
The Underground Economist: Volume 5, Issue 24

by ZeroFox Intelligence

Unnamed U.S. Tax Preparation Software Company Access for Sale

On December 3, 2025, the threat actor known as “manoleta” posted on the dark web forum Exploit, advertising employee access to an unnamed tax preparation software corporation. Manoleta listed the access for auction starting at USD 5,000 with a minimum bid increment of USD 1,000, or purchasable outright for USD 8,000. The seller included images from the company’s software and dialer in the post, likely as proof of access.

  • According to manoleta, the tax prep software company is among the top five in the U.S. market, which will likely attract a host of financially motivated threat actors and those seeking to conduct social engineering campaigns with the data acquired.
  • Manoleta first joined the Exploit forum in February 2025 and has garnered a positive reaction score of one, which likely lends credibility to the actor’s advertisement.

Manoleta claims that the insider access includes access to tax information about customers and tax professionals, Employer Identification Number/Electronic Filing Identification Number (EIN/EFIN), tax forms, tax return documents, bank products, and tax refunds. The seller also claims to have access to the company’s Customer Relationship Management (CRM) platform, which likely includes recorded phone calls containing sensitive personally identifiable information (PII). In addition, the buyer would also allegedly receive:

  • Access to the company’s dialer and email system, enabling them to send custom emails and call customers using the company’s number and email;
  • Access to customers’ accounts and routing numbers;
  • A “private” access originating from a previous legitimate job that is not shared with others;
  • Access to resources of a company that directly competes with firms like TaxAct, Drake, and TaxSlayer; and
  • The ability to create new accounts with credit cards and send valid tax forms to the Internal Revenue Service (IRS).

The upcoming U.S. tax season is typically a time of increased fraud activity on the deep and dark web (DDW). Tax fraud remains a common practice among cybercriminals, and ZeroFox assesses that, if legitimate, the access advertised in manoleta’s post is likely to allow fraudsters to exfiltrate and manipulate large volumes of sensitive tax data and other PII. Such data would almost certainly be used in social engineering campaigns—particularly spear phishing attacks and impersonations.

WhatsApp Look-up Service Advertised on Dark Web

On November 24, 2025, an actor known as “NikolaiHell” advertised a service called Advanced Communication Network Analysis (ACNA) on the Exploit dark web forum. The offering is essentially a WhatsApp look-up service that claims to provide a full CSV file of a target phone number’s entire contact network. The price for the service ranges from USD 650–3,000, depending on the number of contacts.

According to NikolaiHell, the information provided by the service is valuable for collecting intelligence on competitors that regularly conduct business over WhatsApp. Buyers must provide a single query for a seed phone number, and ACNA will reportedly provide:

  • All contact list entries associated with the number
  • All numbers that sent messages to the target (even if not saved)
  • All numbers that received messages from the target (even if not saved)

Additionally, the service reportedly provides solutions for users banned on WhatsApp, Instagram, TikTok, or Facebook. It is likely that NikolaiHell is exfiltrating data and manipulating statuses on social media platforms and WhatsApp through insiders or compromised access to management accounts.

NikolaiHell is a registered user on the Exploit forum with a very solid reputation, indicating that this offering is likely legitimate and works as advertised. WhatsApp look-up and scraping services are common in law enforcement and intelligence, so it is almost certain that actors in the underground economy would seek to duplicate this capability.

Reputed Threat Actor Claims Top Secret Leak of U.S. Navy Documents

On November 24, 2025, well-known threat actor “jrintel” claimed in a DarkForums post to have accessed “top secret” U.S. Navy blueprints of the Arleigh Burke-Class destroyer. Jrintel shared a 2.3 MB file that appeared to show the schematics of MK 46 and MK 50 torpedoes. It is unclear whether the shared file is a sample of the leaked documents or the complete leak.

  • The 2.3 MB file was shared free-of-charge, and the post did not specify further leaks, suggesting it is not a sample before the main leak. The post also included contact links via Telegram and Session. The post has received reactions from other users of DarkForums (mostly comments thanking jrintel).
  • Jrintel joined DarkForums in August 2025 and has a positive reputation. The actor is known for advertising government and military information on dark web platforms and claiming it is “top secret.”
  • In November 2025, jrintel advertised for sale allegedly classified files related to the Barak-8 missile system used by Israel and India, as well as documents about a U.S. unmanned aerial vehicle (UAV).

The U.S. Navy has not publicly acknowledged any data breach related to the torpedo schematics, but the documents appear to be legitimate. Some of the information in the schematics, including stowage chock alignment, would almost certainly be classified at least “Secret” due to the sensitive nature of weapon systems transport procedures. The schematics provided are likely not available from public sources.

MK 46 torpedoes are widely exported and used by militaries worldwide, suggesting there is a roughly even chance that jrintel sourced the schematics from non-U.S. military sources.

  • It is also possible, though less likely, that jrintel’s information is the result of a cyber intrusion and data breach involving private military contractors working with the U.S. military.

The post and its contents are likely to be of interest to geopolitically motivated actors and foreign adversaries of the United States. Jrintel is likely to have shared the information free-of-charge to attract interest and garner a positive reputation as a legitimate broker of government and defense-related information.

Initial Network Access to U.S. Financial Institutions Advertised for Sale on Dark Web

On November 19, 2025, an actor using the alias “luckdaniel” posted on the dark web forum RAMP, advertising one of the most expensive initial network accesses ever observed on the DDW. According to the post, the target is an undisclosed U.S. financial institution, and the price of the access is USD 1 million.

  • On November 21, 2025, luckdaniel provided an update on their post, stating that they could provide proof to the forum administrators. Again, they reiterated that they would not deal with users who had not demonstrated a strong reputation on the DDW.
  • Luckdaniel joined RAMP in April 2023 and has conducted very little activity on the forum since then; therefore, ZeroFox cannot determine the credibility of the actor at the time of writing.

Luckdaniel emphasized that security researchers and undercover agencies are strictly prohibited from acquiring the access and that any further negotiations with a potential buyer are to be conducted through private messaging via Tox. In the post, luckdaniel claims that the access has “endless capabilities” for any credible threat actor, which, given the sale price, implies that the offering provides:

  • High-privilege and persistent access—likely domain administrator (DA) or enterprise admin-level;
  • Access to internal financial systems, such as internal banking applications or payment processing systems;
  • Access to privileged data, such as PII and internal emails and communications; and
  • Ransomware deployment capability.

Due to the substantial price of USD 1 million and the target being a U.S. financial institution, the advertisement is very likely to gain significant interest and traction on RAMP among financially motivated threat actors. If the access described is accurate, it is likely to provide threat actors with an array of significant malicious capabilities, which almost certainly would cause significant disruption to victim institutions and their clients.

Recommendations

  • Develop a comprehensive incident response strategy.
  • Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
  • Implement network segmentation to separate resources by sensitivity and/or function.
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
  • Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
  • Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
  • Proactively monitor for compromised accounts and credentials being brokered in DDW forums.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
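The email-authentication recommendation above is the one most organizations can verify for themselves in minutes. The following script is an added example and not part of the ZeroFox report: it grades SPF and DMARC TXT records for the weaknesses that make spoofing a company’s sending domain easy (a permissive `+all` or `?all` in SPF, a monitor-only `p=none` DMARC policy, partial `pct=` enforcement, or no aggregate-report address). The sample records and domain names are constructed for the demonstration; in practice the records would be fetched for your own domains with a DNS resolver.

```python
import re

# Constructed sample TXT records (not from the original page). "weak.example"
# shows the typical monitor-only setup; "hardened.example" shows an enforced one.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@hardened.example",
    },
}

ALL_MECHANISM = re.compile(r"^([+\-~?]?)all$")


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return a list of findings for an SPF record; an empty list means nothing weak found."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["no valid SPF record (v=spf1) published"]
    # Only the 'all' mechanism decides what happens to unlisted senders.
    matches = [ALL_MECHANISM.match(t) for t in record.lower().split()]
    all_terms = [m for m in matches if m]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism; unlisted senders get a neutral result")
        return findings
    qualifier = all_terms[-1].group(1) or "+"  # bare 'all' means '+all'
    if qualifier == "+":
        findings.append("SPF ends with '+all': any host may send as this domain")
    elif qualifier == "?":
        findings.append("SPF ends with '?all': neutral result, no protection")
    elif qualifier == "~":
        findings.append("SPF ends with '~all' (softfail); prefer '-all' once DMARC is enforced")
    return findings


def assess_dmarc(record: str) -> list:
    """Return a list of findings for a DMARC record; an empty list means enforcement is in place."""
    findings = []
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record (v=DMARC1) published"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    elif policy != "reject":
        findings.append(f"DMARC policy '{policy or 'missing'}' is invalid; receivers ignore the record")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address: spoofing attempts go unnoticed")
    return findings


def assess_domain(name: str, records: dict = SAMPLE_RECORDS) -> dict:
    """Grade one domain's SPF and DMARC records from the supplied record set."""
    entry = records.get(name, {})
    return {"spf": assess_spf(entry.get("spf", "")), "dmarc": assess_dmarc(entry.get("dmarc", ""))}


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        result = assess_domain(domain)
        print(domain, "->", result if any(result.values()) else "OK")
```

Running the script prints one finding for each of the weak domain’s records and `OK` for the hardened one. Moving a domain from `p=none` to `p=reject` should be done only after the aggregate reports (`rua=`) confirm that every legitimate sender passes SPF or DKIM alignment; otherwise the organization’s own mail is what gets rejected.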

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 10:30 AM (EST) on December 4, 2025; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.

