[May-17-2026] Daily Cybersecurity Threat Report

This comprehensive threat intelligence report provides an in-depth analysis of global cyber incidents, threat actor activities, and underground market trends observed as of mid-May 2026. The intelligence is derived from communications across the open web, Tor network, and Telegram channels, highlighting a rapidly evolving threat landscape characterized by massive credential leaks, sophisticated enterprise breaches, and highly organized cybercrime ecosystems.

1. High-Impact Corporate Data Breaches and Supply Chain Threats

The reporting period saw a surge in massive data breaches targeting multinational corporations, cloud infrastructure providers, and enterprise SaaS platforms.

Salesforce and Global Enterprises: The notorious threat actor group “ShinyHunters” claimed a catastrophic breach of Salesforce, alleging the theft of between 989.45 million and over 1 billion records.
- The compromised data allegedly spans over 35 major organizations across various sectors, including automotive (Toyota, Stellantis), logistics (FedEx, UPS), retail (Home Depot, Gap), hospitality (Marriott, Disney), airlines (Qantas, Air France), and technology (Cisco).
- Data volumes per victim range from 1GB to 172.96GB.
AT&T Corporation: “ShinyHunters” also advertised the sale of 200 million AT&T customer records allegedly breached on May 6, 2026.
- The dataset reportedly includes full Personally Identifiable Information (PII), financial data (credit cards, bank accounts), credentials, health/medical records, and highly sensitive internal AT&T documents, including API keys and system configurations.
- The asking price for this database was set at $10,000 USD.
Live Nation / Ticketmaster: A comprehensive breach of Ticketmaster resulted in the exposure of 560 million customer records.
- The 1.3TB database includes full PII, event ticket sales history, and partial credit card information.
- The threat actor demanded $10,000 USD for the data.
Vercel Supply Chain Threat: A critical supply chain threat emerged when a threat actor claimed to have compromised the cloud platform Vercel.
- The actor offered access keys, source code, database dumps, API keys, NPM tokens, and GitHub tokens.
- The actor explicitly threatened to leverage this access to conduct a supply chain attack via Next.js package updates, potentially affecting millions of global developers.
Mythos AI: An actor claimed unauthorized access to Mythos AI, possessing over 3,000 internal documents, superuser administrative access, and zero-day vulnerabilities.
- The actor offered to rent access to the compromised 10-trillion parameter AI model for up to $2,500 annually.
Adobe Business Platform: A threat actor named “MDGhost666” claimed to have leaked 832.87GB of data associated with business.adobe.com.
- The leak purportedly covers 2025-2026 and includes databases from integrated marketing services such as Sendgrid, HubSpot, MailGun, and MailJet.
Evocon Industrial Cloud: The threat actor “Sejjil” breached Evocon’s central cloud database, extracting global factory transaction logs and industrial device operational data.
- The actor threatened to publish the data if an extortion demand was not met.

2. Critical Infrastructure, Government, and Healthcare Compromises

Cyber attacks against government infrastructure, critical services, and healthcare providers continue to pose severe national security and privacy risks.

Critical Infrastructure and Government

Bangladesh Atomic Energy Commission: The “Infrastructure Destruction Squad” announced imminent cyber attacks against the Bangladesh Atomic Energy Commission.
- The group claimed to have compromised SCADA systems using the “TRK25 ADVANCED SCADA” tool, resulting in the theft of 1GB of confidential documents.
- They also claimed to have successfully targeted systems at a Bangladeshi nuclear power plant.
Mexican Government Data: Multiple massive data exposures affected Mexican citizens.
- A Telegram bot was promoted that queried student databases (OSEP) and the National Electoral Institute (INE), exposing full names, CURP, medical records, and employment histories.
- Additionally, the actor “tabaskoss” sold 125GB of Mexican financial documents, including bank statements and tax records containing RFC and CLABE identifiers.
Serbian Ministry of Interior (MUP): A threat actor breached the Serbian MUP’s Foreigners Office database, stealing roughly 180,000 records.
- The data exposed national ID numbers (JMBG), passport numbers, and visa applications for both Serbian citizens and foreign nationals.
Global Government Leaks: A threat actor sold the complete 160-million record database of Vietnam’s National Credit Information Center.
- “ShinyHunters” claimed the theft of 5TB of data from the Cybersecurity Center State Security Service (CCSSS) of Uzbekistan.
- An actor named “mosad” advertised the sale of classified US government documents from the DoD, CIA, DHS, and DIA, including military posture statements and budgets.
- In Iran, the pro-government recruitment site “janfadaa.ir” was compromised via RDP, exposing over 31.5 million highly sensitive citizen records.

Healthcare and Education

Western European Healthcare: A threat actor offered over 500GB of European healthcare sector data for sale.
- The dataset included 1.5 million Protected Health Information (PHI) documents and private keys that allegedly allow direct API queries to European Vaccination Card infrastructure.
Hospital Universitario Nacional de Colombia: An actor named “macaroni” dumped 8 databases from the hospital, exposing REDCap clinical research data, pharmacy records, and full PII for employees.
Wolfe Eye Clinic (USA): A leaked database exposed 639,640 patient records, including Social Security numbers and detailed medical information.
Educational Institutions: Indonesian universities were heavily targeted, with data leaks affecting Politeknik Negeri Bali and LSP Tematika. The Lahore Grammar School in Pakistan suffered a breach exposing 30,000 student and parent records.

3. The Credential Ecosystem: Stealer Logs and Combo Lists

The underground economy is currently saturated with “combo lists” (combinations of stolen email addresses and passwords) and stealer logs containing URL:Login:Password (ULP) formats. These datasets are aggressively marketed to facilitate credential stuffing, brute-forcing, and account takeover (ATO) attacks.

Massive Scale Distribution

Threat actors operating under handles like “ZoneX404” and “MetaCloud3” dominated the distribution of massive credential sets.
“ZoneX404” freely distributed ultra-high-quality (UHQ) stealer log bases in staggering volumes, including distinct releases of 36.1 million , 32.4 million , 26.2 million , 21.6 million , and 10.6 million records.
“MetaCloud3” distributed a 13.8 million ULP combo list and a 9 million user:login:password list.
Another actor, “Daxus,” operated a commercial service selling access to 18.15 million UHQ stealer logs.

Targeted Platforms and Geography

Email Providers: Hotmail, Outlook, Yahoo, and Gmail were the primary targets for credential stuffing databases.
- “Vows” sold a 500,000-record Gmail list , a 50,000-record Hotmail list , and a 19,000-record Outlook list.
- “GhostlyGamer” offered a 450,000 UHQ Gmail combo list.
- An actor named “ImLupin” distributed 100,000 United States email/password pairs.
Shopping and Retail: Actors specifically tailored lists for retail fraud. A 609,000-record shopping combo list was distributed , along with a 531,000-record list targeting Nike.com , and a 403,391-record list focused on German shopping platforms.
Gaming and Streaming: A 4-million record list targeting the PlayStation Network (PSN) was sold , alongside a 1.5 million gaming mix list and a 560,000-record list targeting Roblox and Minecraft.
Geographic Targeting: Actors routinely organized credentials by region. Lists exclusively targeting Germany (e.g., 70,000 records ), France , Canada , Japan , Poland , and broader European sectors were highly prevalent.

4. Hacktivism and Mass Website Defacements

The intelligence reveals highly active hacktivist groups and individual defacers systematically exploiting Linux-based web servers to alter web pages.

Major Defacement Groups

Hidden Cyber Crime (Inside Alone7): This group executed a highly focused mass defacement campaign against the global diamond and luxury jewelry industry.
- Victims included Moti Israeli Diamonds , Regent Diamonds , David Levy Diamonds , and Eye Diamonds.
- The group also defaced Diamond Services Hong Kong and DSL Lab.
0xteam (chinafans): This threat actor conducted numerous targeted defacements globally.
- They defaced Brazilian websites such as Lancer Curitiba , iSell Brasil , and Nossa Distribuicao.
- European targets included Italian consultancy Dottoressa Rosset , Spanish establishment Kebabaretxabaleta , and UK-based Safe Hands Accounting.
Anonsec Team (Mr.spongebob): This actor focused almost entirely on the Indonesian education and financial sectors.
- They conducted mass defacements against the Universitas Akademi Sakti Nusantara (UASN) Moodle platform , the Faculty of Computer Science , and the Faculty of Economics.
TangerangXploit Team (YIIX103): This group targeted Indian academic institutions, defacing multiple educational portals including jrsc.ac.in and kmdc.ac.in.
Ushiromiya: This threat actor targeted Indonesian judicial and religious courts, defacing domains belonging to the Padang Religious Court , Pemalang Religious Court , and Maros Religious Court.
Midas Haxor Team: Conducted defacements against the Indonesian National Narcotics Agency (BNN) and the Bangkok Food System.

5. Cybercrime-as-a-Service (CaaS), Malware, and Exploits

The commodification of cybercrime tools continues to lower the barrier to entry for malicious actors, with thriving markets for malware, exploits, and fraudulent services.

Malware and Exploitation Frameworks

C2 BlackSite Framework: A highly dangerous Mobile Exploitation Framework was advertised targeting all versions of iOS and Android.
- The tool boasted zero-click capabilities, browser Remote Code Execution (RCE), kernel read/write access, persistent implants, and the ability to extract cryptocurrency wallet seed phrases.
Shai-Hulud Campaign: A sophisticated cyber operation named “Shai-Hulud” was identified distributing malware-infected packages to Linux developers.
- The actors reportedly leveraged AI capabilities to dynamically generate new security bypass methods, targeting cloud infrastructure and financial systems.
Amatera Stealer: Security operations identified a malware campaign delivering the “Amatera Stealer” via Fake CAPTCHA screens.
- The attack utilized a signed Microsoft App-V script (SyncAppvPublishingServer.vbs) as a LOLBIN, retrieved live C2 configurations from Google Calendar, and used PNG steganography to execute the final payload.

Vulnerabilities and Defensive Evasion

Ivanti EPMM Exploits: Pre-authentication RCE vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile were widely discussed as being actively exploited by Advanced Persistent Threat (APT) actors.
Evil VM PRT Theft: A novel privilege escalation technique dubbed “Evil VM” was published, detailing how to abuse Azure VM Device Identity to steal Primary Refresh Tokens (PRT) and escalate to Entra ID Admin.
EDR/AMSI Bypasses: Actors shared techniques for blinding security software, including the abuse of Windows AppLocker deny rules to block Endpoint Detection and Response (EDR) processes using the “GhostLocker” tool. Another technical writeup released a patchless bypass for AMSI (Antimalware Scan Interface) using Page Guard Exceptions.

Infrastructure and Fraud Services

DDoS Stressers: Services such as “Candystress.st” and “GoliathStress” offered powerful Distributed Denial of Service (DDoS) capabilities. These services claimed to bypass major protections like Cloudflare, AWS, and Akamai using custom UDP and game-server payloads.
Initial Access Brokers (IABs): Sellers routinely offered Remote Desktop Protocol (RDP) access to compromised AWS, Azure, and DigitalOcean cloud infrastructure for approximately $200. Webshell access to government networks was also sold openly.
Carding and Fraud: The “Boss Shop” marketplace advertised the daily supply of over 100,000 freshly stolen credit cards. Furthermore, specialized threat actors sold “mentorship courses” detailing how to commit refund fraud against Amazon and Apple by fabricating damaged goods evidence using manipulated photos and videos.

6. Concluding Strategic Analysis

The intelligence gathered from these underground forums underscores a sophisticated, multi-tiered threat environment. The sheer volume of compromised credentials—numbering in the tens of millions daily—highlights the critical necessity for organizations to enforce strict multi-factor authentication (MFA) and monitor for compromised credentials actively.

The successful breaches of tier-one technology companies like Salesforce and Vercel by groups like “ShinyHunters” emphasize that supply chain vulnerabilities and API insecurity remain paramount risks for modern enterprises. Furthermore, the rapid commodification of zero-click mobile exploits and AI-assisted malware indicates that threat actors are aggressively adopting advanced capabilities that outpace traditional signature-based defenses. Organizations must prioritize behavioral analytics, rapid patch management for public-facing edge devices (such as Ivanti), and rigorous identity and access management controls in cloud environments.

