Dark Web Informer

30.9K posts


@DarkWebInformer

One guy. Global cybercrime. Tracked so you don't have to. Ransomware, data breaches, dark web activity, darknet markets, IOCs & emerging threats. Stay informed!

The Dark Web · Joined September 2023
78 Following · 200.4K Followers
Dark Web Informer @DarkWebInformer
‼️🇬🇹 Universidad Rafael Landívar, a Jesuit university in Guatemala, has allegedly been breached, with 84,620 photos of students and professors leaked on a popular cybercrime forum.

‣ Threat Actor: MrGoblinciano
‣ Category: Data Leak
‣ Victim: Universidad Rafael Landívar
‣ Industry: Education / Higher Education

The actor states the leak contains personal data belonging to students and professors, listed by their CARNE UNIVERSITARIO (university ID).

What's in it:

▪️ 84,620 photos of students and professors
▪️ Size: 20 GB photos and 1.54 MB JSON

Fields:

▪️ University ID (carnet)
▪️ Full name (nombre)
▪️ Date of birth (fecha_nacimiento)
▪️ ID photo
Dark Web Informer @DarkWebInformer
Most “dark web monitoring” alerts arrive days, weeks, or sometimes months after the data is posted. By then, it’s already been copied, mirrored, and resold. Dark Web Informer shows threat actor activity as it happens. darkwebinformer.com
Dark Web Informer @DarkWebInformer
🚨 RansomHouse Ransomware names an unknown Cybersecurity Vendor as a possible victim
Dark Web Informer @DarkWebInformer
‼️ A threat actor is allegedly selling SMTP and AWS SES accounts on a popular cybercrime forum, with sending limits ranging from 40K to 100K and prices starting at $150.

‣ Threat Actor: ric007
‣ Category: Illicit Service / Mailing Account Sale
‣ Victim: SendGrid, Mailgun, SparkPost, SMTP2GO, Elastic, SMTP.com, Brevo, Postmark, AWS SES
‣ Industry: Email / Cloud Mailing Services

The actor says the accounts are tested and ready for use upon delivery, providing full login credentials. Replacements are only offered for delivery-side issues, not for accounts banned due to sending content or high bounce rates.

What's offered:

SendGrid / Mailgun / SparkPost:
▪️ 50K limit: $150
▪️ 100K limit: $220

SMTP2GO / Elastic / SMTP.com:
▪️ 50K limit: $150
▪️ 100K limit: $220

Brevo:
▪️ 40K limit: $180
▪️ 100K limit: $220

Postmark:
▪️ 50K limit: $200
▪️ 100K limit: $250

AWS SES:
▪️ 50K limit: $700

Terms:

▪️ Full login credentials provided
▪️ Do not change password or security info (warranty voided)
▪️ Replacements only for delivery-side issues
▪️ Crypto only (BTC, USDT, ETH, LTC, etc.)
▪️ Pre-orders: 50% prepayment, 50% refund on cancellation
Dark Web Informer @DarkWebInformer
‼️ A threat actor is allegedly selling Active Directory Dumper & VPN Checker v2.0, a centralized AD reconnaissance and VPN credential validation toolkit, on a popular cybercrime forum starting at $1,000.

‣ Threat Actor: Snow
‣ Category: Illicit Service / Reconnaissance Toolkit
‣ Victim: Active Directory environments and VPN/LDAP services (Cisco, WatchGuard, Forti, etc.)
‣ Industry: Malware / Exploit Tooling

The actor pitches v2.0 as a re-architected product centered around an Orchestrator web panel for centralized task management and analytics, with worker dumper instances handling automated deployment via Incus and Java. Built-in protection blocks operations against CIS countries (Russia, Belarus, etc.), Georgia, Ukraine, and China.

What's offered:

▪️ Orchestrator web panel (centralized task management, live status of every server/instance)
▪️ Auto-Deploy (Zero-Touch): rent server, pre-install Incus + Java, add SSH credentials
▪️ Scalability and rotation across multiple VPS providers
▪️ Statistics dashboard (valid hits, discovered domain controllers)
▪️ Smart search with multi-field filtering
▪️ One-click export of all dumped logs

Active Directory Dumper modes:

▪️ Minidump: users, admins, domain controllers, domain trusts, server/PC inventory, OS stats
▪️ Fulldump: minidump plus group structures, OUs, subnet maps
▪️ Fastdump: quick stats on users/PCs, current user groups, DC IPs
▪️ Share Enum: SMB share scanning with read/write rights verification

VPN Checker:

▪️ Validates access against VPN/LDAP
▪️ Supported: Cisco, WatchGuard, Forti, and others
▪️ Auto-triggers data collection on successful connection

Tech stack:

▪️ Python (dumper)
▪️ Java / Incus (infrastructure)
▪️ Sold with full source code
▪️ Self-hosted SaaS, no third-party dependencies

Pricing:

▪️ $1,000: dumper with source, panel without source
▪️ $1,500: dumper with source, panel with source
▪️ Free upgrade to v2.0 for previous buyers (panel without source)
Dark Web Informer @DarkWebInformer
Make sure if you apply to be staff at the fake BF that you are 18 years of age or older. 🤣
Dark Web Informer @DarkWebInformer
This is the only way. Dread: https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad[.]onion/post/88e4e08bf4f3e9f1be38
Dark Web Informer @DarkWebInformer
‼️🇲🇽 The MORENA political movement in Tabasco, Mexico has allegedly been breached, with founder records and ID images leaked on a popular cybercrime forum.

