WhatsApp Number Leak, OpenVPN Access Sale, LiteLLM Exploit Scanner, BIN Leads Listing, and PHI Buyer Post
SOCRadar Dark Web Team identified several new underground posts, including a claim that 20.65 million Indonesian WhatsApp numbers were being shared, a separate listing advertising OpenVPN access into an Indian financial services target, and the sale of an exploit or scan script tied to CVE-2026-42208 affecting LiteLLM Proxy. Other posts promoted a large BIN-tagged “leads” dataset and a buyer request focused on Western Europe PII + PHI, showing continued demand for both consumer targeting data and healthcare-related records.
The Alleged WhatsApp Number Database Leak is Detected for 20.65 Million Indonesian Users

SOCRadar Dark Web Team detected a forum post claiming a WhatsApp number database leak affecting 20.65 million active Indonesian numbers. The poster described the dataset as spanning multiple islands, provinces, and cities, and shared partial samples in the thread to support the claim.
Even if WhatsApp itself was not directly compromised, large-scale phone number exposure like this can fuel smishing, WhatsApp-based impersonation, and follow-on fraud where attackers validate targets using number ownership before pushing scams or account recovery attempts.
The Alleged Unauthorized OpenVPN Access Sale is Detected for an Indian Financial Services Company

SOCRadar Dark Web Team detected a listing advertising alleged OpenVPN access into an Indian financial services organization, marketed with Cloud Admin (Owner) privileges. The post also referenced an asking price of $1,130 (crypto priced) and positioned the access as “verified,” which aligns with typical initial-access broker marketing intended for ransomware or data theft follow-on activity.
Posts like this matter because “owner-level” remote access can enable rapid privilege expansion, tenant-wide changes, and large-scale data access if the credentials or session artifacts are valid, especially when the buyer’s goal is persistence rather than a quick smash-and-grab.
The Alleged LiteLLM Proxy Exploit Scanner Sale is Detected for CVE-2026-42208

SOCRadar Dark Web Team detected a sales post advertising an exploit or scan script tied to CVE-2026-42208 affecting LiteLLM Proxy. The seller claimed the package included the code, usage procedure, and “FOFA dorks,” suggesting it was designed to help buyers find and test exposed instances at scale.
If this tooling circulated beyond a small buyer group, it could accelerate opportunistic targeting of internet-facing LiteLLM deployments, with the main risk being exposure of API keys, virtual or master keys, and environment secrets stored behind the proxy.
The Alleged Sale of 15 Million BIN-Tagged Personal Leads is Detected

SOCRadar Dark Web Team detected a listing advertising 15 million “leads” records containing BIN + name + phone + email, with the seller claiming 80% USA coverage and an auction-style pricing format (start, step, blitz) under escrow.
Datasets framed this way typically support high-volume fraud and targeting, because BIN context helps attackers tailor payment-themed lures, while phone and email fields support cross-channel outreach (email plus SMS or calls) to pressure victims into fast actions.
A PHI and Medical Data Buyer Post is Detected for Western Europe

SOCRadar Dark Web Team detected a buyer-focused post seeking connections for Western Europe PII + PHI and medical or health sector data. The actor claimed access to 500+ GB of data, including 1.5 million PHI documents, plus 200+ GB of source code and references to private keys tied to European vaccination-card-related access, while requesting contact via forum messages only.
Whether or not every claim was accurate, the pitch reflected consistent underground demand for healthcare-grade identifiers and documents, which can be reused for identity fraud, targeted extortion, and highly personalized social engineering against patients and staff.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source manually is not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by the targeted country or industry.