Detected Incidents Draft Data

Combo List with 4,200 email and password pairs allegedly from China
Category: Combo List
Content: A threat actor shared a combo list containing approximately 4,200 email and password pairs purportedly associated with Chinese accounts. The list was made available via an external file-sharing link. No specific victim organization or breach source is identified.
Date: 2026-05-16T23:59:03Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Combolist-China-4-2K-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: Mixed Email/Password 3.1K
Category: Combo List
Content: A threat actor shared a mixed email and password combo list containing approximately 3,100 credential pairs via an anonymous file-sharing service. The list appears to target no specific organization and is being distributed freely on the forum.
Date: 2026-05-16T23:57:08Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Combolist-3-1K-Mix-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free sharing of Claude API keys with 2 million tokens
Category: Data Leak
Content: A forum user is freely distributing what are claimed to be Claude API keys with approximately 2 million tokens of usage available. The post advertises access to Claude Opus 4.7 and other models. The keys appear to be compromised or stolen credentials granting unauthorized access to Anthropics API services.
Date: 2026-05-16T23:57:04Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%AD%90-2-MILLION-TOKENS-CLAUDE-OPUS-4-7-AND-MORE-API-KEY-%E2%AD%90–2094945
Screenshots:
None
Threat Actors: JVZU
Victim Country: United States
Victim Industry: Technology
Victim Organization: Anthropic
Victim Site: anthropic.com
Combo List of European Email Credentials
Category: Combo List
Content: A combo list of approximately 9,501 European email and password credentials described as semi-valid was shared on a public forum. The post is categorized as a free or low-cost credential list likely intended for credential stuffing. No specific victim organization or service is identified.
Date: 2026-05-16T23:56:36Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-9-501-Semi-Valide-FA-Combolist-Europa-Good
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: 8,053 Semi-Valid Email and Password Credentials
Category: Combo List
Content: A combo list containing 8,053 semi-validated email and password credential pairs has been shared on a cracking forum. The credentials are marketed as fresh with good hit lines. No specific victim organization or service is identified.
Date: 2026-05-16T23:56:14Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-8-053-Semi-Valide-FA-Good-Line-Fresh
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of account market setup service by forum vendor
Category: Services
Content: A forum vendor operating under the name Paxerr is offering a paid service to build and launch account marketplace websites for clients. The offering includes revisions, refunds before delivery confirmation, and 24/7 support, governed by a stated terms of service.
Date: 2026-05-16T23:55:36Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9A%A1LAUNCH-YOUR-OWN-ACCOUNT-MARKET-%E2%80%A2-100-REFUND-%E2%80%A2-UNLIMITED-REVISIONS-%E2%80%A2-24-7-SUPPORT%E2%9A%A1
Screenshots:
None
Threat Actors: BossOfBosses
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
SpoofCity caller ID spoofing service advertised on cybercrime forum
Category: Services
Content: A threat actor operating under the handle spoofcity.io is advertising a caller ID spoofing service on a cybercrime forum, claiming over 40,000 calls weekly across multiple regions including the USA, Canada, UK, Australia, and several European countries. The service supports 3CX, regular calls, and web caller interfaces. Access is provided via a Telegram bot.
Date: 2026-05-16T23:45:37Z
Network: openweb
Published URL: https://breached.st/threads/firespoofcity-calls-without-limits.87224/unread
Screenshots:
None
Threat Actors: spoofcity.io
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: spoofcity.io
Alleged threat of destructive attack against Bangladesh Atomic Energy Commission
Category: Cyber Attack
Content: Threat actor claims intention to destroy systems within the Bangladesh Atomic Energy Commission. This represents a direct threat against critical nuclear infrastructure.
Date: 2026-05-16T23:43:26Z
Network: telegram
Published URL: https://t.me/c/2735908986/4366
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Bangladesh
Victim Industry: Nuclear Energy/Government
Victim Organization: Bangladesh Atomic Energy Commission
Victim Site: Unknown
Alleged compromise of Bangladesh Atomic Energy Centre Authority SCADA systems with 1GB data exfiltration
Category: Cyber Attack
Content: Infrastructure Destruction Squad claims successful compromise of Bangladesh Atomic Energy Centre Authority systems using TRK25 ADVANCED SCADA tool. Threat actor alleges exfiltration of 1GB of confidential documents through exploitation of known control infrastructure vulnerabilities. Further details promised for future announcement.
Date: 2026-05-16T23:41:20Z
Network: telegram
Published URL: https://t.me/c/2735908986/4365
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Bangladesh
Victim Industry: Nuclear Energy / Government
Victim Organization: Bangladesh Atomic Energy Centre Authority
Victim Site: Unknown
Alleged data breach of Bangladesh Atomic Energy Commission with 1GB data theft
Category: Data Breach
Content: Infrastructure Destruction Squad claims to have targeted systems and servers belonging to the Bangladesh Atomic Energy Commission/Centre using an unspecified tool, resulting in the theft of approximately 1GB of sensitive data.
Date: 2026-05-16T23:38:54Z
Network: telegram
Published URL: https://t.me/c/2735908986/4364
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Bangladesh
Victim Industry: Nuclear/Atomic Energy
Victim Organization: Bangladesh Atomic Energy Commission/Centre
Victim Site: Unknown
Alleged cyber attack on nuclear power plant in Bangladesh by Infrastructure Destruction Squad
Category: Cyber Attack
Content: Infrastructure Destruction Squad claims to have targeted systems and servers at a nuclear power plant in Bangladesh using a specific tool. The threat actor indicates further details will be announced.
Date: 2026-05-16T23:37:38Z
Network: telegram
Published URL: https://t.me/c/2735908986/4363
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Bangladesh
Victim Industry: Energy/Nuclear
Victim Organization: Nuclear power plant
Victim Site: Unknown
Sale of HQ Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor is sharing a combo list containing approximately 100 high-quality mixed mail access credentials. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-16T23:28:04Z
Network: openweb
Published URL: https://patched.to/Thread-0-1k-hq-mixed-mail-access-combolist-303151
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of EU mix mail access combo list (6.9K credentials)
Category: Combo List
Content: A threat actor sharing a combo list containing approximately 6,900 EU mixed valid mail access credentials, dated 15.05. The content is hidden behind a registration or login wall on the forum.
Date: 2026-05-16T23:27:32Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-6-9k-eu-mix-valid-mail-access-15-05
Screenshots:
None
Threat Actors: MonnarhTeam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 160K mixed email and password combo list
Category: Combo List
Content: A threat actor is selling a combo list of approximately 160,000 email:password and user:password credential pairs. The list is described as high quality and fresh, covering multiple email providers including AOL, Yahoo, Hotmail, and Outlook, with credentials sourced from multiple countries including the US, UK, France, Germany, and others.
Date: 2026-05-16T23:25:42Z
Network: openweb
Published URL: https://crackingx.com/threads/75500/
Screenshots:
None
Threat Actors: alex12
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of email access combo list mix (33K records)
Category: Combo List
Content: A threat actor is offering a combo list of approximately 33,000 email access credentials described as fresh. The list appears to be a mixed mail access combo. No additional details are available from the post content.
Date: 2026-05-16T23:23:42Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-33K-FRESH-MAIL-ACCESS-MIX–2094933
Screenshots:
None
Threat Actors: Alpha70
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 20,000 mixed mail access combo list
Category: Combo List
Content: A forum user is offering a combo list of approximately 20,000 mixed email and password credentials. No further details are available from the post content.
Date: 2026-05-16T23:23:17Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-20K-MIXED-MAIL-ACCESS-GOODS
Screenshots:
None
Threat Actors: MLALAKHB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Casino website setup service offered on cybercrime forum
Category: Services
Content: A forum seller operating under the name Paxerr is advertising a casino website setup service on a cybercrime forum, offering features such as unlimited revisions, 24/7 support, and a refund policy. The service includes terms covering ownership transfer, proprietary framework retention, and portfolio usage rights. No specific victim organization or malicious payload is involved.
Date: 2026-05-16T23:22:25Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9A%A1LAUNCH-YOUR-OWN-CASINO-%E2%80%A2-100-REFUND-%E2%80%A2-UNLIMITED-REVISIONS-%E2%80%A2-24-7-SUPPORT%E2%9A%A1
Screenshots:
None
Threat Actors: BossOfBosses
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Bouygues Telecom
Category: Data Leak
Content: A threat actor claims to be distributing a database allegedly belonging to Bouygues Telecom, a major French telecommunications provider. The post was made on a known breach forum and suggests the data is being shared freely. No further details regarding record count or data fields were provided in the post.
Date: 2026-05-16T23:20:18Z
Network: openweb
Published URL: https://breached.st/threads/fr-db-bouygues-telecom.87222/unread
Screenshots:
None
Threat Actors: burnout_sphere1932
Victim Country: France
Victim Industry: Telecommunications
Victim Organization: Bouygues Telecom
Victim Site: bouyguestelecom.fr
Alleged data breach of Uzbekistan Cybersecurity Center (CCSSS) – 5TB government database
Category: Data Breach
Content: ShinyHunters threat actor claims to have breached the Cybersecurity Center State Security Service (CCSSS) of Uzbekistan, obtaining approximately 5TB of database information and documents. Sample data includes personal information of government officials including first names, last names, masked PIN numbers (pinfl), job positions, and department assignments. The actor is offering the data for sale at a negotiable price starting at $50,000 USD. Contact information provided includes email ([email protected]) and XMPP ([email protected]).
Date: 2026-05-16T23:20:10Z
Network: telegram
Published URL: https://t.me/c/3500620464/7979
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Uzbekistan
Victim Industry: Government/Cybersecurity
Victim Organization: Cybersecurity Center State Security Service (CCSSS)
Victim Site: Unknown
Alleged sale of National Credit Information Center of Vietnam database (160M+ records)
Category: Data Breach
Content: Threat actor ShinyHunters is offering to sell the complete database of Vietnams National Credit Information Center containing 160+ million records. The actor claims to have access to structured database with multiple fields and is requesting $10,000 USD for the full dataset. Contact via @shinycorpsh.
Date: 2026-05-16T23:17:20Z
Network: telegram
Published URL: https://t.me/c/3500620464/7956
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Vietnam
Victim Industry: Financial/Government
Victim Organization: National Credit Information Center of Vietnam
Victim Site: Unknown
Hotmail credential combo list of 3.5K hits shared on cracking forum
Category: Combo List
Content: A threat actor is distributing 3,500 alleged UHQ Hotmail credential hits via a free drop service, with private cloud access available for purchase. The credentials are marketed as high-quality hits suitable for account access.
Date: 2026-05-16T23:02:26Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9C%85-%E2%9C%A8-3-5K-UHQ-HOTMAIL-HITS-%E2%9C%A8%E2%9C%85
Screenshots:
None
Threat Actors: lundman01
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged combo list of educational email credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 85,929 educational email and password pairs, marketed as fresh. The post was made on a public cracking forum and appears intended for credential stuffing against educational institutions.
Date: 2026-05-16T23:02:06Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-85-929-Edu-MailPass-Leaks-Fresh
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Combo List targeting Hotmail domain
Category: Combo List
Content: A threat actor shared a combo list of approximately 1.68 million email:password lines targeting the Hotmail domain. The credentials are being distributed via a cracking forum. No additional details are available from the post content.
Date: 2026-05-16T23:01:41Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1-684-772-Lines-%E2%9C%85-Combolist-Target-Hotmail-Domain
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free release of 160K email:password combo list targeting multiple streaming and gaming services
Category: Combo List
Content: A threat actor has shared a combo list of approximately 160,000 email:password credential pairs, marketed as fresh and high quality, targeting services including Netflix, Minecraft, Uplay, Steam, Hulu, and Spotify. The post provides a hidden download link and also advertises additional combo lists for sale via Telegram. Credentials are organized by email:pass and user:pass formats across multiple countries.
Date: 2026-05-16T23:01:26Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-160k-Fresh-HQ-Combolist-Email-Pass-Netflix-Minecraft-Uplay-Steam-Hulu-spotify
Screenshots:
None
Threat Actors: chriss12
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: Email and Password Credentials (9,294 records)
Category: Combo List
Content: A combo list containing approximately 9,294 email and password credential pairs was shared on a cracking forum. The credentials are described as semi-valid and intended for mail access. No specific victim organization or targeted service is identified in the post.
Date: 2026-05-16T23:01:19Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-9-294-Semi-Valide-FA-Mail-Access-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Canada combo list shared on cracking forum
Category: Combo List
Content: A user on a cracking forum shared a file purportedly containing a high-quality Canadian combo list. No additional details about record count or targeted services are available from the post content.
Date: 2026-05-16T23:00:22Z
Network: openweb
Published URL: https://nulledbb.com/thread-HQ-CANADA-COMBOLIST-SHROUD20-txt–2294974
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List targeting Canadian accounts
Category: Combo List
Content: A user on a combolist forum is distributing a credential list marketed as high-quality Canadian accounts. The content is hidden behind a registration or login wall, limiting further detail. No specific breached organization or record count is disclosed.
Date: 2026-05-16T23:00:15Z
Network: openweb
Published URL: https://patched.to/Thread-hq-canada-combolist-shroud20-txt-303146
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of HQ mixed combo list
Category: Combo List
Content: A forum user shared a mixed combo list file on a cracking forum. No additional details or record counts are available from the post content.
Date: 2026-05-16T23:00:03Z
Network: openweb
Published URL: https://nulledbb.com/thread-HQ-MIXED-COMBOLIST-SHROUD20-txt
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of HQ mixed combo list
Category: Combo List
Content: A forum user is offering a mixed combo list file via a hidden content gate requiring registration or login. No details on record count, format, or targeted services are visible in the post.
Date: 2026-05-16T22:59:58Z
Network: openweb
Published URL: https://patched.to/Thread-hq-mixed-combolist-shroud20-txt
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of HQ USA combo list
Category: Combo List
Content: A forum user shared a combo list advertised as high-quality US credentials. No further details are available from the post content.
Date: 2026-05-16T22:59:46Z
Network: openweb
Published URL: https://nulledbb.com/thread-HQ-USA-COMBOLIST-SHROUD20-txt–2294978
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Poland combo list allegedly shared by ShroudX
Category: Combo List
Content: A threat actor known as ShroudX has shared a combo list targeting Polish accounts on a cybercrime forum. The content is hidden behind a registration or login wall, limiting visibility into specific record counts or targeted services. The post is categorized as a credential list based on forum context and thread title.
Date: 2026-05-16T22:59:39Z
Network: openweb
Published URL: https://patched.to/Thread-hq-poland-combolist-shroud20-txt
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list targeting VPN, gaming, and streaming services
Category: Combo List
Content: A forum post on a combolist board advertises a credential list marketed as high-quality and targeting VPN, gaming, and streaming platforms. The content is hidden behind a registration or login wall, preventing direct assessment of volume or specifics.
Date: 2026-05-16T22:59:23Z
Network: openweb
Published URL: https://patched.to/Thread-hq-vpn-gaming-streaming-combolist-shroud20-txt
Screenshots:
None
Threat Actors: ShroudX
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of stealer logs containing URL:Log:Pass combos via Daxus.pro
Category: Logs
Content: A threat actor operating under the alias Daxus is offering a dataset of 18.15 million URL:LOG:PASS records, advertised as UHQ (ultra-high quality) stealer log output. The full database is available via their commercial service at daxus.pro and an associated Telegram bot.
Date: 2026-05-16T22:42:16Z
Network: openweb
Published URL: https://leakforum.io/Thread-%E2%AD%90%EF%B8%8FURL-LOG-PASS-18-15-M-%E2%9C%85-DAXUS-PRO-UHQ-%E2%AD%90%EF%B8%8F
Screenshots:
None
Threat Actors: Daxus
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged imminent cyber attack against critical infrastructure by Infrastructure Destruction Squad
Category: Cyber Attack
Content: Infrastructure Destruction Squad announced plans to conduct cyber attacks against sensitive power and hospital systems using an unspecified tool. The group indicated the attack is imminent (soon).
Date: 2026-05-16T22:38:04Z
Network: telegram
Published URL: https://t.me/c/2735908986/4362
Screenshots:
None
Threat Actors: Infrastructure Destruction Squad
Victim Country: Unknown
Victim Industry: Critical Infrastructure (Power, Healthcare)
Victim Organization: Unknown
Victim Site: Unknown
Sale of 9 million user:login:password combo list targeting multiple countries
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is offering for sale a combo list of approximately 9 million user:login:password credentials. The list is advertised as private and high quality, targeting users across multiple countries including the USA, UK, Germany, Poland, and broader Europe.
Date: 2026-05-16T22:35:28Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%8E%9D-9M-U-L-P-%E2%8E%A0%E2%9A%A1100-PRIVATE%E2%9A%A1HIGH-QUALITY-LOGS%E2%9A%A1COUNTRY-TARGET-USA-UK-DE-PL-EUROPE-ETC%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free release of 13 million URL:login:password combo list
Category: Combo List
Content: A threat actor known as MetaCloud3 has shared a combo list containing approximately 13 million URL:login:password credential pairs. The data is described as high quality and is freely distributed on the forum.
Date: 2026-05-16T22:35:04Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-13M-%E2%9A%A1-URL-LOGIN-PASS-HQ-%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of European mixed combo list with 8,225 credentials
Category: Combo List
Content: A European mixed combo list containing approximately 8,225 semi-valid email and password pairs is being shared on a cracking forum. The list is described as semi-validated and sourced from multiple European accounts. No specific breached organization is identified.
Date: 2026-05-16T22:34:30Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-8-225-Semi-Valide-FA-Europa-Mixed-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free release of mixed mail credential hits combolist
Category: Combo List
Content: A threat actor shared a combolist of 10,000 mixed mail credential hits, marketed as freshly checked and AntiPublic verified. The credentials are distributed freely via a download link sponsored by RogenCloud.
Date: 2026-05-16T22:23:00Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9C%85-%E2%9C%85-%E2%9C%85-%E2%9C%A8x10000-Mix-Mail-Hits-4-%E2%9C%A8-Freshly-Checked-AntiPublic-Checked-%E2%9C%A8-%E2%9C%85-%E2%9C%85-%E2%9C%85
Screenshots:
None
Threat Actors: RogenPlay
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of European email combo list with 10,831 records
Category: Combo List
Content: A combo list containing approximately 10,831 email and password credential pairs targeting European accounts has been shared on the forum. The list is described as semi-valid and full-address (FA) format. No specific breached organization is identified.
Date: 2026-05-16T22:22:32Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-10-831-Semi-Valide-FA-Europa-Mix-Combo
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail combo list with 7,570 lines shared on cracking forum
Category: Combo List
Content: A combo list of 7,570 email:password lines targeting Hotmail accounts has been shared on a cracking forum. The credentials are made available as a free download.
Date: 2026-05-16T22:22:08Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-7-570-LINES-LOGS-ALL-TARGETS-COMBO-HOTMAIL
Screenshots:
None
Threat Actors: kccloud01
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Job posting seeking OPSEC consultant on Dread forum
Category: Chatter
Content: A Dread forum user is seeking an OPSEC expert for hire, offering payment in Monero (XMR). The poster claims to have foundational OPSEC knowledge but seeks on-demand guidance for specific questions. No threat actor, victim, or malicious service is explicitly advertised.
Date: 2026-05-16T22:19:23Z
Network: tor
Published URL: https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/0c67feeec0c9b5243c50
Screenshots:
None
Threat Actors: godalambo 🍼
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo list marketed for PayPal credential stuffing
Category: Combo List
Content: A threat actor is distributing a combo list of 350,000 mail:password pairs marketed as UHQ and fresh, intended for credential stuffing against PayPal. The content is gated behind a reply requirement on the forum.
Date: 2026-05-16T22:17:16Z
Network: openweb
Published URL: https://altenens.is/threads/star-350-000-star-mailpass-high-voltageuhq-database-good-for-paypal-high-voltage-fresh-data.2941605/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list marketed for X and Instagram credential stuffing
Category: Combo List
Content: A threat actor is distributing a combo list of 165,000 email and password pairs, marketed as UHQ and fresh data suitable for credential stuffing against X (formerly Twitter) and Instagram. The content is gated behind a reply requirement on the forum.
Date: 2026-05-16T22:16:29Z
Network: openweb
Published URL: https://altenens.is/threads/star-165-000-star-mailpass-high-voltageuhq-database-good-for-x-and-instagramhigh-voltage-fresh-data.2941606/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 145,000 email:password credentials marketed for social media
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 145,000 email and password pairs described as UHQ (ultra-high quality) and marketed as suitable for credential stuffing against social media platforms. The credentials are described as fresh data. Access to the list requires a forum reply.
Date: 2026-05-16T22:15:28Z
Network: openweb
Published URL: https://altenens.is/threads/star-145-000-star-mailpass-high-voltageuhq-database-good-for-social-mediahigh-voltage-fresh-data.2941607/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo list marketed for banking credential stuffing
Category: Combo List
Content: A threat actor is distributing a combo list of 280,000 email and password pairs, marketed as UHQ (ultra-high quality) and fresh data suitable for banking credential stuffing. The post is gated behind a reply requirement, limiting visibility to forum members. No specific breached organization is identified.
Date: 2026-05-16T22:14:34Z
Network: openweb
Published URL: https://altenens.is/threads/star-280-000-star-mailpass-high-voltageuhq-database-good-banking-high-voltage-fresh-data.2941608/unread
Screenshots:
None
Threat Actors: Prince1001
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Crypto wallet loading service advertised on cracking forum
Category: Carding
Content: A threat actor is advertising a cryptocurrency wallet loading service across multiple countries, claiming to fund BTC, ETH, USDT, BNB, TRX, and LTC wallets. The service appears to involve fraudulent transfer of funds into victim-controlled wallets for subsequent cashout, consistent with money laundering or financial fraud schemes. Contact is directed via a Telegram handle (@KIRKJNR).
Date: 2026-05-16T22:12:47Z
Network: openweb
Published URL: https://demonforums.net/Thread-CRYPTO-WALLET-LOADING-SERVICE
Screenshots:
None
Threat Actors: Baggagane
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of SMTP services on cybercrime forum
Category: Services
Content: A threat actor is advertising the sale of various SMTP services on a cybercrime forum, claiming to be a trusted seller with competitive pricing. The seller offers daily updates and can be contacted via Telegram. SMTP access is commonly used for spam, phishing, and malware distribution campaigns.
Date: 2026-05-16T22:12:20Z
Network: openweb
Published URL: https://demonforums.net/Thread-Buy-All-Type-of-SMTPs-100-Trusted-Seller
Screenshots:
None
Threat Actors: office_365shop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
OpSec discussion on anonymity when transitioning from clearnet to darknet communications
Category: Chatter
Content: A Dread forum user posted a question on the OpSec board asking whether sharing a Session ID or other identifiers when transitioning from clearnet or Telegram to darknet communications could link a pseudonymous identity to a real one. The post contains no threat activity, breach claims, or malicious content.
Date: 2026-05-16T21:55:26Z
Network: tor
Published URL: https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/1c918ec9ad5c56bfae87
Screenshots:
None
Threat Actors: godalambo 🍼
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Bangkok Food System by 0xNuts (Midas Haxor Team)
Category: Defacement
Content: On May 17, 2026, threat actor 0xNuts, operating under the Midas Haxor Team, defaced a subpage on bangkokfoodsystem.com, a Thai food industry website. The defacement targeted a specific page (zxc.html) rather than the homepage, indicating a partial or targeted page defacement. No specific motive or server details were disclosed in connection with the attack.
Date: 2026-05-16T21:55:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923549
Screenshots:
None
Threat Actors: 0xNuts, Midas Haxor Team
Victim Country: Thailand
Victim Industry: Food & Beverage
Victim Organization: Bangkok Food System
Victim Site: bangkokfoodsystem.com
User seeking methods to bypass Cloudflare VPN/Tor blocking
Category: Chatter
Content: A forum user on a Dread OpSec board is seeking advice on bypassing Cloudflares VPN and Tor IP blocking to access an unspecified website. The user has already attempted connections via Mullvad VPN and Tor without success and is exploring decentralized VPN alternatives. No specific threat actor, victim organization, or malicious activity is identified in the post.
Date: 2026-05-16T21:54:22Z
Network: tor
Published URL: https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/31194f152515588d8974
Screenshots:
None
Threat Actors: kitteninmitten 🍼
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list of 10,000 mixed email credentials
Category: Combo List
Content: A threat actor shared a combo list of 10,000 mixed email credentials, marketed as freshly checked and AntiPublic verified. The list was distributed for free on a public cracking forum.
Date: 2026-05-16T21:52:17Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9C%85-%E2%9C%85-%E2%9C%85-%E2%9C%A8x10000-Mix-Mail-Hits-2-%E2%9C%A8-Freshly-Checked-AntiPublic-Checked-%E2%9C%A8-%E2%9C%85-%E2%9C%85-%E2%9C%85
Screenshots:
None
Threat Actors: RogenPlay
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list of 10,000 mixed mail credentials
Category: Combo List
Content: A threat actor shared a free combo list of 10,000 mixed email credentials, marketed as freshly checked and AntiPublic verified. The list was distributed via a download link sponsored by RogenCloud.
Date: 2026-05-16T21:50:49Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9C%85-%E2%9C%85-%E2%9C%85-%E2%9C%A8x10000-Mix-Mail-Hits-1-%E2%9C%A8-Freshly-Checked-AntiPublic-Checked-%E2%9C%A8-%E2%9C%85-%E2%9C%85-%E2%9C%85
Screenshots:
None
Threat Actors: RogenPlay
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of mixed email credential combo list
Category: Combo List
Content: A threat actor distributed a combo list of 10,000 mixed email credentials, marketed as freshly checked and verified against AntiPublic databases. The list was made available for free download via RogenCloud.
Date: 2026-05-16T21:50:28Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9C%85-%E2%9C%85-%E2%9C%85-%E2%9C%A8x10000-Mix-Mail-Hits-3-%E2%9C%A8-Freshly-Checked-AntiPublic-Checked-%E2%9C%A8-%E2%9C%85-%E2%9C%85-%E2%9C%85
Screenshots:
None
Threat Actors: RogenPlay
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of 4,262 mixed email credentials
Category: Combo List
Content: A threat actor shared a combo list of 4,262 mixed email credentials on a crimeware forum. The content is hidden behind a registration or login wall. No specific breached organization is identified.
Date: 2026-05-16T21:49:40Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9A%A14262x-mixmail%E2%9A%A1%E2%9C%85
Screenshots:
None
Threat Actors: NovaCloudx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Belambra.fr
Category: Data Leak
Content: A threat actor has freely distributed an alleged database dump of Belambra.fr, a French holiday villages and leisure clubs network. The data is shared in JSON format across multiple file-hosting platforms, totaling approximately 77 MB. The post claims the dataset contains 402,000 records.
Date: 2026-05-16T21:46:29Z
Network: openweb
Published URL: https://breached.st/threads/402k-belambra-fr.87216/unread
Screenshots:
None
Threat Actors: Meowl
Victim Country: France
Victim Industry: Hospitality
Victim Organization: Belambra
Victim Site: belambra.fr
Sale of X (Twitter) combo list
Category: Combo List
Content: A threat actor is selling a combo list of 3,813 mixed credentials advertised as valid for X (Twitter). Pricing tiers range from a 24-hour trial at $3 to a 3-month subscription at $100, with a free download link also provided.
Date: 2026-05-16T21:29:36Z
Network: openweb
Published URL: https://crackingx.com/threads/75495/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 8,186 semi-valid credentials with fresh hits
Category: Combo List
Content: A combo list of 8,186 email:password pairs marketed as semi-valid and fresh was shared on a cracking forum. The post references FA Good Line hits, suggesting credentials tested against a specific service. No further details are available from the post content.
Date: 2026-05-16T21:28:16Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-8-186-Semi-Valide-FA-Good-Line-Fresh
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Unlimited Shodan Searches Key
Category: Services
Content: A threat actor is offering for sale an unlimited Shodan search key with daily credit resets for $75. The listing is advertised on a dark web forum under the sellers section.
Date: 2026-05-16T21:24:46Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-SELLING-Unlimited-Shodan-Searches-Key
Screenshots:
None
Threat Actors: swag
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Ipoteka Bank (Uzbekistan) – 120GB banking data sale
Category: Data Breach
Content: Threat actor ShinyHunters claims to have breached Ipoteka Bank (ipotekabank.uz) and obtained 120GB of sensitive data including PDF contracts, card numbers, CVVs, expiration dates, personal data (names, emails, phone numbers), account information, transaction data, and internal bank documents. The actor is offering this data for sale at $25,000 USD. Contact details provided include Telegram account @shinycorpsh and email [email protected].
Date: 2026-05-16T21:08:35Z
Network: telegram
Published URL: https://t.me/c/3500620464/7943
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Uzbekistan
Victim Industry: Banking/Financial Services
Victim Organization: Ipoteka Bank
Victim Site: ipotekabank.uz
Alleged sale of critical API access to major financial transactions company
Category: Initial Access
Content: Threat actor offering sale of critical API access from a major financial transactions company processing transactions across 20+ countries including Brazil, Colombia, Argentina, Ecuador, Peru, Chile, Venezuela, United States, Indonesia, Bangladesh, Philippines, India, Thailand, Kenya, Nigeria, Tanzania, Malaysia, United Arab Emirates, Pakistan, Turkey, and Vietnam. The API includes 2FA bypass capabilities. Company has 95,000+ employees worldwide. Price: $10,000 USD. Contact via XMPP, Telegram, and email provided.
Date: 2026-05-16T21:08:24Z
Network: telegram
Published URL: https://t.me/c/3500620464/7941
Screenshots:
None
Threat Actors: shinycorpsh
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: TDayPay
Victim Site: tdaypay.com
Alleged sale of Mythos AI internal documents and unauthorized system access
Category: Data Breach
Content: Threat actor claiming to possess approximately 3,000 internal Mythos AI files including technical documentation, administrative panels with superuser access, and zero-day vulnerabilities. Offering rental access to the compromised AI system ($500-$2,500 annually) and document sales ($10,000 USD). System specifications indicate 10 trillion parameter model using Mixture-of-Experts architecture. Contact via @shinycorpsh.
Date: 2026-05-16T21:07:51Z
Network: telegram
Published URL: https://t.me/c/3500620464/7940
Screenshots:
None
Threat Actors: shinycorpsh
Victim Country: Unknown
Victim Industry: Artificial Intelligence / Technology
Victim Organization: Mythos AI
Victim Site: Unknown
Alleged sale of Vercel access keys, source code, and employee credentials for supply chain attack
Category: Initial Access
Content: Threat actor claiming to have compromised Vercel (vercel.com) and offering to sell access keys, source code, database dumps, and employee credentials including API keys, NPM tokens, and GitHub tokens. Actor claims verified access to multiple employee accounts and internal deployments. Threat actor references April 19, 2026 incident involving third-party compromise (Context.ai) and OAuth token misuse. Actor explicitly threatens potential supply chain attack via Next.js package updates affecting millions of developers globally. Asking price: $10,000 USD. Contact: @shinycorpsh
Date: 2026-05-16T21:07:43Z
Network: telegram
Published URL: https://t.me/c/3500620464/7929
Screenshots:
None
Threat Actors: shinycorpsh
Victim Country: United States
Victim Industry: Cloud Computing / Web Development Platform
Victim Organization: Vercel Inc.
Victim Site: vercel.com
Sale or distribution of cookie/session credential pack
Category: Logs
Content: A forum user is sharing or selling a pack of cookies described as fresh hits. The actual content is hidden behind a login/registration wall, so specific details about targeted services or record counts are unavailable.
Date: 2026-05-16T21:06:19Z
Network: openweb
Published URL: https://patched.to/Thread-cookies-new-cookie-hit-pack
Screenshots:
None
Threat Actors: tkoen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of 10 million URL:Login:Pass combo list
Category: Combo List
Content: A threat actor shared a combo list containing 10 million URL:login:password credential pairs, marketed as high quality and fresh as of May 15, 2026. The content is gated behind forum registration or login. No specific victim organization is identified.
Date: 2026-05-16T21:05:54Z
Network: openweb
Published URL: https://patched.to/Thread-lupin-ulp-10-000-000-url-login-pass-high-quality-100-fresh-05-15-2026
Screenshots:
None
Threat Actors: Helpz11
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of European mix combo list with 7,558 semi-valid credentials
Category: Combo List
Content: A forum post on Cracked.st advertises a European mix combo list containing 7,558 semi-valid email:password credentials. The list is described as Full Access (FA) and targets European accounts. No additional details are available from the post content.
Date: 2026-05-16T21:04:32Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-7-558-Semi-Valide-FA-Europa-Mix-Combo
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free Hotmail combo list of 1K+ credentials
Category: Combo List
Content: A threat actor has shared a combo list containing over 1,000 Hotmail email and password pairs via an external file-sharing link. The credentials are described as high quality (HQ) and are being distributed freely on a cracking forum.
Date: 2026-05-16T21:03:04Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1K-HOTMAILS-HQ
Screenshots:
None
Threat Actors: ECLOUDV2
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Telegram account session data (JSON/Tdata) across multiple countries
Category: Services
Content: A threat actor is selling Telegram account session files (JSON/Tdata format) sourced from multiple countries including England, Uzbekistan, Portugal, Vietnam, Cameroon, Indonesia, Laos, Morocco, and Germany, with prices ranging from $0.30 to $1.30 per account. The accounts are advertised via an external storefront at accs7.shop.
Date: 2026-05-16T20:58:35Z
Network: openweb
Published URL: https://crackingx.com/threads/75493/
Screenshots:
None
Threat Actors: Trustacc1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged DDoS Stresser Service Advertisement – Candystress.st Botnet Recruitment
Category: Malware
Content: Candystress.st is advertising DDoS botnet spots and stresser services with multiple attack methods including STDHEX (UDP hexadecimal packet manipulation), FIVEM (game server payload floods), VALVE (Source engine query floods), PUBG (game server attacks), RAKNET (UDP floods), and GAME-UDP (custom UDP payloads). The operator is recruiting botnet participants and offering testing/purchase options via Telegram contact @botnetdraco.
Date: 2026-05-16T20:52:34Z
Network: telegram
Published URL: https://t.me/c/1669509146/98800
Screenshots:
None
Threat Actors: Candystress.st
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of European mixed combo list with 8,077 credentials
Category: Combo List
Content: A European mixed combo list containing approximately 8,077 email:password pairs was shared on a cracking forum. The credentials are described as semi-valid and first-attempt (FA). No specific victim organization is identified.
Date: 2026-05-16T20:46:35Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-8-077-Semi-Valide-FA-Europa-Mixed-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail credential combo list allegedly containing 3.5K hits
Category: Combo List
Content: A threat actor is sharing and selling Hotmail credential hits, advertising 3,500 high-quality hits. Free drops are offered via a Telegram channel, with private access available for purchase through direct contact.
Date: 2026-05-16T20:46:12Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9C%85-3-5k-HQ-HOTMAIL-HIT-%E2%9C%85
Screenshots:
None
Threat Actors: lundoppp2
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list with 639 entries
Category: Combo List
Content: A threat actor is distributing 639 Hotmail credentials via a Telegram channel, with private access available for purchase. The post advertises free drops publicly and directs buyers to contact the seller on Telegram for premium content.
Date: 2026-05-16T20:45:51Z
Network: openweb
Published URL: https://cracked.st/Thread-639x-Hotmail-Access
Screenshots:
None
Threat Actors: lundman01
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Europa-targeted combo list with 190,271 lines
Category: Combo List
Content: A combo list of 190,271 email:password lines is being shared on a cracking forum, marketed as targeting European education and shopping services. No further details are available from the post content.
Date: 2026-05-16T20:45:24Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-190-271-Lines-%E2%9C%85-Europa-Edu-education-Shopping-Target
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of AI workflow guidance service on cybercrime forum
Category: Services
Content: A forum user is offering a $150 AI workflow guidance and productivity support service targeting developers, researchers, and freelancers. The service claims to provide ChatGPT Pro-style prompting tips, coding assistance, and automation guidance. No victim or breach data is involved.
Date: 2026-05-16T20:44:51Z
Network: openweb
Published URL: https://cracked.st/Thread-150-%E2%9C%85-Elite-AI-Acceleration-for-Power-Users-%E2%80%93-ChatGPT-Premium-20X-Workflow-Support
Screenshots:
None
Threat Actors: secur3rat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ mixed combo list with 199 entries
Category: Combo List
Content: A threat actor on CrackingX is offering a mixed UHQ combo list containing 199 entries via external download links. The credentials are being sold under a tiered subscription model ranging from $3 for a 24-hour trial to $100 for three months of access.
Date: 2026-05-16T20:42:09Z
Network: openweb
Published URL: https://crackingx.com/threads/75489/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of HQ combo list mix with 1,914 records
Category: Combo List
Content: A threat actor is offering a high-quality mixed combo list containing 1,914 credential pairs, marketed as fresh and untouched. The listing promotes daily supply volumes of 4,000–12,000 records through a private members-only network. No specific targeted service or breach source is identified.
Date: 2026-05-16T20:33:58Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1914x-hq-mix-by-s2lender-txt
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of mybookqatar.com
Category: Data Breach
Content: A threat actor shared an alleged database dump from mybookqatar.com containing approximately 280,000 user records in CSV format. Exposed fields include full name, mobile number, email, hashed password, gender, date of birth, nationality, and residence. A sample of records was posted publicly on the forum.
Date: 2026-05-16T20:16:57Z
Network: openweb
Published URL: https://darkpro.net/threads/database-qatar-mybookqatar-com.23153/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Qatar
Victim Industry: Unknown
Victim Organization: My Book Qatar
Victim Site: mybookqatar.com
Combo list of 17K mail access credentials (mixed providers)
Category: Combo List
Content: A threat actor shared a combo list of approximately 17,000 mail account credentials described as fully valid. The list is mixed across multiple email providers and is dated May 16. Access to the content requires registration or login on the forum.
Date: 2026-05-16T20:15:51Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-17kfull-valid-mail-access-mix-16-05
Screenshots:
None
Threat Actors: CitronCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Canada Life Assurance Company
Category: Data Leak
Content: A threat actor has freely shared an alleged database dump from Canada Life Assurance Company (canadalife.com), claiming it contains over 5.6 million Salesforce records with personally identifiable information. The data is made available for download on the forum.
Date: 2026-05-16T20:14:17Z
Network: openweb
Published URL: https://darkpro.net/threads/database-canada-life.23154/
Screenshots:
None
Threat Actors: CC-GuRu
Victim Country: Canada
Victim Industry: Finance
Victim Organization: Canada Life Assurance Company
Victim Site: canadalife.com
Sale of 17K mixed mail access combo list
Category: Combo List
Content: A threat actor shared a combo list of approximately 17,000 claimed valid mail access credentials across mixed providers, dated May 16. The content is hidden behind a registration/login wall on the forum.
Date: 2026-05-16T20:11:22Z
Network: openweb
Published URL: https://breachforums.rs/Thread-17K-Full-Valid-Mail-Access-MIX-16-05
Screenshots:
None
Threat Actors: MegaCloudShop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Land Surveyors Board of Kenya
Category: Data Breach
Content: A threat actor claims to have breached the Land Surveyors Board of Kenya (LSB), the official government body responsible for licensing land surveyors in Kenya. The post advertises 271 records and directs users to Telegram channels to access the exposed data. No further details on the specific data types were provided in the post.
Date: 2026-05-16T20:02:10Z
Network: openweb
Published URL: https://breached.st/threads/271-land-surveyors-board-of-kenya-breached.87215/unread
Screenshots:
None
Threat Actors: cc5ab
Victim Country: Kenya
Victim Industry: Government
Victim Organization: Land Surveyors Board of Kenya
Victim Site: lsb.go.ke
Sale of Hotmail combo list with 939 entries
Category: Combo List
Content: A threat actor is distributing a combo list marketed as 939 Hotmail credentials. The content is hidden behind a registration or login wall on the forum. No additional details about the data origin or validity are provided.
Date: 2026-05-16T19:57:59Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%A5-939x-hotmail-access-vault-%F0%9F%94%A5
Screenshots:
None
Threat Actors: RyuuMaster
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
NEW PRIVATE MIX DROP
Category: Alert
Content: New thread posted by Crypto_Ghost_X: NEW PRIVATE MIX DROP
Date: 2026-05-16T19:57:42Z
Network: openweb
Published URL: https://patched.to/Thread-new-private-mix-drop
Screenshots:
None
Threat Actors: Crypto_Ghost_X
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of counterfeit currency across multiple countries
Category: Chatter
Content: A forum post on a darknet market community advertises counterfeit banknotes for the US, UK, Australia, EU, Canada, and New Zealand. The post implies availability of specific denominations. No further technical details are provided.
Date: 2026-05-16T19:50:46Z
Network: tor
Published URL: https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/33239e2f9bf65bb5bcc2
Screenshots:
None
Threat Actors: StockMONEY_AVAILABLE_ 🍼
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mixed Country Education Email Combo List (81,915 Records)
Category: Combo List
Content: A threat actor shared a combo list containing 81,915 email and password pairs associated with education sector accounts across multiple countries. The list was posted on a public forum and is available for credential stuffing or account takeover activity.
Date: 2026-05-16T19:50:28Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-81-915-Mixed-Country-Education-Mail-Pass
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Combo list targeting Hotmail distributed on leakforum.io
Category: Combo List
Content: A user on leakforum.io is distributing a combo list of 1,561 credentials marketed for use against Hotmail accounts. The content is hidden behind a registration or login gate. No breach of a specific organization is claimed.
Date: 2026-05-16T19:48:09Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%EF%B8%8F-1561x-Verity-Vault-Hotmail-Drop-%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: Verityyyy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Wolfe Eye Clinic patient records
Category: Data Leak
Content: A threat actor has leaked a CSV database allegedly containing 639,640 patient records from Wolfe Eye Clinic, originally dated May 2021. The dataset includes highly sensitive fields such as full name, address, date of birth, Social Security number, phone number, email address, sex, race, religion, and other personally identifiable and medical information.
Date: 2026-05-16T19:43:23Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-Wolfe-Eye-Clinic-Repost
Screenshots:
None
Threat Actors: Tanaka
Victim Country: United States
Victim Industry: Healthcare
Victim Organization: Wolfe Eye Clinic
Victim Site: wolfeeyeclinic.com
Free Iranian email:password combo list targeting gaming accounts
Category: Combo List
Content: A threat actor operating under the 1877 team is freely distributing an email:password combo list described as an Iranian gaming database. The post states the credentials can be used to check accounts on various Iranian sites and is made available to the public and team members at no cost.
Date: 2026-05-16T19:42:48Z
Network: openweb
Published URL: https://breached.st/threads/iranian-email-pass-gaming-database.87213/unread
Screenshots:
None
Threat Actors: org1877
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Permata Bank
Category: Data Breach
Content: A threat actor operating under the handle jax7 on Breachforums has posted a thread claiming a data breach of Permata Bank (Indonesian financial institution). The post includes a link to the breach forum thread discussing the leak.
Date: 2026-05-16T19:39:33Z
Network: telegram
Published URL: https://t.me/Jax702/46
Screenshots:
None
Threat Actors: jax7
Victim Country: Indonesia
Victim Industry: Financial Services
Victim Organization: Permata Bank
Victim Site: Unknown
Free German combo list with 3,443 email:password pairs
Category: Combo List
Content: A threat actor shared a combo list of 3,443 German email:password pairs via an external paste link, marketed as fresh and valid. The credentials are a mix of accounts and appear to be distributed for free on a cracking forum.
Date: 2026-05-16T19:38:51Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-Germany-Daily-Fresh-3443-Mix-Valid-mtbcloud
Screenshots:
None
Threat Actors: MTB_cloud
Victim Country: Germany
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of European Email and Password Credentials
Category: Combo List
Content: A combo list of approximately 8,468 European email and password credential pairs is being shared on a cracking forum. The list is described as semi-valid and full-address (FA) formatted. No specific target organization or service is identified.
Date: 2026-05-16T19:38:33Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-8-468-Semi-Valide-FA-Europa-Mix-Combo
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list with alleged fresh valid credentials distributed on cracking forum
Category: Combo List
Content: A combo list marketed as containing 1,199 fresh valid email:password credentials was shared on a cracking forum. The post is attributed to user MTB_cloud and the credentials are described as a mixed combo list.
Date: 2026-05-16T19:38:15Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-Mix-Blaze-1199-Valid-Fresh-mtbcloud
Screenshots:
None
Threat Actors: MTB_cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed business email combo list
Category: Combo List
Content: A threat actor is sharing a mixed business email and password combo list via an external paste link. The post is categorized as a combolist offering targeting business accounts. No specific victim organization or record count is disclosed.
Date: 2026-05-16T19:37:00Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-Mix-Beast-Mode-1203-Business-mtbcloud
Screenshots:
None
Threat Actors: MTB_cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor is offering a combo list of 500 UHQ Hotmail credentials on a cybercrime forum. The post is categorized as a combo list targeting Hotmail accounts, likely for use in credential stuffing or account takeover activity.
Date: 2026-05-16T19:36:39Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-X500-UHQ-HOTMAILS
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of German corporate credential combo list
Category: Combo List
Content: A threat actor is offering a combo list of 3,443 email:password credentials purportedly associated with German corporate accounts. The post is shared via an external paste link and marketed as premium access.
Date: 2026-05-16T19:36:11Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-Germany-Corporate-3443-Access-Premium-mtbcloud
Screenshots:
None
Threat Actors: MTB_cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email access combo list subscription service
Category: Combo List
Content: A threat actor is selling daily fresh mixed email access combo lists, including Hotmail credentials, marketed as private with no duplicates. The service is offered via subscription tiers ranging from $10 for a 3-day trial to $45 for one month. The seller claims the credentials are suitable for use against any target.
Date: 2026-05-16T19:35:51Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%98%81%EF%B8%8F-mk2-cloud-fresh-mix-mail-access-full-private-%F0%9F%92%8E-303110
Screenshots:
None
Threat Actors: mk2clode
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Germany mail access combo list (4.3K credentials)
Category: Combo List
Content: A threat actor shared a combo list of approximately 4,300 Germany-based email credentials on a public forum. The post indicates the data was previously distributed in private groups 4–7 days before public release. No specific breached organization is identified.
Date: 2026-05-16T19:35:46Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9C%A8%E2%84%B9%EF%B8%8F4-3k-GERMANY-MAIL-ACCESS-MIX%E2%9C%A8-15-05
Screenshots:
None
Threat Actors: SecureTrax
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of European mixed combo list with 8,353 credentials
Category: Combo List
Content: A European mixed combo list containing approximately 8,353 semi-valid email:password credential pairs is being shared on a cracking forum. The list is described as semi-valid and targets a mixed range of European accounts. No specific victim organization or service is identified.
Date: 2026-05-16T19:35:27Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-8-353-Semi-Valide-FA-Europa-Mixed-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Forum introduction and community inquiry on DarkNetFrance
Category: Chatter
Content: A user posted an introduction on the DarkNetFrance Dread board after a period of absence, asking for links to French-language darknet forums and reliable vendors for cannabis. No threat activity or cybercrime services are being advertised.
Date: 2026-05-16T19:31:11Z
Network: tor
Published URL: https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/fa01c9058061d346c96d
Screenshots:
None
Threat Actors: Samoussa 🍼
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 1,065 mixed mail credentials shared on forum
Category: Combo List
Content: A threat actor shared a combo list of 1,065 mixed mail credentials on a leak forum. The content is hidden behind registration or login. No specific breached organization is identified.
Date: 2026-05-16T19:25:33Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%EF%B8%8F-1065x-Verity-Vault-Mix-Mail-Drop-%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: Verityyyy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 15.6K DE/FR/IT/USA mail access combo list
Category: Combo List
Content: A threat actor is offering a combo list of approximately 15,600 email account credentials spanning Germany, France, Italy, and the United States. The list is marketed as mail access credentials suitable for credential stuffing. No specific breached organization is identified.
Date: 2026-05-16T19:24:43Z
Network: openweb
Published URL: https://nulledbb.com/thread-15-6k-DE-FR-IT-USA-MAILS-ACCESS-COMBO
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of DE/FR/IT/USA mail access combo list (32.9K records)
Category: Combo List
Content: A threat actor is offering a combo list containing approximately 32,900 email access credentials targeting users from Germany, France, Italy, and the United States. The list is marketed for mail account access across multiple countries.
Date: 2026-05-16T19:24:23Z
