap, Inc. by ShinyHunters
Category: Data Leak
Content: The threat actor group ShinyHunters claims to have compromised over 30 million Salesforce records from Marcus & Millichap, Inc., a commercial real estate investment sales brokerage, totaling more than 5.4GB of compressed data. The leaked data allegedly contains PII and internal corporate data including account names, billing addresses, phone numbers, industry classifications, and account types. The group states the company failed to reach an agreement and has made the data freely available to fo
Date: 2026-05-04T15:37:45Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-Marcus-Millichap-Inc-Lesk
Screenshots:
None
Threat Actors: Tanaka
Victim Country: United States
Victim Industry: Real Estate
Victim Organization: Marcus & Millichap, Inc.
Victim Site: marcusmillichap.com
Alleged data leak of Smallable.com childrens database
Category: Data Leak
Content: A threat actor using the handle ChimeraZ claims to have leaked a database allegedly belonging to Smallable.com, a French childrens fashion retailer. The dataset, approximately 60 MB in JSON format, purportedly contains 742,000 records including childrens first names, gender, and dates of birth. The data has been made available for free via multiple file-sharing platforms.
Date: 2026-05-04T15:37:11Z
Network: openweb
Published URL: https://pwnforums.st/Thread-DATABASE-742K-children-of-Smallable-com
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: Retail
Victim Organization: Smallable
Victim Site: smallable.com
Alleged data breach of Fund for Teachers
Category: Data Breach
Content: A threat actor shared what is alleged to be a database dump from fundforteachers.org, a nonprofit grant organization for educators. The leaked data reportedly includes 51,458 unique user records containing usernames (email addresses), bcrypt-hashed passwords, password tokens, full names, phone numbers, company, title, and address information. The post also claims the database contains grant application data and statuses, and that no student information was identified in the exposed tables.
Date: 2026-05-04T15:36:37Z
Network: openweb
Published URL: https://pwnforums.st/Thread-fundforteachers-org-teachers-info-grant-application
Screenshots:
None
Threat Actors: goyim
Victim Country: United States
Victim Industry: Education
Victim Organization: Fund for Teachers
Victim Site: fundforteachers.org
Alleged combo list targeting educational sector distributed on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias ZAMPARA shared what is described as a fresh educational sector combo list on the PT – Combolist forum. The content is hidden behind a registration or login requirement, limiting visibility into the specific credentials or record count involved. The post is categorized as a credential list marketed for use against educational platforms or services.
Date: 2026-05-04T15:35:03Z
Network: openweb
Published URL: https://patched.to/Thread-fresh-edu-combolist-298725
Screenshots:
None
Threat Actors: ZAMPARA
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Sale of Germany combo list on D4rkNetHub cloud
Category: Combo List
Content: A threat actor operating under the alias D4rkNetHub is offering a combo list of 41,040 credentials reportedly associated with German accounts, hosted on a cloud platform. The content is gated behind forum registration or login. No specific breached organization is identified; the post is consistent with a credential stuffing list aggregated from multiple sources.
Date: 2026-05-04T15:34:39Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-41-040-good-germany-d4rknethub-cloud
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email account combo list with 2,537 entries
Category: Combo List
Content: A threat actor operating under the alias GoldMailAccs is offering a mixed email account combo list containing 2,537 entries, advertised as fully valid. The post is hosted on the Patched.to forum and requires registration or login to access the content. No specific email provider or breach source is identified in the visible portion of the post.
Date: 2026-05-04T15:34:21Z
Network: openweb
Published URL: https://patched.to/Thread-2537-full-valid-mix-mail-access
Screenshots:
None
Threat Actors: GoldMailAccs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email access combo list with 5,108 entries
Category: Combo List
Content: A threat actor operating under the alias GoldMailAccs is offering a combo list of 5,108 mixed email account credentials on a cybercrime forum. The listing is described as full valid, suggesting the credentials have been tested and verified. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T15:33:47Z
Network: openweb
Published URL: https://patched.to/Thread-5108-full-valid-mix-mail-access
Screenshots:
None
Threat Actors: GoldMailAccs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list with alleged fresh hits
Category: Combo List
Content: A threat actor operating under the alias MimoData is sharing approximately 1,100 Hotmail credentials marketed as fresh hits on a combolist forum. The content is hidden behind a registration or login wall, limiting full visibility into the dataset. These credentials are likely the result of credential stuffing or aggregation from prior breaches and are not indicative of a breach of Hotmail or Microsoft directly.
Date: 2026-05-04T15:32:54Z
Network: openweb
Published URL: https://patched.to/Thread-1-1k-hotmail-fresh-hits
Screenshots:
None
Threat Actors: MimoData
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 2,000 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias MimoData shared what is described as 2,000 Hotmail credential hits on a cybercrime forum. The credentials are marketed as fresh and are being distributed via hidden content accessible only to registered forum members. This post represents a combo list intended for credential stuffing against Hotmail accounts and does not indicate a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-04T15:32:33Z
Network: openweb
Published URL: https://patched.to/Thread-2k-hotmail-fresh-hits
Screenshots:
None
Threat Actors: MimoData
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of alleged Hotmail credentials advertised as fresh hits
Category: Combo List
Content: A forum user identified as MimoData is distributing a combo list of approximately 3,000 Hotmail credentials marketed as fresh hits. The content is gated behind registration or login, limiting full visibility into the dataset. These credentials are sourced from external breaches and tested against Hotmail, not indicative of a breach of Microsoft or Hotmail directly.
Date: 2026-05-04T15:31:49Z
Network: openweb
Published URL: https://patched.to/Thread-3k-hotmail-fresh-hits
Screenshots:
None
Threat Actors: MimoData
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of mixed credential combo list
Category: Combo List
Content: A threat actor operating under the alias R0BIN1337 shared a combo list advertised as 15400 MIX BONUS on the forum patched.to. The content is hidden behind a registration or login requirement, with the password @ provided to access it. The post is sponsored by Robin Cloud and linked to a separate thread marketing logs and ULP leaks.
Date: 2026-05-04T15:31:32Z
Network: openweb
Published URL: https://patched.to/Thread-15400-mix-bonus-forza-traffic
Screenshots:
None
Threat Actors: R0BIN1337
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of Hotmail credentials advertised as fresh hits
Category: Combo List
Content: A threat actor operating under the alias MimoData shared a combo list of 984 Hotmail credentials described as fresh hits on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting visibility into the full dataset. The credentials are marketed as recently verified and likely intended for credential stuffing against Hotmail or associated Microsoft services.
Date: 2026-05-04T15:31:13Z
Network: openweb
Published URL: https://patched.to/Thread-984x-hotmail-fresh-hits
Screenshots:
None
Threat Actors: MimoData
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 5,086 credentials
Category: Combo List
Content: A threat actor identified as RedHat29 is advertising a combo list containing 5,086 Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login requirement. The listed service is a credential-stuffing target and is not the source of the breach.
Date: 2026-05-04T15:30:14Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-5086x%E2%9A%A1HOTMAIL%E2%9A%A1ACCESS%E2%9A%A1
Screenshots:
None
Threat Actors: RedHat29
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list shared on cybercrime forum by threat actor Stevee36
Category: Combo List
Content: A threat actor operating under the handle Stevee36 has shared a combo list described as HQ Mix containing an estimated 1,682 credential pairs on the DemonForums cybercrime forum. The content is hidden behind a registration or login requirement, limiting direct visibility into the specific services or data fields included. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-04T15:29:51Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1682-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Stevee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of Hotmail credential combo list sample
Category: Combo List
Content: A threat actor identified as HollowKnight shared a sample combo list of approximately 1,020 Hotmail credentials on a cybercrime forum. The content is gated behind registration or login to the forum. No further details regarding the origin or freshness of the credentials are available from the post.
Date: 2026-05-04T15:29:11Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-1020x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1–202786
Screenshots:
None
Threat Actors: HollowKnight
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of AWS Amazon SMTP service for high-volume spam delivery
Category: Services
Content: A threat actor operating under the alias imi_jav1995 is advertising AWS Amazon SMTP accounts for sale, claiming high daily sending limits, inbox deliverability across all domains, and suitability for spam campaigns. The seller offers inbox testing prior to purchase and provides contact via Telegram handles @office_365shop and the channel @office365_channel. The service is marketed with 24/7 support and described as pre-warmed for inbox placement.
Date: 2026-05-04T15:29:05Z
Network: openweb
Published URL: https://demonforums.net/Thread-AWS-Amazon-Inbox-SMTP-High-Sending-Limit
Screenshots:
None
Threat Actors: imi_jav1995
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting educational sector with 158K credentials
Category: Combo List
Content: A threat actor operating under the alias carlos080 shared a combo list on the AE forum purportedly containing approximately 158,000 credential pairs targeted at educational sector accounts. The post title indicates the list is specifically oriented toward EDU-domain targets, suggesting its intended use for credential stuffing against educational institutions. No further details regarding the post content, pricing, or specific targeted organizations were available.
Date: 2026-05-04T15:23:31Z
Network: openweb
Published URL: https://altenens.is/threads/158k-edu-targeted-combolist.2934204/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Sale of USA Homeowners Personal Data
Category: Data Breach
Content: A threat actor operating under the alias Mikhel is offering USA homeowners data for sale on BreachForums. Two packages are advertised — a trial package and a premium package — with contact facilitated via a Telegram channel. No specific source organization, record count, or data fields are disclosed in the post.
Date: 2026-05-04T15:06:22Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-USA-HOME-OWNERS-DATA
Screenshots:
None
Threat Actors: Mikhel
Victim Country: United States
Victim Industry: Real Estate
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged personal data of wealthy individuals in Portugal
Category: Data Breach
Content: A threat actor on BreachForums is advertising the sale of personal data purportedly belonging to wealthy individuals in Portugal, claiming approximately 1 million records are available. The seller is offering samples upon request via Telegram and an image hosting link. No specific source organization or breach vector is identified in the post.
Date: 2026-05-04T15:02:59Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-1M-Portugal-Rich-People-Data
Screenshots:
None
Threat Actors: Nauan
Victim Country: Portugal
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged Taiwan stock and investment investors database containing 6.5 million records
Category: Data Breach
Content: A threat actor operating under the alias FuckerSpy is offering for sale an alleged database of Taiwan stock and investment investors containing 6.5 million records in XLSX format. The seller states the price is negotiable and claims samples have already been posted. Contact channels include Telegram, qTox, and Session messaging identifiers.
Date: 2026-05-04T14:52:32Z
Network: openweb
Published URL: https://breached.st/threads/taiwan-stock-investment-investors-datbase-6-5-million-lines.86769/unread
Screenshots:
None
Threat Actors: FuckerSpy
Victim Country: Taiwan
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of UOB Malaysia database
Category: Data Leak
Content: A threat actor operating under the handle JAX7 claims to have leaked a database allegedly belonging to UOB Malaysia on the Breached forum. The post includes a sample section but no further details regarding record count or specific data fields are visible in the available content. The authenticity and scope of the alleged leak have not been independently verified.
Date: 2026-05-04T14:51:33Z
Network: openweb
Published URL: https://breached.st/threads/leak-uob-database-malaysia.86763/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Malaysia
Victim Industry: Finance
Victim Organization: United Overseas Bank Malaysia
Victim Site: uob.com.my
Alleged data leak of SNT-RF.RU Russian non-commercial gardening associations registry
Category: Data Leak
Content: A threat actor operating under the alias MDGhost claims to have obtained and is sharing a database dump from the SNT/RF registry, the official Russian register of non-commercial gardening associations (Sadaovodcheskoye Nekomercheskoye Tovarishchestvo). The dataset allegedly contains 1.8 million records including member names, addresses, cadastral numbers, OGRN, INN, phone numbers, emails, websites, registration dates, organizational forms, and financial data in rubles. The post includes a refere
Date: 2026-05-04T14:50:57Z
Network: openweb
Published URL: https://breached.st/threads/snt-rf-ru-1-8m-russian-non-commercial-gardening-entities.86764/unread
Screenshots:
None
Threat Actors: MDGhost
Victim Country: Russia
Victim Industry: Government
Victim Organization: SNT/RF Registry
Victim Site: snt-rf.ru
Alleged data leak of Badan Pemeriksa Keuangan Republik Indonesia
Category: Data Leak
Content: A threat actor operating under the alias Mr. Hanz Xploit claims to have leaked a sample database belonging to the Badan Pemeriksa Keuangan Republik Indonesia (the Supreme Audit Agency of Indonesia). The post includes a sample and code section, though the content of these sections was not provided in the source material. The actor frames the release with an anti-corruption motivation.
Date: 2026-05-04T14:50:24Z
Network: openweb
Published URL: https://breached.st/threads/sample-database-badan-pemeriksa-keuangan-republik-indonesia.86765/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Badan Pemeriksa Keuangan Republik Indonesia
Victim Site: Unknown
Alleged exposure of 400 US Navy senior officers information by Hanzalah hacking group
Category: Data Breach
Content: Hanzalah hacking group claimed responsibility for exposing confidential information of 400 senior officers of the US Navy stationed in the Persian Gulf. The group claims to have obtained a list containing ranks and operational units of these officers from a US military base in the Persian Gulf region. The group described this as more than a warning and claimed full surveillance capability over the US naval fleet in the region. The group also claimed to have sent direct warnings to the secure phones of these officers with a message stating they have chosen early death by pursuing a path of pride and aggression, and that the sea is no longer safe for them.
Date: 2026-05-04T14:50:15Z
Network: telegram
Published URL: https://t.me/c/1283513914/21545
Screenshots:
None
Threat Actors: Hanzalah
Victim Country: United States
Victim Industry: Military/Defense
Victim Organization: United States Navy
Victim Site: Unknown
Alleged data breach of Nusantara Sakti Group
Category: Data Breach
Content: A forum post by threat actor Mr.ZeroPhx100 on Breached.st alleges a database compromise of Nusantara Sakti Group. No post content was available to confirm the nature, scope, or data types involved. Details regarding record count, affected data fields, and sale conditions remain unknown.
Date: 2026-05-04T14:49:46Z
Network: openweb
Published URL: https://breached.st/threads/database-nusantara-sakti-group.86766/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Nusantara Sakti Group
Victim Site: Unknown
Alleged data leak of Dunia Games
Category: Data Leak
Content: A threat actor operating under the alias Mr.ZeroPhx100 claims to have leaked a database associated with Dunia Games. The post was shared on the Breached forum under the databases section. No further details regarding record count, data fields, or victim domain were provided in the available post content.
Date: 2026-05-04T14:49:11Z
Network: openweb
Published URL: https://breached.st/threads/database-dunia-games.86767/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Dunia Games
Victim Site: Unknown
Alleged Data Leak of Roblox User Database
Category: Data Leak
Content: A threat actor using the handle Mr.ZeroPhx100 claims to have leaked a database allegedly associated with Roblox. The post lists data fields including national identification numbers (NIK), phone numbers, email addresses, bank account numbers, and credit card information. No record count or additional technical details were provided in the post.
Date: 2026-05-04T14:48:36Z
Network: openweb
Published URL: https://breached.st/threads/database-roblox.86768/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Roblox
Victim Site: roblox.com
Alleged sale of email credential combolists and account access across multiple platforms
Category: Combo List
Content: Threat actor _emanthy is selling credential combolists containing email addresses, passwords, and cookies for compromised accounts across major platforms including Amazon, Facebook, eBay, PayPal, and Kleinanzeigen. Seller claims to provide access bases organized by geographic region (EU, USA, Germany, CORP mix) and also offers cloud access on weekly/monthly subscription basis with custom keyword targeting.
Date: 2026-05-04T14:47:20Z
Network: telegram
Published URL: https://t.me/c/2613583520/75361
Screenshots:
None
Threat Actors: _emanthy
Victim Country: Unknown
Victim Industry: Technology/E-commerce/Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Hotmail credentials targeting Supercell accounts
Category: Combo List
Content: A threat actor on the PT – Combolist forum shared a combo list containing 26 Hotmail credentials described as inboxed hits for Supercell accounts. The content is hidden behind a registration or login requirement. The post encourages engagement in exchange for additional releases.
Date: 2026-05-04T14:19:56Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%A5-26x-hotmal-x-supercell-inboxed-%F0%9F%94%A5
Screenshots:
None
Threat Actors: xHitCheap
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged private mixed mail access combo list
Category: Combo List
Content: Threat actor R0BIN1337 is offering a combo list described as 5.2K Private Mix Mail Access on the Patched.to forum. The post content is hidden behind a registration or login wall, limiting visibility into the specific mail providers or data quality involved. The listing appears to contain mixed email credentials potentially intended for credential stuffing or account takeover activity.
Date: 2026-05-04T14:19:36Z
Network: openweb
Published URL: https://patched.to/Thread-5-2k-private-mix-mail-access
Screenshots:
None
Threat Actors: R0BIN1337
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Hotmail combo list shared via Skylight Public Cloud
Category: Combo List
Content: A threat actor operating under the alias SkylightCloud has shared what is described as a Hotmail combo list via a public cloud platform. The post is gated behind registration or login, limiting visibility into specific record counts or data quality claims. This appears to be a credential list intended for use in credential stuffing against Hotmail/Microsoft accounts.
Date: 2026-05-04T14:18:19Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-skylight-public-cloud-hotmail-298722
Screenshots:
None
Threat Actors: SkylightCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Mixed Combo List Containing 1.5 Million Credentials
Category: Combo List
Content: A threat actor operating under the alias moser is offering a mixed combo list of approximately 1.5 million credentials on the forum PT – Combolist. The content of the post is hidden behind a registration or login requirement, limiting visibility into specific targets or data fields. The listing is described as a mixed-target combo list, suggesting credentials sourced from multiple services or breach sources.
Date: 2026-05-04T14:17:53Z
Network: openweb
Published URL: https://patched.to/Thread-1-5ml-mix-target-298720
Screenshots:
None
Threat Actors: moser
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Defacement of picciole.com by Threat Actor Zod
Category: Defacement
Content: On May 4, 2026, threat actor Zod operating under the team name Zod conducted a mass defacement attack against picciole.com, targeting a Linux-based web server. The defacement was part of a broader mass defacement campaign, with the compromised page archived at haxor.id. No specific motivation or proof of concept was publicly disclosed.
Date: 2026-05-04T14:17:46Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248864
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Picciole
Victim Site: picciole.com
Sale of fraudulent identity document creation service for KYC bypass
Category: Services
Content: A threat actor operating under the handle ASRRPPO is advertising a document forgery service on DemonForums, offering Photoshop-created fake IDs, drivers licenses, passports, selfies with documents, utility bills, and bank statements intended for bypassing KYC verification processes. The actor claims high-quality output including readable barcodes and PSD templates, with payment accepted only after sample approval. Contact is facilitated via Telegram at @DroneBott2.
