Our summer plans: Keep tabs on dark web activity and arm security teams with better identity intelligence to disrupt cybercrime. How ‘bout yours?
In this month’s cybercrime recap, we’re sharing commentary on trending news stories as well as more of our own research so your team stays in the know. Keep reading for:
- What’s new with the Telegram crackdown saga
- Attack trends and the latest breach news, including ongoing fallout from the PowerSchool incident and the inflated hype around the alleged Steam breach
- What we found when we dug into ULP combolists (hint: there’s quite a bit of overlap with stealer logs, unfortunately)
- What we’re celebrating following the LummaC2 takedown, as well as an initial look at expectations vs. reality
- Details about the BreachForums void, which has quickly morphed into a “Forum Wars” of sorts, with LeakBase and DarkForums contending to become the new “it” place for cybercriminals
Let’s dig in.
May cybercrime news
Telegram crackdown continues
Over the last few weeks, more prominent cybercriminal accounts and channels appear to have been removed from the Telegram platform. In particular, we noticed apparent takedowns of prominent channels and accounts related to ransomware, as well as channels dedicated to posting breached and leaked data.
As a result of these continued channel takedowns, we are seeing many group admins transition their channels to private groups which require admin approval to join. A few groups have also announced, or are contemplating, a move to a different privacy-centric chat platform called SimpleX Chat.
SimpleX advertises itself as a privacy-focused messaging platform that emphasizes anonymity and security by avoiding traditional metadata exposure: it assigns no user identifiers, minimizes message headers, and does not depend on a central server. It also requires no phone number, email, or username to operate. However, it lacks many of the features of Telegram and other messaging services, especially API functionality.

Image 1: Users in a popular data leak Telegram channel discuss moving to SimpleX Chat after some of their channels were deleted.

Image 2: User in a cybercriminal Telegram channel laments that “the good times on Telegram are over.”
This moderation activity continues almost a year after Pavel Durov, the CEO of Telegram, was arrested in Paris for allegedly allowing criminal activity on his platform. Following the arrest, Telegram announced a moderation “crackdown” on illegal activity on the platform. However, as we noted at the time, we did not observe a mass migration of cybercrime discussion off the platform.
As increased moderation continues to disrupt criminal communities, the friction may eventually become sufficient to drive some actors off the platform, despite the lack of full-featured alternatives.
PowerSchool data extortion, part two
In December 2024, a large education technology company called PowerSchool was compromised, impacting over 62 million students. At the time, PowerSchool disclosed the data theft, informing their customers that they paid a ransom to the threat actors to prevent them from leaking the data.
Now, over five months later, multiple school districts whose data was stolen in the initial incident have stated that they received new extortion attempts directly from actors threatening to leak the data that was stolen from PowerSchool.
These new extortion attempts against the original victim’s customers illustrate two points:
- There is never any guarantee that stolen data has been deleted once threat actors have exfiltrated it. In this case, PowerSchool stated that it had received a video of the threat actors deleting the stolen data in exchange for the ransom payment, but clearly the data was not deleted. Other ransomware groups have previously re-extorted the same victims or posted data to their leak sites even after a ransom was paid.
- Ransomware threat actors continue to maximize their opportunities to make money while minimizing effort through data-theft extortion. Originally ransomware centered around encrypting devices and files, and demanding payment in exchange for decryption. Over time, threat actors began turning to double-extortion, stealing data prior to network encryption and also threatening to leak that data if victims didn’t pay. Now, pure data-theft extortion (with no network encryption) is increasingly common for “ransomware” actors who aim to extort victims for as much money as possible with minimal effort. This PowerSchool example follows this general trend – the threat actors are attempting to extort as many entities as possible using the same dataset, maximizing their opportunities to extort victims from a single intrusion.
Alleged Steam breach proves underwhelming
In mid-May, a threat actor using the screen name ‘Machine1337’ attempted to sell alleged Steam user account details, pricing the dataset at $5,000. Our team reviewed the samples circulating on the dark web, which consisted only of a list of phone numbers and one or more one-time password (OTP) codes for each phone number. As the name implies, an OTP code is valid once and only for a short period; thus, the codes being sold are no longer useful for direct account takeover (ATO). Expired OTP codes could have some social engineering value in convincing a victim that a scam call is genuine, by quoting codes that match the OTPs in the user’s history, but this unconventional approach is just as likely to confuse victims and raise suspicion.
While we can’t be certain where this data originated, this data does not appear to have significant value for ATO purposes. Steam also put out a statement a few days after the threat actor’s post, stating that they reviewed the sample and determined that this data was not obtained from a breach of Steam systems and confirming that the data could not be used for ATO of Steam user accounts.
Additionally, Twilio made a public statement clarifying that the data had not been obtained through a compromise of its service, after Twitter/X user MellowOnline1 speculated that the data may have been stolen via a supply chain compromise of Twilio. Twilio is a service commonly used to text 2FA codes to users.
Glitch shutting down, citing misuse by threat actors
On May 22, Glitch, a website that allowed anyone to quickly create and deploy web apps for free, announced that it will be ending web hosting for apps on their service. This was notable to our team because Glitch, like many other free web app hosting providers, is a popular tool for threat actors to quickly and easily deploy phishing sites for no cost. In the announcement, they specifically cited “bad actors try[ing] to misuse the platform” as a reason for ending their web hosting services.

Image 3: Excerpt from Glitch’s announcement that they are ending their web app hosting service.
Researchers at DomainTools noted that the ephemeral nature of Glitch’s free web app hosting made it particularly useful to phishers looking to avoid detection by security teams. Glitch’s free tier allowed any user to create a page that stayed live for five minutes. After that, the app creator had to manually click to reactivate the page, making it very difficult for security analysts to go back and investigate the page later, and thus acting as an unintentional anti-analysis feature for the phishers.
TL;DR of new SpyCloud Labs research
Think combolists are just old, recycled credential dumps? Think again. We did a deep dive on ULP (URL:Login:Password) lists to see how today’s threat actors are using fresh data lifted straight from infostealer malware like LummaC2 and RedLine to build smarter, more dangerous combolists. These aren’t your typical dumps – they include browser-saved passwords, session cookies, and autofill data, making them incredibly effective for credential stuffing attacks. Take a look to see how the game has changed, and what we can do about it.
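As an added example (not SpyCloud’s code, and not part of the research summarized above), the following Python shows how the URL:Login:Password format can be parsed robustly despite the colons inside URLs and passwords, normalized to a host for de-duplication, checked against a set of monitored domains, and compared against stealer-log records to measure overlap. The regex, the sample combolist lines, the stealer-log records, and the monitored domain `example.com` are all constructed assumptions.

```python
"""Parse URL:Login:Password (ULP) combolist lines, normalize them, flag entries
for monitored domains, and measure overlap with stealer-log records.

Added example, not SpyCloud's code. The regex, the sample combolist, the
stealer-log records and the monitored domain are all constructed here.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# A ULP line is "<url>:<login>:<password>". The URL itself contains ':' (scheme,
# optional port) and passwords may contain ':', so a naive split(':') is wrong.
# Strategy: consume scheme://host[:port]<path> with a lazy path, so the first
# ':' after the path starts the login and the next ':' starts the password,
# which keeps the rest of the line (colons included).
ULP_RE = re.compile(
    r"^(?P<url>(?:https?|ftp|android)://[^:/\s]+(?::\d+)?[^:\s]*?)"
    r":(?P<login>[^:\s]+)"
    r":(?P<password>.+)$"
)


@dataclass(frozen=True)
class Credential:
    host: str      # normalized host only; the path is dropped for de-duplication
    login: str
    password: str


def parse_ulp_line(line: str):
    """Return a Credential, or None for lines that are not URL-first ULP."""
    m = ULP_RE.match(line.strip())
    if not m:
        return None
    host = (urlsplit(m["url"]).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return Credential(host, m["login"].lower(), m["password"])


def parse_combolist(text: str):
    """Split a combolist into parsed credentials and unparsable raw lines."""
    parsed, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        cred = parse_ulp_line(line)
        if cred is None:
            unparsed.append(line)
        else:
            parsed.append(cred)
    return parsed, unparsed


def matches_domain(host: str, monitored) -> bool:
    """True if host is one of the monitored domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in monitored)


def overlap_with_stealer_logs(ulp_creds, stealer_creds):
    """Share of unique ULP credentials that also appear in stealer-log data."""
    ulp_set, stealer_set = set(ulp_creds), set(stealer_creds)
    both = ulp_set & stealer_set
    return {
        "ulp_unique": len(ulp_set),
        "in_stealer_logs": len(both),
        "overlap_ratio": len(both) / len(ulp_set) if ulp_set else 0.0,
    }


# Constructed sample combolist: a port, colons in a password, a www prefix,
# an android:// app entry, a duplicate (different path, same host) and one
# malformed line.
SAMPLE_COMBOLIST = """\
https://mail.example.com/login:alice@example.com:Summer2024!
https://portal.example.com:8443/auth:bob:pa:ss:word
https://www.shop.example.net/account:carol:hunter2
android://Zm9v@com.example.app/:dave:Dave123
https://mail.example.com/:alice@example.com:Summer2024!
not-a-ulp-line
"""

# Constructed stealer-log records, already normalized the same way.
STEALER_LOG_RECORDS = [
    Credential("mail.example.com", "alice@example.com", "Summer2024!"),
    Credential("portal.example.com", "bob", "pa:ss:word"),
    Credential("bank.example.org", "erin", "Pa55"),
]


def run_example(monitored=frozenset({"example.com"})):
    parsed, unparsed = parse_combolist(SAMPLE_COMBOLIST)
    unique = set(parsed)
    exposed = sorted((c for c in unique if matches_domain(c.host, monitored)),
                     key=lambda c: (c.host, c.login))
    return {
        "parsed": len(parsed),
        "unique": len(unique),
        "unparsed": unparsed,
        "exposed": exposed,
        "overlap": overlap_with_stealer_logs(unique, STEALER_LOG_RECORDS),
    }


if __name__ == "__main__":
    print(run_example())
```

The host-only key is deliberate: the same login and password posted against two paths on one host is one exposed credential, not two, and that is the unit a password-reset or session-invalidation workflow acts on. Lines that are not URL-first (some lists are login:password:url, or plain login:password) are returned unparsed rather than guessed at.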
Current & forthcoming cybercrime research
What's happening with the LummaC2 takedown
On May 21, the FBI, Europol, and Microsoft announced a coordinated takedown of infrastructure related to the LummaC2 infostealer malware. Based on our collection of recaptured infostealer malware data from over 70 different malware families, LummaC2 has consistently been the top infostealer malware in terms of daily numbers of infections since the fall of 2024.
Just before the takedown was announced, Telegram messages by LummaC2 admins and users confirmed the loss in infrastructure functionality in real time, with many complaining that the panels were not working and that their logs had disappeared (see Image 4). The FBI also posted directly to the LummaC2 Telegram group, taunting the LummaC2 subscribers and admins (see Image 5).

Image 4: Message in the LummaC2 Telegram group during the takedown.

Image 5: One of the FBI’s messages to the LummaC2 Telegram group following the takedown action.
Turning to SpyCloud’s recaptured infostealer log data to measure the impact of this disruptive action, we saw a slight decrease in the number of new LummaC2 infections on May 21, the day of the disruption. However, after only a few days, the infection numbers appeared to rebound, returning to similar levels as the days leading up to the takedown.
As you can see in Image 6, the number of successful LummaC2 infections per day appears to generally decline over the month of May, but the coordinated takedown action on May 21 so far does not appear to have a sustained effect on this trend.

Image 6: Graph showing the number of LummaC2 malware infections over a 30-day period, including the date of the takedown action on May 21, 2025.
Taking a look at overall infection numbers across all of our infostealer malware data, we do see some small increases in infection numbers for both Stealc and Nexus in the week following the LummaC2 takedown. This could potentially indicate some threat actors moving away from LummaC2 and towards other alternatives as a result of the takedown action. The developers of Stealc even attempted to take advantage of the situation by posting ads in the LummaC2 chat as the takedown was happening (see Image 8).

Image 7: Graph showing proportion of new infections – by infection date – of the top 20 malware families, based on logs collected by SpyCloud during the month of May.

Image 8: A threat actor attempting to drum up business for the Stealc infostealer MaaS in the LummaC2 chat on the day of the takedown actions.
While the long-term effects of the May 21 takedown remain to be seen, early results indicate that the MaaS was impacted by the disruption but that its developers were able to recover within days, returning to pre-disruption levels of successful daily infections relatively quickly.
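As an added example (not SpyCloud’s analysis code), here is the kind of windowed before/after comparison used to judge whether a takedown had a sustained effect on a family’s daily infection counts and on its share of infections relative to other families. The daily counts are constructed to mimic the pattern described above (a dip on May 21, a rebound within days, modest gains for Stealc and Nexus); they are not real SpyCloud figures. The seven-day window and the 25% threshold for calling a drop “sustained” are assumptions.

```python
"""Measure whether a takedown produced a sustained drop in daily infections.

Added example, not SpyCloud's analysis code. The per-family daily counts
below are constructed to resemble the pattern described in the text and are
not real figures; the window length and thresholds are assumptions.
"""
from datetime import date, timedelta
from statistics import mean

TAKEDOWN = date(2025, 5, 21)
WINDOW_DAYS = 7          # assumption: compare one week before and one week after
SUSTAINED_DROP = 0.25    # assumption: post-window mean must fall >= 25% to count


def day_range(start, n):
    return [start + timedelta(days=i) for i in range(n)]


def build_series(start, counts):
    """Map consecutive dates starting at `start` to the given daily counts."""
    return dict(zip(day_range(start, len(counts)), counts))


# Constructed daily counts of new infections by infection date,
# 2025-05-14 .. 2025-05-28: 7 days before, the takedown day, 7 days after.
DAILY = {
    "LummaC2": build_series(date(2025, 5, 14),
                            [100, 98, 97, 95, 96, 94, 93, 60, 85, 90, 92, 93, 91, 90, 92]),
    "Stealc": build_series(date(2025, 5, 14),
                           [20, 21, 20, 19, 20, 21, 20, 22, 25, 26, 27, 26, 27, 26, 27]),
    "Nexus": build_series(date(2025, 5, 14),
                          [10, 10, 11, 10, 10, 9, 10, 10, 12, 13, 13, 12, 13, 14, 13]),
}


def window(series, start, n):
    """Daily counts for n days from `start`; missing days count as zero."""
    return [series.get(d, 0) for d in day_range(start, n)]


def takedown_impact(series, takedown=TAKEDOWN, n=WINDOW_DAYS, sustained_drop=SUSTAINED_DROP):
    """Compare the takedown day and the following window against the prior window."""
    pre = window(series, takedown - timedelta(days=n), n)
    post = window(series, takedown + timedelta(days=1), n)   # excludes the takedown day
    pre_mean, post_mean = mean(pre), mean(post)
    day_of = series.get(takedown, 0)
    return {
        "pre_mean": pre_mean,
        "day_of": day_of,
        "day_of_ratio": day_of / pre_mean,
        "post_mean": post_mean,
        "post_ratio": post_mean / pre_mean,
        "sustained": post_mean <= pre_mean * (1 - sustained_drop),
    }


def share_shift(daily, takedown=TAKEDOWN, n=WINDOW_DAYS):
    """Each family's share of all infections in the week before vs. the week after."""
    before = {f: sum(window(s, takedown - timedelta(days=n), n)) for f, s in daily.items()}
    after = {f: sum(window(s, takedown + timedelta(days=1), n)) for f, s in daily.items()}
    total_before, total_after = sum(before.values()), sum(after.values())
    return {f: (before[f] / total_before, after[f] / total_after) for f in daily}


if __name__ == "__main__":
    print(takedown_impact(DAILY["LummaC2"]))
    print(share_shift(DAILY))
```

One caveat when applying this to recaptured log data: counts keyed by infection date keep rising for a while as logs from those days are collected later, so the post-takedown window is systematically less complete than the pre-takedown window at the time of analysis, which biases the comparison toward showing a drop. Re-running the comparison after the collection lag has passed is the check a practitioner would want before calling a disruption effective.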
We will continue to track the situation closely and are hopeful that further follow-on actions by law enforcement are able to continue to disrupt this prolific MaaS.
The Forum Wars

As we mentioned in last month’s cybercrime update, BreachForums, the most popular English-language data breach forum, went dark on April 15. Since then, a whole host of threat actors have been attempting to take advantage of the situation by creating and announcing their own replacements (with varying degrees of exit-scam potential). However, no clear successor has yet emerged.
Without wading too deep into the weeds, here are some updates we have observed over the last month on the various attempts to create the next version of BreachForums:
- As of May 18, the administrators of a popular BreachForums-centered Telegram group have referred to the ransomed[.]biz site as ‘the new forum.’ They are also offering 18TB of free data that can be found at cdn[.]ransomed[.]biz. This Telegram group is popular among former BreachForums users as it often re-shared pay-gated databases from BreachForums for free.

Image 9: Announcement about the ransomed[.]biz website as a successor to BreachForums.
- In other channels popular with former BreachForums users, a new version of Raid Forums is being touted as the next big data breach forum. However, based on the low number of posts to this site, it also doesn’t seem to be gaining mass adoption from former BreachForums users.

Image 10: Screenshot of a new Raid Forums site.
- Ads on multiple data leak Telegram channels claim that “Breachforums[.]sx” is for sale by “Anastasia” for $2,000 (later apparently discounted to $1,500). However, as both journalists and other threat actors (see Image 11) have noted, this alleged “Anastasia” and the sites they are apparently selling for such a reasonable price don’t seem to have any concrete ties to the original site.

Image 11: Telegram user warning others about a “Fake Anastasia” that is attempting to scam people by selling “fake breach clones.”
- As we highlighted last month, an actor who goes by hasan (aka hasanbroker/sextorts), who appears to have ties to the Com, has also posted extensively on both X/Twitter and Telegram claiming to be creating a successor to BreachForums. Throughout May, they continued to post about being in the process of creating a new site, stating that it was not yet ready and asking people to “be patient.”

Image 12: X/Twitter post by hasan discussing creating a new BreachForums alternative.
- We are also seeing some chatter indicating that some threat actors believe BreachForums will return on July 1. This appears to trace back to a message apparently sent by a former BreachForums moderator who goes by the moniker ‘paw’, which was screenshotted and reshared on X/Twitter (see Image 13).

Image 13: X/Twitter post containing a screenshot of an announcement by ‘paw’.
- Finally, another copycat site called breached[.]live is billing itself as ‘BreachForums V5’ (see Image 14). The administrators claim to have no affiliation with BreachForums, but are attempting to rebuild the community, including adding posts that appear to have been scraped from BreachForums and promising former BreachForums users that they will restore their ranks and even refund money that was lost in escrow (see Image 15).

Image 14: Screenshot of the homepage on the breached[.]live site.

Image 15: Announcement on breached[.]live promising former BreachForums members that this new forum will restore their rank and lost funds.
As all of this hearsay and hullabaloo continues to play out, threat actors continue to share and sell their data on two other English-language data leak forums, LeakBase and DarkForums, as well as via Telegram channels. While some threat actors also share and sell breached databases through the Russian hacking forum XSS, it has a somewhat more stringent and onerous account creation process that we have observed both English- and Chinese-speaking threat actors complain about. This makes migration of the BreachForums user base to XSS much less likely.