Network: openweb
Published URL: https://nulledbb.com/thread-32-9k-DE-FR-IT-USA-MAILS-ACCESS-COMBO
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Poland email combo list with 5.9K credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 5,900 Polish email credentials. The list is advertised as mail access combos targeting Polish users. No specific breached organization is identified.
Date: 2026-05-16T19:24:01Z
Network: openweb
Published URL: https://nulledbb.com/thread-5-9k-POLAND-COMBO-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Germany combo list with 5.5K email credentials
Category: Combo List
Content: A threat actor is sharing a combo list of approximately 5,500 German email credentials. The post advertises the list as mail access combos targeting German accounts.
Date: 2026-05-16T19:23:42Z
Network: openweb
Published URL: https://nulledbb.com/thread-5-5k-GERMANY-COMBOS-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 40.5K Hotmail credentials
Category: Combo List
Content: A threat actor shared a combo list containing approximately 40,500 Hotmail credentials. The post was made on a public forum and appears to offer the list for free distribution. No additional details about the data origin or verification status were provided.
Date: 2026-05-16T19:23:21Z
Network: openweb
Published URL: https://nulledbb.com/thread-40-5k-HOTMAILS-COMBO-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Figma Pro 1-Year Subscription Access
Category: Services
Content: A forum seller is offering a 1-year Figma Pro subscription for $14.99, marketed as Creative Workflow Support. The post appears to advertise unauthorized or resold access to Figma Pro accounts. No further details are available from the post content.
Date: 2026-05-16T19:20:43Z
Network: openweb
Published URL: https://cracked.st/Thread-14-99-%E2%9C%85-Design-Smarter-All-Years-%E2%80%93-Figma-Pro-1-Year-Creative-Workflow-Support
Screenshots:
None
Threat Actors: secur3rat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Fraud Methods and Tips Tutorial Post on Dark Web Forum
Category: Chatter
Content: A dark web forum post shares a broad collection of fraud tutorials and methods including card testing, BIN attacks, chargeback fraud, SIM swapping, phishing pages, ACH fraud, and money laundering techniques. The post covers operational security tips such as VPN chaining and encrypted communications. No specific victim organization or dataset is referenced; the content is instructional in nature targeting multiple fraud categories.
Date: 2026-05-16T19:13:43Z
Network: tor
Published URL: https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/77ce161221dd040584f2
Screenshots:
None
Threat Actors: c2b37x62 P
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Germany mail access combo list (4.3K credentials)
Category: Combo List
Content: A threat actor is freely distributing a combo list of approximately 4,300 German email account credentials. The post indicates the data was initially shared in private closed groups 4–7 days prior to public release. The content is gated behind registration or login on the forum.
Date: 2026-05-16T19:12:59Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%E2%84%B9%EF%B8%8F4-3k-germany-mail-access-mix%E2%84%B9%EF%B8%8F%E2%9C%A8-15-05
Screenshots:
None
Threat Actors: TraxGod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed mail access combo list with 1,440 lines
Category: Combo List
Content: A threat actor shared a mixed mail access combo list containing 1,440 lines on a cybercrime forum. The content is gated behind registration or login. No specific targeted organization or country is identified.
Date: 2026-05-16T19:12:39Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1-440-lines-mixed-mail-access-base
Screenshots:
None
Threat Actors: cloudkaraoke
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of corporate mixed email combo list
Category: Combo List
Content: A threat actor is offering a combo list of approximately 28,900 corporate email and password pairs, described as mixed corporate mail access. The seller also advertises bulk combo lists at various price tiers, including gaming and shopping combos, and offers access to a private combo group for a recurring subscription fee.
Date: 2026-05-16T19:10:16Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-28-9k-CORPS-MIXED-COMBO-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed corporate email combo list
Category: Combo List
Content: A threat actor is offering a mixed corporate email and password combo list containing approximately 32,400 credentials. The post advertises access to larger combo lists at tiered pricing, including gaming and shopping combos. Content is gated behind forum registration or login.
Date: 2026-05-16T19:09:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-32-4k-CORPS-MIXED-COMBO-MAILS-ACCESS
Screenshots:
None
Threat Actors: MrCOMBOROBOA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of email credentials, phone-password combos, and Gmail cookies
Category: Combo List
Content: A forum seller is offering email:password combos, phone number:password combos, and Gmail cookies marketed as fresh and effective. The post appears to advertise credential bundles likely suitable for credential stuffing or account takeover activity. No further details are available from the post content.
Date: 2026-05-16T18:56:19Z
Network: openweb
Published URL: https://altenens.is/threads/purchase-fresh-and-effective-email-password-phone-number-password-gmail-cookie.2941544/unread
Screenshots:
None
Threat Actors: zhurek
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of personal data, identity documents, and credential databases
Category: Services
Content: A threat actor is advertising a range of data products for sale including full company databases, scanned identity documents (IDs, drivers licenses, passports), SSN/SIN records, consumer info, phone and email lists, and credentials. The seller directs prospective buyers to contact them via Telegram.
Date: 2026-05-16T18:51:59Z
Network: openweb
Published URL: https://crackingx.com/threads/75481/
Screenshots:
None
Threat Actors: jannatmirza11
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Gmail-targeted combo list of 158K credentials offered for free
Category: Combo List
Content: A threat actor on a cracking forum has shared a Gmail-targeted combo list containing approximately 158,000 email:password credential pairs. The post also advertises additional combo lists for sale covering multiple email providers and regions including AOL, Yahoo, Hotmail, Outlook, and various countries. Contact is solicited via Telegram for purchases.
Date: 2026-05-16T18:49:05Z
Network: openweb
Published URL: https://demonforums.net/Thread-158K-GMAIL-TARGETED-COMBOLIST
Screenshots:
None
Threat Actors: Ra-Zi
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail credential hits combo list shared on forum
Category: Combo List
Content: A threat actor shared 687 alleged high-quality Hotmail credential hits on a cybercrime forum. The post references inbox access targets, suggesting the credentials may be marketed for use in account takeover or spam campaigns. The actual content is hidden behind a registration/login requirement.
Date: 2026-05-16T18:47:51Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%A5-687x-hq-hotmail-hits-%F0%9F%94%A5-%F0%9F%94%8E-inboxes-targets-%F0%9F%94%8E
Screenshots:
None
Threat Actors: Lowza9
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Vitpack by 0xSHALL of FOURSDEATH TEAM
Category: Defacement
Content: On May 17, 2026, the website vitpack.nl was defaced by threat actor 0xSHALL operating under the group FOURSDEATH TEAM. The defacement targeted a specific page (zxc.html) rather than the sites homepage, indicating a targeted page-level intrusion. The incident was recorded and mirrored by zone-xsec.com with mirror ID 923548.
Date: 2026-05-16T18:47:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923548
Screenshots:
None
Threat Actors: 0xSHALL, FOURSDEATH TEAM
Victim Country: Netherlands
Victim Industry: Unknown
Victim Organization: Vitpack
Victim Site: vitpack.nl
Combo List targeting Hotmail with 3,862 valid credentials
Category: Combo List
Content: A threat actor is distributing a combo list of 3,862 credentials claimed to be valid Hotmail accounts, marketed with a validity date of May 15, 2026. The content is gated behind forum registration or login.
Date: 2026-05-16T18:47:20Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%F0%9F%8F%873862-hotmail-valid-access-15-05-2026
Screenshots:
None
Threat Actors: SupportHotmail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged education sector credential combo list with 101,586 lines
Category: Combo List
Content: A combo list containing 101,586 email and password pairs from mixed education domain leaks has been shared on a cracking forum. The credentials appear to target educational institutions. No specific organization or breach source is identified.
Date: 2026-05-16T18:46:22Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-101-586-Lines-%E2%9C%85-Edu-education-Mixed-Domain-leaks
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ mixed combo list (1,782 entries)
Category: Combo List
Content: A user on a cracking forum shared a UHQ mixed email:password combo list containing 1,782 entries. No additional details about the source or targeted services are available from the post content.
Date: 2026-05-16T18:45:59Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1782x-uhq-mixed
Screenshots:
None
Threat Actors: Timi999
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Urban Lights Church by 0xSHALL (FOURSDEATH TEAM)
Category: Defacement
Content: On May 17, 2026, a threat actor identified as 0xSHALL, operating under the group FOURSDEATH TEAM, defaced a page on the Urban Lights Church website (urbanlights.church/zxc.html). The attack was a targeted single-page defacement rather than a mass or home page compromise. No specific motive or server details were disclosed in the available intelligence.
Date: 2026-05-16T18:44:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923547
Screenshots:
None
Threat Actors: 0xSHALL, FOURSDEATH TEAM
Victim Country: Unknown
Victim Industry: Religious Organization
Victim Organization: Urban Lights Church
Victim Site: urbanlights.church
Website Defacement of Mori Castello by 0xSHALL (FOURSDEATH TEAM)
Category: Defacement
Content: On May 17, 2026, the Italian website moricastello.it was defaced by threat actor 0xSHALL operating under the FOURSDEATH TEAM. The attack targeted a specific page (zxc.html) rather than the homepage, suggesting a targeted single-page defacement. The incident was recorded and mirrored by zone-xsec.com with mirror ID 923545.
Date: 2026-05-16T18:30:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923545
Screenshots:
None
Threat Actors: 0xSHALL, FOURSDEATH TEAM
Victim Country: Italy
Victim Industry: Hospitality / Tourism
Victim Organization: Mori Castello
Victim Site: moricastello.it
Website Defacement of kintlevoseg.hu by 0xSHALL of FOURSDEATH TEAM
Category: Defacement
Content: On May 17, 2026, the Hungarian website kintlevoseg.hu was defaced by threat actor 0xSHALL operating under the group FOURSDEATH TEAM. The attack targeted a specific page (zxc.html) rather than the sites homepage, indicating a targeted page-level defacement. The incident was recorded and mirrored by zone-xsec.com with mirror ID 923546.
Date: 2026-05-16T18:29:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923546
Screenshots:
None
Threat Actors: 0xSHALL, FOURSDEATH TEAM
Victim Country: Hungary
Victim Industry: Unknown
Victim Organization: Kintlevoseg
Victim Site: kintlevoseg.hu
Sale of UHQ combo list targeting VPN and gaming services
Category: Combo List
Content: A threat actor is sharing a combo list of approximately 250,000 email:password credentials marketed as UHQ (ultra-high quality) and intended for use against VPN and gaming services. No additional details are available from the post content.
Date: 2026-05-16T18:26:03Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-uhq-250K-VPN-GAME-COMBO-TRY
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
115K UHQ Mixed Mail Combo List
Category: Combo List
Content: A threat actor is sharing a combo list of 115,000 mixed email credentials, marketed as UHQ and fresh. The post is sponsored by slateaio.com, a known credential-stuffing tool platform.
Date: 2026-05-16T18:25:40Z
Network: openweb
Published URL: https://cracked.st/Thread-115K-UHQ-MIXED-MAIL-COMBO-FRESH
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free Outlook combo list containing 20,000 credentials
Category: Combo List
Content: A threat actor shared a combo list of 20,000 Outlook credentials, marketed as ultra-high quality and fresh. The post is sponsored by slateaio.com, suggesting use with credential-stuffing tools. No specific breach victim is identified.
Date: 2026-05-16T18:25:16Z
Network: openweb
Published URL: https://cracked.st/Thread-20K-UHQ-OUTLOOK-COMBO-FRESH–2094814
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of semi-validated email access combo list with 14,823 credentials
Category: Combo List
Content: A threat actor is sharing a combo list containing 14,823 semi-validated email address and password pairs marketed as having email access. The list is distributed via a carding/combolist forum and appears to be intended for credential stuffing or unauthorized email account access.
Date: 2026-05-16T18:24:54Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-14-823-Semi-Valide-FA-Mail-Access-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 100,000 US email:password credentials shared on forum
Category: Combo List
Content: A threat actor operating under the alias ImLupin (also referencing TheLupin) has made available a combo list of over 100,000 United States email:password credential pairs on a cracking forum. The post markets the data as ultra high quality.
Date: 2026-05-16T18:24:34Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-100-000-UNITED-STATES-MAIL-PASSWORD-DATA-ULTRA-HIGH-QUALITY
Screenshots:
None
Threat Actors: ImLupin
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 7.5K mixed mail access combo list
Category: Combo List
Content: A forum user is sharing or selling a combo list of approximately 7,500 mixed email account credentials. No further details are available from the post content.
Date: 2026-05-16T18:24:13Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-7-5k-mixed-mail-access
Screenshots:
None
Threat Actors: Timi999
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Evocon industrial cloud database
Category: Data Breach
Content: A threat actor claims to have breached Evocons central cloud database, allegedly obtaining factory transaction logs and industrial device operational data. The post threatens to publish the extracted files publicly if a ransom is not paid, and offers to share vulnerability details and delete the data upon payment. The exposed data reportedly includes global industrial operations logs and machinery outputs.
Date: 2026-05-16T18:21:02Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Estonia-Evocon-Industrial-Logs-Database-%E2%80%94-Full-Factory-Transaction-Logs-Exposed
Screenshots:
None
Threat Actors: Sejjil
Victim Country: Estonia
Victim Industry: Manufacturing
Victim Organization: Evocon
Victim Site: evocon.com
Alleged data leak of Politeknik Negeri Bali employee database
Category: Data Leak
Content: A threat actor leaked for free a database purportedly belonging to Bali State Polytechnic (Politeknik Negeri Bali) containing employee records. The exposed data includes fields such as national ID numbers, full names, gender, date and place of birth, religion, marital status, phone numbers, email addresses, home addresses, bank account numbers, tax identification numbers, and employment status. The actor indicated they are continuing to search for additional data from the organization.
Date: 2026-05-16T18:16:14Z
Network: openweb
Published URL: https://breached.st/threads/politeknik-bali-database.87212/unread
Screenshots:
None
Threat Actors: Kyyza
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Politeknik Negeri Bali
Victim Site: pnb.ac.id
Sale of Hotmail credential combo list with 4K valid hits
Category: Combo List
Content: A forum user is distributing a combo list of approximately 4,000 Hotmail credentials marketed as valid hits. Access to the content requires forum engagement. The named service is a credential-stuffing target, not the breach source.
Date: 2026-05-16T18:13:13Z
Network: openweb
Published URL: https://altenens.is/threads/4k-hotmails-valid-hits.2941533/unread
Screenshots:
None
Threat Actors: GhostlyGamer
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 450K UHQ Gmail combo list
Category: Combo List
Content: A threat actor is distributing a combo list containing 450,000 Gmail credentials, marketed as ultra-high quality and fresh. Access to the hidden content requires forum engagement. Gmail is a credential-stuffing target, not the breach victim.
Date: 2026-05-16T18:12:44Z
Network: openweb
Published URL: https://altenens.is/threads/450k-uhq-gmail-combo-fresh.2941534/unread
Screenshots:
None
Threat Actors: GhostlyGamer
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of stealer logs and ULP credentials
Category: Logs
Content: A threat actor known as WaterCloud is freely distributing stealer logs and URL:Login:Password (ULP) credential data via a Pixeldrain link. The content is partially hidden behind a forum registration wall. No specific victim organization or record count is disclosed.
Date: 2026-05-16T18:12:29Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%90%E2%AD%90%E2%AD%90-stealer-logs-and-u-l-p-16-05-2026
Screenshots:
None
Threat Actors: WaterCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Norauto France
Category: Data Leak
Content: A threat actor claims to be leaking the customer database of Norauto, a French automotive service and retail company. The leaked data reportedly includes names, addresses, phone numbers, and email addresses in TXT format totaling 522 MB. A sample of JSON-structured customer records was shared as proof.
Date: 2026-05-16T17:59:57Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-FR-Norauto-fr
Screenshots:
None
Threat Actors: shitanus
Victim Country: France
Victim Industry: Retail
Victim Organization: Norauto
Victim Site: norauto.fr
Sale of hacked Office365 SMTP access
Category: Initial Access
Content: A threat actor is offering for sale a hacked SMTP access associated with office365.com. No further details are available from the post content.
Date: 2026-05-16T17:58:21Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-HACKED-office365-com-SMTP
Screenshots:
None
Threat Actors: CHS
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Microsoft
Victim Site: office365.com
Sale of compromised Ticketmaster accounts
Category: Initial Access
Content: A threat actor is selling compromised Ticketmaster (TM) accounts at $8 each for regular accounts and $15 each for accounts with order history, with bulk discounts available. The post does not specify the total number of accounts available or the method of compromise.
Date: 2026-05-16T17:56:36Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-TM-Accounts
Screenshots:
None
Threat Actors: EVERYWEEK
Victim Country: Unknown
Victim Industry: Entertainment
Victim Organization: Ticketmaster
Victim Site: ticketmaster.com
Combo List targeting European accounts (9,539 records)
Category: Combo List
Content: A combo list of 9,539 email:password credentials marketed as semi-valid and targeting European accounts was shared on a cracking forum. The list is described as suitable for credential stuffing or account checking. No specific victim organization is identified.
Date: 2026-05-16T17:56:05Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-9-539-Semi-Valide-FA-Combolist-Europa-Good
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of RDP access and compromised email accounts
Category: Initial Access
Content: Threat actor offering rental access to RDP instances on Azure, AWS, and DigitalOcean platforms at $200, along with compromised domain mail, Gmail, Yahoo accounts, GitHub Student accounts, and various subscription services (ChatGPT Plus, Claude, ElevenLabs). Fresh RDP with good IP reputation advertised. Escrow service offered.
Date: 2026-05-16T17:53:57Z
Network: telegram
Published URL: https://t.me/c/2613583520/83008
Screenshots:
None
Threat Actors: Squad Chat Marketplace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list
Category: Combo List
Content: A threat actor shared a combo list of approximately 7,000 Hotmail credentials, marketed as high-quality hits. The content is hidden behind a registration or login requirement on the forum.
Date: 2026-05-16T17:52:57Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85-7k-hq-hotmail-hit-%E2%9C%85-303067
Screenshots:
None
Threat Actors: RetroCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed mail access combo list with 3,691 credentials
Category: Combo List
Content: A forum user shared a mixed mail access combo list containing 3,691 credentials. The content is hidden behind registration and no further details about the data source or composition are visible.
Date: 2026-05-16T17:46:29Z
Network: openweb
Published URL: https://crackingx.com/threads/75479/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list: geo mix multi-country URL:log:pass credentials
Category: Combo List
Content: A threat actor shared a free combo list containing over 10,000 URL:log:pass credential pairs sourced from multiple countries. The list is described as fresh and was made available via an external file-sharing link.
Date: 2026-05-16T17:45:56Z
Network: openweb
Published URL: https://cracked.st/Thread-URL-LOG-PASS-Geo-MIX-COUNTRY-10000-Fresh
Screenshots:
None
Threat Actors: HULKMAD
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: Mixed Mail Access Credentials (1,440 Lines)
Category: Combo List
Content: A threat actor has shared a combo list containing 1,440 lines of mixed mail access credentials. The list is offered as a free download on a cracking forum. No specific victim organization or country is identified.
Date: 2026-05-16T17:45:27Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1-440-LINES-MIXED-MAIL-ACCESS-DATABASE
Screenshots:
None
Threat Actors: kccloud01
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Instagram account unban and recovery service offered via claimed insider access
Category: Services
Content: A forum user is advertising an Instagram account unban and recovery service, claiming to operate through an insider representative. Services include ban removal and shadowban removal for $1,500, with an insider contact reportedly available for sale at $20,000. The seller states escrow is accepted and requests proof of funds for the contact sale.
Date: 2026-05-16T17:44:46Z
Network: openweb
Published URL: https://cracked.st/Thread-INSTANT-INSTAGRAM-UNBANS-VIA-REP-AVAILABLE-FOR-LONGTERM-WORK
Screenshots:
None
Threat Actors: richofkyc
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Website Defacement of Indonesian University Moodle Platform by Mr.spongebob (Anonsec Team)
Category: Defacement
Content: On May 17, 2026, a threat actor known as Mr.spongebob, operating under the Anonsec Team, conducted a mass defacement targeting the Moodle e-learning platform of an Indonesian university (moodle.uasn.ac.id). The attack was carried out on a Linux-based server and is classified as a mass defacement campaign. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-16T17:42:38Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249316
Screenshots:
None
Threat Actors: Mr.spongebob, Anonsec Team
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Universitas Abdurrab Pekanbaru (UASN)
Victim Site: moodle.uasn.ac.id
Mass Defacement of skilledsavers.com by Mr.spongebob of Anonsec Team
Category: Defacement
Content: On May 17, 2026, a threat actor known as Mr.spongebob, operating under the Anonsec Team, conducted a mass defacement attack against skilledsavers.com, a website likely associated with financial savings services. The attack targeted a Linux-based server and involved defacement of a specific page rather than the homepage. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-16T17:41:13Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249317
Screenshots:
None
Threat Actors: Mr.spongebob, Anonsec Team
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Skilled Savers
Victim Site: skilledsavers.com
Mass Website Defacement of Indonesian University by Mr.spongebob of Anonsec Team
Category: Defacement
Content: On May 17, 2026, a threat actor identified as Mr.spongebob, operating under the Anonsec Team, conducted a mass defacement attack targeting the Faculty of Computer Science website of an Indonesian university hosted at fasilkom.uasn.ac.id. The defacement was performed on a Linux-based server and archived via haxor.id. This incident is part of a broader mass defacement campaign attributed to the same actor and group.
Date: 2026-05-16T17:40:03Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249315
Screenshots:
None
Threat Actors: Mr.spongebob, Anonsec Team
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Universitas Amikom Surakarta – Faculty of Computer Science (Fasilkom)
Victim Site: fasilkom.uasn.ac.id
Website Defacement of UASN Academic Institution by Mr.spongebob of Anonsec Team
Category: Defacement
Content: On May 17, 2026, a threat actor identified as Mr.spongebob, operating under the Anonsec Team, defaced a page on the Indonesian academic institution uasn.ac.id. The attack targeted a specific page (uid.html) on a Linux-based web server, and was not classified as a mass or home page defacement. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-16T17:39:13Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249313
Screenshots:
None
Threat Actors: Mr.spongebob, Anonsec Team
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Universitas Akademi Sakti Nusantara (UASN)
Victim Site: uasn.ac.id
Mass Defacement of Indonesian University Website by Mr.spongebob of Anonsec Team
Category: Defacement
Content: On May 17, 2026, a threat actor known as Mr.spongebob, affiliated with Anonsec Team, conducted a mass defacement attack targeting the Faculty of Economics website of Universitas Abdurrab (UASN) in Indonesia. The attacker defaced the page at fekon.uasn.ac.id/uid.html on a Linux-based server. This incident was part of a broader mass defacement campaign, with a mirror of the defacement archived at haxor.id.
Date: 2026-05-16T17:38:00Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249314
Screenshots:
None
Threat Actors: Mr.spongebob, Anonsec Team
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: Universitas Abdurrab Pekanbaru (UASN) – Faculty of Economics
Victim Site: fekon.uasn.ac.id
Mass Website Defacement of SkilledSavers by Mr.spongebob of Anonsec Team
Category: Defacement
Content: On May 17, 2026, a threat actor identified as Mr.spongebob, operating under the Anonsec Team, conducted a mass defacement attack targeting forms.skilledsavers.com, a subdomain associated with a savings or financial services platform. The attack targeted a Linux-based server and defaced a specific page (uid.html) as part of a broader mass defacement campaign. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-16T17:36:31Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249318
Screenshots:
None
Threat Actors: Mr.spongebob, Anonsec Team
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: SkilledSavers
Victim Site: forms.skilledsavers.com
Distribution of stealer logs (1.6GB, May 2026)
Category: Logs
Content: A forum user shared a 1.6GB collection of stealer logs dated May 16, 2026. The post is a bump with no additional details about origin, target sectors, or affected organizations.
Date: 2026-05-16T17:24:56Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%AD%90%EF%B8%8FLOGS-FRESH-1-6GB-FROM-16-05-2026%E2%AD%90%EF%B8%8F-%E2%98%81
Screenshots:
None
Threat Actors: hellall
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged defacement of ai345.cn by C10F/X404
Category: Defacement
Content: Indonesian defacer group C10F/X404 claimed responsibility for defacing ai345.cn website. Multiple defacement proof URLs provided including DIT.txt, C10F.html, and Defacer.html files planted on the target domain.
Date: 2026-05-16T17:24:32Z
Network: telegram
Published URL: https://t.me/c/3755871403/500
Screenshots:
None
Threat Actors: C10F
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: ai345.cn
Victim Site: ai345.cn
Sale of European mix combo list with 7,306 records
Category: Combo List
Content: A threat actor shared a combo list of 7,306 email:password credential pairs described as semi-valid and sourced from European accounts. The list is advertised as a mix combo, suggesting credentials from multiple sources or services. No specific breached organization is identified.
Date: 2026-05-16T17:24:26Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-7-306-Semi-Valide-FA-Europa-Mix-Combo
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of Hotmail credentials
Category: Combo List
Content: A combo list of 763 Hotmail credentials marketed as UHQ (ultra-high quality) and valid was shared on a cracking forum. The credentials appear to be compiled from prior breaches and tested against Hotmail accounts.
Date: 2026-05-16T17:24:05Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-x763-HOTMAILS-UHQ-VALID
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Refund fraud service offering for Amazon and Apple
Category: Services
Content: A threat actor operating under the alias Gr33nGoblin is advertising a refund fraud service targeting Amazon and Apple, claiming high-quality results with competitive fees and turnaround times. Refund fraud services typically involve social engineering or policy abuse to obtain refunds for items that were not legitimately returned. No further details are available as the post contained no content.
Date: 2026-05-16T17:23:20Z
Network: openweb
Published URL: https://cracked.st/Thread-Shoppy-Goblin-s-Amazon-Apple-Refunds-HQ-Refunds-Best-fee-Timeframe–2094789
Screenshots:
None
Threat Actors: Gr33nGoblin
Victim Country: Unknown
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
Sale of C2 Mobile Exploitation Framework Targeting iOS and Android Devices
Category: Malware
Content: A threat actor is selling C2 BlackSite, a claimed zero-click full-chain exploitation framework targeting iOS and Android devices across all versions. The tool advertises capabilities including browser RCE, kernel read/write, persistent implant delivery, keychain extraction, real-time surveillance (camera, microphone, GPS), cryptocurrency wallet seed phrase extraction, and banking credential theft. The product is offered with same-day exploit updates, 24/7 developer support, and delivery via SM
Date: 2026-05-16T17:18:03Z
Network: openweb
Published URL: https://breached.st/threads/c2-exploit-for-ios-android-supported-all-latest-versions.87210/unread
Screenshots:
None
Threat Actors: C2Exploit
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Permata Bank
Category: Data Leak
Content: A threat actor using the handle JAX7 has leaked data allegedly belonging to Permata Bank, an Indonesian financial institution. The post includes a sample code block, though the full content and record count are not specified in the available post excerpt.
Date: 2026-05-16T17:17:10Z
Network: openweb
Published URL: https://breached.st/threads/leak-permata-bank.87209/unread
Screenshots:
None
Threat Actors: JAX7
Victim Country: Indonesia
Victim Industry: Finance
Victim Organization: Permata Bank
Victim Site: permatabank.com
Wanted: Canadian personal data profiles including SIN and drivers license numbers
Category: Combo List
Content: A forum user is soliciting Canadian personal data profiles containing full name, date of birth, address, Social Insurance Number (SIN), and drivers license number. Bonus value is indicated for profiles that include tax information or business profiles. The post requests proof of legitimacy from potential sellers.
Date: 2026-05-16T17:05:42Z
Network: openweb
Published URL: https://crackingx.com/threads/75474/
Screenshots:
None
Threat Actors: Cashgang2231
Victim Country: Canada
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UUHQ ULP combo list
Category: Combo List
Content: A forum user is offering a combo list containing 793,064 credentials marketed as ultra-high quality (UUHQ) and fresh, in URL:login:password (ULP) format.
Date: 2026-05-16T17:05:30Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-793064-UUHQ-100-FRESH-UUHQ-ULP-BASE-%E2%9C%A8
Screenshots:
None
Threat Actors: EViLUMiNATUS
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of ULP combo list with 1.7 million lines
Category: Combo List
Content: A threat actor is freely distributing a URL:Login:Password (ULP) combo list containing approximately 1.7 million lines. The list is marketed as high quality and private. No specific victim organization or target service is identified.
Date: 2026-05-16T17:04:14Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%AD%90ULP-URL-LOGIN-PASS-PRIVATE-1-7M-LINES%E2%AD%90HQ%E2%AD%90LEAKED%E2%AD%90BY-ACCGIR%E2%AD%90–2094783
Screenshots:
None
Threat Actors: GoorG
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Germany-targeted shopping combo list (web.de, GMX, T-Online)
Category: Combo List
Content: A combo list of 144,289 email:password credentials targeting German email providers (web.de, GMX, T-Online) has been shared on a cracking forum. The list is described as suitable for shopping-related credential stuffing. No further details are available from the post content.
Date: 2026-05-16T17:03:44Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-144-289-web-de-gmx-t-online-Shopping-Combolist-Germany-Target
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of French email/password combo list
Category: Combo List
Content: A combo list containing approximately 1,400 French email and password pairs has been shared on BreachForums. The credentials are sourced from France-based accounts and appear to be intended for credential stuffing purposes.
Date: 2026-05-16T17:03:01Z
Network: openweb
Published URL: https://breachforums.rs/Thread-1-4K-France-combo-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ Outlook combo list containing 19K credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 19,000 Outlook credentials, marketed as ultra-high quality and fresh. The list is intended for credential stuffing against Outlook/Microsoft accounts. No further details are available from the post content.
Date: 2026-05-16T17:02:27Z
Network: openweb
Published URL: https://cracked.st/Thread-19K-UHQ-OUTLOOK-COMBO-FRESH
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 1.8K Japanese email and password credentials
Category: Combo List
Content: A threat actor shared a combo list containing 1,800 email and password credential pairs associated with Japan. The list was made available via an external file-sharing link.
Date: 2026-05-16T17:01:34Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Combo-1-8K-Japan-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ Yahoo combo list (25K credentials)
Category: Combo List
Content: A threat actor is sharing a combo list of 25,000 Yahoo credentials marketed as UHQ and fresh. The post is sponsored by slateaio.com, suggesting the list may be intended for credential stuffing use.
Date: 2026-05-16T17:01:11Z
Network: openweb
Published URL: https://cracked.st/Thread-25K-UHQ-YAHOO-COMBO-FRESH
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of UK email credentials (2.7K)
Category: Combo List
Content: A threat actor shared a combolist containing approximately 2,700 UK email and password pairs on a cybercrime forum. The post targets no specific organization; credentials appear to be aggregated from multiple sources.
Date: 2026-05-16T17:01:06Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Combolist-Uk-2-7K-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 8,679 email:password credentials marketed as semi-valid and fresh
Category: Combo List
Content: A combo list of 8,679 email and password pairs is being shared on a cracking forum, described as semi-valid and fresh. The credentials appear to be marketed for credential stuffing or account takeover activity.
Date: 2026-05-16T16:59:43Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-8-679-Semi-Valide-FA-Good-Line-Fresh
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Russian combo list of 1.4K email/password credentials
Category: Combo List
Content: A threat actor shared a combo list containing approximately 1,400 email and password pairs, described as Russian in origin, via an external file-sharing link.
Date: 2026-05-16T16:59:32Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Russian-Combo-1-4K-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ Gmail combo list with 500K credentials
Category: Combo List
Content: A threat actor is distributing a combo list marketed as 500K UHQ Gmail credentials described as fresh. The post is sponsored by slateaio.com, likely a credential-checking tool service. As a combo list, Gmail is a credential-stuffing target, not the breach victim.
Date: 2026-05-16T16:59:15Z
Network: openweb
Published URL: https://cracked.st/Thread-500K-UHQ-GMAIL-COMBO-FRESH–2094778
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: Gmail credentials (94K)
Category: Combo List
Content: A threat actor is distributing a combo list containing approximately 94,000 Gmail email and password pairs. The list is shared via an external file-hosting link. Gmail is a credential-stuffing target, not the breach source.
Date: 2026-05-16T16:59:04Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Combolist-Gmail-94K-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
125K UHQ Mixed Mail Combo List
Category: Combo List
Content: A threat actor is distributing a combo list containing approximately 125,000 mixed email credentials, marketed as fresh and high quality. The post is sponsored by slateaio.com. No specific breached organization is identified.
Date: 2026-05-16T16:58:47Z
Network: openweb
Published URL: https://cracked.st/Thread-125K-UHQ-MIXED-MAIL-COMBO-FRESH
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ Hotmail combo list containing 50,000 credentials
Category: Combo List
Content: A threat actor is offering a combo list of 50,000 Hotmail credentials marketed as high quality and fresh. The list is advertised on a cracking forum and appears intended for credential stuffing use. The post is sponsored by vows.solutions.
Date: 2026-05-16T16:58:28Z
Network: openweb
Published URL: https://cracked.st/Thread-50K-UHQ-HOTMAIL-COMBO-FRESH–2094774
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of Hotmail credentials (2.3K)
Category: Combo List
Content: A threat actor shared a combo list of 2,300 Hotmail email and password pairs on a public forum. The list was made available via an external file-sharing link.
Date: 2026-05-16T16:57:22Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Combolist-Hotmail-2-3K-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Valorant account combo list with over 400,000 credentials
Category: Combo List
Content: A threat actor is selling private Valorant account combo lists claimed to contain over 400,000 credentials marketed as fresh with guaranteed hits. A credential checker (with source code) is also offered for sale via a Discord server. The combo list targets mixed-region Valorant accounts and is available through a private Discord channel.
Date: 2026-05-16T16:57:04Z
Network: openweb
Published URL: https://patched.to/Thread-gaming-2350x-valorant-mixed-region-account-combolist-303056
Screenshots:
None
Threat Actors: cdrgod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged DDoS Stresser Service Advertisement – GoliathStress
Category: Malware
Content: GoliathStress is being advertised as a Layer 4 & 7 DDoS stresser service claiming to bypass major protection systems including Cloudflare, OVH, Hetzner, Amazon, Akamai, and others. The service offers custom attack methods targeting game servers (PUBG, FiveM) with extreme GBPS power capabilities.
Date: 2026-05-16T16:56:59Z
Network: telegram
Published URL: https://t.me/c/1669509146/98795
Screenshots:
None
Threat Actors: GoliathStress
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo list targeting Libero.it
Category: Combo List
Content: A threat actor is sharing 623 high-quality credentials associated with Libero.it accounts. The post advertises daily supply of 4,000–12,000 fresh credentials marketed as untouched and optimized for credential stuffing.
Date: 2026-05-16T16:56:45Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-623x-hq-libero-it-by-s2lender-txt
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail credential combo list with inbox access claims
Category: Combo List
Content: A threat actor is distributing a combo list of 287 claimed high-quality Hotmail credential hits, marketed as valid inbox accesses. The content is gated behind forum registration or login. Hotmail is the credential-stuffing target, not the breach victim.
Date: 2026-05-16T16:56:17Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9D%84-287x-hq-hotmail-hits-%E2%9D%84-%F0%9F%94%8E-inboxes-targets-%F0%9F%94%8E
Screenshots:
None
Threat Actors: Lowza9
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list of 2,000 mixed mail credentials
Category: Combo List
Content: A combo list of approximately 2,000 mixed email account credentials is being shared on a clearnet forum. The content is gated behind registration or login. The list is attributed to the user Kommander0 and dated May 16.
Date: 2026-05-16T16:55:45Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-2k-mix-mail-access-full-valid-by-kommander0-16-05
Screenshots:
None
Threat Actors: AnticaCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of premium mixed mail combo list with 4,807 hits
Category: Combo List
Content: A threat actor is distributing a combo list containing 4,807 mixed mail credentials, including Hotmail hits, marketed as premium and valid. The content is gated behind forum registration or login.
Date: 2026-05-16T16:55:16Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%E2%9A%A1-4807x-premium-mix-mail-hits%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: alphaaxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List sharing by BatmanMail
Category: Combo List
Content: A forum user shared a hidden combo list file titled Private Mix on a combolist forum. The content is restricted to registered or logged-in members. No additional details about the data composition or record count are available.
Date: 2026-05-16T16:54:57Z
Network: openweb
Published URL: https://patched.to/Thread-private-mix-batmanmail-2-txt
Screenshots:
None
Threat Actors: BatmanMail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of alleged fresh stealer logs
Category: Logs
Content: A forum user shared a post in the stealer logs section titled MAY FRESH LOGS with minimal content referencing Leaky Pro. The post appears to advertise or distribute fresh stealer log data, though specific details regarding volume, origin, or victims are not provided.
Date: 2026-05-16T16:53:01Z
Network: openweb
Published URL: https://breached.st/threads/may-fresh-logs.87208/unread
Screenshots:
None
Threat Actors: webbrunch
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of LSP Tematika
Category: Data Breach
Content: A threat actor is selling a 14GB+ database allegedly exfiltrated from LSP Tematika, an Indonesian professional certification body. The dataset reportedly contains tens of thousands of personal records of assessees and assessors, including names, national ID numbers, dates of birth, contact details, credentials, and company documents. The actor claims this is a follow-up to an unmet ransom demand and threatens to release additional victim data if payment is not received.
Date: 2026-05-16T16:52:20Z
Network: openweb
Published URL: https://breached.st/threads/sell-database-lsptematika.87207/unread
Screenshots:
None
Threat Actors: Kyyzo
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: LSP Tematika
Victim Site: lsptematika.net
Alleged sale of stolen payment cards and email access credentials
Category: Combo List
Content: Threat actor operating Boss Shop marketplace advertising sale of first-hand stolen payment cards (100K+ daily updates) at $0.01-$0.1 per card with validity guarantees. Also offering daily free stolen cards. Separate post advertising stolen email access credentials across multiple countries (FR, BE, AU, CA, UK, US, NL, PL, DE, JP) with proof-of-life testing available. Both offerings include contact information for purchases.
Date: 2026-05-16T16:46:42Z
Network: telegram
Published URL: https://t.me/c/2613583520/82972
Screenshots:
None
Threat Actors: Boss Shop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Office 365 combo list
Category: Combo List
Content: A threat actor is offering a combo list of 2 million credentials purportedly valid for Office 365, advertised via Telegram channels. The post directs interested parties to contact the seller directly or join associated Telegram groups for free combos and tools.
Date: 2026-05-16T16:36:12Z
Network: openweb
Published URL: https://crackingx.com/threads/75467/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of gaming combo list with 1.5 million mixed credentials
Category: Combo List
Content: A threat actor posted a gaming-themed combo list containing approximately 1.5 million mixed credentials on BreachForums. No additional details are available as the post content was not captured.
Date: 2026-05-16T16:34:17Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Combolist-Gaming-1-5M-Mixed
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Gaming
Victim Organization: Unknown
Victim Site: Unknown
Hotmail combo list freely distributed and offered for sale
Category: Combo List
Content: A threat actor is distributing Hotmail credential hits via a free cloud service and offering a private version for purchase via Telegram. The post advertises high-quality hits suitable for credential stuffing against Hotmail accounts. No record count or sample data is provided in the visible portion of the post.
Date: 2026-05-16T16:33:36Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9C%85-hq-hotmail-hit-%E2%9C%85-303047
Screenshots:
None
Threat Actors: aurexopforu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of HQ combo list mix
Category: Combo List
Content: A threat actor is offering a combo list marketed as HQ Mix containing approximately 1,938 credential pairs. The post claims daily supply of 4,000–12,000 fresh and untouched credentials available through a private members-only network.
Date: 2026-05-16T16:33:15Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1938x-hq-mix-by-s2lender-txt
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed mail access combo list (14K credentials)
Category: Combo List
Content: A threat actor on DemonForums is sharing a mixed mail access combo list containing approximately 14,000 credentials. The content is hidden behind a registration or login wall. No specific targeted service or origin breach is identified.
Date: 2026-05-16T16:32:51Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-14K-MIXED-MAIL-ACCESS-GOODS
Screenshots:
None
Threat Actors: StrawHatBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: Mixed mail credentials with keyword targets
Category: Combo List
Content: A threat actor is distributing a combo list of 4,259 mixed email and password credentials on a cybercrime forum. The post includes a separate download for keyword-targeted credentials. No specific victim organization or country is identified.
Date: 2026-05-16T16:32:28Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9D%84%E2%9D%84-4259x-HQ-MIXED-MAILS-%E2%9D%84%E2%9D%84-KEYWORD-TARGETS–204328
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list targeting Hotmail accounts
Category: Combo List
Content: A threat actor shared a combo list of 2,020 Hotmail credentials, marketed as fresh. The content is hidden behind a registration or login wall on the forum.
Date: 2026-05-16T16:31:30Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-2020x-FRESH-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Nulled07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass defacement of Inkara online store by attacker lxrdk1773n
Category: Defacement
Content: On May 16, 2026, the attacker known as lxrdk1773n conducted a mass defacement campaign targeting store.inkara.co.id, an Indonesian e-commerce platform operating on a Linux server. The defacement was part of a broader mass defacement operation, with the mirror archived at haxor.id. No specific motive or team affiliation was disclosed.
Date: 2026-05-16T16:30:02Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249312
Screenshots:
None
Threat Actors: lxrdk1773n
Victim Country: Indonesia
Victim Industry: Retail / E-Commerce
Victim Organization: Inkara
Victim Site: store.inkara.co.id
Alleged data breach of SLPTEMATIKA.NET
Category: Data Breach
Content: A threat actor is offering for sale a 14GB+ database allegedly exfiltrated from slptematika.net, an Indonesian professional certification body. The dataset reportedly includes tens of thousands of personal records of assessees and assessors, private conversations, decrees, and company documents. The actor states this is a ransomware-related extortion action, with additional data to be released if ransom demands are not met.
Date: 2026-05-16T16:28:35Z
Network: openweb
Published URL: https://breached.st/threads/slptematika-net-database.87206/unread
Screenshots:
None
Threat Actors: Kyyzo
Victim Country: Indonesia
Victim Industry: Education
Victim Organization: LSP Tematika
Victim Site: slptematika.net
Alleged European combo list with 10,053 semi-valid credentials
Category: Combo List
Content: A threat actor has shared a combo list advertised as containing 10,053 semi-valid European email and password pairs. The list is marketed as suitable for credential stuffing or account access attempts. No specific target organization or service was identified.
Date: 2026-05-16T16:19:00Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-10-053-Semi-Valide-FA-Combolist-Europa-Good
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 21,000 fresh email access combo list
Category: Combo List
Content: A threat actor is sharing a combo list advertised as containing 21,000 fresh email credentials. The list is described as a mixed mail access collection. No further details are available from the post content.
Date: 2026-05-16T16:18:35Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-21K-FRESH-MAIL-ACCESS-MIX
Screenshots:
None
Threat Actors: Alpha70
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of email access combo list with 9,567 credentials
Category: Combo List
Content: A combo list containing 9,567 email and password combinations is being shared on a cracking forum. The credentials are described as semi-valid with full access. No specific victim organization or breach source is identified.
Date: 2026-05-16T16:18:14Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-9-567-Semi-Valide-FA-Mail-Access-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Crypto-Targeted Yahoo Combo List with 552,804 Lines
Category: Combo List
Content: A threat actor on a cracking forum is distributing a combo list of 552,804 email:password lines sourced from Yahoo accounts, marketed as targeting cryptocurrency users. No additional details are available from the post content.
Date: 2026-05-16T16:17:53Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-552-804-Lines-%E2%9C%85-Crypto-target-Combolist-Yahoo
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of discounted ChatGPT Plus subscription upgrades
Category: Services
Content: A forum seller is offering ChatGPT Plus one-month subscription upgrades for $7 with same-day activation, claiming the accounts are legally purchased. The seller disclaims responsibility for any misuse or policy violations by the buyer after delivery.
Date: 2026-05-16T16:17:09Z
Network: openweb
Published URL: https://cracked.st/Thread-Supreme-CHEAPEST-CHATGPT-UPGRADE-1MONTH-LEGAL-7
Screenshots:
None
Threat Actors: ChoDesign
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of discounted Amazon Prime Video subscription upgrade service
Category: Services
Content: A forum user is offering Amazon Prime Video 1-year subscription upgrades for $24.99, requiring customers to provide their Amazon account credentials. The service claims to be legal and delivers worldwide. The mechanism suggests possible unauthorized subscription manipulation or resale of fraudulently obtained Prime access.
Date: 2026-05-16T16:16:37Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%AD%90AMAZON-PRIME-VIDEO-1-YEAR%E2%AD%90UPGRADE-YOUR-ACCOUNT%E2%AD%90100-LEGAL%E2%9C%85FAST-DELIVERY%E2%AD%90ONLY-24-99
Screenshots:
None
Threat Actors: pollymydolly
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of damaged goods fraud video mentorship service
Category: Services
Content: A threat actor is selling a video mentorship course priced at €80–€100, limited to 5 customers, instructing buyers on how to fabricate damaged item videos from undamaged photos. The service is intended to facilitate refund fraud against retail stores by creating false evidence of damaged shipments.
Date: 2026-05-16T16:15:09Z
Network: openweb
Published URL: https://patched.to/Thread-v-i-p-101-dmg-video-mentorship-free-lifetime-update-easy-profit
Screenshots:
None
Threat Actors: Cows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of image and video damage (DMG) services
Category: Services
Content: A forum user is offering image and video damage (DMG) services at $15 for images and $30 for videos, with middleman accepted. No target organization or victim details are specified.
Date: 2026-05-16T16:14:30Z
Network: openweb
Published URL: https://patched.to/Thread-v-i-p-%E2%AD%90-dmg-image-video-%E2%AD%90unmatched-quality%E2%AD%90100-sr%E2%AD%90
Screenshots:
None
Threat Actors: Cows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged leak of 180,000 proxies from XSSF Russian hacking forum
Category: Data Leak
Content: IT ARMY OF RUSSIA forwarded a post from XSSF (Russian Hack Forum) announcing a leak of 180,000 proxies. The leaked proxies are shared via a forum link on xssf.is. This represents infrastructure that could be leveraged for malicious cyber activities including DDoS attacks, credential stuffing, and anonymized attack operations.
Date: 2026-05-16T16:13:57Z
Network: telegram
Published URL: https://t.me/xssf_forum/50
Screenshots:
None
Threat Actors: IT ARMY OF RUSSIA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: xssf.is
Sale of 1 million Czech email and password combo list
Category: Combo List
Content: A threat actor is sharing a combo list of 1 million Czech email address and password pairs on a cybercrime forum. The list is hosted on an external file-sharing platform. No specific breached organization is identified.
Date: 2026-05-16T16:13:33Z
Network: openweb
Published URL: https://breachforums.rs/Thread-1M-Combo-CZ-Email-Pass
Screenshots:
None
Threat Actors: zubicks
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 6,519 mail access credentials (EU/USA/UK)
Category: Combo List
Content: A threat actor has shared a combo list containing 6,519 email access credentials targeting users across the EU, USA, and UK. The content is gated behind registration or login on the forum.
Date: 2026-05-16T16:13:24Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-6-519-good-combo-mail-access-eu-usa-uk
Screenshots:
None
Threat Actors: cloudkaraoke
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of Hotmail credentials offered on forum
Category: Combo List
Content: A threat actor known as VerityVault is distributing a combo list containing 1,919 Hotmail credentials on a cybercrime forum. The content is gated behind registration or login. The named service is a credential-stuffing target, not the breach victim.
Date: 2026-05-16T16:12:53Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%EF%B8%8F-1919x-verity-vault-hotmail-drop-%E2%9A%A1%EF%B8%8F
Screenshots:
None
Threat Actors: VerityVault
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of 759 HQ Hotmail credentials
Category: Combo List
Content: A threat actor is sharing a combo list of 759 alleged high-quality Hotmail credentials on a cybercrime forum. The content is hidden behind a registration or login requirement. Hotmail is the credential-stuffing target, not the breach victim.
Date: 2026-05-16T16:12:39Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9D%84%E2%9D%84-759x-hq-premium-hotmails-%E2%9D%84%E2%9D%84
Screenshots:
None
Threat Actors: Lowza9
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Website Defacement of Indonesian Judicial Authority Site by Ushiromiya
