deepdarkCTI

  • Interview #10 diencracked (BreachForums owner)

    May 15, 2026
    Interviews

    The following interview, which we publish in full, was conducted in May 2026 by me, fastfire. “BreachForums” (often referred to as “Breached”) is an English-language cybercriminal forum. It functioned as a clear-net marketplace and platform for threat actors to trade stolen databases, tools, access credentials, and other illicit services. A few days ago, the forum…

  • Interview #9 MedusaLocker

    May 11, 2026
    Interviews

    The following interview, which we publish in full, was conducted in May 2026 by Erez, a member of the deepdarkCTI community. The MedusaLocker ransomware gang is a persistent cybercriminal operation first observed in late 2019. It operates primarily as a Ransomware-as-a-Service (RaaS) model, where developers provide the malware to affiliates in exchange for a percentage…

  • Handala and the release of strategic information regarding Israeli organizations

    March 11, 2026
    Threat Intelligence General

    In recent days, the Handala group has publicly released information regarding more than 180 profiles associated with the Israeli Air Force and other strategic organizations/sectors. Who is Handala? Handala (also known as Handala Hack Team, Hatef, and Hamsa) is a pro-Iran hacktivist persona that has been active since at least December 2023. The group is…

  • Interview #8 Benzona

    December 24, 2025
    Interviews

    The following interview, which we publish in full, was conducted in December 2025 by Erez, a member of the deepdarkCTI community. The Benzona ransomware gang is a cybercriminal entity employing a double-extortion model, which involves both encrypting victims’ files and exfiltrating sensitive data with threats of public release should the ransom not be paid. Upon…

  • Interview #7 Cyber Toufan

    September 3, 2025
    Interviews

    Here we present an interview with Gabi, a member of the Cyber Toufan team. We contacted Gabi on Telegram and shared a list of questions, which we make available here in full. This team, active since October 2024, has published details of 13 operations it has conducted against Israeli targets on its website since late…

  • Details of the alleged XSS forum seizure

    August 4, 2025
    Threat Intelligence General

    In this timeline (currently being updated) we show the main events related to the alleged seizure of the XSS underground forum. In addition, here you can find an analysis of the moderators present on the date of the alleged seizure and their latest activities performed on the forum (updated to July 24, 2025). Links to…

  • Interview #6 Devman

    July 15, 2025
    Interviews

    The following interview, which we publish in full, was conducted in July 2025 by Erez, a member of the deepdarkCTI community. Q (Erez): Devman first appeared in April 2025 and, only two months later, released Devman 2, what drove that rapid evolution and which lessons from version 1 pushed you to move so quickly to version…

  • Interview #5 Exodus Market founder

    June 10, 2025
    Interviews

    We interviewed Se7en, the founder of Exodus Market, a platform for selling infostealer logs. This market, active for almost a year, has been expanding its business in recent months and is becoming an increasingly popular alternative to what is currently the most popular market, Russian Market. The market, accessible at the URLs indicated within our…

  • Interview #4 GhostSec – attacks on Macedonian targets

    June 5, 2025
    Interviews

    On June 3, a message appeared on the Threat Actor GhostSec channel accusing an Italian company (which was not named) that had requested the group to carry out offensive activities against Macedonian government targets. The company that requested the activity later refused to pay for the services that had been agreed upon, and so GhostSec…

  • Interview #3 Lockbit

    March 15, 2025
    Interviews

    The following interview, which we publish in full, was conducted in December 2024 by Erez, a member of the deepdarkCTI community. Q (Erez): Lockbit has been one of the most resilient ransomware groups despite numerous disruptions. How do you maintain operational secrecy and continuity in the face of global law enforcement efforts like Operation Cronos? A (Lockbit):…
