Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Phishing is no longer about badly written emails asking you to “click here.” Today’s attacks are business-grade, powered by AI and packaged in ready-to-use phishing kits. That means cybercriminals can now launch believable spearphishing campaigns in hours.

For companies, this raises the stakes. A single successful phishing email can expose confidential data, disrupt operations, and damage reputation. The question for managers is no longer whether phishing will target your organization, but how fast your team can detect and stop it.

****Why Modern Phishing is Harder to Catch****

Attackers have leveled up, and traditional filters struggle to keep up.

*   **AI-driven precision**: Attackers now generate flawless, personalized messages with no spelling or grammar mistakes, making them harder to spot by humans and machines.
*   **Phishkits for everyone**: These pre-built toolkits allow even inexperienced criminals to create convincing campaigns quickly.
*   **Advanced evasion**: Links hidden in QR codes, fake CAPTCHAs, and multi-step **redirect chains** slip past email filters and secure gateways.

Even well-equipped SOC teams find it challenging to separate real threats from the noise. And delays in detection create costly risks: longer investigation times, higher chances of compromise, and increased business impact.

****The Solution to Stopping Modern Phishing****

The most effective way companies are preventing data theft today is through interactive analysis. Unlike traditional tools that only scan for known indicators, interactive analysis simulates the entire attack journey as if a real user were engaging with the email or file.

This means hidden tricks, whether they involve layered redirects, fake login pages, or other evasive steps, are exposed in full. Security teams gain clear visibility into the entire execution chain, from the initial lure to the final payload.

Spearphishing attack caught inside ANY.RUN sandbox

That’s why more and more organizations are turning to interactive sandboxes like ANY.RUN. They provide teams with the insight needed to understand exactly how an attack unfolds, making it possible to block threats before they lead to data loss.

Visibility is powerful, but what makes the difference for modern teams is **automation**. This is where sandboxes like ANY.RUN excel, turning interactive analysis into a fully automated process that integrates seamlessly with existing SOC stacks. 

Let’s look at how this works in practice with a real-world phishing attempt aimed at Hitachi Energy employees.

Real Case: A Multi-Stage Phishing Attack Against Hitachi

The attack began with what looked like a normal HR email from “Hitachi Energy”, asking employees to review a new company policy. Polished design, urgent tone, even a security reminder; everything about it was convincing enough to slip past traditional filters and catch employees off guard.

With the help of automation, ANY.RUN was able to fully unravel this attack in a safe environment.

Fast verdict of malicious behaviour with relevant tags exposed inside ANY.RUN sandbox

**Malicious PDF Detected**

The attachment appeared harmless but contained a QR code instead of a clickable link; a tactic specifically designed to evade email security systems. ANY.RUN’s sandbox automatically flagged the suspicious behavior.

QR code with a hidden malicious URL detected by ANY.RUN

This early detection helps prevent employees from unknowingly scanning QR codes that lead to hidden threats.

**Hidden Link Extraction**

Once automated interactivity was enabled, the sandbox scanned the QR code, extracted the hidden URL, and opened it inside a browser, continuing the attack chain without analyst involvement.

  
**Bypassing CAPTCHA**

The attackers added another layer of defense: a Cloudflare CAPTCHA, meant to stop automated tools. ANY.RUN solved it automatically, just like a human would, and continued the investigation.

CAPTCHA verified automatically, saving time and effort

As a result, security teams don’t get stuck at roadblocks, saving hours of manual testing and guaranteeing deeper visibility.

**Credential Harvesting Page Exposed**

The final stop was a fake Microsoft login page, designed to steal employee credentials. A well-crafted replica that many people would likely trust. By exposing the fake login page safely, the sandbox provided teams with a clear malicious verdict before any real credentials could be compromised.

Fake Microsoft page designed to steal credentials

**IOC Collection and Reporting**

Along the way, ANY.RUN gathered all IOCs (indicators of compromise), mapped the attacker’s processes, and generated a detailed report ready for sharing across the SOC.

Well-structured report for sharing between team members

These IOCs can be fed directly into SIEM/SOAR systems to strengthen detection rules, train employees, and build a strategy that prevents similar data theft attempts in the future.

****How Automation Strengthens Phishing Response****

Modern phishing campaigns aren’t just technical challenges but also operational ones. Attacks like the Hitachi case are designed to drain time, mislead staff, and slip through traditional defenses. Automation changes the equation, giving organizations the ability to handle phishing with speed and confidence.

