Dark Web Informer

Extracts structured records from government registries including business registrations, corporate filings, tax records, and parliamentary data across 6 separate databases.

T1005 Data from Local System

Collects data directly from compromised government systems, extracting full database tables with millions of records including personal and corporate information.

T1560 Archive Collected Data

Organizes and packages stolen data into structured CSV and JSON formats across 6 categorized databases for distribution through a custom marketplace.

Distributes stolen government data through a purpose-built web marketplace with automated downloads, credit-based purchasing, and cryptocurrency payment processing.

Harvests personal contact information, demographics, and identification details for 8 million individuals from government registries for resale as leads.

Sector Drainer Advertised as Crypto Wallet Drainer-as-a-Service With 0-Day Phantom Bypass, Hidden Drain, and Autowithdraw Capabilities

Dark Web Informer — Wed, 18 Mar 2026 17:17:22 GMT

Quick Facts

Date & Time 2026-03-18 13:06:24 UTC

Threat Actor SectorD

Service Name Sector Drainer

Category Drainer-as-a-Service (DaaS)

Severity High

Wallets Supported 150+

Revenue Model 80/20 Revshare

Claimed Profits >$4M (Team Total)

Network Open Web

Active Since 2024 (Claimed)

Incident Overview

A threat actor going by SectorD is advertising a drainer-as-a-service platform called Sector Drainer, marketed as a full-stack crypto wallet draining solution with claimed 0-day exploits, scam warning bypasses, and turnkey phishing infrastructure. The actor claims the operation has been running since 2024 with hundreds of partners and over $4 million in total team profits.

The listing is broken into several capability categories:

Exploit Capabilities: Claims a 0-day Phantom exploit that bypasses Lighthouse and Safeguard protections to perform hidden drains starting from assets as low as $5-10. The service also claims hidden drain functionality across all wallets updated through 2025-2026, fake token receiving via honeypot techniques, and unique spoofing for Trust Wallet, Phantom, MetaMask, and Rabby.
Security Bypasses: Claims to bypass scam warnings on Phantom, MetaMask, SEAL, Blockaid, Hashdit, Scam Sniffer, and WalletGuard. Also claims full bypass of in-app browsers on Telegram, X (Twitter), and Discord.
Drainer Features: Supports over 150 wallets with deep link and QR code connection methods. Capable of draining TRC20, BEP20, ETH, SOL tokens, NFTs, native staked assets, and DeFi positions. Includes gasless transactions via fee sponsorship, automatic profit splitting, and autowithdraw that triggers on any victim wallet top-up with no expiration. Claims wallet scan times under 0.4 seconds and transaction confirmation under 0.8 seconds on self-hosted infrastructure with no external API dependencies.
Infrastructure: Includes free domains, hosting, cloaking, and DDoS protection. Provides 70+ pre-built landing pages for fake airdrops, mints, claims, and similar lures, along with a landing generation tool, site copying capabilities, and an advanced landing API.
Business Model: Operates on a revshare basis starting at 80/20 (partner keeps 80%) scaling to 90/10 after reaching $5-10K in stolen funds. Minimum deposit varies, with some examples listing $1,000. Setup is claimed to take 10 minutes.

Worth noting that the actor's forum account was created in March 2026 with only 1 post, 1 thread, and 0 reputation, which is a common profile for newly registered accounts advertising DaaS platforms. The listing includes a high-conversion wallet connect UI/UX claim of over 95%, 24/7 support via Telegram, and full documentation. The actor directs interested parties to contact via Telegram or Session messaging.

Targeted Assets & Platforms

Phantom Wallet MetaMask Trust Wallet Rabby Wallet 150+ Additional Wallets ETH / ERC-20 Tokens SOL / SPL Tokens TRC-20 / BEP-20 Tokens NFTs Native Staked Assets DeFi Positions Telegram In-App Browser X (Twitter) In-App Browser Discord In-App Browser

Image Preview

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.

Subscriber Access View the original listing URL and unredacted claim images on the feeds below.

Threat Feed Ransomware Feed

MITRE ATT&CK Mapping

T1566.002 Phishing: Spearphishing Link

Uses fake airdrop, mint, and claim landing pages to lure victims into connecting their wallets, serving as the primary delivery mechanism for the drainer.

