Coca-Cola and DocuSign Breaches Claimed as Insider Recruiting and Card Sales Surface

SOCRadar’s Dark Web Team has detected several noteworthy developments across underground forums this week. These include alleged breaches tied to Coca-Cola and DocuSign, a recruitment effort targeting insiders within the French police, and the sale of 100,000 reused credit cards from the U.S. and Europe. The findings underscore the persistent targeting of global enterprises, public institutions, and financial data in dark web marketplaces.

Receive a Free Dark Web Report for Your Organization:

New Recruitment Post is Detected

SOCRadar detected a recruitment post seeking insiders within the French police. The threat actor claims to offer access to information and leaks in exchange for internal cooperation. Contact details are provided via Telegram and Signal.

Alleged 100K Credit Cards Belonging to United States and Europe are on Sale

SOCRadar detected a post offering an alleged set of 100,000 second-hand credit cards from the United States and Europe. The threat actor claims a 30–35% validity rate and includes full info. The data is described as second-hand, likely indicating reuse or resale from older breaches.

Pricing starts at $80,000, with $2,000 bid increments. A blitz price of $100,000 allows immediate purchase. Samples are available to trusted users, and forum escrow is accepted.

Alleged Data of DocuSign are on Sale

SOCRadar detected a post offering the alleged data of DocuSign for sale. The threat actor claims to possess 146 million records and provides a 1,000-record sample via external link. The listed price is $10,000, and contact is available through Telegram. The post also promotes real-time phone number sales and features daily activity, reflecting the frequent and large-scale nature of data trading on dark web platforms.

Alleged Coca-Cola Breaches Surface Across Dark Web Platforms

SOCRadar detected separate dark web posts by Everest ransomware and Gehenna, both claiming unauthorized access to Coca-Cola and its subsidiary, Coca-Cola Europacific Partners. Everest shared samples of internal documents allegedly stolen from Coca-Cola. Gehenna, posting on a recently popular hacker forum, claimed to have exfiltrated over 23 million Salesforce records, including CRM data, contacts, and product details, covering the period from 2016 to 2025. These incidents reflect ongoing attempts by threat actors to target high-profile corporate infrastructure and customer data.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible, which can be time-consuming and challenging. One click-by-mistake can result in malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow up with the latest posts of threat actors and groups filtered by the targeted country or industry.