*   **Faster, Reliable Decisions:** Move from a suspicious email to a clear, evidence-backed verdict in minutes. Faster decisions mean less downtime, lower risk of data theft, and reduced financial exposure.
*   **Reduced Operational Costs:** With automation handling phishing detection end-to-end, fewer staff hours are wasted on repetitive checks. Your team can cover more ground without increasing headcount.
*   **Optimized Talent Use:** Junior staff can confidently handle phishing triage with automated support, while senior analysts dedicate their time to higher-value activities like threat hunting and strategy.
*   **Lower Business Risk:** By exposing full attack chains, including hidden redirects and fake login pages, managers get assurance that threats are caught before credentials or sensitive data are stolen.
*   **Proven Efficiency Gains:** Organizations using ANY.RUN have reported up to **3x faster phishing detection and response times**, translating to fewer escalations, stronger compliance, and lower incident costs.

****Expose Phishing Tricks Before Data is Stolen****

  
Phishing attacks are becoming harder to spot, but with ANY.RUN, organizations don’t have to rely on guesswork or slow manual checks. By automating interactive analysis, the sandbox reveals every hidden step, so teams can act before data is compromised. 

With clear reports, ready-to-use IOCs, and seamless SOC integration, ANY.RUN helps businesses cut investigation time, reduce analyst workload, and strengthen defenses where it matters most.

How to Automate Phishing Detection to Prevent Data Theft

Australian ISP iiNet confirms data breach as hackers stole 280,000 email accounts, phone numbers and user data using…

Australian ISP iiNet confirms data breach as hackers stole 280,000 email accounts, phone numbers and user data using stolen employee credentials, TPG says.

Australian internet provider iiNet has confirmed a data breach in its order management system, with parent company TPG Telecom reporting that customer information was accessed using stolen employee credentials.

The breach was detected on Saturday, 16 August 2025, after attackers used stolen employee credentials to gain access to the system. According to TPG, the information exposed was limited in scope compared with other recent corporate breaches, but the details are still sensitive enough to cause problems for customers.

Initial investigations show that around 280,000 active iiNet email addresses were exposed, along with 20,000 landline numbers and about 10,000 usernames, street addresses, and phone numbers. A smaller but significant set of roughly 1,700 modem setup passwords was also compromised.

While the company says that no financial records, identity documents, or payment details were included, cybersecurity experts warn that personal contact information is often valuable to criminals who launch phishing and social engineering attacks.

TPG Telecom said it acted quickly once the breach was confirmed. The company disabled the compromised accounts, brought in external security specialists, and informed the Australian Cyber Security Centre, the National Office of Cyber Security, and the Office of the Australian Information Commissioner. This shows the seriousness of the case, since coordination with government agencies is only triggered in incidents considered significant.

If you are an iiNet customer, change any passwords linked to iiNet services, especially if the same credentials are used across multiple platforms. Remain alert for suspicious emails or calls that may try to exploit the exposed information.

****Second TGP Data Breach Since 2022****

This is not the first time TPG and iiNet have faced cybersecurity incidents. In December 2022, as reported by Hackread.com, hackers breached TPG Telecom’s email service and accessed client data.

This incident adds iiNet to the growing list of Australian companies that have been hit by cyberattacks in recent years. In September 2022, Optus, the country’s second-largest telecom firm, suffered a data breach that exposed the personal details of millions of customers. The incident also led the company to issue a public apology.

TPG has begun notifying both impacted and non-impacted customers as a precaution, offering resources to help them secure their accounts.

Australian ISP iiNet Reports Data Breach, Customer Accounts Stolen

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster…

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster that are controlled by a single company and use dangerous security practices, including hard-coded passwords and weak encryption.

A new research paper titled “Hidden Links: Analyzing Secret Families of VPN Apps” has exposed how some popular Virtual Private Network (VPN) providers intentionally hide their true ownership and share security flaws.

The paper was co-authored by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall and published by Citizen Lab. Their study involved a deep analysis of apps from the Google Play Store, looking at everything from code similarities and network communications to business filings.

Researchers identified three families of VPNs that are secretly operated by the same entity. The most notable group includes Innovative Connecting, Autumn Breeze, and Lemon Clove, which have over 700 million downloads combined.

