🚨 🇫🇷 CYBER THREAT INTELLIGENCE ALERT: POSSIBLE THREAT AGAINST "FRANCE COMPÉTENCES"
⚠️ STATUS: SECURITY WARNING / POSSIBLE ATTACK PLANNING
Suspicious activity has been detected suggesting that the self-proclaimed group "Lapsus Back" (Lapsus$) may be planning an attack against the French public institution France Compétences.
🏢 Affected Entity: France Compétences (https://t.co/ROOsK94mpA).
👤 Threat Actor: Lapsus Back Group (Lapsus$).
📅 Date of Detection: May 30, 2026.
The evidence presented indicates a possible intrusion or proof-of-concept wherein the threat actor has managed to inject an alert into the interface of the institution's official website, signaling their presence or intentions via a pop-up window ("LAPSUS$"). This action typically precedes attempts at data exfiltration, website defacement, or larger-scale compromises of the affected infrastructure.
🛡️ Recommendations and Mitigation
Forensic Investigation: System administrators at France Compétences are advised to conduct an immediate review of access logs and web security configurations to rule out any active vulnerabilities.
Perimeter Hardening: Given the potential threat posed by this group, it is imperative to strengthen authentication protocols and enhance monitoring for unusual traffic on the institution's servers.
Integrity Validation: Verify the integrity of website files to ensure that no backdoors or malicious scripts have been inserted by the threat actor.
⚡ Strategic Monitoring Tools
Intelligence Platform: https://t.co/wk9bZJ2Nli
Security Verification: https://t.co/5LuqwzYuS6
#CyberSecurity #France #DataLeak #ThreatIntelligence #LapsusBack #LapsusGroup #CyberAlert #VECERT #BreachAlert
🚨WhatsApp allegedly targeted in 3 Billion record data leak
A threat actor on an underground forum is claiming to share a large dataset allegedly tied to WhatsApp users.
The actor claims the dataset contains roughly 3B records, with sample rows showing contact, location, and account activity-related fields.
What's allegedly exposed:
• First and last names
• Email address fields
• Cell phone number fields
• WhatsApp active status
• SMS delivery and verification fields
• Date fields
• Address, city, state, and country records
• Postal code fields
Details:
Target: WhatsApp
Country: Global
Sector: Messaging / Social Platform / User Data
Actor: NormalLeVrai
Claim: User database leak
Exposure: Roughly 3B records
Price: Free
Observed: May 23, 2026
🚨Canva allegedly targeted in 7.7M record dataset sale
A threat actor on an underground forum is claiming to sell a dataset allegedly tied to Canva, the online graphic design and visual content platform.
The actor claims the dataset contains 7.7M records and is being sold for $2,000 to one buyer only.
What's allegedly exposed:
• User records
• Email address fields
• Username fields
• Account IDs
• Password hash references
• Registration date fields
• IP address fields
• User status and role metadata
• Forum-style account record samples
Details:
Target: Canva
Country: Global
Sector: Design Software / SaaS / User Data
Actor: NormalLeVrai
Claim: User dataset sale
Exposure: 7.7M records
Price: $2,000
Observed: May 23, 2026
🚨WhatsApp zero-day exploit allegedly advertised for sale
A threat actor on an underground forum is claiming to sell a WhatsApp zero-day exploit allegedly capable of installing malware or backdoors through private messages.
The actor claims the exploit works on phones and computers and is being sold for $3,000.
What's allegedly offered:
• WhatsApp zero-day exploit claim
• Private message delivery method
• Malware installation claims
• Backdoor and trojan deployment claims
• Phone and computer targeting claims
Details:
Target: WhatsApp
Country: Global
Sector: Messaging / Social Platform
Actor: NormalLeVrai
Claim: Zero-day exploit sale
Exposure: Exploit access claim
Price: $3,000
Observed: May 23, 2026
🚨🔴🇫🇷 New twist in the ANTS cyberattack - a French cybercriminal is demanding $20,000 and threatening to release the database otherwise!