Date: 2026-05-04T14:16:31Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9A%A1%E2%9A%A1-Photoshop-creation-of-id-dl-statements-bills-for-KYC-verification-%E2%9A%A1%E2%9A%A1–202778
Screenshots:
None
Threat Actors: ASRRPPO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Nulled07 is sharing a combo list containing 4,545 Hotmail credentials on a cybercrime forum. The credentials are marketed as fresh and are intended for credential stuffing or account takeover activity targeting Hotmail accounts. The post requires forum registration or login to access the content.
Date: 2026-05-04T14:16:25Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-4545x-FRESH-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Nulled07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Gift Cards and Verified Financial Accounts on Cybercrime Forum
Category: Carding
Content: A threat actor operating under the alias Stonegrat3 is selling discounted gift cards across multiple platforms including Amazon, Visa, Steam, and others, alongside fully verified financial accounts such as PayPal, Coinbase Level 3, Binance, Cashapp, Stripe, and Venmo. Payment is accepted via cryptocurrency, PayPal, Steam trades, and gift cards. The actor also claims 200+ reputation points on cracking sites and advertises via Telegram handle @McClark23.
Date: 2026-05-04T14:15:58Z
Network: openweb
Published URL: https://demonforums.net/Thread-Selling-Cheapest-Giftcard-50-for-100-and-Verified-Accounts–202780
Screenshots:
None
Threat Actors: Stonegrat3
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Alleged Disabling of 270 Industrial Control Systems in Indian Network
Category: Cyber Attack
Content: Infrastructure Destruction Squad claims to have disabled 270 industrial control systems within an Indian network. The post provides minimal technical details but indicates a significant attack on critical infrastructure.
Date: 2026-05-04T14:15:52Z
Network: telegram
Published URL: https://t.me/c/2735908986/4155
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: India
Victim Industry: critical_infrastructure
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Jornada Upwork by Threat Actor Zod
Category: Defacement
Content: On May 4, 2026, a threat actor operating under the alias Zod defaced a specific page on jornadaupwork.com.br, a Brazilian platform associated with Upwork freelance services. The attack targeted a single page rather than the homepage and was carried out on a Linux-based web server. The incident was archived and mirrored via haxor.id as part of defacement tracking efforts.
Date: 2026-05-04T14:15:32Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248866
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Brazil
Victim Industry: Professional Services / Freelance Platform
Victim Organization: Jornada Upwork
Victim Site: jornadaupwork.com.br
Website Defacement of ProspectSup by Threat Actor Zod
Category: Defacement
Content: A threat actor operating under the alias Zod defaced the website prospectsup.com on May 4, 2026, targeting a specific page (zod.html) hosted on a Linux-based server. The incident was a targeted, single-site defacement rather than a mass or home page compromise. A mirror of the defaced page has been archived at haxor.id.
Date: 2026-05-04T14:13:48Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248865
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: ProspectSup
Victim Site: prospectsup.com
Combo list of Hotmail credentials targeting users across multiple regions
Category: Combo List
Content: A threat actor operating under the alias Larry_Uchiha has shared a combo list purportedly containing 1,000 Hotmail credential pairs. The list is described as covering users from the USA, Europe, Asia, and Russia. No further details are available as the post content was not accessible.
Date: 2026-05-04T14:08:58Z
Network: openweb
Published URL: https://altenens.is/threads/1-000x-hotmail-access-combo-usa-europe-asia-russian.2934166/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Edu tech firm Instructure discloses cyber incident, probes impact
Category: Cyber Attack
Content: Instructure, developer of the Canvas platform, has announced that it suffered a cybersecurity incident and is currently conducting an investigation with the assistance of external experts. The company is committed to maintaining transparency while working swiftly to minimize the impact of this attack carried out by a threat actor. Several services, including Canvas Data 2 and Canvas Beta, have been under maintenance since May 1st, although the connection to the incident has not been confirmed.
Date: 2026-05-04T14:08:07Z
Network: openweb
Published URL: https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/
Screenshots:
None
Threat Actors: Shinyhunters
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Instructure
Victim Site: instructure.com
Hochschule Emden/Leer schaltet nach Cyberangriff zentrale IT-Dienste ab
Category: Cyber Attack
Content: Hochschule Emden/Leer fell victim to a cyberattack on May 1, 2026, which led to the preventive shutdown of central IT services and disruption of its website. Although systems were quickly contained with no reported data loss, course operations continue in person. The institution has established an information point for students and is working toward a gradual restoration of services.
Date: 2026-05-04T14:08:03Z
Network: openweb
Published URL: https://www.noz.de/lokales/rheiderland/regional/artikel/cyberangriff-auf-hochschule-emdenleer-it-teils-offline-50594356
Screenshots:
None
Threat Actors:
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Hochschule Emden/Leer
Victim Site: hs-emden-leer.de
Edu tech firm Instructure discloses cyber incident, probes impact
Category: Cyber Attack
Content: Instructure, développeur de la plateforme Canvas, a annoncé avoir subi un incident de cybersécurité et mène actuellement une enquête avec laide dexperts externes. Lentreprise sengage à maintenir la transparence tout en travaillant rapidement pour minimiser limpact de cette attaque perpétrée par un acteur malveillant. Des services, dont Canvas Data 2 et Canvas Beta, sont actuellement en maintenance depuis le 1er mai, bien que le lien avec lincident ne soit pas confirmé.
Date: 2026-05-04T14:07:58Z
Network: openweb
Published URL: https://www.bleepingcomputer.com/news/security/edu-tech-firm-instructure-discloses-cyber-incident-probes-impact/
Screenshots:
None
Threat Actors: Shinyhunters
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Instructure
Victim Site: instructure.com
Hochschule Emden/Leer schaltet nach Cyberangriff zentrale IT-Dienste ab
Category: Cyber Attack
Content: La Hochschule Emden/Leer a été victime dune nouvelle cyberattaque le 1er mai 2026, qui a entraîné larrêt préventif des services informatiques centraux et la perturbation du site web. Bien que les systèmes aient été rapidement contenus sans perte de données rapportée, le fonctionnement des cours se poursuit en présentiel. Létablissement a mis en place un point dinformation pour les étudiants et travaille à une restauration progressive des services.
Date: 2026-05-04T14:07:53Z
Network: openweb
Published URL: https://www.noz.de/lokales/rheiderland/regional/artikel/cyberangriff-auf-hochschule-emdenleer-it-teils-offline-50594356
Screenshots:
None
Threat Actors:
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Hochschule Emden/Leer
Victim Site: hs-emden-leer.de
Combo List of Mixed Email Provider Credentials Shared on Forum
Category: Combo List
Content: A forum post by user Larry_Uchiha on AE advertises a mixed email combo list targeting multiple providers including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live. The post is dated 2026-5-1 and appears to offer credentials for use in credential stuffing against these email services. No post content was available to confirm record count or additional details.
Date: 2026-05-04T14:06:25Z
Network: openweb
Published URL: https://altenens.is/threads/mix-mail-combo-hotmail-outlook-aol-gmx-inbox-icloud-live-2026-5-1.2934167/unread
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Social Media Ban, Unban, Recovery, and Username Claim Services Across Multiple Platforms
Category: Services
Content: A threat actor operating under the alias WhiteTshirt is advertising a range of account manipulation services on BreachForums, targeting Instagram, Snapchat, TikTok, Facebook, and other platforms including Discord, Reddit, YouTube, and Threads. Services offered include account banning, unbanning, account recovery, and username claiming. Contact is facilitated via Telegram.
Date: 2026-05-04T13:59:36Z
Network: openweb
Published URL: https://breachforums.rs/Thread-%E2%9A%A1%EF%B8%8FBAN-LOOKUPS-UNBAN-%E2%9A%A1%EF%B8%8F-AVAILABLE-WITH-HIGH-SUCCESS-RATE-%E2%9A%A1%EF%B8%8F-VOUCHED
Screenshots:
None
Threat Actors: WhiteTshirt
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged exposure of 400 U.S. Navy officers personal data by Handala threat actor
Category: Data Leak
Content: Handala threat actor claims to have obtained and published a list of 400 senior U.S. Navy officers including their ranks and operational units deployed in the Persian Gulf. The post includes direct threats against U.S. military personnel and bases, stating the sea is no longer safe for you and threatening death and destruction. A URL is provided allegedly containing the exposed officer list. The threat actor frames this as Operation Premature Death and warns of further retaliatory actions.
Date: 2026-05-04T13:56:28Z
Network: telegram
Published URL: https://t.me/c/3686754935/80
Screenshots:
None
Threat Actors: Handala
Victim Country: United States
Victim Industry: Military/Defense
Victim Organization: United States Navy
Victim Site: Unknown
Alleged sale of compromised email account access to multiple platforms (Hotmail, Yahoo, AT&T, etc.)
Category: Initial Access
Content: Threat actor Yuze is offering for sale valid, targeted email account access to multiple platforms including Hotmail, Yahoo, and AT&T accounts. Associated compromised accounts include access to Kleinanzeigen, Walmart, Reddit, Grailed, Vinted, eBay, Uber, Marriott, Poshmark, and other services. Seller claims credentials are fresh and valid, targeting users in USA, UK, and Canada. Contact via DM for specific keyword searches.
Date: 2026-05-04T13:45:24Z
Network: telegram
Published URL: https://t.me/c/2613583520/75338
Screenshots:
None
Threat Actors: Yuze
Victim Country: United States, United Kingdom, Canada
Victim Industry: Multiple (Email providers, E-commerce, Travel, Social platforms)
Victim Organization: Unknown
Victim Site: Unknown
Sale of IVR Automation Tool with SIP Exploitation Capabilities
Category: Services
Content: A threat actor operating under the alias GENERAL DARK is advertising an IVR (Interactive Voice Response) automation tool on a hacking forum, marketed as capable of high-speed SIP-based call automation, DTMF signal manipulation, and bypassing IVR protections. The tool features parallel call processing, real-time audio analysis, auto-authentication for SIP challenges, and multi-target batching capabilities designed to extract data from automated phone systems at scale. The post frames the tool a
Date: 2026-05-04T13:40:36Z
Network: openweb
Published URL: https://hackforums.net/showthread.php?tid=6324886
Screenshots:
None
Threat Actors: GENERAL DARK
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Defacement of Indonesian Technology Institute by BABAYO EROR SYSTEM
Category: Defacement
Content: On May 4, 2026, threat actor Mr.XycanKing operating under the group BABAYO EROR SYSTEM conducted a mass defacement attack targeting enviro.itk.ac.id, a subdomain belonging to Institut Teknologi Kalimantan, an Indonesian technology institute. The incident was classified as a mass defacement campaign, suggesting multiple sites were targeted simultaneously. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-04T13:29:16Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248863
Screenshots:
None
Threat Actors: Mr.XycanKing, BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Institut Teknologi Kalimantan (ITK)
Victim Site: enviro.itk.ac.id
Alleged defacement of ITK Indonesia websites by Mr.XycanKing
Category: Defacement
Content: Two websites belonging to Institut Teknologi Kalimantan (ITK) in Indonesia were allegedly defaced by threat actor Mr.XycanKing. The defaced sites are enviro.itk.ac.id and foodtech.itk.ac.id. A mirror/archive of the defacement was posted at haxor.id. The post includes greetings to Babayo Error System alliance members.
Date: 2026-05-04T13:25:50Z
Network: telegram
Published URL: https://t.me/c/3865526389/792
Screenshots:
None
Threat Actors: Mr.XycanKing
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Institut Teknologi Kalimantan (ITK)
Victim Site: itk.ac.id
Alleged data breach of UOB Malaysia – database leak
Category: Data Breach
Content: A user named JAX7 on Breachforums has posted a thread claiming to have leaked a UOB (United Overseas Bank) Malaysia database. The breach details are shared via Breachforums thread.
Date: 2026-05-04T13:23:29Z
Network: telegram
Published URL: https://t.me/bsnsbsksjsk/15
Screenshots:
None
Threat Actors: JAX7
Victim Country: Malaysia
Victim Industry: Financial Services
Victim Organization: UOB
Victim Site: uob.com.my
Website Defacement of Institut Teknologi Kalimantan Food Technology Department by Mr.XycanKing (BABAYO EROR SYSTEM)
Category: Defacement
Content: On May 4, 2026, the Food Technology department website of Institut Teknologi Kalimantan (ITK), an Indonesian academic institution, was defaced by a threat actor operating under the alias Mr.XycanKing, affiliated with the group BABAYO EROR SYSTEM. The attack targeted a subdomain of the universitys official web infrastructure. No mass or redefacement indicators were identified, suggesting a targeted single-site intrusion.
Date: 2026-05-04T13:23:01Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248862
Screenshots:
None
Threat Actors: Mr.XycanKing, BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Institut Teknologi Kalimantan (ITK) – Food Technology Department
Victim Site: foodtech.itk.ac.id
Sale of Hotmail Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias liamgoat is sharing a combo list advertised as containing approximately 700 high-quality Hotmail email account credentials. The content is hidden behind a registration or login requirement on the forum. The listed credentials are intended for mail access and are characteristic of credential stuffing material aggregated from multiple sources.
Date: 2026-05-04T13:09:07Z
Network: openweb
Published URL: https://patched.to/Thread-0-7k-hq-hotmail-mail-access-combolist-298692
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of Hotmail Credentials Shared on Forum
Category: Combo List
Content: A threat actor operating under the alias Katanat shared a combo list purportedly containing approximately 3,500 valid Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login requirement. The credentials are marketed as fully valid and may be intended for use in credential stuffing attacks.
Date: 2026-05-04T13:08:47Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-hotmail-3-5k%E2%9C%85%E2%9C%85%E2%9C%85-298698
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of European mixed combo list
Category: Combo List
Content: A threat actor on the PT – Combolist forum is sharing a mixed European combo list containing approximately 4,700 credentials. The content is gated behind forum registration or login. The post is marketed as fully valid.
Date: 2026-05-04T13:08:06Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-eu-mix-4-7k%E2%9C%85%E2%9C%85%E2%9C%85
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Katanat shared a combo list of approximately 2,800 Hotmail credentials on the PT – Combolist forum. The content is hidden behind a registration or login wall. The credentials are marketed as fully valid, suggesting they have been tested against the Hotmail service.
Date: 2026-05-04T13:07:34Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-hotmail-2-8k%E2%9C%85%E2%9C%85%E2%9C%85
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of EU Mix Combo List with 7.6K Credentials
Category: Combo List
Content: A threat actor on the PT – Combolist forum is sharing a mixed European combo list containing approximately 7,600 credential pairs, marketed as fully valid. The content is gated behind forum registration or login, indicating distribution within a closed community.
Date: 2026-05-04T13:07:06Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-eu-mix-7-6k%E2%9C%85%E2%9C%85%E2%9C%85-298703
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged 20,000 valid Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias NullShop is distributing a combo list claimed to contain 20,000 valid Hotmail credentials, marketed as fresh and verified. The content is gated behind forum registration or login. The actor references a Telegram handle (@NullShop0X) and an external paste link for additional releases.
Date: 2026-05-04T13:06:45Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-20-k-hotmail-access-valid-hit-fresh-%F0%9F%94%A5
Screenshots:
None
Threat Actors: NullShop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged Valid Hotmail Combo List
Category: Combo List
Content: A threat actor operating under the alias Katanat is sharing a combo list advertised as containing approximately 4,000 valid Hotmail credentials. The content is hidden behind a registration or login wall on the forum. The credentials are marketed as fully valid, suggesting prior verification against the Hotmail service.
Date: 2026-05-04T13:06:13Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9C%85%E2%9C%85full-valid-hotmail-4k%E2%9C%85%E2%9C%85%E2%9C%85
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged free distribution of South Korea email combo list (Batch 19/100)
Category: Combo List
Content: A threat actor operating under the handle emaildbpro is distributing a South Korea-focused email list as part of an ongoing batch series (batch 19 of 100) on a cybercrime forum. The content is gated behind forum registration or login, and no record count or specific data fields are disclosed in the post. The list is offered at no charge to registered forum members.
Date: 2026-05-04T13:05:42Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-free-premium-south-korea-email-list-batch-19-100
Screenshots:
None
Threat Actors: emaildbpro
Victim Country: South Korea
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Hotmail combo list of 10,000 credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias JOYK has shared a combo list purportedly containing 10,000 high-quality Hotmail email and password pairs on the PT – Combolist forum. The credentials are distributed via a hidden download link accessible only to registered members. Hotmail is referenced as the credential-stuffing target, not as the source of a breach.
Date: 2026-05-04T13:05:23Z
Network: openweb
Published URL: https://patched.to/Thread-10k-hq-hotmail
Screenshots:
None
Threat Actors: JOYK
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 14,000 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias RetroCloud has shared a combo list purportedly containing 14,000 Hotmail credential hits on the cybercrime forum Patched.to. The content is hidden behind a registration or login wall, limiting direct verification. The credentials are marketed as high quality and are likely intended for credential stuffing or account takeover activity.
Date: 2026-05-04T13:05:04Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85-14k-hq-hotmail-hit-%E2%9C%85-298689
Screenshots:
None
Threat Actors: RetroCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sharing of IMAP credential hits combo list
Category: Combo List
Content: A threat actor operating under the alias FlashCloud has shared a combo list advertised as containing approximately 12,000 IMAP credential hits on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting full visibility into the data. IMAP hits typically indicate tested and valid email account credentials usable for unauthorized mailbox access.
Date: 2026-05-04T13:04:19Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-12k-imap-hits
Screenshots:
None
Threat Actors: FlashCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Hotmail combo list sample shared on underground forum
Category: Combo List
Content: A threat actor using the handle Stevejobs shared a sample combo list on a credential-trading forum containing 2,580 Hotmail credentials. The content is gated behind forum registration or login. This is a credential stuffing list targeting Hotmail accounts and does not represent a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-04T13:03:18Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-2580x-SAMPLE-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Stevejobs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias COYYYTOOOO shared a combo list advertised as containing approximately 2,000 high-quality Hotmail email and password pairs on a cybercrime forum. The credentials were made available via an external paste service. As is typical for combo lists, Hotmail is the credential-stuffing target and not necessarily the source of the breach.
Date: 2026-05-04T13:02:37Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-2K-HQ-HOTMAIL–202777
Screenshots:
None
Threat Actors: COYYYTOOOO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged API Vault Drainer Tool – Cryptocurrency Exchange Theft Service
Category: Malware
Content: Threat actor advertising API Vault Drainer – a malicious tool designed to steal API keys from 60+ cryptocurrency exchanges (Binance, Bybit, OKX, KuCoin, Gate.io, MEXC, HTX, Kraken, Bitget, Coinbase and 40+ others) without requiring 2FA or login credentials. The tool includes 20 free phishing pages and bots to trick victims into connecting their exchange accounts, automatically extracting API keys and draining funds to attacker-controlled wallets. Advertised as requiring approval-only access via Telegram bots (@APIVault_Bot, @Apivault) and website (Apivault.info).
