Dark Web Activity Targets MEXC Global, Pandora Joias, Tea App, and Expands Smoke Loader Reach
The SOCRadar Dark Web Team has observed several high-impact cybercrime developments over the past week. Threat actors are offering unauthorized fund withdrawal services for MEXC Global accounts, claiming they can bypass KYC/AML checks.
In Brazil, Pandora Joias is allegedly the victim of a large-scale ERP system breach, with millions of user records exposed. Meanwhile, a privacy-invasive leak involving the Tea dating app has surfaced, with tens of thousands of personal images reportedly scraped and distributed. Finally, an updated version of the Smoke Loader botnet is circulating, showcasing new obfuscation and delivery tactics.
The Alleged Data of MEXC Global are on Sale

SOCRadar has detected a post on a hacker forum where a threat actor offers to process unauthorized withdrawals from MEXC Global accounts. MEXC is a centralized cryptocurrency exchange platform that offers spot and derivatives trading to a global user base. The threat actor claims they can withdraw up to 95% of the balance from an account if provided with a live session cookie or email access. They propose a 60/40 profit split, where 60% of the stolen funds are kept by the threat actor and 40% are given to the person who supplies the access. The post also mentions access to blocked accounts with higher balances, and the threat actor claims they can bypass KYC (Know Your Customer) and AML (Anti-Money Laundering) checks to complete the withdrawals.
Alleged Database of Pandora Joias is on Sale

SOCRadar has detected a post on a hacker forum offering the alleged database of Pandora Joias, the Brazilian subsidiary of the international jewelry brand. The threat actor claims to have compromised all databases of the ERP Linx systems used by Pandora and its franchisees in Brazil. The leaked data allegedly includes customer, supplier, vendor, and product records, with personal details such as CPF numbers, phone numbers, email addresses, and names of spouses, children, and family members. The post references the domain pandorajoias.com.br and advertises full database access. The database is claimed to be 40 GB in size and to contain over 1.6 million user entries.
The Alleged Database of Tea App is Leaked

SOCRadar has detected a post on a Russian-speaking hacker forum related to the reported breach of Tea, a viral mobile app that allows women to anonymously share information and photos about men they are dating. On July 26, a threat actor claimed that the app stored sensitive data, including user selfies and government ID images, in an unsecured Firebase database. They stated that the data had already been scraped, resulting in a 55 GB archive, and shared magnet links allegedly pointing to the files.
The actor also referenced unconfirmed claims that a larger archive, between 70 and 120 GB, may exist. This forum post appeared shortly after independent reports emerged that over 72,000 images, including 13,000 user-submitted photos and ID documents, were being circulated on platforms such as 4chan and X (formerly Twitter).
New Smoke Loader Botnet Tool is Shared

SOCRadar has detected a post on a hacker forum promoting an updated version of the Smoke Loader botnet tool. The malware features a modular plugin system, including keyloggers, form grabbers, and system info collectors. The threat actor claims 2025 updates include a new loader method, updated admin panel, and enhanced C2 encryption. The bot uses HTTP with RC4 encryption and disguises its traffic by mimicking requests to legitimate websites. It also reportedly supports .bit domains and GeoIP-based targeting. Recent payloads include Whiffy Recon, used to geolocate victims via Wi-Fi.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by targeted country or industry.