T1204.001 User Execution: Malicious Link

Relies on victims clicking malicious links and approving wallet transactions on spoofed landing pages designed to appear legitimate.

T1036 Masquerading

Spoofs legitimate wallet interfaces for Trust Wallet, Phantom, MetaMask, and Rabby to trick users into authorizing malicious transactions.

T1562.001 Impair Defenses: Disable or Modify Tools

Bypasses scam detection warnings from security tools like SEAL, Blockaid, Hashdit, Scam Sniffer, and WalletGuard to prevent victims from being alerted.

T1059 Command and Scripting Interpreter

Executes automated scripts to scan wallets in under 0.4 seconds, identify drainable assets across multiple token standards, and initiate transactions.

T1102 Web Service

Leverages Telegram, X, and Discord in-app browsers as attack vectors, and uses legitimate web infrastructure with cloaking and DDoS protection to host phishing pages.

Alleged Breach of Daryn Online Exposes 4 Million User Records From Kazakhstan's Largest Education Platform

Dark Web Informer — Wed, 18 Mar 2026 16:26:34 GMT

Quick Facts

Date & Time 2026-03-18 06:21:24 UTC

Threat Actor Shinchan

Victim Daryn Online (daryn.online)

Industry Education

Category Data Breach

Alleged Records ~4 Million Users

Data Size 1 GB+

Price Contact Seller

Network Open Web

Country Kazakhstan

Incident Overview

A threat actor going by Shinchan claims to be selling a full user database from Daryn Online, one of Kazakhstan's largest online education platforms. Launched in 2019 and backed by Bugin Holding, the platform offers 28 different educational services including school curriculum support, national exam preparation (ENT/UBT), robotics courses, and art programs, reportedly serving over 3.5 million active users across the region.

The actor is selling the complete dataset only, with no partial sales available. The listing specifies the following data fields are included:

Personal Information: First names, last names, and birthdates for each user account.
Contact Data: Phone numbers and email addresses.
Credentials: Passwords, remember tokens, email hash tokens, and mobile tokens, which could allow direct account takeover if the tokens are still valid.
Profile Data: Avatar URLs and associated profile details.
Scale: Approximately 4 million user records totaling over 1GB of data.

The inclusion of authentication tokens alongside passwords makes this particularly dangerous. Even if passwords have been changed, valid remember tokens or mobile tokens could still grant access to user accounts without needing the updated credentials. Given the platform's user base consists largely of students, many of the affected individuals are likely minors. The actor provided data proof screenshots and sample records to demonstrate authenticity, and is directing buyers to contact them via Telegram or Session for pricing.

Compromised Data Categories

Full Names Phone Numbers Email Addresses Passwords Authentication Tokens Email Hash Tokens Mobile Tokens Birthdates Avatar / Profile Data

Image Preview

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application

Targets vulnerabilities in internet-facing web applications to gain unauthorized access to backend databases containing user records.

T1555 Credentials from Password Stores

Extracts stored passwords and authentication credentials from the platform's database, enabling direct account takeover for millions of users.

T1528 Steal Application Access Token

Harvests remember tokens, email hash tokens, and mobile tokens that can be used to bypass authentication and access accounts without passwords.

Extracts structured user data from application databases, pulling personal information, credentials, and profile details from the platform's backend.

Collects email addresses and phone numbers from the breached database for resale, enabling phishing, credential stuffing, and social engineering attacks.

Uses web forums, Telegram, and Session messaging to advertise, distribute samples, and sell the stolen database to interested buyers.

Partial Leak of Knownsec Corporate Documents Resurfaces With Espionage Tradecraft, Offensive Cyber Tools, and Global Targeting Evidence

Dark Web Informer — Wed, 18 Mar 2026 15:24:27 GMT

Quick Facts

Date & Time 2026-03-18 00:56:35 UTC

Threat Actor Blastoize

Victim Knownsec (知道创宇)

Industry Cybersecurity / Government

Category Corporate Document Leak

Leak Status Partial Download

Original Breach November 2025

Original Documents 12,000+ Classified Files

Price Free (Partial Leak)

Network Open Web

Country China

Severity Critical

Incident Overview

A threat actor going by Blastoize has posted a partial download of corporate documents from Knownsec, a major Chinese cybersecurity firm with well-documented ties to the Chinese government and military. This is not a new breach but rather a redistribution of data from the original Knownsec leak that first surfaced in November 2025, which has been widely regarded as one of the most significant exposures of state-sponsored cyber capabilities in recent years.

