One guy. Global cybercrime. Tracked so you don't have to. Ransomware, data breaches, dark web activity, darknet markets, IOCs & emerging threats. Stay informed!

The Dark Web
‼️Copy Fail (CVE-2026-31431) is a Linux privilege escalation bug that lets any local user get root using a 732-byte Python script, and it works on basically every major Linux distro shipped since 2017.
Website: copy.fail/
Write-up: xint.io/blog/copy-fail-linux…
GitHub: github.com/theori-io/copy-fa…
It's a logic flaw in the kernel's crypto code (authencesn via AF_ALG and splice()) that allows a small write into the page cache, which can be used to tamper with a setuid binary like /usr/bin/su.
Think how bad this is going to be for shared environments like Kubernetes, CI runners, and cloud sandboxes, where it enables container escape and tenant-to-host compromise.
Found by Theori's Xint Code scanner, patched in the mainline kernel, and publicly disclosed on April 29, 2026; if you can't patch right away, the recommended workaround is to disable the algif_aead module.
‼️🇺🇸 Brain Cipher Ransomware claims 3 victims
🇺🇸 Digital Dynamics - Employee-owned technology company that designs and manufactures advanced safety-rated I/O and process control solutions.
🇺🇸 Golden State Orthopedics & Spine - California healthcare provider offering orthopedic, spine, rehabilitation, pain care, and musculoskeletal services.
🇺🇸 Printronix - Industrial printing company providing line matrix, enterprise, and high-volume printing solutions.
‼️🚨 An alleged member of the criminal cyber hacking group Scattered Spider has been arrested in Finland and extradited to the United States to face federal criminal conspiracy charges in the Northern District of Illinois.
Back on April 10, 2026, Peter Stokes, a 19-year-old Estonian-US dual citizen known by the online alias "Bouquet", was apprehended at Helsinki Airport in Finland while attempting to board a flight to Japan.
More: justice.gov/opa/pr/alleged-m…
🚨🇹🇼🇨🇭 4i Tech source code leak claim posted on a forum
A forum user claims to be releasing a source code collection allegedly stolen from 4i Tech. This claim is currently unverified.
4i Tech is described as a Taiwan-based, Swiss-managed software development company specializing in custom software, AI-powered solutions, and blockchain technology for startups and enterprises.
Advertised data includes:
• Source code collection
• Company project code
• Tree file reference
• Alleged June 2026 breach reference
💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
‼️ A forum user claims to be selling multiple OG and semi-OG usernames, with listed BIN prices ranging from $120 to $30,000.
🚨Private Azalea RAT Rootkit sale advertised on a forum
A forum user operating as spendyz21 is advertising Azalea RAT Rootkit, claiming it is a private coded remote admin / C2 tool with a modern admin UI and offline activation support. This claim is currently unverified.
Azalea RAT Rootkit is described as a malware toolkit focused on remote access, credential theft, persistence, and evasion.
Advertised tool claims include:
• Remote admin / C2 functionality
• HVNC and HRDP features
• Stealer and credential dumping claims
• Windows Defender bypass claim
• Ring 3 rootkit functionality
• Event log blocking and forensic log wiping claims
• File search and network enumeration features
• Privilege escalation references
• Anti-analysis and AV/EDR detection bypass claims
• Windows and Linux server component references
• Crypto payment support
💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
🚨🇩🇪 Schleswig-Flensburg citizen medical service dataset claim posted on a forum
A forum user claims a dataset tied to schleswig-flensburg.de was exposed, allegedly containing 166,652 lines of citizen medical service-related records. This claim is currently unverified.
Schleswig-flensburg.de is listed as the official government website for the District of Schleswig-Flensburg in Germany.
Advertised data includes:
• Citizen medical service records
• Patient first and last names
• Patient birth dates
• Patient addresses and ZIP codes
• Insurance-related fields
• Emergency doctor fields
• Driver and co-driver names
• Mission dates and mission numbers
• Rescue station / location fields
• Target destination fields
• Protocol and signature authentication fields
💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
🚨🇲🇽 León citizen service system dataset claim posted on a forum
A forum user claims a dataset tied to the Sistema de Atención Ciudadana in León, Guanajuato was leaked, with a sample showing citizen service and resident-related records.
The Sistema de Atención Ciudadana is a municipal citizen support system used to manage reports, requests, contact details, and location-based records.
Advertised data includes:
• Citizen IDs
• Full names
• Email addresses
• Dates of birth
• Gender fields
• Phone numbers
• WhatsApp notification fields
• Address details
• Neighborhood / colonia fields
• Street, postal code, and house number fields
• Municipality and state fields
• Latitude and longitude fields
• Account / request status fields
Claim is unverified.
💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
‼️🇺🇸 ShinyHunters has leaked the data of 3 victims
🇺🇸 Ingram Content Group, Inc. - A U.S.-based book distribution, publishing services, and content logistics company.
