🚨🇪🇸 A threat actor known as s4100n is selling a dataset allegedly containing Spanish and EU identity documents.
The actor claims to hold around 6,152 files totaling 11.4 GB, consisting of photographs of Spanish DNI cards (front and back). Sample ID images have been posted, with the dataset priced at $450.
Claim is unverified.
🚨🇪🇸 A threat actor known as catwoman, posting under the group The Negratas, claims to have breached a massive Spanish state digital administration agency that stored identity documents and citizen data.
The actor claims around 11.4 million Spanish IDs were obtained in June 2026, including DNI/national ID numbers, full names, facial photographs, signatures, dates and places of birth, parents' names, home addresses, document issue/expiry dates, machine-readable zone (MRZ) data, and security feature information.
Sample ID images are placed behind a login wall, with the dataset offered for sale.
Claim is unverified.
‼️ THIS IS HUGE
🇪🇸 Spanish energy giant Naturgy is allegedly being sold on a cybercrime forum following a claimed compromise affecting 1.6 million citizens.
* Threat actor claims the database contains personal and customer records belonging to more than 1.6 million individuals
* Allegedly exposed data includes names, DNI/NIF numbers, addresses, phone numbers, email addresses, contract information, and IBAN bank account details
* Seller is offering sample records and advertising the dataset to potential buyers
Analyst Note:
Utility providers hold some of the most complete customer profiles available outside the financial sector. If authentic, this dataset could enable identity theft, financial fraud, account impersonation, and highly targeted phishing campaigns. The alleged exposure of IBAN information significantly increases the risk to affected individuals.
#DDW #Intelligence #DarkWeb #Naturgy
🇪🇸 A threat actor is advertising an alleged dataset tied to MASMOVIL (https://t.co/kNdugBVm0y) containing approximately 742,000 records associated with telecom customers, orders, and support-ticket data.
According to the listing, the dataset allegedly includes structured customer-identification, order-management, and customer-support information related to telecom subscribers.
The exposed sample fields shown in the listing allegedly include:
* Full names
* Email addresses
* Mobile and alternate phone numbers
* Physical addresses
* Tax identifiers
* Date of birth information
* Membership and loyalty-status data
* Password hashes
* Order and invoice records
* Shipping and billing details
* Customer-support tickets
* Internal support notes
* CRM and segmentation metadata
* Customer satisfaction and escalation records
Particularly concerning aspects of the alleged dataset include:
* Password-hash exposure
* Telecom subscriber information
* Billing and shipping records
* Internal customer-service workflows
* CRM and loyalty-program metadata
* Support-ticket escalation history
Telecom-sector datasets are highly valuable within cybercriminal ecosystems because they often contain verified contact information, identity-linked metadata, and operational account details useful for account takeover and fraud operations.
Potential abuse scenarios may include:
* SIM-swapping attacks
* Credential-stuffing operations
* Telecom account takeovers
* Identity theft and impersonation
* Targeted phishing and SMS campaigns
* Social-engineering attacks against subscribers
* Fraud involving billing or service accounts
The inclusion of password hashes and telecom-account metadata significantly increases the operational risk associated with the alleged exposure, especially if users reuse credentials across multiple services.
At this stage, the authenticity and scope of the alleged dataset have not been independently verified.
#DDW #Intelligence #DarkWeb #Spain
🇪🇸 A threat actor is advertising alleged access to a Spanish public management payroll administration panel containing 371 employee payroll accounts.
According to the post, the actor claims the ability to:
• modify employee banking details
• alter IBAN-related payment information
• redirect payroll deposits
• access payroll records for April transactions
The threat actor further alleges:
• nearly €1 million in payroll transactions
• persistent access for approximately two months
• administrative-level privileges inside the platform
If authentic, this type of compromise moves beyond traditional data theft into direct financial fraud territory.
Payroll system compromises are particularly dangerous because attackers may:
• reroute salaries to mule accounts
• manipulate banking information before payment cycles
• conduct insider-style financial fraud
• leverage employee trust and HR workflows
• exploit SEPA transfer ecosystems for rapid cash-out operations
This also highlights the growing convergence between cybercrime and financial operations targeting public-sector administrative infrastructure.
At this stage, the authenticity, persistence level, and operational impact of the alleged access remain unverified.
#DDW #Intelligence #SpainPayrolls #DarkWeb
🇪🇸 A threat actor is advertising an alleged dataset tied to Spain’s Agencia Tributaria electronic platform — the country’s official tax administration portal.
According to the listing, the exposed records allegedly include:
• full names
• DNI/NIE/CIF national identity identifiers
• birth dates
• residential information
• multiple phone numbers
• country/province data
• taxpayer-related metadata
• technical indicators/flags
And if authentic, this is exactly the kind of dataset cybercriminals love most:
high-confidence identity infrastructure.
Why?
Because government-linked identity datasets dramatically increase the effectiveness of:
• financial fraud
• tax scams
• identity theft
• synthetic identity creation
• banking impersonation
• social engineering
• telecom fraud
• SIM swapping
• account recovery abuse
One especially important point:
DNI/NIE identifiers are foundational identity attributes in Spain.
When attackers combine:
• national IDs
• phone numbers
• birth dates
• residence information
they can often build highly convincing fraud profiles.
And modern cybercrime is increasingly about:
identity correlation.
Not just “stealing passwords.”
Another major concern:
tax-related data carries unusually high trust value.