The actor references reporting from both Gopher Security and Resecurity that provide extensive analysis of the leaked material. The original breach exposed over 12,000 classified documents and revealed the inner workings of a firm that operates at the intersection of China's commercial cybersecurity sector and its state intelligence apparatus. Key revelations from the original leak include:

Offensive Cyber Tools: Remote Access Trojans (RATs) engineered for Linux, Windows, macOS, iOS, and Android, plus Android-specific malware designed to extract message histories from Chinese chat applications and Telegram.
Hardware Attack Vectors: Physical devices including a malicious power bank engineered to covertly upload data from victims' devices while appearing to function as a standard charger.
Global Target Lists: Spreadsheets documenting over 80 overseas targets across more than 20 countries, including government agencies, telecommunications providers, and critical infrastructure operators.
Stolen Data at Scale: Evidence of massive exfiltration operations including 95GB of Indian immigration records, 3TB of South Korean call records from LG U Plus, and 459GB of Taiwanese road planning data.
Government Collaboration: Documents showing direct collaboration with Chinese government agencies including Chinese Police No.3 Research Department on data collection and network entity research projects.
Internal Surveillance: Tools used not only externally against foreign targets but also internally to track Chinese companies and individuals for intelligence, control, and counterintelligence purposes.

The Chinese government has officially denied and downplayed the incident. When questioned, the Chinese Foreign Ministry stated they were unaware of any breach at Knownsec and reiterated that China "firmly opposes and combats all forms of cyberattacks." Resecurity's analysis suggests the source of the original leak was likely an insider (rogue employee) rather than an external hack, drawing parallels to the i-Soon leak that exposed similar state-linked cyber operations in 2024. The fact that this data continues to resurface and circulate months later underscores its significance to the threat intelligence community.

Exposed Data Categories

Classified Corporate Documents Offensive Cyber Tool Source Code Remote Access Trojans (RATs) Hardware Attack Tool Specifications Global Surveillance Target Lists Government Collaboration Records Stolen Foreign Government Data Telecommunications Intercept Records Critical Infrastructure Intelligence Internal Operational Procedures

Image Preview

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.

MITRE ATT&CK Mapping

T1587.001 Develop Capabilities: Malware

Develops custom malware including RATs for multiple operating systems, enabling persistent remote access to compromised targets worldwide.

T1195.002 Supply Chain Compromise: Software

Uses hardware-based attack tools like modified power banks to covertly exfiltrate data from victims' devices through supply chain manipulation.

T1005 Data from Local System

Collects massive volumes of data from compromised systems, including immigration records, telecom call logs, and critical infrastructure data across multiple countries.

T1059 Command and Scripting Interpreter

Deploys cross-platform RATs that execute commands and scripts on victim machines across Linux, Windows, macOS, iOS, and Android environments.

T1557 Adversary-in-the-Middle

Intercepts communications and data in transit, evidenced by the 3TB of telecom call records exfiltrated from South Korean provider LG U Plus.

T1592 Gather Victim Host Information

Uses ZoomEye, Knownsec's global vulnerability scanning tool, to map and enumerate target infrastructure, building a Critical Infrastructure Target Database prioritizing Taiwan, the US, Japan, India, and Korea.

T1199 Trusted Relationship

Leverages Knownsec's position as a trusted cybersecurity provider to access client systems and government networks under the guise of legitimate security services.

T1048 Exfiltration Over Alternative Protocol

Transfers massive stolen datasets out of target environments using alternative channels, with documented exfiltration of hundreds of gigabytes per operation.

changedetection.io: Self-Hosted Website Change Monitoring with 30k Stars and 203 Releases

Dark Web Informer — Tue, 17 Mar 2026 17:36:10 GMT

Tool Spotlight Monitoring Open Source Mar 15, 2026

changedetection.io: Self-Hosted Website Change Monitoring with 30k Stars and 203 Releases

A self-hosted tool that watches web pages for changes and sends you alerts via Discord, Slack, Telegram, email, and 80+ other notification channels. Supports visual element selection, browser automation steps, price/restock tracking, JSON API monitoring, PDF changes, and conditional triggers. Docker one-liner to deploy.

dgtlmoon / changedetection.io

Best and simplest tool for website change detection, web page monitoring, and website change alerts.

