Daily Dose of Dark Web Informer - April 30th, 2026
Dark Web Informer daily digest reports multiple breaches, threat actor recruitment, and new vulnerabilities across
Summary
A daily dark web threat intelligence digest aggregates multiple reported breaches, threat actor activities, and vulnerability disclosures from April 30, 2026. Incidents include compromises of Brazilian payment gateway Creedx/MonsterGateway, Venezuelan telecom Movilnet, Vietnamese hotel software ezCloud, Mexican port security system, and Saudi logistics firm SMSA Express, alongside threat actor recruitment for initial access brokers and sales of exploits and bulletproof hosting services.
Full text
Dark Web Informer — Daily Threat Intelligence Digest
📌 Legend
- 📰 Law Enforcement — LEA updates, investigations
- ⚠️ Dark Web Notices — forums, markets, announcements
- ❗️ Urgent Threats — breaches, ransomware, vulnerabilities
- 💡 Insights & Tools — guides, OSINT, learning resources
- 🔒 Subscribers Only — X/Twitter subscribe
🧾 Today's Intelligence
Threat Intelligence
- ❗️ Threat Actor 0056113 Selling Compromised Law-Enforcement Emails and EDR-as-a-Service for Fraudulent Emergency Data Requests (FREE)
- 📰 Hacker Ring Busted in Lviv Oblast After Stealing Gaming Accounts and Selling Them in Russia for Nearly UAH 10 Million (FREE)
X/Twitter Updates
- ❗️ cPanel just released a critical security vulnerability notification.
- ❗️ Creedx / MonsterGateway, a Brazilian white-label payment gateway supporting PIX, Boleto, and Credit Card transactions, has allegedly been fully breached on a popular cybercrime forum. The actor claims a complete takeover of the main Supabase CRM serving approximately 30
- ❗️ Movilnet, Venezuela's state-owned mobile telecommunications operator, has allegedly been breached, with 200,000 phone numbers and associated subscriber data leaked. The actor states this is part of an ongoing coordinated campaign against Venezuela carried out with Team
- ❗️ Preparafaculdade, a large Brazilian educational platform used for pre-vestibular and faculdade preparation courses across multiple units, has allegedly been breached, with a 3.6 GB full database dump put up for sale.
- ❗️ Bordeaux Métropole's tourist tax (taxe de séjour) system has allegedly been breached, with a partial database covering 11,000 lodging records leaked.
- ❗️ Puerto Inteligente Seguro (PIS), a Mexican government program under the Administración del Sistema Portuario Nacional (Marina) covering port security and management, has allegedly been breached, with a complete database put up for sale.
- ❗️ 1/2 ezCloud (http://ezcloud.vn), the first Vietnamese company to provide hotel management software solutions, has allegedly been breached, with 55.8 GB of data including 1.5M+ guest records and worldwide passport scans put up for sale.
- ❗️ Aman Resorts and Vimeo have been leaked by "ShinyHunters"
- ❗️ A service called http://offshore.lc is being advertised on a popular cybercrime forum as bulletproof hosting marketed to threat actors, offering VPS/RDP, dedicated servers, and shared hosting with anonymous signup, no KYC, and crypto-only payments. The seller markets the
- ❗️ A threat actor is selling a "domain suspension service" and a methodology kit on a popular cybercrime forum, advertising the ability to forcibly take down arbitrary domains, including .com, .net, .org, .io, and .ai, by abusing registrar abuse-reporting and legal-takedown
- ❗️ A Russian-speaking threat actor group is recruiting an Initial Access Broker (IAB) to supply corporate network access on an ongoing basis. The group advertises that they operate "by date, without a locker," meaning they exfiltrate data and extort victims without deploying
- 💡 I'm releasing the offline viewer for the Telegram Scraper with Forwarder 2 days early. The only issue you may see using it is performance if adding many chats and lots of media. Also the viewer was partially vibe coded and again, idgaf. Work smarter, not harder.
- ❗️ A threat actor is selling a previously unpatched cPanel information disclosure vulnerability that allegedly exposes website login data, including panel and site link, username, and password. The seller claims this is a follow-up vulnerability discovered after the patching of
- ❗️ Copy Fail (CVE-2026-31431) is a Linux privilege escalation bug that lets any local user get root using a 732-byte Python script, and it works on basically every major Linux distro shipped since 2017.
- ❗️ SMSA Express, a Saudi Arabian logistics and shipping company providing domestic and international parcel delivery, has allegedly been breached, with 1,202,891 customer shipment records put up for sale.
Indicators of Compromise
- url — http://ezcloud.vn
- url — http://offshore.lc
- cve — CVE-2026-31431
- malware — Telegram Scraper with Forwarder