Date: 2026-05-04T13:02:19Z
Network: telegram
Published URL: https://t.me/c/1397463379/11239
Screenshots:
None
Threat Actors: API Vault
Victim Country: Unknown
Victim Industry: Cryptocurrency/Finance
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Thixpro by Threat Actor systemdarkdenied
Category: Defacement
Content: On May 4, 2026, threat actor systemdarkdenied defaced the website of Thixpro at www.thixpro.com. The attack targeted a Linux-based web server and resulted in a single-page defacement rather than a mass or home page compromise. No specific motive or team affiliation was disclosed in connection with the incident.
Date: 2026-05-04T13:00:16Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248860
Screenshots:
None
Threat Actors: systemdarkdenied
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Thixpro
Victim Site: www.thixpro.com
Mass Defacement of Thixpro Website by Threat Actor systemdarkdenied
Category: Defacement
Content: On May 4, 2026, threat actor systemdarkdenied conducted a mass defacement campaign targeting the website of Thixpro, hosted on a Linux server. The incident was classified as a mass defacement, indicating multiple sites were compromised as part of the same operation. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-04T12:57:46Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248861
Screenshots:
None
Threat Actors: systemdarkdenied
Victim Country: India
Victim Industry: Unknown
Victim Organization: Thixpro
Victim Site: www.thixpro.in
Alleged distribution of Hotmail combo list
Category: Combo List
Content: A threat actor operating under the alias VegaM shared what is claimed to be a combo list of approximately 2,000 Hotmail credentials on the AE forum. The credentials are marketed as fresh and may be intended for use in credential stuffing attacks against Hotmail or associated Microsoft services. No further details are available as the post contains no additional content.
Date: 2026-05-04T12:48:18Z
Network: openweb
Published URL: https://altenens.is/threads/2k-fresh-hotmail-combolist.2934121/unread
Screenshots:
None
Threat Actors: VegaM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Twitch streamer email dataset
Category: Data Breach
Content: A threat actor is offering for sale a dataset of over 10,000 email addresses allegedly associated with Twitch streamers. The sample data pairs Twitch profile URLs with corresponding email addresses from various providers. Payment is accepted exclusively in Monero (XMR) via a Session messaging contact.
Date: 2026-05-04T12:30:09Z
Network: openweb
Published URL: https://breached.st/threads/twitch-tv.86761/unread
Screenshots:
None
Threat Actors: Fortils
Victim Country: Unknown
Victim Industry: Entertainment
Victim Organization: Twitch
Victim Site: twitch.tv
Alleged data breach of Ipotekabank involving network intrusion and exfiltration of financial documents and payment card data
Category: Carding
Content: A threat actor claiming affiliation with ShinyHunters alleges to have compromised Ipotekabanks network via Log4Shell (CVE-2021-44228) RCE, then moved laterally through Active Directory using a standard user account to access SMB shares belonging to procurement, finance, and supply departments. The actor claims to possess 120 GB of data including PDF contracts, card numbers, CVV codes, expiration dates, and internal correspondence. The data is being offered for sale via a TOX contact ID attribut
Date: 2026-05-04T12:29:12Z
Network: openweb
Published URL: https://breached.st/threads/ipotekabank-uz-hacked-by-shinyhunters-anonymous-uzbekistan-centralasia.86762/unread
Screenshots:
None
Threat Actors: XXXA
Victim Country: Uzbekistan
Victim Industry: Finance
Victim Organization: Ipotekabank
Victim Site: ipotekabank.uz
Alleged sale of Hotmail and multi-platform credential combolists
Category: Combo List
Content: Threat actor offering for sale private cloud Hotmail UHQ (ultra high quality) credential combolists and full access packages (mailpass and cookies) across multiple countries (DE, FR, IT, BR, UK, US, JP, PL, RU, ES, NL, MX, CA, SG). Also offering access to credentials for platforms including eBay, Reddit, Poshmark, Depop, Walmart, Amazon, PSN, Booking, Uber, Alibaba, Mercari, Neosurf, and Kleinanzeigen. Seller claims to own private cloud with valid webmails and offers keyword searching capability.
Date: 2026-05-04T12:26:40Z
Network: telegram
Published URL: https://t.me/c/2613583520/75297
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Unknown
Victim Industry: Multiple (e-commerce, email, booking, gaming)
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Marcus & Millichap Salesforce records
Category: Data Leak
Content: A threat actor claims to have compromised over 30 million Salesforce records belonging to Marcus & Millichap, a commercial real estate investment brokerage, totaling more than 5.4GB of compressed data. The data allegedly contains PII and internal corporate data including account names, billing addresses, phone numbers, and investor/vendor classifications. The actor states the company failed to reach an agreement and has published the data for free download via a hidden forum link.
Date: 2026-05-04T12:25:31Z
Network: openweb
Published URL: https://spear.cx/Thread-Database-Marcus-Millichap-leak
Screenshots:
None
Threat Actors: [Mod] Tanaka
Victim Country: United States
Victim Industry: Finance
Victim Organization: Marcus & Millichap
Victim Site: marcusmillichap.com
Website Defacement of Fawry UAE by Mr.XycanKing (BABAYO EROR SYSTEM)
Category: Defacement
Content: On May 4, 2026, threat actor Mr.XycanKing, operating under the team BABAYO EROR SYSTEM, defaced the website of Fawry UAE, a financial technology or payment services company operating in the United Arab Emirates. The attack targeted a specific page rather than the home page and was conducted on a Linux-hosted server. The defacement was archived via haxor.id mirror service.
Date: 2026-05-04T12:18:37Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248857
Screenshots:
None
Threat Actors: Mr.XycanKing, BABAYO EROR SYSTEM
Victim Country: United Arab Emirates
Victim Industry: Financial Services / Fintech
Victim Organization: Fawry UAE
Victim Site: fawryuae.com
Mass Defacement of kyaigaulbatam.my.id by Irene of XmrAnonye.id
Category: Defacement
Content: On May 4, 2026, a threat actor known as Irene, affiliated with the group XmrAnonye.id, conducted a mass defacement against kyaigaulbatam.my.id, an Indonesian domain. This incident is classified as both a mass defacement and a redefacement, indicating the site had been previously compromised. The defaced page was archived and mirrored at haxor.id.
Date: 2026-05-04T12:12:38Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248856
Screenshots:
None
Threat Actors: Irene, XmrAnonye.id
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Kyai Gaul Batam
Victim Site: kyaigaulbatam.my.id
Alleged data breach of Punjab National Bank (India) – 100k records
Category: Data Breach
Content: Threat actor NEFFEX claims to have stolen 100,000 records from Punjab National Bank (India) containing account numbers, account holder names, IFSC codes, phone numbers, and email addresses. A sample of 1,000 records is being offered as proof, with the full dataset priced at $1200 in cryptocurrency (BTC/XMR). Contact via @xanon_neffex for purchase.
Date: 2026-05-04T12:05:50Z
Network: telegram
Published URL: https://t.me/c/3865526389/789
Screenshots:
None
Threat Actors: NEFFEX
Victim Country: India
Victim Industry: Financial Services
Victim Organization: Punjab National Bank
Victim Site: Unknown
Website Defacement of blog.xxs.xx.kg by CAC./Ohang of CyberOprationCulture
Category: Defacement
Content: On May 4, 2026, a threat actor identified as CAC./Ohang, affiliated with the group CyberOprationCulture, defaced the website at blog.xxs.xx.kg, a subdomain registered under the .kg Kyrgyzstan top-level domain. The incident was a targeted single-site defacement with no further details available regarding the attackers motivation or the victim organization.
Date: 2026-05-04T12:01:08Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248855
Screenshots:
None
Threat Actors: CAC./Ohang, CyberOprationCulture
Victim Country: Kyrgyzstan
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: blog.xxs.xx.kg
Alleged distribution of URL:Log:Pass combo list with 8+ million lines
Category: Combo List
Content: A threat actor operating under the handle lexityfr shared a combo list on the Patched.to forum, advertised as containing over 8 million URL:Log:Pass credential lines. The post is part of an ongoing series (part 317), suggesting repeated free distribution of large credential sets. The content is gated behind forum registration or login.
Date: 2026-05-04T11:59:41Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-url-log-pass-free-best-lines-8-million-lines-part-317
Screenshots:
None
Threat Actors: lexityfr
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting Valorant and League of Legends accounts
Category: Combo List
Content: A forum post by user ZAMPARA on a combolist forum advertises credentials purportedly targeting Valorant and League of Legends accounts. The actual content is hidden behind a registration or login requirement, preventing verification of record count or data specifics. This appears to be a credential stuffing list aimed at gaming platform accounts rather than a direct breach of either service.
Date: 2026-05-04T11:59:08Z
Network: openweb
Published URL: https://patched.to/Thread-valorant-lol
Screenshots:
None
Threat Actors: ZAMPARA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 140,000 Spain credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the handle HackingRealm has shared a combo list purportedly containing 140,000 high-quality credentials associated with Spanish users on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting direct verification. The post references the domain markoo.lol, which may indicate a credential-stuffing target or associated platform.
Date: 2026-05-04T11:58:49Z
Network: openweb
Published URL: https://patched.to/Thread-140k-spain-hq-combolist-markoo-lol
Screenshots:
None
Threat Actors: HackingRealm
Victim Country: Spain
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of alleged valid Hotmail credentials offered on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias ELJOKER1 is distributing a combo list purportedly containing 3,000 valid Hotmail email credentials on a cybercrime forum. The post is dated April 5 and the content is gated behind registration or login. Credentials are marketed as fully valid and suitable for mail access.
Date: 2026-05-04T11:58:17Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%E2%9A%9C%EF%B8%8Fx3000-hotmail-mail-access-full-vaild-%E2%9A%9C%EF%B8%8F%E2%9C%A8-04-05
Screenshots:
None
Threat Actors: ELJOKER1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of alleged Hotmail premium credential hits shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Psyho70244 posted a combo list advertised as 3,260 Hotmail premium credential hits on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting direct verification of the claims. Hotmail is referenced as the credential-stuffing target, not as a breached organization.
Date: 2026-05-04T11:57:58Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%93%8C3260x-hotmail-premium-hits%F0%9F%93%8C
Screenshots:
None
Threat Actors: Psyho70244
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 158,000 French credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the handle HackingRealm has shared a combo list purportedly containing 158,000 high-quality French credentials on the forum patched.to. The content is hidden behind a registration or login requirement, limiting direct verification of the claimed data. The list is marketed under the label HQ, suggesting the credentials have been tested or validated for credential stuffing use.
Date: 2026-05-04T11:57:25Z
Network: openweb
Published URL: https://patched.to/Thread-158k-france-hq-combolist-markoo-lol
Screenshots:
None
Threat Actors: HackingRealm
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged free distribution of South Korea email combo list (Batch 18/100)
Category: Combo List
Content: A threat actor operating under the alias emaildbpro is distributing a free email list purportedly associated with South Korean users, identified as batch 18 of a 100-part series. The content is gated behind forum registration or login, suggesting it is shared within a closed threat community. No specific breached organization or record count is identified in the post.
Date: 2026-05-04T11:56:10Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-free-premium-south-korea-email-list-batch-18-100
Screenshots:
None
Threat Actors: emaildbpro
Victim Country: South Korea
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Mixed Hotmail and Email Credential Combo Lists via Subscription Service
Category: Combo List
Content: A threat actor operating under the alias mk2clode is offering a subscription-based service selling mixed email credential combo lists, with an emphasis on Hotmail and other mail access credentials. The seller markets the lines as private, duplicate-free, and fresh, with subscription tiers ranging from $10 for a 3-day trial to $45 for one month. Prospective buyers are directed to contact the seller via Telegram handle @drmux_mk2.
Date: 2026-05-04T11:55:51Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%98%81%EF%B8%8F-mk2-cloud-fresh-mix-mail-access-full-private-%F0%9F%92%8E-298673
Screenshots:
None
Threat Actors: mk2clode
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged Hotmail Combo List
Category: Combo List
Content: A threat actor operating under the alias FlashCloud is advertising a combo list of approximately 2,000 Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting visibility into the full dataset. The credentials are marketed as private, suggesting they may not have been previously circulated publicly.
Date: 2026-05-04T11:54:59Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-2k-hotmail-private
Screenshots:
None
Threat Actors: FlashCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged Fresh Hotmail Credential Combo List
Category: Combo List
Content: A threat actor operating under the alias He_Cloud is sharing a combo list purportedly containing 2,364 Hotmail credentials, marketed as premium and fresh. The post was made on the DemonForums combolist section and includes a download link. As with all combo lists, Hotmail is a credential-stuffing target and not necessarily the source of the breach.
Date: 2026-05-04T11:54:31Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-2364x-PREMIUM-FRESH-HOTMAILS-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of mixed email credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias NotSellerXd shared a combo list containing 4,315 mixed email and password credential pairs on a cybercrime forum. The content is hidden behind a registration or login requirement. No specific breach source or targeted service is identified in the post.
Date: 2026-05-04T11:53:39Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-4315x-MIX-MAIL
Screenshots:
None
Threat Actors: NotSellerXd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of Wi-Fi Password Recovery Tool on Cracking Forum
Category: Malware
Content: A forum user on DemonForums is distributing a tool called Tenorshare Wi-Fi Password Key 2026, advertised as a Wi-Fi password recovery utility supporting Windows, macOS, and mobile platforms. The tool is offered as a free download and claimed to perform real-time scanning and recovery of Wi-Fi credentials. The post includes a reference to a VirusTotal scan result, suggesting potential awareness of antivirus detection concerns.
Date: 2026-05-04T11:52:53Z
Network: openweb
Published URL: https://demonforums.net/Thread-Tenorshare-Wi-Fi-Password-Key-2026
Screenshots:
None
Threat Actors: harryldn92
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of stolen credit cards with full information for online fraud
Category: Combo List
Content: A threat actor operating under the alias darks69811 is advertising stolen credit cards claimed to carry high balances, accompanied by full cardholder information and email access. The cards are marketed as suitable for online shopping, bill payments, debit with PIN, and linkage to CashApp, Apple Pay, and cryptocurrency accounts. Contact is solicited via Signal and WhatsApp.
Date: 2026-05-04T11:52:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9C%85If-anyone-need-CC-with-good-and-high-balance-above-for-online-Shopping–202770
Screenshots:
None
Threat Actors: darks69811
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged Trade Republic forex leads across multiple European countries
Category: Data Breach
Content: A threat actor on BreachForums is offering for sale a dataset allegedly tied to Trade Republic, a financial services platform, containing 24,836 records from Spain, France, Germany, Austria, and Italy. The data fields include first name, last name, email, phone number, country, source, date, currency, first-time deposit (FTD) status, and total deposit amount. The seller is directing interested buyers to a Telegram contact for further information.
Date: 2026-05-04T11:47:09Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Trade-Republic-Forex-High-Quality-Leads
Screenshots:
None
Threat Actors: pm_rasel
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Trade Republic
Victim Site: traderepublic.com
Alleged combo list targeting Italy with 1.245 million email:password credentials
Category: Combo List
Content: A threat actor on BreachForums is sharing a combo list of approximately 1.245 million email:password pairs associated with Italian accounts. The credentials are marketed as fresh and high quality. The content is gated behind forum registration or login.
Date: 2026-05-04T11:35:32Z
Network: openweb
Published URL: https://breachforums.rs/Thread-%E2%9C%AA-1-245-K-Combo-%E2%9C%AA-Italy-%E2%9C%AA-2-MAY-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Italy
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 657K+ credentials targeting United Kingdom
Category: Combo List
Content: A threat actor operating under the alias thejackal101 shared a combo list on a cybercrime forum containing approximately 657,000 or more email and password pairs attributed to United Kingdom-based accounts. The credentials are marketed as fresh and high quality. Access to the content requires forum registration or login.
Date: 2026-05-04T11:32:07Z
Network: openweb
Published URL: https://breachforums.rs/Thread-%E2%9C%AA-657-K-Combo-%E2%9C%AA-United-Kingdom-%E2%9C%AA-2MAY-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of documents from Bekasi City government website (simpelbang.bekasikota.go.id)
Category: Data Leak
Content: Documents allegedly leaked from simpelbang.bekasikota.go.id, a website belonging to Bekasi City government in Indonesia. The post indicates unauthorized access and exfiltration of government documents.
Date: 2026-05-04T11:30:49Z
Network: telegram
Published URL: https://t.me/c/3865526389/788
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Bekasi City Government
Victim Site: simpelbang.bekasikota.go.id
Alleged combo list targeting Germany-based email accounts with 558K credentials
Category: Combo List
Content: A threat actor on BreachForums shared a combo list of approximately 558,000 email and password pairs attributed to Germany-based accounts. The credentials are marketed as fresh and high quality. The content is gated behind forum registration or login.
Date: 2026-05-04T11:28:42Z
Network: openweb
Published URL: https://breachforums.rs/Thread-%E2%9C%AA-Email-%E2%9C%AA-Password-%E2%9C%AA-558-K-%E2%9C%AA-Combo-%E2%9C%AA-Germany-%E2%9C%AA-2-MAY-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting Spain with 491K+ credentials
Category: Combo List
Content: A threat actor on BreachForums shared a combo list purportedly containing over 491,000 email and password pairs associated with Spain. The credentials are marketed as fresh and high quality. Access to the list is restricted to registered forum members.
Date: 2026-05-04T11:25:19Z
Network: openweb
Published URL: https://breachforums.rs/Thread-%E2%9C%AA-491-K-Combo-%E2%9C%AA-Spain-%E2%9C%AA-2-MAY-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Spain
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list targeting Polish email credentials
Category: Combo List
Content: A threat actor on BreachForums shared a combo list purportedly containing approximately 485,000 email and password pairs associated with Polish accounts. The credentials are marketed as fresh and high quality. Access to the content requires forum registration or login.
Date: 2026-05-04T11:21:56Z
Network: openweb
Published URL: https://breachforums.rs/Thread-%E2%9C%AA-485-K-Combo-%E2%9C%AA-Poland-%E2%9C%AA-2-MAY-2026-%E2%9C%AA
Screenshots:
None
Threat Actors: thejackal101
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of admin access to Indonesian web portal (ac.id)
Category: Initial Access
Content: Threat actor offering for sale administrative access to an Indonesian web portal (ac.id domain). The access grants ability to upload articles, news, and other content. Contact via Telegram (@yatimluajg) for purchase inquiries.