Python 80.9% HTML 7.6% JavaScript 7.3% ★ 30.7k stars v0.54.4 Apache-2.0 1.7k forks 2,249 commits 125 contributors

There's a surprisingly large category of problems that boil down to "tell me when this web page changes." Price drops on a product you're watching. Government regulatory updates that only appear on a website. Job postings on a company's careers page. A PDF that gets silently updated. Restock alerts. Security advisories. Legal document revisions. The list goes on.

changedetection.io is a self-hosted Python application that solves this with a web UI, a massive notification ecosystem, and support for everything from simple text changes to complex JavaScript-rendered pages behind login walls. With 30.7k stars, 203 releases, and active development, it's the most popular open-source website change monitoring tool available.

// Key Capabilities

👁️

Visual Selector

Point-and-click tool to select exactly which parts of a page to monitor. No need to write CSS selectors or XPath manually.

🤖

Browser Steps

Automate interactions before monitoring: login to sites, click buttons, fill forms, accept cookies, navigate search results.

💰

Price & Restock Tracking

Dedicated mode for product pages. Extracts pricing metadata, tracks price history, alerts on drops, back-in-stock notifications.

🔔

80+ Notification Channels

Discord, Slack, Telegram, email, Teams, webhooks, custom APIs, and everything else via the Apprise library. Jinja2 templating for content.

📊

JSON API Monitoring

Monitor API responses with JSONPath or jq filters. Parse embedded JSON in HTML pages. Conditional logic with jq operators.

📄

PDF Change Detection

Monitor text changes in PDF files, plus track filesize and checksum changes for binary-level detection.

// How It Works

Add URL → Set check interval → Filter (CSS/XPath/JSON) → Detect change → Notify

You add URLs through a web UI running on port 5000, configure how often to check (from minutes to days), optionally set filters to target specific page elements, and configure notification channels. When a change is detected, you get a diff view showing exactly what changed — by word, line, or character. The tool supports both a fast built-in HTTP fetcher and Chrome/Playwright-based fetching for JavaScript-heavy sites.

For more complex scenarios, Browser Steps let you script interactions before the actual monitoring happens: log into a site, navigate to a specific page, fill in search criteria, accept cookie prompts. After the browser steps execute, the Visual Selector lets you pick which elements to watch. This combination handles the common case of monitoring content that's behind authentication or requires navigation to reach.

// Filtering & Triggers

Feature	Description
CSS Selectors	Target specific elements by class, ID, or structure
XPath 1.0 / 2.0	Advanced element selection with regex support via LXML
JSONPath / jq	Filter and restructure JSON API responses with logic operators
Trigger on Text	Only alert when specific text appears or disappears
Ignore Text	Exclude volatile content (timestamps, ad blocks) from diffs
Regex Filters	Regular expression matching for extract and trigger rules
Conditional Actions	Trigger only when price is above/below threshold, keyword present/absent
Scheduling	Timezone-aware schedules, business hours only, weekday/weekend limits

// Deployment

🐳 Docker One-Liner

docker run -d --restart always -p "127.0.0.1:5000:5000" -v datastore-volume:/datastore --name changedetection.io dgtlmoon/changedetection.io

— that's it. Also available via docker compose, pip install, or the hosted SaaS at $8.99/month.

The self-hosted version runs as a single Docker container (or via pip) and stores data in a local volume. For JavaScript-rendered pages, you add a Playwright-based browser container alongside it (included in the docker-compose.yml). The project also supports Raspberry Pi and ARM devices, per-watch proxy configuration, and importing watch lists from Excel files. A Chrome extension lets you add the current page to your monitoring list directly from the browser.

// Use Cases

The project's README lists an extensive set of real-world applications: price drop alerts, restock monitoring, government regulatory updates, job posting tracking, security advisory monitoring, website defacement detection, API response monitoring, RSS feed generation from web changes, PCI compliance monitoring, real estate listing changes, and regulatory compliance (RegTech). The tool is used across industries from network security to aerospace to data journalism.

