Alleged Crypto Leads, Android Spyware, Mossad Leak, Binance Data, Nakamura Listing

SOCRadar’s Dark Web Team identified several new underground posts this week, including a global “crypto leads” dataset advertised for sale, an Android spyware listing, and politically framed claims of a Mossad-related database leak. Additional posts promoted an alleged Binance user dataset with PII and login activity, and a large database listing referencing Nakamura.

Receive a Free Dark Web Report for Your Organization:

The Alleged Crypto Leads Dataset is on Sale

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising a large “Leads Are Interested In Crypto” dataset spanning multiple countries.

The seller claims the records were collected through marketing campaigns and community scraping across platforms such as Facebook and Telegram, with additional enrichment methods mentioned in the listing. The post includes country-level counts, with large volumes claimed for USA (8,567,118), UK (1,352,314), and Australia (887,081) among others, and states the dataset will be updated over time.

New Android Spyware Listing is Detected

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising an Android spyware tool for sale.

The listing claims the spyware can collect a broad range of victim data, including keystrokes, contacts, messages, notifications, call logs, and location signals, and includes remote control capabilities. The post lists a price of $1,000 (negotiable) and notes escrow-based dealing. These types of offerings are commonly positioned for surveillance and credential theft, and often lead to follow-on account compromise and fraud.

The Alleged Database of Mossad is Leaked

SOCRadar Dark Web Team detected a threat actor post on a dark web forum claiming a leak tied to Mossad, framed as a politically motivated release.

The threat actor claims the dataset contains highly sensitive personal data that could be used for doxing, impersonation, and targeted social engineering. While underground posts often exaggerate scope and authenticity, claims involving identity numbers and address-level data are notable due to the immediate harm potential even when only partially accurate.

Alleged Binance User Database is on Sale

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising an alleged database of 1.5M+ Binance users, described as “fresh” and not previously circulated.

According to the listing, the dataset includes full PII (name, email, phone), account attributes such as registered country and KYC status, and login activity fields such as last login IP, device or user-agent details, and timestamps. The post markets the dataset for credential abuse and targeted phishing scenarios and references crypto-only payment methods.

Alleged Nakamura.co.id Member Database is Leaked

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising a large database listing tied to nakamura.co.id, branded in the post as Nakamura Holistic Therapy.

The listing claims 850,000+ members and a dataset size of 17GB+, suggesting a broad customer or membership record set rather than a small credential dump. If authentic, datasets of this size typically enable high-volume phishing and account targeting, especially when combined with contact fields and identity attributes.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.