Normal

🚨🔴🇫🇷 Rebondissement dans la cyberattaque de l'ANTS - un cybercriminel français demande 20 000$ et menace sans cela de diffuser la base de données ! La saga du piratage autour de l'ANTS continue. 👉🏾 Après la revendication du piratage 👉🏾 Après l'arrestation d'un jeune cybercriminel de 15ans en Corse 👉🏾 Voici que maintenant, un autre cybercriminel menace de diffuser gratuitement la base de données si l'ANTS ne paie pas 20 000$ avant le lundi 18 mai ! Ce cybercriminel, NormalLeVrai, prétend détenir aussi la base de données et menace de diffuser gratuitement 13M de données administratives de français. Il dit dans sa revendication le faire en représailles de l'arrestation de son ami breach3d, arrêté suite au piratage de l'ANTS avec une faille hyper simple... Il a publié un échantillon de quelques lignes pour prouver qu'il détient la base de données... Nouvel épisode dans une des cyberattaques les plus médiatisées en France... On a décidément pas fini avec cette affaire. À suivre de très près ! Cybèrement vôtre, SaxX ¯\_(ツ)_/¯

‼️🇮🇷 Iran Nuclear allegedly breached with 77.56 GB of data threatened for release under "Pay Or Leak" ransom A threat actor claims to have obtained 77.56 GB of data related to Iran, including archives tied to the Iranian nuclear program, government databases, and a nuclear authority website. The actor has issued a "Pay Or Leak" ultimatum, demanding €5,000 by May 15th and threatening to publicly release all collected information if the ransom is not paid. The actor frames the operation as a response to events involving Israel and Iran, and claims to have also defaced Iranian websites and exfiltrated their databases during the intrusion. Post details: ▸ Actor(s): NormalLeVrai ▸ Sector: Government / Nuclear / Insurance ▸ Type: Ransom / Pre-Leak Extortion ▸ Format: RAR, ZIP, JSON, XLSX, TXT ▸ Price: €5,000 (ransom) / Free if unpaid by deadline ▸ Records: 77.56 GB ▸ Country: Iran ▸ Deadline: 15/05/2026 ▸ Date: 10/05/2026 Compromised data: ▪ Data_Iran_Nuclear_Program - ~1.6 GB per file, archives related to the Iranian nuclear program (multiple files) ▪ Nuclear Iranian Database.part01–35.rar - database divided into 35 parts, up to ~1.48 GB each ▪ Iran 4.63GB.json.002 - part of a large structured JSON file ▪ Iran & RF 95.000.000.zip.001 - ~1.84 GB ▪ Iran & RF 95.000.000database.zip - additional part of a 95 million record database ▪ iran_insurances_samples.zip - Iranian insurance data ▪ IranBudget-Table-07-1-Bill1399.xlsx - Iranian budget table ▪ Iran 500k.txt - large list of telephone number data ▪ bapeten.go.id - ~1.47 GB, archive related to Iranian nuclear authority / government website ▪ Defacement evidence and extracted databases from additional Iranian websites Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing

‼️9,500 passport and national ID card scans allegedly being sold mainly from France and Turkey A threat actor is selling a 4.01GB compressed archive of 9,542 passport and national identity card scans, advertised as primarily sourced from France and Turkey but spanning multiple countries. The listing is priced at $1,000. Post details: ▸ Actor(s): NormalLeVrai ▸ Sector: Identity documents (multi-country) ▸ Type: Data Sale ▸ Format: PDF and image scans, 4.01GB compressed ▸ Price: $1,000 ▸ Records: 9,542 documents ▸ Countries: Primarily France and Turkey (mixed others) ▸ Date: 10/05/2026 Compromised data: ▪ Passport scans ▪ National identity card scans ▪ Holder full names and dates of birth ▪ Document numbers ▪ Issue and expiry dates ▪ Issuing country and authority ▪ Photographs and signatures Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing

@taxisboy_ohio @leoarronchester @DailyDarkWeb They interviewed me, don't worry.