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the handle Ushiromiya conducted a mass defacement campaign targeting the Indonesian Pengadilan Agama Padang (Padang Religious Court) web portal at panjar.pa-padang.go.id. The attacker successfully compromised the admin path of the Linux-hosted government subdomain. This incident was part of a broader mass defacement operation, with the defaced mirror archived on haxor.id.
Date: 2026-05-16T16:09:59Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249311
Screenshots:
None
Threat Actors: Ushiromiya, Ushiromiya
Victim Country: Indonesia
Victim Industry: Government – Judiciary
Victim Organization: Pengadilan Agama Padang (Padang Religious Court)
Victim Site: panjar.pa-padang.go.id
Combo List: 2,329 Hotmail credential hits
Category: Combo List
Content: A threat actor is sharing a combo list of 2,329 claimed valid Hotmail credentials, described as premium hits. The content is gated behind forum registration or login and is associated with a Telegram contact for further distribution.
Date: 2026-05-16T16:08:42Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-2329x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F
Screenshots:
None
Threat Actors: alphaxdd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged PII from moi.gov.eg (Egyptian Ministry of Interior – Tourism)
Category: Data Breach
Content: A threat actor on BreachForums is advertising the sale of personally identifiable information (PII) allegedly sourced from moi.gov.eg, the Egyptian Ministry of Interior, with data described as related to tourism. No further details regarding record count or data fields are available from the post.
Date: 2026-05-16T15:54:20Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-moi-gov-eg-for-Tourism-PII
Screenshots:
None
Threat Actors: Revesky
Victim Country: Egypt
Victim Industry: Government
Victim Organization: Egyptian Ministry of Interior
Victim Site: moi.gov.eg
Sale of Hotmail combo list
Category: Combo List
Content: A threat actor is offering a set of 666 Hotmail credentials marketed as private and fresh. The post directs interested parties to contact via Telegram. Content is gated behind registration or sign-in on the forum.
Date: 2026-05-16T15:51:28Z
Network: openweb
Published URL: https://crackingx.com/threads/75464/
Screenshots:
None
Threat Actors: KiwiShio
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of verified credit cards, dumps with PIN, and fraudulent payment transfers
Category: Carding
Content: A threat actor is offering verified credit cards with online access and balances ranging from $2,000 to $6,000, as well as dumps with PIN (Track 1/2) for in-store and ATM cashout. The seller also advertises fraudulent payment transfers via PayPal, Cash App, Zelle, and other platforms, along with carding tutorials and contact via Telegram and WhatsApp.
Date: 2026-05-16T15:48:28Z
Network: openweb
Published URL: https://altenens.is/threads/hello-everyone-am-honest-and-respectful-man-here-i-have-100-verified-cc-with-online-access-is-available-with-great-and-highly-balance-of-2000-to-600.2941426/unread
Screenshots:
None
Threat Actors: Caato
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ mixed credential combo list including Hotmail accounts
Category: Combo List
Content: A threat actor is offering a combo list of 4,188 claimed valid credentials described as a UHQ mixed combo including Hotmail accounts. The content is shared via a hidden forum link requiring registration or login, with contact directed to a Telegram handle.
Date: 2026-05-16T15:46:26Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1-X4188-Valid-UHQ-Mix-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 10 million URL:Log:Pass stealer log credentials
Category: Logs
Content: A threat actor is offering access to a private cloud containing approximately 10 million URL:LOG:PASS stealer log entries via a Telegram bot. The data is described as high quality and has been indexed in a ULP searcher database for rapid querying. Access to the full dataset is available for purchase through the actors Telegram service.
Date: 2026-05-16T15:45:25Z
Network: openweb
Published URL: https://cracked.st/Thread-10M-URL-LOG-PASS-%E2%9C%85-PRIVATE-%E2%AD%90%EF%B8%8F-HQ
Screenshots:
None
Threat Actors: LeakZero
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 10 million URL:Log:Pass stealer log credentials
Category: Logs
Content: A threat actor is selling access to a private cloud containing approximately 10 million URL:log:pass credentials described as high quality. The dataset is available via a Telegram bot and has been indexed in a ULP searcher database for rapid querying. A sample is offered to forum members who reply to the thread.
Date: 2026-05-16T15:45:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-10M-%F0%9F%94%A5-URL-LOG-PASS-%E2%9C%85-PRIVATE-%E2%AD%90%EF%B8%8F-HQ
Screenshots:
None
Threat Actors: LeakZero
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
VPN service offering based on Xray/VLESS with Reality bypass
Category: Services
Content: A forum user is advertising a commercial VPN service called INFOCROSS, built on Xray/VLESS with Reality bypass technology. The service is offered with multiple subscription plans and a partner/referral program, with promotional discounts available.
Date: 2026-05-16T15:44:24Z
Network: openweb
Published URL: https://breached.st/threads/vpn-on-xray-reality-that-actually-works-in-2026-infocross-deep-dive.87204/unread
Screenshots:
None
Threat Actors: gosee
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged US government classified documents including DOD, CIA, DHS, and intelligence agency reports
Category: Data Breach
Content: A threat actor is offering for sale alleged classified and sensitive US government documents, including military posture statements from AFRICOM and CENTCOM, Navy and Marine Corps budget documents, GAO reports, and Air Force testimony. The seller claims to have additional documents beyond the listed samples and is soliciting buyers via multiple messaging platforms. Escrow is accepted, and the actor claims access is not limited to US government data.
Date: 2026-05-16T15:42:59Z
Network: openweb
Published URL: https://breached.st/threads/usa-top-secret-dod-cia-dhs-court-dia-reports.87205/unread
Screenshots:
None
Threat Actors: mosad
Victim Country: United States
Victim Industry: Government
Victim Organization: US Department of Defense / CIA / DHS / DIA
Victim Site: Unknown
Combo List: Semi-Valid Email Access Credentials (8,712 Records)
Category: Combo List
Content: A threat actor shared a combo list containing 8,712 semi-validated email credentials, marketed as suitable for mail access. The list was distributed on a public forum at no specified cost.
Date: 2026-05-16T15:28:07Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-8-712-Semi-Valide-FA-Mail-Access-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list by threat actor s2lender
Category: Combo List
Content: Threat actor s2lender is offering a combo list of approximately 956 Hotmail credentials, marketed as high-quality and fresh. The post advertises daily supply of 4,000–12,000 credentials through a private members-only network with encrypted access.
Date: 2026-05-16T15:23:07Z
Network: openweb
Published URL: https://crackingx.com/threads/75458/
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List sample release targeting Hotmail accounts
Category: Combo List
Content: A threat actor shared a sample combo list of 1,425 Hotmail credentials on a cracking forum. The post provides a download link for the sample data, marketed for credential stuffing against Hotmail accounts.
Date: 2026-05-16T15:22:48Z
Network: openweb
Published URL: https://crackingx.com/threads/75459/
Screenshots:
None
Threat Actors: HollowKnight07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Jays Group of Companies by lxrdk1773n
Category: Defacement
Content: On May 16, 2026, the Australian business website of Jays Group of Companies was defaced by the threat actor lxrdk1773n. The attack targeted a Linux-based web server and resulted in unauthorized modification of the websites content. The incident was a standalone, non-mass defacement with no attributed team affiliation.
Date: 2026-05-16T15:22:37Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249310
Screenshots:
None
Threat Actors: lxrdk1773n
Victim Country: Australia
Victim Industry: Corporate / Business Services
Victim Organization: Jays Group of Companies
Victim Site: www.jaysgroupofcompanies.com.au
Sale of Hotmail account combo list
Category: Combo List
Content: A forum post advertises 950 Hotmail accounts, likely credentials marketed for credential stuffing. The thread appears sponsored by a proxy and SMS verification service.
Date: 2026-05-16T15:21:50Z
Network: openweb
Published URL: https://nulledbb.com/thread-X950-Hotmail-Accounts–2294941
Screenshots:
None
Threat Actors: EarlHickey
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed mail combo list
Category: Combo List
Content: A forum post in the cracking section advertises a mixed mail combo list of approximately 2,900 lines. The post appears to be sponsored by a proxy and SMS verification service. No further details about the source or content of the credentials are provided.
Date: 2026-05-16T15:21:30Z
Network: openweb
Published URL: https://nulledbb.com/thread-X2900-Mixed-Mail-Lines–2294942
Screenshots:
None
Threat Actors: EarlHickey
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Defacement of Indonesian Judicial Website by Ushiromiya
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Ushiromiya conducted a mass defacement campaign targeting the website of Pengadilan Agama Pemalang, an Indonesian religious court operating under the judiciary. The attack defaced a specific path on the site and was executed on a Linux-based server. This incident was part of a broader mass defacement operation attributed to the same actor.
Date: 2026-05-16T15:15:50Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249309
Screenshots:
None
Threat Actors: Ushiromiya, Ushiromiya
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Pengadilan Agama Pemalang (Pemalang Religious Court)
Victim Site: www.pa-pemalang.go.id
Website Defacement of Jays Group of Companies by lxrdk1773n
Category: Defacement
Content: On May 16, 2026, the homepage of Jays Group of Companies, an Australian business entity, was defaced by the threat actor lxrdk1773n. The attacker successfully compromised and altered the main page of the website in a targeted, non-mass defacement operation. No team affiliation, stated motive, or technical details regarding the server environment were disclosed.
Date: 2026-05-16T15:08:50Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923467
Screenshots:
None
Threat Actors: lxrdk1773n, No team
Victim Country: Australia
Victim Industry: Corporate/Business Services
Victim Organization: Jays Group of Companies
Victim Site: www.jaysgroupofcompanies.com.au
Alleged data breach of Adecco affecting 4,284,538 accounts
Category: Data Breach
Content: In March 2021, Adecco suffered a massive data breach exposing over 4 million customer records from South America. The compromised data included email addresses, genders, dates of birth, marital statuses, phone numbers, and bcrypt-hashed passwords. The breach was subsequently sold on hacking forums.
Date: 2026-05-16T15:06:04Z
Network: telegram
Published URL: https://t.me/c/1887244124/1640
Screenshots:
None
Threat Actors: Jokers world of Database 😈
Victim Country: Argentina
Victim Industry: Human Resources / Staffing
Victim Organization: Adecco
Victim Site: adecco.com
Sale of European mixed combo list with 10,833 credentials
Category: Combo List
Content: A European mixed combo list containing approximately 10,833 semi-validated email:password credential pairs was shared on a cracking forum. The list is described as partially validated and sourced from multiple European accounts. No specific breached organization is identified.
Date: 2026-05-16T15:02:51Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-10-833-Semi-Valide-FA-Europa-Mixed-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of Hotmail credentials
Category: Combo List
Content: A threat actor shared a combo list of 2,163 Hotmail email and password pairs on a cracking forum. The credentials are marketed as high quality (HQ). Hotmail is the credential-stuffing target, not the breach victim.
Date: 2026-05-16T15:02:32Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2163-HQ-Hotmail-%E2%9A%A1%E2%9A%A1-BY-Stevee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: steevee
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: 70,000 German Email Credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 70,000 German email credentials, marketed as mail access hits dated 16.05. The content is hidden behind a registration/login wall on the forum.
Date: 2026-05-16T15:02:11Z
Network: openweb
Published URL: https://patched.to/Thread-70k-germany-just-mail-access-16-05
Screenshots:
None
Threat Actors: CitronCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of Hotmail credentials
Category: Combo List
Content: A threat actor shared a combo list of 2,163 Hotmail credentials on a cracking forum. The list is offered as a free download and is marketed as high quality.
Date: 2026-05-16T15:01:42Z
Network: openweb
Published URL: https://crackingx.com/threads/75456/
Screenshots:
None
Threat Actors: stevee36
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of vigedo.de
Category: Data Breach
Content: A threat actor is selling an alleged database dump from vigedo.de, a German online retailer, containing approximately 110,000 records. The data is offered in CSV-SQL format and includes customer names, email addresses, birthdates, customer numbers, and MD5/bcrypt-hashed passwords. Sample records were provided as proof of validity.
Date: 2026-05-16T15:00:09Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-vigedo-de-Database-Germany110K
Screenshots:
None
Threat Actors: camillaDF
Victim Country: Germany
Victim Industry: Retail
Victim Organization: Vigedo
Victim Site: vigedo.de
Alleged Salesforce data breach affecting 35+ organizations including Toyota, FedEx, Disney, UPS, Home Depot by ShinyHunters
Category: Data Breach
Content: ShinyHunters threat actor claims to have obtained approximately 989.45 million to 1 billion+ records from Salesforce and is offering stolen data from 35+ major organizations for sale. Victims span multiple industries including automotive (Toyota, Stellantis), logistics (FedEx, UPS), retail (Home Depot, Gap, Saks Fifth Avenue), hospitality (Marriott, Disney/Hulu), airlines (Vietnam Airlines, Qantas, Air France/KLM), technology (Google Adsense, Cisco), and others. Data volumes range from 1GB to 172.96GB per organization.
Date: 2026-05-16T14:59:26Z
Network: telegram
Published URL: https://t.me/c/3500620464/7916
Screenshots:
None
Threat Actors: ShinyHunters
Victim Country: Unknown
Victim Industry: Multiple (SaaS, automotive, logistics, retail, hospitality, airlines, technology)
Victim Organization: Salesforce, Inc. and 35+ organizations
Victim Site: salesforce.com
Alleged data breach of Rocks & Gold jewelry store (Israel)
Category: Data Breach
Content: A threat actor is selling an alleged SQL database dump containing 3,500 customer records from Rocks & Gold, an Israeli boutique jewelry retailer. The dataset reportedly includes usernames, hashed passwords, full names, and email addresses. A proof screenshot was shared via an external file host.
Date: 2026-05-16T14:59:22Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Israel-3-500X-Customer-Pii-from-rocksandgold-co-il
Screenshots:
None
Threat Actors: BigBrother
Victim Country: Israel
Victim Industry: Retail
Victim Organization: Rocks & Gold
Victim Site: rocksandgold.co.il
Sale of stealer logs including Yahoo, Outlook, and mixed domain credentials
Category: Logs
Content: A threat actor is advertising a private cloud service offering fresh stealer logs on a daily basis, including Yahoo, Outlook, and mixed domain accounts. Free samples are available via a Telegram channel. The logs are described as updated daily.
Date: 2026-05-16T14:58:22Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%98%81%EF%B8%8FPrivate-Cloud-%E2%98%81%EF%B8%8F-Fresh-Logs-daily-yahoos-outlooks-and-mixed-domain
Screenshots:
None
Threat Actors: Heimdaller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Armenian residents database containing personal data
Category: Data Breach
Content: A threat actor is selling a database of Armenian residents containing phone numbers, first and last names, email addresses, and dates of birth for approximately 82,000 individuals. The data is claimed to be relevant as of May 15, 2026. The seller is asking $400 and can be contacted via Telegram.
Date: 2026-05-16T14:58:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Armenian-Residents-Database
Screenshots:
None
Threat Actors: c0mmandor
Victim Country: Armenia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged Western European healthcare sector PHI, PII, and source code
Category: Data Breach
Content: A threat actor is offering for sale over 500 GB of data allegedly sourced from the Western European healthcare sector, including professional, citizen, and clinical data, 200+ GB of source code, 1.5 million PHI documents, and private keys claimed to enable direct API queries to European Vaccination Card infrastructure. The seller states the data spans multiple countries and is seeking verified buyers via private message.
Date: 2026-05-16T14:57:35Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-PHI-Medical-Health-Buyer
Screenshots:
None
Threat Actors: cutecar
Victim Country: Unknown
Victim Industry: Healthcare
Victim Organization: Unknown
Victim Site: Unknown
Sale of 83K mixed fresh combo list
Category: Combo List
Content: A threat actor shared a combo list of approximately 83,000 mixed credentials via Pasteview, marketed as valid and fresh. The list appears to contain credentials from multiple sources and is being distributed freely on the forum.
Date: 2026-05-16T14:57:08Z
Network: openweb
Published URL: https://altenens.is/threads/83k-mixed-valid-fresh-combolist.2941380/unread
Screenshots:
None
Threat Actors: VegaM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Serbian Ministry of Interior (MUP) — Foreigners Office database
Category: Data Breach
Content: A threat actor claims to have breached the Serbian Ministry of Interior (MUP) Foreigners Office database, extracting approximately 180,000 records covering 150,000 foreign nationals and 30,000 Serbian citizens with data dated 2024–2026. Exposed fields reportedly include full names, JMBG (national ID numbers), passport numbers, visa IDs, application status, reason of stay, and additional personal details. The actor is offering the database for sale and has issued a ransom-style notice to Serbian
Date: 2026-05-16T14:56:58Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-RS-Foreigners-Citizen-Sector-180k-Police
Screenshots:
None
Threat Actors: vvvv
Victim Country: Serbia
Victim Industry: Government
Victim Organization: Serbian Ministry of Interior (MUP)
Victim Site: mup.gov.rs
Alleged data leak of Sirun (斯润) Technology companies following ransom refusal
Category: Data Leak
Content: A threat actor operating as SnowSoul has publicly leaked data allegedly belonging to two related Chinese technology companies — Sirun Hefei Technology and Sirun Tianlang (Beijing) Technology — after the victims purportedly refused to pay a $2,000 USD ransom. The leaked files reportedly include database files (MDF/LDF, approximately 500M records), spreadsheets containing bills of materials, personnel lists, production orders, procurement data, and financial records. Download links to the data h
Date: 2026-05-16T14:55:18Z
Network: openweb
Published URL: https://darkforums.su/Thread-Chinese-data-%E4%B8%AD%E5%9B%BD%E6%95%B0%E6%8D%AE-SnowSoul-ID-1314
Screenshots:
None
Threat Actors: SnowSoul
Victim Country: China
Victim Industry: Technology
Victim Organization: Sirun Hefei Technology Co., Ltd. / Sirun Tianlang (Beijing) Technology Co., Ltd.
Victim Site: Unknown
Sale of webshell access
Category: Initial Access
Content: A threat actor is offering a webshell for sale at a price of 400K (likely Indonesian Rupiah) via Telegram. No specific victim organization or domain is disclosed in the post.
Date: 2026-05-16T14:53:54Z
Network: openweb
Published URL: https://darkforums.su/Thread-WEBSHELL–76665
Screenshots:
None
Threat Actors: Y4nz404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Adobe Business platform and associated marketing services
Category: Data Leak
Content: A threat actor operating under the alias MDGhost666 claims to have leaked 832.87GB of data associated with business.adobe.com, purportedly covering 2025-2026. The post also references databases from associated marketing and email services including Sendgrid, HubSpot, MailGun, and MailJet, totaling millions of unique lines. The data appears to be made available for free distribution on a darknet forum.
Date: 2026-05-16T14:53:10Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-832-87GB-Business-adobe-com-leaked-2025-2026
Screenshots:
None
Threat Actors: MDGhost666
Victim Country: United States
Victim Industry: Enterprise Software
Victim Organization: Adobe
Victim Site: business.adobe.com
Request for B2B email database in large quantity
Category: Alert
Content: A forum user is requesting a large quantity of fresh B2B email databases. No specific target organization, country, or data volume is mentioned. This appears to be a procurement request rather than an active threat or sale.
Date: 2026-05-16T14:52:34Z
Network: openweb
Published URL: https://darkforums.su/Thread-I-need-Fresh-B2B-Email-database-in-Large-quantity
Screenshots:
None
Threat Actors: greena001
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Live Nation/Ticketmaster – 560 million customer records
Category: Data Breach
Content: Threat actor claiming to possess comprehensive database breach of Live Nation/Ticketmaster containing 560 million customer records with full personal details (name, address, email, phone), ticket sales history, event information, order details, credit card information (customer name, last 4 digits, expiration date), and fraud details. Total data volume approximately 1.3TB across multiple CSV and sales order files. Seller requesting $10,000 USD and providing contact methods via XMPP, Telegram, and email.
Date: 2026-05-16T14:49:36Z
Network: telegram
Published URL: https://t.me/c/3500620464/7912
Screenshots:
None
Threat Actors: shinycorpsh
Victim Country: United States
Victim Industry: Entertainment/Ticketing
Victim Organization: Live Nation Entertainment / Ticketmaster
Victim Site: ticketmaster.com
Alleged defacement of Thai government website (nongpo.go.th) by Lei$
Category: Defacement
Content: Thai government website nongpo.go.th reportedly defaced by threat actor Lei$. Defacement evidence provided via original URL and mirror link (zone-xsec.com). Post includes hashtags #FuckThai and #Defacement indicating malicious intent.
Date: 2026-05-16T14:45:39Z
Network: telegram
Published URL: https://t.me/c/2590737229/1065
Screenshots:
None
Threat Actors: Lei$
Victim Country: Thailand
Victim Industry: Government
Victim Organization: Nongpo (Thai Government)
Victim Site: nongpo.go.th
Alleged leak of Claude API tokens
Category: Data Leak
Content: A threat actor on a cracking forum is freely distributing what they claim to be 2 million Claude API tokens. The post offers a free sample and solicits community engagement in exchange for the data.
Date: 2026-05-16T14:44:32Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9D%A4%EF%B8%8F-CLAUDE-API-TOKENS-2-MILLION-AI-TOKIES-%E2%9D%A4%EF%B8%8F
Screenshots:
None
Threat Actors: JVZU
Victim Country: United States
Victim Industry: Technology
Victim Organization: Anthropic
Victim Site: anthropic.com
Combo List targeting AOL users
Category: Combo List
Content: A user on a cracking forum shared an AOL email and password combo list. The post contains minimal detail regarding record count or data origin. Users were cautioned not to leech the content without contributing.
Date: 2026-05-16T14:44:05Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-AOL–2094713
Screenshots:
None
Threat Actors: FlightUSA
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of email checker and IMAP viewer tool supporting Yahoo and Gmail
Category: Services
Content: A forum user is advertising Heimdallr, an email checker and IMAP viewer tool supporting Yahoo and Gmail with inboxing capabilities. The tool is offered for sale on a cracking forum, with exclusive discounts mentioned for a separate channel. No specific victim organization or breach is referenced.
Date: 2026-05-16T14:43:33Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9A%A1%EF%B8%8FHeimdallar-Email-checker-and-Imap-Viewer-Yahoo-Gmail-supported-Inboxing-supported
Screenshots:
None
Threat Actors: Heimdaller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of 200 million AT&T customer records including PII, financial data, and health information
Category: Data Breach
Content: Threat actor claiming to possess 200 million AT&T customer records allegedly breached on 6 May 2026. Data includes full PII (names, addresses, SSNs, DOBs), financial information (credit/debit cards, bank accounts, transaction history), credentials (usernames, password hashes, PINs), communication metadata, health/medical records, biometric data, and internal AT&T documents including business strategy, API keys, and system configurations. Seller requesting $10,000 USD and providing contact methods via XMPP, Telegram, and email.
Date: 2026-05-16T14:42:52Z
Network: telegram
Published URL: https://t.me/c/3500620464/7909
Screenshots:
None
Threat Actors: shinycorpsh
Victim Country: United States
Victim Industry: Telecommunications
Victim Organization: AT&T Corporation
Victim Site: att.com
Alleged sale of stolen payment cards, RDP access, and compromised accounts
Category: Initial Access
Content: Multiple threat actors operating in Squad Chat Marketplace advertising: (1) stolen credit card data with 100K+ daily updates at $0.01-$0.10 per card via Boss Shop; (2) RDP access to cloud infrastructure (Azure, AWS, DigitalOcean) for $200 daily/monthly rental; (3) compromised domain email accounts, Gmail, Yahoo accounts; (4) stolen GitHub Student accounts and subscription services (ChatGPT Plus, Claude, ElevenLabs Creator Plan). Boss Shop claims daily free card giveaways and operates on clearnet and Tor. Escrow services offered.
Date: 2026-05-16T14:41:16Z
Network: telegram
Published URL: https://t.me/c/2613583520/82923
Screenshots:
None
Threat Actors: Boss Shop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Israeli personally identifiable information
Category: Data Leak
Content: A threat actor has freely shared a sample dataset purportedly containing Israeli personally identifiable information, including names, national ID numbers, email addresses, physical addresses, and phone numbers. The post is politically motivated, referencing the Palestinian cause. The source organization of the data is not identified.
Date: 2026-05-16T14:35:38Z
Network: openweb
Published URL: https://breached.st/threads/israel-pii-mosad.87203/unread
Screenshots:
None
Threat Actors: 053o
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of 1.7 million URL:Login:Password credentials shared on cracking forum
Category: Combo List
Content: A threat actor shared a combo list containing approximately 1.7 million URL:login:password credential pairs on a cracking forum. The post references cloud and link services as targets, marketed as high-quality credentials. No specific organization is identified as the breach source.
Date: 2026-05-16T14:27:41Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-GETCLOUD-GETLINKS-HQ-URL-LOGIN-PASSWORD-1-7kk
Screenshots:
None
Threat Actors: Getpaid777
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of email access combo list with 9,948 credentials
Category: Combo List
Content: A threat actor shared a combo list containing approximately 9,948 semi-validated email and password credentials on a public forum. The post is categorized as a mail access combo list, suggesting the credentials are intended for use in credential stuffing or account takeover attempts against email services.
Date: 2026-05-16T14:27:05Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-9-948-Semi-Valide-FA-Mail-Access-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free release of mixed email:password combo list
Category: Combo List
Content: A threat actor shared a mixed email:password combo list containing approximately 2,850 credentials, marketed as fresh. No specific target organization or breach source was identified.
Date: 2026-05-16T14:26:43Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-2850x-FRESH-MIX-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Nulled07
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List targeting Hotmail accounts
Category: Combo List
Content: A threat actor has shared a combo list advertised as 384 Hotmail premium hits on a cybercrime forum. The content is hidden behind a registration or login requirement. These credentials are likely intended for credential stuffing or account takeover activity targeting Hotmail accounts.
Date: 2026-05-16T14:23:46Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%AD%90384x-hotmail-premium-hits%E2%9C%85%E2%AD%90
Screenshots:
None
Threat Actors: Psyho70244
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 4,891 credentials
Category: Combo List
Content: A forum user is sharing a combo list of 4,891 Hotmail credentials marketed as fresh UHQ (ultra-high quality). The content is gated behind registration or login on the forum.
Date: 2026-05-16T14:23:29Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-4-891x-fresh-hotmail-uhq-veen0m
Screenshots:
None
Threat Actors: ELJOKER1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of ali-altheeb.com by Threat Actor Zod
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Zod defaced the website ali-altheeb.com, targeting a specific page (zod.html) on a Linux-hosted server. The attack was a targeted single-page defacement rather than a mass or home page compromise. The incident was archived and mirrored via haxor.id.
Date: 2026-05-16T14:21:53Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249308
Screenshots:
None
Threat Actors: Zod, Zod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Ali Al-Theeb
Victim Site: ali-altheeb.com
Alleged data leak of Belambra.fr
Category: Data Leak
Content: A threat actor has freely distributed an alleged database dump from Belambra.fr, a French holiday villages and leisure clubs operator. The leaked data, shared in JSON format across multiple file-hosting platforms, includes reservation records, user credentials (hashed passwords), names, email addresses, and childrens personal details. The dataset reportedly comprises approximately 402,000 records across three JSON files totaling 77 MB.
Date: 2026-05-16T14:17:28Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-FR-402K-Belambra-fr
Screenshots:
None
Threat Actors: ChimeraZ
Victim Country: France
Victim Industry: Hospitality
Victim Organization: Belambra
Victim Site: belambra.fr
Combo List of 65,205 corporate email credentials for leads targeting
Category: Combo List
Content: A threat actor shared a combo list containing 65,205 email:password lines described as corporate mail credentials marketed as suitable for leads targeting. No specific victim organization or country is identified.
Date: 2026-05-16T14:06:51Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-65-205-Lines-%E2%9C%85-Corp-Mail-Good-For-leads-target
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of email:password combo list (mixed USA and Worldwide)
Category: Combo List
Content: A threat actor is selling a combo list of 550,000 email:password pairs described as mixed USA and worldwide. The listing is offered at a cheap price with no refund or replacement policy, but a test option is available.
Date: 2026-05-16T14:06:21Z
Network: openweb
Published URL: https://cracked.st/Thread-Supreme-WTS-GOOD-COMBOS-EMAIL-PASS–2094697
Screenshots:
None
Threat Actors: Reoza
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of PSN-targeted combo list (4 million records)
Category: Combo List
Content: A threat actor is offering a combo list of 4 million credentials marketed as targeted for PlayStation Network (PSN) account credential stuffing. The list is advertised via Telegram channels where free combos and tools are also distributed.
Date: 2026-05-16T14:03:00Z
Network: openweb
Published URL: https://crackingx.com/threads/75454/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 0.5K credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 500 Hotmail email account credentials on a combolist forum. The content is hidden behind a registration/login wall and requires user engagement to access. No further details about the data source or quality are available.
Date: 2026-05-16T14:02:37Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-0-5k-hotmail-mail-access-%E2%9C%85-303000
Screenshots:
None
Threat Actors: D47
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mix email combo list with 6,510 entries
Category: Combo List
Content: A threat actor shared a mixed email combo list containing 6,510 entries on a cybercrime forum. The content is hidden behind a login/registration wall. No specific victim organization or targeted service is identified.
Date: 2026-05-16T14:02:06Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%94%A5%F0%9F%94%A5-6510x-mix-mail-%F0%9F%94%A5%F0%9F%94%A5
Screenshots:
None
Threat Actors: NotSellerXd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Nikkou-Exp by Ng1ndex (Team D704T)
Category: Defacement
Content: On May 16, 2026, threat actor Ng1ndex operating under team D704T defaced the website nikkou-exp.com, uploading a defacement file at the path /pwn.txt. The incident was a targeted single-site defacement with no indication of mass or repeated compromise. The attackers motivation and server details remain unknown.
Date: 2026-05-16T14:01:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923445
Screenshots:
None
Threat Actors: Ng1ndex, D704T
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Nikkou Express
Victim Site: nikkou-exp.com
Combo List targeting Hotmail accounts with claimed 100% hit rate
Category: Combo List
Content: A threat actor is sharing a combo list claimed to have a 100% hit rate against Hotmail accounts, marketed as UHQ (ultra-high quality). The actual content is hidden behind a registration or login wall. No record count or additional details are available from the post.
Date: 2026-05-16T14:01:35Z
Network: openweb
Published URL: https://patched.to/Thread-%F0%9F%94%A5-fresh-hotmail-combo-100-hit-rate-uhq-%F0%9F%94%A5
Screenshots:
None
Threat Actors: VenerableDarl
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of tipi0905.jp by Ng1ndex (Team D704T)
Category: Defacement
Content: On May 16, 2026, the Japanese website tipi0905.jp was defaced by threat actor Ng1ndex, operating under the team D704T. The attacker uploaded a defacement file (pwn.txt) to the target server. The incident was a targeted single-site defacement with no further technical details such as vulnerability or server information disclosed.
Date: 2026-05-16T13:59:03Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923444
Screenshots:
None
Threat Actors: Ng1ndex, D704T
Victim Country: Japan
Victim Industry: Unknown
Victim Organization: Tipi0905
Victim Site: tipi0905.jp
Sale of Hotmail combo list marketed as high-quality credentials
Category: Combo List
Content: A threat actor is offering 380 high-quality Hotmail credentials, marketed as fresh and untouched, through a private members-only network. The post claims daily supply of 4,000–12,000 credentials optimized for credential stuffing or account takeover activity.
Date: 2026-05-16T13:46:57Z
Network: openweb
Published URL: https://crackingx.com/threads/75452/
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed domain combo list targeting shopping platforms
Category: Combo List
Content: A combo list containing approximately 1.65 million email and password pairs is being distributed, marketed as targeting shopping platforms across mixed domains.
Date: 2026-05-16T13:46:36Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1-650-715-Mixed-Domain-Shopping-target
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
Combo List targeting Hotmail accounts
Category: Combo List
Content: A forum user is sharing a combo list of 403 Hotmail credentials. The content is hidden behind a registration or login wall on the forum.
Date: 2026-05-16T13:44:33Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-403x%E2%9A%A1HOTMAIL%E2%9A%A1ACCESS%E2%9A%A1
Screenshots:
None
Threat Actors: RedHat29x
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Brazilian individuals personal records
Category: Data Leak
Content: A forum post on a combolist forum shares detailed personal information of a Brazilian individual, including full name, national ID (RG), tax ID (CPF), date of birth, address, phone numbers, email addresses, old passwords, and business registration (CNPJ). The data was posted publicly with no price indicated. The origin or source of the breach is not specified.
Date: 2026-05-16T13:41:45Z
Network: openweb
Published URL: https://breached.st/threads/leak-data-from-brazil.87202/unread
Screenshots:
None
Threat Actors: Deuteronomy3235
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 11 million combo list targeting Alibaba, Temu, AliExpress, and streaming services
Category: Combo List
Content: A threat actor is offering a combo list of 11 million credentials allegedly targeting Alibaba, Temu, AliExpress, and unspecified streaming services. The actor directs interested parties to a Telegram channel for access to the combo list and related tools. The post implies both free and paid distribution via Telegram groups.
Date: 2026-05-16T13:35:12Z
Network: openweb
Published URL: https://crackingx.com/threads/75445/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 8,000 alleged valid credentials
Category: Combo List
Content: A forum user posted a combo list of 8,000 alleged valid Hotmail credentials on a cracking forum. The content is gated behind registration. The credentials are marketed as fresh and valid.
Date: 2026-05-16T13:34:49Z
Network: openweb
Published URL: https://crackingx.com/threads/75450/
Screenshots:
None
Threat Actors: RandomUpload
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of HQ combo list targeting Germany
Category: Combo List
Content: A threat actor is offering a high-quality (HQ) mixed combo list of approximately 8,563 credentials purportedly associated with German users. The post advertises daily supply of 4,000–12,000 fresh credentials through a private members-only network.
Date: 2026-05-16T13:32:28Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-7563x-hq-mix-germany-by-s2lender-txt
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of HQ mix combo list with 15,129 credentials
Category: Combo List
Content: A threat actor is offering a high-quality mixed combo list containing 15,129 credential pairs via a private members-only network. The post advertises daily supply of 4,000–12,000 fresh credentials optimized for credential stuffing. The content is hidden behind forum registration or login.
Date: 2026-05-16T13:31:57Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-15129x-hq-mix-by-s2lender-txt
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list by threat actor s2lender
Category: Combo List
Content: A threat actor operating as s2lender is offering a combo list of 125 Hotmail credentials marketed as high quality and fresh. The seller advertises daily supply of 4,000–12,000 credentials described as untouched, with claims of private and encrypted access to their network.
Date: 2026-05-16T13:31:15Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-125x-hq-hotmail-by-s2lender-txt
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Federal Polytechnic Ede
Category: Data Breach
Content: A message forwarded from Pharaohs_Team channel references federalpolyede.edu.ng (Federal Polytechnic Ede, Nigeria) with a direct message request to the threat actor. This suggests a potential breach claim or data exfiltration by the Pharaohs_Team threat group targeting this Nigerian educational institution.
Date: 2026-05-16T13:30:57Z
Network: telegram
Published URL: https://t.me/Pharaoh_e/31
Screenshots:
None
Threat Actors: Pharaohs_Team
Victim Country: Nigeria
Victim Industry: Education
Victim Organization: Federal Polytechnic Ede
Victim Site: federalpolyede.edu.ng
Free distribution of URL:Log:Pass combo list with 8+ million lines
Category: Combo List
Content: A threat actor on a cybercrime forum is distributing a URL:Log:Pass combo list containing over 8 million lines as part of an ongoing free release series (part 346). The content is hidden behind a registration/login wall on the forum.
Date: 2026-05-16T13:30:44Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-url-log-pass-free-best-lines-8-million-lines-part-346
Screenshots:
None
Threat Actors: lexityfr
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list sample
Category: Combo List
Content: A threat actor is distributing a sample combo list of 1,075 Hotmail credentials on a forum. The content is gated behind registration or login. No further details about the datas origin are available.
Date: 2026-05-16T13:30:26Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%E2%9A%A1-1075x-sample-hotmail-%E2%9A%A1%E2%9A%A1-302991
Screenshots:
None
Threat Actors: Stevejobsxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential hits sorted by country
Category: Combo List
Content: A threat actor is sharing 137 alleged high-quality Hotmail credential hits, marketed as sorted by country and targeting inboxes. The content is gated behind registration or login on the forum. These credentials are intended for credential stuffing or inbox access, not indicative of a breach of Hotmail itself.
Date: 2026-05-16T13:30:09Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9D%84-137x-hq-hotmail-hits-%E2%9D%84-%F0%9F%94%8E-inboxes-targets-%F0%9F%94%8E-%F0%9F%8C%8Esorted-countries-%F0%9F%8C%8E
Screenshots:
None
Threat Actors: Lowza9
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list of 8.2 million URL:login:password credentials
Category: Combo List
Content: A threat actor shared a combo list containing approximately 8.2 million URL:login:password credential pairs, marketed as high quality. The data was distributed freely and attributed to MetaCloud.
Date: 2026-05-16T13:29:10Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-8-2M-%E2%9A%A1-URL-LOGIN-PASS-HQ-%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of URL:Log:Pass combo list with 10 million records
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 has freely distributed a URL:log:pass combo list containing approximately 10 million credential pairs. The list is marketed as targeting any service and is dated May 16, 2026. No specific victim organization or sector is identified.
Date: 2026-05-16T13:28:45Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%AD%90-10-MILLION-URL-LOG-PASS%E2%AD%90-16-05-2026-%E2%AD%90-NEW-ANY-TARGET
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of access to Federal Polytechnic Ede subdomains
Category: Initial Access
Content: Pharaohs_Team is offering access to 11 subdomains belonging to Federal Polytechnic Ede (federalpolyede.edu.ng), a Nigerian educational institution. The subdomains include critical systems such as student accounts, LMS, medical portal, and administrative systems. Each access is being sold individually at a price determined by @phteam_1. Domain authority (DA) and page authority (PA) metrics are provided for each subdomain.
Date: 2026-05-16T13:28:10Z
Network: telegram
Published URL: https://t.me/Pharaoh_e/30
Screenshots:
None
Threat Actors: Pharaohs_Team
Victim Country: Nigeria
Victim Industry: Education
Victim Organization: Federal Polytechnic Ede
Victim Site: federalpolyede.edu.ng
Alleged combo list of 14,788 semi-valid email credentials
Category: Combo List
Content: A threat actor shared a combo list containing approximately 14,788 email address and password pairs described as semi-valid. The list was posted on a public cracking forum and appears intended for credential stuffing or account access attempts.
Date: 2026-05-16T13:28:04Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-14-788-Semi-Valide-FA-Mail-Access-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo list with NFA and mail access
Category: Combo List
Content: A threat actor is offering a combo list advertised as UHQ quality with NFA (No Further Action) credentials and mail access for various sites. The seller requests buyers test before purchasing and directs interested parties to a Telegram contact.
Date: 2026-05-16T13:27:18Z
Network: openweb
Published URL: https://cracked.st/Thread-COMBO-NFA-AND-MAIL-ACCESS-ANY-SITE
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list with 364 hits
Category: Combo List
Content: A threat actor is distributing a combo list advertised as 364 premium Hotmail credential hits. The post includes a download link for the credentials. Hotmail is the credential-stuffing target, not the breach victim.
Date: 2026-05-16T13:26:08Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-364x-PREMIUM-HOTMAIL-HITS-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: He_Cloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Community Choice Credit Union
Category: Data Breach
Content: A threat actor is offering a database allegedly sourced from communitychoicecu.com containing over 1 million records of premium credit card members. The dataset purportedly includes card numbers, full names, issuing bank, card type, addresses, email addresses, and mobile numbers. The data is offered in CSV format and is focused on US-based clients in California.
Date: 2026-05-16T13:25:57Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-1M-communitychoicecu-com-Top-Credit-Card-Members
Screenshots:
None
Threat Actors: OxO
Victim Country: United States
Victim Industry: Finance
Victim Organization: Community Choice Credit Union
Victim Site: communitychoicecu.com
Alleged data breach of Shanghai National Police (SHGA.gov.cn)
Category: Data Breach
Content: A threat actor is selling data allegedly obtained from the Shanghai National Police, associated with the Chinese government domain shga.gov.cn. The seller claims the data is 100% real and provides a sample via an external paste link. Contact is facilitated through a Telegram channel.
Date: 2026-05-16T13:25:22Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Shanghai-National-Police
Screenshots:
None
Threat Actors: OxO
Victim Country: China
Victim Industry: Government
Victim Organization: Shanghai National Police
Victim Site: shga.gov.cn
Alleged data breach of Bank Saderat Iran
Category: Data Breach
Content: A threat actor is offering a database purportedly belonging to Bank Saderat Iran, containing over 63 million data rows. A sample has been shared via an external paste site, with contact directed through a Telegram channel.
Date: 2026-05-16T13:24:47Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Bank-Saderat-Iran-63-000-000
Screenshots:
None
Threat Actors: OxO
Victim Country: Iran
Victim Industry: Finance
Victim Organization: Bank Saderat Iran
Victim Site: banksaderat.ir
Alleged data leak of UAE investor database (30GB)
Category: Data Leak
Content: A threat actor is distributing a purported 30GB database containing UAE investor data. A sample has been made available via an external paste site. The post directs interested parties to a Telegram channel for further information.
Date: 2026-05-16T13:24:09Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-UAE-Investors-30GB
Screenshots:
None
Threat Actors: OxO
Victim Country: United Arab Emirates
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of US Chamber of Commerce members
Category: Data Breach
Content: A threat actor is offering for sale an alleged database of 34 million US Chamber of Commerce members via Telegram. The dataset purportedly includes full names, addresses, phone numbers, email addresses, dates of birth, gender, IP addresses, and asset class information in XLSX format. The actor claims the data was updated as of 2026.
Date: 2026-05-16T13:23:32Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Leak-of-34-million-US-Chamber-of-Commerce-Members-data–76719
Screenshots:
None
Threat Actors: OxO
Victim Country: United States
Victim Industry: Government
Victim Organization: US Chamber of Commerce
Victim Site: uschamber.com
Alleged data breach of Coinbase
Category: Data Breach
Content: A threat actor claims to be selling a database of approximately 1 million Coinbase user records. The alleged dataset includes personally identifiable information such as name, address, phone number, IP address, and gender, as well as financial data including deposit and withdrawal totals, transaction counts, and annual income. A sample has been posted to Pastebin.
Date: 2026-05-16T13:23:13Z
Network: openweb
Published URL: https://breached.st/threads/1m-coinbase-data.87199/unread
Screenshots:
None
Threat Actors: Meowl
Victim Country: United States
Victim Industry: Finance
Victim Organization: Coinbase
Victim Site: coinbase.com
Alleged data breach of Vandenborre (vandenborre.be)
Category: Data Breach
Content: A threat actor is selling an alleged dataset originating from vandenborre.be, a Belgian electronics retailer, comprising approximately 264,000 records. The dataset is structured across three sections — Contacts, Order History, and Support Tickets — containing personally identifiable information including names, email addresses, birthdates, job titles, phone numbers, billing/shipping addresses, payment methods, and customer support case details. The seller is offering the data for purchase via Te
Date: 2026-05-16T13:22:41Z
Network: openweb
Published URL: https://breached.st/threads/264k-belgium-https-www-vandenborre-be-customer-contacts-with-emails-job-titles-and-birthdates-dataset.87201/unread
Screenshots:
None
Threat Actors: Moelester
Victim Country: Belgium
Victim Industry: Retail
Victim Organization: Vandenborre
Victim Site: vandenborre.be
Alleged website defacement of manc.top by C10F./X404
Category: Defacement
Content: Threat actor C10F./X404, claiming affiliation with Defacer Indonesian Team, claims to have defaced manc.top. Defacement pages allegedly accessible at multiple URLs including the root domain and subdirectories.
Date: 2026-05-16T13:20:56Z
Network: telegram
Published URL: https://t.me/c/3755871403/496
Screenshots:
None
Threat Actors: C10F./X404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: manc.top
Victim Site: manc.top
Alleged data shared for doxing purposes
Category: Combo List
Content: A thread titled Data for doxing was posted on a combolist forum section, but no content is available for analysis. No further details can be determined from the post.
Date: 2026-05-16T13:14:02Z
Network: openweb
Published URL: https://breachforums.rs/Thread-Data-for-doxing
Screenshots:
None
Threat Actors: Deuteronomy3235
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Website Defacement of Indonesian Judicial Authority Site by Ushiromiya
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the handle Ushiromiya conducted a mass defacement campaign targeting the Indonesian Mempawah Religious Courts permit/licensing web portal (izin.pa-mempawah.go.id). The attack affected a Linux-based server and was part of a broader mass defacement operation. The defacement was archived and mirrored via haxor.id, a known defacement tracking platform.
Date: 2026-05-16T13:12:08Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249307
Screenshots:
None
Threat Actors: Ushiromiya, Ushiromiya
Victim Country: Indonesia
Victim Industry: Government – Judiciary
Victim Organization: Pengadilan Agama Mempawah (Mempawah Religious Court)
Victim Site: izin.pa-mempawah.go.id
Sale of HQ mix combo list by threat actor s2lender
Category: Combo List
Content: Threat actor s2lender is offering a high-quality mixed combo list containing approximately 140,240 credential pairs. The post advertises daily fresh supplies of 4,000–12,000 credentials through a private members-only network. The credentials are marketed as untouched and optimized for credential stuffing.
Date: 2026-05-16T13:09:05Z
Network: openweb
Published URL: https://crackingx.com/threads/75444/
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list distribution with over 7 million URL:login:password credentials
Category: Combo List
Content: A threat actor shared a free combo list containing over 7.1 million URL:login:password credential pairs, marketed as fresh. The list is formatted as ULP (URL:Login:Password) and distributed via a download link protected with a passphrase.
Date: 2026-05-16T13:07:49Z
Network: openweb
Published URL: https://nulledbb.com/thread-URL-LOGIN-PASS-16-05-26-Daily-Free-Lines-7-104-826-Fresh-Cloudberry-ULP
Screenshots:
None
Threat Actors: idsfgofdu213
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of 1 million ULP credentials
Category: Combo List
Content: A combo list of approximately 1 million username:login:password (ULP) credentials marketed as ultra-high quality (UHQ) and fresh was shared on the forum. No additional details about the targeted service or origin of the credentials were provided.
Date: 2026-05-16T13:07:09Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-1M-ULP-UHQ-FRESH
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: 970K UHQ Email:Password Credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 970,000 unique email and password pairs, marketed as high quality and fresh. The post was shared on a public cracking forum. No specific victim organization or target service was identified.
Date: 2026-05-16T13:06:36Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-970k-UHQ-ULP-FRESH
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mix Mail Combo List Including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live
Category: Combo List
Content: A threat actor shared a mixed mail combo list targeting multiple email providers including Hotmail, Outlook, AOL, GMX, Inbox, iCloud, and Live. The content is hidden behind a registration or login requirement. No additional details regarding record count or data format are available.
Date: 2026-05-16T13:05:15Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-mix-mail-combo-hotmail-outlook-aol-gmx-inbox-icloud-live-2026-5-13
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 17,000 entries across multiple regions
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 17,000 Hotmail credentials sourced from users across the USA, Europe, Asia, and Russia. The content is hidden behind a registration or login wall on the forum. No breach of a specific organization is claimed; the list appears intended for credential stuffing against Hotmail accounts.
Date: 2026-05-16T13:04:44Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-17-000x-hotmail-access-combo-usa-europe-asia-russian
Screenshots:
None
Threat Actors: Larry_Uchiha
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of NASA
Category: Data Leak
Content: A forum post on Breached claims a database leak of nasa.gov. No further details or content are available in the post to verify the claim or assess the scope of the alleged leak.
Date: 2026-05-16T13:02:45Z
Network: openweb
Published URL: https://breached.st/threads/nasa-gov-database-leak.87196/unread
Screenshots:
None
Threat Actors: MrLucxy
Victim Country: United States
Victim Industry: Government
Victim Organization: NASA
Victim Site: nasa.gov
Alleged website defacement of manc.top by Indonesian defacer group
Category: Defacement
Content: Indonesian defacer group C10F/X404 (Defacer Indonesian Team) claims responsibility for defacing manc.top and related pages. Defacement proof/shell allegedly hosted at wendao-ai.com. Multiple hashtags reference Brotherhood Capung Indonesia (BCI) and related defacer teams.
Date: 2026-05-16T13:00:53Z
Network: telegram
Published URL: https://t.me/brotheroodbci/139
Screenshots:
None
Threat Actors: C10F
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: manc.top
Victim Site: manc.top
Alleged free release of mixed combo list by FATETRAFFIC
Category: Combo List
Content: A forum user shared what appears to be a mixed combo list of 5,957 credentials, distributed as a bonus release attributed to FATETRAFFIC. The content is hidden behind a login/registration wall, limiting further verification of its contents or origin.
Date: 2026-05-16T12:49:15Z
Network: openweb
Published URL: https://patched.to/Thread-bonus-fatetraffic-5957-mix-15-05-2026
Screenshots:
None
Threat Actors: R0BIN1337
