Normal

24 posts

@NormalLeVrai

ShinyHunters Operator, Old LAPSUS$ member, Owner BreachForums & LeakForums | Elite cybersecurity collective based in France

Joined July 2019
3 Following · 26.4K Followers
Pinned Tweet
Normal@NormalLeVrai·
For those asking, yes, I am open to discussion/interviews on Session: 05309a344b0eb88776edfe3cbf42f9bffc6db898281d6a66186e8eba64f66df64f
Normal retweeted
Dark Web Informer@DarkWebInformer·
Those wondering the X account: @NormalLeVrai
Dark Web Informer@DarkWebInformer

‼️🇮🇱 Galcomm (galcomm.com), one of Israel's largest ICANN accredited domain registrars and hosting providers, has allegedly suffered an unauthorized access of its internal systems, with its database and full source code published on a popular cybercrime forum.

‣ Threat Actor: NormalLeVrai
‣ Category: Data Breach / Source Code Leak
‣ Victim: Galcomm (Communigal Communication Ltd)
‣ Industry: Domain Registration / Web Hosting

Galcomm is an Israel based registrar with over 20 years of operation, providing domain registration, hosting, and SSL services to customers in Israel and internationally. The actor has released both the database and source code for free download. The leak allegedly contains:

▪️ 31,000 database lines
▪️ 2.32 GB of compressed source code

The sample posted shows entries from a form fields table (Ninja Forms schema), with field labels including Name, Email, Message, and Full Name, and a column flagging records as personally identifiable.

Normal retweeted
Dark Web Informer@DarkWebInformer·
‼️🇧🇷 Instituto Maria Schmitt (IMAS), a Brazilian health organization that manages public hospitals and clinics across the state of Santa Catarina under SUS contracts, has allegedly suffered an unauthorized access of a corporate mailbox, with the entire contents dumped for free on a popular cybercrime forum.

‣ Threat Actor: NormalLeVrai
‣ Category: Email Compromise / Full Mailbox Dump
‣ Victim: Instituto Maria Schmitt (IMAS)
‣ Industry: Healthcare / Public Hospital Management

IMAS is an Organização Social de Saúde (OSS) recognized by Santa Catarina state decree in 2018, and operates as the managing entity for multiple public health units in the state, including Hospital Florianópolis, Hospital Regional de Araranguá, Hospital Santo Antônio, and Hospital Dom Joaquim. The organization routinely works with municipalities to administer medical services under the Sistema Único de Saúde (SUS). The dump allegedly contains:

▪️ 1,061 retrieved emails
▪️ 742 saved attachments
▪️ Full mailbox archive posted for free download on anonfilesnew

Unlike a credential list or a database extract, a complete corporate mailbox dump from a healthcare administrator typically exposes:

▪️ Internal communications with the Secretaria de Estado da Saúde (SES-SC) and municipal health departments
▪️ Contracts, invoices, and financial documents tied to public hospital operations
▪️ HR and payroll correspondence including staff personal data and CPFs
▪️ Supplier and vendor communications (medical equipment, pharmaceuticals, cleaning, catering)
▪️ Patient related correspondence where cases escalate to administrative channels
▪️ Login credentials and password reset links sent through email
▪️ Internal meeting notes, signed documents, and attachments covering clinical governance
▪️ Email signatures disclosing full org chart, direct phone numbers, and staff roles

Risks flowing from a dump of this type include:

▪️ Business email compromise (BEC) and invoice fraud targeting the institute's suppliers and government counterparts using real thread context
▪️ Highly convincing spearphishing against IMAS staff and partner hospitals using genuine internal language and attachments
▪️ Regulatory exposure under Brazil's LGPD for any personal data contained in the archive, particularly if patient or staff health information is present
▪️ Downstream access to connected systems if the mailbox contains password reset links, shared drive links, or SSO recovery mail

The threat actor frames the release as a continuation of prior activity targeting Brazilian entities.
Normal retweeted
Dark Web Informer@DarkWebInformer·
‼️🇩🇪 Six hosting/registrar providers, described by the actor as "German registrars," have allegedly suffered an unauthorized access of their internal systems after threat actors pivoted through the Axmir panel, with 7.2 million database lines and 18.2 GB of source code put up on a popular cybercrime forum.

‣ Threat Actor: NormalLeVrai (in collaboration with "Near")
‣ Category: Data Breach / Source Code Leak / Website Defacement
‣ Victim: Axmir + 5 linked registrar/hosting domains
‣ Industry: Web Hosting / Domain Registration

The actor claims to have gained access to the Axmir panel, which was itself linked to five other registrar/hosting domains, allowing them to pull databases and source code from all six. The affected domains are:

▪️ axmir.xyz
▪️ ajkerhoster.com
▪️ hostnomic.com
▪️ khandakarit.com
▪️ mnhost.top
▪️ rapidhostbd.com

Note: despite the "German registrar" framing, the domain names and branding on several of these providers (ajkerhoster, khandakarit, rapidhostbd) suggest Bangladeshi operators. The "German" label may refer to upstream hosting infrastructure rather than corporate origin.

