BitMart Breach, Naver Leak, qTox Exploit, and Credit Card Sales Detected on Dark Web
Threat actors remain highly active across dark web forums, with SOCRadar’s Dark Web Team uncovering multiple alarming developments this week. Highlights include the alleged breach of BitMart’s backend infrastructure and the leak of 1.2 million user records, as well as a claimed database leak affecting Naver Corporation. A new 0-day exploit targeting the secure messaging platform qTox has also been advertised. Meanwhile, separate posts promoted the sale of Canadian credit card data and a dataset containing over 54,000 card records from the U.S. and U.K.
Alleged Database of Naver is Leaked

SOCRadar Dark Web Team has detected a post on a Dark Web forum where a threat actor allegedly leaked a database belonging to Naver Corporation, a South Korean internet company based in Seongnam, best known for operating the Naver search engine. According to the post, the exposed data includes user IDs, email addresses, password hashes, and some plaintext passwords. The threat actor also claimed to have compiled a portion of the data into a combolist.
Alleged 0-Day Exploit Sale Is Detected for qTox

SOCRadar Dark Web Team has detected a post on a Dark Web forum where a threat actor allegedly offered a 0-day exploit for sale targeting qTox, an open-source, peer-to-peer instant messaging application. Widely used in underground communities for its encryption and anonymity features, qTox is considered a privacy-focused alternative to mainstream messaging platforms. According to the post, the exploit is being sold for 10 BTC, and the actor claims to provide video proof of functionality.
Alleged Credit Card Data from Canada Is on Sale

SOCRadar Dark Web Team has detected a post on a Dark Web forum where a threat actor is allegedly selling a dataset containing stolen credit and debit card information from Canada. According to the post, the database includes 1,000 records, composed of approximately 75% credit cards and 25% debit cards, with a claimed validity rate of 80–90%. The actor states that the data has not been listed on other marketplaces and is exclusively in their possession. Card details are said to include full cardholder information such as card number, CVV, billing address, and issuing bank.
Alleged 54K Credit Cards from the United States and the United Kingdom Are on Sale

SOCRadar Dark Web Team has detected a post on a Dark Web forum where a threat actor is allegedly selling a dataset containing approximately 54,000 stolen credit card records, primarily from the United States and the United Kingdom. According to the post, at least 90% of the cards are from the U.S., with the remainder from the U.K. or other unspecified countries. The actor claims a validity rate between 30% and 50% and lists the total price as $800.
Alleged Database of BitMart is Leaked

SOCRadar Dark Web Team has detected multiple Dark Web forum posts allegedly involving a security breach and exploit sale related to BitMart.
The first post, dated July 9, was observed on a prominent Russian-speaking cybercrime forum and advertises a 0-day server-side prototype pollution exploit targeting BitMart’s backend infrastructure. The threat actor claims the vulnerability stems from a JavaScript deserialization flaw in BitMart’s Node.js backend, potentially allowing Remote Code Execution (RCE), privilege escalation, API key theft, and manipulation of wallet addresses. The exploit was offered for 15 BTC with a video proof of concept, and the actor emphasized that the vulnerability remained unpatched at the time of posting.

A few days later, on July 12, another threat actor, posting on the same Russian-speaking forum, allegedly leaked a user database claimed to have been exfiltrated from BitMart. According to the post, the leak includes over 1.2 million user records, with details such as email addresses, phone numbers, and additional personal data. The threat actor stated that prior attempts to alert BitMart had been ignored, prompting the public release.

These claims were soon echoed on a second well-known hacker forum, where two additional posts, dated July 12 and July 13, surfaced. The July 12 post mirrored the original leak announcement, while the July 13 post, shared by a different threat actor, offered the full dataset for $1,050, describing it as “fresh and exclusive.” The actor provided structured details, listing over 1.2 million records, including email addresses (777,633), phone numbers (550,823), IP addresses (162,007), registration timestamps, countries, regions, and referral IDs.
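
The first post names a bug class, server-side prototype pollution reached through deserialized JavaScript objects in a Node.js backend, without giving technical detail. The sketch below is a generic illustration of that class and its mitigation; it is an added example, not code from BitMart, the forum posts, or SOCRadar, and `unsafeMerge`, `safeMerge`, `isAdmin` and the request body are hypothetical names and data constructed for the demonstration.

```javascript
// Generic illustration of server-side prototype pollution and a hardened merge.
// Hypothetical names throughout; not taken from any real backend.

// Constructed JSON body. JSON.parse keeps "__proto__" as an ordinary own key.
const CONSTRUCTED_BODY = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Weak pattern: recursive merge that follows every key, including "__proto__",
// so the recursion ends up writing into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip prototype-related keys and only descend into
// objects the target owns itself, creating prototype-less containers.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const owns = Object.prototype.hasOwnProperty.call(target, key);
      if (!owns || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Authorization check that trusts inherited properties (the weak spot).
function isAdmin(user) { return user.isAdmin === true; }

// Merge the constructed body, then test an object the merge never touched.
function demo(merge) {
  const settings = merge({}, JSON.parse(CONSTRUCTED_BODY));
  const unrelatedUser = { name: "guest" };
  const result = { escalated: isAdmin(unrelatedUser), theme: settings.theme };
  delete Object.prototype.isAdmin; // undo any pollution so runs stay independent
  return result;
}
console.log(demo(unsafeMerge), demo(safeMerge));
```

Beyond filtering keys, checks such as `isAdmin` are safer when they test own properties only, and Node.js can be started with `--disable-proto=delete` to remove the `__proto__` accessor entirely.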

Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source yourself is time-consuming, challenging, and often simply not feasible, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by targeted country or industry.