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of URL:Log:Pass combo list with 13.8 million records
Category: Combo List
Content: A threat actor operating as MetaCloud3 is distributing a combo list of 13.8 million URL:log:pass credentials, marketed as new and targeting any service. The post offers no additional details beyond a reference to the authors signature for further information.
Date: 2026-05-16T12:48:59Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%AD%90-13-8-MILLION-URL-LOG-PASS%E2%AD%90-16-05-2026-%E2%AD%90-NEW-ANY-TARGET
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List targeting Germany mail accounts
Category: Combo List
Content: A combo list purportedly containing 15,000 German email account credentials was shared on a cracking forum. No additional details are available from the post content.
Date: 2026-05-16T12:48:17Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%AD%9015K-GERMANY-MAIL-ACCESS-%E2%AD%90–2094668
Screenshots:
None
Threat Actors: Posts
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 12K Mixed Mail Access Combo List
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 12,000 mixed mail access credentials on a cybercrime forum. The content is hidden behind a registration or login requirement. No additional details about the source or composition of the credentials are available.
Date: 2026-05-16T12:47:53Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%9012k-mixed-mail-access-%E2%AD%90-302973
Screenshots:
None
Threat Actors: XLM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 15K Germany mail access combo list
Category: Combo List
Content: A threat actor is offering a combo list of approximately 15,000 German email account credentials on a cybercrime forum. The content is hidden behind a registration or login wall, limiting further details. The dataset is marketed as mail access credentials targeting Germany-based accounts.
Date: 2026-05-16T12:47:37Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%9015k-germany-mail-access-%E2%AD%90-302974
Screenshots:
None
Threat Actors: XLM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 26.2 million URL:Log:Pass combo list
Category: Logs
Content: A threat actor is distributing a collection of 26.2 million URL:log:pass entries, described as fresh and high-quality stealer log output. The post advertises the content as free with additional unwrapped bases available via Telegram or forum contact.
Date: 2026-05-16T12:32:48Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-26-2-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of 36.1 million URL:log:pass credential logs
Category: Logs
Content: A threat actor on Cracked.st has made available a collection of 36.1 million URL:log:pass entries, described as fresh UHQ stealer log output. The post markets the credentials as valid hits and directs interested parties to contact the author via Telegram or the forum for higher-quality unwrapped databases.
Date: 2026-05-16T12:31:19Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-36-1-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 32.4 million URL:login:password log credentials
Category: Logs
Content: A threat actor is distributing a dataset of 32.4 million URL:login:password entries described as fresh UHQ stealer log output. The post markets the credentials as valid hits suitable for a variety of uses. The actor also advertises private, unwrapped bases available via Telegram or the forum.
Date: 2026-05-16T12:31:00Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-32-4-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free release of 10.6 million URL:Log:Pass combo list
Category: Combo List
Content: A threat actor on Cracked.st has shared a combo list containing approximately 10.6 million URL:log:pass credential pairs, marketed as fresh and high-quality. The post describes the content as stealer log output suitable for credential stuffing across various services.
Date: 2026-05-16T12:30:42Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-10-6-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of 21.6 million URL:login:password stealer log credentials
Category: Logs
Content: A threat actor is freely distributing a collection of 21.6 million URL:login:password entries described as fresh UHQ stealer log output. The post markets the credentials as high quality and working, with additional unwrapped bases available via Telegram or forum contact.
Date: 2026-05-16T12:30:23Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-21-6-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Distribution of 9.6 million URL:log:pass credentials
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 is distributing a list of 9.6 million URL:log:pass credential pairs, marketed as new and targeting any service. The post references additional details available via the authors signature.
Date: 2026-05-16T12:30:02Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%AD%90-9-6-MILLION-URL-LOG-PASS%E2%AD%90-16-05-2026-%E2%AD%90-NEW-ANY-TARGET
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of 34.7 million URL:login:password stealer log credentials
Category: Logs
Content: A threat actor on a cracking forum is freely distributing a collection of 34.7 million URL:login:password entries described as UHQ (ultra-high quality) stealer log output. The post markets the credentials as fresh and working, and advertises premium unwrapped bases available via Telegram or forum contact.
Date: 2026-05-16T12:29:40Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-34-7-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free release of 34.1 million URL:Login:Password combo list
Category: Combo List
Content: A threat actor has freely shared a combo list containing 34.1 million URL:login:password entries, marketed as fresh and high-quality. The post promotes the credentials as suitable for credential stuffing across various services and advertises additional unwrapped databases available via Telegram.
Date: 2026-05-16T12:29:21Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-34-1-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of 12.8 million URL:Login:Password combo list
Category: Combo List
Content: A threat actor operating as MetaCloud3 has freely distributed a combo list containing approximately 12.8 million URL:login:password credential pairs. The post describes the data as high quality. No specific victim organization or sector is identified.
Date: 2026-05-16T12:29:03Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-12-8M-%E2%9A%A1-URL-LOGIN-PASS-HQ-%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of 29.6 million URL:log:pass credential logs
Category: Logs
Content: A threat actor is freely distributing a dataset of 29.6 million URL:log:pass entries, described as fresh UHQ stealer log output. The post markets the credentials as valid hits suitable for a wide range of uses, with higher-quality unwrapped bases available via Telegram or the forum.
Date: 2026-05-16T12:28:41Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-29-6-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free release of 14.7 million URL:log:pass credential logs
Category: Logs
Content: A threat actor on Cracked.st has shared a dataset of 14.7 million URL:log:pass entries, described as fresh UHQ stealer log output. The post markets the credentials as working and valid, with the actor also offering unwrapped bases via Telegram for purchase.
Date: 2026-05-16T12:28:22Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-14-7-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8–2094664
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of German combo list with 69,545 credentials
Category: Combo List
Content: A threat actor is offering a high-quality mixed combo list of 69,545 credentials targeting German accounts. The post advertises daily supply of 4,000–12,000 fresh credentials through a private, members-only network. The credentials are marketed as untouched and optimized for credential stuffing use.
Date: 2026-05-16T12:28:14Z
Network: openweb
Published URL: https://crackingx.com/threads/75443/
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of 22.4 million URL:login:password combo list
Category: Combo List
Content: A threat actor on a cracking forum is distributing a combo list containing approximately 22.4 million URL:login:password entries, marketed as fresh and high-quality. The post claims the credentials are valid and suitable for credential stuffing across multiple services. The actor also advertises premium unwrapped bases available via Telegram or the forum.
Date: 2026-05-16T12:28:02Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9C%A8-22-4-MILLION-URL-LOG-PASS-%E2%9C%A8-PRIVATE-%E2%9C%A8-BEST-FOR-EVERYTHING-%E2%9C%A8
Screenshots:
None
Threat Actors: ZoneX404
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of IRS tax payment phishing page
Category: Phishing
Content: A threat actor is offering for sale a phishing page impersonating the IRS tax payment portal. The kit harvests personal details including full name, address, SSN, and date of birth, as well as full payment card data including card number, expiration, and CVV2. The seller states that the captured data fields can be customized upon request.
Date: 2026-05-16T12:24:51Z
Network: openweb
Published URL: https://breached.st/threads/sell-irs-tax-payment-scampage.87192/unread
Screenshots:
None
Threat Actors: tgov02
Victim Country: United States
Victim Industry: Government
Victim Organization: Internal Revenue Service
Victim Site: irs.gov
Sale of forged legal documents, government email access, and domain takedown services
Category: Services
Content: A threat actor is selling a range of illicit services including forged legal documents (subpoenas, court orders, seizure warrants, MLAT requests) designed to impersonate law enforcement for Emergency Disclosure Requests, access to government email accounts across multiple countries, and a domain takedown method claimed to force administrative locks on target domains. Pricing ranges from $5 to $5,000 depending on the service or asset.
Date: 2026-05-16T12:12:35Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-SELLING-FORGED-COURT-ORDERS-DOMAIN-TAKEDOWNS-GOV-EMAILS-PRIVATE-EDR-ASSETS–188957
Screenshots:
None
Threat Actors: convince
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of education sector combo list with 145,223 lines
Category: Combo List
Content: A threat actor on a cracking forum is distributing a combo list containing 145,223 email:password lines targeting educational institutions. The list is described as a mixed-target education sector combolist. No further details are available from the post content.
Date: 2026-05-16T12:11:58Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-145-223-Lines-%E2%9C%85-Edu-education-Mixed-Target-Combolist
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Sale of 609K shopping combo list
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 609,000 email:password credential pairs advertised for use against shopping platforms. The post claims the list originates from a private base and is suitable for credential stuffing across various services.
Date: 2026-05-16T12:11:31Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9A%A1609K-SHOPPING%E2%9A%A1PRIVATE-BASE-GOOD-ON-ANYTHING-YOU-NEED%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list targeting MSN Outlook accounts (644K credentials)
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 644,000 MSN/Outlook email and password pairs, marketed as private data with many hits. The credentials are intended for credential stuffing against Microsoft email services.
Date: 2026-05-16T12:11:08Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E3%80%8C-644K-%E3%80%8D%E2%9A%A1-MSN-OUTLOOK-%E2%9A%A1-100-PRIVATE-DATA-%E2%9A%A1GOOD-QUALITY-AND-MANY-HITS%E2%9A%A1-16-05-26%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Twitter combo list of 698K credentials offered for free
Category: Combo List
Content: A threat actor operating under the alias MetaCloud3 has shared a combo list of approximately 698,000 email and password pairs marketed as a private base suitable for credential stuffing against Twitter. The post is categorized as a combo list and does not represent a breach of Twitter itself.
Date: 2026-05-16T12:10:44Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9A%A1698K-TWITTER%E2%9A%A1PRIVATE-BASE-GOOD-ON-ANYTHING-YOU-NEED%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list targeting DoorDash accounts
Category: Combo List
Content: A threat actor on a cracking forum is distributing a combo list of 573K email:password pairs marketed for use against DoorDash accounts. The post claims the credentials are private and of good quality with many hits. Per combo list conventions, DoorDash is the credential-stuffing target, not the breach source.
Date: 2026-05-16T12:10:20Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E3%80%8C-573K-%E3%80%8D%E2%9A%A1-DOORDASH-%E2%9A%A1-100-PRIVATE-DATA-%E2%9A%A1GOOD-QUALITY-AND-MANY-HITS%E2%9A%A1-16-05-26%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Reddit combo list with 757K credentials
Category: Combo List
Content: A threat actor is sharing a combo list marketed as containing 757,000 Reddit email:password credentials. The post describes the base as private and claims the credentials are usable across multiple services. Reddit is the credential-stuffing target, not necessarily the breach source.
Date: 2026-05-16T12:09:00Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9A%A1757K-REDDIT%E2%9A%A1PRIVATE-BASE-GOOD-ON-ANYTHING-YOU-NEED%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of 1.5 million URL:log:pass credentials
Category: Combo List
Content: A threat actor shared a Mega.nz link containing approximately 1.5 million URL:log:pass credential pairs, described as stealer log output. The data was made available freely on a cracking and combolist forum.
Date: 2026-05-16T12:07:40Z
Network: openweb
Published URL: https://crackingx.com/threads/75441/
Screenshots:
None
Threat Actors: WashingtonDC
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of France combo list with 10,000 credentials
Category: Combo List
Content: A forum member is distributing a combo list purportedly containing 10,000 credentials associated with French users. No additional details about the targeted services or data fields are available from the post content.
Date: 2026-05-16T11:55:00Z
Network: openweb
Published URL: https://cracked.st/Thread-10k-France-Private-Combolist
Screenshots:
None
Threat Actors: BygBB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list targeting PlayStation and Xbox accounts
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 535,000 email:password credentials marketed for use against PlayStation and Xbox accounts. The post claims the data is private and of good quality with many hits. No breach of PlayStation or Xbox infrastructure is claimed.
Date: 2026-05-16T11:54:40Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E3%80%8C-535K-%E3%80%8D%E2%9A%A1-PLAYSTAION-XBOX-%E2%9A%A1-100-PRIVATE-DATA-%E2%9A%A1GOOD-QUALITY-AND-MANY-HITS%E2%9A%A1-16-05-26%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed combo list with 15,000 credentials
Category: Combo List
Content: A threat actor posted a mixed combo list containing approximately 15,000 credential pairs on a cracking forum. The list is described as private. No additional details about the targeted services or data origins are available.
Date: 2026-05-16T11:53:08Z
Network: openweb
Published URL: https://cracked.st/Thread-15k-Mix-Private-Combolist
Screenshots:
None
Threat Actors: BygBB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo list targeting Nike.com with 531K credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 531,000 email and password pairs described as a private base suited for credential stuffing against Nike.com. The post claims the credentials are effective for various purposes. Nike.com is the targeted service, not the breach source.
Date: 2026-05-16T11:52:49Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9A%A1531K-NIKE-COM%E2%9A%A1PRIVATE-BASE-GOOD-ON-ANYTHING-YOU-NEED%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of RDP access and compromised accounts
Category: Initial Access
Content: Threat actor offering rental of RDP access to Azure, AWS, and DigitalOcean instances at $200, along with compromised domain email accounts, Gmail, Yahoo accounts, GitHub Student accounts, and stolen subscription credentials (ChatGPT Plus, Claude, ElevenLabs Creator Plan). Services offered on daily/monthly rental basis with escrow protection.
Date: 2026-05-16T11:51:48Z
Network: telegram
Published URL: https://t.me/c/2613583520/82840
Screenshots:
None
Threat Actors: PORTAL
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List targeting Hotmail
Category: Combo List
Content: A threat actor shared a combo list of approximately 600 Hotmail credentials marketed as fresh hits validated on 16.05. The content is restricted to registered forum users.
Date: 2026-05-16T11:50:21Z
Network: openweb
Published URL: https://crackingx.com/threads/75440/
Screenshots:
None
Threat Actors: MailAccesss
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Japan mix email combo list
Category: Combo List
Content: A combo list of approximately 1,900 Japan-based email and password combinations is being shared on a cracking forum. The list is described as UHQ (ultra-high quality). No additional details about the source or target service are available.
Date: 2026-05-16T11:49:18Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1-9K-UHQ-JAPAN-MIX-MAILS
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of Hotmail credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 4,000 Hotmail credentials, marketed as high-quality hits. The list appears intended for credential stuffing or account takeover activity against Hotmail accounts.
Date: 2026-05-16T11:48:58Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-4K-HQ-HOTMAIL-HITS
Screenshots:
None
Threat Actors: SOMUCHCOM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List targeting Eneba and G2A credential stuffing
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 621,000 email:password pairs marketed as a private base suitable for credential stuffing against Eneba and G2A platforms. The post was shared on a public cracking forum by the user MetaCloud3.
Date: 2026-05-16T11:48:38Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9A%A1621K-ENEBA-G2A%E2%9A%A1PRIVATE-BASE-GOOD-ON-ANYTHING-YOU-NEED%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list targeting Hotmail accounts
Category: Combo List
Content: A threat actor shared a combo list of 100,000 claimed valid Hotmail credentials via an external paste platform. The list is distributed freely on the forum.
Date: 2026-05-16T11:47:35Z
Network: openweb
Published URL: https://altenens.is/threads/100k-valid-hotmail-txt.2941343/unread
Screenshots:
None
Threat Actors: Vekko
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Indonesian Religious Court (PA Cibinong) by Ushiromiya
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Ushiromiya defaced the admin panel of the Pengadilan Agama Cibinong (Cibinong Religious Court) web application hosted on a Linux server. The targeted subdomain panjar.pa-cibinong.go.id is associated with an Indonesian government judicial institution under the .go.id domain. The incident was a targeted single-site defacement with a mirror archived on haxor.id.
Date: 2026-05-16T11:44:29Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249306
Screenshots:
None
Threat Actors: Ushiromiya, Ushiromiya
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Pengadilan Agama Cibinong (PA Cibinong Religious Court)
Victim Site: panjar.pa-cibinong.go.id
Combo list targeting music streaming services distributed on forum
Category: Combo List
Content: A threat actor distributed a combo list of approximately 639,000 credential pairs marketed as a private base suitable for music streaming services. The post advertises the data as usable for credential stuffing across multiple services.
Date: 2026-05-16T11:38:21Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1639k-music%E2%9A%A1private-base-good-on-anything-you-need%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
USA Hotmail combo list with 802K credentials
Category: Combo List
Content: A threat actor is sharing a combo list of approximately 802,000 USA Hotmail credentials, marketed as private and high-quality with many hits. The post is associated with a combo cloud service offering affordable access to credential data.
Date: 2026-05-16T11:37:50Z
Network: openweb
Published URL: https://patched.to/Thread-%E3%80%8C-802k-%E3%80%8D%E2%9A%A1-usa-hotmail-%E2%9A%A1-100-private-data-%E2%9A%A1good-quality-and-many-hits%E2%9A%A1-16-05-26%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail combo list of 2,500 credentials offered
Category: Combo List
Content: A threat actor is distributing a combo list advertised as 2,500 UHQ Hotmail hits. The credentials are shared freely with additional private access available for purchase via Telegram handle @window_linux01.
Date: 2026-05-16T11:37:28Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9C%85-2-5k-uhq-hotmail-hit-%E2%9C%85
Screenshots:
None
Threat Actors: aurexopforu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail combo list allegedly containing 666K credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 666,000 Hotmail credentials, described as a private base suitable for credential stuffing. The post is gated behind registration or login on the forum.
Date: 2026-05-16T11:36:57Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9A%A1666k-hotmail%E2%9A%A1private-base-good-on-anything-you-need%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo list targeting Roblox and Minecraft accounts
Category: Combo List
Content: A threat actor is offering a combo list of approximately 560,000 credentials marketed as targeting Roblox and Minecraft accounts, advertised as private data with high hit rates. The post is dated May 16, 2026, and is associated with a self-described combo cloud service offering affordable access to credential data.
Date: 2026-05-16T11:36:21Z
Network: openweb
Published URL: https://patched.to/Thread-gaming-%E3%80%8C-560k-%E3%80%8D%E2%9A%A1-roblox-minecraft-%E2%9A%A1-100-private-data-%E2%9A%A1good-quality-and-many-hits%E2%9A%A1-16-05-26%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Office365 combo list of 740K credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 740,000 credentials marketed as suitable for use against Office365 services. The post describes the data as sourced from a private base. The author promotes a broader combo cloud service offering additional credential sets.
Date: 2026-05-16T11:35:50Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9A%A1740k-office365%E2%9A%A1private-base-good-on-anything-you-need%E2%9A%A1
Screenshots:
None
Threat Actors: MetaCloud3
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of carding full course including clone card techniques
Category: Carding
Content: A threat actor is selling a carding course priced at $140 (BTC/USDT) covering topics such as clone card creation using Track1/Track2 data and card cashing techniques. The course is advertised as a comprehensive guide for conducting carding operations globally.
Date: 2026-05-16T11:34:35Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Carding-Full-Course-NEW-2026
Screenshots:
None
Threat Actors: Darkode1
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of FortiSSL IP list with 50,000 entries
Category: Services
Content: A threat actor is offering a list of 50,000 FortiSSL IP addresses with port and geolocation data, claiming the data was gathered using proprietary mass-scanning servers rather than third-party tools such as Fofa or Shodan. The data is provided in the format https://ip:port,GEO and hosted on an external file-sharing link.
Date: 2026-05-16T11:33:23Z
Network: openweb
Published URL: https://tier1.life/thread/236
Screenshots:
None
Threat Actors: AccessTracker
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ Hotmail combo list
Category: Combo List
Content: A forum post advertises a combo list of 333 purported high-quality (UHQ) Hotmail credentials. No further details are available as the post content is empty.
Date: 2026-05-16T11:30:59Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-X333-UHQ-HOTMAILS
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of mail access credentials and infostealer logs by DataxLogs and EngineeringPhantom
Category: Logs
Content: Threat actors advertising mail access credentials and infostealer logs (combo lists, configs, scripts, tools) for multiple countries including FR, BE, AU, CA, UK, US, NL, PL, DE, and JP. Posts claim proof/live testing available. Contact handles: @DataxLogs and @EngineeringPhantom.
Date: 2026-05-16T11:30:21Z
Network: telegram
Published URL: https://t.me/c/2613583520/82817
Screenshots:
None
Threat Actors: DataxLogs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 37K email access combo list targeting USA, EU, Asia, and Russia
Category: Combo List
Content: A threat actor is offering a combo list of approximately 37,000 email credentials spanning USA, EU, Asia, and Russia, marketed as fully valid mail access. The content is paywalled behind registration or login on the forum, with the seller directing buyers to their storefront at megacloudshop.top.
Date: 2026-05-16T11:29:07Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-37K-Usa-EU-Asia-Ru-Full-Valid-Mail-Access-16-05
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of arbiko.pl
Category: Data Leak
Content: A threat actor group identified as Org1877 claims to have dumped the database of arbiko.pl and is freely distributing it to forum members. The leaked data allegedly includes first and last names, email addresses, and passwords (potentially hashed).
Date: 2026-05-16T11:26:40Z
Network: openweb
Published URL: https://breached.st/threads/arbiko-pl-databases.87189/unread
Screenshots:
None
Threat Actors: org1877
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Arbiko
Victim Site: arbiko.pl
Sale of 70K German email access combo list
Category: Combo List
Content: A threat actor is offering a combo list of approximately 70,000 German email credentials marketed as fully valid mail access. The content is hidden behind a registration/login gate and linked to an external store at megacloudshop.top.
Date: 2026-05-16T11:11:15Z
Network: openweb
Published URL: https://demonforums.net/Thread-70K-Germay-Full-Valid-Mail-Access-Just-top-Quality-16-05
Screenshots:
None
Threat Actors: MegaCloudshop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website defacement of Indonesian National Narcotics Agency (BNN) by Obelix1337 of Midas Haxor Team
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Obelix1337, affiliated with Midas Haxor Team, defaced a subdomain of the Indonesian National Narcotics Agency (BNN) at sin.bnn.go.id. The defacement targeted a specific page (ft.html) rather than the homepage, indicating a targeted intrusion into the Indonesian governments drug enforcement agency web infrastructure. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-16T11:10:42Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249305
Screenshots:
None
Threat Actors: Obelix1337, Midas Haxor Team
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Badan Narkotika Nasional (BNN) – National Narcotics Agency of Indonesia
Victim Site: sin.bnn.go.id
Free combo list of 70K German email credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 70,000 German email credentials, described as fully valid mail access. The list is gated behind a reply requirement and is marketed as high quality, dated May 16.
Date: 2026-05-16T11:10:33Z
Network: openweb
Published URL: https://altenens.is/threads/70k-germay-full-valid-mail-access-just-top-quality-16-05.2941329/unread
Screenshots:
None
Threat Actors: Megacloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Hospital Universitario Nacional de Colombia
Category: Data Leak
Content: A threat actor claims to have dumped 8 databases and 197 tables from Hospital Universitario Nacional de Colombia, reportedly extracted on 2026-05-02 with 5 active admin sessions. The dump allegedly includes REDCap clinical research data with 2FA secrets, pharmacy records with plaintext credentials (10,000+ entries), full PII for 583 employees, and a WordPress multisite intranet with API keys. phpMyAdmin root access is also claimed to have been confirmed.
Date: 2026-05-16T11:09:03Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-COLLECTION-Hospital-Universitario-Nacional-de-Colombia-hun-edu-co-%E2%80%93-Full-Dump
Screenshots:
None
Threat Actors: macaroni
Victim Country: Colombia
Victim Industry: Healthcare
Victim Organization: Hospital Universitario Nacional de Colombia
Victim Site: hun.edu.co
Website Defacement of samplebaz.com by 0xSHALL of FOURSDEATH TEAM
Category: Defacement
Content: On May 16, 2026, threat actor 0xSHALL, operating under the group FOURSDEATH TEAM, defaced the website samplebaz.com, targeting the page at /zxc.html. The incident was a targeted single-page defacement, not classified as a mass or home page defacement. Server and infrastructure details remain unknown, and no specific motive was disclosed.
Date: 2026-05-16T11:07:50Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923129
Screenshots:
None
Threat Actors: 0xSHALL, FOURSDEATH TEAM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: samplebaz.com
Mass Website Defacement of e-UMKM Kediri by Irene of XmrAnonye.id
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Irene operating under the group XmrAnonye.id conducted a mass defacement attack against e-umkmkediri.com, a platform supporting small and medium enterprises (UMKM) in Kediri, Indonesia. The defacement was hosted at a dedicated path on the target domain and is part of a broader mass defacement campaign. The compromised server runs on a Linux operating system, and a mirror of the defacement has been archived at haxor.id.
Date: 2026-05-16T11:00:41Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249304
Screenshots:
None
Threat Actors: Irene, XmrAnonye.id
Victim Country: Indonesia
Victim Industry: Small and Medium Enterprises / Government Services
Victim Organization: e-UMKM Kediri
Victim Site: e-umkmkediri.com
Free distribution of 2.5 million URL:Login:Password combo list
Category: Combo List
Content: A threat actor operating under the alias KURZL0GS has leaked a private combo list containing approximately 2.5 million URL:login:password credential pairs. The dataset is described as UHQ (ultra-high quality) and was made available for free on the cracked.st forum.
Date: 2026-05-16T10:57:16Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9A%A1-2-5M-URL-LOG-PASS-PRIVATE-UHQ-BY-KURZL0GS-16-05-2026%E2%9A%A1
Screenshots:
None
Threat Actors: KURZL0GS
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of USA fullz with personal information
Category: Carding
Content: A threat actor is selling US fullz packages containing full name, email, SSN, drivers license, and other personal information. The seller claims limited stock described as UHQ (ultra-high quality).
Date: 2026-05-16T10:56:31Z
Network: openweb
Published URL: https://cracked.st/Thread-Supreme-Selling-USA-Fullz-w-Full-Information
Screenshots:
None
Threat Actors: Nedz
Victim Country: United States
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of debit cards, bank logs, and fullz on cybercrime forum
Category: Carding
Content: A threat actor is advertising the sale of debit cards, bank logs, and fullz (full identity records) via Telegram. No specific victim organization or record count is disclosed. The seller directs prospective buyers to a Telegram channel.
Date: 2026-05-16T10:55:22Z
Network: openweb
Published URL: https://altenens.is/threads/hmu-call-me-hand-fa-debit-cards-credit-card-bank-logs-fullz-identification-card-telegram-yunginsbucks-come-money-ready-no-bad-business-over-here-channel-https-t-me-sudbyw.2941324/unread
Screenshots:
None
Threat Actors: modajad205
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of compromised mail access and credential lists by DataxLogs
Category: Initial Access
Content: Threat actor DataxLogs is advertising mail access availability across multiple countries (France, Belgium, Australia, Canada, UK, US, Netherlands, Poland, Germany, Japan) along with configs, scripts, tools, hits, and combo lists. Multiple posts indicate active marketing of initial access and credential materials.
Date: 2026-05-16T10:51:44Z
Network: telegram
Published URL: https://t.me/c/2613583520/82789
Screenshots:
None
Threat Actors: DataxLogs
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of embiz.co by 0xSHALL of FOURSDEATH TEAM
Category: Defacement
Content: On May 16, 2026, a threat actor identified as 0xSHALL, operating under the group FOURSDEATH TEAM, defaced a page on embiz.co. The defacement targeted a specific page (zxc.html) rather than the homepage, indicating a targeted single-page intrusion. No specific motive or technical details regarding the attack vector were disclosed.
Date: 2026-05-16T10:34:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923128
Screenshots:
None
Threat Actors: 0xSHALL, FOURSDEATH TEAM
Victim Country: Unknown
Victim Industry: Business Services
Victim Organization: Embiz
Victim Site: embiz.co
Sale of SONY mixed combo list
Category: Combo List
Content: A threat actor is offering a mixed combo list advertised as suitable for Sony platforms, containing approximately 2 million credential pairs. The list is promoted as UHQ (ultra-high quality) and is available via Telegram.
Date: 2026-05-16T10:33:44Z
Network: openweb
Published URL: https://crackingx.com/threads/75435/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Edu Combo List with 117,532 Credentials
Category: Combo List
Content: A combo list advertised as fresh and targeting educational accounts was shared on a cracking forum. The list reportedly contains 117,532 email and password pairs. No additional details about the source or verification method are available.
Date: 2026-05-16T10:32:38Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-117-532-%E2%9A%9C%EF%B8%8F-Good-Edu-Fresh-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Combo List: France email access credentials (2.8K)
Category: Combo List
Content: A threat actor shared a combo list of approximately 2,800 French email access credentials on a forum. The content is hidden behind registration or login, limiting further detail. The post is categorized as a combo list targeting French mail accounts.
Date: 2026-05-16T10:31:29Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%AD%902-8k-france-mail-access-%E2%AD%90
Screenshots:
None
Threat Actors: XLM
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of European combo list by threat actor s2lender
Category: Combo List
Content: Threat actor s2lender is offering a European combo list containing approximately 11,720 credential pairs, marketed as high quality and fresh. The seller claims daily supply of 4,000–12,000 credentials optimized for credential stuffing. Access appears to be restricted to registered forum members.
Date: 2026-05-16T10:30:58Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-1172x-hq-mix-europe-by-s2lender-txt
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Indonesian Court Library by Ushiromiya
Category: Defacement
Content: The library website of Pengadilan Agama Maros, an Indonesian religious court institution, was defaced by the attacker known as Ushiromiya. This incident is classified as a redefacement, indicating the site had been previously compromised. The attack targeted a Linux-based server hosting the courts library subdomain under the official Indonesian government domain.
Date: 2026-05-16T10:27:00Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249303
Screenshots:
None
Threat Actors: Ushiromiya, Ushiromiya
Victim Country: Indonesia
Victim Industry: Government
Victim Organization: Pengadilan Agama Maros (Maros Religious Court) Library
Victim Site: perpustakaan.pa-maros.go.id
Website Defacement of IIFSE India by Ruiixh4xor (SHENHAXSEC)
Category: Defacement
Content: On May 16, 2026, the attacker Ruiixh4xor, operating under the team SHENHAXSEC, defaced the homepage of IIFSE India (www.iifseindia.in), an Indian financial services education institute. The incident was a targeted single-site homepage defacement, with the mirror archived on zone-xsec.com. No specific motive or server details were disclosed.
Date: 2026-05-16T10:24:54Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923127
Screenshots:
None
Threat Actors: Ruiixh4xor, SHENHAXSEC
Victim Country: India
Victim Industry: Education / Financial Services
Victim Organization: Indian Institute of Financial Services Education (IIFSE India)
Victim Site: www.iifseindia.in
Sale of HQ Hotmail combo list
Category: Combo List
Content: A threat actor is offering 251 high-quality Hotmail credentials, marketed as fresh and untouched. The post advertises daily supply of 4,000–12,000 credentials with claims of private, encrypted access for members.
Date: 2026-05-16T10:15:00Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-251x-hq-hotmail-by-s2lender-txt
Screenshots:
None
Threat Actors: s2lender
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list of Hotmail credentials
Category: Combo List
Content: A threat actor is distributing 1,919 purported Hotmail credential hits described as premium and valid. The content is hidden behind a registration or login requirement on the forum. These credentials appear to be the result of credential stuffing or prior breach aggregation, not a breach of Hotmail itself.
Date: 2026-05-16T10:10:57Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F-1919x-PREMIUM-HOTMAIL-HITS-%E2%9D%84%EF%B8%8F%E2%9D%84%EF%B8%8F
Screenshots:
None
Threat Actors: alphaaxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail combo list freely shared by threat actor
Category: Combo List
Content: A threat actor posted a Hotmail combo list on a leak forum, described as private and fresh, checked by the same user. The content is hidden behind a login/registration wall and requires a like to unlock, suggesting free distribution to forum members.
Date: 2026-05-16T10:10:34Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9A%A1%E2%9A%A1HOTMAIL%E2%9A%A1%E2%9A%A1PRIVATE%E2%9A%A1%E2%9A%A1FRESH%E2%9A%A1%E2%9A%A1CHEKED-BY-klyne05-%E2%9A%A1%E2%9A%A1–20724
Screenshots:
None
Threat Actors: klyne05
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of CSI India (csi-india.org)
Category: Data Leak
Content: A threat actor operating under the alias MR ELANG XPLOIT, claiming affiliation with Cyber Team Indonesia, has freely distributed an alleged database dump from csi-india.org via a MediaFire link. The leak was posted on a public forum with no price indicated.
Date: 2026-05-16T10:08:19Z
Network: openweb
Published URL: https://breached.st/threads/leaks-database-csi-indian.87188/unread
Screenshots:
None
Threat Actors: MR ELANG XPLOIT
Victim Country: India
Victim Industry: Unknown
Victim Organization: CSI India
Victim Site: csi-india.org
Alleged data breach of Egypt Professional Academy for Teachers
Category: Data Breach
Content: A threat actor is offering for sale an alleged dataset pertaining to Egypts Professional Academy for Teachers, claiming to possess data on approximately 1.2 million teachers (including 200K Azhar teachers), STEM student records, 3,500 teacher images, Microsoft Access files, and MSSQL backups totaling over 80GB uncompressed. The seller states the target website is currently down and provides image-based proof samples. Contact and pricing are shared privately.
Date: 2026-05-16T10:00:24Z
Network: openweb
Published URL: https://breachforums.rs/Thread-SELLING-Egypt-Professional-Academy-For-Teachers-1-2M-Teachers-Data-Images-Etc
Screenshots:
None
Threat Actors: INT3X
Victim Country: Egypt
Victim Industry: Education
Victim Organization: Professional Academy for Teachers
Victim Site: Unknown
Sale of 1.5M Gaming Mix Email:Password Combo List
Category: Combo List
Content: A threat actor is distributing a combo list containing 1.5 million email:password credential pairs described as a gaming mix. The content is hidden behind a registration or login requirement on the forum. No specific breached organization is identified.
Date: 2026-05-16T09:57:41Z
Network: openweb
Published URL: https://breachforums.rs/Thread-1-5M-Combo-Gaming-Mix-Email-Pass
Screenshots:
None
Threat Actors: byakuya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of PayPal email and password combo list with 1.8 million credentials
Category: Combo List
Content: A threat actor shared a combo list containing 1.8 million email and password pairs marketed for use against PayPal accounts. The content is gated behind forum registration or login. PayPal is the credential-stuffing target, not the breach source.
Date: 2026-05-16T09:57:11Z
Network: openweb
Published URL: https://breachforums.rs/Thread-1-8M-Combolist-Paypal-Email-Pass
Screenshots:
None
Threat Actors: byakuya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Abuse of AppLocker Rules to Block EDR Processes
Category: Malware
Content: A forum article describes a technique where adversaries abuse Windows AppLocker by deploying deny rules that block EDR processes, enabling arbitrary code execution without security tool interference. The post references a publicly available proof-of-concept tool called GhostLocker that automates creation of such deny rules targeting EDR executables. The Azorult loader malware was cited as a known example of this behavior, previously identified by Splunk in 2022.
Date: 2026-05-16T09:54:47Z
Network: openweb
Published URL: https://tier1.life/thread/235
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of server.oncyprus.com (208 sites dumped)
Category: Data Leak
Content: A threat actor claims to have dumped data from 208 sites hosted on server.oncyprus.com, including what may be an online shopping site. The leaked data reportedly contains email addresses associated with government entities from multiple countries including Cyprus, the United States, the United Kingdom, Israel, Poland, and Australia, and is being made available for free download via a hidden forum link.
Date: 2026-05-16T09:53:53Z
Network: openweb
Published URL: https://breachforums.rs/Thread-server-oncyprus-com-208-site-Dumped
Screenshots:
None
Threat Actors: justscyprus
Victim Country: Cyprus
Victim Industry: Technology
Victim Organization: oncyprus.com
Victim Site: server.oncyprus.com
Free distribution of URL:Log:Pass combo list with 8+ million lines
Category: Combo List
Content: A threat actor is distributing a URL:Log:Pass combo list containing over 8 million lines at no cost on a clearnet forum. The content is gated behind registration or login. No specific victim organization or targeted service is identified.
Date: 2026-05-16T09:52:51Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-url-log-pass-free-best-lines-8-million-lines-part-345
Screenshots:
None
Threat Actors: lexityfr
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of 430K URL:Login:Password credentials
Category: Combo List
Content: A threat actor has shared a combo list containing approximately 430,000 URL:login:password credential pairs on a public forum. The post was made in the Other Leaks section and appears to offer the list as a free release. No specific targeted organization or service was identified.
Date: 2026-05-16T09:50:25Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%AD%90430K-URL-LOGIN-PASS%E2%AD%90
Screenshots:
None
Threat Actors: Posts
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Hotmail combo list leak of 1.14 million lines
Category: Combo List
Content: A threat actor has shared a combo list containing approximately 1.14 million email and password pairs targeting Hotmail.com accounts. The list is advertised as high quality and was distributed on a cracking forum. No additional details are available from the post content.
Date: 2026-05-16T09:49:55Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1-141-136-Lines-%E2%9C%85-Hotmail-com-Combolist-HQ-LEaks
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free combo list shared on DM forum
Category: Combo List
Content: A combo list marketed as HQ Mix containing approximately 2,850 email and password pairs has been shared on a cybercrime forum. The content is hidden behind a registration or login requirement. No specific target organization or country is identified.
Date: 2026-05-16T09:49:03Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X2850-HQ-Mix-%E2%9A%A1%E2%9A%A1-BY-Stevee36-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: erwinn91
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged Israeli passport documents
Category: Carding
Content: A threat actor is offering 126 Israeli passports for sale, directing interested buyers to a Telegram account for pricing. No further details about the source or authenticity of the documents are provided.
Date: 2026-05-16T09:45:33Z
Network: openweb
Published URL: https://breached.st/threads/126-israel-passports.87187/unread
Screenshots:
None
Threat Actors: Meowl
Victim Country: Israel
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged Pre-Auth RCE vulnerabilities in Ivanti EPMM (CVE-2026-1281 and CVE-2026-1340) actively exploited
Category: Vulnerability
Content: A forum post details two pre-authentication Remote Command Execution vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340. The vulnerabilities are reported as actively exploited by APT actors and have been added to the CISA Known Exploited Vulnerabilities catalog. Temporary RPM-based patches have been released by Ivanti, with a full fix expected in version 12.8.0.0 in Q1 2026.
Date: 2026-05-16T09:28:14Z
Network: openweb
Published URL: https://tier1.life/thread/234
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Ivanti
Victim Site: ivanti.com
Alleged data breach of Taiwan External Trade Development Council (TAITRA)
Category: Data Breach
Content: A threat actor claims to have breached TAITRA, Taiwans official trade promotion agency, via its API. The actor alleges 271 records were exposed and is distributing the data via a Telegram link. No further details on data fields or types were specified in the post.
Date: 2026-05-16T09:24:46Z
Network: openweb
Published URL: https://breached.st/threads/271-taitra-breached-api.87185/unread
Screenshots:
None
Threat Actors: cc5ab
Victim Country: Taiwan
Victim Industry: Government
Victim Organization: Taiwan External Trade Development Council (TAITRA)
Victim Site: taitra.org.tw
Combo List of Hotmail credentials
Category: Combo List
Content: A threat actor is sharing a combo list of approximately 1,600 Hotmail credentials marketed as private and fully valid. The post is categorized as a credential stuffing resource targeting Hotmail accounts. No additional details are available from the post content.
Date: 2026-05-16T09:12:27Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1600X-Hotmail-Full-Private-Full-Valid
Screenshots:
None
Threat Actors: MerotosCob
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Evil VM privilege escalation technique in Entra ID via PRT theft published on cybercrime forum
Category: Vulnerability
Content: A forum post details a multi-stage attack technique dubbed Evil VM that abuses Azure VM Device Identity and Device Code Phishing to steal Primary Refresh Tokens (PRT) and escalate privileges to Entra ID Admin. The technique chains guest account compromise, subscription transfer abuse, TPM-less VM Entra join, device certificate extraction, and phishing via Device Code Flow. The post includes defensive mitigations and is framed as original security research.
Date: 2026-05-16T09:09:53Z
Network: openweb
Published URL: https://tier1.life/thread/233
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of janfadaa.ir (Iranian pro-government recruitment site)
Category: Data Breach
Content: A threat actor claims to have gained RDP backup access to janfadaa.ir, an Iranian website reportedly used to recruit volunteers for military deployment. The actor alleges exfiltration of over 31.5 million records containing personal data including full name, fathers name, national code, ID number, phone number, education, occupation, and activity type. The full dataset (~35 GB) is offered for sale via Telegram, with a sample shared on Pastebin.
Date: 2026-05-16T09:06:34Z
Network: openweb
Published URL: https://darkforums.su/Thread-Document-janfadaa-ir-Databases
Screenshots:
None
Threat Actors: OxO
Victim Country: Iran
Victim Industry: Government
Victim Organization: janfadaa.ir
Victim Site: janfadaa.ir
Alleged data breach of janfadaa.ir (Iranian pro-government recruitment site)
Category: Data Breach
Content: A threat actor claiming to be group #1877 alleges they gained access via RDP backup to janfadaa.ir, an Iranian website reportedly used to recruit volunteers for military deployment. The actor claims to have obtained over 31.5 million records including names, national codes, ID numbers, phone numbers, education, occupation, and request texts, totaling approximately 35 GB, and is offering the full dataset for sale via Telegram.
Date: 2026-05-16T09:06:09Z
Network: openweb
Published URL: https://breached.st/threads/janfadaa-ir-databases.87183/unread
Screenshots:
None
Threat Actors: org1877
Victim Country: Iran
Victim Industry: Government
Victim Organization: Janfadaa
Victim Site: janfadaa.ir
Combo list of Hotmail credentials (7K)
Category: Combo List
Content: A threat actor is sharing a combo list of approximately 7,000 Hotmail credentials marketed as UHQ and fresh. The list is posted on a public cracking forum and is intended for credential stuffing or account takeover activity.
Date: 2026-05-16T08:59:17Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-7K-HOTMAILS-UHQ-FRESH
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List of 32K Mixed Email Credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 32,000 mixed email and password pairs on a cracking forum. No additional details regarding the source or targeted services were provided.
Date: 2026-05-16T08:58:58Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-32K-MIX-MAILS–2094594
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ mixed email combo list (3.3K credentials)
Category: Combo List
Content: A threat actor shared a combo list of approximately 3,300 mixed email and password credentials on a cracking forum. The post is categorized as UHQ (ultra-high quality), suggesting the credentials may be recently verified or of high validity.
Date: 2026-05-16T08:58:36Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-3-3K-UHQ-MIX-MAILS
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List: 1.8K UHQ Hotmail credentials
Category: Combo List
Content: A threat actor shared a combo list of 1,800 UHQ Hotmail email:password credentials on a cracking forum. The credentials are marketed as high quality and are likely intended for credential stuffing or account takeover activity.
Date: 2026-05-16T08:58:09Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-1-8K-UHQ-HOTMAILS–2094597
Screenshots:
None
Threat Actors: Cloudredhat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of stolen credit card data by Boss Shop
Category: Logs
Content: Boss Shop advertises the sale of first-hand stolen credit cards, claiming to update over 100,000 cards daily. They offer daily free activities with 10,000 free cards priced at $0.01-$0.1, all verified as valid. The operation includes a clearnet website, Tor mirror, and Telegram channel for customer access.
Date: 2026-05-16T08:55:09Z
Network: telegram
Published URL: https://t.me/BossShopallqo/3
Screenshots:
None
Threat Actors: Boss Shop
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of stealer logs mix by fatetraffic
Category: Logs
Content: A threat actor operating under the alias fatetraffic has publicly shared a batch of approximately 1,700 mixed stealer logs via a file-sharing link. The logs are dated 16-05-2026 and made available at no cost with a shared password.
Date: 2026-05-16T08:51:53Z
Network: openweb
Published URL: https://darkforums.su/Thread-%F0%9F%93%97-FATETRAFFIC-1700-MIX-16-05-2026-STEALER-LOGS
Screenshots:
None
Threat Actors: fatetraffic
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Malware campaign delivering Amatera Stealer via Fake CAPTCHA and PNG steganography
Category: Malware
Content: Blackpoint SOC identified a Fake CAPTCHA campaign delivering Amatera Stealer using a signed Microsoft App-V script (SyncAppvPublishingServer.vbs) as a LOLBIN to proxy execution. The kill chain includes behavior-gated execution stages, live C2 configuration retrieved from Google Calendar, and PNG steganography to deliver an encrypted in-memory payload. The campaign is notable for its use of legitimate infrastructure and signed components to evade detection throughout the delivery chain.
Date: 2026-05-16T08:50:53Z
Network: openweb
Published URL: https://tier1.life/thread/232
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 1,931 fresh credentials
Category: Combo List
Content: A threat actor is offering a combo list of 1,931 Hotmail credentials marketed as fresh drops. The list is available via external paste and Telegram links, with VIP subscription tiers priced between $3 and $100.
Date: 2026-05-16T08:43:25Z
Network: openweb
Published URL: https://crackingx.com/threads/75427/
Screenshots:
None
Threat Actors: snowstormxd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Defacement of Interior Rugs India by lxrdk1773n
Category: Defacement
Content: On May 16, 2026, threat actor lxrdk1773n conducted a mass defacement campaign targeting interiorrugs.in, an Indian retail website specializing in home furnishings and rugs. The incident was classified as a mass defacement, indicating multiple sites were compromised as part of the same operation. The defacement was archived and documented via haxor.id mirror service.
Date: 2026-05-16T08:42:19Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249302
Screenshots:
None
Threat Actors: lxrdk1773n
Victim Country: India
Victim Industry: Retail / Home Furnishings
Victim Organization: Interior Rugs
Victim Site: interiorrugs.in
Website Defacement of Interior Rugs by Attacker lxrdk1773n
Category: Defacement
Content: On May 16, 2026, the website interiorrugs.in, an Indian retail business specializing in interior rugs and home furnishings, was defaced by the attacker known as lxrdk1773n. The attack targeted the homepage of the site in a single, non-mass defacement operation. No specific motivation or technical details regarding the server were disclosed.
Date: 2026-05-16T08:36:16Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923126
Screenshots:
None
Threat Actors: lxrdk1773n, No team
Victim Country: India
Victim Industry: Retail / Home Furnishings
Victim Organization: Interior Rugs
Victim Site: interiorrugs.in
Finland Email:Pass Combo List (12K+)
Category: Combo List
Content: A combo list of approximately 12,000 or more Finland-based email and password pairs was shared on a public forum. The credentials are marketed as fresh, dated 16-5-2026. No specific breached organization is identified.
Date: 2026-05-16T08:32:43Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-12-K-%E2%9C%A6-Finland-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-16-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of PT Wijaya Karya (WIKA)
Category: Data Breach
Content: A threat actor is selling a database allegedly exfiltrated from PT Wijaya Karya (WIKA), an Indonesian state-owned construction company. The dataset reportedly includes personal identity records, internal documents, and company files totaling over 18GB, with fields such as full name, date of birth, national ID number, tax ID, address, education, and employment details. The actor claims to have published only 1% of the data and states they remain open to ransom negotiations with the company.
Date: 2026-05-16T08:30:53Z
Network: openweb
Published URL: https://breached.st/threads/database-lsp-pt-wijaya-karya-persero.87182/unread
Screenshots:
None
Threat Actors: Kyyzo
Victim Country: Indonesia
Victim Industry: Construction
Victim Organization: PT Wijaya Karya (WIKA)
Victim Site: perizinan.pu.go.id
Denmark email:password combo list with 41K credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 41,000 email and password pairs targeting Denmark-based accounts. The credentials are marketed as fresh and high quality, dated 16 May 2026.
Date: 2026-05-16T08:19:48Z
Network: openweb
Published URL: https://nulledbb.com/thread-%E2%9C%A6%E2%9C%A6-41-K-%E2%9C%A6-Denmark-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-16-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: t4ctici4n
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Greece Email:Pass Combo List