// Considerations

⚠️ Commercial Licensing

The source code is Apache-2.0 for self-hosting, but there's a separate COMMERCIAL_LICENCE.md that applies if you're reselling the software as part of a commercial arrangement. Review this before integrating into a commercial product.

JavaScript pages need a browser container. The built-in fetcher handles static HTML efficiently, but JavaScript-rendered pages require running a separate Playwright/Chrome container. This increases resource usage and deployment complexity. The SaaS plan includes this out of the box.

Scale considerations. changedetection.io is designed for individual or small-team use. If you're monitoring thousands of URLs at high frequency, you'll need to consider the resource implications — especially with browser-based fetching. There's no built-in distributed architecture for horizontal scaling.

Website terms of service. Automated page monitoring at high frequency can violate some websites' terms of service or trigger rate limiting. The tool includes per-watch proxy support and configurable check intervals, but users should be mindful of the targets they're monitoring.

291 open issues. With 30k+ stars and active usage, there's a substantial backlog of feature requests and bug reports. The project is actively maintained (203 releases, latest March 2026), but the issue count reflects the breadth of use cases people bring to it.

// Bottom Line

changedetection.io fills a need that most people don't realize they have until they need it. The ability to monitor any web page for changes — with visual element selection, browser automation, conditional triggers, and 80+ notification channels — covers an enormous range of practical scenarios. The Docker one-liner deployment and web UI make it accessible to non-technical users, while the XPath/JSONPath/jq filtering, REST API, and proxy configuration serve power users and automation workflows.

At 30.7k stars with 203 releases over active development, it's the clear leader in the self-hosted website monitoring space. Whether you're tracking price drops, monitoring competitor pages, watching for regulatory updates, or building automated workflows triggered by web content changes, changedetection.io is the tool most likely to do what you need out of the box.

GitHub Repository changedetection.io (SaaS)

FreeRDP: The Open-Source RDP Implementation That Powers Linux Remote Desktop

Dark Web Informer — Mon, 16 Mar 2026 17:49:18 GMT

Tool Spotlight Remote Access Open Source Mar 14, 2026

FreeRDP: The Open-Source RDP Implementation That Powers Linux Remote Desktop

A free, Apache-licensed implementation of Microsoft's Remote Desktop Protocol. 15 years of development, 23k+ commits, 419 contributors, and 79 releases. FreeRDP is the RDP library under the hood of Remmina, GNOME Connections, KRDC, and most Linux RDP clients. It's also a standalone client, server, and proxy.

FreeRDP / FreeRDP

FreeRDP is a free remote desktop protocol library and clients

C 87.8% C++ 3.5% CMake 3.1% Obj-C 2.6% ★ 12.9k stars v3.24.0 Apache-2.0 15.3k forks 23,291 commits 419 contributors

Microsoft's Remote Desktop Protocol is the standard for remote access to Windows machines, but Microsoft doesn't provide an official RDP client for Linux, macOS (beyond a basic app), Android, or iOS. That gap has been filled for over 15 years by FreeRDP — an open-source implementation of the full RDP protocol that serves as both a standalone client and a library that other applications build on top of.

If you've ever used Remmina, GNOME Connections, or KRDC to connect to a Windows machine from Linux, you were using FreeRDP under the hood. It's the de facto RDP engine for the non-Windows world, and with 23,291 commits across 419 contributors and 79 releases (latest v3.24.0 in March 2026), it's one of the most actively developed open-source infrastructure projects in the remote desktop space.

// What FreeRDP Provides

📚

libfreerdp (Core Library)

Full RDP protocol implementation as a C library. This is what Remmina, GNOME Connections, KRDC, and other clients link against for their RDP support.

🖥️

Client Implementations

Standalone clients for X11, Wayland (SDL-based), Windows, macOS, iOS, and Android. The SDL3 client is no longer considered experimental as of v3.16.

🔧

Server & Proxy

Shadow server for screen sharing and a proxy server for RDP connection brokering. Enables building custom RDP infrastructure.

