Riding the Wave: Threat Actors Tout Social Security Data to Build Brand, Drive Sales
by Jill Cagliostro

We’ve all been here, trying to “ride the wave” of the current trend or news cycle to stay relevant. Threat actors are no different, with the small exception of malicious intent.
The recent potential Social Security Administration (SSA) data exposure has become a major headline, raising concerns that millions of Social Security numbers (SSNs) may be at risk. ZeroFox has observed a surge in dark web advertisements tied to the alleged leak, with threat actors promoting databases of stolen SSNs and personally identifiable information (PII). While the postings are not verified, the timing shows how quickly cybercriminals exploit headlines to drive interest and sales.
Here, I’ll review what ZeroFox has uncovered about the potential data exposure, and share recommendations to protect yourself against identity theft.
Overview: Potential Exposure of Social Security Administration Data
This week, the news cycles have turned to the potential exposure of Social Security Administration (SSA) data, and the underground (dark web) economy has taken notice. The media cycle about this potential data exposure has put identity theft at the top of many people’s minds, including mine. The truth is, it’s not just Americans watching the headlines, but threat actors as well.
ZeroFox has observed a notable increase between May and July 2025 in dark web actors advertising the sale of U.S. citizen data allegedly procured from the SSA, a trend likely to continue into September. The advertisements follow increases in media coverage of alleged mishandling of SSA data, implying that threat actors may be attempting to leverage the media attention to boost sales of U.S. citizen data on deep and dark web forums.
- On May 21, 2025, untested threat actor “Jack_Back” advertised a U.S. Social Security Administration database for sale, titled “ssa.gov USA fresh data,” on a predominantly English-language deep web forum, claiming the dataset covers December 21, 2024 to March 12, 2025.
- On June 28, 2025, well-regarded threat actor "Nick Diesel" advertised the sale of a collection of 423 million records of U.S. citizens' data on the predominantly Russian-language dark web forum XSS.
- On July 9, 2025, untested threat actor "SSNHUB" advertised the sale of a U.S.-based database containing personally identifiable information (PII) on approximately 4 million individuals on a predominantly English-language deep web forum.
So what? Why This Threat Actor Activity Is Interesting
The key word in all of these reports is “advertised.” When I first started looking into this, I got really excited reviewing the existing ZeroFox Finished Intelligence Reports related to Social Security data. As I dove in further, the story started to get even more interesting because here’s the thing… We all know advertisements tend to stretch the truth, especially as threat actors look for ways to exploit the media coverage and drive sales. At the end of the day, threat actors are simply running a (malicious) business, which includes marketing efforts and riding whatever wave the news cycle brings their way.
What You Should Do to Protect Yourself
To protect yourself from identity theft, follow these simple steps:
- Monitor your credit report. Stay vigilant for any new lines of credit opened or unrequested credit checks.
- Watch for changes to contact information like your address or phone number on key accounts. For example, a threat actor can use the stolen information to impersonate you to companies like banks or credit card companies, taking over your existing accounts and rerouting mailing addresses before ordering a new credit card to their address.
Threat actors may also use purchased stolen personal information to contact you directly and conduct further scams. To avoid falling victim to social engineering attempts in which the attacker reaches out directly, follow these guidelines:
- Do not click links received in text messages (SMS) unless you personally requested the text from a service.
- If a caller is unknown or unexpected, have them provide their name, department, and organization. If they are unwilling to provide this information or become aggressive, it's a scam. If they provide the information, end the call and contact the organization via a phone number featured on an official website, such as their portal.
- Malicious callers may pose security questions to increase their perceived authenticity. Do not divulge personal information to unknown callers.
Investigate SSA Data Exposure with the ZeroFox Platform
Investigate further by running this query in our new Intel Search feature in the ZeroFox platform:
is:advanced_dark_web AND "social security" AND "sale" AND created:>now-180d
This will bring you to a series of Advisories produced by the ZeroFox Intelligence team related to the sale of Social Security data in the deep and dark web. Current ZeroFox customers can explore these advisories further on the platform:
- May 21, 2025 - DarkForums: Alleged Sale of U.S. Social Security Administration Database (Jack_back)
- June 10, 2025 - DarkForums: Actor Advertised Fresh U.S. Social Security Administration Database for Sale (Jack_back)
- July 1, 2025 - XSS: Actor Advertises to Sell 423 Million Records of U.S. Citizens Data Collection (Nick Diesel)
- July 9, 2025 - DarkForums: Threat Actor Advertises 4M-Record U.S. "Fullz" Database (SSNHUB)
If you really want to get into the weeds, you can include results from deep and dark web forums securely from our platform using this query in Intel Search:
(is:advanced_dark_web OR is:dark_web) AND "social security" AND "sale" AND created:>now-180d
If you find something of concern, you can always engage the ZeroFox Intelligence team to investigate further, leveraging our “Request for Intelligence” option.
Learn More About Monitoring and Disruption with ZeroFox
ZeroFox Intelligence continuously monitors the deep and dark web for threats like the Social Security Administration data exposure, giving organizations visibility into emerging risks long before they become headlines. Our analysts track chatter, validate claims, and deliver finished intelligence so security teams can separate fact from hype and act on what truly matters.
Whether it’s an advertised SSA database for sale or a newly exposed trove of stolen SSNs, ZeroFox helps you:
- Detect exposures early by monitoring underground marketplaces and forums.
- Assess credibility of threat actor claims with analyst-vetted intelligence.
- Reduce identity theft risk by responding quickly to emerging threats.
With ZeroFox, you don’t just hear about data exposures after they’ve made the news. You gain preemptive insight into the dark web economy driving them.
Get a demo with ZeroFox Intelligence to learn how we can help your organization investigate, monitor, and disrupt external threats like these.
Jill Cagliostro
Jill Cagliostro is a “Double Jacket,” earning both her bachelor’s and master’s degrees in Computer Science and Cybersecurity from Georgia Tech. She began her career in the Security Operations Center of a large financial institution, where she helped establish its threat intelligence program. Since then, she has held product leadership roles at Anomali, Recorded Future, Splunk, Censys, and DataBee (a Comcast company). Jill now serves as Sr. Director of Product Management at ZeroFox, where she brings enterprise security solutions to market that help organizations stay ahead of emerging threats.