Category: Combo List
Content: A threat actor shared a combo list of approximately 54,000 email and password pairs targeting Greek accounts, marketed as fresh and high quality. The list was dated May 16, 2026 and is available to registered forum members. This is a credential stuffing resource, not a breach of a specific organization.
Date: 2026-05-16T08:19:02Z
Network: openweb
Published URL: https://leakforum.io/Thread-Leak-%E2%9C%A6%E2%9C%A6-54-K-%E2%9C%A6-Greece-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-16-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: Maxleak
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of mixed corporate mail combo list with 7,150 valid credentials
Category: Combo List
Content: A threat actor on a combolist forum is sharing a mixed corporate MAILPASS combo list claiming 7,150 valid credentials with full mail access. The content is hidden behind a registration or login requirement. No specific targeted organization or country is identified.
Date: 2026-05-16T08:18:07Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-7150-valid-mix-corp-mailpass-full-mail-acces
Screenshots:
None
Threat Actors: CloudBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed corporate mail credentials combo list with 7,150 valid entries
Category: Combo List
Content: A threat actor is offering a combo list of 7,150 claimed valid mixed and corporate email:password credentials with full mailbox access. The post is hosted on a public cracking forum and marketed as high-quality and fresh.
Date: 2026-05-16T08:17:45Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-7150-VALID-MIX-CORP-MAILPASS-FULL-MAIL-ACCES
Screenshots:
None
Threat Actors: CloudBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail, Mix, and Corporate email credentials combo list
Category: Combo List
Content: A threat actor is offering a combo list of 700 claimed valid credentials targeting Hotmail, mixed email providers, and corporate email accounts with full mailbox access. The content is gated behind forum registration or login. No specific breached organization is identified.
Date: 2026-05-16T08:17:36Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-700-valid-hotmail-mix-corp-mailpass-full-mail-acces-302923
Screenshots:
None
Threat Actors: CloudBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail and corporate email credential combo list
Category: Combo List
Content: A threat actor is offering a combo list of approximately 700 email:password credentials advertised as valid Hotmail, mixed, and corporate accounts with full mail access. The post is categorized as a credential stuffing resource rather than a breach of any specific organization.
Date: 2026-05-16T08:17:27Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-700-VALID-HOTMAIL-MIX-CORP-MAILPASS-FULL-MAIL-ACCES–2094577
Screenshots:
None
Threat Actors: CloudBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Ecuador email:password combo list with 45K+ credentials
Category: Combo List
Content: A threat actor shared a combo list containing over 45,000 email:password credential pairs purportedly associated with Ecuadorian accounts, marketed as fresh and dated May 16, 2026. The content is restricted to registered forum members.
Date: 2026-05-16T08:17:17Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A6%E2%9C%A6-45-k-%E2%9C%A6-ecuador-%E2%9C%A6email-pass%E2%9C%A6fresh%E2%9C%A6-16-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Ecuador
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
France Email:Password Combo List
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 1.3 million French email and password pairs, marketed as fresh and high quality. The list is shared via hidden content on the forum and promoted through a Telegram channel.
Date: 2026-05-16T08:16:25Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-1-301-K-%E2%9C%A6-France-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-16-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: France
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail credential combo list with 2,750 valid email:password pairs
Category: Combo List
Content: A threat actor is sharing or selling a combo list of 2,750 claimed valid Hotmail email and password credentials with full mailbox access. The list is marketed as verified hits suitable for credential stuffing or account takeover. No additional details are available from the post content.
Date: 2026-05-16T08:16:13Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-2750-VALID-HOTMAIL-MAILPASS-FULL-MAIL-ACCES
Screenshots:
None
Threat Actors: CloudBase
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Germany Email:Pass Combo List with 426K credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 426,000 email:password credential pairs associated with German users, marketed as fresh and dated May 16, 2026. The list was posted on a public forum and appears intended for credential stuffing use. No specific breached organization is identified.
Date: 2026-05-16T08:15:37Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-426-K-%E2%9C%A6-Germany-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-16-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Czech email and password combo list with 222K+ credentials
Category: Combo List
Content: A threat actor is distributing a combo list containing over 222,000 email and password pairs targeting Czech accounts, marketed as fresh and high quality. The list is shared as hidden content requiring registration or login to access. The post links to a Telegram channel for additional combo lists.
Date: 2026-05-16T08:14:58Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9C%A6%E2%9C%A6-222-K-%E2%9C%A6-Czech-%E2%9C%A6Email-Pass%E2%9C%A6FRESH%E2%9C%A6-16-5-2026-%E2%9C%A6%E2%9C%A6
Screenshots:
None
Threat Actors: CobraEgy
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of combo list with 3 million leads
Category: Combo List
Content: A threat actor is offering a combo list advertised as containing 3 million leads via a Telegram channel and group. The post provides links to Telegram resources where free combos and related tools are distributed.
Date: 2026-05-16T08:13:43Z
Network: openweb
Published URL: https://crackingx.com/threads/75425/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 12K valid credentials
Category: Combo List
Content: A threat actor shared a link to a combo list marketed as 12K UHQ valid Hotmail credentials. The list is described as having valid access and is being distributed via an external paste site.
Date: 2026-05-16T08:13:24Z
Network: openweb
Published URL: https://crackingx.com/threads/75426/
Screenshots:
None
Threat Actors: Vmoon
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged Shai-Hulud Malware Campaign Distributing Infected Packages to Linux Developers
Category: Malware
Content: A sophisticated cyber operation named Shai-Hulud has been identified distributing infected packages targeting Linux developers since September 2025. Attackers are leveraging AI capabilities to develop new infiltration and security bypass methods. Primary targets include cloud infrastructure, Linux servers, and financial systems.
Date: 2026-05-16T08:10:00Z
Network: telegram
Published URL: https://t.me/c/1283513914/21742
Screenshots:
None
Threat Actors: Shai-Hulud
Victim Country: Unknown
Victim Industry: Technology, Finance, Cloud Infrastructure
Victim Organization: Unknown
Victim Site: Unknown
Mass Defacement of Indian Academic Institution by TangerangXploit Team (YIIX103)
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 operating under the TangerangXploit Team conducted a mass defacement attack targeting www.jrsc.ac.in, an Indian academic institution. The attack was executed on a Linux-based server and involved a non-homepage defacement, with a mirror of the defacement archived at haxor.id. This incident is part of a broader mass defacement campaign attributed to the group.
Date: 2026-05-16T07:55:53Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249301
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: JRSC Academic Institution
Victim Site: www.jrsc.ac.in
Mass Defacement of Indian Medical College Website by TangerangXploit Team
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 of the TangerangXploit Team conducted a mass defacement campaign targeting the website of Shri Krishna Medical College Begusarai, an Indian academic medical institution. The attacker compromised a PHP file on the Linux-based server, leaving a defacement page archived at haxor.id. This incident is part of a broader mass defacement operation attributed to the same threat group.
Date: 2026-05-16T07:55:22Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249298
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education / Healthcare
Victim Organization: Shri Krishna Medical College Begusarai
Victim Site: www.skmcbegusarai.ac.in
Mass Website Defacement of HPS College by TangerangXploit Team (YIIX103)
Category: Defacement
Content: On May 16, 2026, a threat actor identified as YIIX103, operating under the TangerangXploit Team, conducted a mass defacement campaign targeting HPS Colleges web server running on Linux. The defacement was deployed via a PHP script (yo.php) on the colleges domain, indicating unauthorized access to the web server. This incident is part of a broader mass defacement operation attributed to the same threat actor group.
Date: 2026-05-16T07:54:46Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249289
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: HPS College
Victim Site: www.hpscollege.ac.in
Sale of UHQ mix mail access combo list
Category: Combo List
Content: A threat actor is offering a private combo list of 1,500 UHQ mixed mail access credentials for sale. Interested buyers are directed to contact the seller via the handle @window_linux01.
Date: 2026-05-16T07:54:02Z
Network: openweb
Published URL: https://cracked.st/Thread-RE-%E2%AD%901-5K-UHQ-MIX-MAIL-ACCESS%E2%AD%90
Screenshots:
None
Threat Actors: cloud_man01
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Website Defacement of Womens College Samastipur by TangerangXploit Team
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 of TangerangXploit Team conducted a mass defacement attack against Womens College Samastipur, an educational institution in India. The defacement was hosted on a Linux-based server and targeted a non-homepage path (/yo.php), consistent with mass defacement campaign tactics. The incident has been archived and mirrored via haxor.id.
Date: 2026-05-16T07:53:56Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249293
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: Womens College Samastipur
Victim Site: www.womenscollegesamastipur.ac.in
Combo List of 1.6 Million Email:Password Credentials
Category: Combo List
Content: A threat actor shared a combo list containing approximately 1.6 million email and password pairs on a cracking forum. The post advertises a high hit rate, suggesting the credentials have been tested against online services. No specific breached organization is identified.
Date: 2026-05-16T07:53:42Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9C%A8-1-6M-EMAIL-PASS-%E2%9C%A8LEAK-PR%C4%B0VATE-EMAIL-PASS%E2%9C%A8HIGH-HITRATE-%E2%9C%A8
Screenshots:
None
Threat Actors: Frisbeese
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Website Defacement of CMB College by TangerangXploit Team
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 operating under the TangerangXploit Team conducted a mass defacement attack targeting CMB Colleges web server running on Linux. The defacement was applied to a non-homepage PHP file (yo.php), indicating a targeted file-level compromise as part of a broader mass defacement campaign. The incident was archived and mirrored on haxor.id.
Date: 2026-05-16T07:53:15Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249292
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: CMB College
Victim Site: www.cmbcollege.ac.in
Mass Website Defacement of VSJ College by TangerangXploit Team (YIIX103)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias YIIX103, affiliated with TangerangXploit Team, conducted a mass defacement campaign targeting the Indian academic institution VSJ College. The attack compromised a PHP file on the colleges Linux-based web server, replacing content with the attackers defacement page. This incident is part of a broader mass defacement operation attributed to the same threat actor.
Date: 2026-05-16T07:52:37Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249290
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: VSJ College
Victim Site: www.vsjcollege.ac.in
Mass Website Defacement of Indian Academic Institution by TangerangXploit Team
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 operating under the TangerangXploit Team conducted a mass defacement attack against www.lnjc.ac.in, an Indian academic institution. The attack targeted a Linux-based web server and compromised the file yo.php as part of a broader mass defacement campaign. The incident has been archived and mirrored via haxor.id.
Date: 2026-05-16T07:52:04Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249291
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: LNJC Academic Institution
Victim Site: www.lnjc.ac.in
Mass Website Defacement of MCK Hagaria College by TangerangXploit Team
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 operating under the TangerangXploit Team conducted a mass defacement attack targeting the Indian academic institution MCK Hagaria College. The attacker compromised the Linux-based web server and defaced the site at the path /yo.php. This incident was part of a broader mass defacement campaign attributed to the same threat group.
Date: 2026-05-16T07:51:33Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249296
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: MCK Hagaria College
Victim Site: www.mckhagaria.ac.in
Mass Website Defacement of Indian Educational Institution by TangerangXploit Team
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 operating under the TangerangXploit Team conducted a mass defacement attack against www.rsctarapur.ac.in, an Indian academic institution. The defacement targeted a non-homepage URL on a Linux-based server and was part of a broader mass defacement campaign. The incident was archived and mirrored on haxor.id.
Date: 2026-05-16T07:50:51Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249300
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: RSC Tarapur
Victim Site: www.rsctarapur.ac.in
Alleged data leak of University of Agriculture Pakistan staff database
Category: Data Leak
Content: A threat actor operating under the alias FlipperOne has freely shared a staff database allegedly belonging to the University of Agriculture Pakistan. The leaked data includes personal and professional fields such as names, gender, address, phone numbers, email addresses, qualifications, designations, and social media links. The actor indicated a second part containing student information is forthcoming.
Date: 2026-05-16T07:50:42Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-%C2%A9-2026-University-of-Agriculture-Pakistan-Staff-Database-PART-1
Screenshots:
None
Threat Actors: Flipperone
Victim Country: Pakistan
Victim Industry: Education
Victim Organization: University of Agriculture Pakistan
Victim Site: Unknown
Mass Defacement of Indian Educational Institution by TangerangXploit Team (YIIX103)
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 operating under TangerangXploit Team conducted a mass defacement attack against JMDPL Mahila College, an Indian educational institution. The attack targeted a Linux-based web server, deploying a defacement page at a non-root path indicating a targeted file upload or injection. This incident is part of a broader mass defacement campaign attributed to the same threat actor and team.
Date: 2026-05-16T07:50:19Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249294
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: JMDPL Mahila College
Victim Site: www.jmdplmahilacollege.ac.in
Mass Website Defacement of MLS College by TangerangXploit Team
Category: Defacement
Content: On May 16, 2026, the threat actor YIIX103, operating under the TangerangXploit Team, conducted a mass defacement attack targeting MLS Colleges web server running on Linux. The defacement was deployed via a PHP shell (yo.php), indicating unauthorized file upload or remote code execution capabilities. This incident is part of a broader mass defacement campaign attributed to the same threat actor.
Date: 2026-05-16T07:49:38Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249299
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: MLS College
Victim Site: www.mlscollege.ac.in
Mass Web Defacement by TangerangXploit Team Targeting HSC Academic Institution
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 operating under the TangerangXploit Team conducted a mass web defacement against hsc.ac.in, an academic institution in India. The attack targeted a Linux-based server and compromised a secondary page (yo.php) rather than the homepage, indicating a targeted intrusion within a broader mass defacement campaign. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-16T07:49:00Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249295
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: HSC (Higher Secondary Certificate) Academic Institution
Victim Site: www.hsc.ac.in
Mass Web Defacement of Indian Academic Institution by TangerangXploit Team
Category: Defacement
Content: On May 16, 2026, threat actor YIIX103 operating under the TangerangXploit Team conducted a mass web defacement targeting www.kmdc.ac.in, an Indian academic institution running on a Linux server. The attack involved the placement of a defacement page at a non-homepage URL, indicating a targeted file-level compromise rather than a full site takeover. This incident is part of a broader mass defacement campaign attributed to the TangerangXploit Team, a likely Indonesian hacktivist group.
Date: 2026-05-16T07:48:30Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249297
Screenshots:
None
Threat Actors: YIIX103, TangerangXploit Team
Victim Country: India
Victim Industry: Education
Victim Organization: Karnataka Milk Federation Development Cooperative (KMDC)
Victim Site: www.kmdc.ac.in
Sale of UK shopping-targeted combo list (Hotmail, Blueyonder, AOL)
Category: Combo List
Content: A combo list of 134,641 email:password credentials associated with Hotmail, Blueyonder, and AOL UK accounts is being distributed on a cracking forum. The list is marketed as targeting shopping services. No additional details are available from the post content.
Date: 2026-05-16T07:41:13Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-134-641-%E2%AD%90%EF%B8%8F-hotmail-blueyonder-aol-UK-Shopping-Target-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Germany-targeted shopping combo list with 403,391 lines
Category: Combo List
Content: A threat actor is distributing a combo list of 403,391 email:password credential pairs marketed as high-quality and targeting German shopping platforms. The post is categorized as a credential stuffing resource rather than a breach of any specific organization.
Date: 2026-05-16T07:40:54Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-403-391-Lines-%E2%9C%85-Shopping-Target-HQ-Germany-De-Combolist
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of DataCamp 12-month learning workflow support service
Category: Services
Content: A forum user is selling a $19.99 service advertised as 12-month learning workflow guidance for DataCamp-style data science and analytics education. The offering includes study support for Python, SQL, and machine learning, as well as course planning and portfolio project guidance. No threat activity or victim organization is identified in this post.
Date: 2026-05-16T07:19:57Z
Network: openweb
Published URL: https://cracked.st/Thread-Supreme-19-99-%E2%9C%85-Master-Data-Skills-All-Year-%E2%80%93-DataCamp-12-Month-Learning-Workflow-Support
Screenshots:
None
Threat Actors: secur3rat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Rate Limit Bypass Techniques Article Published on Cybercrime Forum
Category: Alert
Content: A forum article published on T1 details techniques for bypassing rate limiting mechanisms, including header manipulation (X-Forwarded-For, X-Real-IP), User-Agent spoofing, URL case variation, parameter pollution, and IP rotation. The content is framed as a reference for penetration testers and bug bounty hunters but covers offensive bypass methods applicable to brute-force and abuse scenarios.
Date: 2026-05-16T07:17:58Z
Network: openweb
Published URL: https://tier1.life/thread/231
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Non-threat content: automotive reference material shared on forum
Category: Alert
Content: A forum member shared a compressed archive containing a two-part book on Chevrolet Big Block engines via an external file-hosting link. The post contains no threat-relevant content and does not appear to be related to cybercrime activity.
Date: 2026-05-16T07:16:23Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-For-those-who-do-something-other-than-sit-on-their-dead-ass-lol
Screenshots:
None
Threat Actors: OriginalCrazyOldFart
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Galatasaray University
Category: Data Breach
Content: A threat actor claims to have breached Galatasaray University in Istanbul, Turkey. The post alleges the compromised data includes names, identity information, and credentials that purportedly allow access to and control of the universitys systems. No specific record count or price was mentioned.
Date: 2026-05-16T07:14:39Z
Network: openweb
Published URL: https://breached.st/threads/galatasaray-universitesi.87181/unread
Screenshots:
None
Threat Actors: karlsssaaa1
Victim Country: Turkey
Victim Industry: Education
Victim Organization: Galatasaray University
Victim Site: gsu.edu.tr
Website Defacement of coupleserrageroue.com by Y4NZ404
Category: Defacement
Content: On May 16, 2026, the website coupleserrageroue.com was defaced by a lone threat actor operating under the handle Y4NZ404 with no affiliated team group beyond SOLO. The attack resulted in a homepage defacement, replacing the sites content with the attackers messaging. No specific motivation or vulnerability details were disclosed in connection with the incident.
Date: 2026-05-16T07:14:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923109
Screenshots:
None
Threat Actors: Y4NZ404, SOLO
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Couples Errage Roue
Victim Site: coupleserrageroue.com
Publication of AMSI Bypass Technique Using Page Guard Exceptions with Proof-of-Concept Code
Category: Vulnerability
Content: A threat actor published a detailed technical writeup describing a patchless AMSI bypass technique leveraging Page Guard Exceptions and Vectored Exception Handlers (VEH) to intercept and neutralize AmsiScanBuffer before a full scan occurs. The technique is implemented as both shellcode and a PowerShell-native solution, with source code published on GitHub. The post claims the method successfully bypasses Windows Defender for Endpoint during malicious payload execution inside PowerShell.
Date: 2026-05-16T06:59:43Z
Network: openweb
Published URL: https://tier1.life/thread/230
Screenshots:
None
Threat Actors: RedQueen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of web shell access and automated exploitation tools
Category: Initial Access
Content: Threat actor offering shell access (GSC, DR 17, Terminal) and cyber tools package including brute force, shell finder, auto exploit, RCE, web grabber, and CMS checkers (cPanel, WordPress, Joomla). Priced at 400K (currency unspecified). Contact via @person131.
Date: 2026-05-16T06:44:10Z
Network: telegram
Published URL: https://t.me/c/3755871403/491
Screenshots:
None
Threat Actors: Rakyat Digital Crew
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free distribution of URL:Log:Pass combo list with 8+ million lines
Category: Combo List
Content: A threat actor shared a URL:Log:Pass combo list containing over 8 million lines on a cybercrime forum. The content is offered for free to registered forum members. The post is part of a recurring series (part 344), suggesting ongoing distribution of credential data.
Date: 2026-05-16T06:43:37Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-url-log-pass-free-best-lines-8-million-lines-part-344
Screenshots:
None
Threat Actors: lexityfr
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Stansberry Research
Category: Data Breach
Content: A threat actor has shared a dataset allegedly sourced from Stansberry Research containing approximately 1,179,000 records. The data includes email addresses, full names, phone numbers, physical addresses, and internal account identifiers such as TradeSmith and SNA IDs. No prices were mentioned, suggesting the data was freely distributed on the forum.
Date: 2026-05-16T06:40:26Z
Network: tor
Published URL: http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-Stansberry-Research
Screenshots:
None
Threat Actors: STOMP2
Victim Country: United States
Victim Industry: Finance
Victim Organization: Stansberry Research
Victim Site: stansberry.com
Website Defacement of Bandenspanningauto.nl by Y4NZ404
Category: Defacement
Content: On May 16, 2026, the Dutch automotive website bandenspanningauto.nl was defaced by a solo threat actor operating under the handle Y4NZ404. The attack targeted the homepage and is classified as a single-site defacement. The incident was mirrored and documented by zone-xsec.com with reference ID 923108.
Date: 2026-05-16T06:40:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923108
Screenshots:
None
Threat Actors: Y4NZ404, SOLO
Victim Country: Netherlands
Victim Industry: Automotive
Victim Organization: Bandenspanningauto
Victim Site: bandenspanningauto.nl
Website Defacement of Nigerian Government Portal by T-XpLoiT
Category: Defacement
Content: On May 16, 2026, a threat actor identified as T-XpLoiT defaced a subdomain of the Katsina Investment Promotion Agency (KIPA), a Nigerian state government entity, by replacing the hosted content with a defacement page. The targeted URL was fdi.kipa.kt.gov.ng/deface.html, hosted on a Linux-based server. This was a targeted single-site defacement, not part of a mass defacement campaign.
Date: 2026-05-16T06:17:20Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249288
Screenshots:
None
Threat Actors: T-XpLoiT
Victim Country: Nigeria
Victim Industry: Government
Victim Organization: Katsina State Government – Katsina Investment Promotion Agency (KIPA)
Victim Site: fdi.kipa.kt.gov.ng
Free combo list of 18K mixed credentials
Category: Combo List
Content: A threat actor shared a combo list of approximately 18,000 mixed email:password credentials via an external paste link. The list is described as valid and is available for free download.
Date: 2026-05-16T06:11:47Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-18K-MIXED-VALID
Screenshots:
None
Threat Actors: COYYT
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail credential combo list shared on cracking forum
Category: Combo List
Content: A forum post on Cracked.st advertises Hotmail credential hits. No further details are available as the post content is empty.
Date: 2026-05-16T06:11:30Z
Network: openweb
Published URL: https://cracked.st/Thread-HOTMAIL-HITS–2094566
Screenshots:
None
Threat Actors: racola
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Website Defacement of sschnitzer.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement campaign targeting sschnitzer.com, a Linux-based web server. The defacement was confirmed as part of a broader mass defacement operation, with a mirror of the defaced page archived at haxor.id. No specific motivation or server software details were disclosed in the available data.
Date: 2026-05-16T06:11:22Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249281
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: S. Schnitzer
Victim Site: sschnitzer.com
Mass Defacement of Mor Diamonds by Inside Alone7 (Hidden Cyber Crime)
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting mor-diamonds.com, a jewelry-related website hosted on a Linux server. The defacement was confirmed via a mirror archived at haxor.id, indicating the attackers intent to publicly claim the compromise. This incident is part of a broader mass defacement campaign attributed to the same actor.
Date: 2026-05-16T06:10:48Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249271
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / Jewelry
Victim Organization: Mor Diamonds
Victim Site: mor-diamonds.com
Mass Defacement of Vivial Diamonds by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting vivialdiamonds.com, a jewelry-related website hosted on a Linux server. The defacement was part of a broader mass defacement campaign, with the compromised page archived at haxor.id. No specific motivation or proof-of-concept details were disclosed.
Date: 2026-05-16T06:10:20Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249286
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / Jewelry
Victim Organization: Vivial Diamonds
Victim Site: vivialdiamonds.com
Mass Defacement of Lazarov Diamonds by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement campaign targeting lazarovdiamonds.com, a jewelry-related website hosted on a Linux server. The defacement was identified as part of a broader mass defacement operation rather than an isolated or repeated attack. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-16T06:09:47Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249268
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / Jewelry
Victim Organization: Lazarov Diamonds
Victim Site: lazarovdiamonds.com
Mass Defacement of Skymoon Diamonds by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, the threat actor Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement campaign targeting skymoondiamonds.com. The defacement was hosted on a cloud-based server and is part of a broader mass defacement operation. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-16T06:09:15Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249279
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / Jewelry
Victim Organization: Skymoon Diamonds
Victim Site: skymoondiamonds.com
Combo list targeting Hotmail domains distributed on cracking forum
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 6 million credentials targeting Hotmail domains (.com, .fr, .es) via a cracking forum and associated Telegram channels. The post advertises free combo lists and tools through two Telegram groups. The credentials are intended for social-oriented credential stuffing attacks.
Date: 2026-05-16T06:09:02Z
Network: openweb
Published URL: https://crackingx.com/threads/75423/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Defacement of tbdstock.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack against tbdstock.com, a stock-related web platform running on a Linux server. The defacement was not targeting the homepage and is part of a broader mass defacement campaign. The incident was archived and mirrored on haxor.id.
Date: 2026-05-16T06:08:44Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249283
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Finance / Stock Trading
Victim Organization: TBD Stock
Victim Site: tbdstock.com
Mass Defacement Campaign by Inside Alone7 of Hidden Cyber Crime targeting sasportasdiam.com
Category: Defacement
Content: The threat actor Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement attack against sasportasdiam.com on May 16, 2026. The attack targeted a Linux-based server and was part of a broader mass defacement campaign rather than an isolated incident. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-16T06:08:14Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249278
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Sas Portas Diam
Victim Site: sasportasdiam.com
Mass Web Defacement by Inside Alone7 of Hidden Cyber Crime targeting technoshvavltd.com
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass web defacement targeting technoshvavltd.com. The attack was carried out on a Linux-based server, with the defacement content hosted at the path /1000.txt. This incident is part of a broader mass defacement campaign attributed to the same actor.
Date: 2026-05-16T06:07:46Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249285
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Techno Shvavl Ltd
Victim Site: technoshvavltd.com
Mass Web Defacement by Inside Alone7 of Hidden Cyber Crime targeting ydvash.com
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass web defacement campaign that included the domain ydvash.com. The defacement was recorded and archived via haxor.id, indicating it is part of a broader coordinated mass defacement operation. No specific motivation or additional technical indicators were disclosed.
Date: 2026-05-16T06:07:15Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249287
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Ydvash
Victim Site: ydvash.com
Mass Defacement of Maroz Diamonds by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack against marozdiamonds.com, a jewelry-related website running on a Linux server. The defacement was part of a broader mass defacement campaign, with the altered page archived at haxor.id. No specific motivation or proof-of-concept details were disclosed.
Date: 2026-05-16T06:06:51Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249269
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / Jewelry
Victim Organization: Maroz Diamonds
Victim Site: marozdiamonds.com
Mass Defacement of nourican.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement campaign targeting nourican.com, a Linux-based web server. The defacement was confirmed via a mirrored archive and represents one of multiple sites compromised in this operation. No specific motivation or proof-of-concept details were disclosed.
Date: 2026-05-16T06:06:16Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249274
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Nourican
Victim Site: nourican.com
Mass Defacement of Israeli Diamond Retailer by Hidden Cyber Crime Group
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack against moti-israeli-diamonds.com, a website associated with the Israeli diamond trade industry. The attack targeted a Linux-based server and was confirmed as part of a broader mass defacement campaign. The defacement was archived and mirrored via haxor.id.
Date: 2026-05-16T06:05:48Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249273
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Retail / Luxury Goods (Diamond Trade)
Victim Organization: Moti Israeli Diamonds
Victim Site: moti-israeli-diamonds.com
Mass Defacement of Regent Diamonds by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement campaign targeting regentdiam.com, a domain associated with the diamond or gemstone industry. The defacement was hosted on a Linux-based server and archived via haxor.id. This incident was part of a broader mass defacement operation rather than an isolated single-site attack.
Date: 2026-05-16T06:05:21Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249275
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Jewelry / Diamonds
Victim Organization: Regent Diamonds
Victim Site: regentdiam.com
Website Redefacement of Skymoon Diamonds by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: The threat actor Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a redefacement attack against the jewelry retailer Skymoon Diamonds on May 16, 2026. This incident marks a repeated compromise of the same target, indicating persistent access or recurring vulnerability exploitation. The defacement was not classified as a mass or home page defacement, suggesting a specific subdirectory or page was targeted.
Date: 2026-05-16T06:04:53Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923100
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / Jewelry
Victim Organization: Skymoon Diamonds
Victim Site: www.skymoondiamonds.com
Mass Defacement of moshenamdar.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement campaign targeting moshenamdar.com, a Linux-based web server. The defacement was confirmed via a mirrored archive and represents one of multiple sites targeted in the same operation. No specific motivation or server software details were disclosed.
Date: 2026-05-16T06:04:12Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249272
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Moshe Namdar
Victim Site: moshenamdar.com
Mass Defacement of Israeli Website by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement attack targeting restartilana.co.il, an Israeli website hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement campaign, with the compromised page archived at haxor.id. No specific motive or proof-of-concept details were disclosed.
Date: 2026-05-16T06:03:40Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249276
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Restart Ilana
Victim Site: restartilana.co.il
Mass Defacement of sleipnirworld.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting sleipnirworld.com hosted on a Linux server. The defacement was confirmed as part of a mass defacement campaign, with a mirror of the attack archived at haxor.id. No specific motivation or proof-of-concept details were disclosed.
Date: 2026-05-16T06:03:10Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249280
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Sleipnir World
Victim Site: sleipnirworld.com
Mass Defacement Campaign by Hidden Cyber Crime Targeting Israeli Website s-yahalom.co.il
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting the Israeli website s-yahalom.co.il. The defacement was carried out on a Linux-based server, with the compromised content archived at haxor.id. This incident is part of a broader mass defacement campaign attributed to the same threat actor.
Date: 2026-05-16T06:02:37Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249277
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: S. Yahalom
Victim Site: s-yahalom.co.il
Alleged cyberattack on US gas station fuel monitoring systems
Category: Cyber Attack
Content: According to CNN reporting, monitoring systems for fuel reserves at gas stations across multiple US states were targeted in a cyberattack. Attackers gained access to these systems and manipulated the readings displayed on fuel tank monitoring displays. US cybersecurity experts warned that this access could enable attackers to conceal actual fuel leaks or gas leaks from monitoring systems.
Date: 2026-05-16T06:02:25Z
Network: telegram
Published URL: https://t.me/c/1283513914/21731
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: United States
Victim Industry: Energy/Fuel Distribution
Victim Organization: US gas station networks (multiple states)
Victim Site: Unknown
Mass Defacement of msdiamtx.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement targeting store.msdiamtx.com, a Linux-based e-commerce platform. The defacement was confirmed via a mirror archived at haxor.id and was part of a broader mass defacement campaign rather than an isolated or repeated attack. No specific motivation or server software details were disclosed in the available data.
Date: 2026-05-16T06:02:07Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249282
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / E-Commerce
Victim Organization: MS Diamtx Store
Victim Site: store.msdiamtx.com
Email traffic service sought for cryptocurrency exchange targets
Category: Services
Content: A forum user is seeking individuals capable of delivering bulk emails targeting cryptocurrency exchanges. The post solicits contact from providers and suggests financial incentives for successful email traffic delivery.
Date: 2026-05-16T05:57:08Z
Network: openweb
Published URL: https://breachforums.rs/Thread-EMAIL-TRAFFIC
Screenshots:
None
Threat Actors: sillyrhymes
Victim Country: Unknown
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of drjeanvieira.com.br by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Brazilian website drjeanvieira.com.br, likely belonging to a medical professional named Dr. Jean Vieira. The defacement was a targeted, non-mass incident with a mirror archived at zone-xsec.com.
Date: 2026-05-16T05:56:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923036
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Healthcare
Victim Organization: Dr. Jean Vieira
Victim Site: drjeanvieira.com.br
Mass Defacement of gilkimchi.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement attack against gilkimchi.com, a website likely associated with a kimchi or Korean food brand. The attack targeted a Linux-based web server and was confirmed as part of a broader mass defacement campaign. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-16T05:55:24Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249260
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Food and Beverage
Victim Organization: Gil Kimchi
Victim Site: gilkimchi.com
Mass Website Defacement by Inside Alone7 of Hidden Cyber Crime targeting dsl-lab.net
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack against dsl-lab.net, a Linux-based web server. The defacement was recorded and mirrored at haxor.id, indicating it is part of a broader mass defacement campaign. No specific motive or proof-of-concept details were disclosed.
Date: 2026-05-16T05:55:01Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249249
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Technology / Research
Victim Organization: DSL Lab
Victim Site: dsl-lab.net
Mass Defacement by Inside Alone7 of Hidden Cyber Crime targeting dorith-teichman.com
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack against dorith-teichman.com, a Linux-based web server. The defacement was confirmed as part of a broader mass defacement campaign, with the compromised page archived at haxor.id. No specific motivation or proof-of-concept details were disclosed.
Date: 2026-05-16T05:54:36Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249248
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Dorith Teichman
Victim Site: dorith-teichman.com
Mass Web Defacement by Inside Alone7 of Hidden Cyber Crime targeting eglasia.com.hk
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass web defacement targeting eglasia.com.hk, a domain associated with Hong Kong. The attack was executed on a Linux-based server and is classified as a mass defacement campaign. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-16T05:54:12Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249254
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Hong Kong
Victim Industry: Unknown
Victim Organization: EGL Asia
Victim Site: eglasia.com.hk
Mass Defacement of Israeli Stock/Finance Site by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement campaign targeting easystock.co.il, an Israeli stock or financial services website running on a Linux server. The defacement was part of a broader mass defacement operation, with a mirror of the attack archived at haxor.id. No specific motivation or proof-of-concept details were provided.
Date: 2026-05-16T05:53:50Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249250
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Finance / Stock Trading
Victim Organization: EasyStock
Victim Site: easystock.co.il
Mass Defacement Campaign by Hidden Cyber Crime (Inside Alone7) Targeting easystockdiam.com
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement attack against easystockdiam.com, a likely diamond or stock trading related website hosted on a Linux server. The defacement was part of a broader mass defacement campaign, with the compromised page archived at haxor.id. No specific geopolitical motive or server IP was disclosed in the available data.
Date: 2026-05-16T05:53:23Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249251
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Finance / Retail (Diamonds/Stocks)
Victim Organization: Easy Stock Diam
Victim Site: easystockdiam.com
Mass Defacement of Israeli Website by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement campaign targeting daiky.co.il, an Israeli website hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement operation, with the compromised page archived at haxor.id. No specific motive or exploited vulnerability was publicly disclosed.
Date: 2026-05-16T05:52:57Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249242
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Daiky
Victim Site: daiky.co.il
Website Defacement of Lancer Curitiba by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the Brazilian website lancercuritiba.com.br was defaced by threat actor chinafans, operating under the group 0xteam. The defacement targeted a specific file path (0x.txt) and was neither a mass nor a home page defacement, suggesting a targeted file-level intrusion. No specific motive or proof of concept was disclosed.
Date: 2026-05-16T05:52:30Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923040
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Automotive / Sports
Victim Organization: Lancer Curitiba
Victim Site: lancercuritiba.com.br
Mass defacement of Diamond Services Hong Kong by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement campaign targeting diamondservices.com.hk, a professional services organization based in Hong Kong. The defacement was carried out on a Linux-based server and was confirmed as part of a broader mass defacement operation. The incident was archived via haxor.id with mirror reference 249247.
Date: 2026-05-16T05:51:49Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249247
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Hong Kong
Victim Industry: Professional Services
Victim Organization: Diamond Services
Victim Site: diamondservices.com.hk
Website Defacement of isellbrasil.com.br by chinafans of 0xTeam
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xTeam, defaced the Brazilian website isellbrasil.com.br by placing a defacement file at the path /0x.txt. The incident was a targeted, single-site defacement with no mass or redefacement indicators, and server details remain unknown.
Date: 2026-05-16T05:51:21Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923038
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: E-commerce / Retail
Victim Organization: iSell Brasil
Victim Site: isellbrasil.com.br
Website Defacement of Nossa Distribuicao by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor identified as chinafans, affiliated with 0xteam, defaced the Brazilian website nossadistribuicao.com.br. The attack was a targeted single-page defacement, not classified as a mass or home page defacement. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-05-16T05:50:40Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923044
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Distribution/Retail
Victim Organization: Nossa Distribuicao
Victim Site: nossadistribuicao.com.br
Combo list of EU mixed credentials distributed on forum
Category: Combo List
Content: A threat actor operating under the alias BedrockDB has shared a combo list of approximately 200 email:password credential pairs targeting mixed European users. The content is hidden behind a forum registration/login wall. No specific breached organization is identified.
Date: 2026-05-16T05:50:26Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%F0%9F%92%8E-0-2k-elite-eu-mixed-email-pass-bedrockdb-premier-drop-%F0%9F%92%8E
Screenshots:
None
Threat Actors: BedrockDB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Defacement of David Levy Diamonds by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting davidlevydiamonds.com, a jewelry retail website. The defacement was carried out on a Linux-based server and is part of a broader mass defacement campaign. A mirror of the defacement has been archived at haxor.id.
Date: 2026-05-16T05:49:57Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249243
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: United States
Victim Industry: Retail / Jewelry
Victim Organization: David Levy Diamonds
Victim Site: davidlevydiamonds.com
Sale of SMTP credential cracking tool
Category: Combo List
Content: A forum post advertises what is claimed to be a best-in-class SMTP cracker tool for 2026. No further content was available to assess capabilities, pricing, or targeted services.
Date: 2026-05-16T05:49:48Z
Network: openweb
Published URL: https://cracked.st/Thread-Other-%E2%9A%A1-BEST-SMTP-CRACKER-IN-2026-%E2%9A%A1
Screenshots:
None
Threat Actors: racola
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Mass Defacement of easystockhosting.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack against easystockhosting.com, a web hosting provider running on a Linux server. The defacement was confirmed as a mass defacement campaign, with the compromised page archived at haxor.id. No specific motivation or exploited vulnerability was publicly disclosed.
Date: 2026-05-16T05:49:29Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249252
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Web Hosting / Technology
Victim Organization: Easy Stock Hosting
Victim Site: easystockhosting.com
Mass Defacement of Ilan Diamonds by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting ilandiamonds.com, a diamonds retail or wholesale organization. The defacement was hosted on a Linux-based server and has been archived via haxor.id. This incident was part of a broader mass defacement campaign rather than an isolated targeted attack.
Date: 2026-05-16T05:49:03Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249264
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / Jewelry
Victim Organization: Ilan Diamonds
Victim Site: ilandiamonds.com
Mass Website Defacement of EasyStockDiam by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting demo.easystockdiam.com, a Linux-based web server. The defacement was confirmed as part of a mass defacement campaign, with the compromised page archived at haxor.id. The targeted domain appears to be associated with a stock or diamond trading e-commerce platform.
Date: 2026-05-16T05:48:41Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249244
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: E-Commerce / Retail
Victim Organization: EasyStockDiam
Victim Site: demo.easystockdiam.com
Mass Defacement of Korn Diamonds by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement attack targeting korndiamonds.com, a jewelry retailer. The attack was carried out on a Linux-based server, with the defacement artifact hosted at the path /1000.txt. This incident was part of a broader mass defacement campaign attributed to the same threat actor.
Date: 2026-05-16T05:48:10Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249266
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: United States
Victim Industry: Retail / Jewelry
Victim Organization: Korn Diamonds
Victim Site: korndiamonds.com
Website Defacement of Eyal Italy by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, defaced the website eyalitaly.co.il, an Israeli fashion or retail entity. The defacement was a targeted single-site attack hosted on a cloud-based server. A mirror of the defaced page was archived at haxor.id.
Date: 2026-05-16T05:47:44Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249257
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Retail / Fashion
Victim Organization: Eyal Italy
Victim Site: eyalitaly.co.il
Mass Defacement Campaign by Hidden Cyber Crime Team Targeting ben-yona.com
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement attack against ben-yona.com, a website hosted on a Linux server. The defacement was catalogued and mirrored on haxor.id, indicating it is part of a broader mass defacement campaign rather than a targeted single-site attack. No specific motivation or proof-of-concept details were disclosed alongside the incident.
Date: 2026-05-16T05:47:18Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249238
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Ben Yona
Victim Site: ben-yona.com
Website Defacement of Carol Beauty by 0xTeam (chinafans)
Category: Defacement
Content: The threat actor chinafans, operating under the group 0xTeam, defaced the Brazilian beauty and cosmetics e-commerce website pedidoscarolbeauty.com.br on May 16, 2026. The attack was a targeted single-site defacement, not a mass or home page defacement. A mirror of the defaced page was archived at zone-xsec.com.
Date: 2026-05-16T05:46:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923045
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Retail / Beauty & Cosmetics
Victim Organization: Carol Beauty
Victim Site: pedidoscarolbeauty.com.br
Mass Web Defacement of DiamBroker by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass web defacement targeting diambroker.com, a diamond or commodities brokerage platform. The defacement was hosted on a Linux-based server and archived via haxor.id. This incident is part of a broader mass defacement campaign attributed to the same threat actor.
Date: 2026-05-16T05:46:08Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249246
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Finance / Commodities Brokerage
Victim Organization: DiamBroker
Victim Site: diambroker.com
Website defacement of Vardi Jewelry by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, the website VARDIJEWELRY.COM was defaced by threat actor Inside Alone7, operating under the group Hidden Cyber Crime. The attack targeted a Linux-based web server hosting the jewelry retailers site. The incident was a targeted defacement, not classified as a mass or home page defacement, with a mirror of the defaced content archived at haxor.id.
Date: 2026-05-16T05:45:43Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249234
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail – Jewelry
Victim Organization: Vardi Jewelry
Victim Site: VARDIJEWELRY.COM
Mass Web Defacement by Inside Alone7 of Hidden Cyber Crime targeting balidiam.com
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass web defacement targeting balidiam.com, a Linux-hosted website. The attack was part of a broader mass defacement campaign, with a mirror of the defacement archived at haxor.id. No specific motive or proof of concept was disclosed.
Date: 2026-05-16T05:45:14Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249237
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Indonesia
Victim Industry: Unknown
Victim Organization: Bali Diam
Victim Site: balidiam.com
Mass Defacement of Cedar Trading Inc by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, the threat actor Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement campaign targeting cedartradinginc.com, a trading company. The defacement was deployed on a Linux-based server and is part of a broader mass defacement operation. A mirror of the defacement has been archived at haxor.id.
Date: 2026-05-16T05:44:46Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249241
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Trade and Commerce
Victim Organization: Cedar Trading Inc
Victim Site: cedartradinginc.com
Mass Defacement of brotfeld.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement operation targeting brotfeld.com hosted on a Linux server. The defacement was confirmed as part of a broader mass defacement campaign rather than a targeted single-site attack. A mirror of the defaced content was archived at haxor.id.
Date: 2026-05-16T05:44:19Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249240
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Brotfeld
Victim Site: brotfeld.com
Mass Defacement of Israeli Diamond Retailer by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting alma-diamonds.co.il, an Israeli diamond retailer. The attack was carried out on a Linux-based server and the defaced page was archived at haxor.id. This incident is part of a broader mass defacement campaign rather than an isolated single-target attack.
Date: 2026-05-16T05:43:52Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249236
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Retail / Luxury Goods (Diamond Industry)
Victim Organization: Alma Diamonds
Victim Site: alma-diamonds.co.il
Mass Defacement of Goldiamint by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor identified as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement attack targeting goldiamint.com, a platform likely associated with gold-backed digital assets or cryptocurrency services. The defacement was executed on a Linux-based server and was confirmed as part of a mass defacement campaign. The incident was archived and mirrored via haxor.id.
