Alleged FortiBleed Access Auction, Sens Unique Paris Data Sale, and libsodium DoS Claims
SOCRadar Dark Web Team identified new underground activity involving alleged FortiBleed-related access, an alleged 529,892-record customer database linked to French retailer Sens Unique Paris, and a claimed libsodium and NaCl zero-day package. Additional listings advertised alleged KodexGlobal portal access, a 2 million-card database, and a separate collection of 2 million Spanish IBANs.
Receive a Free Dark Web Report for Your Organization:
Alleged FortiBleed-Related Access Auction is Detected

SOCRadar Dark Web Team detected a forum post advertising allegedly fresh access and stating that the related CVE would soon be closed as investigations were underway. The actor claimed to be continuing to collect or “dump” access while the opportunity remained available.
The listing used an auction format, with a starting price of $30,000, bidding increments of $5,000, and a $50,000 buy-it-now price. This activity may be connected to the broader FortiBleed exposure identified by SOCRadar researchers, which involved compromised Fortinet firewalls and VPN gateways. However, the actor’s claim and the specific source of the advertised access remain unverified.
Alleged Sens Unique Paris Customer Database is Offered for Sale

SOCRadar Dark Web Team detected a post advertising an alleged customer database linked to Sens Unique Paris, a French retailer. The seller claimed the dataset contains 529,892 records, priced it at $400, and stated that the breach occurred on June 20, 2026.
The listed fields included first and last names, dates of birth, postal codes, addresses, phone numbers, email addresses, and IBANs. If authentic, the combination of personal and banking details could support targeted phishing, identity fraud, and fraudulent direct-debit attempts.
Alleged libsodium and NaCl DoS PoC and Zero-Day Claims are Detected

SOCRadar Dark Web Team detected a forum post claiming a remote Denial-of-Service (DoS) proof of concept affecting applications using the libsodium and NaCl cryptographic libraries. The actor alleged that specially crafted boundary values could crash applications using the crypto_box_open_easy function.
The post also claimed the seller possessed ten additional zero-day vulnerabilities, including alleged heap out-of-bounds and nonce-reuse issues, and offered the broader package for 200 BTC. These claims remain unverified, and no official confirmation from the projects’ maintainers was identified at the time of reporting.
Alleged KodexGlobal Law Enforcement Accounts are Offered for Sale

SOCRadar Dark Web Team detected a post advertising alleged KodexGlobal law enforcement accounts for $1,500 each. The seller claimed the accounts could submit and manage emergency data requests and said proof of access would be provided to prospective buyers.
If valid, such access could allow an unauthorized party to impersonate law enforcement when requesting sensitive user information from services that process requests through the platform. The claim remains unverified.
Alleged Database of 2 Million Credit Card Records is Auctioned

SOCRadar Dark Web Team detected an auction for an alleged database containing approximately 2 million credit card records. The seller claimed that 80% of the records related to the United States, with the rest attributed to the EU, Australia, and the United Kingdom.
The listing set a starting price of $1,000 and a buy-it-now price of $3,000, while reporting a claimed validity rate of 0.5% to 1%. This low rate may indicate older or previously circulated card data, but the volume could still drive card-not-present fraud attempts.
Alleged Database of 2 Million Spanish IBANs is Offered for Sale

SOCRadar Dark Web Team detected a listing offering an alleged database containing 2 million Spanish IBANs. The actor attached a sample file but did not identify the organization or service from which the data was allegedly obtained.
Even without a named source, a dataset of this size could facilitate financial fraud, identity profiling, and phishing campaigns targeting Spanish banking customers.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.
