Berkeley University, Eni France, and Foremost Named in Dark Web Sales; SDC Service Advertised

New activity observed by the SOCRadar Dark Web team reveals an expanding ecosystem of cybercrime services and data leaks targeting high-profile entities. A newly advertised cash-out platform called SDC Ecosystem claims to enable fraud even against MFA-protected accounts. At the same time, threat actors have shared or offered alleged datasets tied to Eni France, the University of California Berkeley, and U.S.-based Foremost Groups.

Receive a Free Dark Web Report for Your Organization:

SDC Cash Out Service Is Detected

SOCRadar has observed a dark web post advertising a new service called the SDC Ecosystem (System Delivery Cash), which offers cash-out operations using stolen payment credentials protected by multi-factor authentication.

The service is designed to monetize compromised data through merchant-based or product-based transactions, even when the cards are secured with 3-D Secure (3DS), one-time passwords (OTP), or push notification-based verification systems. The threat actor claims to offer high profit margins and instant processing, suggesting a streamlined infrastructure built for rapid and large-scale fraud.

The operation appears to target regions including Europe, Asia, Scandinavia, and Arab countries, indicating adaptation to diverse financial systems and local anti-fraud mechanisms. The emphasis on confidentiality and secure communication channels is likely intended to attract experienced fraudsters while reducing exposure to law enforcement.

This activity reflects the increasing professionalization of cybercrime services, where complex operations such as bypassing authentication and laundering funds are being offered as ready-to-use solutions on underground platforms

Alleged Database of Foremost Groups Is Leaked

SOCRadar has identified a new post on a Dark Web forum claiming to leak internal data belonging to Foremost Groups, a U.S.-based corporate holding company specializing in indoor furniture, kitchen and bath products, outdoor furniture, and food service equipment.

According to the threat actor, the leaked material consists of more than 20 GB of compressed files, organized as a multi-archive ZIP dump. The contents allegedly include legal, financial, human resources, audit, and insurance documents. An alleged sample bank statement is also shared as proof of access, and the post references the company’s official website as the data source.

Alleged Data of Eni Are on Sale

SOCRadar has identified a dark web post claiming to offer a database allegedly containing sensitive information from Eni S.p.A., the Italian multinational energy company headquartered in Rome. The post appears to focus on Eni’s operations in France, referencing the domain fr.eni.com.

The threat actor claims the dataset includes approximately 1.2 million records, containing full names, addresses, phone numbers, point de livraison (PDL) identifiers, service provider names, postal codes, cities, and countries. A redacted sample is included in the post, showing entries linked to gas and power services under Eni’s French customer infrastructure.

The alleged breach is dated July 30, 2025, and the data is offered for $1,500, with payment accepted in Bitcoin (BTC) or Tether (USDT). The threat actor also offers escrow and shares contact details via Telegram and qTox.

While the full contents and origin of the data remain unverified, the post suggests a possible compromise affecting Eni’s regional operations in France. If confirmed, the exposure may result in reputational, legal, and regulatory consequences under European data protection frameworks.

Alleged Database of Berkeley University Is on Sale

SOCRadar has identified a dark web post claiming to offer for sale a database allegedly associated with the University of California, Berkeley.

According to the threat actor, the full dataset is available in both SQL and CSV formats, with access to phpMyAdmin also included. The post claims the dump contains a wide range of information, including student and faculty details, seminar data, usernames, password hashes, and records of school-related payments. The actor further notes that multiple subdomains linked to Berkeley were reportedly offline at the time of posting, allegedly due to being hosted on the compromised server.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.