These companies distribute apps such as Turbo VPN, VPN Monster, and Snap VPN, and are linked to a Chinese national security firm, Qihoo 360, which has been sanctioned by the US government.

It is worth noting that Turbo VPN and Snap VPN were also named in the Tech Transparency Project’s June 2025 report, which cited national security concerns related to the possibility of these VPNs transferring US data to China.

A second family of providers, with over 380 million downloads, included MATRIX MOBILE PTE LTD and ForeRaya Technology Limited. A third family included Fast Potato Pte. Ltd and Free Connected Limited.

Further probing revealed that many of these VPNs use a specific technology called Shadowsocks, which was originally created to bypass internet censorship in China, not to provide privacy. The apps used outdated and unsafe methods for encryption, making them easier to hack. Some apps were also caught collecting a user’s location and sending it to a server, even though their privacy policies promised they wouldn’t.

Another key finding (PDF)was that these apps share not only code but also serious security vulnerabilities. For example, two of the families used a single, hard-coded password for their VPN apps. For your information, a hard-coded password is a secret key permanently built into an app, which means it’s the same for every single user. This allows anyone who discovers the password to decrypt the traffic of all users of that app, making their private information visible to eavesdroppers.

Researchers were able to use these shared passwords to confirm that different-looking VPN services were actually sharing the same servers. They also noted three other apps from VPN Super Inc., Miczon LLC, and Secure Signal Inc. that did not appear to have these hidden links.

Nonetheless, the shared security flaws mean that if one app in a family is vulnerable, so are all the others. These findings highlight that what appear to be distinct VPN apps are often part of a single, malicious network, putting millions of users at risk.

This is why it’s so important for users to know who is really behind their VPN service. The study emphasizes the critical need for transparency from VPN providers and calls on app stores like Google Play to improve how they verify the identity of app developers and audit app security.

Citizen Lab Reports Hidden VPN Networks Sharing Ownership and Security Flaws

The UK’s South Yorkshire Police lost 96,000 bodycam videos in a data transfer mishap, impacting 126 cases. Poor…

The UK’s South Yorkshire Police lost 96,000 bodycam videos in a data transfer mishap, impacting 126 cases. Poor backups and IT failures led to the deletion.

South Yorkshire Police (SYP) has been officially reprimanded by the Information Commissioner’s Office (ICO) after an investigation revealed the force deleted over 96,000 pieces of body-worn video (BWV) evidence. The incident, which happened on July 26, 2023, was a result of serious failures in the force’s IT systems and record-keeping.

In its official statement, the ICO, the UK’s data protection regulator, announced it had reprimanded SYP because the force “did not have the appropriate technical and organisational measures in place to keep the evidence secure.”

The investigation highlighted several key issues, including a delay in creating IT backup policies and poor record-keeping, which made it impossible for SYP to confirm exactly how many videos were permanently lost.

****How the Data Was Lost****

The issue started in May 2023 after an IT system upgrade. The main system, which officers used to upload their BWV footage, began to struggle with the data. To fix this, a temporary solution was put in place where the videos were stored on a local drive.

However, a few months later, on August 7, 2023, an SYP IT manager noticed a huge number of files were missing. A deeper inspection found that the mass deletion of 96,174 original video files had happened on July 26, 2023.

The deletion was part of a data transfer being done by a third-party company. While some of the footage had been copied to a new system (95,033 pieces), the police force’s poor record-keeping meant they couldn’t confirm exactly how many files were permanently lost.

An example of a South Yorkshire bodycam video

****Impact and Recommendations****

The lost data was connected to 126 criminal cases, but only three of those cases were directly affected. SYP stated that one case might have gone to court if the video evidence had been available.

The Information Commissioner’s Office has given SYP several recommendations to prevent this from happening again, including making sure they have a good backup solution and improving how they handle data with outside companies. SYP has since stated that they have implemented all of the recommendations.

According to Sally Anne Poole, the Head of Investigations at the ICO, this incident is a major lesson for all police forces using this type of technology. She emphasized that the public expects police forces to protect the personal information they handle. As Poole stated, “This incident highlights the importance of having detailed policies and procedures in place to mitigate against the loss of evidence.”

The full reprimand can be read here (PDF).