Date: 2026-05-04T11:18:43Z
Network: telegram
Published URL: https://t.me/c/3865526389/775
Screenshots:
None
Threat Actors: yatimluajg
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: ac.id
Alleged data breach of Indonesian educational institution with employee records and payroll data
Category: Data Breach
Content: Multiple Excel files containing sensitive employee data from an Indonesian institution are being shared in the channel, including employee lists (active/inactive), salary information, BPJS contribution records, budget allocations, and personnel classifications by religion. Files appear to originate from tkk.bekasikota.go.id (Bekasi City Technical Education Office). Additionally, a reference to a leaked OCBC database from Malaysia is posted with a Breachforums link.
Date: 2026-05-04T11:17:47Z
Network: telegram
Published URL: https://t.me/c/3865526389/761
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Education/Government
Victim Organization: Bekasi City Technical Education Office (TKK Bekasi Kota)
Victim Site: tkk.bekasikota.go.id
Alleged free webshell access to Hussey College UK Alumni website
Category: Initial Access
Content: Threat actor offering free shell access to a compromised web application at husseycollegeukalumni.com with a specific path parameter, indicating potential unauthorized access to the institutions systems.
Date: 2026-05-04T11:15:24Z
Network: telegram
Published URL: https://t.me/c/3865526389/757
Screenshots:
None
Threat Actors: BABAYO EROR SYSTEM
Victim Country: United Kingdom
Victim Industry: Education
Victim Organization: Hussey College UK Alumni
Victim Site: husseycollegeukalumni.com
Sale of web shell access to over 400 compromised websites
Category: Initial Access
Content: A threat actor operating under the alias AloneHunter is offering for sale shell access to over 400 compromised websites along with associated database access. The seller requires prospective buyers to contact them via Session or Telegram to receive the list of available targets. The post specifies that transactions must be conducted through escrow.
Date: 2026-05-04T11:04:58Z
Network: openweb
Published URL: https://breached.st/threads/the-sale-of-more-than-400-access-the-website-db.86759/unread
Screenshots:
None
Threat Actors: AloneHunter
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Politeknik Keuangan Negara STAN
Category: Data Leak
Content: A threat actor using the alias Mr. Hanz Xploit shared a sample database allegedly belonging to Politeknik Keuangan Negara STAN, an Indonesian state finance polytechnic. The post appears to offer a sample leak of the institutions database on the Breached forum. No record count or specific data fields were disclosed in the available post content.
Date: 2026-05-04T11:04:05Z
Network: openweb
Published URL: https://breached.st/threads/leak-sample-database-politeknik-keuangan-negara-stan-ac-id.86758/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Politeknik Keuangan Negara STAN
Victim Site: politeknik-keuangan-negara-stan.ac.id
Alleged free distribution of Netflix mail account access
Category: Logs
Content: User Bo is promoting a Telegram channel offering free Netflix mail account access drops. The post repeats a Telegram invite link multiple times, suggesting active recruitment for access to compromised or stolen Netflix-associated email accounts.
Date: 2026-05-04T11:03:35Z
Network: telegram
Published URL: https://t.me/c/2613583520/75263
Screenshots:
None
Threat Actors: Bo
Victim Country: Unknown
Victim Industry: Entertainment/Streaming
Victim Organization: Netflix
Victim Site: netflix.com
Sale of alleged payment transaction records from BigasPh
Category: Carding
Content: A threat actor on Breached is selling alleged payment transaction records attributed to BigasPh, a Philippine-based platform. The sample data includes transaction IDs, payment statuses, accepted payment methods (Visa, Mastercard, Amex, JCB), and transaction amounts. The records appear to contain structured payment processing data including pending, authorized, and completed transaction states.
Date: 2026-05-04T11:03:30Z
Network: openweb
Published URL: https://breached.st/threads/bigas-para-sa-bayan-user-receipts-selling-sample.86760/unread
Screenshots:
None
Threat Actors: Z4ne0days
Victim Country: Philippines
Victim Industry: Retail
Victim Organization: BigasPh
Victim Site: Unknown
Combo list of mixed email credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias ELJOKER1 shared a combo list on the PT – Combolist forum containing approximately 3,915 mixed email and password credential pairs. The post advertises the credentials as valid and full mail access. The actual content is hidden behind a registration or login requirement.
Date: 2026-05-04T10:35:24Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%E2%9A%9C%EF%B8%8Fx3915-mix-mail-access-full-vaild-%E2%9A%9C%EF%B8%8F%E2%9C%A8-04-05
Screenshots:
None
Threat Actors: ELJOKER1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 605K URL-login-password credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias RandomUpload has shared a combo list containing approximately 605,000 URL, login, and password entries on a cybercrime forum. The content is gated behind registration or login, limiting direct verification of the claims. The post is dated 04.05.26 and appears to contain credential pairs associated with multiple unspecified online services.
Date: 2026-05-04T10:35:05Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-605k-url-login-pass-04-05-26
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of mixed email access combo list
Category: Combo List
Content: A forum member on PT – Combolist shared a post advertising a mixed email access combo list containing approximately 19,000 entries, described as high quality (HQ). The content is hidden behind a registration or login requirement, limiting full visibility into the data. No specific breached organization or target service is identified in the available post metadata.
Date: 2026-05-04T10:33:52Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-19k%F0%9F%90%BEhq-mix-mail%F0%9F%90%BEaccess%F0%9F%90%BE
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Mixed Valid Email Access Combo List
Category: Combo List
Content: A threat actor operating under the alias GoldMailAccs is offering a combo list of 1,405 allegedly valid mixed email account credentials on the forum PT – Combolist. The content is described as full valid mix mail access, suggesting credentials spanning multiple email providers. The actual content is gated behind forum registration or login.
Date: 2026-05-04T10:33:20Z
Network: openweb
Published URL: https://patched.to/Thread-1405-full-valid-mix-mail-access
Screenshots:
None
Threat Actors: GoldMailAccs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias GoldMailAccs is advertising a combo list of 2,680 allegedly valid mixed mail access credentials on a cybercrime forum. The post claims the credentials are fully valid and span multiple mail providers. Actual content is gated behind forum registration or login.
Date: 2026-05-04T10:33:03Z
Network: openweb
Published URL: https://patched.to/Thread-2680-full-valid-mix-mail-access
Screenshots:
None
Threat Actors: GoldMailAccs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged valid Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias GoldMailAccs is advertising 419 allegedly valid Hotmail credentials on a cybercrime forum. The content is gated behind registration or login, limiting full visibility into the data. The post markets the credentials as providing mail access, consistent with a combo list intended for credential stuffing or account takeover.
Date: 2026-05-04T10:32:44Z
Network: openweb
Published URL: https://patched.to/Thread-419-full-valid-hotmail-mail-access
Screenshots:
None
Threat Actors: GoldMailAccs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 910 alleged valid credentials
Category: Combo List
Content: A threat actor operating under the handle GoldMailAccs is offering a combo list of 910 alleged valid Hotmail email account credentials on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting visibility into specific details. The credentials are marketed as fully valid mail access combinations.
Date: 2026-05-04T10:32:17Z
Network: openweb
Published URL: https://patched.to/Thread-910-full-valid-hotmail-mail-access
Screenshots:
None
Threat Actors: GoldMailAccs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 1.5 million URL log credentials
Category: Logs
Content: A forum user on PT – Other Leaks is sharing an alleged collection of 1.5 million URL-log credential pairs. The post content is hidden behind a login or registration wall, limiting visibility into specific targets or data fields. The post appears to offer stealer log output containing URLs paired with login credentials.
Date: 2026-05-04T10:32:11Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%901-5-million-url-log-pass%E2%AD%90
Screenshots:
None
Threat Actors: agha24
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged 30,000 valid Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias NullShop is distributing a combo list claimed to contain approximately 30,000 valid Hotmail account credentials, marketed as fresh and verified. The content is gated behind forum registration or login and is accessible via an external paste link. The post advertises regular updates and high accuracy, consistent with credential stuffing list offerings.
Date: 2026-05-04T10:31:53Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-30-k-hotmail-access-valid-hit-fresh-%F0%9F%94%A5
Screenshots:
None
Threat Actors: NullShop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail account combo list with 904 valid credentials
Category: Combo List
Content: A threat actor operating under the handle GoldMailAccs is offering a combo list advertised as containing 904 fully valid Hotmail email account credentials. The content is hidden behind a registration or login requirement on the forum. The listed accounts are presented as verified mail access hits, likely intended for use in credential stuffing or account takeover activity.
Date: 2026-05-04T10:31:22Z
Network: openweb
Published URL: https://patched.to/Thread-904-full-valid-hotmail-mail-access
Screenshots:
None
Threat Actors: GoldMailAccs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list mix shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the handle Nulled07 shared a combo list advertised as a fresh mix containing 2,530 credential pairs on a cybercrime forum. The post is gated behind a registration or login requirement, limiting visibility into the specific contents or targeted services. The credentials are marketed as fresh, though no verification methodology is provided.
Date: 2026-05-04T10:30:59Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-2530x-FRESH-MIX-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Nulled07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged UHQ mixed mail access combo list
Category: Combo List
Content: A forum post on leakforum.io advertises a set of approximately 1,600 alleged ultra-high-quality (UHQ) mixed mail access credentials. The content is hidden behind a registration or login wall, limiting visibility into specific targets or data composition. The post is listed under a combolist-focused thread category.
Date: 2026-05-04T10:30:35Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-1-6K-UHQ-MIX-MAIL-ACCESS
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged Hotmail Combo List
Category: Combo List
Content: A forum user on LF is offering a combo list marketed as containing 1,261 Hotmail credentials. The content is hidden behind a registration or login wall, limiting further verification of the datas authenticity or freshness. This post is consistent with credential stuffing material targeting Hotmail accounts.
Date: 2026-05-04T10:30:11Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-1261x-HOTMAIL-ACCESS
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Hotmail credentials offered on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias MeiMisaki is sharing a combo list purportedly containing approximately 9,000 Hotmail credentials, marketed as ultra-high quality (UHQ). The content is hidden behind a login or registration wall on the forum, limiting verification of the claimed data.
Date: 2026-05-04T10:29:47Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-9000x-UHQ-HOTMAIL-ACCESS
Screenshots:
None
Threat Actors: MeiMisaki
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of WizWorm RAT V4.0 Remote Access Trojan Builder
Category: Malware
Content: A threat actor on DemonForums is advertising WizWorm RAT V4.0, described as a fully unlocked Windows Remote Access Trojan builder with capabilities including remote control, surveillance, credential harvesting, persistence mechanisms, and worm-like propagation. The post claims the tool features a visual dashboard, client management, file management, and system reconnaissance modules. A download link is provided alongside a reference to a VirusTotal scan result.
Date: 2026-05-04T10:29:33Z
Network: openweb
Published URL: https://demonforums.net/Thread-WizWorm-RAT-V4-0-Full-RAT-Builder–202757
Screenshots:
None
Threat Actors: louis_hartley57
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 32,000 Hotmail credentials advertised as valid hits
Category: Combo List
Content: A threat actor operating under the alias hunterX is sharing a combo list purportedly containing 32,000 Hotmail account credentials, marketed as high-quality and valid hits. The content is gated behind forum registration or login and requires user engagement to access. The credentials appear intended for credential stuffing against Hotmail accounts and are not indicative of a breach of Microsoft or Hotmail infrastructure.
Date: 2026-05-04T10:29:24Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A132k-HQ-Hotmail-Access-VALID-HITS
Screenshots:
None
Threat Actors: hunterX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Alleged FUD Malware Crypter Apex 2 / Anubis Crypter on Underground Forum
Category: Malware
Content: A threat actor operating under the alias FreyaZone1 is advertising a tool identified as Apex 2 and referencing Anubis Crypter FUD 2025 on a cracking forum. The tool is described as a fully undetectable (FUD) malware crypter with features including polymorphic code generation, memory-only execution, EDR/AV evasion, anti-analysis techniques, API obfuscation, and self-destruct mechanisms. A download link is provided, suggesting the tool is being freely distributed or made available to forum mem
Date: 2026-05-04T10:29:03Z
Network: openweb
Published URL: https://demonforums.net/Thread-Apex-2-The-All-In-One-Checker-2026
Screenshots:
None
Threat Actors: FreyaZone1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of compromised account databases and webmail access across multiple countries
Category: Combo List
Content: Threat actor advertising fresh databases containing compromised accounts from multiple countries (UK, DE, JP, NL, BR, PL, ES, US, IT) with inbox access. Specifically targeting e-commerce and service platforms including eBay, PayPal, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and Neosurf. Seller claims to have private cloud infrastructure with valid webmail access and invites direct messages for custom requests.
Date: 2026-05-04T10:27:23Z
Network: telegram
Published URL: https://t.me/c/2613583520/75238
Screenshots:
None
Threat Actors: Num
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: E-commerce, Financial Services, Gaming, Travel, Payment Platforms
Victim Organization: Unknown
Victim Site: Unknown
Sale of hacked RDP access in the United States
Category: Initial Access
Content: A forum post on AE – Hosting advertises hacked RDP access based in the United States. No additional details regarding the victim organization, industry, or pricing are available in the post content.
Date: 2026-05-04T10:14:53Z
Network: openweb
Published URL: https://altenens.is/threads/rdp-usa-hacked.2934037/unread
Screenshots:
None
Threat Actors: noonesxx1
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Use-After-Free Vulnerability in PHP unserialize() with Remote Exploitation Capability
Category: Vulnerability
Content: A 21-year-old use-after-free (UAF) vulnerability in PHPs unserialize() function has been disclosed, affecting code paths present since PHP 5.1 (2005) and exploitable on the latest PHP 8.5.5 release. The bug stems from a missing BG(serialize_lock)++ in zend_user_unserialize() and enables a local exploit bypassing disable_functions without hardcoded offsets, as well as a remote exploit requiring approximately 2,000 HTTP requests to achieve code execution. A proof-of-concept and an open-source PHP
Date: 2026-05-04T10:11:35Z
Network: openweb
Published URL: https://tier1.life/thread/205
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Multiple Vulnerabilities Disclosed in TP-Link TAPO Smart Camera Series Including Pre-Auth RCE and Unpatched Auth Bypass
Category: Vulnerability
Content: Security researchers Laszlo Radnai and Botond Hartmann publicly disclosed 16 vulnerabilities affecting TP-Link TAPO next-generation IP cameras, including a pre-authentication stack buffer overflow RCE exploitable from WAN via a browser-based attack vector, multiple HTTP and ONVIF authentication bypasses, heap buffer overflow RCEs, and a cryptographic design weakness enabling full cloud account takeover. As of the disclosure date, 10 of 16 vulnerabilities have been patched by TP-Link, while 2 (an
Date: 2026-05-04T10:10:42Z
Network: openweb
Published URL: https://tier1.life/thread/207
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: TP-Link
Victim Site: tp-link.com
Alleged cyber attack with data exfiltration, destruction, and website defacement by Ababil of Minab
Category: Cyber Attack
Content: Ababil of Minab claims to have compromised target servers and internal systems, resulting in wiping of over 1 TB of stored data, exfiltration of 45 GB of corporate data including sensitive user information and internal documents, and defacement of the target website.
Date: 2026-05-04T10:07:08Z
Network: telegram
Published URL: https://t.me/c/3899821869/69
Screenshots:
None
Threat Actors: Ababil of Minab
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Politeknik Keuangan Negara STAN
Category: Data Breach
Content: A user named xyph0rix posted a leak sample of a database from Politeknik Keuangan Negara STAN (State Finance Polytechnic) on Breachforums. The thread contains evidence of a data breach with database samples made available.
Date: 2026-05-04T10:06:36Z
Network: telegram
Published URL: https://t.me/DeepCoreNetwork/72
Screenshots:
None
Threat Actors: xyph0rix
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Politeknik Keuangan Negara STAN
Victim Site: stan.ac.id
Alleged hack of Tri-Rail commuter rail system in South Florida
Category: Cyber Attack
Content: Ababil of Minab claims to have hacked Tri-Rail, South Floridas commuter rail system serving Miami, Fort Lauderdale, and West Palm Beach. The post indicates a compromise of the transportation infrastructure providers systems.
Date: 2026-05-04T10:03:36Z
Network: telegram
Published URL: https://t.me/c/3899821869/58
Screenshots:
None
Threat Actors: Ababil of Minab
Victim Country: United States
Victim Industry: Transportation/Critical Infrastructure
Victim Organization: Tri-Rail
Victim Site: Unknown
Sale of streaming and productivity service credentials or subscriptions
Category: Combo List
Content: A forum post on AE – Leaked Databases advertises what appear to be unauthorized access credentials or subscriptions for Microsoft 365, Netflix, Hulu, Disney+, HBO Max, and Spotify Premium, including claims of lifetime access and multi-device support. The post is attributed to user Hvsch but contains no body content, limiting detailed assessment. Based on the thread title, the offering is consistent with credential stuffing hits or account sharing marketed as premium service bundles.
Date: 2026-05-04T09:57:20Z
Network: openweb
Published URL: https://altenens.is/threads/microsoft-365-office-365-premium-lifetime-access-multi-device-netflix-hulu-disney-hbo-max-spotify-premium-4k-ad-free-bundles.2933956/unread
Screenshots:
None
Threat Actors: Hvsch
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of stolen credit card information via Telegram
Category: Carding
Content: A threat actor operating under the handle hellsiinki on Telegram is advertising stolen credit card information with claimed high balances. The post promotes the availability of multiple card types and directs potential buyers to a Telegram profile to place orders. No specific victim organization or card count is disclosed in the post.
Date: 2026-05-04T09:54:54Z
Network: openweb
Published URL: https://altenens.is/threads/cc-info-card-with-good-and-highly-recommended-balance-live-here-legally-compliant-tap-profile-t3le-hellsiinki-for-yu-card-order-all-types-here-c.2934043/unread
Screenshots:
None
Threat Actors: Herireal
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Live Backup of BreachForums.as
Category: Data Breach
Content: A threat actor identified as ra1n is offering for sale a claimed live backup of the BreachForums.as platform for 7,000 XMR (Monero). The seller is requesting contact exclusively via TOX, providing a TOX ID in the post. No details regarding the contents or size of the backup were disclosed.
