SOCRadar® Cyber Intelligence Inc. | NordVPN Dev Data Leak, Crow Stealer Tool & Large Data Listings
Jan 05, 2026
Jan 23, 2026

NordVPN Dev Data Leak, Crow Stealer Tool & Large Data Listings

SOCRadar’s Dark Web Team identified several new underground posts this week, including a threat actor claim involving alleged internal NordVPN development data, a large data sale attributed to AgroParisTech, and the promotion of a new information-stealing malware called Crow Stealer. Another listing advertised a large aggregated email and password collection compiled from multiple sources.

Alleged Database of NordVPN is Leaked

SOCRadar Dark Web Team detected a hacker forum post in which a threat actor claims to have leaked internal NordVPN data obtained from a misconfigured development environment. The threat actor states that access was achieved by brute-forcing a development server hosting Salesforce and Jira-related assets.

The claim indicates that the exposed data includes more than ten database source codes linked to NordVPN’s development infrastructure, Salesforce API keys, Jira tokens, and additional sensitive information. To support the claim, the threat actor shared sample database dumps and schema details demonstrating internal Salesforce-related processes and API key storage.

NordVPN mentioned SOCRadar on X and stated that the company’s security team found no indications of a compromise affecting NordVPN servers or internal production infrastructure based on the initial forensic analysis.

Alleged Database of AgroParisTech is on Sale

SOCRadar Dark Web Team detected a threat actor post on a hacker forum advertising the sale of data allegedly linked to AgroParisTech, an elite French academic institution operating within the Paris-Saclay higher education ecosystem. The threat actor describes the listing as a one-time sale using escrow and claims the dataset currently exceeds 211 GB, with additional data still being extracted.

The post claims the dataset contains over 131,000 files, including databases, access keys, personal and identity-related records, financial information such as IBANs, student and research materials, email backups, and VPN-related data. To support the claim, the threat actor shared sample records in database format with partially masked identifiers.

New Crow Stealer Tool Sale is Detected

SOCRadar Dark Web Team detected a threat actor post on a dark web forum promoting the sale of a malware tool referred to as “Crow Stealer.” The threat actor markets the tool as a modern information stealer and advertises it as actively maintained, with both free and paid distribution models.

According to the forum post, the stealer is designed to collect system metadata and harvest credentials and session data from a wide range of applications and browsers. The threat actor claims support for dozens of browsers, cryptocurrency wallets, FTP clients, cloud service tools, game launchers, VPN clients, and popular communication applications. The post also highlights file-search capabilities targeting wallet and credential-related keywords, as well as filtering based on file extensions.

The advertised feature set emphasizes evasion and operational flexibility, including anti-virtual machine and sandbox detection, claimed bypass capabilities for recent Chromium-based browser versions, encrypted log storage, and multiple build options. The threat actor also promotes a dedicated dashboard for payload customization, packaging, and log management, as well as a Telegram channel used for promotion and distribution.

Alleged Email Password Collection is on Sale

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising the sale of an alleged large-scale email and password data collection. The threat actor promotes the dataset as a bulk offering, while also claiming the ability to sell subsets by domain, country, individual files, or selected private records.

In the post, the threat actor directly addresses the advertised scale of the collection, warning that it should not be interpreted as containing 50B unique credential lines. According to the actor, the dataset was compiled over time from multiple sources, including collections purchased from other forum members as well as previously held material. The threat actor openly acknowledges the presence of duplicate entries, reused credentials, and generated lines within the collection.

Screenshots shared with the listing show file names that may create the impression of a dataset containing up to 50B credential lines. However, both the file structure and the threat actor’s own disclaimer indicate that this offering represents an aggregated credential compilation rather than a newly exposed database. As such, it should not be assessed as a fresh data leak.

From a threat perspective, collections of this nature are typically used to support credential stuffing and account takeover attempts rather than signaling a recent compromise. While many of the credential lines may be outdated or previously exposed, the risk remains relevant in environments where password reuse persists and multi-factor authentication is not enforced.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible: it is time-consuming and challenging, and one mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by targeted country or industry.