Normal

‼️🇩🇪 Six hosting/registrar providers, described by the actor as "German registrars," have allegedly suffered an unauthorized access of their internal systems after threat actors pivoted through the Axmir panel, with 7.2 million database lines and 18.2 GB of source code put up on a popular cybercrime forum. ⠀ ‣ Threat Actor: NormalLeVrai (in collaboration with "Near") ‣ Category: Data Breach / Source Code Leak / Website Defacement ‣ Victim: Axmir + 5 linked registrar/hosting domains ‣ Industry: Web Hosting / Domain Registration ⠀ The actor claims to have gained access to the Axmir panel, which was itself linked to five other registrar/hosting domains, allowing them to pull databases and source code from all six. The affected domains are: ⠀ ▪️ axmir.xyz ▪️ ajkerhoster.com ▪️ hostnomic.com ▪️ khandakarit.com ▪️ mnhost.top ▪️ rapidhostbd.com ⠀ Note: despite the "German registrar" framing, the domain names and branding on several of these providers (ajkerhoster, khandakarit, rapidhostbd) suggest Bangladeshi operators. The "German" label may refer to upstream hosting infrastructure rather than corporate origin. ⠀ The dump allegedly includes: ⠀ ▪️ 7,242,212 database lines ▪️ 18.2 GB of compressed source code ▪️ 13 subdomains also breached ▪️ 2 sites defaced ⠀ Hosting/registrar compromises of this type typically expose highly sensitive customer data. Potential exposure across the affected providers includes: ⠀ ▪️ Customer account credentials (usernames, password hashes) ▪️ Billing and contact information ▪️ Domain registration WHOIS records ▪️ Hosting control panel access data ▪️ Payment and transaction history ▪️ API keys and internal configuration

🚨 FINANCIAL SECURITY ALERT: ALLEGED SALE OF COMPROMISED CRYPTOCURRENCY ACCOUNT (UNVERIFIED) 🚨 A post has been detected from the threat actor NormalLeVrai claiming to have gained access to a corporate cryptocurrency account with a massive balance. It is crucial to treat this information as alleged and unverified, as it could be a crypto scam targeting other cybercriminals or unsuspecting buyers. 👤 Threat Actor: NormalLeVrai 💰 Reported Asset (Unconfirmed): An account with 9.22998 BTC (approx. €592,856.38). 📂 Actor's Narrative: Claims to have extracted the credentials from the inbox of a "well-known company" following a security breach. 📅 Publication Date: April 19, 2026 🛡️ Monitor: analyzer.vecert.io ⚠️ Intelligence Note: On Dark Web forums, it is common to use forged or altered screenshots to simulate nonexistent balances and scam buyers (a technique known as exit scam or ripping). Until a real transaction on the blockchain linked to a specific company is demonstrated, this incident should be considered a potential fraud threat. #CyberSecurity #CryptoScam #Bitcoin #Fintech #Hacking #InfoSec #VECERT #Cybersecurity #FraudAlert #Unconfirmed #NormalLeVrai 🛡️₿❓

what a good day

🚨 CYBERSECURITY ALERT: MASSIVE COMPROMISE OF REGISTRARS AND HOSTING (GERMANY) 🇩🇪 A large-scale intrusion targeting the control panel of Axmir, a German registrar, has been detected, which cascaded to 5 other related entities. The attack resulted in the massive exfiltration of customer data and intellectual property. 🏢 Affected Entities: 6 German Registrars/Hosting Providers: ajkerhoster.com axmir.xyz hostnomic.com khandakarit.com mnhost.top rapidhostbd.com 👤 Threat Actors: NormalLeVrai and Near. 📂 Leak Volume: 7,242,212 lines of database data (user and registration information). 18.2 GB of compressed source code. 📊 Additional Impact: Compromise of 13 subdomains. Defacement (visual alteration) confirmed on 2 of the main sites. 📅 Publication Date: April 18, 2026. 🛡️ Monitor: analyzer.vecert.io #CyberSecurity #Germany #DataBreach #Hacking #Axmir #HostingSecurity #InfoSec #VECERT #Ciberseguridad #SourceCodeLeak #NormalLeVrai #Near 🇩🇪🛡️💻