Date: 2026-05-04T09:49:14Z
Network: openweb
Published URL: https://breached.st/threads/sell-live-backup-breachforums-as.86752/unread
Screenshots:
None
Threat Actors: ra1n
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: BreachForums
Victim Site: breachforums.as
Sale of 0-day IDOR vulnerability in WordPress plugin enabling coupon fraud
Category: Vulnerability
Content: A threat actor is offering for sale a claimed 0-day Insecure Direct Object Reference (IDOR) vulnerability affecting a WordPress plugin combination that ships together. The exploit allegedly allows an attacker to generate a valid coupon code using a victims discount value while binding it to the attackers email address. The seller is requesting payment in Monero (XMR) and advertises fair trade escrow via tor.taxi.
Date: 2026-05-04T09:48:40Z
Network: openweb
Published URL: https://breached.st/threads/0-day-idor-in-wordpress-plugin.86757/unread
Screenshots:
None
Threat Actors: disclosed
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged vulnerability chain enabling full account takeover of Twilio Console with persistent API access
Category: Vulnerability
Content: A threat actor disclosed a chain of 14 security vulnerabilities affecting Twilio infrastructure, including CORS misconfigurations, postMessage origin bypass flaws, source-map disclosures, and subdomain takeover conditions. The most critical chain (Chain A) allegedly enables full takeover of any authenticated Twilio Console session with persistent REST API access by leveraging control over any of 9,490+ *.twilio.com subdomains, requiring no victim credentials or social engineering. Additional fin
Date: 2026-05-04T09:47:54Z
Network: openweb
Published URL: https://breached.st/threads/14-full-twilio-account-takeover-with-persistent-api-access.86756/unread
Screenshots:
None
Threat Actors: disclosed
Victim Country: United States
Victim Industry: Telecommunications
Victim Organization: Twilio
Victim Site: twilio.com
Alleged data leak of Bank Sinarmas customer database
Category: Data Leak
Content: A threat actor using the handle Mr.ZeroPhx100 has shared what appears to be a partial database dump attributed to Bank Sinarmas, an Indonesian bank. The leaked data includes phone numbers (NOMOR HANDPHONE) and NPWP (Indonesian taxpayer identification numbers) presented as SQL INSERT statements. No record count or price was specified in the post.
Date: 2026-05-04T09:47:08Z
Network: openweb
Published URL: https://breached.st/threads/database-bank-sinarmas.86748/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Indonesia
Victim Industry: Finance
Victim Organization: Bank Sinarmas
Victim Site: banksinarmas.com
Alleged Data Leak of Kabupaten Magelang Government Database
Category: Data Leak
Content: A threat actor identified as Mr.ZeroPhx100 shared what appears to be a partial database dump attributed to Kabupaten Magelang, an Indonesian regional government entity. The leaked data includes National Identity Numbers (NIK/Nomor Induk Kependudukan), Indonesian phone numbers, and email addresses including an official government address at magelangkab.go.id. The data was posted publicly on the Breached forum at no apparent cost.
Date: 2026-05-04T09:46:35Z
Network: openweb
Published URL: https://breached.st/threads/database-kabupaten-magelang.86749/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kabupaten Magelang (Magelang Regency Government)
Victim Site: magelangkab.go.id
Alleged data breach of Senzing CRM exposing 100,000 US user records
Category: Data Breach
Content: A threat actor on Breached forums claims to possess data captured from Senzings CRM platform, allegedly containing records for 100,000 US users. The purported dataset includes Social Security Numbers, names, phone numbers, and dates of birth. Senzing is a technology company specializing in entity resolution and identity intelligence solutions.
Date: 2026-05-04T09:46:01Z
Network: openweb
Published URL: https://breached.st/threads/100-000-usa-users-leads-captured-on-senzing-com-crm-ssn-name-phone-dob.86750/unread
Screenshots:
None
Threat Actors: BABAY2
Victim Country: United States
Victim Industry: Technology
Victim Organization: Senzing
Victim Site: senzing.com
Alleged data leak of WhatsApp
Category: Data Leak
Content: A threat actor operating under the alias x0ghost claims to have leaked a database allegedly associated with WhatsApp, purportedly containing 28,000 records. The post provides minimal technical detail, consisting largely of expletive-laden text referencing Meta CEO Mark Zuckerberg. The nature, authenticity, and content of the alleged database have not been verified.
Date: 2026-05-04T09:45:27Z
Network: openweb
Published URL: https://breached.st/threads/28k-database-whatsapp-com.86753/unread
Screenshots:
None
Threat Actors: x0ghost
Victim Country: United States
Victim Industry: Technology
Victim Organization: WhatsApp
Victim Site: whatsapp.com
Alleged data leak of OCBC Malaysia database
Category: Data Leak
Content: A threat actor operating under the alias JAX7 has publicly shared what is alleged to be a database belonging to OCBC Malaysia on a cybercrime forum. The post includes a sample section, though record count and specific data fields are not detailed in the available content. The data has been made available for free as a leak.
Date: 2026-05-04T09:45:05Z
Network: openweb
Published URL: https://breached.st/threads/leak-ocbc-database-malaysia.86754/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Malaysia
Victim Industry: Finance
Victim Organization: OCBC
Victim Site: ocbc.com.my
Alleged data leak of OVO.ID
Category: Data Leak
Content: A threat actor using the alias Mr. Hanz Xploit has shared what is claimed to be a sample database belonging to OVO, an Indonesian digital payment platform operating at ovo.id. The post was made on a known breach forum and includes a code section, suggesting a partial database dump was made available. No record count or additional details about the scope of the alleged leak were provided in the post.
Date: 2026-05-04T09:44:28Z
Network: openweb
Published URL: https://breached.st/threads/sample-database-ovo-id.86755/unread
Screenshots:
None
Threat Actors: Mr. Hanz Xploit
Victim Country: Indonesia
Victim Industry: Finance
Victim Organization: OVO
Victim Site: ovo.id
Alleged database breach of WhatsApp.com – 28k records
Category: Data Breach
Content: A database allegedly containing 28,000 records from WhatsApp.com has been shared on Breachforums by user x0ghost. The breach was attributed to Xyph0rix. The data has been made available on the breach forum platform.
Date: 2026-05-04T09:41:37Z
Network: telegram
Published URL: https://t.me/c/3755871403/383
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: Unknown
Victim Industry: Technology/Messaging
Victim Organization: WhatsApp.com
Victim Site: whatsapp.com
Alleged data breach of OVO ID – sample database shared
Category: Data Breach
Content: A Breachforums user mr-hanz-xploit has posted a thread claiming to share a sample database from OVO ID, an Indonesian digital payment and identity service platform. The claim is being circulated through the DeepCore Network channel.
Date: 2026-05-04T09:20:20Z
Network: telegram
Published URL: https://t.me/DeepCoreNetwork/70
Screenshots:
None
Threat Actors: mr-hanz-xploit
Victim Country: Indonesia
Victim Industry: Financial Services / Digital Payments
Victim Organization: OVO ID
Victim Site: ovo.id
Sale of alleged UHQ EU mixed combo list
Category: Combo List
Content: A threat actor on the PT forum is offering approximately 700 ultra-high quality (UHQ) mixed credentials purportedly associated with European users. The post is restricted to registered or logged-in members, limiting visibility of additional details. The listing is marketed as VIP exclusive access with high conversion rates, suggesting the credentials have been tested for validity.
Date: 2026-05-04T09:17:15Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%91%91-0-7k-uhq-eu-mixed-vip-exclusive-access-high-conversion-%F0%9F%91%91
Screenshots:
None
Threat Actors: BedrockDB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of OCBC Bank Malaysia
Category: Data Breach
Content: Threat actor JAX7 has posted on Breachforums claiming a database leak from OCBC Bank, a major Malaysian financial institution. The post includes links to the breach forum thread and user profile, indicating potential compromise of banking data.
Date: 2026-05-04T09:15:27Z
Network: telegram
Published URL: https://t.me/byjax7/465
Screenshots:
None
Threat Actors: JAX7
Victim Country: Malaysia
Victim Industry: Financial Services/Banking
Victim Organization: OCBC Bank
Victim Site: ocbc.com.my
Sale of alleged 3,300 valid European combo list
Category: Combo List
Content: A threat actor on a cybercrime forum is sharing a combo list advertised as containing 3,300 valid credential pairs targeting European users. The content is hidden behind a registration or login wall, limiting direct verification. No specific breached organization or service is identified in the post.
Date: 2026-05-04T09:15:15Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%92%8Ex-3300-valid-full-europe%F0%9F%92%8E
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 194,000 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Nomefor74 shared a combo list reportedly containing approximately 194,000 Hotmail credentials on the cybercrime forum PT – Combolist. The content is hidden behind a registration or login requirement, limiting direct verification of the dataset. Hotmail is referenced as the credential-stuffing target, not as the breach origin.
Date: 2026-05-04T09:14:57Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%8E%81-194k-hotmail-%F0%9F%8E%81
Screenshots:
None
Threat Actors: Nomefor74
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 508K US email and password credentials
Category: Combo List
Content: A threat actor operating under the alias Glowlex shared a combo list purportedly containing 508,000 email and password credential pairs associated with US individuals. The content is described as private data in mail:pass format. The actual content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T09:14:25Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-508k-usa-private-data-mail-pass
Screenshots:
None
Threat Actors: Glowlex
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 449K US email and password credentials
Category: Combo List
Content: A threat actor identified as Glowlex is sharing a combo list purportedly containing 449,000 email and password credential pairs associated with US individuals. The content is gated behind forum registration or login, limiting direct verification. The post is consistent with credential stuffing resource distribution on underground forums.
Date: 2026-05-04T09:13:53Z
Network: openweb
Published URL: https://patched.to/Thread-449k-usa-private-data-mail-pass
Screenshots:
None
Threat Actors: Glowlex
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of 620,000-record USA combo list targeting gaming platforms
Category: Combo List
Content: A threat actor operating under the alias WhyHappy is offering a purported 620,000-record combo list described as a private USA base. The list is advertised as particularly effective against gaming targets and marketed as containing high-value credential pairs. Full content is gated behind forum registration or login.
Date: 2026-05-04T09:13:21Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-620k-usa-private-base-good-on-gaming-targets-juicy-lines
Screenshots:
None
Threat Actors: WhyHappy
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged 353K US credential combo list targeting gaming platforms
Category: Combo List
Content: A threat actor operating under the alias WhyHappy is advertising a combo list of approximately 353,000 credentials sourced from US-based accounts, marketed as particularly effective against gaming targets. The content is hidden behind a registration or login requirement on the forum, limiting full visibility into the dataset. The post describes the lines as juicy and private base, suggesting the credentials are presented as previously unpublished or high-quality.
Date: 2026-05-04T09:12:48Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-353k-usa-private-base-good-on-gaming-targets-juicy-lines
Screenshots:
None
Threat Actors: WhyHappy
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias ELJOKER1 is distributing a combo list of 500 alleged Hotmail credentials, marketed as valid mail access. The post is dated April/May and requires forum registration or login to access the hidden content.
Date: 2026-05-04T09:12:07Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%E2%9A%9C%EF%B8%8Fx500-hotmail-mail-access-full-vaild-%E2%9A%9C%EF%B8%8F%E2%9C%A8-04-05
Screenshots:
None
Threat Actors: ELJOKER1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged combo list targeting European accounts
Category: Combo List
Content: A forum user on PT – Combolist is sharing a combo list advertised as containing 1,500 valid credentials associated with European accounts. The content is hidden behind a login/registration gate, limiting direct verification. The post does not specify a particular breached organization or service.
Date: 2026-05-04T09:11:35Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%92%8Ex-1500-valid-full-europe%F0%9F%92%8E
Screenshots:
None
Threat Actors: Katanat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Hotmail combo list shared publicly by SkylightCloud
Category: Combo List
Content: A threat actor operating under the alias SkylightCloud has shared a combo list targeting Hotmail accounts on a cybercrime forum. The content is gated behind registration or login, limiting full visibility into record count or credential quality. The list appears to be distributed publicly as part of a broader combolist release activity.
Date: 2026-05-04T09:10:41Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-skylight-cloud-public-hotmail-298618
Screenshots:
None
Threat Actors: SkylightCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor operating under the alias liamgoat is offering a combo list of approximately 4,400 mixed mail access credentials on a cybercrime forum. The list is advertised as high quality (HQ) and contains mixed mail provider credentials suitable for credential stuffing or account takeover activity. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T09:10:23Z
Network: openweb
Published URL: https://patched.to/Thread-4-4k-hq-mixed-mail-access-combolist-298637
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of stealer logs marketed as high-quality and fresh
Category: Logs
Content: A threat actor on LF is advertising a collection of stealer logs totaling 3.66 million lines in URL:LOG:PASS format. The logs are marketed as high-quality, fresh, and private. No specific victim organization or country is identified in the post.
Date: 2026-05-04T09:08:33Z
Network: openweb
Published URL: https://leakforum.io/Thread-3-66M-LINES%E2%AD%90%EF%B8%8FURL-LOG-PASS%E2%AD%90%EF%B8%8FHQ-LOGS%E2%AD%90%EF%B8%8FFRESH-PRIVATE%E2%AD%90%EF%B8%8F
Screenshots:
None
Threat Actors: XVF33t
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of email:password credentials advertised for shopping and social media platforms including Facebook
Category: Combo List
Content: A threat actor operating under the alias mustaphine shared a combo list of email:password credentials on a leak forum. The credentials are marketed as freshly extracted and suitable for credential stuffing against shopping and social media platforms, including Facebook. The actual content is hidden behind a login/registration wall, limiting further detail on volume or origin.
Date: 2026-05-04T09:08:24Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-freshly-extracted-email-pass-good-for-shopping-and-social-sites-facebook
Screenshots:
None
Threat Actors: mustaphine
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Anubis Android Banking Botnet v2.5 with Tutorial
Category: Malware
Content: A threat actor on DemonForums is distributing Anubis Android Banking Botnet v2.5, a well-known Android banking trojan offered as a malware-as-a-service tool. The package includes a tutorial and features such as banking credential theft via overlay attacks, SMS interception for MFA bypass, keylogging, remote access control, and a botnet command-and-control panel. A download link and VirusTotal scan result are referenced in the post.
Date: 2026-05-04T09:07:58Z
Network: openweb
Published URL: https://demonforums.net/Thread-Anubis-Android-Banking-Botnet-v-2-5-with-Tutorial
Screenshots:
None
Threat Actors: JackJayden07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Hotmail combo list shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the handle klyne05 is sharing a combo list of Hotmail email and password pairs on a cybercrime forum. The content is described as private and fresh, and is gated behind a like-to-unlock mechanism. The credentials are marketed as checked by the original poster.
Date: 2026-05-04T09:07:16Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1HOTMAIL%E2%9A%A1%E2%9A%A1PRIVATE%E2%9A%A1%E2%9A%A1FRESH%E2%9A%A1%E2%9A%A1CHEKED-BY-klyne05-%E2%9A%A1%E2%9A%A1–202753
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Data Leak of Pakistan Government Personnel Database
Category: Data Leak
Content: A threat actor on BreachForums has leaked a database allegedly belonging to the Pakistan government, specifically associated with the Services and General Administration Department (S&GAD). The dataset includes sensitive personal and professional information such as full names, home addresses, mobile and emergency contact numbers, father names, dates of birth, blood groups, designations, grades, personal numbers, email addresses, and service history. Sample records indicate employees from the Ag
Date: 2026-05-04T08:59:53Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-Pakistan-Government-Personal-Database
Screenshots:
None
Threat Actors: shalimaar13
Victim Country: Pakistan
Victim Industry: Government
Victim Organization: Pakistan Government (S&GAD)
Victim Site: Unknown
Alleged Hotmail combo list shared on cybercrime forum
Category: Logs
Content: A threat actor known as D4rkNetHub has shared a combo list of approximately 5,099 Hotmail credentials on a cybercrime forum. The post includes links to external resources, likely hosting the credential list. The credentials are marketed as good hits, suggesting they have been tested and verified against Hotmail accounts.
Date: 2026-05-04T08:47:09Z
Network: openweb
Published URL: https://xforums.st/threads/5-099-good_hotmail-goods-d4rknethub-cloud_-04-05-26.612242/
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of webshell-compromised .COM domains
Category: Initial Access
Content: Threat actor offering webshell access to compromised .COM domains for sale. Three domains listed with varying domain authority (DA) and page authority (PA) metrics: one with DA 10/PA 18, and two with DA 1/PA 13 and DA 1/PA 17 respectively. The higher authority domain suggests compromise of an established website.
Date: 2026-05-04T08:46:01Z
Network: telegram
Published URL: https://t.me/c/3841736872/359
Screenshots:
None
Threat Actors: DEWATA BLACKHAT
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 1,932 Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias alphacloud posted a combo list advertised as 1,932 premium Hotmail credential hits on the AE cybercrime forum. The post is categorized as a credential stuffing resource targeting Hotmail accounts. No additional content or context was available to further assess the nature or origin of the credentials.
Date: 2026-05-04T08:40:20Z
Network: openweb
Published URL: https://altenens.is/threads/snowflakesnowflake-1932x-premium-hotmail-hits-snowflakesnowflake.2933939/unread
Screenshots:
None
Threat Actors: alphacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged cryptocurrency theft by North Korean hacking groups totaling $577 million in 2026
Category: Cyber Attack
Content: North Korean hacking groups, including Lazarus Group, have stolen approximately $577 million from cryptocurrency projects since the beginning of 2026. Two major attacks on Drift Protocol and KelpDAO accounted for the majority of industry losses. Experts note increasing attack sophistication and potential use of AI in operations.
Date: 2026-05-04T08:34:06Z
Network: telegram
Published URL: https://t.me/c/1397463379/11237
Screenshots:
None
Threat Actors: Lazarus Group
Victim Country: Unknown
Victim Industry: Cryptocurrency
Victim Organization: Drift Protocol, KelpDAO
Victim Site: Unknown
Alleged distribution of Hotmail and mixed email credential combo list
Category: Combo List
Content: A threat actor operating under the alias nikyofficial is distributing a combo list described as high-quality and fresh Hotmail and mixed email credentials on the PT forum. The post indicates the content was previously shared in a private Telegram channel approximately 24 hours prior, with the actor referencing an older channel with over 2,000 members. The actual file content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T07:59:29Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%B4%EF%B8%8F-hq-fresh-hotmails-mix-%E2%9C%B4%EF%B8%8F-dropped-in-private-channel-24h-ago-%F0%9F%94%A5%F0%9F%94%A5-298613
Screenshots:
None
Threat Actors: nikyofficial
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of EU mixed combo list on cybercrime forum
Category: Combo List
Content: A threat actor on the PT – Combolist forum is offering approximately 400 credentials described as UHQ EU Mixed, marketed as high-conversion and exclusive to VIP members. The post content is hidden behind a registration or login wall, limiting full visibility into the specific targets or data composition.