⚙️

WinPR (Portable Runtime)

A Windows API compatibility layer that lets FreeRDP's codebase use Windows-style APIs portably across Linux, macOS, and other platforms.

// Protocol Features

FreeRDP implements the RDP protocol comprehensively, including the virtual channel system that handles most of the features users care about in a remote desktop session:

Feature	Description
Clipboard	Bidirectional text, image, and file transfer between local and remote
Audio	Sound redirection from remote to local, plus microphone input
Drive Redirection	Mount local drives on the remote machine for file access
Printer Redirection	Use local printers from the remote session
Smart Card	Smart card authentication passthrough
Multi-Monitor	Span sessions across multiple displays
Graphics Codecs	RemoteFX, GFX pipeline, H.264/AVC, progressive rendering
Gateway	RD Gateway and TS Gateway support for NAT traversal
NLA / TLS	Network Level Authentication and TLS encryption
Serial / Parallel	Legacy port redirection (yes, still maintained)

// Architecture

Client (X11/SDL/Mac/iOS/Android) → libfreerdp → Transport (TCP/TLS/Gateway) → RDP Server

The architecture separates the protocol implementation (libfreerdp) from the client frontends and server implementations. This is what makes FreeRDP useful both as a standalone tool and as a library. The core handles the RDP state machine, PDU processing, virtual channel management, graphics decoding, and security negotiation. Client implementations then just need to handle platform-specific rendering and input.

The codebase is primarily C (87.8%) with C++ for some components, Objective-C for macOS/iOS clients, and Java for the Android client. The build system uses CMake with extensive CI across platforms including ARM, PowerPC, RISC-V, FreeBSD, macOS, and MinGW cross-compilation.

// Platform Support

Platform	Client	Notes
Linux (X11)	xfreerdp	Most mature client, full feature support
Linux (Wayland)	sdl-freerdp	SDL3-based, no longer experimental as of v3.16
Windows	wfreerdp	Native Windows client
macOS	Mac client	Objective-C based
iOS	iOS client	Mobile client
Android	Android client	Java-based, builds updated in v3.13

// The Ecosystem Role

🔗 The RDP Engine for Open Source

FreeRDP isn't just a client — it's the RDP library that most open-source remote desktop tools depend on. Remmina, GNOME Connections, KRDC, Apache Guacamole, and numerous other projects use libfreerdp for their RDP implementation. When these tools support the latest RDP protocol features, it's because FreeRDP implemented them first.

This ecosystem role makes FreeRDP's 15.3k forks less surprising — many of those are downstream projects and Linux distribution maintainers. The 374 watchers reflect infrastructure teams and downstream maintainers tracking the project. With Microsoft's Open Specifications providing the protocol documentation, FreeRDP serves as the open-source bridge that keeps RDP interoperable across platforms.

// Considerations

⚠️ Security Surface

As an RDP implementation, FreeRDP processes complex binary protocol data from potentially untrusted sources. The project has had 134 security advisories over its lifetime. The team maintains an active security policy and responds to vulnerabilities, but users should keep FreeRDP updated — especially on internet-facing deployments.

Configuration complexity. FreeRDP is powerful but not simple. The xfreerdp command-line interface has hundreds of flags and options. Getting the right combination of settings for a specific server configuration (NLA, gateway, graphics mode, redirection) often requires consulting documentation. GUI wrappers like Remmina exist specifically to address this.

Wayland maturity. While the SDL3-based Wayland client graduated from experimental status in v3.16, the X11 client remains significantly more battle-tested. Users on Wayland-only setups may encounter edge cases that don't exist on X11.

Documentation gaps. Despite the project's maturity, documentation can be sparse or outdated for some features. The wiki is the primary resource, supplemented by the API documentation and a FAQ. For advanced use cases, reading the source or asking in the Matrix room is often necessary.

Build complexity. Compiling FreeRDP from source involves a substantial dependency tree (OpenSSL, FFmpeg for H.264, PulseAudio/PipeWire for audio, various X11/Wayland libraries). Most Linux distributions package FreeRDP, but those packages may lag behind the latest release.

// Bottom Line

FreeRDP is one of those foundational open-source projects that quietly powers a massive amount of infrastructure. If you connect to a Windows machine from Linux, there's a very high chance FreeRDP is involved. With 23,291 commits, 419 contributors, and 79 releases over 15 years, it's among the most actively maintained protocol implementations in the open-source ecosystem.