Date: 2026-05-16T05:43:21Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249261
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Financial Services / Cryptocurrency
Victim Organization: Goldiamint
Victim Site: goldiamint.com
Website Defacement of Vitalcorpo by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor identified as chinafans, operating under the group 0xteam, defaced the Brazilian website vitalcorpo.com.br. The defacement was a targeted single-site incident, leaving a text-based payload at the path /0x.txt. No specific motivation or vulnerability details were disclosed in the available intelligence.
Date: 2026-05-16T05:42:55Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923049
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Health & Wellness
Victim Organization: Vitalcorpo
Victim Site: vitalcorpo.com.br
Website Defacement of marcojenner.com by chinafans (0xteam)
Category: Defacement
Content: The website marcojenner.com was defaced by threat actor chinafans, operating under the team 0xteam, on May 16, 2026. The defacement was recorded as a single, non-mass, non-redefacement incident targeting a specific file path on the domain. A mirror of the defacement was archived at zone-xsec.com.
Date: 2026-05-16T05:42:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923041
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Marco Jenner
Victim Site: marcojenner.com
Mass Defacement of albert-robinson.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting albert-robinson.com. The attack was carried out on a Linux-based server, with a defacement file placed at the path /1000.txt. This incident was part of a broader mass defacement campaign attributed to the same actor.
Date: 2026-05-16T05:41:28Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249235
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Albert Robinson
Victim Site: albert-robinson.com
Mass Web Defacement by Inside Alone7 of Hidden Cyber Crime targeting easystockhosting.com hosted site
Category: Defacement
Content: A threat actor identified as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass web defacement targeting a site hosted on easystockhosting.com on May 16, 2026. The defacement was not a re-defacement and was classified as part of a mass defacement campaign, affecting a Linux-based server. The incident was archived and mirrored on haxor.id.
Date: 2026-05-16T05:41:00Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249239
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Web Hosting / Technology
Victim Organization: Benyona
Victim Site: benyona-new.easystockhosting.com
Mass Defacement by Inside Alone7 of Hidden Cyber Crime targeting EGL Hong Kong hosting infrastructure
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement attack against a Linux-based web server hosted at egl-hk.easystockhosting.com. The attack targeted what appears to be a Hong Kong-based web hosting service, with the defacement artifact archived at haxor.id. This incident is classified as a mass defacement, suggesting multiple sites hosted on the same infrastructure were compromised simultaneously.
Date: 2026-05-16T05:40:35Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249253
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Hong Kong
Victim Industry: Web Hosting / Technology
Victim Organization: EGL Easy Stock Hosting
Victim Site: egl-hk.easystockhosting.com
Website Defacement of Trade Finance Company Services by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias chinafans, affiliated with 0xteam, defaced the website of Trade Finance Company Services. The attack was a targeted single-site defacement, with the mirror of the defaced page archived at zone-xsec.com. No specific motive or vulnerability details were disclosed in association with the incident.
Date: 2026-05-16T05:40:09Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923052
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Trade Finance Company Services
Victim Site: tradefinancecompanyservices.co…
Mass Defacement of Israeli Jewelry Retailer by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement targeting engagementrings.co.il, an Israeli jewelry retailer. The attack targeted a Linux-based web server and was part of a broader mass defacement campaign. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-16T05:39:23Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249255
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Retail / Jewelry
Victim Organization: Engagement Rings
Victim Site: engagementrings.co.il
Mass Defacement of Israeli Jewelry Retail Site by Hidden Cyber Crime (Inside Alone7)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting dev.engagementrings.co.il, an Israeli jewelry retail website. The attack was part of a broader mass defacement campaign and was executed on a Linux-based server. A mirror of the defacement was archived at haxor.id.
Date: 2026-05-16T05:38:56Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249245
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Retail / Jewelry
Victim Organization: Engagement Rings
Victim Site: dev.engagementrings.co.il
Mass defacement of havivmoreno.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting havivmoreno.com. The attack was carried out on a Linux-based server and involved the defacement of multiple sites as part of a coordinated mass defacement campaign. A mirror of the defaced page has been archived at haxor.id.
Date: 2026-05-16T05:38:33Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249262
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Haviv Moreno
Victim Site: havivmoreno.com
Mass Defacement of Eydiamonds.com by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, operating under the group Hidden Cyber Crime, conducted a mass defacement campaign targeting eydiamonds.com, a jewelry retail website hosted on a Linux server. The defacement was confirmed via a mirror archived at haxor.id and was part of a broader mass defacement operation rather than an isolated incident. No specific motive or proof-of-concept details were publicly disclosed.
Date: 2026-05-16T05:38:08Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249258
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Unknown
Victim Industry: Retail / Jewelry
Victim Organization: Eye Diamonds
Victim Site: eydiamonds.com
Mass Website Defacement of laurakoren.co.il by Inside Alone7 of Hidden Cyber Crime
Category: Defacement
Content: On May 16, 2026, a threat actor known as Inside Alone7, affiliated with the group Hidden Cyber Crime, conducted a mass defacement attack targeting laurakoren.co.il, a website hosted on a Linux server in Israel. The defacement was confirmed as part of a mass defacement campaign, with a mirror of the attack archived at haxor.id. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-05-16T05:37:44Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249267
Screenshots:
None
Threat Actors: Inside Alone7, Hidden Cyber Crime
Victim Country: Israel
Victim Industry: Unknown
Victim Organization: Laura Koren
Victim Site: laurakoren.co.il
Website Defacement of Africa Trade Finance Company by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website of Africa Trade Finance Company was defaced by threat actor chinafans, operating under the group 0xteam. The attack was a targeted single-site defacement with no specified motive recorded. A mirror of the defacement was archived at zone-xsec.com.
Date: 2026-05-16T05:37:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923050
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Africa Trade Finance Company
Victim Site: africatradefinancecompany.com
Sale of private torrent tracker invitations on cracking forum
Category: Services
Content: A forum user is selling invitations to multiple private torrent and usenet trackers including PassThePopcorn, Empornium, Nebulance, UHDBits, NZBs.in, and PixelHD, with prices ranging from $100 to $350 per invite. Payment is accepted in LTC or BTC. No breach or compromised data is involved; the seller is offering legitimate-style membership access to invite-only communities.
Date: 2026-05-16T05:33:34Z
Network: openweb
Published URL: https://nulledbb.com/thread-Selling-PassThePopcorn-invite-350–2294907
Screenshots:
None
Threat Actors: KenTAur
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Dra. Daniela Cordeiro by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias chinafans, affiliated with 0xteam, defaced the website of Dra. Daniela Cordeiro, a Brazilian healthcare professional. The incident was a targeted, single-site defacement with a mirror archived on zone-xsec.com. No specific motive or server details were disclosed.
Date: 2026-05-16T05:31:08Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923035
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Healthcare
Victim Organization: Dra. Daniela Cordeiro
Victim Site: dradanielecordeiro.com.br
Combo List: Mixed Email:Password Credentials (25,000 Records)
Category: Combo List
Content: A mixed email:password combo list containing 25,000 records was shared on a cracking forum. The post was made under the username UniqueCombo and appears to offer credentials for credential stuffing or account takeover activity. No specific targeted service or origin breach was identified.
Date: 2026-05-16T05:30:42Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-MIX-Unique-Combo-1-25000
Screenshots:
None
Threat Actors: UniqueCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo List targeting European and German shopping platforms
Category: Combo List
Content: A combo list of 330,254 email:password lines is being shared on a cracking forum, marketed as targeting European and German shopping platforms. No further details about the data source or specific targeted services are provided in the post.
Date: 2026-05-16T05:30:18Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-330-254-Lines-%E2%9C%85-Europa-Germany-Shopping-Target
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Retail
Victim Organization: Unknown
Victim Site: Unknown
Sale of compromised streaming and service accounts including Netflix, ChatGPT, and NordVPN
Category: Carding
Content: A threat actor operating via fastsub.vip and Telegram (@Fastsubvip) is selling accounts for streaming and online services including Netflix, ChatGPT, and NordVPN. The post advertises full support for buyers and directs customers to an external shop.
Date: 2026-05-16T05:29:48Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%AD%90-Ultimate-Streaming-Accounts-%E2%9A%A1-NETFLIX-CHATGPT-NORDVPN-%E2%AD%90-Full-Support-%E2%9A%A1
Screenshots:
None
Threat Actors: ZapDiZen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of premium account subscriptions including ChatGPT, YouTube, and Prime Video
Category: Services
Content: A threat actor operating under the alias ZapDiZen is advertising a service selling premium accounts for platforms including ChatGPT, YouTube, and Amazon Prime Video via their shop at Fastsub.vip and a Telegram channel. The post is listed under the Services forum section and references high ratings, suggesting an established seller. No specific breach or data leak is claimed.
Date: 2026-05-16T05:29:16Z
Network: openweb
Published URL: https://cracked.st/Thread-%E2%9A%A1-Cinematic-Social-Premium-%E2%AD%90-ChatGPT-YouTube-Prime-Video-%E2%9A%A1-Highly-Rated-%E2%9A%A1
Screenshots:
None
Threat Actors: ZapDiZen
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged defacement of Ghana Army website by Nullsec Philippines
Category: Defacement
Content: Nullsec Philippines claims to have defaced the Ghana Army website. A screenshot is provided as proof of the defacement.
Date: 2026-05-16T05:18:17Z
Network: telegram
Published URL: https://t.me/c/2590737229/1061
Screenshots:
None
Threat Actors: Nullsec Philippines
Victim Country: Ghana
Victim Industry: Government/Military
Victim Organization: Ghana Army
Victim Site: Unknown
Alleged compromise of German hydroelectric power plant SCADA system by DDoSia Project
Category: Cyber Attack
Content: DDoSia Project volunteers claim to have gained full control of a small hydroelectric power plants SCADA/HMI system in Germany running Windows CE. The post details real-time access to critical infrastructure including turbine control (T1/T2), hydraulic systems, pressure monitoring, valves, and all analog signals. The threat actor claims the industrial controller was exposed on the internet without proper protection.
Date: 2026-05-16T04:56:19Z
Network: telegram
Published URL: https://t.me/c/3087552512/1959
Screenshots:
None
Threat Actors: DDoSia Project
Victim Country: Germany
Victim Industry: Energy/Utilities
Victim Organization: Hydroelectric power plant
Victim Site: Unknown
Combo list of Hotmail credentials freely shared on cracking forum
Category: Combo List
Content: A threat actor known as D4rkNetHub shared a combo list of 3,279 Hotmail credentials via a Mega.nz link on a cracking forum. The credentials are marketed as verified hits and distributed for free.
Date: 2026-05-16T04:55:20Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-3-279-Good-HOTMAIL-GOODS-D4RKNETHUB-CLOUD-16-05-26
Screenshots:
None
Threat Actors: D4rkNetHub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Lahore Grammar School
Category: Data Breach
Content: A threat actor claims to have breached Lahore Grammar School (LGS) in Pakistan, allegedly exfiltrating approximately 30,000 records covering students and their parents. Exposed data reportedly includes names, CNIC numbers, cell phone numbers, email addresses, residential addresses, dates of birth, health information, and other personal details. Sample records containing parent and student PII were posted to substantiate the claim.
Date: 2026-05-16T04:54:48Z
Network: openweb
Published URL: https://breachforums.rs/Thread-DATABASE-Lahore-Grammar-School-Flagship-Elite-Students-Parents-Database-PAKISTAN
Screenshots:
None
Threat Actors: Flipperone
Victim Country: Pakistan
Victim Industry: Education
Victim Organization: Lahore Grammar School
Victim Site: lgs.edu.pk
Combo List: 29.9K Alleged HQ Hotmail Credentials
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 29,900 Hotmail credentials marketed as high-quality valid hits. The content is gated behind registration or login on the forum. Hotmail is the credential-stuffing target, not the breach victim.
Date: 2026-05-16T04:52:06Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1%E2%9A%A129-9k-hq-hotmail-access-valid-hits-frash-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: gostjac
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of OpenAI – Internal credentials and information stolen in TanStack supply chain attack
Category: Data Breach
Content: OpenAI disclosed that during a cyberattack on the open-source TanStack project, a limited portion of internal information and credentials were stolen. The company confirmed no evidence of access to user data or main systems. Compromised versions contained malware designed to steal credentials and propagate to other systems. OpenAI has replaced digital certificates for some of its software.
Date: 2026-05-16T04:51:35Z
Network: telegram
Published URL: https://t.me/c/1283513914/21727
Screenshots:
None
Threat Actors: خبرگزاری سایبربان| Cyberban News
Victim Country: United States
Victim Industry: Artificial Intelligence / Software
Victim Organization: OpenAI
Victim Site: openai.com
Free South Korea email list distribution (Batch 44/100)
Category: Combo List
Content: A threat actor is freely distributing a batch of South Korea email credentials, labeled as batch 44 of 100. The content is gated behind forum registration or login. No further details about record count or data source are provided.
Date: 2026-05-16T04:33:50Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-free-premium-south-korea-email-list-batch-44-100
Screenshots:
None
Threat Actors: emaildbpro
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of webshell access to Indonesian government websites
Category: Initial Access
Content: Threat actor MR.X MARKET is offering webshell access to multiple Indonesian websites for sale, including government desa (village) portals and Mandiri Tech infrastructure. Contact via Telegram @Mr_Lonely403 for purchase.
Date: 2026-05-16T04:32:50Z
Network: telegram
Published URL: https://t.me/webshellRandom/19
Screenshots:
None
Threat Actors: MR.X MARKET
Victim Country: Indonesia
Victim Industry: Government, Financial Technology
Victim Organization: Multiple Indonesian government institutions and Mandiri Tech
Victim Site: gandasolidesa.id, kawungluwukdesa.id, buniaradesa.id, kmv14.mandiritech.my.id, webapp.mandiritech.my.id, tanjungsiangdesa.id, sdp.mandiritech.my.id, sirapdesa.id, rancamanggungdesa.id, notabis.mandiritech.my.id
Sale of combo list targeting Hotmail, Yahoo, and French streaming services
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 4 million credentials targeting Hotmail, Yahoo, French email providers (orange.fr), and streaming services. The list is advertised as free via Telegram channels, with additional combos available on request.
Date: 2026-05-16T04:21:10Z
Network: openweb
Published URL: https://crackingx.com/threads/75420/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of educational sector combo list
Category: Combo List
Content: A combo list marketed for educational sector credential stuffing is being offered on a cracking forum. The thread title suggests a hit rate of 98,180 or 98.180 valid credentials. No further details are available from the post content.
Date: 2026-05-16T04:20:08Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-98-180-%E2%9A%A1-Good-Edu-Combolist
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
BreachForums announces partnership with The Gentlemen Ransomware-as-a-Service operation
Category: Data Breach
Content: BreachForums announced a formal partnership with a ransomware group calling itself The Gentlemen, advertising an active Ransomware-as-a-Service (RaaS) program. The post solicits affiliates including pentesters and access brokers to join the operation. A dedicated subdomain and a Tor-based data leak site (DLS) are provided as part of the partnership infrastructure.
Date: 2026-05-16T04:16:15Z
Network: openweb
Published URL: https://breached.st/threads/breachforums-the-gentlemen-raas-partnership.87178/unread
Screenshots:
None
Threat Actors: diencracked
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Swan Bitcoin
Category: Data Breach
Content: A threat actor is sharing an alleged database dump from Swan Bitcoin containing 235,000+ records. The dataset includes personally identifiable information such as email addresses, names, phone numbers, physical addresses, birthdates, KYC status, account details, and Bitcoin transaction data. Sample records indicate affected individuals are primarily US-based customers and account holders.
Date: 2026-05-16T04:16:07Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-Swan-Bitcoin
Screenshots:
None
Threat Actors: david20
Victim Country: United States
Victim Industry: Finance
Victim Organization: Swan Bitcoin
Victim Site: swanbitcoin.com
Alleged data leak of FTX claimants data from Kroll breach
Category: Data Leak
Content: A threat actor has shared a dataset attributed to the 2023 Kroll data breach, containing 198,000 records of FTX bankruptcy claimants. The data includes applicant IDs, email addresses, phone numbers, countries, AML review statuses, and compliance tags. The content is gated behind a reply or account upgrade requirement on the forum.
Date: 2026-05-16T04:15:29Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-FTX-Claimants-Kroll-Breach
Screenshots:
None
Threat Actors: david20
Victim Country: United States
Victim Industry: Finance
Victim Organization: Kroll
Victim Site: kroll.com
Sale of initial access to a Brazilian raffle website with winner manipulation capability
Category: Initial Access
Content: A threat actor is offering administrative access to an unnamed Brazilian raffle website for R$50,000. The seller claims the access allows manipulation of the raffle outcome, including switching vendors or selecting the winner of an active R$650,000 prize draw.
Date: 2026-05-16T04:09:02Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Selling-access-to-a-Brazilian-raffle-website-you-can-change-the-winner
Screenshots:
None
Threat Actors: justicedos
Victim Country: Brazil
Victim Industry: Gambling
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of Kintetsu World Express Singapore
Category: Data Breach
Content: A threat actor is selling approximately 130 GB of data allegedly stolen from Kintetsu World Express Singapore. The offering includes what appears to be a database backup file (Tradenet41_backup_2026_02_05) of approximately 27 GB along with additional files. Screenshots have been posted as proof of the data.
Date: 2026-05-16T04:08:09Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Kintetsu-World-Express-KWE-Singapore
Screenshots:
None
Threat Actors: Moneyistime
Victim Country: Singapore
Victim Industry: Logistics
Victim Organization: Kintetsu World Express
Victim Site: kwe.com
Alleged data breach of ANDE (ande.gov.py)
Category: Data Breach
Content: A threat actor is selling an alleged database dump from ande.gov.py, the official site of Paraguays national electricity administration. The dataset reportedly contains 50,000 records in CSV/SQL format with fields including full name, email, phone number, address, and NIS (customer identifier). Sample data provided in the post appears to show customer service contact submissions.
Date: 2026-05-16T04:07:33Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-ande-gov-py%C2%A0Database-Paraguay-50K
Screenshots:
None
Threat Actors: camillaDF
Victim Country: Paraguay
Victim Industry: Government
Victim Organization: ANDE (Administración Nacional de Electricidad)
Victim Site: ande.gov.py
Alleged data leak of Israeli company Shany Tech
Category: Data Leak
Content: A threat actor known as MDGhost666 has leaked approximately 246.32 GB of data allegedly belonging to Shany Tech, an Israeli testing and measuring equipment company. The leaked data includes CSV files containing user records, device information, enterprise applications, role assignments, and group data. Sample records include employee names, email addresses, phone numbers, account identifiers, and directory synchronization details.
Date: 2026-05-16T04:06:34Z
Network: openweb
Published URL: https://darkforums.su/Thread-Israeli-company-SHANY-TECH-leaks-246-32GB-of-data
Screenshots:
None
Threat Actors: MDGhost666
Victim Country: Israel
Victim Industry: Technology
Victim Organization: Shany Tech
Victim Site: shany-tech.com
Alleged data breach of Nike
Category: Data Breach
Content: A threat actor is offering for sale an alleged database belonging to Nike (nike.com). The post provides a session ID as a contact method but does not disclose the number of records, data fields, or pricing details.
Date: 2026-05-16T04:06:00Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-nike-com
Screenshots:
None
Threat Actors: Saika
Victim Country: United States
Victim Industry: Retail
Victim Organization: Nike
Victim Site: nike.com
Sale of SSH and RCE access to undisclosed organizations
Category: Initial Access
Content: A threat actor is offering SSH and remote code execution (RCE) access to multiple unspecified organizations, categorized by resource tier (high, medium, low). Access is priced starting at $7 and is offered via direct message to verified buyers.
Date: 2026-05-16T04:05:23Z
Network: openweb
Published URL: https://darkforums.su/Thread-SSH-RCE-access
Screenshots:
None
Threat Actors: aptelleralone
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of DrChadda by Ruiixh4xor of SHENHAXSEC
Category: Defacement
Content: On May 16, 2026, the website drchadda.in, believed to be associated with a medical professional or healthcare entity in India, was defaced by threat actor Ruiixh4xor operating under the group SHENHAXSEC. The attack targeted the homepage and was a singular, non-mass defacement incident, with a mirror of the defacement archived on zone-xsec.com.
Date: 2026-05-16T04:05:15Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923023
Screenshots:
None
Threat Actors: Ruiixh4xor, SHENHAXSEC
Victim Country: India
Victim Industry: Healthcare
Victim Organization: Dr. Chadda
Victim Site: drchadda.in
Sale of alleged military operations data for China and United States
Category: Data Breach
Content: A threat actor is claiming to sell alleged military future operations data pertaining to China and the United States, described as never previously leaked. The seller requests proof of funds as an initial message and states that escrow is accepted. No further details regarding the source, volume, or nature of the data were provided.
Date: 2026-05-16T04:04:47Z
Network: openweb
Published URL: https://darkforums.su/Thread-China-and-US-data-never-leaked
Screenshots:
None
Threat Actors: Donnie_Brasco
Victim Country: Unknown
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of US and China military operations data
Category: Data Breach
Content: A threat actor operating under the alias Donnie_Brasco claims to be selling data related to future military operations involving the United States and China. The post solicits long-term buyers via an encrypted messaging platform and states that samples and a data list will be provided upon contact. No further details about the source, volume, or nature of the data are provided.
Date: 2026-05-16T04:04:12Z
Network: openweb
Published URL: https://darkforums.su/Thread-China-and-Us-Military-Operation-data
Screenshots:
None
Threat Actors: Donnie_Brasco
Victim Country: Unknown
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Alleged sale of US and China military operations data
Category: Data Breach
Content: A threat actor operating under the alias Donnie_Brasco claims to be selling data related to future military operations involving the United States and China. The seller is soliciting buyers via a Session messaging handle, accepts escrow, and offers samples upon contact. No source, volume, or further details of the alleged data are provided in the post.
Date: 2026-05-16T04:03:28Z
Network: openweb
Published URL: https://darkforums.su/Thread-China-x-US-future-military-operation-data-for-sale
Screenshots:
None
Threat Actors: Donnie_Brasco
Victim Country: Unknown
Victim Industry: Government
Victim Organization: Unknown
Victim Site: Unknown
Sale of alleged PLA, CIA, DOD, and DARPA reports and documents
Category: Services
Content: A threat actor is offering for sale purported internal reports and documents attributed to the PLA, CIA, DOD, and DARPA. The seller is soliciting long-term clients via Session messenger and states that escrow is accepted. No further details about the volume, origin, or authenticity of the documents are provided.
Date: 2026-05-16T04:02:44Z
Network: openweb
Published URL: https://darkforums.su/Thread-selling-PLA-CIA-DOD-and-DARPA-reports-documents
Screenshots:
None
Threat Actors: Donnie_Brasco
Victim Country: United States
Victim Industry: Government
Victim Organization: CIA, DOD, DARPA, PLA
Victim Site: Unknown
Alleged Cyber Attack on Aran Group packaging company infrastructure
Category: Cyber Attack
Content: A threat actor identifying as MDGhost666/BlackH4t claims to have completely destroyed IT infrastructure belonging to Aran Group, an industrial packaging company with operations in Israel, the United States, Germany, and Spain. The actor claims full access was obtained and over 500 TB of data was wiped. The attack is framed as a politically motivated hacktivist campaign targeting Israels food supply chain.
Date: 2026-05-16T04:02:11Z
Network: openweb
Published URL: https://darkforums.su/Thread-Israeli-aranp-group-com-ARAN-GRUP-bag-in-box-BIB
Screenshots:
None
Threat Actors: MDGhost666
Victim Country: Israel
Victim Industry: Manufacturing
Victim Organization: Aran Group
Victim Site: aranp-group.com
Alleged data breach of undisclosed Spanish insurance company
Category: Data Breach
Content: A threat actor is selling a database allegedly dumped from a small Spanish insurance company. The dataset reportedly contains 90,000 client records including full names, addresses, mobile numbers, and account numbers, with a total backup size of 50GB.
Date: 2026-05-16T04:01:35Z
Network: openweb
Published URL: https://darkforums.su/Thread-SPAIN-SMALL-INSURANCE-COMPANY-DB
Screenshots:
None
Threat Actors: notjoukin
Victim Country: Spain
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Sale of fresh Australian payment cards on cybercrime forum
Category: Carding
Content: A threat actor is selling Australian payment card data including cardholder name, card number, expiry date, and CVV. Cards are priced on a tiered scale starting at $5 per card. The seller markets the cards as fresh and real.
Date: 2026-05-16T04:00:54Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-Real-Fresh-Australia-CC
Screenshots:
None
Threat Actors: lazarus
Victim Country: Australia
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of doxing service targeting lawyers in Baja California, Mexico
Category: Services
Content: A threat actor is offering a doxing service for $100 USD that claims to retrieve detailed personal and professional information on any licensed lawyer in the state of Baja California, Mexico. The data reportedly includes full name, photographs, national IDs (CURP, RFC, Voter ID), contact details, home and office addresses, and personal documents. Contact is conducted via Signal.
Date: 2026-05-16T04:00:03Z
Network: openweb
Published URL: https://darkforums.su/Thread-MEXICO-SYSTEM-TO-DOX-ANY-LAWYER-IN-THE-STATE-OF-BAJA-CALIFORNIA-MEXICO
Screenshots:
None
Threat Actors: Thelizard001
Victim Country: Mexico
Victim Industry: Legal
Victim Organization: Unknown
Victim Site: Unknown
Sale of database query bot exposing Mexican student and electoral records (OSEP + INE)
Category: Services
Content: A threat actor is promoting a Telegram bot that queries an alleged database of students from across Mexico and records from the National Electoral Institute (INE). The bot exposes extensive personal data including full name, CURP, date of birth, contact details, home address, emergency contacts, medical records (blood type, illnesses, allergies, medications), vaccination status, and employment information. The actor states the complete database will be offered for sale, noting that a recent leak
Date: 2026-05-16T03:59:22Z
Network: openweb
Published URL: https://darkforums.su/Thread-Selling-BOT-Mexico-OSEP-INE
Screenshots:
None
Threat Actors: Alz_157s
Victim Country: Mexico
Victim Industry: Government
Victim Organization: National Electoral Institute (INE)
Victim Site: ine.mx
Mass Defacement of Taraba Polytechnic by Alpha Wolf (XYZ)
Category: Defacement
Content: On May 16, 2026, the attacker known as XYZ, operating under the team Alpha Wolf, conducted a mass defacement targeting tarabapoly.edu.ng, the official website of Taraba State Polytechnic in Nigeria. The attack was not directed at the homepage but was part of a broader mass defacement campaign. A mirror of the defaced page has been archived at haxor.id.
Date: 2026-05-16T03:58:36Z
Network: openweb
Published URL: https://haxor.id/archive/mirror/249233
Screenshots:
None
Threat Actors: XYZ, Alpha wolf
Victim Country: Nigeria
Victim Industry: Education
Victim Organization: Taraba State Polytechnic
Victim Site: tarabapoly.edu.ng
Alleged data leak of 1cartoriosbc.com.br via SQL injection
Category: Data Leak
Content: A threat actor claims to have breached the official Brazilian institute website 1cartoriosbc.com.br via SQL injection, extracting personal data including email addresses, passwords, contact numbers, identity codes, ID card photos, and certificates. A portion of the extracted data is being made available for free. The actor operates under the handle 1877 and promotes associated Telegram channels.
Date: 2026-05-16T03:58:03Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-1cartoriosbc-com-br-Databases-User-pass-HQ
Screenshots:
None
Threat Actors: 1877
Victim Country: Brazil
Victim Industry: Government
Victim Organization: 1 Cartório SBC
Victim Site: 1cartoriosbc.com.br
Alleged data leak of 97,000 drivers licenses from Acapulco, Mexico
Category: Data Leak
Content: A threat actor leaked a dataset purportedly containing over 97,000 vehicle or drivers licenses from Acapulco, Mexico, sourced from calidad.acapulco.gob.mx. The approximately 28GB archive reportedly includes CURP (national ID numbers), photographs, and fingerprints. The data is described as recent and of high quality, and a free download link was shared on the forum.
Date: 2026-05-16T03:57:26Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-90K-Licencias-De-Acapulco-MEXICO–76612
Screenshots:
None
Threat Actors: homie157
Victim Country: Mexico
Victim Industry: Government
Victim Organization: Gobierno de Acapulco
Victim Site: calidad.acapulco.gob.mx
Alleged data leak of Morocco government (.gov.ma) domains
Category: Data Leak
Content: A threat actor known as Fexus claims to have leaked data from multiple Moroccan government domains including education, tax, and regional administration portals. The leak is distributed freely via a file-sharing link and reportedly contains over 78,000 lines of data across at least nine .gov.ma subdomains.
Date: 2026-05-16T03:56:49Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-gov-ma-BREACH
Screenshots:
None
Threat Actors: fexus
Victim Country: Morocco
Victim Industry: Government
Victim Organization: Morocco Government
Victim Site: gov.ma
Website Defacement of SkillsToDo by Threat Actor ZynxSec
Category: Defacement
Content: On May 16, 2026, threat actor ZynxSec successfully defaced the homepage of skillstodo.com, an online skills and learning platform. The attack was a targeted single-site defacement with no affiliation to a known hacking team. No specific motivation or technical exploitation details were disclosed alongside the incident report.
Date: 2026-05-16T03:52:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923021
Screenshots:
None
Threat Actors: ZynxSec
Victim Country: Unknown
Victim Industry: Education / Online Learning
Victim Organization: SkillsToDo
Victim Site: skillstodo.com
Sale of mixed corporate and educational email:password combo list
Category: Combo List
Content: A threat actor is distributing a combo list of 13,441 corporate and educational email:password pairs, marketed as fully valid. The list spans mixed organization types including corporate and educational sectors.
Date: 2026-05-16T03:46:11Z
Network: openweb
Published URL: https://breachforums.rs/Thread-%E2%AD%90%E2%AD%90%E2%AD%9013441-MIX-CORP-EDU-MAIL-PASS-FULL-VALID-100-%E2%AD%90%E2%AD%90%E2%AD%90
Screenshots:
None
Threat Actors: DexterCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged mixed-country education combo list with 166,273 lines
Category: Combo List
Content: A threat actor is distributing a combo list of 166,273 email:password pairs purportedly sourced from education-sector accounts across multiple countries. The list is shared on a public forum and marketed as education-related credential pairs.
Date: 2026-05-16T03:27:26Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-166-273-Lines-%E2%9C%85-Mixed-Country-Edu-education-Leaks
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Education
Victim Organization: Unknown
Victim Site: Unknown
Sale of EU Hotmail combo list
Category: Combo List
Content: A threat actor is offering a combo list of approximately 100 EU Hotmail credentials, marketed as high-quality with no junk entries. The content is gated behind forum registration or login.
Date: 2026-05-16T03:08:15Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9A%A1-0-1k-elite-eu-hotmail-zero-junk-pure-hits-%E2%9A%A1-302893
Screenshots:
None
Threat Actors: BedrockDB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 0.1K credentials
Category: Combo List
Content: A threat actor is sharing a combo list of approximately 100 Hotmail credentials marketed as high quality. The content is hidden behind a registration or login requirement on the forum. No breach of Microsoft or Hotmail infrastructure is implied; the credentials are intended for credential stuffing against Hotmail accounts.
Date: 2026-05-16T03:07:58Z
Network: openweb
Published URL: https://patched.to/Thread-0-1k-hq-hotmail-mail-access-combolist-302892
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of stolen payment cards, dumps, fullz, and bank logs
Category: Carding
Content: A threat actor is advertising the sale of stolen payment card data including CC/CVV, VBV and non-VBV cards, dumps, fullz, and bank logs. The post claims high-quality linkable products but provides no additional details in the post body.
Date: 2026-05-16T02:53:29Z
Network: openweb
Published URL: https://altenens.is/threads/cc-cvv-vbv-non-vbv-dumps-fullz-bank-logs-full-info-best-all-linkables-quality-product-list-always-selling-stuff-high-qualit.2941084/unread
Screenshots:
None
Threat Actors: Hanntillsd
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail email:password combo list
Category: Combo List
Content: A threat actor is offering for sale a combo list of approximately 11,000 Hotmail email:password credentials, marketed as high quality and private. The content is paywalled and requires forum registration or login to access.
Date: 2026-05-16T02:52:55Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-11k-hotmail-mailaccess-%E2%9A%AA-high-quality-private-combolist-1-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 100K credentials
Category: Combo List
Content: A threat actor is offering a combo list of 100,000 Hotmail email and password pairs, marketed as high quality and private. The content is gated behind forum registration or login. This is a credential stuffing resource, not a breach of Hotmail or Microsoft.
Date: 2026-05-16T02:52:25Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-hotmail-%E2%9A%AA-high-quality-private-combolist-4-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 100K credentials
Category: Combo List
Content: A threat actor is offering a combo list of 100,000 Hotmail email and password pairs on a cybercrime forum. The content is gated behind registration or login. The credentials are marketed as high quality and private.
Date: 2026-05-16T02:51:54Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-hotmail-%E2%9A%AA-high-quality-private-combolist-3-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Germany-targeted shopping combo list (3 million records)
Category: Combo List
Content: A threat actor is distributing a combo list of approximately 3 million credentials allegedly targeting German shopping platforms. The list is marketed as high quality and is being shared via Telegram channels. No specific breached organization is identified.
Date: 2026-05-16T02:51:38Z
Network: openweb
Published URL: https://crackingx.com/threads/75416/
Screenshots:
None
Threat Actors: CODER
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail combo list offered for mixed target credential stuffing
Category: Combo List
Content: A threat actor shared a combo list containing 601,692 Hotmail credentials (hotmail.com, .fr, .es) marketed as suitable for mixed-target credential stuffing attacks. The list was distributed on a public cracking forum.
Date: 2026-05-16T02:50:38Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-601-692-%E2%9A%9C%EF%B8%8F-hotmail-com-fr-es-Good-For-Mixed-Target
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 1-day RCE exploit for macOS 10.11 and later
Category: Vulnerability
Content: A threat actor is selling a claimed 1-day, 1-click remote code execution exploit affecting Apple macOS versions 10.11 through macOS 26. The seller states no public exploit exists and that successful exploitation yields root-level permissions (GID 81). Payment is requested in Monero with middleman escrow required.
Date: 2026-05-16T02:49:03Z
Network: openweb
Published URL: https://spear.cx/Thread-Selling-1-DAY-1-click-RCE-MacOS-10-11-up-to-macOS-26-No-public-exploit
Screenshots:
None
Threat Actors: 303
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list with 100K credentials
Category: Combo List
Content: A threat actor is offering a 100K Hotmail email:password combo list marketed as high quality and private. The content is paywalled and requires registration or login to access. Hotmail is the credential-stuffing target, not the breach victim.
Date: 2026-05-16T02:35:33Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-hotmail-%E2%9A%AA-high-quality-private-combolist-1-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Hotmail combo list containing 100K credentials
Category: Combo List
Content: A threat actor is offering a combo list of 100,000 Hotmail email and password combinations on a cybercrime forum. The content is gated behind registration or login. The credentials are marketed as high quality and private.
Date: 2026-05-16T02:35:16Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-hotmail-%E2%9A%AA-high-quality-private-combolist-2-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Free South Korea email combo list (Batch 43/100)
Category: Combo List
Content: A threat actor is freely distributing a South Korea email list as part of an ongoing batch series (Batch 43 of 100). The content is gated behind forum registration or login. No further details about record count or data fields are provided in the post.
Date: 2026-05-16T02:34:58Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-free-premium-south-korea-email-list-batch-43-100
Screenshots:
None
Threat Actors: emaildbpro
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email:password combo list
Category: Combo List
Content: A threat actor is offering for sale a mixed email:password combo list marketed as high quality and private. The listing contains 100,000 credential pairs. Full content is hidden behind a forum registration or login requirement.
Date: 2026-05-16T02:20:00Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-6-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email:password combo list
Category: Combo List
Content: A threat actor is offering a mixed email:password combo list of 100,000 credentials marketed as high quality. The content is gated behind forum registration or login. No specific breached organization is identified.
Date: 2026-05-16T02:19:44Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-7-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email:password combo list
Category: Combo List
Content: A threat actor is offering a mixed email:password combo list of 100,000 credentials marketed as high quality. The content is gated behind forum registration or login. No specific breached organization is identified.
Date: 2026-05-16T02:19:28Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-8-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email:password combo list
Category: Combo List
Content: A threat actor is offering a mixed email:password combo list of 100,000 credentials marketed as high quality and private. The content is paywalled and requires forum registration or login to access. No specific breached organization or service is identified.
Date: 2026-05-16T02:19:12Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-9-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of stealer logs with 18.24 million URL:log:pass records
Category: Combo List
Content: A threat actor operating under the alias vultapower is advertising a dataset of 18.24 million URL:log:pass records marketed as fresh stealer log output, available via vulta.pw. The content is gated behind registration on the cracking forum. The seller also advertises a Telegram channel (vultanetworks) for access.
Date: 2026-05-16T02:17:31Z
Network: openweb
Published URL: https://crackingx.com/threads/75415/
Screenshots:
None
Threat Actors: vultapower
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of private combo lists and stealer logs targeting US and EU accounts
Category: Combo List
Content: A threat actor operating as antalya_H is selling private combo lists and stealer logs, including UHQ Hotmail combos, mixed combolists, and geo-targeted credentials for USA and EU regions. The offering includes mail checkers and is marketed as fresh, high-quality private data with high hit rates. Access is sold via Telegram with a free trial sample available.
Date: 2026-05-16T02:15:26Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-PRIVATE-USA-MAIL-BY-antalya-H
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data breach of ReferralRock.com referral marketing platform
Category: Data Breach
Content: A threat actor claims to have obtained the internal database of ReferralRock, a US-based referral marketing platform, following an alleged intrusion in May 2026. The leaked data spans 1,947 CSV files totaling approximately 5GB and over 11.2 million records, containing fields including names, emails, phone numbers, addresses, payout details, and referral program metadata.
Date: 2026-05-16T02:13:59Z
Network: openweb
Published URL: https://darkforums.su/Thread-DATABASE-ReferralRock-com-Referral-Marketing-Platform-11M-PART
Screenshots:
None
Threat Actors: zSenior
Victim Country: United States
Victim Industry: Technology
Victim Organization: ReferralRock
Victim Site: referralrock.com
Sale of 100K mixed email:password combo list
Category: Combo List
Content: A threat actor is offering a mixed email:password combo list of 100,000 credentials, marketed as high quality and private. The content is gated behind registration or login on the forum. No specific targeted service or origin breach is identified.
Date: 2026-05-16T02:00:42Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-1-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email:password combo list
Category: Combo List
Content: A threat actor is offering a mixed email:password combo list of 100,000 credentials, marketed as high quality and private. The content is hidden behind a registration or login wall on the forum.
Date: 2026-05-16T02:00:11Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-2-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email:password combo list
Category: Combo List
Content: A threat actor is offering a mixed email:password combo list of 100,000 credentials, marketed as high quality and private. The content is paywalled behind forum registration or login. No specific victim organization or country is identified.
Date: 2026-05-16T01:59:50Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-3-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of private Germany-targeted combo lists and UHQ Hotmail credentials
Category: Combo List
Content: A threat actor operating under the handle @antalya_H is selling private combo lists described as UHQ Hotmail credentials, mixed combos, and geo-targeted lists including Germany, USA, and EU regions. The offering also includes premium logs and mail checker tools. Access is sold via direct message with a free trial sample advertised.
Date: 2026-05-16T01:59:41Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-PRIVATE-GERMANY-MAIL-BY-antalya-H
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email:password combo list
Category: Combo List
Content: A threat actor is selling a mixed email:password combo list of 100,000 credentials, marketed as high quality and private. The content is gated behind registration or login on the forum.
Date: 2026-05-16T01:59:28Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-4-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of URL:LOG:PASS combo list with 18.85 million credentials
Category: Combo List
Content: A threat actor operating as DaxusHub is offering a URL:LOG:PASS combo list containing approximately 18.85 million credential pairs, marketed as UHQ (ultra-high quality). The post directs interested parties to a Telegram channel for additional content.
Date: 2026-05-16T01:59:18Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%AD%90%EF%B8%8FURL-LOG-PASS-18-85-M-%E2%9C%85-DAXUS-PRO-UHQ-%E2%AD%90%EF%B8%8F
Screenshots:
None
Threat Actors: DaxusHub
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed email:password combo list
Category: Combo List
Content: A threat actor is offering a mixed email:password combo list of 100,000 credentials marketed as high quality. The content is gated behind registration or login on the forum. No specific breach source or target organization is identified.
Date: 2026-05-16T01:58:58Z
Network: openweb
Published URL: https://patched.to/Thread-email-pass-100k-mixed-%E2%9A%AA-high-quality-private-combolist-5-%E2%9A%AA
Screenshots:
None
Threat Actors: uhqcomboseller
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed valid mail access combo list
Category: Combo List
Content: A threat actor operating as RedCloud is distributing a combo list of approximately 87.1K mixed valid mail credentials, dated 16.05.2026. The content is marketed as private and UHQ (ultra-high quality), suggesting credentials have been verified. Access to the list requires registration or login on the forum.
Date: 2026-05-16T01:58:09Z
Network: openweb
Published URL: https://demonforums.net/Thread-87-1K-%E2%9C%A8-Mix-%E2%9C%A8-Valid-Mail-Access-16-05
Screenshots:
None
Threat Actors: RedCloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of BlackSexFinder.com user database
Category: Data Leak
Content: A threat actor has shared a database dump purportedly from BlackSexFinder.com, a US-based hookup website, containing 180,515 records. Exposed fields include user IDs, usernames, email addresses, registration IPs, registration dates, cities, ZIP codes, and dates of birth. The data is described as originally posted on the Exploit forum.
Date: 2026-05-16T01:56:19Z
Network: openweb
Published URL: https://spear.cx/Thread-BlackSexFinder-com-180k-users
Screenshots:
None
Threat Actors: animal
Victim Country: United States
Victim Industry: Entertainment
Victim Organization: BlackSexFinder
Victim Site: blacksexfinder.com
Sale of UHQ combo lists and stealer logs targeting US and EU accounts
Category: Combo List
Content: A threat actor operating as antalya_H is selling access to a private cloud service offering UHQ Hotmail combos, mixed combo lists, geo-targeted credentials for USA and EU regions, and stealer logs. The service includes email checkers and claims to provide fresh, high-hit-rate credentials marketed as private and deduplicated. Access is sold via direct message with a free trial sample available.
Date: 2026-05-16T01:46:26Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-pravet-usa-%F0%9F%87%BA%F0%9F%87%B8-by-antalya-h
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ combo lists and stealer logs targeting Germany and global regions
Category: Combo List
Content: A threat actor operating as Antalya Private Cloud is offering UHQ Hotmail combos, mixed combo lists, geo-targeted country combos, and premium stealer logs for sale. The service advertises high hit rates, private and fresh data, and includes mail/Hotmail checkers. Access is sold via Telegram with a free trial sample available.
Date: 2026-05-16T01:46:08Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-pravet-germany-%F0%9F%87%A9%F0%9F%87%AA-by-antalya-h
Screenshots:
None
Threat Actors: cloudantalya
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Alleged data leak of Argentine BCRA, IOMA, and PFA records by EsqueleSquad
Category: Data Leak
Content: A threat actor operating under the name EsqueleSquad has leaked multiple Argentine government datasets for free, including over 32 million BCRA credit scoring records, over 1 million IOMA affiliate and patient records, and approximately 903 classified PFA documents. The actor claims to also possess personal information on provincial governor Axel Kicillof, including phone numbers, chats, and addresses, with partial release contingent on community engagement. Data is distributed via a Telegram ch
Date: 2026-05-16T01:43:20Z
Network: openweb
Published URL: https://xforums.st/threads/argentina-bcra-gdeba-ioma-all-leak-free.615211/
Screenshots:
None
Threat Actors: Server1172
Victim Country: Argentina
Victim Industry: Government
Victim Organization: BCRA / IOMA / PFA
Victim Site: bcra.gob.ar
Website Defacement of felipequiro.com.br by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Brazilian website felipequiro.com.br. The defacement was a targeted, non-mass attack with no stated motive recorded. A mirror of the defacement was archived at zone-xsec.com.
Date: 2026-05-16T01:42:52Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922964
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Felipe Quiro
Victim Site: felipequiro.com.br
Website Defacement of CargoSmart Mada by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website cargosmartmada.com was defaced by threat actor chinafans, operating under the group 0xteam. The attack targeted a cargo and logistics organization likely based in Madagascar, as inferred from the mada suffix in the domain. The defacement was a single targeted incident, not part of a mass or repeated defacement campaign.
Date: 2026-05-16T01:42:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923014
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Madagascar
Victim Industry: Logistics and Freight
Victim Organization: CargoSmart Mada
Victim Site: cargosmartmada.com
Website Defacement of IGX Engenharia by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the threat actor chinafans, operating under the group 0xteam, defaced the website of IGX Engenharia, a Brazilian engineering firm. The defacement was a targeted, single-site attack rather than a mass or redefacement campaign. The incident was catalogued with a mirror archived at zone-xsec.com.
Date: 2026-05-16T01:41:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923018
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Engineering / Construction
Victim Organization: IGX Engenharia
Victim Site: igxengenharia.com
Website defacement of brandstore.biz by chinafans of 0xteam
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website brandstore.biz, targeting a likely retail or brand merchandise platform. The defacement was a targeted single-site compromise, not a mass or home page defacement. The incident was archived and mirrored via zone-xsec.com for record purposes.
Date: 2026-05-16T01:40:48Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923001
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail/E-commerce
Victim Organization: Brand Store
Victim Site: brandstore.biz
Website defacement of messypdf.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website messypdf.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a specific file path (0x.txt) rather than the homepage, suggesting a targeted file-level compromise. No specific motivation or technical details regarding the attack vector were disclosed.
Date: 2026-05-16T01:40:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922975
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology/Software
Victim Organization: MessyPDF
Victim Site: messypdf.com
Website Defacement of ialphai.com by chinafans (0xteam)
Category: Defacement
Content: The website ialphai.com was defaced by threat actor chinafans, operating under the group 0xteam, on May 16, 2026. The defacement targeted a specific file path (/0x.txt) rather than the homepage, indicating a targeted file-level intrusion. The incident was neither a mass defacement nor a redefacement, and server details remain unknown.
Date: 2026-05-16T01:39:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923020
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: ialphai.com
Website Defacement of Tsiry Virtual SAV Assistant by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the team 0xteam, defaced the website of Tsiry, a virtual SAV (after-sales service) assistant provider. The incident was a single-target, non-mass defacement, with the mirror of the defaced page archived on zone-xsec.com. No additional technical details regarding the server infrastructure or attack vector were disclosed.
Date: 2026-05-16T01:38:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922998
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Business Services / Virtual Assistance
Victim Organization: Tsiry Virtual SAV Assistant
Victim Site: tsiry-assistante-sav-virtuelle…
Website Defacement of Arviax.ai by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website arviax.ai was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a specific file path (0x.txt) on the domain, which appears to be an AI-related technology platform. The incident was a single-target, non-mass defacement with no redefacement history recorded.
Date: 2026-05-16T01:37:55Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923004
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology / Artificial Intelligence
Victim Organization: Arviax
