Alleged Eholo, OptimizerAI, PlayStation, Florajet, Coinbase Data and MalFactory Stealer Sale Surface
SOCRadar’s Dark Web Team identified several new underground posts this week, including alleged data leak and sale claims involving Eholo, OptimizerAI, PlayStation, Florajet, and Coinbase, as well as a new stealer builder marketed under the MalFactory name.
The listings reference sensitive medical notes, user account data, order records, credential logs, and an affordable malware builder advertised with multiple theft and evasion capabilities.
The Alleged Eholo Hack Announcement and Data Sharing Post Detected

SOCRadar Dark Web Team detected a threat actor post on a dark web forum alleging a successful breach involving Eholo, a platform used by psychologists and psychological centers for patient and practice management.
According to the post, the threat actor claims to have extracted the Eholo Health database and states that the allegedly compromised data includes 1,146,700 medical notes and 601,308 user PII records. The listing also includes a $300,000 ransom demand and sets a deadline of March 15, 2026, while warning that the data may be sold if payment is not made.
Given the nature of the platform, the alleged exposure is notable because it may involve highly sensitive healthcare-related and personal data. The post also references sample material as proof of access and provides contact instructions for further communication.
The Alleged Database of OptimizerAI is Leaked

SOCRadar Dark Web Team detected a threat actor post on a dark web forum alleging a database leak involving OptimizerAI.xyz, described in the listing as an AI sound effects platform.
According to the post, the threat actor claims the dataset contains records tied to more than 118,000 users, including unique email addresses, usernames, registration timestamps, profile images, and multiple Discord-related fields such as Discord IDs, names, nicknames, and email information. The actor also claims the leak includes more than 1.1 million sound generation records associated with the platform.
Sample data shared in the post appears to show structured user and generation-related entries, suggesting a mix of account metadata and content-generation activity. If genuine, a dataset of this type could create follow-on risks such as credential abuse, impersonation attempts, and targeted social engineering against affected users.
The Alleged Data of PlayStation Is Leaked

SOCRadar Dark Web Team detected a threat actor post on a dark web forum claiming that 500,000 PlayStation logs have been leaked by a group identified in the listing as the V for Vendetta Cyber Team.
According to the post, the shared material is presented as a CSV log dataset containing approximately 559,978 lines. The advertised format includes fields such as ID, username, password, account type, created date, public info, features, service provider, account status, verification, login context, URL, and timestamp. Multiple sample entries were also provided in the listing.
Because the post explicitly references login-related records and password fields, the alleged dataset may represent a broader credential collection rather than a confirmed direct breach of a single platform. Listings of this kind are often associated with aggregated logs or stealer-derived data, but they still pose a risk due to the potential for account takeover attempts, phishing, and credential reuse abuse.
New MalFactory Stealer Builder is on Sale

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising the sale of a stealer builder named MalFactory Stealer Builder, promoted as a malware-as-a-service offering for Windows systems.
According to the advertisement, the builder is marketed as a custom stealer MaaS with a claimed 0% average AV flag rate. The listed features include file stealing, wallet theft, wallet clipping, 2FA theft, cookie theft, startup persistence, computer information theft, anti-VM checks, game account theft, and Telegram session theft.
The threat actor also promotes multiple pricing options, including a $40 one-time payment, $10 per day, $15 per week, and $50 per month, while stating that source code access may also be discussed privately. From a threat perspective, offerings in this price range can lower the barrier to entry for less experienced actors by giving them access to a ready-made credential and data theft toolset.
The Alleged Database of Florajet is on Sale

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising the sale of an alleged database linked to Florajet, a France-based online flower delivery service.
According to the post, the threat actor claims to be selling 1,457,473 orders covering the period from 2023 to 2026, with the total data volume described as 136GB. After deduplication, the actor claims the dataset contains approximately 952,000 unique personal phone numbers and 1.2 million unique full addresses. The listing also includes sample PDF links and structured sample lines.
The allegedly exposed records appear to contain detailed order-related information, including recipient names, addresses, phone numbers, order metadata, and personal messages attached to deliveries. If authentic, data of this kind could be especially useful for fraud, phishing, and highly tailored social engineering, since it combines contact data with contextual information drawn from real customer transactions.
The Alleged Login Data of Coinbase Is Leaked

SOCRadar Dark Web Team detected a threat actor post on a dark web forum alleging a login data leak involving Coinbase.
According to the post, the listing advertises 300,000 lines of data in a user CSV file with a stated size of 20 MB. The post includes several Coinbase-related URLs in the quoted sample and references hidden content, along with a Telegram mention for follow-up or distribution.
Although the post does not provide full technical validation, listings framed as login datasets are notable because they may be used for credential stuffing, phishing, or account access attempts against users of high-value financial and cryptocurrency platforms. In underground spaces, Coinbase-branded credential listings are especially attractive due to the direct financial incentive associated with successful account compromise.
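Both the PlayStation and Coinbase listings above are described as CSV credential logs, and the practical defender question for either is the same: which of the organization's accounts appear in the dump, and do any of them share a password. The following Python script is an added example, not part of the SOCRadar report or of any tool it mentions. It parses the column layout quoted for the PlayStation listing, discards malformed rows (common in underground dumps), extracts accounts belonging to domains the organization monitors, and fingerprints passwords with a truncated SHA-256 so reuse can be spotted without storing or displaying plaintext. The sample CSV, the domain `example.org`, and every field value are constructed for the example.

```python
import csv
import hashlib
import io
from collections import Counter

# Constructed sample in the column layout described for the PlayStation listing.
# Every value here is invented for illustration; none comes from a real dataset.
SAMPLE_LOG_CSV = """id,username,password,account_type,created_date,public_info,features,service_provider,account_status,verification,login_context,url,timestamp
1,alice@example.org,Winter2024!,standard,2021-03-02,,,psn,active,verified,web,https://login.example.com/,2026-03-01T10:00:00Z
2,bob@contoso.example,hunter2,premium,2020-07-11,,,psn,active,unverified,app,https://login.example.com/,2026-03-01T10:00:05Z
3,carol@example.org,Winter2024!,standard,2022-01-19,,,psn,suspended,verified,web,https://login.example.com/,2026-03-01T10:00:09Z
4,dave@example.org,,standard,2019-05-05,,,psn,active,verified,web,https://login.example.com/,2026-03-01T10:00:15Z
broken line without enough columns
5,erin@other.example,Spring2025?,standard,2023-09-30,,,psn,active,verified,web,https://login.example.com/,2026-03-01T10:00:21Z
"""

# Columns a row must carry to be worth triaging.
REQUIRED_FIELDS = ("username", "password", "account_status", "timestamp")


def parse_credential_log(text):
    """Parse a leaked-log CSV, dropping rows that lack the required columns.

    csv.DictReader fills missing trailing columns with None, so a short or
    garbled line shows up as None in a required field and is discarded.
    """
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        if any(row.get(field) is None for field in REQUIRED_FIELDS):
            continue
        rows.append(row)
    return rows


def password_fingerprint(password):
    """Short, non-reversible tag used only to detect reuse across accounts.

    Returns None for an empty password so the analyst can see the row had no
    usable secret rather than treating the empty string as a shared value.
    """
    if not password:
        return None
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_exposed_accounts(rows, monitored_domains):
    """Return triage entries for usernames whose domain is monitored."""
    monitored = {d.lower() for d in monitored_domains}
    exposed = []
    for row in rows:
        username = row["username"].strip().lower()
        if "@" not in username:
            continue  # not an email-style username; nothing to match on
        domain = username.rsplit("@", 1)[1]
        if domain not in monitored:
            continue
        exposed.append({
            "username": username,
            "password_fingerprint": password_fingerprint(row["password"]),
            "account_status": row["account_status"],
            "seen_at": row["timestamp"],
        })
    return exposed


def reused_fingerprints(exposed):
    """Fingerprints shared by more than one exposed account.

    A shared fingerprint means the same password sits on several accounts in
    the dump, which should prioritise those accounts for a forced reset.
    """
    counts = Counter(
        e["password_fingerprint"] for e in exposed if e["password_fingerprint"]
    )
    return {fp: n for fp, n in counts.items() if n > 1}


if __name__ == "__main__":
    rows = parse_credential_log(SAMPLE_LOG_CSV)
    hits = find_exposed_accounts(rows, ["example.org"])
    for hit in hits:
        print(f"{hit['username']}: status={hit['account_status']} "
              f"fp={hit['password_fingerprint']} seen={hit['seen_at']}")
    print("reused fingerprints:", reused_fingerprints(hits))
```

Feed the real file to `parse_credential_log` in place of the constructed string and pass the organization's own domains to `find_exposed_accounts`; the output contains no plaintext passwords, so it can be shared with the identity team as the reset list.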
Powered by DarkMirror™
Gaining visibility into deep and dark web threats is valuable for actionable threat intelligence and digital risk protection. However, monitoring every source is time-consuming, challenging, and ultimately not feasible, and a single mistaken click can result in a malware infection. To address these challenges, SOCRadar’s DarkMirror™ screen enables your SOC team to follow the latest posts of threat actors and groups, filtered by targeted country or industry.
