Cloudflare 0-Day, Ameli Patient Leak, and New Fraud Tools Detected on Dark Web
SOCRadar Dark Web Team has identified a wave of new underground listings, highlighting both technical exploits and large-scale data breaches. Notably, a threat actor is selling a method that allegedly bypasses Cloudflare’s protections via Host Header Injection, while another advertises a leak containing 8 million French health records tied to Ameli. Additional posts include a phishing page mimicking Binance, a new email spam tool, and credit card data primarily sourced from Chile. These findings point to a continued expansion of illicit services across fraud, exploitation, and credential harvesting.
Alleged 0-Day of Cloudflare is on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor claimed to be selling a private method to bypass the Cloudflare CDN (Content Delivery Network) and exploit a Host Header Injection (HHI) vulnerability. The threat actor claimed the method enables DNS SSRF (Domain Name System server-side request forgery) and cache poisoning, and claimed a Proof of Concept (PoC) was tested against a Coinbase login page.
Alleged Database of Ameli is on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor advertised the sale of a database allegedly belonging to Ameli. The threat actor claimed the dataset contains approximately 8 million French patient and customer records and included a sample. The post directed interested parties to make contact via Telegram and listed a price of 200 EUR. The unusually low price may indicate that the data has already been widely circulated, is incomplete, or that the threat actor is attempting to attract quick buyers in a competitive underground market.
Alleged Scam Page of Binance is Shared

SOCRadar Dark Web Team identified a forum post where a threat actor shared an alleged scam page targeting Binance. The post contained a link promoting the fraudulent page, which appeared to be designed for phishing or credential harvesting activity.
A New E-Mail Sender Tool is on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor advertised a private email sender tool for sale. The threat actor claimed the tool supports mass mailing, customizable campaign settings (total emails, duration, concurrency), a template system with dynamic macros, dynamic headers, real-time statistics and analytics, proxy support with rotation and SOCKS5 authentication, SMTP management, and detailed email tracking. The post stated access is limited and that pricing starts at $500 per week under forum rules.
Alleged 60K Credit Cards are on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor advertised the sale of an alleged credit card dataset containing 60,659 lines. The threat actor claimed the dataset excludes CVV codes and uses the format number|month|year|firstname, with an asserted validity rate of 50–60 percent and approximately 60 percent of records originating from Chile. The listing set a total price of 40,000 USD (approximately 0.7 USD per line) and provided contact channels on Telegram, Tox, and Signal.
A New Verification Service is Detected

SOCRadar Dark Web Team identified a forum post where a threat actor offered a verification and KYC facilitation service. The threat actor claimed over three years of experience and stated they can perform KYC, advise on account usage to increase lifespan, and provide services such as exchanges, wallets, photos, videos, and reviews. The service accepts guarantors and can operate on a postpaid basis for buyers with forum reputation. Pricing was listed from $10 and contact was provided via Telegram.
Powered by DarkMirror™
Visibility into deep and dark web threats is extremely useful for actionable threat intelligence and digital risk protection. However, monitoring all sources is simply not feasible, and attempting it is time-consuming and challenging. A single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen lets your SOC team follow the latest posts from threat actors and groups, filtered by targeted country or industry.