Date: 2026-05-04T07:59:11Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%91%91-0-4k-uhq-eu-mixed-vip-exclusive-access-high-conversion-%F0%9F%91%91
Screenshots:
None
Threat Actors: BedrockDB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 465,000-line USA combo list targeting gaming and shopping services
Category: Combo List
Content: A threat actor operating under the alias AstroBella is distributing a combo list purportedly containing 465,000 email and password credential pairs sourced from United States users. The list is marketed as targeting gaming and shopping platforms and is described as unverified but fresh. The actual content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T07:58:29Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-465k-usa-combolist-%E2%9C%94%EF%B8%8F-unraped-and-fresh-lines-%E2%9C%94%EF%B8%8Fgaming-shopping-mix-good
Screenshots:
None
Threat Actors: AstroBella
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 655,000 USA credential combo list targeting gaming and shopping services
Category: Combo List
Content: A threat actor operating under the alias AstroBella is advertising a combo list of approximately 655,000 credential pairs purportedly sourced from United States users. The list is marketed as targeting gaming and shopping services and described as unverified fresh lines. The content is hidden behind forum registration or login, indicating controlled distribution.
Date: 2026-05-04T07:57:59Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-655k-usa-combolist-%E2%9C%94%EF%B8%8F-unraped-and-fresh-lines-%E2%9C%94%EF%B8%8Fgaming-shopping-mix-good
Screenshots:
None
Threat Actors: AstroBella
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Mixed Email-Password Combo List Containing 873K Lines
Category: Combo List
Content: A threat actor identified as XVF33t is advertising a mixed email-password combo list containing approximately 873,000 lines on a cybercrime forum. The list is marketed as high-quality and private, with credentials described as fresh. Access to the content requires forum registration or login.
Date: 2026-05-04T07:56:55Z
Network: openweb
Published URL: https://leakforum.io/Thread-873K-Lines-%E2%AD%90%EF%B8%8FHQ-MIX-MAILPASS-COMBOLIST%E2%AD%90%EF%B8%8FPRIVATE-FRESH%E2%AD%90%EF%B8%8F
Screenshots:
None
Threat Actors: XVF33t
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged 20-Day Intrusion by Chinese-Attributed Hackers into Italian Infrastructure
Category: Cyber Attack
Content: Chinese-attributed hackers allegedly maintained access to Italian public infrastructure systems for approximately 20 days. The intrusion was conducted without causing disruption and focused on information gathering and reconnaissance of sensitive infrastructure components. Security experts note this represents a shift in cyber warfare tactics toward persistent access and long-term intelligence collection rather than immediate system destruction.
Date: 2026-05-04T07:56:47Z
Network: telegram
Published URL: https://t.me/c/1283513914/21538
Screenshots:
None
Threat Actors: Chinese-attributed hackers
Victim Country: Italy
Victim Industry: Critical Infrastructure
Victim Organization: Italian Public Infrastructure
Victim Site: Unknown
Alleged IDOR Vulnerability Exploitation via Hash Reversal and ID Prediction
Category: Vulnerability
Content: Security researcher demonstrates IDOR vulnerability in a web application where hashed user IDs were predictable. The attacker created a wordlist of potential IDs (0-100,000), cracked their own hashed ID using John the Ripper to identify the pattern (MD5 hash of sequential numbers), then successfully predicted and exploited another users hashed ID to gain unauthorized account edit access. Post emphasizes that hashing alone is insufficient without proper server-side authorization checks.
Date: 2026-05-04T07:51:26Z
Network: telegram
Published URL: https://t.me/c/3793980891/3280
Screenshots:
None
Threat Actors: ./xorcat~files
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged website defacements by Mr.PIMZZZXploit
Category: Defacement
Content: Threat actor Mr.PIMZZZXploit claims to have defaced multiple websites including lawyer.creative71academy.com, energoteam029.rs.komfornisistemi.rs, caseyauve.com, ivsoftdesign.com subdomains, igsminimart.clotsoftwaresolutions.com, porselenelektrot.com, and rabona.m-websolutions.com. Posts attributed to Babayo Eror System group.
Date: 2026-05-04T07:50:04Z
Network: telegram
Published URL: https://t.me/c/3865526389/755
Screenshots:
None
Threat Actors: Mr.PIMZZZXploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of large-scale URL:Log:Pass combo list
Category: Combo List
Content: A forum user on PT – Combolist shared a free combo list containing over 8 million URL:login:password credential pairs, labeled as part 316 of an ongoing series. The content is hidden behind a registration or login requirement on the forum. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-04T07:01:38Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-url-log-pass-free-best-lines-8-million-lines-part-316
Screenshots:
None
Threat Actors: lexityfr
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of pirated film content via file-sharing platform
Category: Data Leak
Content: A forum post on NulledBB shares a link to what is claimed to be a 1080p WEBRip copy of the 2025 film Whistle hosted on filejoker.net. The post includes technical metadata such as duration, resolution, format, and file size. This appears to be unauthorized distribution of pirated video content rather than a traditional data breach or cyber attack.
Date: 2026-05-04T07:00:59Z
Network: openweb
Published URL: https://nulledbb.com/thread-Ali-Skovbye-Dafne-Keen-Sophie-Nelisse-Whistle-2025-1080p-WEBRip
Screenshots:
None
Threat Actors: gerrick54
Victim Country: Unknown
Victim Industry: Entertainment
Victim Organization: Unknown
Victim Site: filejoker.net
Alleged distribution of URL:Log:Pass combo list containing 25.8 million lines
Category: Logs
Content: A threat actor operating under the alias Max095 shared a hidden-content post on a leak forum advertising a URL:Log:Pass dataset containing approximately 25.836 million lines and approximately 1.4 GB in size. The content is gated behind forum registration or login, suggesting it is distributed to verified members. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-04T07:00:33Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-Url-Log-Pass-25-836-181-M%C4%B1ll%C4%B1on-L%C4%B1nes-1-4gb
Screenshots:
None
Threat Actors: Max095
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of alleged CloudAIO checker cracking tool
Category: Malware
Content: A forum post on DemonForums advertises a cracked version of CloudAIO, a credential checking or account cracking tool, distributed via multiple download mirrors. The post provides no additional technical details about the tools capabilities or target services. The accompanying link appears to be an unrelated adult dating spam URL embedded in the post.
Date: 2026-05-04T06:59:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-cloudaio-checker-crack
Screenshots:
None
Threat Actors: makitabosch
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of EMV chip card reading and writing software on cybercrime forum
Category: Carding
Content: A forum post on DemonForums advertises X2 2021 EMV Writer, software purportedly capable of reading and writing EMV chip card data, handling Track 2 data, and supporting ARQC/ARPC cryptographic operations. The tool is promoted with features including smart card personalization, ICC public key handling, and Omnikey reader integration. A download link is provided alongside a VirusTotal scan reference, indicating distribution to forum members for payment card fraud purposes.
Date: 2026-05-04T06:59:17Z
Network: openweb
Published URL: https://demonforums.net/Thread-x2-2021-Emv-Writer
Screenshots:
None
Threat Actors: ZoeWillow22
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias Stevee36 has shared a combo list advertised as containing 2,107 high-quality Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login requirement. No additional details regarding the origin or freshness of the credentials are provided in the post.
Date: 2026-05-04T06:59:12Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2107-HQ-Hotmail-%E2%9A%A1%E2%9A%A1-BY-Stevee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Westgate Uniforms by DimasHxR
Category: Defacement
Content: On May 4, 2026, the threat actor DimasHxR defaced a media directory page on westgateuniforms.com, a uniform and apparel retailer. The attack was a targeted single-page defacement, not part of a mass or home page defacement campaign. No specific motive or team affiliation was identified for this incident.
Date: 2026-05-04T06:44:25Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917427
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: Retail / Apparel
Victim Organization: Westgate Uniforms
Victim Site: westgateuniforms.com
Website Defacement of Petmore Online by DimasHxR
Category: Defacement
Content: On May 4, 2026, a threat actor identified as DimasHxR defaced a media/customer directory path on petmore.online, an online pet-related retail website. The attack was a targeted single-site defacement with no team affiliation reported. Technical details such as the server software and exploit method were not disclosed.
Date: 2026-05-04T06:42:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917424
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / Pet Supplies
Victim Organization: Petmore
Victim Site: petmore.online
Website Defacement of Jenco Wholesale by DimasHxR
Category: Defacement
Content: On May 4, 2026, a threat actor identified as DimasHxR defaced a page on the Jenco Wholesale website. The attack targeted a subdirectory of the domain and was not classified as a mass or home page defacement. No team affiliation, motive, or technical details regarding the server environment were disclosed.
Date: 2026-05-04T06:41:14Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917430
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: United States
Victim Industry: Wholesale/Retail
Victim Organization: Jenco Wholesale
Victim Site: www.jencowholesale.com
Website Defacement of Aminimart by DimasHxR
Category: Defacement
Content: On May 4, 2026, a threat actor identified as DimasHxR defaced a subdirectory of aminimart.com, a retail or e-commerce website. The defacement targeted a specific media path rather than the homepage, indicating a partial or targeted page defacement. No team affiliation, stated motive, or server details were disclosed in connection with this incident.
Date: 2026-05-04T06:39:21Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917421
Screenshots:
None
Threat Actors: DimasHxR
Victim Country: Unknown
Victim Industry: Retail / E-Commerce
Victim Organization: Aminimart
Victim Site: aminimart.com
Sale of AIO credential checker tool with multiple modules
Category: Combo List
Content: A threat actor is advertising Luxify 6, described as an all-in-one (AIO) credential checker and combo editor featuring 87 modules. The tool is marketed for credential stuffing and account checking across multiple services. No post content was available to provide further technical details.
Date: 2026-05-04T06:39:11Z
Network: openweb
Published URL: https://altenens.is/threads/luxify-6-the-best-fastest-aio-checker-87-modules-combo-editor.2933879/unread
Screenshots:
None
Threat Actors: ananalbzoor
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of URL:Login:Pass combo list with 6.18 million lines
Category: Logs
Content: A threat actor on BreachForums shared a URL:Login:Pass combo list purportedly containing approximately 6.183 million lines totaling around 400MB in size. The content is hidden behind a login/registration wall, indicating it is accessible only to registered forum members. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-04T06:29:28Z
Network: openweb
Published URL: https://breachforums.rs/Thread-URL-LOGIN-PASS-Url-Log-Pass-6-183-939-M%C4%B1ll%C4%B1on-L%C4%B1nes-400mb
Screenshots:
None
Threat Actors: Marat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of URL:Login:Pass combo list with 24.67 million lines
Category: Logs
Content: A threat actor using the handle Marat shared a URL:Login:Pass combo list on BreachForums allegedly containing 24,673,084 lines (~1.4 GB). The content is hidden behind a forum registration or login requirement, limiting direct verification. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-04T06:26:05Z
Network: openweb
Published URL: https://breachforums.rs/Thread-URL-LOGIN-PASS-Url-Log-Pass-24-673-084-M%C4%B1ll%C4%B1on-L%C4%B1nes-1-4gb
Screenshots:
None
Threat Actors: Marat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Indonesian National ID Numbers
Category: Data Leak
Content: A threat actor operating under the alias JAX7 has shared or made available a collection of Indonesian National ID numbers on a known cybercrime forum. No further details regarding the source, record count, or specific organization affected are available from the post content. The data appears to involve government-issued identification records belonging to Indonesian nationals.
Date: 2026-05-04T06:19:23Z
Network: openweb
Published URL: https://breached.st/threads/collection-of-indonesian-national-id-numbers.86747/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Mass Redefacement of Indonesian News Media Site by BULLYXPLOIT (Pasuruan sec Team)
Category: Defacement
Content: On May 4, 2026, threat actor BULLYXPLOIT, affiliated with Pasuruan sec Team, conducted a mass defacement targeting the admin panel of www.media-berita.com, an Indonesian news media website running on a Linux server. This incident is classified as both a mass defacement and a redefacement, indicating the attacker had previously compromised the same target. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-04T06:16:16Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248854
Screenshots:
None
Threat Actors: BULLYXPLOIT, Pasuruan sec Team
Victim Country: Indonesia
Victim Industry: Media & News
Victim Organization: Media Berita
Victim Site: www.media-berita.com
Website Defacement of Media Berita by BULLYXPLOIT (Pasuruan sec Team)
Category: Defacement
Content: On May 4, 2026, the Indonesian news/media website media-berita.com had its admin panel defaced by a threat actor operating under the handle BULLYXPLOIT, affiliated with Pasuruan sec Team. The attack targeted the /admin path of the website and was recorded as a single, non-mass defacement. A mirror of the defacement was archived on zone-xsec.com.
Date: 2026-05-04T06:14:15Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/917419
Screenshots:
None
Threat Actors: BULLYXPLOIT, Pasuruan sec Team
Victim Country: Indonesia
Victim Industry: Media and News
Victim Organization: Media Berita
Victim Site: www.media-berita.com
Alleged credit card drops offered by Vaild_Carding
Category: Data Leak
Content: User @Vaild_Carding is advertising the sale of stolen credit cards (cc drops) in the marketplace channel.
Date: 2026-05-04T06:04:56Z
Network: telegram
Published URL: https://t.me/c/2613583520/75114
Screenshots:
None
Threat Actors: Vaild_Carding
Victim Country: Unknown
Victim Industry: Financial
Victim Organization: Unknown
Victim Site: Unknown
Alleged Hotmail credential combo list shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias RetroCloud shared a combo list purportedly containing approximately 9,000 high-quality Hotmail credential hits on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting direct verification of the claims. The credentials are marketed as high-quality hits, suggesting they have been tested against the Hotmail service.
Date: 2026-05-04T05:50:57Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85-9k-hq-hotmail-hit-%E2%9C%85-298606
Screenshots:
None
Threat Actors: RetroCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias KiwiShio has shared a combo list consisting of 1,075 Hotmail credentials on a cybercrime forum. The content is marketed as fresh and high quality and is gated behind a registration or login requirement. No specific breach origin is identified; the list appears intended for credential stuffing against Hotmail accounts.
Date: 2026-05-04T05:50:38Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1075x-%E2%AD%90%E2%AD%90-fresh-hq-hotmail-%E2%AD%90%E2%AD%90-298607
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Amuse Crypt V2.0 Crypter and Obfuscation Tool on Cracking Forum
Category: Malware
Content: A threat actor operating under the alias LeviAiden07 is advertising Amuse Crypt V2.0 on a cracking forum, describing it as a file crypter and obfuscation tool designed to render executable payloads fully undetectable (FUD) against antivirus solutions. The tool purportedly supports EXE and DLL payload types, incorporates anti-analysis and anti-debugging mechanisms, and includes loader functionality for stealthy payload execution. A download link and VirusTotal scan result are referenced in the po
Date: 2026-05-04T05:49:21Z
Network: openweb
Published URL: https://demonforums.net/Thread-Amuse-Crypt-V-2-0–202740
Screenshots:
None
Threat Actors: LeviAiden07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Egyptian educational and HR institutions exposing student PII, ID scans, and employment records
Category: Data Breach
Content: A threat actor on BreachForums is offering for sale two alleged SQL databases totaling approximately 61.5 million records. The first database contains roughly 1 million student records including full names, Egyptian national ID numbers, dates and places of birth, home addresses, contact details, and high-resolution BLOB scans of student, mother, and father national IDs as well as passport or visa documents. The second database contains approximately 60 million records including master PII, natio
Date: 2026-05-04T05:42:35Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Egyptian-37GB-1-5M-Student-PII-ID-Scans-Parents-Passport-HR-DB-60M-RECORDS
Screenshots:
None
Threat Actors: bigF
Victim Country: Egypt
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Sale of financial transfer services across multiple payment platforms
Category: Services
Content: A threat actor operating under the alias Angelme is advertising fraudulent transfer services across multiple payment platforms including Cash App, PayPal, Skrill, Zelle, and Western Union. The post is listed under a combo list forum and describes the offerings as strict, suggesting a transactional service model. No additional post content was available to confirm specific pricing, methods, or volumes.
Date: 2026-05-04T05:35:14Z
Network: openweb
Published URL: https://altenens.is/threads/good-bins-and-methods-ready-instock-loading-cash-app-transfer-paypal-transfer-skrill-transfer-zelle-transfer-western-union-transfer-strict.2933861/unread
Screenshots:
None
Threat Actors: Angelme
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of Indonesian national ID numbers collection
Category: Data Leak
Content: A user named JAX7 on Breachforums has posted a collection of Indonesian national ID numbers. The thread on breached.st indicates a significant PII leak targeting Indonesian citizens identity documents.
Date: 2026-05-04T05:31:30Z
Network: telegram
Published URL: https://t.me/bsnsbsksjsk/12
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Government/National ID System
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of M-Websolutions by BULLYXPLOIT (Pasuruan sec Team)
Category: Defacement
Content: On May 4, 2026, a threat actor identified as BULLYXPLOIT, operating under the Pasuruan sec Team, defaced the development subdomain of M-Websolutions, a web solutions and technology services provider. The attack targeted a Linux-based server hosting the development environment at dev.m-websolutions.com. The incident was a targeted single-site defacement, with a mirror archived at haxor.id.
Date: 2026-05-04T05:29:06Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248852
Screenshots:
None
Threat Actors: BULLYXPLOIT, Pasuruan sec Team
Victim Country: Unknown
Victim Industry: Technology / Web Development
Victim Organization: M-Websolutions
Victim Site: www.dev.m-websolutions.com
Website Defacement of Mepiache Agencia Sobremesa by BULLYXPLOIT (Pasuruan sec Team)
Category: Defacement
Content: On May 4, 2026, a threat actor identified as BULLYXPLOIT, affiliated with Pasuruan sec Team, defaced the website of Mepiache Agencia Sobremesa, a Chilean marketing or advertising agency. The attack targeted a Linux-based web server and resulted in a single-page defacement. No specific motive was publicly stated for the attack.
Date: 2026-05-04T05:26:38Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/248853
Screenshots:
None
Threat Actors: BULLYXPLOIT, Pasuruan sec Team
Victim Country: Chile
Victim Industry: Marketing / Advertising
Victim Organization: Mepiache Agencia Sobremesa
Victim Site: www.mepiache.agenciasobremesa.cl
Sale of Solana cryptocurrency drainer with cooperative partnership offering
Category: Malware
Content: A threat actor on BreachForums is advertising a tier 1 Solana drainer tool and seeking cooperative partners. The seller claims the ability to create custom phishing landing pages tailored to the buyers traffic sources. The post solicits direct messages from interested parties for collaboration arrangements.