Victim Site: arviax.ai
Website Defacement of limten.co.za by chinafans of 0xteam
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the South African website limten.co.za. The defacement was recorded as a singular targeted attack rather than a mass or redefacement event. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-05-16T01:37:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922978
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: South Africa
Victim Industry: Unknown
Victim Organization: Limten
Victim Site: limten.co.za
Website Defacement of Naples Fishing Charter by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website naplesfishingcharter.com, belonging to a fishing charter service based in Naples, was defaced by threat actor chinafans operating under the group 0xteam. The attack was a targeted single-site defacement, with a mirror of the defaced page archived at zone-xsec.com. No specific motive or additional technical details were disclosed.
Date: 2026-05-16T01:36:27Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922985
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Tourism and Recreation
Victim Organization: Naples Fishing Charter
Victim Site: naplesfishingcharter.com
Website Defacement of Dualis Contabilidade by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the Brazilian accounting firm Dualis Contabilidade had its website defaced by a threat actor known as chinafans, operating under the group 0xteam. The attack was a targeted single-site defacement, not part of a mass defacement campaign. No specific motive or server details were disclosed in the available intelligence.
Date: 2026-05-16T01:35:43Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922990
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Financial Services / Accounting
Victim Organization: Dualis Contabilidade
Victim Site: dualiscontabilidade.com.br
Website Defacement of Bezpiecznakostka.pl by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Polish website bezpiecznakostka.pl by placing a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity. A mirror of the defaced content was archived via zone-xsec.com.
Date: 2026-05-16T01:34:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922972
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Poland
Victim Industry: Unknown
Victim Organization: Bezpieczna Kostka
Victim Site: bezpiecznakostka.pl
Website Defacement of ICT Scripts by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website ictscripts.tech by altering the file located at /0x.txt. The incident was a targeted, single-site defacement with no indicators of mass or repeated defacement activity. The server environment and specific attack vector remain unknown.
Date: 2026-05-16T01:34:10Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923003
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology / Software
Victim Organization: ICT Scripts
Victim Site: ictscripts.tech
Website Defacement of Anviet Lashing by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website anvietlashing.com was defaced by threat actor chinafans operating under the group 0xteam. The attacker placed a defacement file at the path /0x.txt, indicating a targeted single-site compromise. No specific motive or technical vector was disclosed in the available metadata.
Date: 2026-05-16T01:33:21Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923006
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Vietnam
Victim Industry: Logistics / Marine & Cargo Services
Victim Organization: Anviet Lashing
Victim Site: anvietlashing.com
Website Defacement of famfam.cat by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias chinafans, affiliated with 0xteam, defaced a file hosted on famfam.cat, a domain registered under the Catalan (.cat) top-level domain associated with Spain. The defacement targeted a specific text file path (0x.txt) rather than the sites homepage, indicating a targeted file-level intrusion. No mass or redefacement indicators were observed in this incident.
Date: 2026-05-16T01:32:38Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/923007
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Spain
Victim Industry: Unknown
Victim Organization: Famfam
Victim Site: famfam.cat
Website Defacement of Clinica Cetotrio by chinafans (0xteam)
Category: Defacement
Content: The Brazilian healthcare website clinicacetotrio.com.br was defaced by threat actor chinafans operating under the group 0xteam on May 16, 2026. The defacement was recorded at a specific file path (/0x.txt) rather than the homepage, indicating a targeted file-level compromise. The incident was catalogued with a mirror archived by zone-xsec.com.
Date: 2026-05-16T01:31:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922977
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Healthcare
Victim Organization: Clínica Cetotrio
Victim Site: clinicacetotrio.com.br
Website Defacement of Transportes Uriarte by chinafans (0xteam)
Category: Defacement
Content: The threat actor chinafans, operating under the group 0xteam, defaced the website of Transportes Uriarte, a transportation company likely based in Spain. The defacement was recorded on May 16, 2026, targeting a specific file path (0x.txt) on the domain. The incident was a singular, targeted defacement rather than a mass or repeated attack.
Date: 2026-05-16T01:31:07Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922995
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Spain
Victim Industry: Transportation and Logistics
Victim Organization: Transportes Uriarte
Victim Site: transportesuriarte.com
Website Defacement of sdds.co.th by chinafans (0xteam)
Category: Defacement
Content: A threat actor known as chinafans, operating under the team 0xteam, defaced the Thai website sdds.co.th on May 16, 2026. The defacement was a targeted single-site incident, not part of a mass defacement campaign. No specific motive or server details were disclosed in association with the attack.
Date: 2026-05-16T01:30:25Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922979
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Thailand
Victim Industry: Unknown
Victim Organization: SDDS
Victim Site: sdds.co.th
Website Defacement of Tiff Marie Photography by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website of Tiff Marie Photography was defaced by threat actor chinafans operating under the group 0xteam. The attack was a targeted single-site defacement, not classified as a mass or home page defacement. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-05-16T01:29:44Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922961
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Photography / Creative Services
Victim Organization: Tiff Marie Photography
Victim Site: tiffmariephotography.com
Website Defacement of Sutherland Landscaping by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website of Sutherland Landscaping was defaced by a threat actor operating under the alias chinafans, affiliated with the hacking group 0xteam. The attack targeted a subdirectory or file path on the domain and was a single, targeted defacement rather than a mass or home page compromise. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-05-16T01:28:24Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922957
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Landscaping / Agriculture & Horticulture Services
Victim Organization: Sutherland Landscaping
Victim Site: sutherlandlandscaping.org
Combo List of 3,000 Hotmail credentials
Category: Combo List
Content: A threat actor on a cracking forum has shared a combo list allegedly containing 3,000 Hotmail credentials. The post includes a download link and a prompt to join the actors group. No further details about the data origin or format are provided.
Date: 2026-05-16T01:28:19Z
Network: openweb
Published URL: https://cracked.st/Thread-3K-HOTMAIL-ACCESS
Screenshots:
None
Threat Actors: Re4perr2
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Hotmail combo list with 3.4K credentials offered for free
Category: Combo List
Content: A threat actor shared a combo list of approximately 3,400 Hotmail credentials via a Mediafire link. The post markets the credentials as valid and UHQ (ultra-high quality). The list appears to be distributed freely.
Date: 2026-05-16T01:28:10Z
Network: openweb
Published URL: https://crackingx.com/threads/75412/
Screenshots:
None
Threat Actors: redcloud
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Iglesia Refugio by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website iglesiarefugiocr.com, belonging to a Costa Rican religious organization known as Iglesia Refugio, was defaced by threat actor chinafans operating under the group 0xteam. The defacement was a targeted single-site attack, with the defaced content accessible via the path /0x.txt and mirrored on zone-xsec.com.
Date: 2026-05-16T01:27:41Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922981
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Costa Rica
Victim Industry: Religious Organization
Victim Organization: Iglesia Refugio
Victim Site: iglesiarefugiocr.com
Website Defacement of FreeFlashtutorials.com by chinafans (0xteam)
Category: Defacement
Content: The website freeflashtutorials.com was defaced by threat actor chinafans, operating under the group 0xteam, on May 16, 2026. The defacement was a targeted, single-site attack with a text file (0x.txt) used as the defacement artifact. No specific motivation or server details were disclosed in connection with this incident.
Date: 2026-05-16T01:26:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922956
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Education / Online Tutorials
Victim Organization: Free Flash Tutorials
Victim Site: freeflashtutorials.com
Website Defacement of BPA Export by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website bpaexport.cl, belonging to BPA Export, a Chilean export or trade-related organization, was defaced by a threat actor known as chinafans operating under the group 0xteam. The defacement was a targeted, non-mass incident affecting a specific page on the domain. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-05-16T01:26:11Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922971
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Chile
Victim Industry: Export / Trade
Victim Organization: BPA Export
Victim Site: bpaexport.cl
Website Defacement of Sejapiloto by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the Brazilian website sejapiloto.com.br. The defacement was a targeted, single-site attack and was not classified as a mass or home page defacement. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-05-16T01:25:15Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922970
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Seja Piloto
Victim Site: sejapiloto.com.br
Sale of HQ mixed mail access combo list
Category: Combo List
Content: A threat actor is sharing a combo list of approximately 1,300 high-quality mixed mail access credentials on a cybercrime forum. The content is hidden behind a registration or login requirement. No specific victim organization or country is identified.
Date: 2026-05-16T01:24:56Z
Network: openweb
Published URL: https://patched.to/Thread-1-3k-hq-mixed-mail-access-combolist-302861
Screenshots:
None
Threat Actors: liamgoat
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Greenwill by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, affiliated with 0xteam, defaced the website greenwill.co, leaving a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no mass or repeat defacement indicators recorded. Server and infrastructure details were not disclosed in available intelligence.
Date: 2026-05-16T01:18:50Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922862
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Greenwill
Victim Site: greenwill.co
Website defacement of Shinohara Group by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced a file hosted on shinohara.group, a domain associated with the Shinohara Group organization. The defacement was a targeted single-site attack, with the mirror of the defaced content archived at zone-xsec.com. No specific motivation or technical details regarding the server environment were disclosed.
Date: 2026-05-16T01:18:06Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922839
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Japan
Victim Industry: Corporate/Business
Victim Organization: Shinohara Group
Victim Site: shinohara.group
Website Redefacement of Briques Finserve by chinafans (0xteam)
Category: Defacement
Content: The threat actor chinafans, operating under the team 0xteam, conducted a redefacement of briquesfinserve.com on May 16, 2026. This incident marks a repeated compromise of the target, suggesting the underlying vulnerability was not fully remediated after the initial defacement. The defacement was not classified as a mass or home page defacement, indicating a targeted file-level intrusion.
Date: 2026-05-16T01:17:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922857
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Financial Services
Victim Organization: Briques Finserve
Victim Site: briquesfinserve.com
Website Defacement of Cool Comfort Repair Service by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Cool Comfort Repair Service, an Indian home services and HVAC repair business. The defacement targeted the domain coolcomfirtrepairservice.in and was recorded as a single, non-mass defacement event. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-05-16T01:16:32Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922875
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Home Services / HVAC Repair
Victim Organization: Cool Comfort Repair Service
Victim Site: coolcomfirtrepairservice.in
Website Defacement of Eagle International Logistic by chinafans (0xteam)
Category: Defacement
Content: The website of Eagle International Logistic was defaced by threat actor chinafans, affiliated with the hacking group 0xteam, on May 16, 2026. The attack was a targeted single-site defacement, with a mirror of the defacement archived at zone-xsec.com. No additional technical details such as server software, IP address, or attack vector were disclosed.
Date: 2026-05-16T01:15:51Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922848
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Logistics and Transportation
Victim Organization: Eagle International Logistic
Victim Site: eagleinternationallogistic.com
Website Redefacement of Laarhagro by chinafans (0xteam)
Category: Defacement
Content: The website laarhagro.com was redefaced by threat actor chinafans operating under the group 0xteam on May 16, 2026. This incident is classified as a redefacement, indicating the site had been previously compromised and defaced by the same or another actor. The defacement was not a mass or homepage defacement, targeting a specific path on the domain.
Date: 2026-05-16T01:15:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922865
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Agriculture
Victim Organization: Laarhagro
Victim Site: laarhagro.com
Website Defacement of sra17.xyz by chinafans (0xteam)
Category: Defacement
Content: A threat actor operating under the handle chinafans, affiliated with 0xteam, defaced the website sra17.xyz on May 16, 2026. The defacement was a targeted single-site attack, not part of a mass defacement campaign. Limited technical details are available regarding the server infrastructure or exploitation method used.
Date: 2026-05-16T01:14:19Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922855
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: sra17.xyz
Website Defacement of imotoshare.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website imotoshare.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement was a targeted single-site incident, with the attacker leaving a text-based payload at the path /0x.txt. The incident was archived and mirrored by zone-xsec.com for record-keeping purposes.
Date: 2026-05-16T01:13:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922851
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Automotive / Motorsports Sharing Platform
Victim Organization: iMotoShare
Victim Site: imotoshare.com
Website Defacement of Masterigrandecoast.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website masterigrandecoast.com was defaced by a threat actor operating under the alias chinafans, affiliated with the group 0xteam. The attack involved the placement of a defacement file (0x.txt) on the target server. The incident was a singular, targeted defacement with no indication of mass or repeat defacement activity.
Date: 2026-05-16T01:12:47Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922892
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Masteri Grande Coast
Victim Site: masterigrandecoast.com
Website Defacement of Terena.io by chinafans (0xteam)
Category: Defacement
Content: The website terena.io was defaced by a threat actor known as chinafans, operating under the group 0xteam, on May 16, 2026. The defacement was a targeted single-site attack, with the defaced content accessible at the path /0x.txt. A mirror of the defacement was archived by zone-xsec.com under ID 922889.
Date: 2026-05-16T01:12:05Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922889
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Terena
Victim Site: terena.io
Sale of UHQ Hotmail combo list
Category: Combo List
Content: A threat actor is distributing approximately 4,500 UHQ Hotmail credential hits, with free drops advertised and a private cloud available for purchase via Telegram handle @window_linux01.
Date: 2026-05-16T01:12:00Z
Network: openweb
Published URL: https://patched.to/Thread-%E2%9C%85-4-5k-uhq-hotmail-hit-%E2%9C%85
Screenshots:
None
Threat Actors: aurexopforu
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Kebabaretxabaleta by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website kebabaretxabaleta.es, a Spanish food and beverage establishment. The defacement was a targeted, non-mass incident affecting a single page on the domain. The attack was documented and mirrored via zone-xsec.com.
Date: 2026-05-16T01:11:15Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922860
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Spain
Victim Industry: Food & Beverage / Restaurant
Victim Organization: Kebabaretxabaleta
Victim Site: kebabaretxabaleta.es
Combo list of mixed corporate targets distributed on forum
Category: Combo List
Content: A combo list containing 74,411 email:password lines targeting mixed corporate accounts was shared on a cracking forum. The list is marketed as suitable for credential stuffing against various corporate targets. No further details are available from the post content.
Date: 2026-05-16T01:11:08Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-74-411-Lines-%E2%9C%85-Combolist-Corp-Mixed-target-2026
Screenshots:
None
Threat Actors: HqComboSpace
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of mixed corporate domain combo list with 121,950 credentials
Category: Combo List
Content: A threat actor is offering a combo list of 121,950 mixed corporate domain email and password pairs on a cracking forum. The list appears to target corporate email accounts across multiple organizations or domains. No additional details are available from the post content.
Date: 2026-05-16T01:10:48Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-121-950-%E2%9A%A1-Mixed-Corp-Domain
Screenshots:
None
Threat Actors: AiCombo
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Redefacement of Thuannong.vn by chinafans (0xteam)
Category: Defacement
Content: The website thuannong.vn, a Vietnamese agricultural domain, was redefaced by threat actor chinafans operating under the team 0xteam on May 16, 2026. This incident is classified as a redefacement, indicating the site had been previously compromised and defaced by the same or a different actor. The defacement was not a mass or homepage defacement, targeting a specific path (0x.txt) on the server.
Date: 2026-05-16T01:10:35Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922861
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Vietnam
Victim Industry: Agriculture
Victim Organization: Thuan Nong
Victim Site: thuannong.vn
Website Redefacement of skcreator.in by chinafans of 0xteam
Category: Defacement
Content: The website skcreator.in was defaced by threat actor chinafans, operating under the group 0xteam. This incident is classified as a redefacement, indicating the site had been previously compromised by the same or another actor. The defacement was recorded on May 16, 2026, and is mirrored at zone-xsec.com.
Date: 2026-05-16T01:09:44Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922842
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Unknown
Victim Organization: SK Creator
Victim Site: skcreator.in
Website Defacement of Suhana Realtors by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias chinafans, affiliated with 0xteam, defaced the website of Suhana Realtors at suhanarealtors.com. The defacement targeted a specific file path (0x.txt) rather than the homepage, indicating a targeted file-level intrusion. The incident was recorded and mirrored by zone-xsec.com under mirror ID 922871.
Date: 2026-05-16T01:08:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922871
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Real Estate
Victim Organization: Suhana Realtors
Victim Site: suhanarealtors.com
Website Defacement of japclima.com by chinafans (0xteam)
Category: Defacement
Content: The website japclima.com was defaced by a threat actor identified as chinafans, operating under the team 0xteam, on May 16, 2026. The defacement was a targeted single-site incident, with the attacker leaving a text file (0x.txt) as proof of compromise. No additional details regarding the attackers motive or server infrastructure were disclosed.
Date: 2026-05-16T01:08:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922858
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Japclima
Victim Site: japclima.com
Website Redefacement of Cours-Escalade by chinafans (0xteam)
Category: Defacement
Content: The website cours-escalade.com, a French climbing course platform, was redefaced by threat actor chinafans operating under the group 0xteam on May 16, 2026. This incident is classified as a redefacement, indicating the site had been previously compromised and targeted again. The defacement was not categorized as a mass or homepage defacement, suggesting a targeted file-level intrusion.
Date: 2026-05-16T01:07:25Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922866
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: France
Victim Industry: Sports and Recreation
Victim Organization: Cours Escalade
Victim Site: cours-escalade.com
Website Defacement of Leorian Outfits by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website leorianoutfits.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The attacker placed a defacement file at the path /0x.txt on the target server. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-05-16T01:06:34Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922876
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail / Fashion
Victim Organization: Leorian Outfits
Victim Site: leorianoutfits.com
Website Defacement of Reebo Consult by chinafans (0xteam)
Category: Defacement
Content: The website reeboconsult.com was defaced by threat actor chinafans, operating under the group 0xteam, on May 16, 2026. The defacement targeted a specific file path (0x.txt) on the consulting firms web server. This was a single targeted defacement rather than a mass or home page compromise.
Date: 2026-05-16T01:05:50Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922881
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Consulting
Victim Organization: Reebo Consult
Victim Site: reeboconsult.com
Website Defacement of 3D Print Shape by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website 3dprintshape.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The attack targeted a specific text file path (/0x.txt) on the domain. The incident was a singular, non-mass defacement with no prior redefacement history recorded.
Date: 2026-05-16T01:05:05Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922845
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Manufacturing / 3D Printing
Victim Organization: 3D Print Shape
Victim Site: 3dprintshape.com
Website Redefacement of Yuwraj Computer by chinafans (0xteam)
Category: Defacement
Content: The threat actor chinafans, operating under the group 0xteam, conducted a redefacement of the Indian computer services website yuwrajcomputer.in on May 16, 2026. This incident marks at least a second successful compromise of the target, indicating persistent targeting or inadequate remediation following the initial defacement. No specific motive or vulnerability details were disclosed.
Date: 2026-05-16T01:04:17Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922852
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Technology / Computer Services
Victim Organization: Yuwraj Computer
Victim Site: yuwrajcomputer.in
Website Defacement of lanaalarab.com by chinafans of 0xteam
Category: Defacement
Content: On May 16, 2026, the website lanaalarab.com was defaced by a threat actor identified as chinafans, operating under the group 0xteam. The attack targeted a specific file path (/0x.txt) rather than the site homepage, indicating a targeted file-level defacement. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-05-16T01:03:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922888
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Media/Entertainment
Victim Organization: Lana Al Arab
Victim Site: lanaalarab.com
Website Defacement of Dewan Fashion Hub by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website dewanfashionhub.com was defaced by a threat actor operating under the handle chinafans, affiliated with the group 0xteam. The defacement was a targeted single-site compromise, with the attacker leaving a marker at the path /0x.txt. No specific motive or technical details regarding the server environment were disclosed.
Date: 2026-05-16T00:56:50Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922827
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail / Fashion
Victim Organization: Dewan Fashion Hub
Victim Site: dewanfashionhub.com
Website Defacement of Sysplorer by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the Italian website sysplorer.it was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a text file (0x.txt) hosted on the domain. The incident was a targeted, non-mass defacement with no specific motivation publicly disclosed.
Date: 2026-05-16T00:56:05Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922815
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Italy
Victim Industry: Technology
Victim Organization: Sysplorer
Victim Site: sysplorer.it
Website Defacement of mrdan.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website mrdan.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The attacker uploaded a defacement file at mrdan.com/0x.txt. The incident was a targeted, non-mass defacement with no specific reason publicly disclosed.
Date: 2026-05-16T00:55:12Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922816
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Mr. Dan
Victim Site: mrdan.com
Website Defacement of livingmx360.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website livingmx360.com was defaced by a threat actor operating under the alias chinafans, affiliated with the group 0xteam. The defacement was a targeted single-site attack, with a mirror of the defaced page archived at zone-xsec.com. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-05-16T00:54:20Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922806
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Mexico
Victim Industry: Unknown
Victim Organization: Living MX 360
Victim Site: livingmx360.com
Website Defacement of ranimo.co.uk by chinafans (0xteam)
Category: Defacement
Content: The website ranimo.co.uk was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The defacement was recorded on May 16, 2026, and involved the placement of a defacement file at ranimo.co.uk/0x.txt. The incident was a targeted single-site defacement with no additional technical indicators such as server software or IP address disclosed.
Date: 2026-05-16T00:53:26Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922804
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United Kingdom
Victim Industry: Unknown
Victim Organization: Ranimo
Victim Site: ranimo.co.uk
Website Defacement of Cajun AG Drones by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website cajunagdrones.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a Louisiana-based agricultural drone services company, with the attack recorded as a single, non-mass defacement. A mirror of the defaced page was archived at zone-xsec.com.
Date: 2026-05-16T00:52:03Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922800
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Agriculture / Drone Services
Victim Organization: Cajun AG Drones
Victim Site: cajunagdrones.com
Website Defacement of pronarikka.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website pronarikka.com was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The defacement was a targeted, single-site incident with the defaced content accessible at the path /0x.txt. No specific motive or server details were disclosed in connection with this attack.
Date: 2026-05-16T00:51:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922814
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Pronarikka
Victim Site: pronarikka.com
Website Defacement of Italian Accounting/Tax Consultancy by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor identified as chinafans, operating under the group 0xteam, defaced the website of an Italian commercial accountant (commercialista) known as Dottoressa Rosset. The incident was a targeted single-site defacement with no indication of mass or repeated defacement activity. No specific motive or technical exploitation details were disclosed.
Date: 2026-05-16T00:50:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922820
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Italy
Victim Industry: Financial Services / Accounting
Victim Organization: Dottoressa Rosset (Commercialista)
Victim Site: commercialistadottoressarosset…
Website Defacement of Safe Hands Accounting by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor identified as chinafans, operating under the group 0xteam, defaced the website of Safe Hands Accounting, a UK-based accounting firm. The incident was a targeted single-site defacement, not classified as a mass or home page defacement. No specific motivation or server details were disclosed in the available intelligence.
Date: 2026-05-16T00:50:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922819
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United Kingdom
Victim Industry: Financial Services / Accounting
Victim Organization: Safe Hands Accounting
Victim Site: safehandsaccounting.co.uk
Sale of stolen credit cards for multiple countries with balances up to $5,000
Category: Carding
Content: A threat actor is offering stolen credit cards purportedly valid for multiple countries including the UK, USA, Canada, and Australia, with claimed balances between $1,000 and $5,000. The cards are advertised as suitable for online payments, bill payments, shopping, and linking to accounts. The seller offers free replacements for non-working cards and directs buyers to contact via Telegram handle @kaiotp.
Date: 2026-05-16T00:49:51Z
Network: openweb
Published URL: https://demonforums.net/Thread-I-got-valid-CC%E2%80%99s-for-all-countries-with-the-balance-of-1k-5k-with-All-Access-Info–204244
Screenshots:
None
Threat Actors: poisonBM265
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of hesinhisbag.com by chinafans (0xteam)
Category: Defacement
Content: The website hesinhisbag.com was defaced by threat actor chinafans, operating under the team name 0xteam, on May 16, 2026. The defacement was a targeted single-site attack, leaving a text file at the path /0x.txt as evidence of the intrusion. No specific motive or reason was provided for the attack.
Date: 2026-05-16T00:49:15Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922823
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: hesinhisbag.com
Sale of Hotmail combo list with 1,845 valid credentials
Category: Combo List
Content: A threat actor is offering a combo list of 1,845 purportedly valid Hotmail credentials on a cybercrime forum. The post markets the list as UHQ (ultra-high quality) and references private cloud access. Contact is directed via Telegram.
Date: 2026-05-16T00:48:48Z
Network: openweb
Published URL: https://demonforums.net/Thread-Email-Pass-%E2%9A%A1%E2%9A%A1-X1845-Valid-UHQ-HOTMAIL-%E2%9A%A1%E2%9A%A1
Screenshots:
None
Threat Actors: Roronoa044
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Sri Suryas International by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website of Sri Suryas International, an Indian commercial entity, was defaced by threat actor chinafans operating under the group 0xteam. The attack was a targeted, non-mass defacement of a subdirectory or specific page on the domain. The incident was archived and mirrored by zone-xsec.com under mirror ID 922813.
Date: 2026-05-16T00:48:25Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922813
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Commerce / Trade
Victim Organization: Sri Suryas International
Victim Site: srisuryasinternational.in
Website Defacement of theartitech-hub.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website theartitech-hub.com was defaced by a threat actor operating under the handle chinafans, affiliated with the group 0xteam. The defacement was a targeted, non-mass attack against what appears to be a technology-oriented organization. The incident was archived and mirrored via zone-xsec.com.
Date: 2026-05-16T00:47:39Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922824
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: ArtiTech Hub
Victim Site: theartitech-hub.com
Website Defacement of dieciterre.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website dieciterre.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement was a targeted, single-site incident with no indication of mass or repeated defacement activity. The server details and motive behind the attack remain unknown.
Date: 2026-05-16T00:46:57Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922811
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Dieciterre
Victim Site: dieciterre.com
Website Defacement of AG International Group by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the threat actor chinafans, operating under the group 0xteam, successfully defaced the website of AG International Group at aginternationalgroup.net. The attack was a targeted single-site defacement, with no indication of mass or repeated defacement activity. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-05-16T00:46:16Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922812
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Business Services
Victim Organization: AG International Group
Victim Site: aginternationalgroup.net
Website Defacement of tcboton.com by chinafans (0xteam)
Category: Defacement
Content: The website tcboton.com was defaced by a threat actor identified as chinafans, operating under the group 0xteam, on May 16, 2026. The defacement was recorded as a single, non-mass, non-repeated incident targeting a specific file path on the domain. No additional details regarding the attackers motivation, server configuration, or proof of concept were provided.
Date: 2026-05-16T00:45:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922817
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: TC Boton
Victim Site: tcboton.com
Website Defacement of Comforth by chinafans (0xteam)
Category: Defacement
Content: The threat actor chinafans, operating under the group 0xteam, defaced the Brazilian website comforth.com.br on May 16, 2026. The defacement was a targeted single-site attack, not part of a mass defacement campaign. The incident was mirrored and archived by zone-xsec.com for record-keeping purposes.
Date: 2026-05-16T00:44:46Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922826
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Unknown
Victim Organization: Comforth
Victim Site: comforth.com.br
Website Defacement of Hope McGill by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website hopemcgill.com was defaced by a threat actor operating under the handle chinafans, affiliated with the group 0xteam. The attacker targeted a specific file path (/0x.txt) on the domain. The incident was a single, non-mass, non-home page defacement, with a mirror of the defacement archived at zone-xsec.com.
Date: 2026-05-16T00:43:56Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922805
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Hope McGill
Victim Site: hopemcgill.com
Website Defacement of Ashoka Empire by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the Indian website ashokaempire.in was defaced by threat actor chinafans operating under the group 0xteam. The attacker uploaded a defacement file at the path /0x.txt. The incident was a targeted, non-mass defacement with no specific motivation publicly disclosed.
Date: 2026-05-16T00:37:58Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922733
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: India
Victim Industry: Unknown
Victim Organization: Ashoka Empire
Victim Site: ashokaempire.in
Website Defacement of azurprotectsystem.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor identified as chinafans, operating under the group 0xteam, defaced the website azurprotectsystem.com by placing a defacement file at the path /0x.txt. The targeted domain appears to belong to a technology or cybersecurity-oriented organization. The incident was recorded as a standalone, non-mass defacement with no additional technical server details available.
Date: 2026-05-16T00:37:17Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922739
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology / Cybersecurity
Victim Organization: Azur Protect System
Victim Site: azurprotectsystem.com
Website Defacement of Balboa Rare Books by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website balboararebooks.com was defaced by threat actor chinafans, operating under the group 0xteam. The attacker placed a defacement file at balboararebooks.com/0x.txt. This was a targeted, non-mass defacement with no prior redefacement history recorded.
Date: 2026-05-16T00:36:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922728
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Retail / Books and Collectibles
Victim Organization: Balboa Rare Books
Victim Site: balboararebooks.com
Website Defacement of daviddesant.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website daviddesant.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The attacker targeted a specific text file path (/0x.txt) on the domain. No additional technical details such as server software, IP address, or motivation were disclosed in connection with this incident.
Date: 2026-05-16T00:35:42Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922744
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: David De Sant
Victim Site: daviddesant.com
Website Defacement of AK Art Space by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website ak-artspace.com was defaced by a threat actor identified as chinafans, operating under the group 0xteam. The defacement was a targeted single-site incident, with a mirror of the defaced page archived at zone-xsec.com. The victim organization appears to be an art-related entity based on the domain name, though further attribution details including server configuration and attacker motive remain unknown.
Date: 2026-05-16T00:34:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922727
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Arts and Culture
Victim Organization: AK Art Space
Victim Site: ak-artspace.com
Website defacement of AAP Social Media by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias chinafans, affiliated with 0xteam, defaced the website aapsocialmedia.org. The defacement targeted a file at the path /0x.txt and was not classified as a mass or home page defacement. No specific motive or server details were disclosed for this incident.
Date: 2026-05-16T00:34:15Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922752
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Political/Social Media
Victim Organization: AAP Social Media
Victim Site: aapsocialmedia.org
Website Defacement of MSD Consulting Services by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, threat actor chinafans operating under the group 0xteam defaced the website of MSD Consulting Services. The attack targeted a specific page on the domain rather than the homepage, indicating a targeted page-level defacement. No specific motive or server details were disclosed in association with this incident.
Date: 2026-05-16T00:33:31Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922726
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Professional Services / Consulting
Victim Organization: MSD Consulting Services
Victim Site: msdconsultingservices.com
Website Defacement of CUYCPC by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website cuycpc.org by uploading a defacement file at the path /0x.txt. The incident was a targeted, single-site defacement with no indication of mass or repeated defacement activity. No specific motive or technical details regarding the server infrastructure were disclosed.
Date: 2026-05-16T00:32:45Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922734
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: CUYCPC
Victim Site: cuycpc.org
Germany mail access combo list (1.8K)
Category: Combo List
Content: A threat actor shared a combo list of approximately 1,800 German mail account credentials. The content is hidden behind a registration/login wall and is described as private data from the posters collection.
Date: 2026-05-16T00:32:20Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%E2%84%B9%EF%B8%8F1-8k-germany-mail-access-mix%E2%84%B9%EF%B8%8F%E2%9C%A8-15-05
Screenshots:
None
Threat Actors: TraxGod
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of Stylish Jewelry Wholesale by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website stylishjewelrywholesale.com was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The attack was a targeted single-site defacement, and a mirror of the defaced page was archived at zone-xsec.com. No specific motive, server details, or proof-of-concept were disclosed.
Date: 2026-05-16T00:32:01Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922748
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail / Jewelry Wholesale
Victim Organization: Stylish Jewelry Wholesale
Victim Site: stylishjewelrywholesale.com
Sale of 20K private combo list
Category: Combo List
Content: A threat actor is offering a private combo list of 20,000 email and password pairs on a cracking forum. No additional details about the targeted services or data origin are available from the post content.
Date: 2026-05-16T00:31:30Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-20k-Private-Combolist
Screenshots:
None
Threat Actors: BygBB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of ghostelf.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website ghostelf.com was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The defacement targeted a specific text file path (0x.txt) and was neither a mass defacement nor a redefacement, suggesting a targeted singular intrusion. A mirror of the defaced content was archived at zone-xsec.com.
Date: 2026-05-16T00:31:22Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922738
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Ghost Elf
Victim Site: ghostelf.com
Sale of HQ Email:Pass Combo Lists
Category: Combo List
Content: A threat actor is advertising high-quality email:password combo lists for sale via Telegram, with additional free combos available through a Telegram group. No specific victim organization, record count, or data origin is disclosed.
Date: 2026-05-16T00:31:11Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-NEW-HQ-7-Email-Pass-Combolists
Screenshots:
None
Threat Actors: Orthorons
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Combo list of 43,000 Hotmail credentials
Category: Combo List
Content: A threat actor is sharing or selling a combo list of approximately 43,000 Hotmail email and password pairs, advertised as private. No further details are available from the post content.
Date: 2026-05-16T00:30:52Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-43k-Hotmail-Full-Private
Screenshots:
None
Threat Actors: BygBB
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of meethubz.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website meethubz.com was defaced by a threat actor using the handle chinafans, operating under the group 0xteam. The defacement was a targeted, single-site incident with a text-based payload hosted at meethubz.com/0x.txt. No additional details regarding the attackers motivation or server infrastructure were disclosed.
Date: 2026-05-16T00:30:37Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922751
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: MeetHubz
Victim Site: meethubz.com
Hotmail combo list freely shared on cracking forum
Category: Combo List
Content: A threat actor shared a combo list of 996 Hotmail email and password pairs on a cracking forum. The post is labeled as old data and marketed as VIP Cloud access. No price is mentioned, suggesting the credentials were freely distributed.
Date: 2026-05-16T00:30:25Z
Network: openweb
Published URL: https://cracked.st/Thread-Email-Pass-%E2%9C%A8%E2%84%B9%EF%B8%8FX996-HOTMAIL-MAIL-ACCESS%E2%84%B9%EF%B8%8F%E2%9C%A8-15-05
Screenshots:
None
Threat Actors: SecureTrax
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Website Defacement of plenum-vs.ch by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the Swiss website plenum-vs.ch was defaced by a threat actor operating under the handle chinafans, associated with the hacking group 0xteam. The defacement was a targeted, single-site incident and not part of a mass defacement campaign. A mirror of the defacement was archived via zone-xsec.com.
Date: 2026-05-16T00:29:50Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922746
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Switzerland
Victim Industry: Unknown
Victim Organization: Plenum VS
Victim Site: plenum-vs.ch
Website Defacement of Settvisual by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the Brazilian website settvisual.com.br was defaced by threat actor chinafans, affiliated with the hacking group 0xteam. The defacement was recorded as a targeted single-site incident, with the attacker leaving a text file (0x.txt) as evidence of the compromise. No specific motive or server details were disclosed in the available incident data.
Date: 2026-05-16T00:29:04Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922736
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Brazil
Victim Industry: Visual Arts / Creative Services
Victim Organization: Settvisual
Victim Site: settvisual.com.br
Website defacement of utility.cl by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced a file hosted on utility.cl, a Chilean website likely associated with utility services. The defacement targeted a specific text file (0x.txt) rather than the homepage, indicating a targeted file-level intrusion. The attack was neither a mass defacement nor a redefacement event.
Date: 2026-05-16T00:28:18Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922730
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Chile
Victim Industry: Utilities
Victim Organization: Utility.cl
Victim Site: utility.cl
Website Defacement of calibelle.fr by chinafans (0xteam)
Category: Defacement
Content: The website calibelle.fr was defaced by threat actor chinafans, operating under the group 0xteam, on May 16, 2026. The defacement targeted a specific file path (0x.txt) rather than the homepage, indicating a targeted file drop or partial defacement. No specific motive or server details were disclosed in connection with this incident.
Date: 2026-05-16T00:27:38Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922756
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: France
Victim Industry: Unknown
Victim Organization: Calibelle
Victim Site: calibelle.fr
Website Defacement of Tomorrow Studios by chinafans (0xteam)
Category: Defacement
Content: The website tomorrow-studios.com was defaced by a threat actor known as chinafans, operating under the group 0xteam. The defacement targeted a subdirectory file (0x.txt) and was recorded on May 16, 2026. The incident was a singular, non-mass defacement with no prior redefacement history noted.
Date: 2026-05-16T00:26:59Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922732
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: United States
Victim Industry: Entertainment / Media Production
Victim Organization: Tomorrow Studios
Victim Site: tomorrow-studios.com
Website defacement of Reva Group by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced a page on revagrup.com.tr, a Turkish domain associated with Reva Group. The defacement targeted a specific URL path rather than the homepage, indicating a targeted file-level intrusion. No specific motivation or server details were disclosed in connection with this incident.
Date: 2026-05-16T00:26:14Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922737
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Turkey
Victim Industry: Unknown
Victim Organization: Reva Group
Victim Site: revagrup.com.tr
Website Defacement of victoriabafi-yeboa.com by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor operating under the alias chinafans and affiliated with 0xteam defaced the website victoriabafi-yeboa.com, uploading a defacement file at the path /0x.txt. The incident was a targeted single-site defacement with no additional technical indicators such as server software or IP address recorded. The attack was documented and mirrored by zone-xsec.com.
Date: 2026-05-16T00:25:28Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922731
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Victoria Bafi-Yeboa
Victim Site: victoriabafi-yeboa.com
Website Defacement of Roboops by chinafans (0xteam)
Category: Defacement
Content: The website roboops.com was defaced by threat actor chinafans operating under the group 0xteam on May 16, 2026. The defacement was a targeted single-site attack, leaving a text-based payload at the path /0x.txt. No specific motive or server details were disclosed in connection with the incident.
Date: 2026-05-16T00:24:44Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922743
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Technology
Victim Organization: Roboops
Victim Site: roboops.com
Website Defacement of Dainteadecor by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website dainteadecor.com, a home decor business. The defacement was a targeted, single-site incident with no mass or re-defacement indicators, and was archived via zone-xsec.com.
Date: 2026-05-16T00:24:02Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922750
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail / Home Decor
Victim Organization: Dainte a Decor
Victim Site: dainteadecor.com
Website Defacement of Pressure Cleaning Sunshine Coast by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, a threat actor known as chinafans, operating under the group 0xteam, defaced the website of Pressure Cleaning Sunshine Coast, a small business offering pressure cleaning services in Australia. The attack was a targeted single-site defacement, with no indication of mass or repeated defacement activity. The incident was documented and mirrored via zone-xsec.com.
Date: 2026-05-16T00:23:17Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922747
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Australia
Victim Industry: Home Services / Cleaning Services
Victim Organization: Pressure Cleaning Sunshine Coast
Victim Site: pressurecleaningsunshinecoast.com.au
Website Defacement of Brandlux by chinafans (0xteam)
Category: Defacement
Content: On May 16, 2026, the website brandlux.shop was defaced by threat actor chinafans operating under the group 0xteam. The defacement targeted a specific file path (0x.txt) on the e-commerce domain, consistent with the groups naming convention. The incident was a single-target, non-mass defacement with no known stated motive or exposed server details.
Date: 2026-05-16T00:22:36Z
Network: openweb
Published URL: https://zone-xsec.com/mirror/id/922753
Screenshots:
None
Threat Actors: chinafans, 0xteam
Victim Country: Unknown
Victim Industry: Retail / E-commerce
Victim Organization: Brandlux
Victim Site: brandlux.shop
Combo List targeting Hotmail
Category: Combo List
Content: A threat actor shared a combo list of 1,920 Hotmail credentials on a cybercrime forum. The content is gated behind registration or login. The credentials are marketed as verified valid (good) hits for Hotmail accounts.
Date: 2026-05-16T00:16:13Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%85%E2%9A%A11920x-good-hotmail%E2%9A%A1%E2%9C%85
Screenshots:
None
Threat Actors: NovaCloudx
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of 980 Hotmail credentials combo list
Category: Combo List
Content: A forum post on a combolist section advertises 980 alleged valid Hotmail credentials dated May 15, 2026. The content is hidden behind a login/registration wall, limiting further detail. These credentials are marketed as valid access for credential stuffing purposes.
Date: 2026-05-16T00:15:40Z
Network: openweb
Published URL: https://patched.to/Thread-file-upload-%E2%9C%A8%F0%9F%8F%87980-hotmail-valid-access-15-05-2026
Screenshots:
None
Threat Actors: SupportHotmail
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Forum co-ownership announcement by TeamPCP on Breached forum
Category: Alert
Content: TeamPCP announced their new role as co-owners of the Breached forum, outlining responsibilities including platform operations, staff management, community growth, and resource quality verification. The post includes contact details via Session and TOX messaging handles.
Date: 2026-05-16T00:11:17Z
Network: openweb
Published URL: https://breached.st/threads/teampcp-partnership-forum-co-ownership.87176/unread
Screenshots:
None
Threat Actors: TeamPCP
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of Mexican bank statements and financial documents
Category: Data Breach
Content: A threat actor is offering for sale over 900,000 files totaling 125GB of Mexican personal and financial documents dated 2021. The dataset allegedly includes bank statements, payroll receipts, utility bills, tax documents, and ID scans, with PII fields such as full name, RFC, CURP, CLABE, home address, employer details, salary, and transaction history. The originating organization has not been identified.
Date: 2026-05-16T00:10:13Z
Network: openweb
Published URL: https://breached.st/threads/mexico-900k-bank-statements-financial-documents-125gb-2021.87175/unread
Screenshots:
None
Threat Actors: tabaskoss
Victim Country: Mexico
Victim Industry: Finance
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ Yahoo combo list with 1.3K credentials
Category: Combo List
Content: A threat actor is distributing a combo list marketed as UHQ and fresh containing approximately 1,300 Yahoo credentials. The list is intended for credential stuffing or account takeover activity targeting Yahoo accounts.
Date: 2026-05-16T00:01:18Z
Network: openweb
Published URL: https://cracked.st/Thread-1-3K-UHQ-YAHOO-COMBO-FRESH–2094496
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown
Sale of UHQ Outlook combo list
Category: Combo List
Content: A combo list of approximately 1,300 Outlook credentials is being shared on a cybercrime forum, marketed as UHQ and fresh. The list is intended for credential stuffing against Outlook/Microsoft accounts.
Date: 2026-05-16T00:00:00Z
Network: openweb
Published URL: https://cracked.st/Thread-1-3K-UHQ-OUTLOOK-COMBO-FRESH–2094497
Screenshots:
None
Threat Actors: Vows
Victim Country: Unknown
Victim Industry: Unknown
Victim Organization: Unknown
Victim Site: Unknown