WhatsApp 3B Dump, OnlyFans 340M Records Sale, BlockFi Email Leak, Ramen Kuroda Data Leak, and VSP Security Wholesale Breach
SOCRadar Dark Web Team detected several new underground posts this week, including a 7.1 million record leak from the Philippine restaurant chain Ramen Kuroda, an alleged 340 million user record sale tied to OnlyFans, a 3 billion row WhatsApp data dump, a free release of 654,000 BlockFi customer emails, and a 15 GB full data dump of VSP Security Wholesale attributed to the Stormous Group.
Across these posts, threat actors leveraged loyalty program data, linked social profiles, and bulk PII to enable fraud, targeted phishing, and follow-on access operations.
Alleged WhatsApp 3 Billion Records Dump Is Detected
SOCRadar Dark Web Team detected a post from a threat actor sharing what they claimed to be a dataset of approximately 3 billion WhatsApp-linked records. The shared sample contained full names, email addresses, phone numbers, WhatsApp account status, account verification dates, and physical addresses, with samples appearing to reference users primarily based in the United Kingdom. The actor framed the post as a farewell message before exiting the forum.

Datasets of this scale, even if partially authentic, represent a serious risk for mass phishing, smishing, and SIM swap attacks, particularly when phone numbers are paired with verified addresses and account activity signals. The farewell framing does not reduce the downstream threat, as such datasets are commonly redistributed across multiple channels after initial release.
Alleged Ramen Kuroda Database Leak Is Detected
SOCRadar Dark Web Team detected a post claiming the full compromise of the customer database of Ramen Kuroda, a Japanese ramen restaurant chain operating in the Philippines. The actor posted three CSV files totaling 1 GB with over 7.1 million records, including fields such as first name, last name, email, mobile number, birthdate, gender, age, and detailed loyalty program data like RK Wallet Balance, Total Spent, Tier Level, Orders Count, and Topups Count.

The combination of personal identifiers and financial loyalty data creates significant risk for identity theft, targeted phishing, and loyalty point fraud. The large scale of the breach and the richness of the customer profiles make this dataset a high-value asset for attackers looking to run long-term fraud campaigns against Philippine consumers.
Alleged OnlyFans 340 Million Records Sale Is Detected
SOCRadar Dark Web Team detected a listing claiming an internal OnlyFans database dump containing approximately 340 million user records covering both fan and creator accounts. The dataset was presented in a colon-delimited format and included fields such as UID, username, full name, join date, email, phone number, follower and like counts, media counts, user type (fan or creator), last four digits of a payment card on file, and linked external social profiles.

The exposure of account type alongside linked social profiles significantly raises the risk of reputational harm, blackmail, and targeted social engineering. The inclusion of partial payment card data, combined with email and phone, gives attackers enough to cross-reference with other breaches and build actionable financial fraud profiles.
Alleged BlockFi and Kroll Crypto Email Leak Is Detected
SOCRadar Dark Web Team detected a free post on a hacker forum offering an alleged 654,000 email address database tied to BlockFi customers, with the leak attributed to the previously reported Kroll third-party compromise. The post referenced a public news article about the 2023 Kroll hack affecting FTX and BlockFi customer data and provided a direct download link.

This incident underscores the persistent risk of third-party supply chain breaches, where customer data remains accessible and exploitable long after the original event. Even with BlockFi in bankruptcy proceedings, the email list provides a ready attack surface for credential stuffing and phishing campaigns targeting former customers who may still reuse credentials across active financial platforms.
Alleged VSP Security Wholesale Full Data Dump Is Detected
SOCRadar Dark Web Team detected a post attributed to the Stormous Group releasing a 15 GB dataset allegedly belonging to VSP Security Wholesale (vspsolutions.com.au) for free. The actor stated the release followed the company’s failure to reach a resolution, a phrasing consistent with a failed ransomware or extortion negotiation. The dump was described as containing administrative and financial records, payroll sheets, client and partner directories, employee records, official contracts, internal correspondence, and tax and legal documents.

The breadth of the leaked material, spanning both internal operations and external client relationships, creates significant risk of reputational damage, regulatory liability, and downstream attacks against VSP’s clients and partners. The Stormous Group’s pattern of publishing data after failed negotiations suggests the full dataset may be further distributed through affiliate channels.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen lets your SOC team follow the latest posts of threat actors and groups, filtered by targeted country or industry.