The dump allegedly includes:

▪️ 7,242,212 database lines
▪️ 18.2 GB of compressed source code
▪️ 13 subdomains also breached
▪️ 2 sites defaced

Hosting/registrar compromises of this type typically expose highly sensitive customer data. Potential exposure across the affected providers includes:

▪️ Customer account credentials (usernames, password hashes)
▪️ Billing and contact information
▪️ Domain registration WHOIS records
▪️ Hosting control panel access data
▪️ Payment and transaction history
▪️ API keys and internal configuration
Normal retweeted
VECERT Analyzer@VECERTRadar·
🚨 FINANCIAL SECURITY ALERT: ALLEGED SALE OF COMPROMISED CRYPTOCURRENCY ACCOUNT (UNVERIFIED) 🚨 A post has been detected from the threat actor NormalLeVrai claiming to have gained access to a corporate cryptocurrency account with a massive balance. It is crucial to treat this information as alleged and unverified, as it could be a crypto scam targeting other cybercriminals or unsuspecting buyers. 👤 Threat Actor: NormalLeVrai 💰 Reported Asset (Unconfirmed): An account with 9.22998 BTC (approx. €592,856.38). 📂 Actor's Narrative: Claims to have extracted the credentials from the inbox of a "well-known company" following a security breach. 📅 Publication Date: April 19, 2026 🛡️ Monitor: analyzer.vecert.io ⚠️ Intelligence Note: On Dark Web forums, it is common to use forged or altered screenshots to simulate nonexistent balances and scam buyers (a technique known as exit scam or ripping). Until a real transaction on the blockchain linked to a specific company is demonstrated, this incident should be considered a potential fraud threat. #CyberSecurity #CryptoScam #Bitcoin #Fintech #Hacking #InfoSec #VECERT #Cybersecurity #FraudAlert #Unconfirmed #NormalLeVrai 🛡️₿❓
Normal@NormalLeVrai·
what a good day
Normal retweeted
VECERT Analyzer@VECERTRadar·
🚨 CYBERSECURITY ALERT: MASSIVE COMPROMISE OF REGISTRARS AND HOSTING (GERMANY) 🇩🇪 A large-scale intrusion targeting the control panel of Axmir, a German registrar, has been detected, which cascaded to 5 other related entities. The attack resulted in the massive exfiltration of customer data and intellectual property. 🏢 Affected Entities: 6 German Registrars/Hosting Providers: ajkerhoster.com axmir.xyz hostnomic.com khandakarit.com mnhost.top rapidhostbd.com 👤 Threat Actors: NormalLeVrai and Near. 📂 Leak Volume: 7,242,212 lines of database data (user and registration information). 18.2 GB of compressed source code. 📊 Additional Impact: Compromise of 13 subdomains. Defacement (visual alteration) confirmed on 2 of the main sites. 📅 Publication Date: April 18, 2026. 🛡️ Monitor: analyzer.vecert.io #CyberSecurity #Germany #DataBreach #Hacking #Axmir #HostingSecurity #InfoSec #VECERT #Ciberseguridad #SourceCodeLeak #NormalLeVrai #Near 🇩🇪🛡️💻
Normal@NormalLeVrai·
It seems that 7 million Germans, from 6 registrars, have fallen 🥰
Normal retweeted
VECERT Analyzer@VECERTRadar·
🚨 INTELLIGENCE ALERT: CRITICAL COMPROMISE OF GOVERNMENT EMAIL SYSTEM (BRAZIL) 🇧🇷 A high-impact security breach targeting the Brazilian government's infrastructure has been detected. The threat actor claims to have gained full access to the email system and its administrative control panel, exfiltrating communications and attachments. 🏢 Affected Entity: Brazilian Government (Email Systems and Control Panels) 🇧🇷 👤 Threat Actor: NormalLeVrai 📂 Compromised Assets: Email System: Complete download of emails and their attachments. Data Exposed (Sample): Power BI reports ("2025 State Present"), mailing logs, and institutional notifications dated April 18, 2026. 📅 Incident Date: April 17-18, 2026. #CyberSecurity #Brazil #GovBr #DataBreach #Hacking #EmailLeak #NormalLeVrai #PowerBI #InfoSec #VECERT #Cybersecurity #IntelligenceAlert 🇧🇷🛡️⚠️
Normal@NormalLeVrai

Brazilian Government with @nearlevrai 😋

Normal retweeted
VECERT Analyzer@VECERTRadar·
🚨 CRITICAL SECURITY ALERT: CORPORATE EMAIL COMPROMISE (ENERGIE1 - FRANCE) 🇫🇷⚡ The hijacking and subsequent sale of the main email account of the French company Energie1 has been detected. The threat actor, NormalLeVrai, claims to have exfiltrated all communications and attachments from the account, representing an imminent risk of corporate espionage and financial fraud. 🏢 Affected Entity: Energie1, France. 👤 Threat Actor: NormalLeVrai 📊 Data Volume: 405 emails and 185 attachments (590 items in total). 📅 Detection Date: April 12, 2026 📑 Compromised Information: Credentials: Login codes and private access details. Financial Documentation: Bank statements and invoices. Communications: Confidential company information and possibly customer information. 🔍 Monitor: analyzer.vecert.io #CyberSecurity #France #Energie1 #DataBreach #EmailCompromise #NormalLeVrai #VECERT #Cybersecurity #Hacking #InfoSec #France #BEC
Normal retweeted
VECERT Analyzer@VECERTRadar·
🚨 SECURITY ALERT: E-LEARNING PLATFORM COMPROMISED (VOSFORMATEURS - FRANCE) 🇫🇷 A breach of the database and source code of the VosFormateurs online training subdomain (elearning.vosformateurs.fr) has been detected. The threat actor, NormalLeVrai, claims to have compromised this system just one month after compromising the company's main domain in March, indicating critical persistence in their infrastructure. 👤 Threat Actor: NormalLeVrai 📊 Data Volume: 40,000 lines of database records 📂 Exfiltrated Assets: Full SQL dump and source code (SRC) of the subdomain. Compromised Information: Geolocation and Logistics: Detailed city tables (iso_cities) with GPS coordinates, postal codes, population densities, and administrative data for France. Email Infrastructure: The attacker demonstrated control over the email server, sending messages from the institutional address @elearning.vosformateurs.fr. Monitor: analyzer.vecert.io #CyberSecurity #France #VosFormateurs #DataBreach #Elearning #NormalLeVrai #SourceCodeLeak #VECERT #Cybersecurity #Hacking #InfoSec #EdTech
Normal@NormalLeVrai·
A second time, guys, are you doing this on purpose ?
Normal retweeted
VECERT Analyzer@VECERTRadar·
🚨 SECURITY ALERT: MASSIVE DATA LEAK AND EXTORTION (RANDOMPAZAR) 🎮 A massive database belonging to Randompazar, a digital asset and account marketplace platform described as an "Arabic version of Steam," has been leaked. The threat actor, NormalLeVrai, released the files after a failed ransom negotiation. The leaked data includes financial information, personal data, and the site's source code. 👤 Threat Actor: NormalLeVrai 📊 Data Volume: 714,667 lines of records 📑 Compromised Information (Highly Sensitive): Financial: Creditcard.txt file (alleged credit card information) and PDF invoices. Gaming Accounts: Login credentials (username:password) for platforms such as Valorant, Steam, PUBG, Discord, and social media. PII Data: Images containing personally identifiable information. Infrastructure: Complete site source code (random .zip) and full SQL database dump (localhost.sql). Context: The attacker defaced the site prior to the breach and claims to have had access to the support email inbox. Monitor: analyzer.vecert.io #CyberSecurity #RandomBreach #DataBreach #GamingSecurity #Valorant #SteamLeak #VECERT #Cybersecurity #Hacking #InfoSec #Ransomware
Normal retweeted
Dark Web Informer@DarkWebInformer·
‼️🇫🇷 Threat actor NormalLeVrai is selling alleged Service Telecom database containing 2,835,372 user records, 16GB source code, and email backups for $2,200. The database reportedly includes customer profiles, change logs, feedback, and administrator data from the French telecommunications company.
Normal@NormalLeVrai·
The next attack targeting 714K people has already taken place ; I'm waiting a bit before posting it.
Normal@NormalLeVrai·
oupsi !🫣I should post more on Twitter about my ops, I think.
Normal@NormalLeVrai·
@ZnaeW @chum1ng0 It seems like they don't care about their customers or their information.🧐
Freddy Asenjo@ZnaeW·
@chum1ng0 300 is a super low price, they should pay and solve the problem
chum1ng0/security research
🇨🇱: So far, the FreeSAP site: All confidential information has been compromised. If you do not want this to be published, pay us $300 to the following BTC address: #ciberseguridad #Chile
Dark Web Intelligence@DailyDarkWeb

Chile 🇨🇱 - FreeSAP has allegedly suffered a data breach and extortion attack, resulting in the theft of its website source code and a database containing over 40,000 rows of user and admin information. dailydarkweb.net/chilean-it-fir…

Normal retweeted
Dark Web Intelligence@DailyDarkWeb·
🚨 Data Breach Alert: EchoVPS A threat actor is offering for sale data allegedly linked to: ☁️ EchoVPS (European VPS hosting provider) 📂 Claimed exposed data includes: • ~85,000 database records • Customer email addresses • Source code 💰 Listed price: $150 ⚠️ Threat actor claims ransom demand already issued 🚨 Potential risks: • Account takeovers (if credentials reused) • Infrastructure targeting using leaked source code • Phishing campaigns against customers Organizations and users should: • Reset passwords immediately • Enable MFA across all services • Monitor for suspicious login activity #DataBreach #ThreatIntel #CyberSecurity #DarkWeb #Infosec