SOCRadar® Cyber Intelligence Inc. | Fresh Facebook Data Sale, MonoLock Ransomware, and SIM-Swap Recruitment Announced in Underground Forums
Oct 20, 2025

Fresh Facebook Data Sale, MonoLock Ransomware, and SIM-Swap Recruitment Announced in Underground Forums

SOCRadar’s Dark Web Team observed a busy underground market this week, where actors offered massive scraped datasets, KYC and SIM-swap services, botnets for rent, and a new modular ransomware toolkit. The listings included a claimed 1.7 billion Facebook records, a Hook Android botnet advertised for rent, and MonoLock ransomware v1.0 with multiple modules for exfiltration and locking. These posts, if genuine, increase the risk of large-scale phishing, identity fraud, and targeted SIM-swap campaigns.

Alleged Scraped Facebook Data Is on Sale

SOCRadar Dark Web Team detected an alleged sale of 1.7 billion scraped Facebook user records. The threat actor claims the dataset is fresh, never leaked before, and available for an unspecified price, providing a contact link in their bio. According to the listing, the data includes user ID, gender, date of birth, location, relationship status, and friends count. Such information could enable large-scale social engineering, targeted phishing, or identity theft campaigns if the claim proves legitimate.

A New Alleged KYC Service Is Detected

SOCRadar Dark Web Team detected an alleged KYC service advertised on a dark web forum. The threat actor offers identity verification and document services for various financial institutions, banks, and exchanges, including Wise, Revolut, Skrill, HSBC, Monzo, PayPal, and Binance. Prices range from $60 to $1,400 depending on the institution and whether the buyer requests a “custom name” option, which likely refers to forged identity documents.

New Hook Android Botnet Tool Sale Is Detected

SOCRadar Dark Web Team detected an alleged rental offering for a Hook Android botnet at $5,000 per month. The threat actor claims the malware is an original, fully updated Hook botnet compatible with the latest Android versions and offers a free beta test as proof. The listing directs buyers to make contact via private message and advertises full functionality, with supporting evidence available on request.

New MonoLock Ransomware Is Announced

SOCRadar Dark Web Team detected an alleged announcement for MonoLock ransomware v1.0. The threat actor presents MonoLock as a commercial, modular ransomware toolkit for automated command and control operations. They describe specific modules: Elevate for privilege escalation that avoids registry changes and uses living off the land techniques; MonoSteal 1.0 for fast file exfiltration targeting documents, images, videos, passwords, and certificates; MonoLock 1.0 as the locker using a ChaCha20-Salsa20 hybrid for encryption; and Notedrop for delivering ransom notes or instructions on the victim system. The actor claims anti-analysis checks for virtual machines, debuggers, and other forensic tools, and a module to enumerate and delete Volume Shadow Copies to hinder recovery.
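A defender-side check for the shadow-copy enumeration and deletion behavior claimed in the listing, as an added example that is not from the SOCRadar post or the actor's tooling. The listing does not say how MonoLock does this, so the command patterns (built-in Windows utilities documented under MITRE ATT&CK T1490), the 10-minute correlation window, the `triage` function, and the constructed sample events are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: the listing does not say how MonoLock handles shadow copies.
# The patterns cover built-in Windows utilities widely documented for
# inhibiting recovery (MITRE ATT&CK T1490); they are not MonoLock signatures.
DELETE = re.compile(
    r"vssadmin(\.exe)?\W.*\b(delete\s+shadows|resize\s+shadowstorage)\b"
    r"|wmic(\.exe)?\W.*\bshadowcopy\b.*\bdelete\b"
    r"|win32_shadowcopy.*(\.delete\(|remove-(wmi|cim)(object|instance))"
    r"|wbadmin(\.exe)?\W.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)
ENUMERATE = re.compile(
    r"vssadmin(\.exe)?\W.*\blist\s+shadows\b"
    r"|wmic(\.exe)?\W.*\bshadowcopy\b.*\b(list|get)\b", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def triage(events):
    """Return alerts for process-creation events (dicts: host, time, cmd).

    Deletion is always 'high'; it becomes 'critical' when the same host
    enumerated shadow copies within WINDOW beforehand (enumerate-then-delete).
    Enumeration alone is not alerted on: backup tooling does it routinely.
    """
    last_enum, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        cmd = ev["cmd"]
        if DELETE.search(cmd):
            seen = last_enum.get(ev["host"])
            chained = seen is not None and ev["time"] - seen <= WINDOW
            alerts.append((ev["host"], "critical" if chained else "high", cmd))
        elif ENUMERATE.search(cmd):
            last_enum[ev["host"]] = ev["time"]
    return alerts

# Constructed sample events (not from the page), shaped like process-creation
# telemetry such as Sysmon Event ID 1 or Windows Security 4688.
T0 = datetime(2025, 10, 20, 9, 0, 0)
SAMPLE = [
    {"host": "ws-01", "time": T0, "cmd": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "ws-01", "time": T0 + timedelta(minutes=2), "cmd": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "srv-02", "time": T0 + timedelta(minutes=3), "cmd": r"wmic shadowcopy delete"},
    {"host": "srv-03", "time": T0 + timedelta(minutes=4), "cmd": r"vssadmin list shadows"},
    {"host": "ws-04", "time": T0 + timedelta(minutes=5), "cmd": r"notepad.exe C:\notes\vssadmin-howto.txt"},
]

if __name__ == "__main__":
    for host, severity, cmd in triage(SAMPLE):
        print(f"{severity:8} {host:7} {cmd}")
```

Command-line matching of this kind misses deletion performed through direct API or COM calls, so it complements rather than replaces monitoring of the Volume Shadow Copy service itself.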

New Post Seeking Partnership With Employees Is Detected

SOCRadar Dark Web Team has detected a post seeking telecom insiders for SIM swapping operations. The threat actor claims to already have a T-Mobile insider and is now searching for AT&T or other SIM company employees to join their scheme. They mention verified clients, dozens of ready targets, and promise profit sharing for collaborators.

Powered by DarkMirror™

Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring all sources is simply not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware bot infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by targeted country or industry.