🇺🇸 Fluke Corporation - A U.S.-based manufacturer of electronic test, measurement, and diagnostic tools.
🇺🇸 Glendale Community College - A California community college serving students in Glendale and the greater Los Angeles area.
To keep up with transparency, and give you all a place to go if anyone is having an account issue... there is now a Help Center on the footer of the website. Support for elite subscribers remains at the top. Questions about your subscription, the threat feed, IOC feed, ransomware intel, or API access? The Help Center covers it. Filterable, no ticket required. darkwebinformer.com/help-cen… I will add to it as I think of questions that would be helpful.
🚨🇵🇰🇮🇳 Pakistani Cyber Warriors claim they hacked several Indian digital media channels in response to the Geo TV hack.
▪️ TV9 Telugu Live has over 14.4M subscribers and 509K+ videos, making it one of South India’s major digital news platforms. The group claims they interrupted the channel while the President of India was addressing an event in Visakhapatnam, replacing the broadcast with Pakistan’s national anthem for around 5 minutes and 48 seconds.
▪️ Freedom TV Live, an Indian digital channel with roughly 1.34M subscribers, was also allegedly targeted during the same period.
▪️ ABP Live, one of India’s major digital news platforms, was also allegedly impacted as part of the same campaign.
💥 The forum BreachStars 2.0 has launched. Clearnet: https://breachstars[.]vc/ - New domain https://breachsta[.]rs/ - Backup old domain Onion: http://bstarsfokayqtywueiwujpvwgqoth2t4ldutzil7qfhsadawueajjsyd[.]onion
Dark Web Informer retweeted
🤡
‼️ Huntress' CEO says it's not illegal that an employee of theirs tipped off a threat actor about the FBI looking for them, then closes his blog post with "protecting ALL businesses while wrecking adversaries in the process." How exactly are you wrecking adversaries when you act as their informant by allegedly sending them screenshots that named FBI agents? Their CEO, Kyle Hanslovan, said in an interview today that a current employee told a ransomware actor that law enforcement had reached out asking about that actor. He calls it "poor judgment," says it was not illegal, and rejects the "insider threat" label. The former employee who raised it, Ben Folland, says that admission proves his point. He alleges the employee forwarded FBI communications to the DevMan ransomware group, then refused to cooperate with the FBI. His supporting evidence is not public yet. Threat-intel teams routinely talk to criminals for research, but once a researcher warns a target that law enforcement is circling, an active case can collapse, and that is the line Huntress now has to defend in public. We've reached out to Huntress with questions about the employee who allegedly sent DevMan information, and they pointed us to their CEO's blog post.
🚨🇨🇦 Yocale appointment dataset breach claim posted on a forum
A forum user operating as Kazu claims data tied to Yocale was obtained, allegedly including 6,055,490 appointment records and 51.02GB of data. The actor lists a $500,000 ransom and a deadline of July 15, 2026, threatening to edit the post and sell the data if payment is not made.
Yocale is a Canada-based cloud business management and appointment platform used by service-based businesses to manage bookings, clients, payments, and communications.
Advertised data includes:
• Appointment and booking records
• Client names
• Client emails and phone numbers
• Location and business details
• Provider / staff information
• Appointment dates and status fields
• Payment and invoice-related fields
• Timezone and currency fields
• Client images and profile references
• Business tax and address fields
Claim is unverified.
💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing
Dark Web Informer retweeted
When the company has one DBA and he’s been carrying prod since 1998.
💥Kali Linux 2026.2 has been released.
Full change log: bugs.kali.org/changelog_page…
Summary: kali.org/blog/kali-linux-202…
Below is a summary of the changelog since the March 2026.1 release:
• Desktop Environments - Bump to GNOME 50 and KDE Plasma 6.6
• Helper Scripts Consistency - Consistency to our little launches at starting services
• APT Format - Goodbye sources.list, hello sources.list.d/kali.source
• VM Boot Optimisation - Smaller initrd + faster boot times = happy virtual machine users
• Reboot Warning - Heads-up, polkit and xrdp upgrades require a system reboot
• Kali Kernel Incoming - Staying with 6.19 for now, how to get 7.0 early
• Build Scripts Incoming - Heads-up with some changing on the way
• New Tools - As always, various new shiny packages have been added (9!)
🚨TON crypto drainer kit advertised on a forum
A forum user is advertising a TON-focused crypto drainer, claiming it includes full setup materials, a video guide, Telegram bot logs, and support for multiple TON ecosystem wallets. The tool is being promoted for wallet-draining scam pages, fake airdrops, and crypto-themed phishing sites.
Advertised tool claims include:
• TON wallet drainer setup
• Full source code and setup video claim
• Telegram bot logging
• Fake reward / bonus page demo
• Wallet connection flow
• TON Connect-style wallet prompt
• Claimed support for multiple TON wallets
• Listed price of $69
Claim is unverified.
💥 Stop guessing what's redacted. Paid subscribers see everything: darkwebinformer.com/pricing