96,000 UK Police Bodycam Videos Lost After Data Transfer Mishap

Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks…

Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks exploiting a Windows zero-day.

Cybersecurity researchers at Microsoft discovered a new backdoor called PipeMagic while investigating attacks that abused a zero-day flaw in Windows CLFS (CVE-2025-29824). What makes this backdoor dangerous is how it poses as a legitimate open-source ChatGPT desktop application while delivering a framework for running ransomware operations.

PipeMagic relies on a modular design that loads different components as needed. These modules handle everything from command-and-control communication to payload execution, all while staying hidden through encrypted named pipes and in-memory operations. By separating its functions this way, the backdoor makes it far more difficult for defenders to detect or analyze.

It is worth noting that the ChatGPT Desktop project on GitHub mentioned by Microsoft (available here) is not malicious. What happened is that attackers used a trojanized copy of this app, since it’s open source, modified with hidden code, to deliver the PipeMagic backdoor. The legitimate version remains safe, but downloading from unofficial or compromised sites carries the risk of infection.

> _“The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.”_
> 
> Microsoft

****PipeMagic Attributed to Storm-2460****

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. In recent campaigns, the group used it alongside CVE-2025-29824, a privilege escalation vulnerability, to move from initial access to ransomware deployment.

The attacks have not been limited to one industry or geography, with victims identified targeting financial and real estate organizations in the United States, Europe, South America, and the Middle East.

Researchers examining PipeMagic found that it manages payloads through a set of linked lists that act like internal queues. Some lists hold modules waiting to be executed, others manage network communication, while one list remains unexplained but appears to be used dynamically by loaded payloads. This structure allows Storm-2460 to update or replace components on the fly, giving them flexibility without having to redeploy the entire backdoor.

According to Microsoft’s long technical blog post, the communication layer of PipeMagic is equally sophisticated. Instead of connecting directly to its command server, the backdoor loads a dedicated networking module that establishes a WebSocket-style connection with its operators.

This design keeps network traffic isolated from the rest of the backdoor, limiting detection opportunities. Once a secure channel is active, PipeMagic sends detailed system information, including bot ID, domain details, process integrity, and user context, before receiving instructions on what modules to run or which data to exfiltrate.

Storm-2460 can also insert new modules, update existing ones, gather hashes, enumerate processes, and even rename the backdoor executable for self-deletion. Therefore, Microsoft has released detections across Microsoft Defender products and is urging organizations to review their security.

PipeMagic shows just how far backdoors have evolved. By using a zero-day exploit with a modular backdoor, Storm-2460 built a tool that easily bypasses detection. The full Microsoft analysis goes deep into its internal structures and also offers mitigation guidance.

Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links and…

Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links and DLL side-loading to steal data.

A new, highly advanced cyber threat is on the rise, using fake copyright claims to trick businesses into downloading dangerous software. According to a new report from cybersecurity firm Morphisec, this malware is an upgraded version of the Noodlophile Stealer, which is now targeting companies in the US, Europe, Baltic countries, and the Asia-Pacific region.

Morphisec’s latest threat analysis, exclusively shared with Hackread.com, describes how the threat has evolved from its earlier method of using fake AI platforms to a more sophisticated approach. The diagram illustrates the step-by-step process of the attack, from the initial lure to the final data theft.

Attack Flow (Source: Morphisec)

Researchers found that this new attack uses highly personalized phishing emails disguised as official copyright infringement notices. The messages, which can be in multiple languages, are sent to key employees or the general company inboxes and often contain specific details about the company’s Facebook page, such as its unique ID.

This makes the emails appear genuine and creates a sense of urgency. The goal is to pressure a recipient into clicking a link to “view evidence” of the supposed violation, which is actually a download link for the malicious software.

One of the phishing emails disguising itself as a legal notice (Image via Morphisec)

****Delivery Method****

According to Morphisec’s blog post shared with Hackread.com, published ahead of publishing on Monday, 18, 2025, instead of fake websites, the malware is delivered via a Dropbox link that downloads a compressed archive like a ZIP file. This archive contains a legitimate application that has been tampered with to load a hidden malicious file, a technique known as DLL side-loading.

This method tricks trusted software (like PDF readers) into unknowingly running the malware. The final malicious code is disguised and uses the messaging app Telegram to evade detection by security tools.

