Amazon's Wickr Enterprise Admin API Access and Payment Keys Allegedly Leaked on Hacking Forum
Summary
A threat actor named Orcinusorca claims to have gained access to the production infrastructure of Wickr Enterprise, an AWS-owned secure messaging platform. The actor claims to have obtained production Admin API access, internal API keys, and Braintree production payment keys, and has posted response headers and a JSON snippet as proof. While the potential impact of such a compromise could be severe, especially given Wickr's user base of enterprises and governments, the claims are currently unverified and the actor's forum account is new.
Full text
- Impact: Admin API access
- Type: Access + key leak
- Country: United States
- Actor: Orcinusorca

Post details
- Target: Wickr Enterprise (Amazon AWS)
- Country: United States
- Sector: Technology / Secure Messaging
- Claim: Production Admin API access + leaked keys
- Evidence: Response headers + JSON snippet
- Observed: Jun 11, 2026
- Data dump: None shown
- Actor: Orcinusorca (new account)

What is claimed
- Production Admin API access (claimed)
- Internal API keys (claimed leaked)
- Braintree production payment keys
- AWS internal admin console reference
- Envoy / CloudFront infrastructure detail
- Secure enterprise messaging platform
- No user-data dump shown
- New, unproven forum account

Potential impact
If genuine, access to the production Admin API of a secure enterprise messaging platform, together with leaked internal API keys and production payment-processing keys, would be a serious infrastructure compromise: payment keys could enable fraud, and admin-level access to a product marketed for confidential communications is especially sensitive given its enterprise and government user base. That said, the "proof" shown is limited to response headers and a short JSON snippet, which do not by themselves establish admin control; the account is brand-new, and the framing is grandiose. Claims of this kind are frequently exaggerated. If the access and keys are real the impact could be critical, but as presented it is unverified and warrants caution.

Status
Unverified
The actor posted response headers and a JSON snippet as "proof of access" on an underground forum; the leaked keys and any specific endpoint or host details are not reproduced here. We have not validated the access or the keys, and as a precaution any named keys should be treated as potentially compromised pending review. The claim has not been independently confirmed and Amazon/Wickr has not publicly addressed it.

DARK WEB INFORMER - THREAT INTELLIGENCE
Indicators of Compromise
- domain — wickr.com