Deep and Dark Web Round Up
Weekly Highlights
Malware/Ransomware
Meta has confirmed that WhatsApp users have been targeted in a global spyware campaign. The campaign involved the use of spyware developed by the Israeli company Paragon Solutions, which has since received a cease and desist letter from Meta following the incident. Nearly 100 WhatsApp users were impacted by the campaign, most of whom were journalists or “other members of civil society.” As noted by The Guardian, WhatsApp shared that it had “‘high confidence’ that the 90 users in question had been targeted and ‘possibly compromised.’”
Threat actors have been observed impersonating developer tools for DeepSeek AI, the Chinese AI-powered chatbot that became the most-downloaded free app in Apple’s App Store in late January and caused US tech stocks to fall. As highlighted by BleepingComputer, threat actors have promoted two malicious infostealer packages named “deepseeek” and “deepseekai” on the Python Package Index (PyPI), the online repository of software for Python developers.
Threat Actor Activity
Spain’s Guardia Civil and Policía Nacional have arrested “Natohub,” a notorious 18-year-old hacker in Alicante who allegedly conducted more than 40 cyberattacks against Spanish and international organizations, “including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities.” According to the Policía Nacional’s official press release, the suspect utilized three different pseudonyms while targeting international government organizations and accessed databases containing personal information belonging to employees and clients, as well as internal documents.
In a joint operation dubbed “Operation Heart Blocker,” U.S. and Dutch law enforcement agencies seized 39 domains—and their associated servers—linked to business email compromise (BEC) schemes. As noted in the U.S. Department of Justice’s (DOJ) January 30 press release, the domains were part of a “Pakistan-based network of online marketplaces selling hacking and fraud-enabling tools operated by a group known as Saim Raza (also known as HeartSender).”
Notable Leaks and Breaches
On February 06, a threat actor on BreachForums claimed to have leaked data from Kabupaten Belitun, a regency of Bangka Belitung Islands Province in Indonesia. According to the post, exposed data includes information about “users, government employees, and much more.”
On February 06, a threat actor on BreachForums claimed to have leaked data from the INTERPOL Relief Database. According to the post, Relief is used by member countries to check if “the same device has been used to compress another seized drug package. […] Relief also stores information on tablet logos and the chemical composition of different drugs.” Exposed data includes case IDs, case names, registration numbers, seizure dates, total count of drug bricks, total weight of drug bricks, packaging methods, circumstances of seizure, email addresses, phone numbers, and more.
On February 05, a threat actor on BreachForums claimed to have leaked data from Oizé, a French village located in Sarthe. According to the post, the database includes “names, addresses, the city directory, emails between residents, the police station, as well as the local classifieds.”
On February 04, a threat actor on BreachForums claimed to have leaked data from Nutergia Laboratory, a French company that manufactures healthcare products and nutritional supplements. According to the post, the breach occurred in February, 2025 and resulted in the exposure of 15,864 customers. Compromised data includes “ID, Title, First Name, Last Name, Email Address, Date of Registration, Source, Pro Account, Number of Orders, Newsletter Subscriber, Country, Province, Zip Code and City.”
On February 04, a threat actor on BreachForums claimed to have leaked Trump Hotel invitations. According to the post, exposed data includes IDs, full names, emails, creation dates, unit IDs, and more.
About DarkOwl
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.
Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.
DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.
For more information, visit www.darkowl.com.