@leoarronchester @DailyDarkWeb everyone knows this is a fake shiny hunter why is dark web intelligence interviewing them if he could instead interview hasanbroker or normallevrai 🥀

For the first time, Daily Dark Web interviewed the individuals claiming to be behind the ShinyHunters identity. But that’s not all. We also spoke with the person who allegedly leaked the internal conversations connected to the ShinyHunters ecosystem. Two sides. One story. This investigation covers: • Internal conflicts • Identity disputes • Underground ecosystem dynamics • Telegram leaks • Attribution claims • The evolution of the ShinyHunters name The interview will be published soon exclusively on Daily Dark Web. Disclaimer: This content is shared strictly for journalistic, research, and cybersecurity awareness purposes. Daily Dark Web does not support, encourage, or participate in illegal activities. #DDW #DarkWeb #CyberSecurity #ThreatIntelligence #ShinyHunters #CyberCrime #OSINT #DataBreach #ThreatActors #InfoSec #Intelligence

🇫🇷 A threat actor is advertising an alleged dataset associated with SFR, one of France’s major telecommunications providers, claiming the database contains information tied to approximately 27 million records. The forum post provides limited technical details regarding the contents of the alleged dataset, but the actor claims to possess a large-scale customer-related database. At this time: • The claims remain unverified • There is no confirmation that SFR systems were breached • The authenticity, origin, and recency of the alleged dataset remain unknown Large telecom-related datasets may potentially contain: • Customer contact information • Phone numbers • Subscriber records • Address and billing-related information • Account metadata and service details If legitimate, exposure of telecommunications-related records could create significant risks including: • SIM-swapping attacks • Smishing and phishing campaigns • Identity theft • Account takeover attempts • Social engineering targeting telecom customers Users should remain cautious of: • Unexpected SIM activation or carrier transfer notifications • SMS messages requesting verification codes • Suspicious calls impersonating telecom support personnel Daily Dark Web is continuing to monitor underground channels for additional validation, samples, or official statements regarding the alleged dataset. #DDW #Intelligence #CyberSecurity #DataLeak #DarkWeb #ThreatIntelligence #France #Telecom #SFR #DataBreach

@bati21675 PTDR 😂

Sad to say that I have your data..

‼️🇦🇺 1,169 Australian websites allegedly being sold as full panel access by a single threat actor The threat actor claims to be selling full access to 1,169 Australian websites in their possession, delivered as a url:user:pass list that the seller says grants entry to the panels, databases, source code, and emails of each site. The listing is priced at $400. Post details: ▸ Actor(s): NormalLeVrai (Immortal) ▸ Sector: Mixed (1,169 Australian websites) ▸ Type: Access Sale ▸ Format: url:user:pass list ▸ Price: $400 (one buyer only) ▸ Targets: 1,169 sites ▸ Country: Australia ▸ Date: 07/05/2026 Compromised data and capabilities: ▪ Admin panel credentials for 1,169 Australian websites ▪ Database access for each site ▪ Source code access ▪ Hosted email accounts and inboxes ▪ Site configuration and stored content Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing

‼️🇫🇷 Deezer allegedly leaked exposing 2.5 million Russian user records from the French music streaming platform A threat actor claims to have leaked a Russian-region subset of Deezer, the French music streaming platform, releasing 2,557,577 records. The CSV sample (filename "deezer_russian.csv") shows user IDs, full names, gender, dates of birth, emails, and country/language codes. Post details: ▸ Actor(s): NormalLeVrai ▸ Sector: Music streaming / Entertainment ▸ Type: Data Leak ▸ Format: CSV ▸ Price: Free ▸ Records: 2,557,577 ▸ Country: France (Russian user subset) ▸ Date: 07/05/2026 Compromised data: ▪ User ID ▪ First name and last name ▪ Gender ▪ Date of birth ▪ Email address ▪ Country code ▪ Language code Don't like the redacted screenshots? Subscribe... darkwebinformer.com/pricing