The saga of the ANTS hack continues.
👉🏾 After the hack was claimed
👉🏾 After the arrest of a young 15-year-old cybercriminal in Corsica
👉🏾 Now another cybercriminal is threatening to release the database for free if ANTS does not pay $20,000 before Monday, May 18!
This cybercriminal, NormalLeVrai, claims to also hold the database and is threatening to release for free 13M administrative records of French citizens.
In his claim, he says he is doing this in retaliation for the arrest of his friend breach3d, arrested following the ANTS hack carried out with an extremely simple vulnerability...
He has published a sample of a few lines to prove that he holds the database...
A new episode in one of the most publicized cyberattacks in France... We are clearly not done with this affair.
One to follow very closely!
Cyberly yours,
SaxX ¯\_(ツ)_/¯
‼️🇮🇷 Iran Nuclear allegedly breached with 77.56 GB of data threatened for release under "Pay Or Leak" ransom
A threat actor claims to have obtained 77.56 GB of data related to Iran, including archives tied to the Iranian nuclear program, government databases, and a nuclear authority website. The actor has issued a "Pay Or Leak" ultimatum, demanding €5,000 by May 15th and threatening to publicly release all collected information if the ransom is not paid. The actor frames the operation as a response to events involving Israel and Iran, and claims to have also defaced Iranian websites and exfiltrated their databases during the intrusion.
Post details:
▸ Actor(s): NormalLeVrai
▸ Sector: Government / Nuclear / Insurance
▸ Type: Ransom / Pre-Leak Extortion
▸ Format: RAR, ZIP, JSON, XLSX, TXT
▸ Price: €5,000 (ransom) / Free if unpaid by deadline
▸ Records: 77.56 GB
▸ Country: Iran
▸ Deadline: 15/05/2026
▸ Date: 10/05/2026
Compromised data:
▪ Data_Iran_Nuclear_Program - ~1.6 GB per file, archives related to the Iranian nuclear program (multiple files)
▪ Nuclear Iranian Database.part01–35.rar - database divided into 35 parts, up to ~1.48 GB each
▪ Iran 4.63GB.json.002 - part of a large structured JSON file
▪ Iran & RF https://t.co/IZns4JKw6E.001 - ~1.84 GB
▪ Iran & RF https://t.co/aQH2dosELj - additional part of a 95 million record database
▪ iran_insurances_samples.zip - Iranian insurance data
▪ IranBudget-Table-07-1-Bill1399.xlsx - Iranian budget table
▪ Iran 500k.txt - large list of telephone number data
▪ https://t.co/sxjTOX7ZzP - ~1.47 GB, archive related to Iranian nuclear authority / government website
▪ Defacement evidence and extracted databases from additional Iranian websites
‼️9,500 passport and national ID card scans allegedly being sold mainly from France and Turkey
A threat actor is selling a 4.01GB compressed archive of 9,542 passport and national identity card scans, advertised as primarily sourced from France and Turkey but spanning multiple countries. The listing is priced at $1,000.
Post details:
▸ Actor(s): NormalLeVrai
▸ Sector: Identity documents (multi-country)
▸ Type: Data Sale
▸ Format: PDF and image scans, 4.01GB compressed
▸ Price: $1,000
▸ Records: 9,542 documents
▸ Countries: Primarily France and Turkey (mixed others)
▸ Date: 10/05/2026
Compromised data:
▪ Passport scans
▪ National identity card scans
▪ Holder full names and dates of birth
▪ Document numbers
▪ Issue and expiry dates
▪ Issuing country and authority
▪ Photographs and signatures
🇫🇷 A threat actor is advertising an alleged dataset associated with SFR, one of France’s major telecommunications providers, claiming the database contains information tied to approximately 27 million records.
The forum post provides limited technical details regarding the contents of the alleged dataset, but the actor claims to possess a large-scale customer-related database.