Date: 2026-05-04T05:25:47Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Solana-drainer-co-op
Screenshots:
None
Threat Actors: lordrings10
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Indonesia government domain database
Category: Data Leak
Content: A threat actor using the handle Mr.ZeroPhx100 claims to have leaked a database associated with Indonesian government domains under the go.id top-level domain. The post offers a download link for the alleged data. No additional details regarding record count, affected agency, or data fields were provided.
Date: 2026-05-04T05:11:42Z
Network: openweb
Published URL: https://breached.st/threads/database-indonesia-go-id.86744/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Unknown
Victim Site: go.id
Alleged Data Leak of Indonesian National Civil Administration Database (Dukcapil Kemendagri)
Category: Data Leak
Content: A threat actor using the alias MrJupiter has freely shared a 100-row sample dataset allegedly sourced from the Indonesian Ministry of Home Affairs civil registration system (Dukcapil). The leaked data purportedly contains National Identification Numbers (NIK) and full residential addresses of Indonesian citizens. The post implies a broader dataset exists beyond the shared sample, framing the release as evidence of inadequate security controls.
Date: 2026-05-04T05:11:08Z
Network: openweb
Published URL: https://breached.st/threads/free-database-samples-dukcapil-kemendagri-go-id.86745/unread
Screenshots:
None
Threat Actors: MrJupiter
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Directorate General of Population and Civil Registration (Dukcapil Kemendagri)
Victim Site: dukcapil.kemendagri.go.id
Alleged sale of Japanese population database with 20 million records
Category: Data Breach
Content: A threat actor operating under the alias CY8ER N4TI0N, claiming affiliation with SULAWESI HACKTIVIST INDONESIA, is offering for sale an alleged Japanese population database containing approximately 20 million records priced at $9,500 USD. The dataset includes fields such as national ID number, date of birth, full name, city, address, and phone number. Sample records containing Japanese personal information are provided as proof of the claimed data.
Date: 2026-05-04T05:10:33Z
Network: openweb
Published URL: https://breached.st/threads/database-japanese-population-database-20-million-lines.86746/unread
Screenshots:
None
Threat Actors: CY8ER N4TI0N
Victim Country: Japan
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Sale of Government and Law Enforcement Email Accounts for Data Requests, Surveillance, and Impersonation
Category: Services
Content: A threat actor on the Sellers Place forum is advertising the sale of compromised government and law enforcement email accounts spanning multiple regions including Africa, Asia, Europe, and Spanish-speaking countries. The accounts allegedly grant access to law enforcement portals for major social media platforms, enabling emergency data requests, subpoena filing, account suspension, and content removal. The seller claims these accounts can also be used for subpoena forgery, impersonation of offic
Date: 2026-05-04T05:06:49Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-1-Government-Law-Enforcement-Email-Access–1022
Screenshots:
None
Threat Actors: Governer
Victim Country: Unknown
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 4,968 mixed email credentials shared on forum
Category: Combo List
Content: A threat actor operating under the alias NovaCloudx shared a combo list containing 4,968 mixed email credentials on a cybercrime forum. The content is gated behind a registration or login requirement. No specific breach origin or target service is identified in the post.
Date: 2026-05-04T04:40:09Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9A%A14968x-mixmail%E2%9A%A1%E2%9C%85
Screenshots:
None
Threat Actors: NovaCloudx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Advertisement of SMTP-to-SMS Gateway Tutorial Service on Cybercrime Forum
Category: Services
Content: A forum post on DemonForums advertises a tutorial or guide on leveraging SMTP-to-SMS gateways to send SMS messages via email protocols. The post appears to be promoting a service or instructional content related to SMS delivery using SMTP infrastructure. No specific victim, breach, or malicious payload is identified in the available content.
Date: 2026-05-04T04:37:45Z
Network: openweb
Published URL: https://demonforums.net/Thread-%E2%9C%85-Send-SMS-Like-Email-Master-SMTP-to-SMS-Gateways-in-2026%E2%9C%85
Screenshots:
None
Threat Actors: smtps4foryou
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged WhiteDns Malicious DNS Tool Distribution by Iranian Threat Actor Group
Category: Malware
Content: Iranian threat actor group distributing WhiteDns, an Android application that functions as a DNS proxy tool built on StormDns core. The tool allows users to input DNS servers and operates in multiple phases with enhanced capabilities beyond stated functionality. Analysis includes GitHub repository link, direct APK download, and 54 identified DNS server IP addresses used for command & control and proxy operations.
Date: 2026-05-04T04:37:24Z
Network: telegram
Published URL: https://t.me/c/3575098403/155
Screenshots:
None
Threat Actors: WhiteDns Group
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of compromised email accounts and marketplace credentials across multiple countries
Category: Combo List
Content: Threat actor advertising fresh database of compromised accounts across UK, DE, JP, NL, BR, PL, ES, US, IT and other countries. Offering access to webmail accounts (ntlworld), eBay, Offerup, PSN, Booking, Uber, Poshmark, Alibaba, Walmart, Amazon, Mercari, Kleinanzeigen, and Neosurf accounts. Claims to have private cloud infrastructure and offers custom searches by keyword.
Date: 2026-05-04T04:22:53Z
Network: telegram
Published URL: https://t.me/c/2613583520/75073
Screenshots:
None
Threat Actors: Num
Victim Country: United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, United States, Italy
Victim Industry: Multiple (e-commerce, email, gaming, travel, payment services)
Victim Organization: Unknown
Victim Site: Unknown
Sale of Europe and USA Combo Lists
Category: Combo List
Content: A threat actor on AE forum is offering combo lists purportedly covering Europe and USA regions, marketed as high quality and fully valid. No post content was available to confirm specific details such as record count, targeted services, or pricing.
Date: 2026-05-04T04:11:46Z
Network: openweb
Published URL: https://altenens.is/threads/star100-full-validstarhigh-qualitystareurope-usa-combolists-star.2933817/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
WordPress admin login credentials combo list shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias hangover934 shared a combo list on the AE forum containing WordPress admin panel login credentials in login:password format along with associated URLs. The post advertises the credentials as usable for accessing WordPress admin dashboards. No specific victim organizations, record counts, or pricing details are available from the post content.
Date: 2026-05-04T04:09:21Z
Network: openweb
Published URL: https://altenens.is/threads/check-mark-buttonstarwordpresscheck-mark-buttonstaradminstarurlsstarlogin-pass.2933825/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of stolen credit card data and compromised email accounts
Category: Combo List
Content: Multiple threat actors operating in Squad Chat Marketplace advertising the sale of stolen credit card data, combolists, and access to compromised email accounts (Hotmail, webmail). Vendors claim to have 100k+ daily supply of valid cards from US, UK, DE, JP, NL, BR, PL, ES, IT and other countries. Pricing ranges from $1-3 USD per valid card depending on country. Also advertising access to private cloud databases containing Hotmail credentials and geo-specific datasets for platforms including eBay, Walmart, Uber, Poshmark, and Kleinanzeigen.
Date: 2026-05-04T04:06:25Z
Network: telegram
Published URL: https://t.me/c/2613583520/75048
Screenshots:
None
Threat Actors: AllCards
Victim Country: United States, United Kingdom, Germany, Japan, Netherlands, Brazil, Poland, Spain, Italy, France, Russia, Mexico, Canada, Singapore
Victim Industry: Financial services, E-commerce, Email providers
Victim Organization: Unknown
Victim Site: Unknown
Combo list of alleged valid Hotmail credentials
Category: Combo List
Content: A threat actor operating under the alias redcloud shared a combo list purportedly containing 7,400 valid Hotmail email credentials. The post is dated 04.05 and the credentials are marketed as verified mail access. As is typical for combo lists, the named service is a credential-stuffing target and not the source of a breach.
Date: 2026-05-04T04:05:48Z
Network: openweb
Published URL: https://altenens.is/threads/7-4k-high-voltagehotmailhigh-voltagevalid-mail-access-04-05.2933823/unread
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged stealer logs with URL/credential data
Category: Logs
Content: A threat actor operating under the alias RedCloud is offering a collection of stealer logs advertised as containing URLs, login names, and passwords. The dataset is described as private and high quality, with approximately 3.5 million records dated April 5, 2026. Access to the download is restricted to forum members who reply to the thread or hold a premium account, with a Telegram contact provided for further communication.
Date: 2026-05-04T03:52:29Z
Network: openweb
Published URL: https://darkforums.su/Thread-%E2%9A%A1-3-5M-URL-LOG-PASS-PRIVATE-UHQ%E2%9A%A1
Screenshots:
None
Threat Actors: RedCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of multiple French sports federations
Category: Data Leak
Content: A threat actor is sharing data purportedly obtained from ten or more French sports federations, including those for swimming, archery, boxing, badminton, basketball, kickboxing, motorcycling, handball, and hockey. The content is gated behind a points-based paywall on the forum. No specific record counts or data field details are provided in the post.
Date: 2026-05-04T03:39:05Z
Network: openweb
Published URL: https://pwnforums.st/Thread-FEDERATIONS-SPORTIVES-FRANCAISES-10-et-plus
Screenshots:
None
Threat Actors: selluk
Victim Country: France
Victim Industry: Sports & Recreation
Victim Organization: Multiple French Sports Federations
Victim Site: Unknown
Alleged data breach of Malakoff Humanis
Category: Data Breach
Content: A threat actor on a cybercrime forum is offering an alleged database dump attributed to Malakoff Humanis, a French insurance and mutual protection group. The dataset purportedly contains approximately 498,000 records including email addresses, IP addresses, geolocation data (longitude and latitude), site information, and other unspecified fields. The content is locked behind a point-based paywall on the forum.
Date: 2026-05-04T03:38:27Z
Network: openweb
Published URL: https://pwnforums.st/Thread-French-DB-malakoffhumanis-com-498k
Screenshots:
None
Threat Actors: selluk
Victim Country: France
Victim Industry: Insurance
Victim Organization: Malakoff Humanis
Victim Site: malakoffhumanis.com
Alleged CVV Code Sales Operation
Category: Logs
Content: User advertising CVV (Card Verification Value) code sales through Telegram account @Nikiccv. Post indicates a marketplace for purchasing stolen or fraudulent payment card data across multiple regions.
Date: 2026-05-04T03:30:13Z
Network: telegram
Published URL: https://t.me/Nikita1ccv/15
Screenshots:
None
Threat Actors: Nikiccv
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of large-scale URL:Log:Pass combo list
Category: Combo List
Content: A forum user on a cybercrime platform has shared a combo list advertised as containing over 8 million URL:login:password credential pairs, distributed as part 315 of an ongoing free release series. The content is gated behind registration or login on the forum. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-04T03:29:00Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-url-log-pass-free-best-lines-8-million-lines-part-315
Screenshots:
None
Threat Actors: lexityfr
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of phone number and password combo list
Category: Combo List
Content: A threat actor on a cybercrime forum is advertising a combo list consisting of phone number and password credential pairs, marketed as high quality and private. No specific victim organization, record count, or targeted service is identified in the post.
Date: 2026-05-04T03:27:30Z
Network: openweb
Published URL: https://nulledbb.com/thread-%E2%AD%90%EF%B8%8F%E2%98%81PHONE-NUMBER-PASS%E2%AD%90%EF%B8%8FHQ-PRIVATE%E2%AD%90%EF%B8%8F–2290292
Screenshots:
None
Threat Actors: hangover2055
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of Multi-Country Credential Combo List Targeting USA and Europe
Category: Combo List
Content: A forum user on NulledBB shared a combo list described as containing credential hits from the United States and European countries. The post markets the content as an exclusive mix of verified credentials organized by country. No specific victim organization or record count was disclosed.
Date: 2026-05-04T03:27:00Z
Network: openweb
Published URL: https://nulledbb.com/thread-%E2%AD%90%EF%B8%8FBY-COUNTRIES%E2%AD%90%EF%B8%8FHITS-MIX-USA%E2%AD%90%EF%B8%8FEUROPE%E2%AD%90%EF%B8%8FEXCLUSIVE-COMBOLIST%E2%98%81%E2%AD%90%EF%B8%8F–2290289
Screenshots:
None
Threat Actors: hangover2055
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged valid mixed email access combo list
Category: Combo List
Content: A threat actor operating under the alias RedCloud is distributing a combo list advertised as 17,100 mixed valid mail access credentials on a cybercrime forum. The post markets the list as private and ultra-high quality (UHQ), dated 04.05.2026. Distribution is facilitated via a hidden download link requiring forum registration, with contact offered through Telegram handle @tutuba5m.
Date: 2026-05-04T03:26:54Z
Network: openweb
Published URL: https://demonforums.net/Thread-17-1K-%E2%9C%A8-Mix-%E2%9C%A8-Valid-Mail-Access-04-05
Screenshots:
None
Threat Actors: RedCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged valid Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias Roronoa044 is advertising a combo list of alleged valid Hotmail credentials, described as UHQ (ultra-high quality) and stored on a private cloud. The post directs interested parties to a Telegram contact for access, with the actual content hidden behind a forum registration or login requirement.
Date: 2026-05-04T03:25:54Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-X1421-Valid-UHQ-Hotmail-%E2%9A%A1%E2%9A%A1–20026
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged mixed valid email access combo list
Category: Combo List
Content: A threat actor operating under the alias RedCloud is distributing a combo list advertised as containing 17,100 mixed valid email access credentials. The post is dated 04.05.2026 and markets the list as private and ultra-high quality (UHQ). A Telegram contact is provided alongside a hidden download link requiring forum registration or login.
Date: 2026-05-04T03:25:32Z
Network: openweb
Published URL: https://leakforum.io/Thread-17-1K-%E2%9C%A8-Mix-%E2%9C%A8-Valid-Mail-Access-04-05
Screenshots:
None
Threat Actors: RedCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of Combo List Parsing and Cleaning Tool on Cracking Forum
Category: Combo List
Content: A threat actor operating under the alias AWSCRACKSISTEM shared a tool titled Fast Combo Parser v2.0 on a cracking forum, advertised as capable of cleaning and extracting combo lists across multiple folders. The tool is designed to facilitate the processing and organization of credential lists for use in credential stuffing or related attacks. No specific victim organization, record count, or pricing details were disclosed in the post.
Date: 2026-05-04T03:24:37Z
Network: openweb
Published URL: https://demonforums.net/Thread-TOOL-Fast-Combo-Parser-v2-0-Clean-Extract-Multi-Folder
Screenshots:
None
Threat Actors: AWSCRACKSISTEM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list offering URL:Login:Pass credentials
Category: Combo List
Content: A forum post on AE by user hangover934 advertises a high-quality private combo list in URL:Login:Pass (ULP) format. No post content was available for further analysis. The credentials are likely intended for credential stuffing use across multiple services.
Date: 2026-05-04T03:10:44Z
Network: openweb
Published URL: https://altenens.is/threads/star-url-login-passstar-ulp-starhq-privatestar.2933801/unread
Screenshots:
None
Threat Actors: hangover934
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of prepaid linkable debit cards for payment platform fraud
Category: Carding
Content: A forum actor is advertising prepaid linkable debit cards claimed to be compatible with multiple digital payment platforms including CashApp, Apple Pay, PayPal, Skrill, Zelle, and Venmo. The post markets these as clone cards available in stock. No further details regarding pricing, quantity, or card origin are available from the post content.
Date: 2026-05-04T02:53:29Z
Network: openweb
Published URL: https://altenens.is/threads/fresh-prepaid-linkable-debits-available-instock-for-cashapp-applepay-paypal-skrill-zelle-venmo-etc-and-they-really-hitting-lit-asf-clone-card.2933796/unread
Screenshots:
None
Threat Actors: Calij
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Arc Reinsurance Brokers SAL and Fidelity United
Category: Data Breach
Content: A threat actor operating under the alias XOverStm is offering for sale a 400GB dataset allegedly exfiltrated from Arc Reinsurance Brokers SAL and Fidelity United. The data purportedly includes legal licenses, tax documents, official contracts, KYC and KYC TOBA files, employee personal data (passports, ID cards, emails, career details), and internal management communications. The seller provides a 5GB sample and offers contact via Telegram and TOX, with escrow available, and is affiliated with th
Date: 2026-05-04T02:48:20Z
Network: openweb
Published URL: https://breached.st/threads/arc-reinsurance-brokers-sal-and-fidelity-united-for-sale.86741/unread
Screenshots:
None
Threat Actors: XOverStm
Victim Country: Lebanon
Victim Industry: Finance
Victim Organization: Arc Reinsurance Brokers SAL, Fidelity United
Victim Site: Unknown
Alleged data leak of Kementerian Agama Indonesia (Ministry of Religious Affairs)
Category: Data Leak
Content: A threat actor operating under the alias x0ghost, claiming affiliation with Killer Sec Team, has shared what they allege to be a database belonging to the Indonesian Ministry of Religious Affairs (Kementerian Agama Indonesia). The post includes a download link for the alleged database dump and contains politically motivated messaging directed at the Indonesian government. No record count or specific data fields were disclosed in the post.
Date: 2026-05-04T02:47:22Z
Network: openweb
Published URL: https://breached.st/threads/database-kementrian-agama-indonesia.86742/unread
Screenshots:
None
Threat Actors: x0ghost
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kementerian Agama Indonesia (Ministry of Religious Affairs)
Victim Site: kemenag.go.id
Alleged data leak of Kartu Indonesia Pintar database
Category: Data Leak
Content: A threat actor operating under the handle x0ghost and affiliated with Killer Sec Team claims to have leaked a database associated with Kartu Indonesia Pintar, an Indonesian government social assistance program. The data has been made available for download via a forum post on Breached. No further details regarding record count or specific data fields were provided in the post.
Date: 2026-05-04T02:46:49Z
Network: openweb
Published URL: https://breached.st/threads/database-lrak-kartu-indonesia-pintar.86743/unread
Screenshots:
None
Threat Actors: x0ghost
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Kartu Indonesia Pintar
Victim Site: Unknown
Alleged data breach of Infodesk exposing employee records from multiple organizations
Category: Data Breach
Content: A threat actor is selling data allegedly obtained from a February 2026 breach of Infodesk, a software provider. The exposed dataset contains employee email addresses and names across 18 client organizations including Johnson & Johnson, Moderna, Merck, GSK, Sanofi, and the IMF, organized in per-client CSV files. Total record counts across the sampled files exceed 10,000 individual employee records.
Date: 2026-05-04T02:44:29Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-Infodesk-Database-employee-lists-from-JNJ-Moderna-Novonesis-and-more–1014
Screenshots:
None
Threat Actors: art
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Infodesk
Victim Site: infodesk.com
Sale of Kick.com Viewer Bot Source Code with Proxy Support and Anti-Ban Features
Category: Services
Content: A threat actor on PwnForums is offering the source code of a viewer bot targeting Kick.com, a live streaming platform. The tool supports proxy rotation, anti-ban mechanisms, and configurable viewer counts up to 5,000 simulated viewers, with delivery times of 1 to 15 minutes. The source code is gated behind a points-based paywall on the forum.
