Threat Actors Target Nike, PayPal, and CelcomDigi in New Access and Data Sales
The SOCRadar Dark Web Team has uncovered several significant listings in the past week, including a recruitment effort targeting employees of top brokerage firms, an alleged leak of over 20 million records from Malaysia’s CelcomDigi, and a large credential dump marketed as PayPal-related. Additionally, a threat actor has claimed to possess unauthorized shell access to Nike USA. These developments signal ongoing risks across sectors.
New Recruitment Post is Detected

SOCRadar Dark Web Team detected a recruitment post on an underground forum targeting employees of major brokerage firms, including Interactive Brokers, Saxo, Trade Republic, and Hargreaves Lansdown. The threat actor is recruiting insiders with access to trade history data and promotes the scheme as a mutually beneficial cooperation that generates additional income. The post claims that the work carries no risks and does not involve scamming. The threat actor provides contact details via Telegram and Jabber/Signal upon request. The offer starts at 1,000 USD, with the potential for higher earnings based on the insider’s access level and capabilities.
Alleged Database of CelcomDigi is on Sale

SOCRadar Dark Web Team detected a new post advertising the alleged database of CelcomDigi, a major telecommunications provider in Malaysia. The threat actor claims responsibility for a large-scale leak affecting over 20.6 million records, which allegedly include sensitive customer and corporate data.
The advertisement accuses CelcomDigi of negligence in protecting customer privacy, stating that both the company’s and its clients’ data “fell into my hands.” The dataset is offered in CSV format, with a compressed size of 1.92 GB and an uncompressed size of 7.65 GB. According to the post, compromised fields include full name, national identity number (NRIC), date of birth, nationality, gender, addresses, phone numbers, emails, SIM serial numbers, device details, registration data, and subscription information. The alleged breach date is listed as August 2025, and the seller sets the price at $5,000.
Alleged Database of PayPal is on Sale

SOCRadar Dark Web Team detected a new advertisement for an alleged Global PayPal Credential Dump 2025, claiming to contain more than 15.8 million email and password pairs in plaintext, with a reported dump size of 1.1 GB. The listing describes the dataset as including login emails, plaintext passwords, and associated PayPal-related URLs across multiple domains and countries.
The claim raises questions, as large credential dumps offered on underground forums are often compiled from multiple sources rather than originating from a single platform. The presence of plaintext passwords may indicate that the data was harvested through infostealer malware, phishing kits, or previous credential leaks repackaged as a PayPal-specific breach. Even if the dataset is not directly sourced from PayPal, it could still be used in credential stuffing, fraud attempts, and phishing campaigns against PayPal users worldwide.
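The provenance question above can be tested offline before anyone pays for, or panics about, a listing like this. The script below is an added example written for this article, not SOCRadar's tooling and not derived from the advertised dump, which was not examined. It assumes the common infostealer-log export shape `URL:email:password` (one capture per line) and uses a handful of constructed lines; the domain names, email addresses and passwords in the sample are invented. It reports how many distinct sites the capture URLs cover and how often the same email/password pair recurs across sites (both typical of aggregated stealer logs rather than a single-platform breach), lists the accounts from your own domains that should get a forced reset and credential-stuffing watch, and divides the advertised size by the claimed record count as a rough plausibility check (assumes decimal GB).

```python
"""Offline triage of a claimed credential dump (added example, not from the
listing or from SOCRadar). Assumes infostealer-style lines URL:email:password;
all sample data below is constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines; not data from the advertised dump.
SAMPLE_DUMP = """\
https://www.paypal.com/signin:alice@example.com:Summer2024!
https://www.paypal.com/myaccount/summary:bob@example.org:hunter2
https://login.paypal.me/:carol@example.com:Pa55w0rd
https://accounts.google.com/:alice@example.com:Summer2024!
https://www.netflix.com/login:dave@corp.example:n3tfl1x
https://www.paypal.com/signin:erin@corp.example:Welcome1
https://www.paypal.com/signin:alice@example.com:Summer2024!
not a credential line
"""

# Non-greedy URL so the "https:" colon is not mistaken for the field separator;
# the email must contain "@" before the next colon; the password keeps any colons.
LINE_RE = re.compile(r"^(?P<url>\S+?):(?P<email>[^:\s]+@[^:\s]+):(?P<password>.+)$")


def registered_domain(host):
    """Crude last-two-labels reduction; a real tool should use the public
    suffix list (assumption: no multi-label TLDs in the sample)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse_dump(text):
    """Return (records, unparsed_line_count); each record is (host, email, password)."""
    records, rejected = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            rejected += 1
            continue
        host = urlsplit(m["url"]).hostname or ""
        records.append((host, m["email"].lower(), m["password"]))
    return records, rejected


def provenance_summary(records):
    """Signals that separate stealer-log aggregation from a single-site breach:
    many distinct capture sites and the same email/password pair seen repeatedly."""
    sites = Counter(registered_domain(h) for h, _, _ in records)
    pairs = Counter((e, p) for _, e, p in records)
    reused = sum(1 for n in pairs.values() if n > 1)
    return {
        "records": len(records),
        "distinct_sites": len(sites),
        "top_sites": sites.most_common(3),
        "reused_pairs": reused,
    }


def claimed_platform_share(records, platform_domains):
    """Fraction of captures whose URL is actually on the platform named in the listing."""
    hits = sum(1 for h, _, _ in records if registered_domain(h) in platform_domains)
    return hits / len(records) if records else 0.0


def exposed_accounts(records, my_domains):
    """Accounts from our own mail domains: force a reset and watch for stuffing attempts."""
    return sorted({e for _, e, _ in records if e.rsplit("@", 1)[1] in my_domains})


def bytes_per_record(size_gb, record_count):
    """Advertised size divided by claimed record count (assumes decimal GB).
    Tens of bytes per record is consistent with bare email:password lines."""
    return size_gb * 1e9 / record_count


if __name__ == "__main__":
    recs, bad = parse_dump(SAMPLE_DUMP)
    print(provenance_summary(recs), "unparsed lines:", bad)
    print("share on claimed platform:",
          round(claimed_platform_share(recs, {"paypal.com", "paypal.me"}), 2))
    print("our accounts to reset:", exposed_accounts(recs, {"corp.example"}))
    print("bytes per record in the advertised dump:",
          round(bytes_per_record(1.1, 15_800_000), 1))
```

On the constructed sample, four distinct sites and one pair reused across sites already point toward repackaged stealer logs; on a real dump the same counters, run over the full file, answer the question the listing leaves open. The size check on the advertised figures (1.1 GB for 15.8 million pairs) comes to roughly 70 bytes per record, which is plausible for plaintext email:password lines and so neither confirms nor refutes the claim on its own.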
Alleged Unauthorized Shell Access Sale is Detected for the Nike USA

SOCRadar Dark Web Team detected a post advertising alleged unauthorized shell access to Nike USA. The threat actor claims to be selling initial access with root or administrator privileges through a shell exploit. The listing sets the price at $5,000 (negotiable), payable in XMR or BTC, and requires proof of funds before providing additional details.
Initial access brokers usually withhold the victim’s name in public listings so that the company (or researchers watching the forum) cannot identify and close the access before it is sold. Naming Nike USA outright is therefore unusual and cuts both ways: it may signal confidence, or it may be an attempt to attract buyers with a well-known brand while the underlying access is weak or unverified. If valid, such access could enable ransomware deployment, large-scale data theft, or further intrusions against the company’s infrastructure.
Powered by DarkMirror™
Gaining visibility into deep and dark web threats can be extremely useful from an actionable threat intelligence and digital risk protection perspective. However, monitoring every source manually is not feasible: it is time-consuming and challenging, and a single mistaken click can result in a malware infection. To tackle these challenges, SOCRadar’s DarkMirror™ screen empowers your SOC team to follow the latest posts of threat actors and groups, filtered by the targeted country or industry.
