iOS 0-Day, 55M U.S. Citizens’ Data, and Stealer Tools Hit Dark Web Forums
SOCRadar’s Dark Web Team has uncovered a surge in underground listings offering sensitive data, powerful exploit tools, and persistent access channels. Threat actors are advertising a zero-day RCE exploit targeting iOS 18, a database allegedly exposing 55 million U.S. citizens, a new Discord-focused malware called “Trap Stealer 2025,” and subscription-based access to premium stealer logs. These developments reflect the evolving cybercrime economy, where critical tools and data are being sold at scale.
Alleged Database of 55 Million U.S. Citizen Records is on Sale

SOCRadar Dark Web Team identified a forum post where a threat actor advertised the sale of a database allegedly containing 55 million U.S. citizen records. The threat actor stated that the dataset includes names, phone numbers, dates of birth, addresses, workplace details, Social Security Numbers in about 39 percent of entries, email addresses, ZIP codes, gender, ethnicity, and cookies. The seller said the data was collected between May and August 2025 and invited buyers to negotiate the price on Telegram or via forum messages. Transactions would be processed only through the forum administrator as a middleman. The threat actor claimed the database was obtained by exploiting several vulnerabilities, including an SQL Server 0-Day (CVE-2025-49719), other zero-days, and an IDOR flaw.
Alleged 0-Day RCE Exploit Sale is Detected for iOS

SOCRadar Dark Web Team identified a forum post where a threat actor offered an alleged zero-day Remote Code Execution (RCE) exploit for iOS. The threat actor claimed the exploit enables full device compromise with root privileges, operates without user prompts or visible crash artifacts, and supports persistence across reboots. It was advertised as compatible with all versions of iOS 18.x.x and effective on iPhones in all regions. The post stated that details and pricing would be shared with interested buyers and directed potential customers to contact the seller via Session.
Alleged Stealer Log Access Sale is Detected

SOCRadar Dark Web Team identified a forum post where a threat actor advertised access to a stealer log channel. The threat actor claimed to have long-standing experience with logs and databases and stated that they consolidated content from more than 30 premium channels, some of which cost up to $400 per month.
According to the post, the channel has already shared over 10,000 files, updated daily with SQL databases, text files, and email logs, typically ranging in size from 3 to 5 GB. The threat actor described the service as a reliable alternative for those seeking continuous access to fresh data and offered subscriptions at $50 per month, directing interested buyers to a Telegram contact. This trend lowers the cost of access within the cybercrime ecosystem, enabling even inexperienced and unskilled actors to conduct attacks with ease.
Alleged Trap Stealer Tool is Shared

SOCRadar Dark Web Team identified a forum post where a threat actor shared a new stealer tool called “Trap Stealer 2025.” The tool was advertised as a fully undetected (FUD) Discord-focused stealer with an extensive feature set. According to the threat actor, it is capable of stealing credentials, cookies, browser passwords, autofill data, and clipboard content, as well as targeting platforms such as Steam, Minecraft, WhatsApp, and popular online services including Spotify, Roblox, TikTok, and Twitch.
Additional functions allegedly include Discord injection, disabling security tools, persistence through startup and scheduled tasks, stealing files from USB drives, taking screenshots, and even crashing Windows devices. The post emphasized the tool’s versatility by highlighting features like custom icons, fake disguises (e.g., Discord Nitro generators), and self-deletion after execution.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen lets your SOC team follow the latest posts of threat actors and groups, filtered by targeted country or industry.