Date: 2026-05-04T02:29:42Z
Network: openweb
Published URL: https://pwnforums.st/Thread-SOURCE-CODE-KICK-COM-VIEWER-BOT-HIGH-SPEED-PROXY-SUPPORT-ANTI-BAN
Screenshots:
None
Threat Actors: Muro
Victim Country: Unknown
Victim Industry: Entertainment
Victim Organization: Kick.com
Victim Site: kick.com
Alleged sale of webshells and mass exploitation tools for government and educational institutions
Category: Initial Access
Content: Threat actor offering webshells for government (.gov), educational (.edu), academic (.ac), and other institutional domains (.go, .gob) along with WHM exploit tools and methods for extracting WordPress login credentials and cPanel access. Seller contact: @Rici144
Date: 2026-05-04T02:16:15Z
Network: telegram
Published URL: https://t.me/worldofshells/47
Screenshots:
None
Threat Actors: Rici144
Victim Country: Unknown
Victim Industry: Government, Education
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of Hotmail combo list
Category: Combo List
Content: A threat actor on BreachForums shared a combo list advertised as containing 3,001 high-quality, fresh Hotmail credentials via a LimeWire download link. The credentials are marketed as high-quality and recently obtained. This is a credential stuffing resource and does not represent a breach of Hotmail or Microsoft.
Date: 2026-05-04T02:02:21Z
Network: openweb
Published URL: https://breachforums.rs/Thread-3001-HQ-FRESH-HOTMAILS
Screenshots:
None
Threat Actors: Lvx2Grn
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of LinkedIn database
Category: Data Leak
Content: A threat actor operating under the alias Xyph0rix claims to be sharing a 15GB LinkedIn database file via a download link. The post does not specify the number of records, the data fields contained, or the origin of the alleged dataset. No price is mentioned, suggesting the data is being made available for free.
Date: 2026-05-04T01:53:25Z
Network: openweb
Published URL: https://breached.st/threads/15gb-database-linkedin.86737/unread
Screenshots:
None
Threat Actors: Xyph0rix
Victim Country: United States
Victim Industry: Technology
Victim Organization: LinkedIn
Victim Site: linkedin.com
Alleged data leak of SMP Islam Terpadu Assalaam
Category: Data Leak
Content: A threat actor operating under the alias Mr.ZeroPhx100 leaked a partial database allegedly belonging to SMP Islam Terpadu Assalaam, an Indonesian Islamic middle school. The leaked data includes Indonesian national identity numbers (NIK/Nomor Induk Kependudukan), phone numbers, and employee identification numbers (NIP/Nomor Induk Pegawai) published as SQL INSERT statements. The data appears to pertain to students and/or staff affiliated with the institution.
Date: 2026-05-04T01:52:51Z
Network: openweb
Published URL: https://breached.st/threads/database-smp-islam-terpandu-assalaam.86738/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: SMP Islam Terpadu Assalaam
Victim Site: Unknown
Alleged data breach of Universitas Udayana
Category: Data Breach
Content: A threat actor operating under the alias Mr.ZeroPhx100 posted a thread on a known cybercrime forum alleging a database breach of Universitas Udayana, an Indonesian public university. No post content was available to confirm the nature, scope, or authenticity of the claimed data. The record count and specific data types exposed remain unknown.
Date: 2026-05-04T01:52:16Z
Network: openweb
Published URL: https://breached.st/threads/database-universitas-udayana.86739/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Universitas Udayana
Victim Site: unud.ac.id
Alleged sale of custom DDoS infrastructure and stress testing services
Category: Malware
Content: Threat actor offering fully customizable DDoS infrastructure services including CNC panels, stress testing sites, and APIs with custom branding. Minimum purchase of 10 slots required. L7 DDoS attacks supported. Contact via Telegram for pricing and details.
Date: 2026-05-04T01:51:51Z
Network: telegram
Published URL: https://t.me/cashnetworkc2/359
Screenshots:
None
Threat Actors: muchbetterkyless
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of SMAN 60 Jakarta
Category: Data Leak
Content: A threat actor operating under the alias Mr.ZeroPhx100 claims to have leaked a database associated with SMAN 60 Jakarta, a state senior high school in Indonesia. The post was published on the Breached forum and attributed solely to the threat actor. No further details regarding record count, data fields, or method of compromise were provided in the post.
Date: 2026-05-04T01:51:41Z
Network: openweb
Published URL: https://breached.st/threads/database-sman-60-jakarta.86740/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: SMAN 60 Jakarta
Victim Site: Unknown
Alleged sale of credential combolists and email access across multiple platforms
Category: Combo List
Content: Vendor advertising sale of credential combolists (email:password combinations) for Hotmail, Yahoo, and access to multiple platforms including Amazon, Facebook, eBay, PayPal, and Kleinanzeigen. Seller offers private cloud hotmail UHQ combos and bases for multiple countries (DE, FR, IT, BR, UK, US, JP, PL, RU, ES, NL, MX, CA, SG). Pricing structure mentioned with per-valid-credential charges.
Date: 2026-05-04T01:29:57Z
Network: telegram
Published URL: https://t.me/c/2613583520/74975
Screenshots:
None
Threat Actors: _emanthy
Victim Country: Unknown
Victim Industry: Multiple (email providers, e-commerce platforms)
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed mail access combo list
Category: Combo List
Content: A threat actor using the handle itswolfx is offering a mixed mail access combo list described as private and fresh on a cybercrime forum. The content is hidden behind a registration or login requirement, limiting visibility into the specific volume or mail providers included. The credentials are marketed as full access and of recent validity.
Date: 2026-05-04T01:28:55Z
Network: openweb
Published URL: https://patched.to/Thread-mixed-%E2%9A%A1mail-access-full-private-fresh-298581
Screenshots:
None
Threat Actors: itswolfx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of EU Hotmail combo list on cybercrime forum
Category: Combo List
Content: A threat actor operating under the alias BedrockDB is distributing a combo list of approximately 100 EU-based Hotmail credentials on a cybercrime forum. The post markets the credentials as fresh, private, and previously unused. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-04T01:28:37Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%A5-0-1k-fresh-eu-hotmail-100-private-untouched-no-recycle-%F0%9F%94%A5
Screenshots:
None
Threat Actors: BedrockDB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail email access combo list
Category: Combo List
Content: A threat actor identified as liamgoat is sharing a combo list purportedly containing approximately 100 Hotmail email credentials with mail access. The content is hidden behind a registration or login requirement on the forum. This post represents a credential stuffing resource targeting Hotmail accounts, not a breach of Microsoft or Hotmail directly.
Date: 2026-05-04T01:28:17Z
Network: openweb
Published URL: https://patched.to/Thread-0-1k-hq-hotmail-mail-access-combolist-298583
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 860 Hotmail credential hits shared by threat actor
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list purportedly containing 860 valid Hotmail credential hits on the AE forum. The credentials are marketed as fresh and valid, suggesting recent testing against Hotmail accounts. No additional details regarding the source or composition of the list were provided in the post.
Date: 2026-05-04T01:20:16Z
Network: openweb
Published URL: https://altenens.is/threads/860x-fresh-valid-hotmail-hits-ebbi_cloud.2933755/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of alleged valid Hotmail credentials shared on forum
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list purportedly containing 964 validated Hotmail credentials, marketed as fresh hits. The post was made available on the AE combo list forum section. No additional details regarding the source or composition of the credentials were provided in the post content.
Date: 2026-05-04T01:17:59Z
Network: openweb
Published URL: https://altenens.is/threads/964x-fresh-valid-hotmail-hits-ebbi_cloud.2933756/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 15GB LinkedIn database
Category: Data Leak
Content: A user named xyph0rix has posted a thread on Breachforums offering a 15GB database allegedly from LinkedIn. The post includes a link to the users profile and the specific thread discussing the leaked data.
Date: 2026-05-04T01:17:18Z
Network: telegram
Published URL: https://t.me/Xyph0rix/281
Screenshots:
None
Threat Actors: xyph0rix
Victim Country: United States
Victim Industry: Technology/Social Media
Victim Organization: LinkedIn
Victim Site: linkedin.com
Distribution of 3.3GB URL:Login:Password credential logs from stealer output
Category: Logs
Content: A threat actor identified as WhiteMelly shared a 3.3GB dataset containing URL:login:password lines described as originating from stealer logs. The data was made available on the AE – Leaked Databases forum. No specific victim organization or targeted service was identified in the post.
Date: 2026-05-04T01:15:22Z
Network: openweb
Published URL: https://altenens.is/threads/3-3gb-url-login-pass-lines-from-logs.2933736/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of stealer logs (1.4GB)
Category: Logs
Content: A threat actor operating under the alias WhiteMelly shared a post on the AE forum advertising 1.4GB of stealer logs. No additional details regarding the content, origin, or targeted organizations were provided in the post. The nature and scope of the data cannot be further verified from the available information.
Date: 2026-05-04T01:12:54Z
Network: openweb
Published URL: https://altenens.is/threads/1-4gb-full-logs.2933733/unread
Screenshots:
None
Threat Actors: WhiteMelly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Samut Sakhon Provincial Administration Office database
Category: Data Leak
Content: A threat actor known as Mr.ZeroPhx100 claims to have leaked a database attributed to the Samut Sakhon Provincial Administration Office in Thailand. The post includes SQL INSERT statements containing email addresses and NPWP (tax identification) numbers. The data was shared publicly on the Breached forum at no charge.
Date: 2026-05-04T00:50:19Z
Network: openweb
Published URL: https://breached.st/threads/database-samut-sakhon-provincial-administration-office-thailand.86736/unread
Screenshots:
None
Threat Actors: Mr.ZeroPhx100
Victim Country: Thailand
Victim Industry: Government
Victim Organization: Samut Sakhon Provincial Administration Office
Victim Site: Unknown
Alleged distribution of private combo list by threat actor Nexus Cloud
Category: Combo List
Content: A threat actor operating under the alias mrglitchxxxx is distributing an alleged 2 million-record ULP (URL:Login:Password) combo list attributed to Nexus Cloud on a cybercrime forum. Access to the hidden content requires forum registration or login, with the post soliciting replies and engagement for further drops. No specific targeted service, industry, or geographic region is identified in the post.
Date: 2026-05-04T00:25:35Z
Network: openweb
Published URL: https://patched.to/Thread-2m-private-ulp-by-nexus-cloud-05-03-2026
Screenshots:
None
Threat Actors: mrglitchxxxx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 4,140 mixed EU mail access credentials shared on forum
Category: Combo List
Content: A threat actor on the Patched.to forum shared a combo list containing 4,140 lines of mixed email access credentials targeting European Union mail services. The content is hidden behind a registration or login requirement. The post markets the credentials as verified working mail access.
Date: 2026-05-04T00:25:02Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-4-140-lines-good-mail-access-mixed-eu
Screenshots:
None
Threat Actors: cloudkaraoke
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of verified EU mixed combo list
Category: Combo List
Content: A threat actor operating under the alias BedrockDB is distributing a combo list advertised as containing approximately 200 verified EU mixed credentials. The post claims the list is anti-public, suggesting it has not been previously circulated. Access to the content requires forum registration or login.
Date: 2026-05-04T00:24:19Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1-0-2k-verified-eu-mixed-combo-anti-public-pull-%E2%9A%A1-298580
Screenshots:
None
Threat Actors: BedrockDB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias sakuraCloud5 is offering a combo list of Hotmail email credentials on the forum PT – Combolist. The credentials are marketed as fresh and private. The actual content is hidden behind a registration or login wall, limiting further verification of record count or data scope.
Date: 2026-05-04T00:23:25Z
Network: openweb
Published URL: https://patched.to/Thread-mixed-hotmail%F0%9F%8C%B8-mail-access-full-private-fresh-298573
Screenshots:
None
Threat Actors: sakuraCloud5
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of URL:Log:Pass combo list via Vulta.pw service
Category: Logs
Content: A threat actor operating under the handle vultapower is advertising a dataset of 22.85 million URL:login:password credential records marketed as fresh, distributed via the Vulta.pw platform and a Telegram channel. The post promotes access to an automated bot and support infrastructure, suggesting an ongoing commercial credential distribution service.
Date: 2026-05-04T00:22:43Z
Network: openweb
Published URL: https://nulledbb.com/thread-%E2%9A%A1URL-LOG-PASS-22-85-M-%E2%AD%90%EF%B8%8FVULTA-PW%E2%AD%90%EF%B8%8F-FRESH-%E2%9A%A1
Screenshots:
None
Threat Actors: vultapower
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of stealer logs with URL, login, and password data via Vulta.pw
Category: Logs
Content: A threat actor operating under the handle vultapower is offering a dataset of approximately 22.85 million URL, login, and password records via the Vulta.pw platform, with Telegram support at vultanetworks. The post advertises the logs as fresh and provides access through a hidden content gate requiring forum registration or login. The offering includes bot and admin automation infrastructure associated with the Vulta service.
Date: 2026-05-04T00:22:29Z
Network: openweb
Published URL: https://leakforum.io/Thread-%E2%9A%A1URL-LOG-PASS-22-85-M-%E2%AD%90%EF%B8%8FVULTA-PW%E2%AD%90%EF%B8%8F-FRESH-%E2%9A%A1
Screenshots:
None
Threat Actors: vultapower
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Malaysian citizens personal and contact information
Category: Data Leak
Content: A threat actor on a darknet forum is distributing a database of 50,001 alleged Malaysian citizen records, including full names, mobile numbers, WhatsApp-linked numbers, SMS delivery status, and regional information. The dataset claims 100% unique mobile numbers with verified SMS deliverability, with coverage across multiple Malaysian states including Kuala Lumpur and Penang. No source organization or breach origin is identified in the post.
Date: 2026-05-04T00:21:47Z
Network: openweb
Published URL: https://darkpro.net/threads/malaysia-citizens-%E2%80%94-50k-verified-phone-numbers-database.23014/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Malaysia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 190,000 mixed email and password credentials shared on forum
Category: Combo List
Content: A threat actor operating under the alias carlos080 shared a combo list containing approximately 190,000 mixed email and password credential pairs on the AE forum. The credentials are marketed as fresh and high quality. No specific target organization or service is identified in the post.
Date: 2026-05-04T00:20:40Z
Network: openweb
Published URL: https://altenens.is/threads/190k-fresh-hq-combolist-email-pass-mixed.2933700/unread
Screenshots:
None
Threat Actors: carlos080
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the handle Ebbicloud is distributing a combo list advertised as containing 245 Hotmail credentials, marketed as 100% valid. The post, shared on the AE forum, promotes the list under the Gold Edition branding. No additional context or post content was available to verify claims.
Date: 2026-05-04T00:18:14Z
Network: openweb
Published URL: https://altenens.is/threads/sparkles-245-hotmail-gold-edition-100-valid-rocket-ebbi_cloud.2933714/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged distribution of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the handle Ebbicloud shared a combo list purportedly containing 256 Hotmail credentials, marketed as 100% valid. The post was published on the AE forum under the combo list section. No additional context or post content was available to further verify the claims.
Date: 2026-05-04T00:15:49Z
Network: openweb
Published URL: https://altenens.is/threads/sparkles-256-hotmail-super-valid-100-valid-trophy-ebbi_cloud.2933716/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud is advertising a combo list of 80 Hotmail credentials, claimed to be 100% valid. The post was shared on the AE forum under the combo list section. No additional details regarding the source or composition of the credentials are available from the post content.
Date: 2026-05-04T00:13:32Z
Network: openweb
Published URL: https://altenens.is/threads/high-voltage-80-hotmail-elite-access-100-valid-fire-ebbi_cloud.2933718/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the handle Ebbicloud is distributing a combo list purportedly containing 115 Hotmail credentials marketed as 100% valid. The post was shared on the AE forum under a combo list thread. No additional technical details or pricing information are available from the post content.
Date: 2026-05-04T00:11:05Z
Network: openweb
Published URL: https://altenens.is/threads/direct-hit-115-hotmail-elite-access-100-valid-rocket-ebbi_cloud.2933719/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale and rental of LinkedIn accounts
Category: Initial Access
Content: Threat actor offering multiple LinkedIn accounts available for both rental and sale. No specific pricing mentioned in the excerpt. This represents a potential initial access vector for account compromise, credential fraud, and social engineering campaigns.
Date: 2026-05-04T00:09:40Z
Network: telegram
Published URL: https://t.me/c/2613583520/74949
Screenshots:
None
Threat Actors: Elias
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: linkedin.com
Combo List of 248 Hotmail Credentials Advertised as Valid
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud has shared or distributed a combo list containing 248 Hotmail credentials, marketed as fresh and fully valid. The post was made on the AE forum and attributed to the @ebbi_cloud handle. No additional details regarding the origin of the credentials are available from the post content.
Date: 2026-05-04T00:08:40Z
Network: openweb
Published URL: https://altenens.is/threads/direct-hit-248-hotmail-ultra-fresh-100-valid-rocket-ebbi_cloud.2933720/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor operating under the handle Ebbicloud is sharing or selling a combo list of 287 Hotmail credentials, marketed as 100% valid. The post was shared on the AE forum under a combo list thread. No additional details about the origin of the credentials or pricing are available from the post content.
Date: 2026-05-04T00:06:14Z
Network: openweb
Published URL: https://altenens.is/threads/sparkles-287-hotmail-gold-edition-100-valid-star-ebbi_cloud.2933717/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of 264 Hotmail credentials
Category: Combo List
Content: A threat actor operating under the alias Ebbicloud shared a combo list purportedly containing 264 Hotmail credentials, advertised as 100% valid. The post was made on the AE forum and attributed to the Telegram channel @ebbi_cloud. No additional content or context was available in the post.
Date: 2026-05-04T00:03:48Z
Network: openweb
Published URL: https://altenens.is/threads/crown-264-hotmail-premium-valid-100-valid-ringed-planet-ebbi_cloud.2933721/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 145 alleged valid Hotmail credentials shared on cybercrime forum
Category: Combo List
Content: A threat actor operating under the handle Ebbicloud shared a combo list containing 145 Hotmail credentials on the AE forum, marketed as 100% valid. The post is consistent with credential stuffing material targeting Microsoft Hotmail accounts.
Date: 2026-05-04T00:01:21Z
Network: openweb
Published URL: https://altenens.is/threads/rocket-145-hotmail-premium-valid-100-valid-high-voltage-ebbi_cloud.2933722/unread
Screenshots:
None
Threat Actors: Ebbicloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown