Arkanix Stealer, an information‑stealing operation promoted on dark web forums in late 2025, offered modular Python and premium C++ builds with VMProtect and extensive data‑theft capabilities across browsers, wallets, messengers, and gaming platforms. Kaspersky researchers found indicators of LLM‑assisted development, a short‑lived Discord community and referral program, and published IoCs while the operator abruptly took down the project two months after launch. #ArkanixStealer #Kaspersky
A threat actor using the handle Angel_Batista posted on BreachForums claiming to have leaked approximately 65,000 rows of employee data from the French Gendarmerie Nationale sourced from gendarmerie.interieur.gouv.fr. The exposed dataset reportedly includes names, landline and mobile phone numbers, personal and professional email addresses, authentication credentials, device and cloud connection details,…
HexDex published a “Final Thread” leaking 8,861 unique email agent records from French government domains, including 6,129 from @interieur.gouv.fr and 3,335 from @intradef.gouv.fr. The post, described as a “final salvo,” includes sample email and credential pairs and is publicly accessible on the open web. #HexDex #interieur.gouv.fr…
A 45-year-old Romanian national, Catalin Dragomir, pleaded guilty to hacking Oregon’s Office of Emergency Management in June 2021, selling administrative access on cybercriminal platforms and exposing an employee’s personal data. He admitted to breaching 10 other U.S. companies causing at least $250,000 in losses and faces up to seven years in…
In October 2025, researchers discovered forum posts advertising a previously unknown MaaS called “Arkanix Stealer” offering both native C++ and Python implants, a configurable control panel, and payload generation. The malware harvested browser credentials, cryptocurrency wallets (using an embedded ChromElevator injector), and system and application data, and communicated with C2 endpoints on arkanix[.]pw; the affiliate program and panel were subsequently taken down. #ArkanixStealer #ChromElevator
A threat actor using the handle cyandiboo is selling an alleged 4 GB SQL dump from the National Bank of Ukraine’s souvenir coin sales site (coins.bank.gov.ua) on DarkForums. The dataset reportedly contains ~1.5 million records across customer and orders tables, including emails, phone numbers, MD5 password hashes, full names, shipping addresses,…
The report analyzes a range of cyber threats against the financial sector, including database leaks, sales of access rights on dark web forums, phishing campaigns, and ransomware incidents affecting major financial organizations. It highlights specific cases involving leaked credentials and datasets (H***, V***, T***), threat actors claiming access (PanchoVilla, Solonik, CLOP),…
An initial access broker using the handle Big-Bro listed an auction claiming to sell domain administrator access to an unidentified Peruvian logistics and business services company with estimated revenue of about $10 million. The listing identifies a compromised Fortinet VPN appliance as the access vector and shows an auction starting at…
Hackers stole personal and contact information from nearly 1 million accounts after breaching Figure Technology Solutions in a social engineering attack, with Have I Been Pwned reporting data from 967,200 accounts dating to January 2026. Extortion group ShinyHunters claimed responsibility and posted roughly 2.5GB of stolen loan applicant data, and the incident is linked to broader vishing campaigns targeting SSO providers and multiple high‑profile organizations. #Figure #ShinyHunters
A Glendale man, 36-year-old Davit Avalyan, was sentenced to 57 months in federal prison after pleading guilty to conspiracy to distribute narcotics for his role in a darknet drug trafficking operation that sold cocaine, methamphetamine, MDMA, and ketamine nationwide. The long-running network operated multiple darknet storefronts—including JoyInc, PlanetHollywood, and LaFarmacia—shipped packages via the U.S. Postal Service, and was dismantled by an FBI JCODE-led task force. #DavitAvalyan #JoyInc
Sinobi is a Ransomware-as-a-Service operation that emerged in mid-2025 and appears to be a rebrand or successor to the Lynx and INC Ransom families based on significant code overlap. The group uses a closed affiliate model and double-extortion tactics—gaining access via compromised credentials and CVE exploits, exfiltrating data with Rclone, and encrypting files with Curve25519/AES-128-CTR to demand payment. #Sinobi #Lynx
Eurail disclosed a mid-January breach in which attackers stole customer personal, order, reservation, passport, and sensitive DiscoverEU data and are now offering the stolen records for sale. The hackers claim to have exfiltrated roughly 1.3 TB from AWS S3, Zendesk, and GitLab and have posted samples on Telegram while threatening to…
Industrial Control Systems (ICS) remain highly vulnerable because decades‑old hardware, outdated protocols, and operators’ inability to accept downtime prevent effective patching and replacement amid growing nation‑state pre‑positioning and ransomware pressure. To build long‑term resilience in 2026, experts recommend OT‑aware zero trust, identity‑centric controls, microsegmentation, continuous threat exposure management (CTEM), supply‑chain transparency,…
A January breach of Eurail’s customer database has escalated into a large-scale identity theft crisis after attackers began offering millions of travelers’ sensitive records for sale on criminal marketplaces and publishing a sample on Telegram. The compromised information—names, passport numbers, ID numbers, IBANs, health data and contact details—puts DiscoverEU participants at…
A threat actor using the handle “Angel_Batista” claims to be selling the databases of Russian EdTech platform Foxford, alleging a breach impacting approximately 13.6 million customers. The listing reportedly appeared on Tor and, if verified, would be one of the largest education-sector data breaches reported this year. #Angel_Batista #Foxford…