‣ Threat Actor: Memejico2026A
‣ Category: Data Leak
‣ Victim: MORENA Movement (Tabasco, Mexico)
‣ Industry: Politics / Political Party

The actor leaked 1,145 founder records and 807 images including INE national ID scans tied to MORENA's founders in the state of Tabasco.

What's in it:

▪️ 1,145 records
▪️ 807 images including INE IDs
▪️ Size: ~300 MB

Fields:

▪️ Full name (nombre)
▪️ Municipality (Municipio)
▪️ Section (Sección)
▪️ Federal district (DF)
▪️ Local district (DL)
▪️ State (Estado)
▪️ Sex (Sexo)
▪️ Age (Edad)
▪️ Founding year (Año Fundador)
▪️ Family member who registered (Familiar que registró)
▪️ Community (Comunidad)
▪️ Evidence files (Evidencias)
Dark Web Informer @DarkWebInformer
‼️ A threat actor is allegedly selling a full backup of an unnamed crypto B2B affiliate company on a popular cybercrime forum, containing 46 separate product databases tied to crypto, NFT, and AI agent platforms. Pricing starts at $30,000.

‣ Threat Actor: unico
‣ Category: Data Sale
‣ Victim: Undisclosed crypto B2B affiliate company
‣ Industry: Cryptocurrency / Web3 / NFT / AI

The actor describes the leak as a full production database backup containing live data behind roughly four dozen crypto, NFT, and "AI agent" products the company operates. They note that some lines have been recently checked but most data is untouched, and claim the buyer would profit if they know what they're doing.

What's in it:

▪️ 26 GB total size
▪️ 73,367,423 individual records
▪️ 46 separate product databases
▪️ 119,273 unique personal email addresses (379,962 total appearances across 90 tables)
▪️ 14 admin accounts with password hashes (SCRAM-SHA-1 and SCRAM-SHA-256)

Affected products include:

▪️ z1labs_cypher: blockchain testnet (45.5M records of token transfers, contract deployments, faucet claims)
▪️ photonchain: crypto user / points / referral platform (9.9M records)
▪️ stabilio_backend: DeFi pool analytics (8.9M records of price, yield, liquidity)
▪️ nftb_io: NFT marketplace (3.7M records: items, users, vesting, image assets)
▪️ robox_to: crypto app platform (campaigns, waitlists, beta testers)
▪️ eba: crypto-oriented social feed (users and posts, ~377,000 records)
▪️ Dozens of smaller AI agents (hypaw_ai, rivens_ai, zalen_ai, testra_ai, synthas_ai, taiagent, lylo_ai, clearpill, yodalabs_io, and others)
▪️ Token launchpad trackers
▪️ Web3 auction platform (nexus_auction)
▪️ Staking and vesting services (Seraphnet)
▪️ Internal dev / test copies of most of the above

Personal data fields:

▪️ Email addresses
▪️ Crypto wallet addresses
▪️ Referral codes / invite chains
▪️ Points balances and reward claims
▪️ Sign-up dates and IP-linked activity logs
▪️ Beta program and whitelist memberships
▪️ Support contact messages sent to the team
▪️ Social media data attached to users

Pricing:

▪️ $30,000 if allowed to sell multiple copies
▪️ $50,000 if kept private
Dark Web Informer @DarkWebInformer
‼️ A threat actor is allegedly selling a React2Shell exploitation toolkit on a popular cybercrime forum, pitched as a way to mass-scan, exploit, and dump databases from vulnerable React-based servers.

‣ Threat Actor: unico
‣ Category: Illicit Service / Exploitation Toolkit
‣ Victim: React2Shell-vulnerable web servers
‣ Industry: Malware / Exploit Tooling

The actor describes the toolkit as a full RCE against vulnerable targets, claiming thousands of sites are still unpatched. It is pitched as useful for creating dumps, harvesting industry-grade API keys, SMTPs, and payment data (such as Stripe keys), and infecting x86 web servers.

What's offered:

▪️ Script to scan for React2Shell vulnerable sites (mass internet scanning)
▪️ Script to produce a "pseudo-shell" for manual recon and command execution
▪️ Script to automatically exfiltrate .env files, API keys, and other data
▪️ Script to automatically dump databases from compromised servers

Use cases:

▪️ Creating custom data dumps
▪️ Harvesting API keys, SMTP credentials, payment keys (Stripe, etc.)
▪️ Infecting x86 web servers

Pricing:

▪️ $750 without updates
▪️ $1,000 with updates
Dark Web Informer @DarkWebInformer
❗️ Don’t wait for the “wE rEgReT tO iNfOrM yOu” Email

Companies can take days, weeks, or even months to admit your data was stolen. Threat actors don’t wait. Neither should you.

🛡️ darkwebinformer.com - Stay one step ahead of threats and slow disclosures.