****Stolen Data and Future Threat****

Once executed, the malware focuses on stealing a wide range of sensitive data from web browsers, including login credentials, credit card numbers, and autofill information. It also collects computer details like usernames and operating system versions.

Researchers note that the malware’s code contains placeholder functions, indicating that its creators plan to add more dangerous capabilities in the future, such as keylogging and capturing screenshots.

A key part of the process is bypassing security features in browsers like Chrome, allowing it to steal saved login data. The process of getting the final malware onto the computer is also heavily disguised, with files renamed to look like documents or images.

Considering the evolving nature of this threat, businesses must carefully monitor suspicious emails and inspect even those that appear to be from a trusted source to protect their valuable data.

Fake Copyright Notices Drop New Noodlophile Stealer Variant

A cyberattack on Manpower’s Michigan office compromised data for 144,000 people. Meanwhile, Workday reveals a data breach in…

A cyberattack on Manpower’s Michigan office compromised data for 144,000 people. Meanwhile, Workday reveals a data breach in a widespread scam. Read about these incidents and the growing threat of social engineering.

Two major companies, global staffing agency Manpower and business software provider Workday, have recently disclosed that they were victims of cyberattacks. These separate incidents affected the personal information of thousands of individuals and highlight the growing threat of data breaches to both businesses and their customers.

****Manpower Breach****

Manpower, a leading staffing firm, announced that a cyberattack on one of its franchise offices in Lansing, Michigan, exposed the personal data of 144,189 people. The company discovered the unauthorized access on January 20th, 2025, after an IT outage.

A subsequent investigation found that a hacker had been in their network from late December 2024 to mid-January 2025. Although the company did not name the attackers, a group called RansomHub claimed responsibility for the breach.

While Manpower is a part of ManpowerGroup, a spokesperson confirmed that the franchise operates on its own data platform, making the incident isolated and not affecting the larger corporate network.

To help those affected, Manpower is providing free credit monitoring and identity theft protection for one year. The company has also informed the FBI and plans to cooperate fully in holding the culprits responsible.

****Workday Breach****

Separately, business software giant Workday revealed a data breach related to a third-party Customer Relationship Management (CRM) platform, a software used to manage customer interactions. The company stated that the breach was part of a “social engineering campaign” targeting many large organizations.

For your information, social engineering is a way of tricking people into giving up information, often by pretending to be someone trustworthy, like an IT person. In this case, hackers got access to basic business contact details like names, emails, and phone numbers. Workday says there’s no sign that customer data was accessed.

“There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future,” Workday’s statement reads.

The attack is similar to a wider series of breaches linked to the notorious ShinyHunters group. Hackread.com has previously covered this group’s activities, which have been targeting employees with fake calls, impersonating IT support to access corporate databases.

Its recent targets include well-known firms like Google, LVMH, Chanel, and Adidas. Google’s threat intelligence group, which had been investigating ShinyHunters, recently confirmed that their own Salesforce database was breached by the group.

Manpower Data Breach Hits 144K, Workday Confirms 3rd-Party CRM Hack

WarLock ransomware claims breach at Colt and Hitachi, with Colt investigating and working to restore systems while experts…

WarLock ransomware claims breach at Colt and Hitachi, with Colt investigating and working to restore systems while experts review the alleged data theft.

When a new ransomware group shows up, many in the industry usually wait to see whether they can actually deliver on their threats. WarLock, which surfaced only two months ago, is trying to prove it can. This week, the group added Colt (colt.net) and Hitachi (hitachi.hta.com) to its victim list, claiming to have stolen sensitive data from both companies.

****Colt Data Being Sold for $200,000****

On its dark web leak site, WarLock claimed it has over one million documents linked to the UK-based telecommunications provider Colt. Instead of making a clear ransom demand, the group is offering the alleged trove for $200,000 through an associate account on a Russian cybercrime forum.

The data up for sale is said to include executive emails, employee salary information, financial records, customer contracts, internal personal details, and even network architecture and software development files.

A WarLock ransomware group affiliate using the alias “cnkjasdfgd” advertising alleged Colt data for sale (Image credit: KELA Cyber via BleepingComputer)

****Hitachi****

Hitachi was also named as a victim, though its case remains uncertain. The Japanese conglomerate briefly appeared on WarLock’s leak site before its name was taken down. Whether this means negotiations are ongoing or the data was overstated is still unclear.

