Vulta Intelligence Launches as Credential Lookup Service With 14.2 Billion Indexed Records, Telegram Bot, and Pay-Per-Query ULP Extraction

Summary

A threat actor operating as vultapower has launched Vulta Intelligence, a pay-per-query credential extraction service offering searchable access to 14.2 billion stolen credentials in URL:Login:Password format sourced from infostealer logs and combolists. The service is accessible via Telegram bot (@VULTABOT) and web portal (vulta.pw), with real-time synchronization and instant delivery of extracted credentials at $0.50 per 1,000 lines. The offering enables large-scale credential stuffing and account takeover attacks against any domain or service.

Full text

Dark Web Informer - Cyber Threat Intelligence Vulta Intelligence Launches as Credential Lookup Service With 14.2 Billion Indexed Records, Telegram Bot, and Pay-Per-Query ULP Extraction April 1, 2026 - 12:47:00 AM UTC N/A Cybercrime Service Standalone API Access Now Available High-volume threat-intelligence data, automated ingestion endpoints, ransomware feeds, IOC data, and more. View API Unlock Exclusive Cyber Threat Intelligence Powered by DarkWebInformer.com Stay ahead of cyber threats with real-time breach tracking, expert analysis, and high quality evidence - built for security professionals, researchers, journalists, and everyday people who take their privacy seriously. Subscribe Now Quick Facts Date & Time 2026-04-01 00:47:00 UTC Threat Actor vultapower Service Name Vulta Intelligence Category Credential Lookup Service Indexed Records 14.2 Billion Data Format URL:Login:Password (ULP) Pricing $0.50 / 1,000 Lines Payment Crypto Access Methods Telegram Bot + Web Dashboard Network Open Web Incident Overview A threat actor going by vultapower has launched Vulta Intelligence, a credential lookup and extraction service that claims to index 14.2 billion records in URL:Login:Password (ULP) format. The service is accessible through both a Telegram bot and a web dashboard at vulta.pw, with real-time synchronization between the two interfaces. It's marketed as a tool for searching domains, emails, or keywords against massive databases of stolen credentials sourced from infostealer logs and combolists. The service works in a straightforward four-step process: Search: Users type a domain, email address, or keyword into the Telegram bot or web interface. The demo screenshot shows a search for "binance" returning 4,146,129 hits. Results: The system returns a hit count and asks how many lines the user wants to extract. Extraction: Users select a tier (1,000 lines for $0.50, 5,000 lines for $2.50, 10,000 lines for $5.00) or enter a custom line count. Delivery: Clean URL:Login:Password files are delivered instantly to the user's Telegram chat or web dashboard. The service advertises several key features: Deep ULP Extraction: Access to massive databases with millisecond latency. Real-Time Sync: Data is synchronized between the Telegram bot and web interface. High Accuracy: Clean, formatted ULP results described as ready for use with existing tools. Instant Delivery: Files delivered directly to Telegram or the dashboard. The ecosystem includes a Telegram bot (@VULTABOT), a web portal (@VULTANETWORKS), the main site (vulta.pw), and a support channel. A promotional code (WELCOMEVULTA) offers a 20% bonus on the first deposit. Credits are deposited via cryptocurrency. The 14.2 billion record claim and the Binance search returning 4.1 million hits suggest the database is aggregated from multiple large-scale infostealer log collections. Service Capabilities 14.2B Indexed Credential Records URL:Login:Password Extraction Domain Search Email Search Keyword Search Telegram Bot Delivery Web Dashboard Real-Time Sync Infostealer Log Aggregation Combolist Database Image Preview Claim URL Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers. Subscribe Subscriber Access View the original listing URL and unredacted claim images on the feeds below. Threat Feed Ransomware Feed MITRE ATT&CK Mapping T1589.001 Gather Victim Identity: Credentials Provides a searchable index of 14.2 billion stolen credentials in URL:Login:Password format, enabling targeted credential lookups against any domain, email, or service. T1078 Valid Accounts Extracted ULP credentials can be used directly for account takeover, enabling attackers to authenticate as legitimate users across banking, email, social media, and corporate platforms. T1110.004 Credential Stuffing The clean URL:Login:Password format is specifically designed for automated credential stuffing tools, enabling mass account takeover attempts across targeted services. T1102 Web Service Uses Telegram as a delivery mechanism and command interface for the credential lookup service, blending operations into normal messaging platform traffic. Dark Web Informer © 2026 | Cyber Threat IntelligenceDarkWebInformer.com

Indicators of Compromise

• domain — vulta.pw
• malware — Vulta Intelligence
• mitre_attack — T1589.001
• mitre_attack — T1078
• mitre_attack — T1110.004
• mitre_attack — T1102