‼️🇫🇷 NRJ Mobile allegedly leaked exposing 266K customer records from the French MVNO A threat actor claims to have leaked a database from NRJ Mobile (nrjmobile.fr), a French mobile virtual network operator, releasing it for free under the hashtag #freebreach3d. The 266,345-record sample includes full customer profiles with banking identifiers (IBAN/BIC) and Freebox account references in JSONL format. Post details: ▸ Actor(s): NormalLeVrai ▸ Sector: Telecommunications (MVNO) ▸ Type: Data Leak ▸ Format: JSONL ▸ Price: Free ▸ Records: 266,345 ▸ Country: France Compromised data: ▪ Internal ID and customer code ▪ Title, first name, last name ▪ Email address ▪ Phone numbers (primary and secondary) ▪ Street address, postal code, city, country ▪ Individual type ▪ IBAN and BIC banking identifiers ▪ Freebox ID ▪ Account status (active/inactive) ▪ Registration date ▪ Retention offer flag and additional mobile loan flag

🚨 CYBER THREAT INTELLIGENCE BULLETIN: ACTIVITY OF THREAT ACTOR "NORMALLEVRAI" 🌍💻📂 [STATUS: ACTIVE THREAT] An international data exfiltration campaign perpetrated by the threat actor NormalLeVrai has been detected. Through incident monitoring dashboards (Threat Intelligence Report), two new data breaches—recorded simultaneously on May 6, 2026—have been classified, affecting infrastructure and citizens in Europe and Latin America. Sector: Telecommunications (> TELECOM). Entity / Target: NRJ Mobile (Mobile Virtual Network Operator). Volume: 266K (266,000) records. Threat Actor: NormalLeVrai. Date Recorded: 2026-05-06. Case #5873: +24M Mexican Civilians (Mexico 🇲🇽) Sector: Unclassified (> UNCLASSIFIED) – Direct impact on citizen records. Entity / Target: Civilian population of Mexico. Volume: Over 24 million records (+24M). Threat Actor: NormalLeVrai. Date Recorded: 2026-05-06. 🛡️ Strategic Recommendations 🔗 IoC Correlation: SOC/CTI teams are advised to cross-reference Indicators of Compromise (IoCs) and technical infrastructure across both incidents to identify shared patterns or tools utilized by this attacker. Monitor: analyzer.vecert.io #CyberSecurity #DataBreach #NormalLeVrai #Mexico #France #ThreatIntelligence #VECERT #CyberAlert 🌍🛡️⚠️🚨💻

‼️🇲🇽 Over 24 million Mexican civilian records allegedly leaked across two combined files A threat actor claims to have posted two files together containing more than 24 million Mexican civil records, released for free. The samples include personal identifiers, demographic details, employment, and relationship status, with one database alone listed at 24,730,562 entries. Post details: ▸ Actor(s): NormalLeVrai ▸ Sector: Government / Civil Records ▸ Type: Data Leak ▸ Format: TXT and XLSX (two files) ▸ Price: Free ▸ Records: 24M+ (one DB listed at 24,730,562) ▸ Country: Mexico Compromised data: ▪ Numeric ID and secondary ID ▪ First name and last name(s) ▪ Gender ▪ Marital/relationship status ▪ Employer or workplace ▪ Birth year / age indicator ▪ City, state, and country of residence ▪ Free-text personal notes/descriptions ▪ Occupation or housewife status