Screenshot from the WarLock ransomware leak site showing Colt listed as a victim, along with Hitachi which has since been removed (Image credit: Hackread.com).

WarLock itself is a relatively new player in the ransomware market. The group was first advertised on a Russian forum in June 2025 and operates as a ransomware-as-a-service model, where affiliates carry out attacks under its banner.

Analysts link WarLock to a China-based threat actor known as Storm-2603, active since March this year. Since mid-July, the ransomware has been used in at least 11 confirmed attacks, several targeting government institutions. The same group was also spotted exploiting critical Sharepoint flaws in July.

Colt has since responded, but stopped short of confirming WarLock’s claims. In a statement to BleepingComputer, a company spokesperson said they are aware of the allegations and are investigating. The spokesperson added that technical teams are working to restore impacted internal systems with support from third-party cybersecurity experts, and thanked customers for their understanding while efforts continue to resolve the disruption.

Cybersecurity experts have been quick to weigh in on the Colt incident. Evan Powell, CEO of DeepTempo, shared his thoughts with Hackreadcom, emphasizing how service providers are especially vulnerable.

“Service providers have an immense challenge. They are attractive targets. They can be used for surveillance and to penetrate user environments by attackers, so they themselves are perhaps the most attractive attack vector to attackers. And service providers are responsible for keeping a network safe that has systems on it that they do not control, their own customer’s systems.”

Powell was also critical of Colt’s public response. “The announcements from Colt Telecom that they have taken ‘proactive measures’ to respond to the attackers are a bit cringy. It appears from reports that Colt was unaware of the severity of the attack as it unfolded, and as it continues to unfold. The attackers are moving faster than they are. Being truly proactive would have meant using advanced threat detection for the ever more advanced threats that are disrupting countless organizations around the world.”

He added that this situation is far from unique. “Unfortunately this is a common pattern in high stakes cybersecurity environments. Legacy vendors are extracting ever higher license fees for aging rules and traditional ML based detection systems, even while attackers are increasingly deploying methods that avoid such detections. We can expect to see many more successful attacks on especially service providers until they and their vendors deploy truly ‘proactive’ defenses, based upon the ability to actually see when they are being attacked.”

Hitachi’s situation is less clear, but its brief listing alone shows how aggressive the group wants to appear. Nevertheless, with a new ransomware outfit proving its reach so quickly, companies across the telecom and technology sectors need to remain alert.

WarLock Ransomware group Claims Breach at Colt Telecom and Hitachi

A seller named Chucky_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come…

A seller named Chucky\_BF is offering 15.8M PayPal logins with emails, passwords, and URLs. The data may come from infostealer malware logs.

A threat actor using the name Chucky\_BF on a cybercrime and hacker forum is advertising what they claim to be a massive **PayPal** data dump. The post describes a trove labeled “Global PayPal Credential Dump 2025,” allegedly containing more than 15.8 million records of email and plaintext password pairs.

The size of the dataset is said to be 1.1GB, and according to the seller, the leak covers accounts from many email providers and users in different parts of the world. What makes this claim threatening is not just the number of exposed accounts but also the type of data said to be included. Other than the email and password combinations, the seller mentions that many records come with URLs directly linked to PayPal services.

Endpoints like /signin, /signup, /connect, and Android-specific URIs are also referenced in the listing. These details suggest that the dump is structured in a way that could make it easier for criminals to automate logins or abuse services.

The description provided by Chucky\_BF describes the dataset as a goldmine for cybercriminals. The threat actor claims the records are “raw email:password:url entries across global domains,” warning that this could lead to credential stuffing, phishing schemes, and fraud operations.

A closer look by Hackread.com at the samples posted in the forum shows Gmail addresses paired with passwords and linked directly to PayPal’s login pages, while another features a user account appearing in both web and mobile formats, showing that the same account details were found in different versions of PayPal’s services, both web and mobile.

The way the data is put together is important. It seems to include a mix of real accounts and test or fake ones, which is often the case with stolen databases. The seller claims most of the passwords look strong and unique, but also admits many are reused. That means people who used the same password on other websites could be at risk well outside PayPal.

As for pricing, Chucky\_BF is asking for 750 US dollars for full access to the 1.1GB dump. That figure positions it in line with other credential dumps of similar size sold in cybercrime markets, which often find buyers among groups looking to monetize stolen accounts through fraud or resale.