It seems that 7 million Germans, from 6 registars, have fallen 🥰

@leandrorr @nearlevrai

@NormalLeVrai @nearlevrai stop hacking us!!! 🤬

Brazilian Government with @nearlevrai 😋

🚨 INTELLIGENCE ALERT: CRITICAL COMPROMISE OF GOVERNMENT EMAIL SYSTEM (BRAZIL) 🇧🇷 A high-impact security breach targeting the Brazilian government's infrastructure has been detected. The threat actor claims to have gained full access to the email system and its administrative control panel, exfiltrating communications and attachments. 🏢 Affected Entity: Brazilian Government (Email Systems and Control Panels) 🇧🇷 👤 Threat Actor: NormalLeVrai 📂 Compromised Assets: Email System: Complete download of emails and their attachments. Data Exposed (Sample): Power BI reports ("2025 State Present"), mailing logs, and institutional notifications dated April 18, 2026. 📅 Incident Date: April 17-18, 2026. #CyberSecurity #Brazil #GovBr #DataBreach #Hacking #EmailLeak #NormalLeVrai #PowerBI #InfoSec #VECERT #Cybersecurity #IntelligenceAlert 🇧🇷🛡️⚠️

🚨 CRITICAL SECURITY ALERT: CORPORATE EMAIL COMPROMISE (ENERGIE1 - FRANCE) 🇫🇷⚡ The hijacking and subsequent sale of the main email account of the French company Energie1 has been detected. The threat actor, NormalLeVrai, claims to have exfiltrated all communications and attachments from the account, representing an imminent risk of corporate espionage and financial fraud. 🏢 Affected Entity: Energie1, France. 👤 Threat Actor: NormalLeVrai 📊 Data Volume: 405 emails and 185 attachments (590 items in total). 📅 Detection Date: April 12, 2026 📑 Compromised Information: Credentials: Login codes and private access details. Financial Documentation: Bank statements and invoices. Communications: Confidential company information and possibly customer information. 🔍 Monitor: analyzer.vecert.io #CyberSecurity #France #Energie1 #DataBreach #EmailCompromise #NormalLeVrai #VECERT #Cybersecurity #Hacking #InfoSec #France #BEC

🚨 SECURITY ALERT: E-LEARNING PLATFORM COMPROMISED (VOSFORMATEURS - FRANCE) 🇫🇷 A breach of the database and source code of the VosFormateurs online training subdomain (elearning.vosformateurs.fr) has been detected. The threat actor, NormalLeVrai, claims to have compromised this system just one month after compromising the company's main domain in March, indicating critical persistence in their infrastructure. 👤 Threat Actor: NormalLeVrai 📊 Data Volume: 40,000 lines of database records 📂 Exfiltrated Assets: Full SQL dump and source code (SRC) of the subdomain. Compromised Information: Geolocation and Logistics: Detailed city tables (iso_cities) with GPS coordinates, postal codes, population densities, and administrative data for France. Email Infrastructure: The attacker demonstrated control over the email server, sending messages from the institutional address @elearning.vosformateurs.fr. Monitor: analyzer.vecert.io #CyberSecurity #France #VosFormateurs #DataBreach #Elearning #NormalLeVrai #SourceCodeLeak #VECERT #Cybersecurity #Hacking #InfoSec #EdTech

A second time, guys, are you doing this on purpose ?

🚨 SECURITY ALERT: MASSIVE DATA LEAK AND EXTORTION (RANDOMPAZAR) 🎮 A massive database belonging to Randompazar, a digital asset and account marketplace platform described as an "Arabic version of Steam," has been leaked. The threat actor, NormalLeVrai, released the files after a failed ransom negotiation. The leaked data includes financial information, personal data, and the site's source code. 👤 Threat Actor: NormalLeVrai 📊 Data Volume: 714,667 lines of records 📑 Compromised Information (Highly Sensitive): Financial: Creditcard.txt file (alleged credit card information) and PDF invoices. Gaming Accounts: Login credentials (username:password) for platforms such as Valorant, Steam, PUBG, Discord, and social media. PII Data: Images containing personally identifiable information. Infrastructure: Complete site source code (random .zip) and full SQL database dump (localhost.sql). Context: The attacker defaced the site prior to the breach and claims to have had access to the support email inbox. Monitor: analyzer.vecert.io #CyberSecurity #RandomBreach #DataBreach #GamingSecurity #Valorant #SteamLeak #VECERT #Cybersecurity #Hacking #InfoSec #Ransomware

‼️🇫🇷 Threat actor NormalLeVrai is selling alleged Service Telecom database containing 2,835,372 user records, 16GB source code, and email backups for $2,200. The database reportedly includes customer profiles, change logs, feedback, and administrator data from the French telecommunications company.

