The Underground Economist: Volume 5, Issue 10
by ZeroFox Intelligence

Alleged Network Access Associated with U.S. and Chinese Institutions Advertised on DarkForums
On May 19, 2025, actor “shine” posted in the deep and dark web (DDW) forum DarkForums, advertising access to an unspecified U.S. government organization with an alleged annual revenue of USD 80 billion. According to the advertisement, the remote code execution (RCE) is enabled via a custom script.
- Shine is a newly-registered user on DarkForums, having joined in May 2025; they stated in the post that they are offering network access for fixed prices and are not interested in profit-sharing deals, providing only initial access services.
- ZeroFox has observed an increase in activity and traffic on the DarkForums platform since the DDW site BreachForums went offline on April 15, 2025; it has remained unavailable as of the writing of this report.
Later on the same day, shine advertised network access to five additional, allegedly compromised entities and included some minimal detail as to the nature of the access available:
- U.S. Municipal Government in California – RCE
- U.S. Local Bank – RCE
- Chinese Ministry Website – Secure Shell (SSH) Access
- Chinese Furniture Company – Domain Admin Access
- Hong Kong Executive Government Entity – RCE
Shine’s previous activity in DarkForums is limited with no established reputation observed, rendering the actor’s reliability and that of their services unclear as of the writing of this report. It is likely that shine was active on BreachForums prior to its recent disruption, with many actors seemingly perceiving DarkForums as the most lucrative and convenient alternative.
Advertisements implicating both alleged China-based and Western-based entities are rarely observed within DDW forums. While China-based entities are not considered “off-limits” in the majority of forums—in part due to them not falling within the category of Commonwealth of Independent States (CIS), the targeting of which is often forbidden—the majority of network compromises observed implicate Western targets. The inclusion of both is very likely indicative of shine’s financial motivations, with a roughly even chance that the actor is not Russia-based.
Salt Typhoon Data Advertised on DarkForums
On May 18, 2025, actor “ChinaBob” advertised the sale of files allegedly containing data associated with several companies that have previously leveraged the services of “Salt Typhoon” on the DDW forum DarkForums. A price for the data was not advertised, with ChinaBob instead requesting that interested parties contact them directly. ChinaBob is new to DarkForums, having joined in May 2025, and as such has a limited—albeit positive—reputation. As of the writing of this report, the data has allegedly been sold to an unspecified buyer.
- Salt Typhoon is an advanced persistent threat (APT) group that almost certainly is closely associated with China's Ministry of State Security (MSS). The collective has previously been linked to several high-profile cyber incidents targeting well-known companies, including Verizon, AT&T, and T-Mobile.
- In the post, ChinaBob provided sample data of the victim organizations, accessible via two GoFile download links. Using these links, ZeroFox obtained images seemingly depicting both stolen customer data and a configuration file from a compromised router.
The data available for purchase allegedly contains personally identifiable information (PII)—including employee names, phone numbers, email addresses, and passwords—as well as internal communications between employees and officials “under investigation”, though it is not clear to what these investigations pertain. ChinaBob provided a list of organizations that have allegedly acquired the services of Salt Typhoon, which includes the following:
- People's Liberation Army of China, Unit 61419
- Unit 152 (unclear what this refers to)
- Unit 0718 (unclear what this refers to)
- Beijing Foreign Service Office, Room 3
- Qinghai 9711 Institute
- Chengdu Bureau of Economy and Information Technology
- Qi'anxin Legendsec Information Technology (Beijing) Co., Ltd.
- Beijing Integrity Technology Group Co., Ltd.
- Beijing Jingyuan Shengda Information Technology Co., Ltd.
- Beijing VenusTech Information Security Technology Co., Ltd.
- Institute of Information Engineering, Chinese Academy of Sciences
- Granpect Co., Ltd.
- Yu Yang
- Beijing Huanyu Tianqiong Information Technology Co., Ltd.
The specific relationship between the organizations listed by ChinaBob and Salt Typhoon is unclear as of the writing of this report. However, there is a likely chance that the listed organizations—many of which are public or semi-public—have previously sought the services of Salt Typhoon, likely in the pursuit of corporate espionage or other intelligence-gathering initiatives against unknown targets.
If the data for sale is as advertised, it is very likely to appeal to an array of actors, including government intelligence organizations and rival corporations, as well as financially motivated actors seeking to conduct digital extortion activity.
Access to Israeli Internet Exchange Advertised on xss
On May 13, 2025, newly registered actor “HAX0RTeam” posted in the Russian-speaking dark web forum xss advertising alleged unauthorized network access to the Israeli Internet Exchange (IIX) for a notably high price of USD 150,000. No specific technical details about the access were disclosed in the post.
- The IIX is a critical internet exchange point (IXP) that facilitates the direct exchange of Israeli internet traffic between internet service providers (ISPs), content delivery networks (CDNs), and other network operators within the country.
- On October 7, 2023, Hamas launched an attack on Israel which led to a major escalation of conflict in Gaza that, despite various ceasefires, is ongoing.
- On May 19, 2025, Israeli Prime Minister Benjamin Netanyahu announced plans to take control of the entire Gaza Strip, a move that has been condemned by countries such as the United Kingdom, France, and Canada.
HAX0RTeam claimed in the post that the access would enable potential buyers to:
- Intercept sensitive communications between Israeli government agencies, institutions, and influential organizations
- Obtain valuable intelligence on internal operations
- Manipulate and redirect traffic to exfiltrate data, conduct espionage, or deploy malware
- Launch targeted attacks against critical Israeli infrastructure
- Steal intellectual property, financial data, or other sensitive information
- Disrupt essential infrastructure and services
- Enable further exploitation and deep infiltration
Notably, the advertisement is HAX0RTeam’s first and only post, having joined the forum on May 11, 2025. ZeroFox has not observed the threat actor’s name in other known forums, though it is a common alias within hacker communities and is often linked to the "1337" (Leet) culture, which strongly suggests that the user has historical connections in the hacker community.
- The xss forum imposes strict protocols for new-user registrations to prevent previous users from returning after being banned, eliminate users who do not meaningfully contribute, facilitate trust between buyers and sellers, and mitigate scraping by cyber threat intelligence companies.
It is likely that HAX0RTeam was able to establish an account on the forum by either contacting the administrators directly, with an exception being made due to the prominence of the advertisement, or by being vouched for by existing and reputable members.
HAX0RTeam’s claims about the types of subsequent exploitation that could be conducted by buyers are extremely varied in nature. Further, they seemingly omit any mention of the significant technical expertise that would very likely be required to achieve them—even once in possession of the network access. As such, this access is likely to appeal primarily to entities in possession of the knowledge, tools, and funds necessary to deploy information-stealing malware or conduct Man-in-the-Middle (MitM) or session hijacking activity. Despite HAX0RTeam’s offering, the theft of “sensitive communications between Israeli government agencies” would likely be significantly more difficult to achieve, as such traffic is commonly encrypted end to end and frequently carried over closed networks that do not transit a public exchange.
Actor Seemingly Claims Responsibility for Recent Breaches
A prominent and well-regarded threat actor known as both “Machine1337” and “EnergyWeaponUser” has claimed responsibility for at least seven recent cyberattacks within both the primarily Russian-speaking dark web forum xss and the actor’s Telegram channel.
- Machine1337 is a likely English-speaking threat actor that first registered on the xss forum in January 2024. Based on the actor’s history, it is likely that Machine1337 is or has been associated with several prominent threat actors including, but not limited to, “IntelBroker” and “Zjj”.
- In October 2024, Machine1337 and IntelBroker were almost certainly involved in a prominent network breach of the U.S.-based digital communications organization Cisco.
- As of the writing of this report, Machine1337 has been banned from xss for seven days ending May 22, 2025. According to a moderator notice, the account was banned for “spam activity” following several posts.
On May 14, 2025, Machine1337 posted in xss, claiming to have obtained data stolen from numerous technology companies based in the United States and China. According to the actor’s post, the breaches vary in extent and the type of data stolen, with limited samples made available. All of the alleged breaches seemingly took place between February and May 2025.
The actor alleged that the U.S.-based technology giant Apple Inc. suffered a “data breach and load to the exposure of some of their internal tools.” The extent of the breach is not specified, though Machine1337 provided a link to a supposed data sample of 3,000 records. The post gained minimal traction in the xss forum, and some users reported that the link provided to sample data does not function. The allegedly stolen data is available for a purchase price of USD 5,000.
U.S.-based technology organization Steam allegedly suffered a data breach comprising 89 million user records, one-time access codes, and user phone numbers, which is also available for USD 5,000. Steam issued a statement claiming that the stolen data cannot be linked to other PII and that the breach remains under investigation. Machine1337’s post gained some traction from fellow xss users, many of whom are claiming the sample data is inaccessible.
- Reporting suggests the incident may be the result of a supply-chain compromise implicating cloud communications organization Twilio, which has publicly denied these claims. In April 2025, an actor named “Satanic” advertised an alleged Twilio data breach in the hacking forum BreachForums, though the claims remain unsubstantiated.
U.S.-based social media company and instant messaging app Snapchat was also allegedly breached, resulting in five million records being stolen; these are available for USD 2,000. Machine1337 does not specify the type of user data stolen but offers a data sample comprising 3,000 records.
China-based technology companies Huawei and Temu were also allegedly victims of a breach. ZeroFox has not observed any public statement from either organization, and the correlating xss threads gained very little traction.
- Machine1337 is offering 129 million unspecified records they claim were stolen from Huawei, which are available for USD 20,000. A sample of 3,000 records was made available for download.
- The actor is also advertising 17 million unspecified records allegedly stolen from Temu for USD 5,000. A sample of 3,000 records was made available for download.
Separately, on May 15, 2025, the U.S.-based cryptocurrency exchange platform Coinbase released a statement acknowledging a recent breach resulting in stolen customer data, which was subsequently leveraged to facilitate social engineering attacks. The attackers reportedly attempted to extort Coinbase for USD 20 million, which was not paid.
- Coinbase alleges that the compromise was facilitated by an unnamed threat actor that bribed customer support agents, offering financial incentive in exchange for “copied data from Coinbase’s customer support tools.” The stolen information reportedly resulted in users mistakenly sending funds to the attackers.
The data extracted by the attacker reportedly includes PII, masked Social Security numbers, government ID images, Coinbase user transaction history, and masked bank account information.
- Coinbase also asserted it will be investing more resources into insider-threat detection, security threat simulation, and automated responses to prevent future incidents.
Coinbase confirmed via its statement that login credentials, private keys, and access to customer wallets were not impacted by the breach. However, if leaked, the impacted data would likely afford actors the ability to conduct further social engineering campaigns targeting Coinbase users. Such subsequent attacks would likely leverage Coinbase customers’ PII to impersonate official communications and manipulate users into sharing passwords and multifactor authentication codes or transferring assets into the possession of malicious actors.
On May 15, 2025, ZeroFox observed that Machine1337 posted a message on their Telegram channel that stated “CoinBase: Coming soon”. The image included in the post contained several messages in Spanish, along with password reset URLs associated with Coinbase. The messages, translated from Spanish, were:
- “Reset your Coinbase password via this link:”
- “Your Coinbase password has been changed. If you haven't changed it yourself, please call +1 (888) 908-7930 to automatically lock your account.”
The meaning and context for the inclusion of these messages are unclear as of the writing of this report, and they do not provide evidence of Machine1337’s involvement in a compromise of Coinbase. However, they do allude to a possible connection between Machine1337 and this recent incident, which has yet to be officially claimed by any threat actor or group.
There is a roughly even chance that the password reset messaging alludes to misleading communications that could be deployed against Coinbase users during targeted social engineering campaigns, resulting in victims interacting with malicious links that they believe to have originated from official Coinbase platforms.
It is likely that Machine1337 is involved, to an unknown extent, in the Coinbase data breach. If this is the case, there is a likely chance that subsequent information will be posted to the actor’s Telegram channel or xss account in the coming days claiming responsibility for the breach, seeking collaborators, or offering associated data for sale.
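The password-reset lures described above are the kind of message that can be triaged mechanically before it reaches a user. The following is an added example written for this report, not code from ZeroFox, Coinbase, or the actor; it assumes a hypothetical allow-list of hosts that a genuine Coinbase reset link may use and a mail gateway that writes an Authentication-Results header. Both sample messages are constructed for the example (the lure text is an English paraphrase of the Spanish messages quoted above, and the lookalike domain is invented). It flags any reset link whose host is not exactly an allowed brand host, which defeats the common trick of placing the brand name in a subdomain or userinfo, and it requires an aligned DMARC pass before treating the mail as genuine.

```python
"""Triage a suspected Coinbase-impersonation e-mail (added example, not
the report's or Coinbase's own tooling).

Two checks are applied:
  1. every http(s) link in the body must point at an allowed brand host;
  2. the gateway's Authentication-Results header must show dmarc=pass
     aligned with the brand domain.
Either failure yields a "block" verdict.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list: the only hosts a genuine reset link may use.
BRAND_DOMAIN = "coinbase.com"
ALLOWED_HOSTS = {"coinbase.com", "www.coinbase.com", "login.coinbase.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_is_legitimate(url: str) -> bool:
    """True only if the link's host is exactly one of the allowed hosts.

    A suffix or substring test ("coinbase.com" in host) would accept
    coinbase.com.account-verify.example, and a naive parse would accept
    http://coinbase.com@evil.example/, so we compare the parsed hostname
    against the allow-list as a whole string.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


def dmarc_passed(msg, domain: str = BRAND_DOMAIN) -> bool:
    """True if the Authentication-Results header records an aligned DMARC pass.

    Assumes the header was written by your own receiving MTA; headers
    supplied by the sender must be stripped at the boundary or they can be
    forged.
    """
    header = str(msg.get("Authentication-Results", ""))
    result = re.search(r"\bdmarc=(\w+)", header, re.I)
    aligned = re.search(r"header\.from=([\w.-]+)", header, re.I)
    return (
        result is not None
        and result.group(1).lower() == "pass"
        and aligned is not None
        and aligned.group(1).lower() == domain
    )


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    links = URL_RE.findall(text)
    suspicious = [u for u in links if not link_is_legitimate(u)]
    passed = dmarc_passed(msg)
    return {
        "from_domain": parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower(),
        "links": links,
        "suspicious_links": suspicious,
        "dmarc_pass": passed,
        "verdict": "allow" if passed and not suspicious else "block",
    }


# Constructed sample 1: the lure, with a spoofed From and a lookalike host.
PHISH = b"""From: "Coinbase" <support@coinbase.com>
To: victim@example.org
Subject: Your Coinbase password has been changed
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=coinbase.com; dkim=none; dmarc=fail (p=REJECT) header.from=coinbase.com
Content-Type: text/plain; charset=us-ascii

Reset your Coinbase password via this link:
https://coinbase.com.account-verify.example/reset?token=abc123
"""

# Constructed sample 2: a message that would pass both checks.
LEGIT = b"""From: "Coinbase" <no-reply@coinbase.com>
To: user@example.org
Subject: Password reset requested
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=coinbase.com; dkim=pass header.d=coinbase.com; dmarc=pass (p=REJECT) header.from=coinbase.com
Content-Type: text/plain; charset=us-ascii

Reset your password here: https://www.coinbase.com/reset
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(sample)["verdict"])
```

The hostname comparison is deliberately exact rather than suffix-based; if the allow-list must cover arbitrary brand subdomains, resolve the registrable domain with a public-suffix library instead of string matching. The DMARC check is only meaningful if the gateway strips inbound Authentication-Results headers it did not write itself.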
ZeroFox Intelligence Recommendations
- Develop a comprehensive incident response strategy.
- Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Proactively monitor for compromised accounts and credentials being brokered in DDW forums.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
Scope Note
ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 9:00 AM (EDT) on May 22, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
Appendix: ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
Tags: Threat Intelligence