If the claims are accurate, this would represent one of the larger PayPal-focused leaks of recent years, with millions of users across Gmail, Yahoo, Hotmail, and country-specific domains implicated.

Screenshot shows alleged PayPal data being sold on a hacker and cybercrime forum (Image credit: Hackread.com)

****Infostealer Logs as the Likely Source****

PayPal has never suffered a direct data breach in which attackers broke into its systems and stole millions of user records. Past incidents, including the one that **involved 35,000 users**, linked to the company have usually been the result of credential stuffing or data harvested elsewhere.

This makes it possible that the newly advertised dataset is not the product of a PayPal system breach at all, but rather the result of **infostealer malware** collecting login details from infected devices and bundling them together.

Additionally, the structure of the dataset shown in the samples shared by the threat actor suggests it may have been collected through infostealer **malware logs**. Infostealers infect personal devices and steal saved login details, browser data, and website activity, which later appear in bulk on cybercrime markets.

The presence of PayPal login URLs and mobile URIs in this dump makes it possible that the information was gathered from infected users worldwide, then compiled to be sold as a single **PayPal-focused leak**.

PayPal itself has not confirmed any such incident, and it is not yet clear whether the dataset is entirely authentic, a mix of real and fabricated records, or a repackaging of older leaks. Hackread.com has also not been able to verify whether the data is genuine, and only PayPal can confirm or deny the claims. The company has been contacted for comment, and this article will be updated accordingly.

Threat Actor Claims to Sell 15.8 Million Plain-Text PayPal Credentials

The Las Vegas Metropolitan Police Department announced the arrest of eight individuals, including a top Israeli official, in…

The Las Vegas Metropolitan Police Department announced the arrest of eight individuals, including a top Israeli official, in a sting operation combating internet crimes against children.

A high-ranking Israeli cybersecurity official was among eight men arrested in a major two-week undercover sting operation, according to a press release from the Las Vegas Metropolitan Police Department.

The operation, which targeted online users seeking to exploit children, was a joint effort by the Nevada Internet Crimes Against Children (ICAC) task force, the FBI’s Child Exploitation Task Force, and multiple local agencies, including the Henderson Police Department and Homeland Security Investigations.

The official has been identified as Tom Artiom Alexandrovich, 38. He was arrested alongside seven other suspects: David Wonnacott-Yahnke, 40; Jose Alberto Perez-Torres, 35; Aniket Brajeshkumar Sadani, 23; James Ramon Reddick, 23; Ramon Manuel Parra Valenzuela, 29; Neal Harrison Creecy, 46; and John Charles Duncan, 49. All eight men face felony charges of luring a child with a computer for a sex act.

A now-deleted LinkedIn profile under his name identified him as the executive director of the Israel Cyber Directorate, an Israeli government agency. At the time of his arrest, Alexandrovich was reportedly in Las Vegas for a major cybersecurity conference called Black Hat Briefings held from August 2-to-7, 2025, in Mandalay Bay, Las Vegas.

Tom Artiom Alexandrovich LinkedIn Profile (Source: X.com (@vxunderground))

A Post Likely from Tom Artiom Alexandrovich after Black Hat Briefings (Source: @icu\_luci )

According to the press release, Alexandrovich was booked into the Henderson Detention Center following his arrest. It is worth noting that under Nevada law, luring a child with a computer for a sex act can carry a prison sentence of one to ten years.

However, the incident has caused some confusion due to conflicting reports from the US and Israeli officials. While the LVMPD confirmed that all eight suspects were arrested and booked, Israel’s Prime Minister’s office has stated that the employee was not arrested but only questioned.

“A state employee who travelled to the US for professional matters was questioned by American authorities during his stay. The employee, who does not hold a diplomatic visa, was not arrested and returned to Israel as scheduled,” the prime minister’s office’s statement reads. Moreover, an Israeli news outlet, Ynet, reported that an employee of the Israel National Cyber Directorate had been questioned by US authorities and was back in his home country.

However, according to The Guardian’s report, Alexandrovich was charged with luring a child for a sex act but was later released and returned to Israel.

Nevertheless, the case shows the real dangers children face online and the ongoing work by law enforcement to protect them. It also shows why international cooperation and constant caution are necessary to bring offenders to justice.

Source

HackRead