At this time:
• The claims remain unverified
• There is no confirmation that SFR systems were breached
• The authenticity, origin, and recency of the alleged dataset remain unknown
Large telecom-related datasets may potentially contain:
• Customer contact information
• Phone numbers
• Subscriber records
• Address and billing-related information
• Account metadata and service details
If legitimate, exposure of telecommunications-related records could create significant risks including:
• SIM-swapping attacks
• Smishing and phishing campaigns
• Identity theft
• Account takeover attempts
• Social engineering targeting telecom customers
Users should remain cautious of:
• Unexpected SIM activation or carrier transfer notifications
• SMS messages requesting verification codes
• Suspicious calls impersonating telecom support personnel
Daily Dark Web is continuing to monitor underground channels for additional validation, samples, or official statements regarding the alleged dataset.
#DDW #Intelligence #CyberSecurity #DataLeak #DarkWeb #ThreatIntelligence #France #Telecom #SFR #DataBreach
‼️🇦🇺 1,169 Australian websites allegedly being sold as full panel access by a single threat actor
The threat actor claims to be selling full access to 1,169 Australian websites in their possession, delivered as a url:user:pass list that the seller says grants entry to the panels, databases, source code, and emails of each site. The listing is priced at $400.
Post details:
▸ Actor(s): NormalLeVrai (Immortal)
▸ Sector: Mixed (1,169 Australian websites)
▸ Type: Access Sale
▸ Format: url:user:pass list
▸ Price: $400 (one buyer only)
▸ Targets: 1,169 sites
▸ Country: Australia
▸ Date: 07/05/2026
Compromised data and capabilities:
▪ Admin panel credentials for 1,169 Australian websites
▪ Database access for each site
▪ Source code access
▪ Hosted email accounts and inboxes
▪ Site configuration and stored content
‼️🇫🇷 Deezer allegedly leaked exposing 2.5 million Russian user records from the French music streaming platform
A threat actor claims to have leaked a Russian-region subset of Deezer, the French music streaming platform, releasing 2,557,577 records. The CSV sample (filename "deezer_russian.csv") shows user IDs, full names, gender, dates of birth, emails, and country/language codes.
Post details:
▸ Actor(s): NormalLeVrai
▸ Sector: Music streaming / Entertainment
▸ Type: Data Leak
▸ Format: CSV
▸ Price: Free
▸ Records: 2,557,577
▸ Country: France (Russian user subset)
▸ Date: 07/05/2026
Compromised data:
▪ User ID
▪ First name and last name
▪ Gender
▪ Date of birth
▪ Email address
▪ Country code
▪ Language code
‼️🇫🇷 NRJ Mobile allegedly leaked exposing 266K customer records from the French MVNO
A threat actor claims to have leaked a database from NRJ Mobile (https://t.co/c4cfiEhsSY), a French mobile virtual network operator, releasing it for free under the hashtag #freebreach3d. The 266,345-record sample includes full customer profiles with banking identifiers (IBAN/BIC) and Freebox account references in JSONL format.
Post details:
▸ Actor(s): NormalLeVrai
▸ Sector: Telecommunications (MVNO)
▸ Type: Data Leak
▸ Format: JSONL
▸ Price: Free
▸ Records: 266,345
▸ Country: France
Compromised data:
▪ Internal ID and customer code
▪ Title, first name, last name
▪ Email address
▪ Phone numbers (primary and secondary)
▪ Street address, postal code, city, country
▪ Individual type
▪ IBAN and BIC banking identifiers
▪ Freebox ID
▪ Account status (active/inactive)
▪ Registration date
▪ Retention offer flag and additional mobile loan flag
🚨 CYBER THREAT INTELLIGENCE BULLETIN: ACTIVITY OF THREAT ACTOR "NORMALLEVRAI" 🌍💻📂 [STATUS: ACTIVE THREAT]
An international data exfiltration campaign perpetrated by the threat actor NormalLeVrai has been detected. Through incident monitoring dashboards (Threat Intelligence Report), two new data breaches—recorded simultaneously on May 6, 2026—have been classified, affecting infrastructure and citizens in Europe and Latin America.
