Executive Summary
This report details significant cybersecurity incidents reported on May 12, 2025. A high volume of activity was observed, dominated by data breaches and data leak events, with threat actors frequently leveraging dark web forums such as darkforums.st, xss.is, and exploit.in for advertisement and sale. Hacktivism remains a prominent motivator, with groups like INDOHAXSEC, Team Azrael Angel Of Death, and CyberVolk Arcanum launching attacks aligned with geopolitical tensions, particularly targeting entities in India, Pakistan, and Israel. The sale of initial access to corporate networks, including critical infrastructure like SCADA systems, continues to be a thriving market, posing substantial downstream risks. Notably, alerts from hacktivist groups signal premeditated campaigns against specific sectors, such as the Indian financial industry. One of the most concerning developments involves the alleged sale of highly sensitive data from a Brazilian state-owned nuclear company, NUCLEP, highlighting potential national security implications.
Detailed Incident Analysis
The following section provides an in-depth analysis of cybersecurity incidents reported on May 12, 2025. Each entry includes details of the incident, victim profile, threat actor analysis, and relevant source links.
Incident 1: Alleged leak of 857 Israel phone numbers
- Date & Time: 2025-05-12T13:34:22Z
- Category: Data Leak
- Victim Profile:
- Organization: Unspecified individuals
- Industry: Not Applicable
- Country: Israel
- Site: Not Applicable
- Incident Overview: A threat actor under the moniker “ZEROLEGIONCREWINDONESIAN” claims to have leaked 857 Israeli phone numbers. This type of data, while seemingly small in volume, can be exploited for targeted phishing, smishing, or harassment campaigns.
- Threat Actor Analysis: ZEROLEGIONCREWINDONESIAN
- Profile & Known Aliases: “ZEROLEGIONCREWINDONESIAN” appears to be an Indonesian-based hacktivist entity. The name structure is common among hacktivist crews. Indonesian hacktivist groups are active and sometimes promote data leaks on platforms like Telegram.1 Their motivations are often political or ideological.
- Assessed Motivation & Objectives: Likely political or ideological, given the targeting of Israeli phone numbers and the Indonesian nexus, a region from which pro-Palestinian hacktivism often emerges. The leak aims to cause disruption or distress.
- Observed Tactics, Techniques, and Procedures (TTPs): Data exfiltration and public leakage, likely via forums or social media. Hacktivist groups often use public channels to maximize the visibility of their actions.2
- Relevant Past Activity & Affiliations: Specific past activities for “ZEROLEGIONCREWINDONESIAN” require further monitoring. However, the broader Indonesian hacktivist scene is active, with groups like INDOHAXSEC known for targeting entities perceived as adversarial to their interests.3
- Source Links:
- Published URL: https://darkforums.st/Thread-857-Phone-number-Israel
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/dc9a470d-98b3-4703-97fd-1964565c3332.png
- Context & Significance: The leak of Israeli phone numbers by an actor identifying with Indonesia points to the ongoing use of cyber means in geopolitical conflicts. Even small-scale leaks can contribute to a climate of insecurity and provide resources for malicious actors engaged in social engineering.
Incident 2: Alleged database leak of Loyola University Of Chicago
- Date & Time: 2025-05-12T13:26:03Z
- Category: Data Breach
- Victim Profile:
- Organization: Loyola University Of Chicago
- Industry: Education
- Country: USA
- Site: luc.edu
- Incident Overview: The threat actor “klandestine” claims to have leaked a database from Loyola University Of Chicago. The compromised data is extensive, reportedly including customer IDs, names, addresses, contact information, credit card details, usernames, passwords, and demographic information such as age, income, and gender.
- Threat Actor Analysis: klandestine
- Profile & Known Aliases: “klandestine” is operating on darkforums.st. The name implies covert operations. While no direct profile for “klandestine” is available in the provided materials, threat actors on such forums are typically financially motivated, seeking to sell compromised data. Some actors experiment with AI tools for tasks like research and content generation, though not necessarily for developing novel attack capabilities.5 The sale of comprehensive datasets like the one alleged is a common tactic.
- Assessed Motivation & Objectives: Primarily financial gain through the sale of the database. Such rich PII and financial data is highly sought after for identity theft, financial fraud, and targeted phishing campaigns.
- Observed Tactics, Techniques, and Procedures (TTPs): Database exfiltration, likely through exploitation of web application vulnerabilities, phishing, or malware. The actor is leveraging a dark web forum for monetization.
- Relevant Past Activity & Affiliations: Specific activities of “klandestine” are not detailed. However, actors like those in the Lazarus group (APT38), known for targeting diverse sectors including education for financial gain and espionage, demonstrate the capabilities that can lead to such breaches.6 While “klandestine” is not directly linked to such groups, the modus operandi of exfiltrating and selling valuable data is widespread.
- Source Links:
- Published URL: https://darkforums.st/Thread-Loyola-University-Of-Chicago-Database-Leaked
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2f0eaf8b-a27a-4176-8003-1ae24834765c.PNG
- Context & Significance: Educational institutions are frequent targets due to the large amounts of personal data they hold and often less robust security postures compared to financial institutions. A breach of this magnitude can lead to significant identity theft risks for students, faculty, and alumni, as well as reputational damage and regulatory penalties for the university. The inclusion of credit card data and passwords makes this particularly severe.
Incident 3: Alleged sale of unauthorized access to an unidentified Company in USA
- Date & Time: 2025-05-12T12:34:28Z
- Category: Initial Access
- Victim Profile:
- Organization: Unidentified Company
- Industry: Unspecified
- Country: USA
- Site: Not Applicable
- Incident Overview: The threat actor “pianoxltd” claims to be selling unauthorized access to an unidentified U.S. company with a reported revenue of $12.6 million. This is a typical Initial Access Broker (IAB) offering.
- Threat Actor Analysis: pianoxltd
- Profile & Known Aliases: “pianoxltd” is operating on the Russian-language hacking forum xss.is. This forum is known as a marketplace for various illicit cyber services, including the sale of access.7 IABs like “pianoxltd” specialize in breaching networks and then selling that access to other cybercriminals, who might then deploy ransomware or conduct espionage.
- Assessed Motivation & Objectives: Financial gain by selling network access. The revenue figure ($12.6 million) is provided to indicate the potential value of the target to prospective buyers (e.g., ransomware operators who calculate ransom demands based on victim revenue).
- Observed Tactics, Techniques, and Procedures (TTPs): Gaining initial access through various means (e.g., exploiting vulnerabilities, phishing, credential stuffing) and then monetizing this access on specialized forums. The xss.is forum facilitates such transactions, sometimes with escrow services.7
- Relevant Past Activity & Affiliations: Specific past activities of “pianoxltd” require further investigation. However, the xss.is forum has a history of hosting sophisticated actors and discussions around ransomware and other cybercriminal activities.8 Threat actors on these forums can range from individual hackers to more organized groups.9
- Source Links:
- Published URL: https://xss.is/threads/137543/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/08d40735-10e7-4ae8-bf03-b39ee86d388d.png
- Context & Significance: The sale of initial access is a critical component of the cybercrime ecosystem. It lowers the barrier to entry for sophisticated attacks, as specialized actors can focus on exploitation while others handle monetization. A company with $12.6 million in revenue is a viable target for various cybercriminal enterprises, including ransomware gangs.
Incident 4: Alleged database leak of National Assembly of Pakistan
- Date & Time: 2025-05-12T12:12:11Z
- Category: Data Breach
- Victim Profile:
- Organization: National Assembly of Pakistan
- Industry: Government Administration
- Country: Pakistan
- Site: na.gov.pk
- Incident Overview: “HexaForce Alliance” claims to have leaked the database of the National Assembly of Pakistan. The claim was announced on Telegram, a common platform for hacktivist announcements.
- Threat Actor Analysis: HexaForce Alliance
- Profile & Known Aliases: “HexaForce Alliance” appears to be a hacktivist collective. The term “Alliance” suggests a coalition of multiple groups or individuals. Such alliances often form to pool resources and expertise for politically motivated attacks.10 Their use of Telegram for dissemination is typical for hacktivist operations.10
- Assessed Motivation & Objectives: Likely political, aiming to embarrass the Pakistani government, expose sensitive information, or make a political statement. Attacks against government bodies are hallmark activities of hacktivist groups.
- Observed Tactics, Techniques, and Procedures (TTPs): Database exfiltration and dissemination through Telegram. The methods for obtaining the database could range from exploiting web vulnerabilities to phishing or insider threats. Alliances like “The Holy League” demonstrate how groups coordinate efforts against shared adversaries.10
- Relevant Past Activity & Affiliations: Specific activities of “HexaForce Alliance” are not detailed in the provided snippets. However, the landscape is rife with hacktivist groups targeting governmental entities, often aligning with broader geopolitical conflicts. The Cloud Security Alliance notes the changing profile of threat actors targeting cloud services, which can include government infrastructure.12
- Source Links:
- Published URL: https://t.me/c/2391918007/207
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/86f7dd95-74d3-45f9-884d-2316b16b1ea5.png
- Context & Significance: A breach of a national legislative body can expose sensitive government documents, communications, and personal information of officials. This can have implications for national security, political stability, and public trust. The choice of Telegram as a dissemination platform ensures wide and rapid visibility among interested parties.
Incident 5: INDOHAXSEC claims to target Indian finance sector
- Date & Time: 2025-05-12T10:00:11Z
- Category: Alert
- Victim Profile:
- Organization: Unspecified Indian financial organizations
- Industry: Financial Services
- Country: India
- Site: Not Applicable
- Incident Overview: The Indonesian hacktivist group “INDOHAXSEC” has posted an alert on Telegram claiming they are targeting Indian organizations within the finance sector.
- Threat Actor Analysis: INDOHAXSEC
- Profile & Known Aliases: INDOHAXSEC is an identified Indonesian-based hacktivist collective active since at least October 2024.3 They are known for DDoS attacks, ransomware, website defacements, and hack-and-leak operations. They maintain a public presence on GitHub and Telegram.3
- Assessed Motivation & Objectives: Primarily politically motivated, with strong pro-Palestinian sentiments and religious ideology. They frequently target entities perceived as supporting Israel or acting against Indonesian interests.3 Their targeting of India is often framed as retaliation in the context of regional geopolitical issues.4
- Observed Tactics, Techniques, and Procedures (TTPs): DDoS attacks, website defacements, ransomware deployments, and data leaks. They use custom tools and scripts, some of which are shared on their GitHub repository. They have also shown interest in using AI tools like ChatGPT for malicious purposes.3
- Relevant Past Activity & Affiliations: INDOHAXSEC has a history of targeting entities in Southeast Asia and India.3 They announced an alliance with the pro-Russian hacktivist group NoName057(16) in late 2024 3 and have collaborated with the Pakistani group Team Azrael – Angel of Death to target Indian cyberspace.4
- Source Links:
- Published URL: https://t.me/INDOHAXSEC/3827
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/331c01fb-e7f1-4d41-b153-005957fa0393.png
- Context & Significance: This alert is a direct statement of intent against a critical sector. Given INDOHAXSEC’s past activities and alliances, financial institutions in India should treat this as a credible threat and enhance their defensive posture against a range of potential attacks, including DDoS, ransomware, and data breaches. The group’s collaboration with other actors amplifies their potential impact.
Incident 6: J43v3r targets the website of Powerman International
- Date & Time: 2025-05-12T09:36:08Z
- Category: Defacement
- Victim Profile:
- Organization: Powerman International
- Industry: Manufacturing
- Country: Pakistan
- Site: powerman.com.pk
- Incident Overview: The threat actor “J43v3r” claims to have defaced the website of Powerman International, a manufacturing company in Pakistan. A mirror of the defacement is provided.
- Threat Actor Analysis: J43v3r
- Profile & Known Aliases: “J43v3r” appears to be a hacktivist focused on website defacements. The name might be a leetspeak variation. Defacements are often carried out for notoriety or to convey a political message. Cyble provides threat actor profiles that analyze TTPs and motives, which would be useful for further understanding actors like J43v3r if more data becomes available.13
- Assessed Motivation & Objectives: Likely seeking notoriety, making a statement (political or otherwise), or simply demonstrating capability. The targeting of a Pakistani manufacturing company could be opportunistic or tied to a specific grievance if J43v3r has an anti-Pakistan stance.
- Observed Tactics, Techniques, and Procedures (TTPs): Exploiting web vulnerabilities to gain unauthorized access and alter website content. Providing a mirror link is a common way to showcase the defacement even after the original site is restored. Microsoft Security Copilot offers a “threat actor profile” promptbook that could help summarize information on such actors if sufficient intelligence exists.14
- Relevant Past Activity & Affiliations: Specific details for “J43v3r” are not available in the provided snippets. Defacement is a common tactic among less sophisticated hacktivists but can also be used by more organized groups as part of broader campaigns.
- Source Links:
- Published URL: https://t.me/j43v3r/17
- Mirror: https://ownzyou.com/zone/264918
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/da43d273-91da-4a35-8da6-c9abbe861e0e.png
- Context & Significance: Website defacements, while often causing temporary disruption, can damage an organization’s reputation and indicate underlying security weaknesses that could be exploited for more severe attacks. For Powerman International, this incident necessitates a review of their web security.
Incident 7: Alleged sale of credit card data from Turkish banks
- Date & Time: 2025-05-12T08:33:38Z
- Category: Data Leak
- Victim Profile:
- Organization: Unspecified Turkish banks
- Industry: Banking & Mortgage
- Country: Turkey
- Site: Not Applicable
- Incident Overview: The threat actor “d3fn0d3” is claiming to sell credit card data originating from Turkish banks. The dataset purportedly includes 2500 records with card numbers, expiry dates, and CVVs, with a claimed validity rate of 50-60%.
- Threat Actor Analysis: d3fn0d3
- Profile & Known Aliases: “d3fn0d3” is operating on the exploit.in forum, a well-known Russian-language dark web forum frequented by cybercriminals for trading illicit goods and services, including financial data.7 Actors on exploit.in often specialize in specific types of cybercrime.
- Assessed Motivation & Objectives: Financial gain through the sale of stolen credit card data. This type of data is directly monetizable for fraudulent online purchases or can be sold to other criminals.
- Observed Tactics, Techniques, and Procedures (TTPs): Acquisition of credit card data (e.g., via skimming, malware, breaches of e-commerce sites or payment processors) and selling it on specialized forums. The claimed validity rate is a common marketing tactic to attract buyers. Exploit.in is a key marketplace for such transactions.15
- Relevant Past Activity & Affiliations: Specific activities for “d3fn0d3” are not detailed. However, the exploit.in forum hosts many actors involved in financial fraud. Cyble offers threat actor profiling services that could provide more details on such actors.13 Microsoft also tracks various threat actors, such as Silk Typhoon, though this specific actor is not mentioned.16
- Source Links:
- Published URL: https://forum.exploit.in/topic/258963/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2d8b2042-570b-4e6a-994a-6a23880c99a8.png
- Context & Significance: The sale of credit card data, even in relatively small batches, contributes to ongoing financial fraud. The 50-60% validity claim, if accurate, makes the data attractive to carders. This highlights risks for Turkish financial institutions and their customers.
Incident 8: Alleged database leak of AWF Contábil
- Date & Time: 2025-05-12T08:05:15Z
- Category: Data Breach
- Victim Profile:
- Organization: AWF Contábil
- Industry: Accounting
- Country: Brazil
- Site: awfbrasil.com.br
- Incident Overview: The group “CyberVolk Arcanum” claims to have leaked the database of AWF Contábil, an accounting firm in Brazil. The announcement was made via Telegram.
- Threat Actor Analysis: CyberVolk Arcanum
- Profile & Known Aliases: CyberVolk Arcanum (also known as CyberVolk Group) originated from India and has pro-Russian affiliations.17 It emerged in June 2024, having undergone several name changes (GLORIAMIST India, Solntsevskaya Bratva).18 The group is part of the “Holy League,” an organization established by APT44 and other Russian/Russian-aligned hackers to target NATO, Ukraine, and opposing states.17 They have developed and sold “CyberVolk Ransomware” as a RaaS.17
- Assessed Motivation & Objectives: This specific attack on a Brazilian accounting firm could be opportunistic financial crime (given their ransomware activities) or part of their broader hacktivist agenda if AWF Contábil or its clients are perceived as being aligned with their adversaries. Their motivations are a mix of financial and ideological/political.17
- Observed Tactics, Techniques, and Procedures (TTPs): Data exfiltration, ransomware deployment (CyberVolk Ransomware uses ChaCha20-Poly1305, AES and RSA, and blocks Task Manager),17 and DDoS attacks.18 They use Telegram for communication and announcements.
- Relevant Past Activity & Affiliations: Known for developing CyberVolk Ransomware.17 As a hacktivist group, they have targeted Spanish institutions in retaliation for arrests of NoName057(16) members, and their operations escalated after those arrests.18
- Source Links:
- Published URL: https://t.me/CyberVolkArcanum/10
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7aefe2d2-ffec-4104-9581-146f16d0b8e3.png
- Context & Significance: Accounting firms hold highly sensitive financial data for numerous clients. A breach of such a firm can lead to widespread financial fraud, business disruption for clients, and severe reputational damage. CyberVolk Arcanum’s dual nature as both a ransomware operator and a hacktivist group makes their attacks particularly dangerous, as their motives can shift or overlap.
Incident 9: Alleged sale of unauthorized WordPress admin access to a shop in Croatia
- Date & Time: 2025-05-12T07:51:46Z
- Category: Initial Access
- Victim Profile:
- Organization: Unidentified shop
- Industry: Unspecified (likely Retail/E-commerce)
- Country: Croatia
- Site: Unspecified (WordPress site)
- Incident Overview: Threat actor “Fordnox” is advertising the sale of unauthorized WordPress admin access to an unnamed shop in Croatia on the exploit.in forum.
- Threat Actor Analysis: Fordnox
- Profile & Known Aliases: “Fordnox” is an Initial Access Broker operating on exploit.in. This forum is a known hub for cybercriminals trading in exploits, data, and access.7 Selling WordPress admin access is common, as it can be used to deploy malware, skim payment data, or launch further attacks.
- Assessed Motivation & Objectives: Financial gain by selling the compromised access. WordPress sites, especially e-commerce shops, are valuable targets.
- Observed Tactics, Techniques, and Procedures (TTPs): Exploiting WordPress vulnerabilities (e.g., outdated plugins, weak passwords) to gain admin access. Monetization through sale on dark web forums like exploit.in. The forum facilitates the connection between IABs and those seeking to exploit such access.15
- Relevant Past Activity & Affiliations: Specific details for “Fordnox” are not available. However, the U.S. Department of Health and Human Services has profiled various state-sponsored threat actors like APT41, APT10, and APT18, some of whom also engage in financially motivated cybercrime and target a wide array of industries.19 While Fordnox is not directly linked, the TTPs of gaining and selling access are part of this broader criminal ecosystem. Secureworks also maintains threat profiles which could be consulted for more established actors.20
- Source Links:
- Published URL: https://forum.exploit.in/topic/258961/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b30cad57-016d-4b2c-a739-98f348e5caae.png
- Context & Significance: Compromised WordPress admin access can lead to various malicious activities, including hosting phishing pages, installing e-skimmers to steal customer payment information, or using the site as part of a botnet. Small businesses are often targeted due to perceived weaker security.
Incident 10: Alleged leak of Turkish Citizens’ database
- Date & Time: 2025-05-12T07:50:35Z
- Category: Data Breach
- Victim Profile:
- Organization: Unspecified (source of Turkish citizens’ data)
- Industry: Not Applicable (broad PII)
- Country: Turkey
- Site: Not Applicable
- Incident Overview: The hacktivist group “Hindutva Warriors” claims via Telegram to have leaked a database containing personal and corporate information of Turkish citizens.
- Threat Actor Analysis: Hindutva Warriors
- Profile & Known Aliases: “Hindutva Warriors” appears to be a hacktivist group with an Indian nationalist ideology, targeting entities perceived as adversaries. Their name clearly indicates their ideological leaning. Hacktivist groups often use Telegram for their announcements and data dissemination.
- Assessed Motivation & Objectives: Political and ideological, likely aimed at entities in Turkey due to perceived geopolitical alignments or historical grievances. The leak is intended to cause disruption, exert pressure, or make a statement. The India-Pakistan cyber conflict often sees hacktivists targeting nations perceived to be aligned with their adversaries.21
- Observed Tactics, Techniques, and Procedures (TTPs): Data exfiltration and leaking via Telegram. The source of such a broad database could be a compromised government service or a large private company. Hacktivist groups often engage in DDoS, defacements, and data leaks.21
- Relevant Past Activity & Affiliations: Specific activities of “Hindutva Warriors” are not detailed in the provided snippets. However, the broader context of hacktivism in the South Asian region is characterized by groups aligning with national and religious causes.4 Trellix has researched hacktivist groups and their links to nation-state agendas, highlighting the complex motivations that can be at play.22
- Source Links:
- Published URL: https://t.me/c/2193761852/116
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4169f63b-a631-4b37-b60a-a2d253771b18.png
- Context & Significance: Large-scale leaks of citizen PII can lead to widespread identity theft, fraud, and social engineering campaigns. If corporate information is also included, it could be used for industrial espionage or targeted attacks against businesses. This action by “Hindutva Warriors” underscores the spillover of real-world political and ideological conflicts into cyberspace.
Incident 11: CyberVolk Arcanum targets the website of Book Magic India Pvt. Ltd.
- Date & Time: 2025-05-12T07:33:02Z
- Category: Defacement
- Victim Profile:
- Organization: Book Magic India Pvt. Ltd.
- Industry: Education
- Country: India
- Site: bookmagicindia.in
- Incident Overview: “CyberVolk Arcanum” claims to have defaced the website of Book Magic India Pvt. Ltd., an educational content provider.
- Threat Actor Analysis: CyberVolk Arcanum
- Profile & Known Aliases: As detailed in Incident 8, CyberVolk Arcanum is an Indian-origin, pro-Russian hacktivist and ransomware group.17
- Assessed Motivation & Objectives: This defacement against an Indian educational company is consistent with their politically motivated hacktivist activities. While they originate from India, their pro-Russian stance means they target entities in countries perceived as opposing Russian interests or, in some cases, internal targets that might conflict with their ideology. Targeting an Indian entity might seem contradictory but could be driven by specific grievances or as part of a broader disruptive campaign.
- Observed Tactics, Techniques, and Procedures (TTPs): Website defacement, likely by exploiting vulnerabilities in the bookmagicindia.in website. This is a common tactic for hacktivists to gain visibility.18
- Relevant Past Activity & Affiliations: As per Incident 8, known for ransomware (CyberVolk Ransomware) and hacktivist attacks, including DDoS and defacements.17
- Source Links:
- Published URL: https://t.me/CyberVolkArcanum/9
- Target: https://www.bookmagicindia.in
- Archive: https://web.archive.org/web/https://www.bookmagicindia.in
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/8cf3a7df-c15a-474b-b116-5df9cecd4de2.png
- Context & Significance: The defacement of an educational website by a group with both hacktivist and ransomware capabilities is notable. While this incident is a defacement, CyberVolk Arcanum’s broader TTPs suggest they could escalate to more damaging attacks if they maintain access or choose to do so.
Incident 12: Alleged data breach of Postel SpA
- Date & Time: 2025-05-12T06:30:34Z
- Category: Data Breach
- Victim Profile:
- Organization: Postel SpA
- Industry: Computer Software/Engineering
- Country: Italy
- Site: postel.it
- Incident Overview: The threat actor “Smartik” claims a data leak from Postel SpA, an Italian company involved in software products and e-procurement. The leaked data reportedly includes software products, documents, and e-procurement software details.
- Threat Actor Analysis: Smartik
- Profile & Known Aliases: “Smartik” is operating on the xss.is forum. The name may imply a focus on “smart” or sophisticated techniques. The xss.is forum is a known Russian-language platform for cybercriminals.7 The term “XSS” (Cross-Site Scripting) itself refers to a common web vulnerability 24, and actors on a forum named xss.is might be skilled in web exploitation.
- Assessed Motivation & Objectives: Financial gain from selling the proprietary data and software. E-procurement software details and other software products can be valuable for competitors or for finding further vulnerabilities.
- Observed Tactics, Techniques, and Procedures (TTPs): Exfiltration of sensitive corporate data, including intellectual property (software products). The method of breach is unspecified but could involve web application attacks, given the nature of the forum. Selling on xss.is is a common monetization strategy.7
- Relevant Past Activity & Affiliations: Specific information on “Smartik” is not available. Creating a cyber threat profile for such actors involves understanding their typical targets, TTPs, and motivations.25 AI tools are increasingly used to enrich threat data and build actor profiles.26
- Source Links:
- Published URL: https://xss.is/threads/137525/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/323a1309-ba7c-4306-88f3-2c5f0939f7be.png
- Context & Significance: A breach involving software products and e-procurement systems can have severe consequences, including intellectual property theft, compromise of procurement processes for Postel’s clients, and potential for supply chain attacks if vulnerabilities in the leaked software are exploited.
Incident 13: Alleged leak of admin access to SCADA system for Oliva Panabera
- Date & Time: 2025-05-12T06:24:53Z
- Category: Initial Access
- Victim Profile:
- Organization: Oliva Panabera
- Industry: Electrical & Electronic Manufacturing
- Country: Spain
- Site: olivapanabera.es
- Incident Overview: The group “CYBER SHARK” claims via Telegram to have gained unauthorized access to the Oliva Panabera dashboard, potentially a SCADA (Supervisory Control and Data Acquisition) system, exposing sensitive data.
- Threat Actor Analysis: CYBER SHARK
- Profile & Known Aliases: “CYBER SHARK” appears to be a hacktivist or financially motivated group operating on Telegram. Targeting SCADA systems is a high-impact activity.
- Assessed Motivation & Objectives: Could be financial (selling access to critical systems), hacktivism (disruption for political statement), or demonstrating capability. Access to SCADA systems is highly valuable and dangerous.
- Observed Tactics, Techniques, and Procedures (TTPs): Gaining unauthorized access to industrial control systems (ICS) or their management interfaces. Dissemination of claims via Telegram. Groups like Shathak (TA551) target various sectors including manufacturing and energy, sometimes acting as initial access facilitators for ransomware gangs.27 Iranian groups like MuddyWater and APT35 also target critical infrastructure, though their primary motivations are often espionage.28
- Relevant Past Activity & Affiliations: Specific activities for “CYBER SHARK” are not detailed. However, the targeting of ICS/OT systems by various actors, including hacktivists, is a growing concern.1 Groups like DieNet have also claimed attacks against critical infrastructure sectors.29
- Source Links:
- Published URL: https://t.me/CYBERSHARK_42/11
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/30c69f87-10fd-466d-b81c-ff4b21be3134.png
- Context & Significance: Unauthorized access to a SCADA system in the manufacturing sector can lead to operational disruption, sabotage, intellectual property theft, or even physical safety risks. This is a serious threat that requires immediate attention from the affected organization.
Incident 14: Alleged sale of KYC DATA
- Date & Time: 2025-05-12T05:34:23Z
- Category: Data Leak
- Victim Profile:
- Organization: Unspecified (source of KYC data)
- Industry: Unspecified (likely Financial Services or Cryptocurrency)
- Country: Philippines
- Site: Not Applicable
- Incident Overview: Threat actor “elpatron85” is advertising the sale of a 152GB KYC (Know Your Customer) dataset from the Philippines on darkforums.st.
- Threat Actor Analysis: elpatron85
- Profile & Known Aliases: “elpatron85” is a data broker operating on darkforums.st. The name “El Patron” (The Boss) is common in criminal contexts. Selling KYC data is a lucrative niche. No specific information on this actor was found in the provided snippets.17
- Assessed Motivation & Objectives: Financial gain. KYC data is extremely valuable for identity theft, account takeovers (especially in financial services and crypto exchanges), and creating synthetic identities.
- Observed Tactics, Techniques, and Procedures (TTPs): Acquisition of large KYC databases, likely from breached financial institutions, cryptocurrency exchanges, or other services requiring identity verification. Monetization via sale on dark web forums.
- Relevant Past Activity & Affiliations: Further research is needed to establish specific history for “elpatron85.”
- Source Links:
- Published URL: https://darkforums.st/Thread-Selling-152GB-KYC-DATA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/85b09631-2c1c-4e79-9c25-c16c18275a06.png
- Context & Significance: A 152GB KYC dataset represents a massive compromise of highly sensitive personal information. This data typically includes full names, addresses, dates of birth, national ID numbers, photos, and sometimes financial information. Such a leak from the Philippines would put a large number of individuals at high risk of severe identity fraud.
Incident 15: Alleged sale of full access to an unidentified Multi-Contentional insurance company
- Date & Time: 2025-05-12T04:50:07Z
- Category: Initial Access
- Victim Profile:
- Organization: Unidentified Multinational Insurance Company
- Industry: Insurance (Financial Services)
- Country: Unspecified (Multinational)
- Site: Not Applicable
- Incident Overview: Threat actor “Asipati” is offering for sale what they claim is “full access” to a multinational insurance company’s systems on darkforums.st. The offered access includes read-only database access, SMTP server credentials, hardcoded passwords enabling login to any account, and the company’s full source code.
- Threat Actor Analysis: Asipati
- Profile & Known Aliases: “Asipati” is an Initial Access Broker or a sophisticated actor who has deeply compromised a significant target, operating on darkforums.st. The level of access claimed is extensive. No specific information on this actor was found in the provided snippets.17
- Assessed Motivation & Objectives: Financial gain. “Full access” to a multinational insurance company, including source code and extensive credentials, would command a very high price on the dark web. This could be sold to ransomware operators, corporate spies, or other high-level criminal groups.
- Observed Tactics, Techniques, and Procedures (TTPs): Deep network penetration, exfiltration of source code, credential harvesting, and database access. The claim of “hardcoded passwords enabling login to any account” suggests exploitation of severe security misconfigurations or insider knowledge.
- Relevant Past Activity & Affiliations: Further research is needed for “Asipati.”
- Source Links:
- Published URL: https://darkforums.st/Thread-Full-access-to-a-Multi-Contentional-insurance-company
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/047a91b9-449d-451a-abd6-417a4987e397.png
- Context & Significance: This is a potentially catastrophic breach for the unnamed insurance company if the claims are true. Access to full source code can reveal proprietary algorithms and vulnerabilities. Database access can expose vast amounts of customer PII and sensitive financial information. SMTP server access can be used for highly convincing phishing campaigns. The ability to log into any account would give an attacker complete control.
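The “hardcoded passwords enabling login to any account” claim in Incident 15 describes a well-known secure-coding failure: a static override credential compiled into the authentication path. The following Python is an added illustration written for this report's readers; it is not code from the affected company, the threat actor, or the report's authors. It places a vulnerable login routine (with a constructed master-password override) beside a hardened one that verifies only salted PBKDF2 hashes with a constant-time comparison, and adds a simple source scan of the kind a code-review or CI step can run to flag literal credential assignments. All users, passwords and the `SAMPLE_SOURCE` snippet are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Constructed user store: username -> (salt, PBKDF2-SHA256 digest). Not real data.
def _hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_store(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Create a salted PBKDF2 record for each (username, password) pair."""
    store: dict[str, tuple[bytes, bytes]] = {}
    for name, password in users.items():
        salt = secrets.token_bytes(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


# --- Vulnerable pattern (constructed to mirror the misconfiguration in the report) ---
# A "support" override baked into the source: whoever reads the code (or the leaked
# repository) can open any account with it.
_SUPPORT_MASTER_PASSWORD = "Sup3rS3cret!"  # hypothetical hardcoded override


def login_vulnerable(store: dict[str, tuple[bytes, bytes]], username: str, password: str) -> bool:
    if username not in store:
        return False
    if password == _SUPPORT_MASTER_PASSWORD:  # the backdoor: bypasses per-user verification
        return True
    salt, digest = store[username]
    return _hash_password(password, salt) == digest  # also a non-constant-time compare


# --- Hardened pattern ---
def login_hardened(store: dict[str, tuple[bytes, bytes]], username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal whether the account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, digest = record
    # Constant-time comparison; no override credential exists anywhere in the code.
    return hmac.compare_digest(_hash_password(password, salt), digest)


# --- Detection: flag literal credential assignments in source text ---
_SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\w*(pass(word|wd)?|secret|api[_-]?key|token)\w*\s*[:=]\s*["'][^"']{4,}["']"""
)


def find_hardcoded_secrets(source: str) -> list[int]:
    """Return 1-based line numbers whose text looks like a literal credential assignment."""
    return [i for i, line in enumerate(source.splitlines(), 1) if _SECRET_ASSIGNMENT.search(line)]


# Constructed source snippet: lines 2 and 4 embed literal credentials, line 3 does not.
SAMPLE_SOURCE = """\
db_host = "db.internal.example"
MASTER_PASSWORD = "Sup3rS3cret!"
smtp_user = os.environ.get("SMTP_USER")
smtp_password = "mailpass2025"
"""


def demo() -> dict[str, bool]:
    """Exercise both login routines with a real password and with the override."""
    store = make_user_store({"alice": "correct horse battery staple", "bob": "hunter2-but-longer"})
    return {
        "vuln_real_pw": login_vulnerable(store, "alice", "correct horse battery staple"),
        "vuln_master_pw": login_vulnerable(store, "alice", _SUPPORT_MASTER_PASSWORD),
        "hard_real_pw": login_hardened(store, "alice", "correct horse battery staple"),
        "hard_master_pw": login_hardened(store, "alice", _SUPPORT_MASTER_PASSWORD),
        "hard_unknown_user": login_hardened(store, "mallory", "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("suspect lines:", find_hardcoded_secrets(SAMPLE_SOURCE))
```

The scan is deliberately coarse: it will flag any literal assigned to a name containing “password”, “secret”, “key” or “token”, so it is a review aid rather than a verdict. Combined with source-code exposure of the kind claimed in this incident, the reason such overrides are fatal is visible in the vulnerable routine: the credential is the same for every account and never rotates.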
Incident 16: Team Azrael Angel Of Death claims to target India
- Date & Time: 2025-05-12T03:54:44Z
- Category: Alert
- Victim Profile:
- Organization: Unspecified organizations
- Industry: Unspecified
- Country: India
- Site: Not Applicable
- Incident Overview: “Team Azrael Angel Of Death” has posted an alert on Telegram claiming they are targeting India. This is a general threat declaration.
- Threat Actor Analysis: Team Azrael Angel Of Death
- Profile & Known Aliases: “Team Azrael Angel Of Death” is a hacktivist group known for targeting India. They operate on Telegram.
- Assessed Motivation & Objectives: Political and ideological, often linked to the India-Pakistan conflict. Their actions aim to disrupt, defame, or steal data from Indian entities.
- Observed Tactics, Techniques, and Procedures (TTPs): Website defacements, data leaks, DDoS attacks. They use Telegram for announcements and coordination.
- Relevant Past Activity & Affiliations: This group has made numerous claims against Indian targets. On May 8, 2025, they claimed a breach of the Election Commission of India, though this was assessed as likely repackaged old data.31 On May 7, 2025, they claimed to leak Indian Army personnel data, which was also found to lack authentic corroboration, with data appearing fabricated or misattributed.31 They have announced collaborations with other groups like INDOHAXSEC to target Indian cyberspace, particularly in response to geopolitical events.4
- Source Links:
- Published URL: https://t.me/anonymous_Cr02x/1201
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/90d01d1e-e646-4216-9103-c85d3a1902fe.png
- https://d34iuop8pidsy8.cloudfront.net/cc811d70-2d53-4b6f-8ec3-f73995218303.png
- Context & Significance: While some of their past claims have been assessed as exaggerated or based on old data 31, the persistent targeting and collaboration with other anti-India groups like INDOHAXSEC 4 make their threats noteworthy. This alert, combined with their other claimed activities on the same day (Incidents 17 & 18), indicates an ongoing campaign.
Incident 17: Team Azrael Angel Of Death targets the website of STD CLICK
- Date & Time: 2025-05-12T03:47:49Z
- Category: Defacement
- Victim Profile:
- Organization: STD CLICK (Odistudents)
- Industry: Education
- Country: India
- Site: odistudents.co.in
- Incident Overview: “Team Azrael Angel Of Death” claims to have defaced the website of STD CLICK, an Indian educational portal.
- Threat Actor Analysis: Team Azrael Angel Of Death
- Profile & Known Aliases: As detailed in Incident 16.
- Assessed Motivation & Objectives: Political/ideological, part of their broader campaign against Indian targets. Educational sites are often soft targets for defacements.
- Observed Tactics, Techniques, and Procedures (TTPs): Website defacement by exploiting vulnerabilities.
- Relevant Past Activity & Affiliations: As per Incident 16. This defacement is consistent with their stated intent to target India.
- Source Links:
- Published URL: https://t.me/anonymous_Cr02x/1205
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7fbab30d-ee4a-4fe1-87ea-9ddb89756930.png
- Context & Significance: This specific attack, alongside their alert (Incident 16) and another claimed data breach (Incident 18) on the same day, demonstrates their active operational tempo against Indian educational institutions.
Incident 18: Alleged data breach of Thukral Public School TPS
- Date & Time: 2025-05-12T03:31:27Z
- Category: Data Breach
- Victim Profile:
- Organization: Thukral Public School TPS
- Industry: Education
- Country: India
- Site: tpsloharu.com
- Incident Overview: “Team Azrael Angel Of Death” claims to have breached Thukral Public School (TPS) in India, leaking private data of students, staff, and administrators, including personal details, administrative records, and confidential documents.
- Threat Actor Analysis: Team Azrael Angel Of Death
- Profile & Known Aliases: As detailed in Incident 16.
- Assessed Motivation & Objectives: Political/ideological, part of their campaign against Indian entities. Breaching a school and leaking sensitive data aims to cause distress and disruption.
- Observed Tactics, Techniques, and Procedures (TTPs): Data exfiltration from the school’s systems.
- Relevant Past Activity & Affiliations: As per Incident 16. This alleged breach aligns with their targeting patterns.
- Source Links:
- Published URL: https://t.me/anonymous_Cr02x/1201
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/768929cb-5921-4dd5-a874-70d0ad8725ce.png
- https://d34iuop8pidsy8.cloudfront.net/e4629be1-a916-4cbb-9cde-01fb858a048b.png
- Context & Significance: The breach of a school’s database, if confirmed, is a serious issue due to the exposure of minors’ PII and sensitive staff information. This can lead to identity theft, targeted harassment, or other harms. It underscores the vulnerability of educational institutions.
Incident 19: Alleged leak of unauthorized access to SCADA System for Dam Management
- Date & Time: 2025-05-12T02:52:26Z
- Category: Initial Access
- Victim Profile:
- Organization: Unspecified Dam Management entity
- Industry: Critical Infrastructure (Water Management/Energy)
- Country: UAE
- Site: Not Applicable
- Incident Overview: The group “LulzSec Black” claims via Telegram to have gained unauthorized access to a SCADA system dashboard for dam management in the United Arab Emirates.
- Threat Actor Analysis: LulzSec Black
- Profile & Known Aliases: “LulzSec Black” evokes the name of the infamous LulzSec hacktivist group. LulzSec was known for high-profile attacks, often motivated by “lulz” (amusement/chaos) and drawing attention to security flaws.32 The original LulzSec had key members arrested, but its legacy continues with new groups adopting the name or TTPs.32 “LulzSec Black” could be a new iteration or an inspired group.
- Assessed Motivation & Objectives: Could range from traditional LulzSec motivations (causing chaos, demonstrating capability, political statement) to selling critical access for financial gain. Targeting SCADA systems for dam management is a significant escalation and could have severe real-world consequences.
- Observed Tactics, Techniques, and Procedures (TTPs): Gaining unauthorized access to SCADA systems. Announcing the compromise via Telegram. Historically, LulzSec engaged in website defacement, data leaks, and DDoS attacks.32 Targeting ICS/SCADA represents a more critical threat.
- Relevant Past Activity & Affiliations: If connected to the LulzSec legacy, they are part of a lineage of disruptive hacktivists. “LulzSec Indonesia” reportedly targeted a French nuclear office, indicating that LulzSec-affiliated groups have targeted critical infrastructure previously.33
- Source Links:
- Published URL: https://t.me/c/2218423825/6872
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/090f5198-1503-4a63-9d3b-ab1d6a3465ca.png
- Context & Significance: The name “LulzSec Black” suggests a continuation or revival of the LulzSec hacktivist brand. Targeting SCADA systems for dam management in the UAE is an extremely serious threat, far exceeding typical website defacements. This indicates either a higher level of sophistication or a shift in targeting priorities for groups operating under the LulzSec banner. The UAE’s role as a major political and economic power in the Middle East makes its critical infrastructure an attractive target for various state and non-state actors seeking to cause disruption or make a political statement.
Incident 20: Alleged database leak of Global Forex Leads
- Date & Time: 2025-05-12T02:35:20Z
- Category: Data Leak
- Victim Profile:
- Organization: Unspecified (source of Global Forex Leads)
- Industry: Financial Services (Forex)
- Country: Global (implicitly)
- Site: Not specified
- Incident Overview: Threat actor “XQLGhost” is selling a “Global Forex Leads Database” on darkforums.st, containing over 150,000 verified entries. The data reportedly includes first-time deposit (FTD) amounts, total deposited USD, contact information, broker details, and country. Leads are filtered by various criteria, including high depositors and recovery cases.
- Threat Actor Analysis: XQLGhost
- Profile & Known Aliases: “XQLGhost” is a data broker specializing in financial leads, operating on darkforums.st.
- Assessed Motivation & Objectives: Financial gain. Forex leads, particularly those with detailed deposit information and categorizations like “recovery cases” or “hot prospects,” are highly valuable for orchestrating targeted financial scams.
- Observed Tactics, Techniques, and Procedures (TTPs): Acquiring and selling specialized financial marketing/lead data. The detailed filtering criteria suggest the data is intended for sophisticated fraud operations.
- Relevant Past Activity & Affiliations: Specific past activity for “XQLGhost” requires further investigation.
- Source Links:
- Published URL: https://darkforums.st/Thread-Selling-Global-Forex-Leads-Database-%E2%80%93-150K-Verified-Entries
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7ca8795a-8d35-4dc2-a9bb-b26166297ada.png
- Context & Significance: This type of data is prime for use in “recovery scams” or advanced fee fraud. Fraudsters can contact individuals who have previously deposited in Forex, leveraging their known financial history to offer assistance in recovering lost funds or to propose new, seemingly lucrative investment opportunities, often leading to further financial loss for the victims. The specificity of the data (FTD amounts, recovery cases) makes these scams highly targeted and potentially more successful.
Incident 21: Alleged sale of USA DOCTORS DATABASE
- Date & Time: 2025-05-12T02:04:45Z
- Category: Data Leak
- Victim Profile:
- Organization: Unspecified (source of US doctors’ data)
- Industry: Healthcare
- Country: USA
- Site: Not specified
- Incident Overview: Threat actor “Shinchan” is offering for sale a database purportedly containing information on 300,000 U.S. doctors on darkforums.st. Sample details were shared.
- Threat Actor Analysis: Shinchan
- Profile & Known Aliases: “Shinchan” is a data broker operating on darkforums.st. The use of a popular cartoon character name can sometimes be adopted by less mature actors, but it does not necessarily reflect their technical skill or the severity of the data they handle.
- Assessed Motivation & Objectives: Financial gain. The PII of medical professionals can be valuable for various illicit purposes.
- Observed Tactics, Techniques, and Procedures (TTPs): Data acquisition and sale on dark web marketplaces.
- Relevant Past Activity & Affiliations: Specific past activity for “Shinchan” requires further investigation.
- Source Links:
- Published URL: https://darkforums.st/Thread-Selling-300K-USA-DOCTOR-PERSONNEL-DATA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b42a22d9-d3ea-4b64-873c-6360a82ff998.png
- Context & Significance: While seemingly straightforward PII, a database of 300,000 U.S. doctors has several malicious applications. It could be exploited by illicit pharmaceutical marketers, scammers selling fake medical equipment, or for crafting highly convincing phishing campaigns that leverage a medical context to deceive recipients. Doctors are often perceived as high-net-worth individuals, making them attractive targets for various types of fraud. The origin of such a comprehensive list is a critical question for investigators.
Incident 22: Alleged data breach of NUCLEP
- Date & Time: 2025-05-12T01:48:25Z
- Category: Data Breach
- Victim Profile:
- Organization: NUCLEP (Nuclebrás Equipamentos Pesados S.A.)
- Industry: Government Administration / Defense / Nuclear Manufacturing
- Country: Brazil
- Site: nuclep.gov.br
- Incident Overview: Threat actor “Jack_back” is offering data allegedly exfiltrated from NUCLEP, a Brazilian state-owned nuclear company, for $1,500 on darkforums.st. The compromised data is described as highly sensitive, including files related to defense and nuclear manufacturing, military submarines, uranium mining information, AutoCAD schematics, videos, coordinates, and employee details (emails, passwords, names).
- Threat Actor Analysis: Jack_back
- Profile & Known Aliases: “Jack_back” is advertising highly sensitive, potentially national security-related data. The sale is occurring on darkforums.st.
- Assessed Motivation & Objectives: The stated motivation appears financial, given the sale price. However, the nature of the data (if authentic and as sensitive as claimed) suggests potential for espionage or state-sponsored activity. The low asking price of $1,500 is highly unusual for data of this purported criticality.
- Observed Tactics, Techniques, and Procedures (TTPs): Exfiltration of highly sensitive government and defense-related data. The method of breach is unknown.
- Relevant Past Activity & Affiliations: Specific past activity for “Jack_back” requires further investigation.
- Source Links:
- Published URL: https://darkforums.st/Thread-Nuclep-Brazil
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7f11738c-31e0-4a4f-9a8d-e4f6ec8db58d.png
- Context & Significance: This incident, if the claims are accurate, represents one of the most critical threats observed. NUCLEP plays a key role in Brazil’s nuclear program, including the construction of nuclear submarines. Data such as AutoCAD schematics for military submarines, details on uranium mining, and defense manufacturing files would be of immense interest to foreign intelligence agencies and pose a severe national security risk to Brazil. The exceptionally low asking price of $1,500 is a significant anomaly. Several possibilities could explain this:
- The seller may be unsophisticated and unaware of the data’s true strategic value.
- The data may not be as comprehensive or critical as advertised by the seller.
- The $1,500 price could be for a small sample, intended to attract serious buyers for a much larger dataset at a significantly higher price.
- It could be a deliberate tactic by a state-sponsored actor to ensure wider dissemination of the sensitive information while attempting to misattribute the leak to criminal elements.
Regardless of the seller’s true motive or the data’s complete authenticity, any credible claim of compromise involving a state nuclear entity warrants urgent investigation at the national level.
Incident 23: Alleged data breach of Mag Paraguay
- Date & Time: 2025-05-12T01:32:10Z
- Category: Data Breach
- Victim Profile:
- Organization: Ministry of Agriculture (MAG) Paraguay
- Industry: Government Administration
- Country: Paraguay
- Site: mag.gov.py
- Incident Overview: Threat actor “Gatito_FBI_Nz” claims on darkforums.st to have leaked data from Paraguay’s Ministry of Agriculture (MAG). The compromised information reportedly includes details of 1,414 suppliers and access credentials to a government portal.
- Threat Actor Analysis: Gatito_FBI_Nz
- Profile & Known Aliases: “Gatito_FBI_Nz” (which translates loosely to “Little Cat FBI New Zealand”) uses a playful or mocking name, common among some hacktivists or opportunistic data thieves. The actor is operating on darkforums.st.
- Assessed Motivation & Objectives: Motivations could be political (targeting a government ministry for disruption or embarrassment), financial (selling supplier data or the valuable government portal access), or simply for notoriety within the cybercriminal community.
- Observed Tactics, Techniques, and Procedures (TTPs): Data exfiltration and credential theft. The method of breach is not specified.
- Relevant Past Activity & Affiliations: Specific past activity for “Gatito_FBI_Nz” requires further investigation.
- Source Links:
- Published URL: https://darkforums.st/Thread-PARAGUAY-MINISTERIO-DE-AGRICULTURA-SUPPLIERS-AND-OTHERS
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/962bbe10-ddc7-4e93-a996-23cae9788fca.png
- Context & Significance: The exfiltration of supplier data from a government ministry can be leveraged for sophisticated supply chain attacks or highly targeted phishing campaigns against government contractors. Exposed government portal credentials provide a direct pathway for further unauthorized access and potential compromise of other government systems. Despite the seemingly non-serious persona suggested by the actor’s name, the potential impact of such a breach on the Paraguayan government’s operations and security could be significant.
Incident 24: Alleged data breach of Beeline
- Date & Time: 2025-05-12T01:19:18Z
- Category: Data Breach
- Victim Profile:
- Organization: Beeline (Russian mobile operator)
- Industry: Network & Telecommunications
- Country: Russia
- Site: moskva.beeline.ru
- Incident Overview: Threat actor “IShowLeak” claims on darkforums.st to have leaked data from the Russian mobile operator Beeline. The compromised data reportedly contains 9.6 million records, including full names, phone numbers, email addresses, physical addresses, and connected services of customers who installed wired internet in 2017.
- Threat Actor Analysis: IShowLeak
- Profile & Known Aliases: “IShowLeak” is a data broker or leaker, with a name that clearly indicates their primary activity. They are operating on darkforums.st.
- Assessed Motivation & Objectives: Likely financial gain from selling the data or notoriety from leaking it. While the data is dated (from 2017), a dataset of 9.6 million records can still be valuable for identity theft, large-scale phishing, or spam campaigns.
- Observed Tactics, Techniques, and Procedures (TTPs): Acquisition and leaking/selling of large PII databases.
- Relevant Past Activity & Affiliations: Specific past activity for “IShowLeak” requires further investigation.
- Source Links:
- Published URL: https://darkforums.st/Thread-Russian-mobile-operator-Beeline
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/f9b8042a-7060-48db-8ad1-e7e1c51ddf75.png
- Context & Significance: Large-scale breaches of telecommunications companies are unfortunately common. Even though the data is from 2017, many personal details such as names, physical addresses, and potentially email addresses may still be current and exploitable. For a Russian mobile operator, this data could be of interest to domestic law enforcement or intelligence agencies if it contains records on specific individuals of interest. Alternatively, it could be used by criminals for widespread fraud or spam targeting Russian citizens. The act of leaking Russian citizen data on a predominantly Russian-speaking forum could also be an attempt to damage Beeline’s reputation or have other internal competitive or political dimensions.
Incident 25: Alleged data leak of Xplay
- Date & Time: 2025-05-12T01:05:07Z
- Category: Data Leak
- Victim Profile:
- Organization: Xplay (Tor .onion site)
- Industry: Unspecified (Dark Web Service)
- Country: Not applicable (Tor site)
- Site: Not specified (.onion address implied)
- Incident Overview: Threat actor “l33tfg” claims on darkforums.st to have leaked 783 database entries from a Tor .onion site named “Xplay.”
- Threat Actor Analysis: l33tfg
- Profile & Known Aliases: “l33tfg” (a derogatory term using leetspeak, common in older hacker subcultures) is likely a hacker targeting dark web entities.
- Assessed Motivation & Objectives: Motivations could include gaining notoriety within the hacking community, a desire to expose users or services on the dark web, or a specific dispute with the operators of “Xplay.”
- Observed Tactics, Techniques, and Procedures (TTPs): Hacking Tor/.onion sites to exfiltrate databases. Leaking the data on a public dark web forum.
- Relevant Past Activity & Affiliations: Specific past activity for “l33tfg” requires further investigation. The actor’s chosen name suggests an adherence to an older, more provocative style of hacker culture.
- Source Links:
- Published URL: https://darkforums.st/Thread-Xplay-database
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/72c1ef77-8881-46d3-a43b-7098dcaefaf8.png
- Context & Significance: Attacks against .onion sites represent “dark-on-dark” cybercrime. The impact of such a leak depends heavily on the nature of the “Xplay” site. If “Xplay” hosted illicit services, a marketplace, or a forum for sensitive discussions, the exposure of its user database could have significant real-world consequences for individuals who believed their activities were anonymous. This type of incident highlights the fact that even dark web platforms are vulnerable to breaches.
Incident 26: Alleged data leak of Government of Telangana, India
- Date & Time: 2025-05-12T01:02:22Z
- Category: Data Breach
- Victim Profile:
- Organization: Government of Telangana
- Industry: Government Administration
- Country: India
- Site: telangana.gov.in
- Incident Overview: The hacktivist group “INDOHAXSEC” claims on darkforums.st to have leaked data from the Government of Telangana, India.
- Threat Actor Analysis: INDOHAXSEC
- Profile & Known Aliases: As detailed in Incident 5, INDOHAXSEC is an Indonesian hacktivist group known for its anti-India activities and collaborations.3
- Assessed Motivation & Objectives: Political and ideological, consistent with their declared anti-India stance and past actions.3 Targeting an Indian state government aligns with their campaign.
- Observed Tactics, Techniques, and Procedures (TTPs): Data exfiltration from government systems. In this instance, they are using a dark web forum (darkforums.st) for dissemination, which might indicate an attempt to sell the data or reach a different audience compared to their Telegram announcements.
- Relevant Past Activity & Affiliations: As per Incident 5. This includes DDoS, ransomware, defacements, and data leaks, often in collaboration with groups like NoName057(16) and Team Azrael – Angel of Death.3
- Source Links:
- Published URL: https://darkforums.st/Thread-TELENGANA-INDIA-GOVERNMENT-DATABASE-LEAKED
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a27add9d-6d89-43b7-89ac-22d879029165.png
- Context & Significance: This incident further solidifies INDOHAXSEC’s ongoing and focused campaign against Indian targets. The choice to announce this particular leak on darkforums.st, as opposed to their more typical Telegram channel for alerts (like Incident 5), could suggest a different operational approach for this dataset, possibly involving monetization or broader distribution within the cybercriminal underground. A breach of a state government like Telangana can expose a wide variety of sensitive information, including citizen PII, internal government documents, and operational data, all of which aligns with INDOHAXSEC’s broader geopolitical motivations.
Key Emerging Threats & Alerts
This section focuses on incidents categorized as “Alerts,” where threat actors have proactively declared their intentions to target specific entities or sectors. Such declarations provide a crucial, albeit often narrow, window for potential victims to bolster defenses.
- INDOHAXSEC Targets Indian Finance Sector (Incident 5)
- Detailed Analysis: The alert from INDOHAXSEC 3 declaring their intent to target the Indian finance sector is a significant development. The Indian financial sector represents critical national infrastructure, and any successful large-scale attack could have severe economic and public trust repercussions. INDOHAXSEC’s established TTPs, which include Distributed Denial of Service (DDoS) attacks, ransomware deployment, website defacements, and data leaks 3, suggest that a multi-faceted campaign could be underway or in advanced planning stages.
- Their known alliances, particularly with the pro-Russian group NoName057(16) 3 and the Pakistani hacktivist group Team Azrael – Angel of Death 4, are concerning. These collaborations could provide INDOHAXSEC with additional resources, attack vectors, or coordinated operational support, amplifying their potential impact. The motivation behind this targeting is clearly political and ideological, stemming from pro-Palestinian sentiments and broader anti-India stances often observed in the context of regional geopolitical conflicts.3
- Implications: Financial institutions in India must treat this alert with utmost seriousness. This requires immediate action, including heightening security monitoring across all attack surfaces, reviewing and testing incident response plans specifically for scenarios involving DDoS, ransomware, and data exfiltration. Vigilance against sophisticated phishing campaigns, often a precursor to ransomware or credential theft, is also paramount.
- Team Azrael Angel Of Death Targets India (Incident 16)
- Detailed Analysis: The general alert issued by Team Azrael Angel Of Death, proclaiming India as a target, gains further weight when viewed in conjunction with their simultaneous claims of defacing an Indian educational website (STD CLICK, Incident 17) and breaching an Indian school (Thukral Public School TPS, Incident 18). This pattern indicates an active and aggressive ongoing campaign.
- Their collaboration with INDOHAXSEC 4 reinforces the notion of a coordinated threat landscape targeting India. While CloudSEK analysis suggests that some of Team Azrael’s more grandiose claims in the past (such as the alleged breach of the Election Commission of India or Indian Army data) were likely based on repackaged historical data or were unsubstantiated 31, their persistent intent and continuous activity remain a valid concern. Even if some claims are exaggerated for propaganda purposes, the group demonstrably possesses capabilities for defacement and potentially data exfiltration from less hardened targets.
- Implications: Organizations across India, with a particular emphasis on government, defense, and educational sectors (which appear to be primary targets for this group), should maintain a heightened state of alert. The threat is ongoing and involves a variety of TTPs, necessitating comprehensive security measures.
- Broader Implications of Alerts:
- These alerts from hacktivist groups represent a shift from purely reactive reporting of past breaches to proactive declarations of intent. This dynamic, while threatening, offers defenders a potential, albeit often limited, opportunity to preemptively strengthen defenses and increase vigilance.
- The predominant use of Telegram for these alerts and for coordinating hacktivist activities 2 underscores the platform’s critical role as a command-and-control, recruitment, and dissemination hub for these groups. Monitoring such channels can provide valuable, timely intelligence.
The proactive alerts from INDOHAXSEC and Team Azrael Angel Of Death, especially when considering their documented collaboration 4, point towards a more strategic and potentially coordinated multi-pronged campaign against Indian interests. This is indicative of an evolution beyond isolated, opportunistic incidents towards a level of planning and shared objectives among these hacktivist collectives. The explicit targeting of critical sectors like finance by INDOHAXSEC highlights a concerning trend where hacktivist ambitions are escalating beyond simple defacements to potentially more impactful and disruptive attacks. The “Alert” category itself signifies a forward-looking threat that demands immediate attention and proactive defensive measures from the targeted entities.
Observed Trends & Patterns (May 12, 2025)
Analysis of the incidents reported on May 12, 2025, reveals several key trends and patterns in the current cyber threat landscape:
- Dominance of Data-Driven Attacks: A substantial majority of the reported incidents involve data leaks and data breaches (Incidents 1, 2, 4, 7, 8, 10, 12, 14, 20, 21, 22, 23, 24, 25, 26). Threat actors are consistently focused on exfiltrating sensitive information—including Personally Identifiable Information (PII), financial data, corporate secrets, and access credentials—for subsequent sale on dark web markets or public leakage for hacktivist purposes. This underscores the high value attributed to data in the underground economy.
- Prevalence of Politically Motivated Hacktivism: Multiple incidents are attributed to hacktivist groups such as ZEROLEGIONCREWINDONESIAN, HexaForce Alliance, INDOHAXSEC, J43v3r, CyberVolk Arcanum, Hindutva Warriors, Team Azrael Angel Of Death, and LulzSec Black. Their activities, which include website defacements, data leaks, and direct alerts of impending attacks, are primarily aimed at entities in countries like India, Pakistan, and Israel. These actions often mirror and amplify ongoing geopolitical tensions and ideological conflicts.3
- Thriving Initial Access Brokerage (IAB) Ecosystem: The sale of unauthorized access to corporate and government networks (Incidents 3, 9, 13, 15, 19) remains a robust segment of the cybercrime-as-a-service model. Forums like xss.is, exploit.in, and darkforums.st serve as key marketplaces where IABs connect with other criminals, such as ransomware operators or espionage actors, who then leverage this access for their own campaigns.7 The offering of access to SCADA systems (Incidents 13, 19) is particularly alarming due to the potential for disruption of critical infrastructure.
- Targeting of Critical and Sensitive Sectors: Threat actors demonstrated a broad range of targets, including Government (Incidents 4, 22, 23, 26), Education (Incidents 2, 11, 17, 18), Financial Services (Incidents 5 (alert), 15, 20), Manufacturing (Incidents 6, 13), and Critical Infrastructure (SCADA systems in Incidents 13, 19). This widespread targeting indicates that organizations across all sectors must remain vigilant.
- Central Role of Dark Web Forums and Telegram: Dark web forums such as darkforums.st, xss.is, and exploit.in continue to be pivotal platforms for the advertisement and sale of stolen data, exploits, and unauthorized access.7 Simultaneously, the encrypted messaging platform Telegram is extensively used by hacktivist groups for issuing announcements, coordinating activities, recruiting members, and disseminating leaked data.2
- Geopolitical Hotspots Fueling Cyber Activity: The concentration of hacktivist attacks and cyber incidents related to India, Pakistan, and Israel suggests that these regions are currently experiencing heightened levels of cyber conflict. This activity is frequently driven by groups with strong nationalistic or religious ideologies, using cyber operations as a tool to project power or retaliate for real-world events.
A notable characteristic of the current threat landscape is the increasing convergence of motivations and the interconnectedness of various illicit activities. We are observing instances where actors, such as CyberVolk Arcanum, demonstrate both financially motivated criminal behavior (e.g., operating a Ransomware-as-a-Service) and ideologically driven hacktivism.17 This blurring of lines makes actor attribution and motive assessment more complex. Furthermore, the IAB market directly fuels more impactful subsequent attacks, such as ransomware incidents, creating a deeply interconnected web of threats. An access sold by an IAB today can easily become a headline-grabbing ransomware attack or a significant data breach tomorrow, illustrating how different facets of the cybercrime ecosystem feed into and amplify one another, thereby increasing the overall risk to organizations globally.
Key Threat Actors Active on May 12, 2025
The following table summarizes the key threat actors involved in the incidents reported on May 12, 2025, along with their observed platforms, primary motivations, and common TTPs.
| Threat Actor | Observed Platform(s) | Assessed Primary Motivation(s) | Common TTPs Observed/Associated |
|---|---|---|---|
| ZEROLEGIONCREWINDONESIAN | darkforums.st | Political/Ideological | Data leak |
| klandestine | darkforums.st | Financial | Data breach, PII & financial data sale |
| pianoxltd | xss.is | Financial (IAB) | Sale of unauthorized network access |
| HexaForce Alliance | Telegram | Political/Ideological | Data breach (government target), Telegram dissemination |
| INDOHAXSEC | Telegram, darkforums.st | Political/Ideological (Anti-India) | Alerts, data breach (government target), DDoS, ransomware, defacement 3 |
| J43v3r | Telegram | Notoriety/Political | Website defacement |
| d3fn0d3 | exploit.in | Financial | Sale of credit card data |
| CyberVolk Arcanum | Telegram | Political (Pro-Russian), Financial | Data breach, defacement, Ransomware-as-a-Service (RaaS) 17 |
| Fordnox | exploit.in | Financial (IAB) | Sale of WordPress admin access |
| Hindutva Warriors | Telegram | Political/Ideological (Pro-India) | Data leak (targeting Turkey) |
| Smartik | xss.is | Financial | Data breach (software/corporate data) |
| CYBER SHARK | Telegram | Political/Financial/Notoriety | Sale/leak of SCADA system access |
| elpatron85 | darkforums.st | Financial | Sale of KYC data |
| Asipati | darkforums.st | Financial (IAB) | Sale of extensive corporate access (insurance sector) |
| Team Azrael Angel Of Death | Telegram | Political/Ideological (Anti-India) | Alerts, defacement, data breach (education targets) 4 |
| LulzSec Black | Telegram | Political/Notoriety (“Lulz”)/Financial | Sale/leak of SCADA system access (dam management) 32 |
| XQLGhost | darkforums.st | Financial | Sale of financial leads database (Forex) |
| Shinchan | darkforums.st | Financial | Sale of PII (doctors’ database) |
| Jack_back | darkforums.st | Financial/Espionage (anomalous price) | Data breach (highly sensitive nuclear/defense data) |
| Gatito_FBI_Nz | darkforums.st | Political/Financial/Notoriety | Data breach (government suppliers, portal credentials) |
| IShowLeak | darkforums.st | Financial/Notoriety | Data breach (telecom customer data) |
| l33tfg | darkforums.st | Notoriety/Disruption | Data leak (dark web .onion site) |
Strategic Considerations & Outlook
The cybersecurity incidents of May 12, 2025, present several strategic considerations for organizations and security professionals:
- Heightened Threat to Critical Infrastructure: The repeated targeting of SCADA systems (Incidents 13, 19 involving Oliva Panabera and the UAE dam management system) and the explicit declaration by INDOHAXSEC to target the Indian finance sector (Incident 5) underscore a persistent and increasing risk to critical national infrastructure (CNI). Organizations operating within these sectors must prioritize Operational Technology (OT) security alongside traditional IT security. This includes network segmentation, regular vulnerability assessments of ICS/SCADA environments, and specialized threat intelligence feeds focused on OT threats.
- Evolving Hacktivist Capabilities and Coordination: The formation of alliances like “HexaForce Alliance” and the documented collaborations of groups such as INDOHAXSEC with NoName057(16) and Team Azrael Angel Of Death 3 suggest that hacktivist operations are becoming more organized and potentially more impactful. These groups are leveraging shared resources and coordinating campaigns, moving beyond simple defacements to more complex data breaches and targeted disruptions. Continuous monitoring of their primary communication channels, predominantly Telegram, is crucial for early warnings and understanding evolving TTPs.
- The Unabated Data Breach Pandemic: The sheer volume of data breaches and leaks (e.g., Loyola University, Postel SpA, Beeline, NUCLEP, Telangana Government) indicates that many organizations continue to struggle with implementing and maintaining fundamental cybersecurity hygiene. The ready availability of stolen PII, financial details, and corporate data on dark web markets fuels a vast underground economy and enables further cybercrime, from identity theft to sophisticated social engineering and targeted attacks.
- Vigilance for Nation-State Activity Disguised as Cybercrime: While many of the day’s incidents appear to be criminally motivated or driven by hacktivism, the nature of certain targets and the data involved raise concerns about potential nation-state involvement. The alleged breach of NUCLEP (Incident 22), involving highly sensitive Brazilian nuclear and defense information, is a prime example. The anomalously low asking price of $1,500 for such data is a significant red flag. It could be a tactic by a state actor to ensure wider dissemination of the compromised information while misattributing the leak to common cybercriminals, or it might be an attempt by an unsophisticated actor to quickly monetize assets whose true value they do not comprehend. Regardless, such incidents demand careful scrutiny for indicators of state-sponsored operations.
- The Imperative of Proactive Defense: The “Alert” category incidents (Incidents 5 and 16) serve as a stark reminder that threat actors often signal their intentions before launching attacks. Organizations, particularly those operating in regions or sectors explicitly named by these groups, must leverage such intelligence to transition to a proactive defense posture. This includes threat hunting, reviewing security controls against known TTPs of the threatening actors, and ensuring incident response plans are current and tested.
- Persistent Third-Party and Supply Chain Risks: Breaches such as the one affecting MAG Paraguay, which exposed supplier data and government portal credentials (Incident 23), highlight the ongoing risks associated with third-party vendors and the broader supply chain. Organizations must extend their security diligence and risk management practices to include their partners and suppliers who may have access to their systems or data.
The daily cadence of high-impact cyber threats, including sales of SCADA access, major government and corporate data breaches, and massive PII leaks, is at risk of becoming a “new normal.” This normalization can lead to “breach fatigue,” desensitizing defenders and organizations to the severe potential impact of each individual event. However, the strategic implications of incidents like the NUCLEP data compromise or the repeated targeting of SCADA systems remain exceptionally high. The unusual circumstances surrounding the NUCLEP data sale, particularly its low price, warrant deep investigation, as it could signify more sophisticated motives than simple financial gain, such as a state-level actor aiming for widespread dissemination of sensitive intelligence or seeking to create geopolitical instability under the guise of a criminal transaction. A strategic outlook must therefore not only quantify the number of incidents but also qualitatively weigh their potential strategic impact and the nuanced motivations that might drive them.
Conclusion
The cyber threat landscape of May 12, 2025, was characterized by a high tempo of operations, with significant activity from both financially motivated cybercriminals and ideologically driven hacktivist groups. Data breaches and the sale of compromised information remain central to the underground economy, while hacktivist collectives continue to leverage cyber operations as a tool in geopolitical conflicts. The targeting of critical infrastructure and the proactive alerts issued by threat groups underscore the need for heightened vigilance and robust, intelligence-driven cybersecurity strategies across all sectors. The potential for nation-state actors to operate under the guise of criminal or hacktivist activities, particularly in breaches involving highly sensitive national security data, necessitates careful analysis and a strategic approach to threat assessment. Organizations must prioritize not only reactive incident response but also proactive defense measures informed by continuous monitoring of the evolving threat landscape.
Works cited
- Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed May 12, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
- Russia-Ukraine war: Telegram-based hacktivism in 2023 – SecAlliance, accessed May 12, 2025, https://www.secalliance.com/blog/russia-ukraine-war-telegram-based-hacktivism-in-2023
- INDOHAXSEC Indonesian Hacking Collective | Arctic Wolf, accessed May 12, 2025, https://arcticwolf.com/resources/blog/indohaxsec-emerging-indonesian-hacking-collective/
- Reflections of the India–Pakistan Kashmir Escalation on the Cyber World – SOCRadar, accessed May 12, 2025, https://socradar.io/india-pakistan-kashmir-escalation-on-cyber-world/
- Adversarial Misuse of Generative AI | Google Cloud Blog, accessed May 12, 2025, https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai
- Threat actor profile: Lazarus | Hunt & Hackett, accessed May 12, 2025, https://www.huntandhackett.com/members/actors/apt38
- Dynamics on Hacking Forums: How do Threat Actors Trust Each Other? – Searchlight Cyber, accessed May 12, 2025, https://slcyber.io/blog/dynamics-on-hacking-forums-how-do-threat-actors-trust-each-other/
- Russian cybercrime forum XSS claims to ban ransomware following Colonial Pipeline hack, accessed May 12, 2025, https://cyberscoop.com/colonial-pipeline-ransomware-xss-criminal/
- What is a Threat Actor? Types & Examples – SentinelOne, accessed May 12, 2025, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/threat-actor/
- Exploring Telegram DDoS Groups: Threats, Tools, and Evolving Strategies – SOCRadar, accessed May 12, 2025, https://socradar.io/exploring-telegram-ddos-groups-threats-tools/
- Cyberattack Suspected in Worldwide X Outage – ZeroFox, accessed May 12, 2025, https://www.zerofox.com/intelligence-feed/cyberattack-suspected-in-worldwide-x-outage/
- Cloud Security Alliance Issues Top Threats to Cloud Computing Deep Dive 2025, accessed May 12, 2025, https://www.01net.it/cloud-security-alliance-issues-top-threats-to-cloud-computing-deep-dive-2025/
- Threat Actor Profiles – Cyble, accessed May 12, 2025, https://cyble.com/threat-actor-profiles/
- Use promptbooks in Microsoft Security Copilot, accessed May 12, 2025, https://learn.microsoft.com/en-us/copilot/security/using-promptbooks
- Exploit Forum, Initial Access Brokers, and Cybercrime on the Dark Web – Flare, accessed May 12, 2025, https://flare.io/learn/resources/blog/exploit-forum/
- Silk Typhoon targeting IT supply chain | Microsoft Security Blog, accessed May 12, 2025, https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
- CyberVolk Ransomware Technical & Malware Analysis Report …, accessed May 12, 2025, https://threatmon.io/cybervolk-ransomware-technical-malware-analysis-report/
- Ransomware Groups Demystified: CyberVolk Ransomware | Rapid7 …, accessed May 12, 2025, https://old.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-cybervolk-ransomware/
- 202308161700_China-Based Threat Actor Profiles_TLPCLEAR – HHS.gov, accessed May 12, 2025, https://www.hhs.gov/sites/default/files/china-based-threat-actor-profiles-tlpclear.pdf
- Cyber Threat Group Profiles: Their Objectives, Aliases, and Malware Tools | Secureworks, accessed May 12, 2025, https://www.secureworks.com/research/threat-profiles
- Escalating Hacktivist Attacks Amidst India-Pakistan Tensions – Radware, accessed May 12, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/escalating-hacktivist-attacks-amidst-india-pakistan-tensions/
- Hacktivist Groups: The Shadowy Links to Nation-State Agendas – Trellix, accessed May 12, 2025, https://www.trellix.com/blogs/research/hacktivist-groups-the-shadowy-links-to-nation-state-agendas/
- “This Forum is a Bunch of Communists and They Set Me Up”, LockBit Spills the Tea Regarding Their Recent Ban on Russian-Speaking Forums | Analyst1, accessed May 12, 2025, https://analyst1.com/this-forum-is-a-bunch-of-communists-and-they-set-me-up-lockbit-spills-the-tea-regarding-their-recent-ban-on-russian-speaking-forums/
- What is Cross-site Scripting and How to Prevent It | Ping Identity, accessed May 12, 2025, https://www.pingidentity.com/en/resources/cybersecurity-fundamentals/threats/cross-site-scripting.html
- Cyber Threat Profile | Google Cloud, accessed May 12, 2025, https://cloud.google.com/security/resources/datasheets/cyber-threat-profile
- Activating AI Agents: Building a Smarter Cyber Threat Intelligence System – Cyware, accessed May 12, 2025, https://www.cyware.com/blog/activating-ai-agents-building-a-smarter-cyber-threat-intelligence-system
- Threat Actor Profile – Shathak malware group – Outpost24, accessed May 12, 2025, https://outpost24.com/blog/threat-actor-profile-shathak/
- The Iranian Cyber Capability – Trellix, accessed May 12, 2025, https://www.trellix.com/blogs/research/the-iranian-cyber-capability/
- Hacktivist Group DieNet Claims DDoS Attacks against U.S. CNI, accessed May 12, 2025, https://www.cisecurity.org/insights/blog/hacktivist-group-dienet-claims-ddos-attacks-against-u-s-c-n-i
- Hacktivism Unveiled Q1 2025: How Hacktivists Zeroed In on the US – Radware, accessed May 12, 2025, https://www.radware.com/blog/threat-intelligence/hacktivism-unveiled-q1-2025/
- Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge | CloudSEK, accessed May 12, 2025, https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
- LulzSec – Wikipedia, accessed May 12, 2025, https://en.wikipedia.org/wiki/LulzSec
- Operation Deface: A New Alliance of Hacktivists on Telegram – Cyberint, accessed May 12, 2025, https://cyberint.com/blog/threat-intelligence/operation-deface-a-new-alliance-of-hacktivists-on-telegram/