🚨 CYBERINTEL ALERT: ALLEGED MASS DATA LEAK – BURGER KING RUSSIA 🇷🇺🍔📂🔓 [STATUS: UNDER INVESTIGATION] A post has been detected from threat actor "NormalLeVrai," claiming to have compromised the database of the Russian branch of the fast-food chain Burger King (burgerkingrus.ru). The actor has publicly claimed responsibility for this compromise; however, the scope and veracity of the breach have not yet been independently verified. 🏢 Allegedly Affected Entity: Burger King Russia. 👤 Threat Actor: NormalLeVrai 📂 Allegedly Compromised Asset: Customer and delivery service database. 📊 Leak Volume: Approximately 16,883,039 records. 📅 Publication Date: May 5, 2026. 📊 Scope of Shared Samples (PII) The actor has provided a data sample containing Personally Identifiable Information (PII) belonging to customers in various cities, including Moscow, Saint Petersburg, and Krasnodar: Identity and Contact: Names, phone numbers, and email addresses. Demographic Data: Gender and date of birth. Geographic Information: Physical addresses and time zones. Consumption Profile: Favorite categories and dishes, loyalty segments, and transaction timestamps. Security: Email and phone verification status. 🛡️ Preventive Response Recommendations 🔒 Credential Change: Users of burgerkingrus.ru are advised to change their passwords immediately, particularly if they reuse those credentials across other services. 👁️ Contact Vigilance: Exercise extreme caution regarding suspicious phone calls or emails that reference specific order details or loyalty accounts. Monitor: analyzer.vecert.io #CyberSecurity #Russia #BurgerKing #DataBreach #NormalLeVrai #PwnerSec #PII #VECERT #InfoSec #CyberAlert 🇷🇺🛡️⚠️🚨🍔

With @PwnedLeVrai 😶🧨

🚨 CYBERINTEL ALERT: TOTAL BREACH AT OPERATIONS SUPPORT COMPANY (OSC) – INFRASTRUCTURE COMPROMISE 🇸🇦🛡️🔓 A massive data exfiltration and a deep compromise of the infrastructure belonging to Operations Support Company (OSC) have been detected. The threat actor NormalLeVrai (linked to recent leaks in the region) has published the company's database and is offering privileged access to its server and critical assets for sale. 🏢 Affected Entity: Operations Support Company (OSC). 👤 Threat Actor: NormalLeVrai 🛠️ Access Level: Total compromise of cPanel, granting administrative control over the server, files, and web configurations. 📂 Leak Volume: 172,272 data rows. 📅 Publication Date: May 3, 2026. 📊 Breach Scope (Infrastructure and PII) Evidence provided by the attacker confirms persistent and multifaceted access: cPanel Access: The attacker possesses control over the backend of the osc.sa website, allowing for the manipulation of server infrastructure. Defacement: The official website was defaced as proof of the system's vulnerability. Email System: Control over—and an offer to sell—four corporate email accounts, including the ability to export messages. Intellectual Property: Access to the complete source code for the company's applications and portal. Database: Exfiltration of over 172k records, currently available for free download. 🛡️ Immediate Response Recommendations 🔒 cPanel Recovery: Immediately change cPanel access credentials and review all recently created administrator accounts. 🔑 Email Account Reset: Disable and reset the passwords for all corporate email accounts, and enable Multi-Factor Authentication (MFA). Monitor: analyzer.vecert.io #CyberSecurity #OSC #DataBreach #cPanelAccess #SaudiArabia #Defacement #SourceCodeLeak #VECERT #NormalLeVrai #InfoSec 🇸🇦🛡️⚠️🚨🏛️

‼️🇰🇭 The National Center for HIV/AIDS, Dermatology and STD (NCHADS), a government agency under the Cambodian Ministry of Health, has allegedly been breached, with the entire contents of the agency's mailbox leaked. ⠀ ‣ Threat Actor: NormalLeVrai ‣ Category: Government Email Compromise ‣ Victim: NCHADS ‣ Industry: Government / Public Health ⠀ The actor leaked the full email inbox from NCHADS, the Cambodian government body responsible for HIV/AIDS, dermatology, and STD programs. Sample correspondence shows procurement communications, supplier quotes, and coordination with international partners including UNFPA. ⠀ What's in it: ⠀ ▪️ Full email inbox contents from NCHADS ▪️ Internal correspondence with Ministry of Health staff ▪️ Procurement records (medical supplies, lubricants, water, lab equipment) ▪️ Supplier and vendor communications (e.g. Kam Hing International Holdings) ▪️ International partner correspondence (UNFPA) ▪️ Attached scans, product catalogs, and price lists ▪️ Email addresses of agency staff and external contacts