Live Underground Intelligence

From The Dark Side

Intelligence from the criminal underground — ransomware gang activity, credential markets, initial access brokers, data breach tracking, and emerging attack tooling. Curated by Security Arsenal analysts so your team has what it needs to stay ahead.

15+Intel Sources
5mRefresh Interval
6Threat Categories
24/7Analyst Coverage
LIVE INTEL
⚠ RANSOMWARE: RansomHub — double-extortion op targeting healthcare sector⚠ IAB: RDP access to mid-market manufacturing firm listed on underground forum⚠ INFOSTEALER: Lumma Stealer campaign — 1.4M credentials harvested from browser sessions⚠ APT: Nation-state actor targeting critical infrastructure with spear-phishing⚠ RANSOMWARE: Akira affiliate — network access via exposed VPN credential⚠ CREDENTIALS: Combo list from enterprise SSO breach surfaced on Telegram⚠ IAB: Cloud admin access to financial sector org listed at $18K⚠ MALWARE: New evasion-capable RAT advertised on criminal forums — C2 via Telegram⚠ DATABREACH: Tor leak site posting — legal sector data including PII and contracts⚠ RANSOMWARE: LockBit variant — active RaaS affiliate recruitment observed⚠ CREDENTIALS: Vidar stealer log drop — corporate VPN credentials included⚠ APT: Supply chain compromise targeting software vendors in critical sectors⚠ RANSOMWARE: RansomHub — double-extortion op targeting healthcare sector⚠ IAB: RDP access to mid-market manufacturing firm listed on underground forum⚠ INFOSTEALER: Lumma Stealer campaign — 1.4M credentials harvested from browser sessions⚠ APT: Nation-state actor targeting critical infrastructure with spear-phishing⚠ RANSOMWARE: Akira affiliate — network access via exposed VPN credential⚠ CREDENTIALS: Combo list from enterprise SSO breach surfaced on Telegram⚠ IAB: Cloud admin access to financial sector org listed at $18K⚠ MALWARE: New evasion-capable RAT advertised on criminal forums — C2 via Telegram⚠ DATABREACH: Tor leak site posting — legal sector data including PII and contracts⚠ RANSOMWARE: LockBit variant — active RaaS affiliate recruitment observed⚠ CREDENTIALS: Vidar stealer log drop — corporate VPN credentials included⚠ APT: Supply chain compromise targeting software vendors in critical sectors

Live Ransomware Victims

refreshed every 5 min

Active ransomware gang postings from public leak sites. For awareness and defensive intelligence only.

Threat GroupVictimSectorCountryDiscovered
qilin
S.J. Louis
Not FoundBRJul 8, 2026Details
krybit
xuerong.com
TechnologyCNJul 8, 2026Details
krybit
shelby.com.mx
Not FoundMXJul 8, 2026Details
chaos
opportune.com
🇺🇸 US COMPANY
Business ServicesUSJul 8, 2026Details
chaos
corepharma.com
🇺🇸 US COMPANY
HealthcareUSJul 8, 2026Details
akira
Wade's Dairy
Agriculture and Food ProductionGBJul 8, 2026Details
play
Preneed Funeral Programs
🇺🇸 US COMPANY
Consumer ServicesUSJul 7, 2026Details
qilin
Next Clinics
HealthcareCZJul 7, 2026Details
play
Kevin Bao Lenguyen
Not FoundJul 7, 2026Details
play
United Infrastructure
🇺🇸 US COMPANY
EnergyUSJul 7, 2026Details

Showing latest 10 victims. Full searchable database available.

View All & Search

Underground Intelligence Feed

Frequently Asked Questions

Is Your Organization in the Underground?

Security Arsenal monitors dark web markets, ransomware leak sites, and criminal forums for your domains, IP ranges, and executive identities. We'll tell you if you're already being sold — before the attack begins.