Sector: Telecommunications (> TELECOM).
Entity / Target: NRJ Mobile (Mobile Virtual Network Operator).
Volume: 266K (266,000) records.
Threat Actor: NormalLeVrai.
Date Recorded: 2026-05-06.
Case #5873: +24M Mexican Civilians (Mexico 🇲🇽)
Sector: Unclassified (> UNCLASSIFIED) – Direct impact on citizen records.
Entity / Target: Civilian population of Mexico.
Volume: Over 24 million records (+24M).
Threat Actor: NormalLeVrai.
Date Recorded: 2026-05-06.
🛡️ Strategic Recommendations
🔗 IoC Correlation: SOC/CTI teams are advised to cross-reference Indicators of Compromise (IoCs) and technical infrastructure across both incidents to identify shared patterns or tools utilized by this attacker.
Monitor: https://t.co/wk9bZJ2Nli
#CyberSecurity #DataBreach #NormalLeVrai #Mexico #France #ThreatIntelligence #VECERT #CyberAlert 🌍🛡️⚠️🚨💻
‼️🇲🇽 Over 24 million Mexican civilian records allegedly leaked across two combined files
A threat actor claims to have posted two files together containing more than 24 million Mexican civil records, released for free. The samples include personal identifiers, demographic details, employment, and relationship status, with one database alone listed at 24,730,562 entries.
Post details:
▸ Actor(s): NormalLeVrai
▸ Sector: Government / Civil Records
▸ Type: Data Leak
▸ Format: TXT and XLSX (two files)
▸ Price: Free
▸ Records: 24M+ (one DB listed at 24,730,562)
▸ Country: Mexico
Compromised data:
▪ Numeric ID and secondary ID
▪ First name and last name(s)
▪ Gender
▪ Marital/relationship status
▪ Employer or workplace
▪ Birth year / age indicator
▪ City, state, and country of residence
▪ Free-text personal notes/descriptions
▪ Occupation or housewife status
🚨 CYBERINTEL ALERT: ALLEGED MASS DATA LEAK – BURGER KING RUSSIA 🇷🇺🍔📂🔓 [STATUS: UNDER INVESTIGATION]
A post has been detected from threat actor "NormalLeVrai," claiming to have compromised the database of the Russian branch of the fast-food chain Burger King (https://t.co/3o21fRBlCR). The actor has publicly claimed responsibility for this compromise; however, the scope and veracity of the breach have not yet been independently verified.
🏢 Allegedly Affected Entity: Burger King Russia.
👤 Threat Actor: NormalLeVrai
📂 Allegedly Compromised Asset: Customer and delivery service database.
📊 Leak Volume: Approximately 16,883,039 records.
📅 Publication Date: May 5, 2026.
📊 Scope of Shared Samples (PII)
The actor has provided a data sample containing Personally Identifiable Information (PII) belonging to customers in various cities, including Moscow, Saint Petersburg, and Krasnodar:
Identity and Contact: Names, phone numbers, and email addresses.
Demographic Data: Gender and date of birth.
Geographic Information: Physical addresses and time zones.
Consumption Profile: Favorite categories and dishes, loyalty segments, and transaction timestamps.
Security: Email and phone verification status.
🛡️ Preventive Response Recommendations
🔒 Credential Change: Users of https://t.co/3o21fRBlCR are advised to change their passwords immediately, particularly if they reuse those credentials across other services.
👁️ Contact Vigilance: Exercise extreme caution regarding suspicious phone calls or emails that reference specific order details or loyalty accounts.
Monitor: https://t.co/wk9bZJ3laQ
#CyberSecurity #Russia #BurgerKing #DataBreach #NormalLeVrai #PwnerSec #PII #VECERT #InfoSec #CyberAlert 🇷🇺🛡️⚠️🚨🍔