The next attack targeting 714K people has already taken place ; I'm waiting a bit before posting it.

oupsi !🫣I should post more on Twitter about my ops, I think.

@ZnaeW @chum1ng0 It seems like they don't care about their customers or their informations.🧐

@chum1ng0 300 es un precio súper bajo, que paguen y resuelvan el problema

🇨🇱: Hasta ahora el sitio de FreeSAP Toda la información confidencial ha sido comprometida. Si no desea que esto se publique, páguenos $300 a la siguiente dirección de BTC: #ciberseguridad #Chile

🚨 Data Breach Alert: EchoVPS A threat actor is offering for sale data allegedly linked to: ☁️ EchoVPS (European VPS hosting provider) 📂 Claimed exposed data includes: • ~85,000 database records • Customer email addresses • Source code 💰 Listed price: $150 ⚠️ Threat actor claims ransom demand already issued 🚨 Potential risks: • Account takeovers (if credentials reused) • Infrastructure targeting using leaked source code • Phishing campaigns against customers Organizations and users should: • Reset passwords immediately • Enable MFA across all services • Monitor for suspicious login activity #DataBreach #ThreatIntel #CyberSecurity #DarkWeb #Infosec

🚨 CYBER THREAT ALERT: MULTIPLE BREACHES AND EXTORTION – UK TRAVEL AGENCIES 🇬🇧 🌐 The sale of data and source code belonging to three UK-based travel agencies has been detected. The threat actor "NormalLeVrai" claims to have full control over these entities' infrastructure, including access to messaging systems and email inboxes. 👤 Threat Actor: NormalLeVrai. 📍 Affected Entities: airdeals.co.uk airtips.co.uk payair.co.uk 📊 Database Volume: 102,220 records. 📂 Source Code Size: 2.97 GB (compressed; includes configuration files and backups). 📦 COMPROMISED INFORMATION (HIGHLY SENSITIVE): The exposed dataset includes financial and personal information that facilitates direct fraud: 💳 Banking and Card Data: The sample reveals customer names, dates, and what appear to be associated credit card or account numbers. 📧 Access to Communications: The attacker claims to possess direct access to the agencies' email inboxes and messaging systems, enabling the interception of communications with customers and suppliers. 💻 Intellectual Property: Complete source code for the websites, including configuration files that may contain API keys and database credentials. Monitor: analyzer.vecert.io #Cybersecurity #UK #TravelSecurity #DataLeak #Airlines #CyberAttack #InfoSec #Ransomware #FinancialFraud

🚨 CYBER THREAT ALERT: ALLEGED DATA EXFILTRATION - FREESAP.CL 🇨🇱 🌐 A critical compromise has been detected affecting the Chilean IT consultancy FreeSAP (freesap.cl). The attacker, identified as NormalLeVrai, claims to have taken control of the website and exfiltrated both the source code and the entire database following a failed ransom negotiation. 👤 Threat Actor: NormalLeVrai. 📍 Affected Entity: FreeSAP (Chilean consultancy specializing in SAP). 📊 Database Volume: 40,081 records. 📂 Source Code Size: 1.55 GB (includes configurations and backups). 🛠️ Site Status: Offline, displaying an active ransom message. 📦 COMPROMISED INFORMATION: The exfiltrated dataset and files pose a high risk to the company's business continuity and reputation: 💻 Intellectual Property: Complete website source code, sensitive configuration files, and internal backups. 👤 User and Administrator Data: The sample (PoC) reveals WordPress tables (wp_users) containing usernames, email addresses, and password hashes. 📝 Operational Content: Additional tables containing comments, posts, and activity logs related to professional clients. Monitor: analyzer.vecert.io #Cybersecurity #Chile #FreeSAP #DataLeak #SAP #CyberAttack #VECERT #InfoSec #Ransomware #WordPressBreach

The estate belongs to the Industrial Training Fund (FFI), a Nigerien government agency established in 1971. Which government is next ?🧨