People panic when they receive:
• tax notices
• audit warnings
• refund alerts
• “missing payment” messages
Attackers know this extremely well.
So datasets like these can become fuel for:
• phishing campaigns impersonating tax authorities
• fake refund operations
• identity verification fraud
• malicious e-signature requests
• banking takeover attempts tied to tax filings
And yes…
some phishing emails now have better branding consistency than government portals themselves.
The listing also references:
• electronic certificates
• digital signatures
• taxpayer verification systems
which is particularly notable because trust ecosystems around digital identity infrastructure are now prime targets globally.
Governments increasingly rely on:
• centralized citizen identity systems
• e-government platforms
• electronic signatures
• digital tax workflows
which means compromise impact scales rapidly.
Another trend worth watching:
large citizen identity datasets are becoming strategic underground assets.
They are reused repeatedly across:
• fraud marketplaces
• credential stuffing ecosystems
• KYC bypass operations
• crypto onboarding fraud
• mule recruitment
• financial identity laundering
because verified identity data is now effectively a commodity.
At this stage, the authenticity and scope remain unverified.
However, organizations operating national-scale digital identity infrastructure should continuously monitor for:
• credential exposure
• unauthorized API access
• abnormal taxpayer queries
• identity enumeration activity
• phishing campaigns abusing government branding
• suspicious document verification requests
• e-signature abuse attempts
• underground marketplace activity targeting citizen records
Because once identity infrastructure data enters criminal ecosystems, the downstream effects can persist for years.
🇪🇸 #DDW #Intelligence #CyberSecurity #DarkWeb #Spain #DataLeak #ThreatIntelligence #IdentityTheft #Infosec #Fraud
‼️ LAPSUS$ Group announces a joint for-sale post with TeamPCP for the GitHub internal repositories.
TeamPCP launched a for-sale post yesterday on a popular cybercrime forum for at least $50,000.
THEY ARE GOING TO BAN VPNs
‼️ We have just updated the TeamPCP supply chain attack tracker at https://t.co/8f2faeDfw1 after TeamPCP supplied us with a small list.
This brings the total to 89❗️ affected orgs, of which 68 are alleged victims:
🇺🇸 MedWork (medwork[.]io)
🇧🇷 Tuna Pagamentos (tunapagamentos[.]com[.]br) — [data sold]
🇨🇭 Sportradar (sportradar[.]com) — [data open for sale, NASDAQ ~$4.98B]
🇧🇷 Nuvidio (nuvidio[.]com[.]br)
🇨🇦 IDMelon / SecurityKey (idmelon[.]com)
Vect and TeamPCP have reportedly partnered, but that is not all. Every member of Hasan BF automatically becomes an affiliate.
We have never seen anything like this before. What is going on? 😂
❗️Just 13 hours after TeamPCP's Trivy supply chain exploitation, one of the groups involved was already recruiting negotiators.
Today the group announced a partnership with BreachForums: every forum user automatically becomes an affiliate, with ransomware and support included.
🚨 TeamPCP Supply Chain Attack — Multi-Stage Cloud-Native Campaign Uncovered
A sophisticated campaign attributed to TeamPCP has compromised multiple ecosystems through a chained supply chain attack impacting Trivy, KICS, LiteLLM, and 45+ npm packages.
Key highlights:
• Initial access via exposed PAT (Pwn Request)
• Malicious packages pushed into CI/CD pipelines
• Lateral movement through Aqua Security’s Trivy ecosystem
• Deployment of Kubernetes wiper + worm (https://t.co/Yk62fLIMRF evolution)
• Expansion into Checkmarx and broader developer ecosystems
⚠️ The attack propagated in under 5 days, combining credential theft, poisoned dependencies, and automated distribution pipelines.
This campaign demonstrates how modern supply chain attacks are fast, scalable, and cloud-native by design, targeting developers as the new attack surface.
#CyberSecurity #SupplyChainAttack #ThreatIntel #DevSecOps #CloudSecurity #Kubernetes #Infosec #DailyDarkWeb
🚨Cyber Alert ‼️
🇪🇸Spain - Ministerio de Hacienda
The threat actor going by the name ‘HaciendaSec’ claims to have breached the Ministerio de Hacienda.
Allegedly, the attackers are offering for sale an updated database covering 47.3 million citizens, including DNI/NIF numbers, full names, residential addresses, phone numbers, email addresses, IBAN bank details, and tax-related financial information.
Sector: Government
Threat class: Cybercrime
Observed: Jan 31, 2026
Status: Pending verification
—
About this post:
Hackmanac provides early warning and cyber situational awareness through its social channels. This alert is based on publicly available information that our analysts retrieved from clear and dark web sources. No confidential or proprietary data was downloaded, copied, or redistributed, and sensitive details were redacted from the attached screenshot(s).
For more details about this incident, our ESIX impact score, and additional context, visit https://t.co/eB7qgxLdpI.
🚨Cyber Alert Update‼️
🇪🇸Spain - Endesa
The hacker who claimed to have breached Endesa has leaked data from 300,000 customers and is threatening to sell over 1TB of data, affecting more than 20 million people, unless the company responds by February 2–3, 2026.
The attacker reportedly accessed Endesa’s commercial platform and exfiltrated customer contact details, identity documents, and IBANs. A small sample was released earlier, followed by a larger leak to escalate pressure. Endesa has confirmed the unauthorized access.
Source: https://t.co/oUXxlko4Z3