The latest v3.24.0 release (March 2026) continues active development with C23 support, improved SDL3 client, and ongoing protocol feature parity. For sysadmins managing Windows infrastructure from Linux, developers building remote desktop tooling, or anyone who needs cross-platform RDP access, FreeRDP is the project that makes it possible.

GitHub Repository freerdp.com

FBI Watchdog Feed

Dark Web Informer — Mon, 16 Mar 2026 15:58:10 GMT

FBI Watchdog Feed

Alleged Breach of Therapeutes Exposes 71,500 Patient Records and 199,000 Therapy Appointments From French Mental Health Platform

Dark Web Informer — Fri, 13 Mar 2026 16:21:43 GMT

Quick Facts

Date & Time 2026-03-13 09:29:28 UTC

Threat Actor HexDex

Victim Therapeutes.com

Industry Healthcare / Mental Health

Category Data Breach

Alleged Records 71,502 Patients

Appointments 199,697

Unique Emails 95,985

Unique Phones 97,518

Price Make Offer

Network Open Web

Country France

Incident Overview

A threat actor going by HexDex claims to be selling sensitive data from Therapeutes.com, a French online platform that has been connecting users with licensed therapists and mental health professionals since 2013. The platform allows people to find, book, and attend therapy sessions either in person or through video calls, meaning the underlying database contains deeply personal information about individuals seeking mental health support.

What makes this breach particularly concerning is the nature of the data involved. This isn't just emails and phone numbers, the listing explicitly mentions therapy appointment records with consultation and reason fields, which would reveal why individuals sought therapy in the first place. The actor provided the following breakdown:

Patient Records - 71,502 patients with associated personal information.
Appointment Data - 199,697 appointments total, including 56,225 entries with a "consultation" field and 23,492 entries with a "reason" field describing the purpose of the therapy visit.
Contact Data - 95,985 unique email addresses and 97,518 unique phone numbers.
Government Emails - 27 gouv.fr email addresses were identified in the dataset, indicating some French government employees are among those affected.
Samples - The actor provided proof links and a 500-line sample to demonstrate the data's authenticity.

The actor is accepting offers rather than listing a fixed price, and recommends using escrow for secured transactions. Given that this involves healthcare data protected under the EU's GDPR and potentially France's additional health data regulations, the exposure of therapy reasons and consultation details represents a severe privacy risk for affected individuals.

Compromised Data Categories

Patient Records Therapy Appointment Details Consultation Fields Therapy Reason / Purpose Email Addresses Phone Numbers Government Employee Emails (gouv.fr)

Image Preview

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application

Targets vulnerabilities in internet-facing web applications to gain unauthorized access to backend databases and patient records.

Extracts structured data from application databases, pulling patient records, appointment histories, and consultation details from the platform's backend.

T1530 Data from Cloud Storage

Accesses cloud-hosted databases or storage buckets containing user data, appointment records, and sensitive health information.

Collects unique email addresses from the breached database, including government employee accounts (gouv.fr), for resale or targeted attacks.

Uses web platforms and forums to advertise, sample, and distribute stolen healthcare data to potential buyers.

T1078 Valid Accounts

Uses compromised or stolen credentials to gain access to the platform's administrative systems or database infrastructure.

Threat Actor Selling Alleged Databases From Crypto, AI, and Finance Platforms Including MagicSlides, TLDR.Tech, and 365.loans

Dark Web Informer — Fri, 13 Mar 2026 15:47:43 GMT

Quick Facts

Date & Time 2026-03-13 04:28:44 UTC

Threat Actor Sythe

Victims Multiple Platforms

Industry Crypto / AI / Finance

Category Database Sale

Alleged Records ~3.8 Million Emails

Databases Listed 7

Price Contact Seller

Network Open Web

Samples Available via Channel/PM

Incident Overview

A threat actor going by Sythe is advertising the sale of multiple alleged databases spanning cryptocurrency, artificial intelligence, and finance platforms. The actor claims their group has been collecting private data across these sectors and is offering individual databases for purchase, with samples available through their channel or direct messages.

