Iran Hajj Organization Data Claim, Crypto Leads Sale, APT43 Tooling Claim, Sweden User Data, and Chrysler Breach Claim
SOCRadar’s Dark Web Team identified several new underground posts, including an alleged 168 million-record database sale tied to Iran’s Hajj and Pilgrimage Organization and a separate listing offering large volumes of U.S. crypto-related leads. Other posts claimed APT43-linked backdoors and zero-day vulnerabilities, advertised Swedish user data allegedly tied to AdressFakta, and referenced a Chrysler data breach claim involving Salesforce-related records.
Alleged Data Breach of Iran’s Hajj and Pilgrimage Organization Impacts 168 Million Records

SOCRadar Dark Web Team detected a threat actor post advertising an alleged database linked to Iran’s Hajj and Pilgrimage Organization. The actor claimed the dataset contains more than 168 million records covering the years 1984 to 2024.
The listing described a wide range of sensitive data, including names, dates and places of birth, ID numbers, national codes, passport details, contact information, travel records, insurance information, banking and payment data, and documents related to security deposits. The post also claimed the dataset includes information on government officials, NAJA forces, Basij forces, clerics, and source code for Hajj-related applications and services.
The actor listed the price as $80,000 in Bitcoin and shared a sample link. If authentic, the exposure could create serious risks around identity theft, targeted phishing, financial fraud, and intelligence gathering against both travelers and government-linked individuals.
Massive Crypto Platform User Leads are Offered for Sale

SOCRadar Dark Web Team detected a threat actor post advertising a large collection of alleged crypto-related user leads. The seller claimed the data was collected through a “crypto checker” and described it as a private database containing fields such as names, emails, and phone numbers.
The listing named several cryptocurrency and finance-related platforms, including Binance.US, Coinbase, Crypto.com, Gemini, Kraken, Robinhood, Ledger, Paxful, and others. Some listed datasets reached hundreds of thousands or millions of lines, including Crypto.com at over 1.8 million lines and Gemini at over 930,000 lines.
Even if the data is aggregated from multiple sources rather than a direct platform breach, this type of collection can still support phishing, SIM swapping, impersonation, and credential stuffing against crypto users.
APT43 Backdoor and Zero-Day Vulnerability Claims are Detected

SOCRadar Dark Web Team detected a post claiming to share backdoors, rootkits, and zero-day vulnerabilities allegedly linked to APT43 / Kimsuky, a North Korea-linked threat actor.
The post claimed the package included a C++ backdoor with encryption and anti-forensic capabilities, Android kernel attack tools, a server takeover rootkit, and three alleged zero-day vulnerabilities, including one described as enabling root privileges on Linux systems.
These claims remain unverified and should be treated cautiously, especially because dark web posts using APT names can be exaggerated or used to lure users into malicious downloads. Still, if any part of the claim is authentic, the material could increase risks around kernel-level compromise, stealthy persistence, and privilege escalation.
Swedish User Data Allegedly Stolen from AdressFakta is on Sale

SOCRadar Dark Web Team detected a post advertising a database allegedly tied to AdressFakta, a Swedish contact and marketing data service operated by SUPEReROI AB. The actor claimed the dataset contains 5,452,000+ unique user records.
The listing described exposed fields such as names, gender, mobile and landline phone numbers, street addresses, zip codes, towns, birthdates, and housing-type information. The actor priced the database at $3,800 for “base + access.”
If valid, this exposure could enable large-scale smishing, vishing, identity profiling, and targeted social engineering, particularly because residential and contact details can make fraudulent outreach appear more credible.
Everest Ransomware Group Claims Chrysler Data Breach

SOCRadar Dark Web Team identified a post referencing an alleged Chrysler breach claim attributed to the Everest ransomware group. The claim stated that more than 1 TB of data was exfiltrated, including over 105 GB of Salesforce-related information.
The referenced data reportedly spans 2021 to 2025 and includes customer, dealer, and internal agent records. Samples were said to contain customer interaction logs, names, phone numbers, email addresses, physical addresses, vehicle details, recall case notes, and call outcome information.
If confirmed, the exposure of CRM and customer interaction data could create downstream risks for targeted phishing, dealer impersonation, recall-related scams, and social engineering against customers or business partners.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, manually monitoring all sources is not feasible: it is time-consuming and challenging, and a single accidental click can result in a malware or bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by the targeted country or industry.
