Blue Origin Leak Claim, iOS Zero Day Sale, VPN and AWS Access Listings, and Ticketmaster Database Post
SOCRadar Dark Web Team identified several new underground posts, including a claim of leaked Blue Origin documents tied to a ransom demand, a separate listing advertising an alleged full-chain iOS exploit, and access sales marketed with elevated privileges. Another post promoted an alleged Ticketmaster database, while a separate listing advertised AWS Console access tied to a Turkiye-based technology and SaaS target.
Most of these claims, shared in underground forums, remain unverified. Still, the themes are consistent with what threat actors often monetize: sensitive corporate data, high-impact exploit tooling, and initial access that can enable follow-on intrusion.
Alleged Blue Origin Data Leak and Ransom Demand is Detected

SOCRadar Dark Web Team detected a threat actor post claiming a leak of sensitive Blue Origin documents, framed as containing internal materials and information tied to rocket development. The actor positioned the post as a targeted breach narrative and promoted off-platform contact via Telegram.
The post also referenced a large claimed leak size of 492GB and demanded $250,000 described as ransom and “system repairs,” with “negotiation” mentioned. As with many leak claims, teams should treat the details cautiously until validated through independent confirmation or victim statements.
Alleged iOS 26.4.1 Full-Chain Zero Day Sale is Detected

SOCRadar Dark Web Team detected a threat actor post advertising an alleged iOS 26.4.1 full-chain exploit, described as a one-click remote code execution path with a multi-step chain. The listing presented the capability as a premium offering and advertised both “exclusive” and “non-exclusive” pricing options.
The seller also claimed high stability and stealth characteristics, while requesting private contact for proof and further details.
VPN Fortinet Access Sale is Detected for a Legal Services Target in India

SOCRadar Dark Web Team detected a post advertising alleged VPN (Fortinet) access tied to a Legal Services organization in India, marketed with Enterprise Admin privileges. The listing also referenced an endpoint stack in the environment, suggesting the seller tried to present the access as higher value and harder to remove.
The actor provided a specific asking price of $605 and stated BTC only, while claiming the access had been verified within the last 48 hours. Initial access listings like this can enable ransomware staging, data theft, or persistent access depending on what privileges are real and how quickly the victim rotates credentials and hardens remote access.
Alleged Ticketmaster Database of 20 Million Records is Detected

SOCRadar Dark Web Team detected a post claiming compromise of more than 20 million Ticketmaster records and sharing what appeared to be a broad set of database field names. The actor framed the claim as a direct hack and promoted Telegram contact for follow-up.
If authentic, a dataset of this size could create downstream risk for targeted phishing, fraud attempts, and account takeover, especially if attackers can map emails or phone numbers to purchase history or identity attributes. Large “field list” style posts often aim to build credibility, but defenders should still validate before treating claims as confirmed.
AWS Console Access Sale is Detected for a Technology and SaaS Target in Turkiye

SOCRadar Dark Web Team detected a listing advertising AWS Console access tied to a Technology and SaaS target in Turkiye, marketed with Domain Admin privileges. The post also included claimed business context such as revenue range and network size, which is commonly used to signal a high-value target.
The listing referenced an endpoint security product in the environment and claimed the seller could provide proof and details privately. Access listings involving cloud consoles are especially sensitive because a single compromised console can enable resource abuse, credential harvesting, data exposure, and persistence if identity and access controls are weak.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by the targeted country or industry.
