Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | Vercel and Binance Data Claims, Israel Facebook Leak, FALKONc2 Sale, and Gmail Caller Recruitment
Apr 20, 2026
5 Mins Read
Moon

Vercel and Binance Data Claims, Israel Facebook Leak, FALKONc2 Sale, and Gmail Caller Recruitment

SOCRadar Dark Web Team identified several new underground posts, including an alleged Vercel access key and source code sale framed as a supply chain risk, and a separate listing claiming a 1.5 million record Binance dataset. Other posts promoted an alleged leak of Israeli Facebook user data, a new RAT offering called FALKONc2, and recruitment for “Gmail callers” tied to social engineering activity.

Receive a Free Dark Web Report for Your Organization:

Alleged Vercel Access Key and Source Code Sale is Detected

Alleged Vercel Access Key and Source Code Sale is Detected

SOCRadar Dark Web Team detected a threat actor post on a dark web forum advertising alleged access keys, source code, and database materials linked to Vercel. The actor presented the access as “verified” and positioned it as potential leverage for a broader supply chain scenario, referencing Vercel’s role in widely used development tooling.

The listing claimed the seller had access tied to multiple employee accounts, internal deployments, and sensitive API tokens, including NPM and GitHub tokens. The actor also emphasized the downstream impact of pushing a malicious update into widely used packages, framing the sale as high impact and suitable for large scale abuse.

For more details, you can check “Vercel Breach: Hacker Claims to Sell Stolen Data in Potential Global Supply Chain Attack

Alleged 1.5 Million Record Binance Dataset Sale is Detected

Alleged 1.5 Million Record Binance Dataset Sale is Detected

SOCRadar Dark Web Team detected a threat actor post advertising an alleged Binance dataset for sale, claiming 1.5 million records. The post described a dataset that appeared to blend identity and account security details, including email and password fields, phone and country data, last login, 2FA status, KYC status, and a balance field.

If authentic, this type of dataset can enable targeted phishing and account takeover attempts, especially when attackers can tailor lures based on KYC status or 2FA state. Even when balances are not usable as direct proof, the presence of those fields can help criminals prioritize victims and craft more convincing social engineering.

Alleged Facebook User Data of Israeli Citizens is Leaked

Alleged Facebook User Data of Israeli Citizens is Leaked

SOCRadar Dark Web Team detected a post claiming leaked Facebook related data tied to Israeli users. The shared fields in the listing included phone numbers, Facebook IDs, names, gender, and location style attributes, with additional columns suggesting relationship or status style context.

This kind of exposure increases the risk of SIM swapping, impersonation, and localized phishing, because phone numbers plus identity attributes help attackers validate targets and build believable pretexts. It also supports enrichment when combined with other breach data, making follow on scams more targeted.

New FALKONc2 Remote Access Trojan Sale is Detected

New FALKONc2 Remote Access Trojan Sale is Detected

SOCRadar Dark Web Team detected a post advertising a remote access trojan called FALKONc2, described as a private RAT built for stealth and small payload size. The seller claimed in memory operation and promoted different stubs aimed at consumer and corporate environments, with the corporate focused variant marketed around EDR and XDR evasion.

The advertisement also referenced multiple communication methods and frequent infrastructure refresh cycles, along with features positioned for deep reconnaissance and persistence in enterprise networks. Claims about bypass techniques should be treated cautiously, but the overall pitch suggested the actor aimed to attract buyers seeking long term access and post compromise tooling.

Recruitment for Gmail Callers is Detected

Recruitment for Gmail Callers is Detected

SOCRadar Dark Web Team detected a recruitment post seeking “Gmail callers” with strong social engineering skills. The post advertised access to “high quality private USA data,” a profit share model, and operational tooling support, which suggested a structured fraud workflow rather than opportunistic scam attempts.

Recruitment posts like this often point to account takeover focused operations, where compromising email accounts becomes a gateway to password resets, financial fraud, and broader identity theft. Even without malware, these crews can scale quickly using data sets, spoofing, and repetitive call scripts targeting high trust services.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.