The listing breaks down into three categories with the following databases:

Crypto - BTC.Allo.xyz (91K unique emails), Metaxseed.io (5K unique emails), and YesNoError.com Crypto/AI Database (100K unique emails).
Finance - 365.loans (26K emails) and an unnamed 71K-user ecommerce website.
AI - MagicSlides.App (2.3 million emails), TLDR.Tech (1.2 million emails), and YesNoError.com Crypto/AI Database (100K unique emails).

The two largest databases by far are MagicSlides.App and TLDR.Tech, which are both AI-focused platforms - MagicSlides is a presentation generation tool and TLDR.Tech is a popular technology newsletter. Combined, those two alone account for roughly 3.5 million of the approximately 3.8 million total email addresses being offered. The actor notes that YesNoError.com appears in both the crypto and AI categories, suggesting it straddles both spaces. No pricing was listed publicly; interested buyers are directed to contact the seller directly.

Compromised Data Categories

Email Addresses User Account Data Cryptocurrency Platform Records Financial Service Records AI Platform User Data Ecommerce User Records

Image Preview

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.

MITRE ATT&CK Mapping

Collects email addresses from compromised platforms for resale, enabling phishing campaigns, credential stuffing, and targeted social engineering.

T1078 Valid Accounts

Uses compromised or stolen credentials to gain unauthorized access to platforms and extract user databases.

T1530 Data from Cloud Storage

Accesses and extracts data from cloud-hosted databases and storage services used by SaaS platforms like MagicSlides and TLDR.Tech.

Extracts structured user data from application databases, CRM systems, or internal repositories containing email and account records.

Uses web services and forums to distribute and sell stolen databases, leveraging public platforms for advertising and sample distribution.

T1114 Email Collection

Harvests email addresses and associated account data at scale from multiple platforms, aggregating them for bulk resale.

Alleged Data Leak Exposes 30 Million Colombian Citizens From ICFES National Education Database

Dark Web Informer — Fri, 13 Mar 2026 14:58:50 GMT

Quick Facts

Date & Time 2026-03-13 03:48:06 UTC

Threat Actor CryptoDead

Victim ICFES (Colombia)

Industry Education / Government

Category Data Leak

Alleged Records 30+ Million

Data Size ~100 GB

Motivation Hacktivism / Political

Network Open Web

Price Free (Public Leak)

Incident Overview

A threat actor operating under the alias CryptoDead has allegedly leaked approximately 100GB of data from ICFES (Instituto Colombiano para la Evaluación de la Educación), Colombia's national education testing institute responsible for administering standardized exams like the Saber tests to millions of students across the country.

The actor framed the leak as a politically motivated act of protest, citing frustration with Colombia's healthcare system and calling on Colombian citizens to demand accountability from their government. The post claims the dataset contains personal information on more than 30 million Colombians. Key details from the listing include:

Data Volume - Approximately 100GB of compressed data distributed as a .tar.zst archive, requiring the zstd decompression tool to extract.
Alleged Scope - The actor claims the leak covers more than 30 million Colombian citizens, which would represent a significant portion of the country's population.
Motivation - The leak was explicitly framed as hacktivism, with the actor stating dissatisfaction with the Colombian healthcare system and government leadership as the driving reason.
Distribution - The data was posted freely with a direct download link, not offered for sale, making it immediately accessible to anyone.

ICFES manages education evaluation data for the entire Colombian population that participates in standardized testing, meaning the database likely contains sensitive personal identification details, academic records, and potentially contact information spanning years of test administration. If verified, this would be one of the largest data exposures affecting Colombian citizens.

Compromised Data Categories

Personal Identification Information Education & Academic Records Test Scores & Exam Data Contact Information Demographic Data

Image Preview

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.

MITRE ATT&CK Mapping

T1530 Data from Cloud Storage

Accesses data stored in cloud services or online databases, extracting large volumes of records from centralized storage systems.

T1005 Data from Local System

Collects files and data directly from compromised systems, including database exports and document archives.

T1560 Archive Collected Data

Compresses stolen data into archives before distribution. In this case, a .tar.zst compressed archive was used to package approximately 100GB of data.

T1048 Exfiltration Over Alternative Protocol

Transfers stolen data out of the target environment using channels other than the primary command-and-control connection.