Deep and Dark Web Round Up
Weekly Highlights
- MassJacker Clipboard Hijacking Operation Uses 778k Wallet Addresses
- North Korean Hacking Group “Moonstone Sleet” Deploys Qilin Ransomware
- Twitter Experiences Outages Due to DDoS Attacks
- Cryptocurrency Exchange “Garantex” Disrupted in International Operation
Malware/Ransomware
Researchers at CyberArk have discovered a previously unknown clipboard hijacking operation dubbed “MassJacker.” As noted in the cybersecurity company’s report, this form of cryptojacking works by replacing, in the clipboard, the crypto wallet address copied by the targeted user with an address belonging to the attacker. Because the victim pastes the swapped address without noticing, the attackers trick them into transferring the money to the attacker instead of the intended recipient. The newly identified MassJacker campaign uses at least 778,531 cryptocurrency wallet addresses to steal assets.
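As an added illustration of the clipper technique described above (this is constructed detection logic, not code from CyberArk’s report or from MassJacker itself), the following Python monitor flags the moment a copied wallet address is silently overwritten by a different address of the same family; the address patterns, the timing threshold and the sample clipboard history are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Loose address patterns for a few common wallet families (assumption: a real
# deployment would cover every format the organisation actually transacts in).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class SwapAlert:
    timestamp: float
    kind: str
    copied: str
    replaced_with: str

def classify(text: str) -> Optional[str]:
    """Return the address family the clipboard text matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def detect_swaps(events, max_gap_seconds=2.0):
    """Flag clipper-style replacements in a chronological clipboard history.

    events: iterable of (timestamp, clipboard_text), as a clipboard monitor
    would record them. Heuristic (assumption): a wallet address overwritten by
    a *different* address of the same family within max_gap_seconds is rarely
    a deliberate second copy by the user; it is the signature of a clipper
    swapping the destination right after the copy.
    """
    alerts = []
    prev_ts, prev_text, prev_kind = None, None, None
    for ts, text in events:
        kind = classify(text)
        if (kind is not None and kind == prev_kind
                and text.strip() != prev_text
                and ts - prev_ts <= max_gap_seconds):
            alerts.append(SwapAlert(ts, kind, prev_text, text.strip()))
        prev_ts, prev_text, prev_kind = ts, text.strip(), kind
    return alerts

# Constructed clipboard history; not captured from a real host.
SAMPLE_EVENTS = [
    (0.0, "meeting notes for monday"),
    (5.0, "1ConstructedAddr" + "B" * 15),   # user copies a BTC address
    (5.3, "1ConstructedAddr" + "C" * 15),   # overwritten 300 ms later: suspicious
    (20.0, "0x" + "ab" * 20),               # user copies an ETH address
    (45.0, "0x" + "cd" * 20),               # second ETH address 25 s later: benign
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"[{alert.timestamp}] {alert.kind} address swapped: "
              f"{alert.copied} -> {alert.replaced_with}")
```

On a live host the event list would be fed by the OS clipboard-change notification; the timing window is the knob to tune against false positives from users who legitimately copy several addresses in a row.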
Microsoft’s threat intelligence experts have observed the North Korean state-sponsored hacking group “Moonstone Sleet” (previously tracked as Storm-1789) deploying Qilin ransomware in recent attacks. According to Microsoft, the North Korean state actor has been deploying Qilin ransomware since at least late February 2025. Thus far, the ransomware payloads have only been used in a limited number of attacks.
Threat Actor Activity
On March 10, X (formerly known as Twitter) suffered multiple worldwide outages. The hacktivist group Dark Storm has claimed responsibility for the distributed denial-of-service (DDoS) attacks which caused the outages. Specifically, the group made posts on their Telegram channel the same day the attacks took place and shared screenshots from check-host.net as proof of the attack. Tens of thousands of users were impacted by the outages.
In a March 7 press release, the U.S. Department of Justice (DOJ) announced the disruption of Garantex, a cryptocurrency exchange that “allegedly facilitated money laundering by transnational criminal organizations — including terrorist organizations — and sanctions violations.” The international operation was carried out in coordination with the DOJ’s Criminal Division, “the Federal Bureau of Investigation, Europol, the Dutch National Police, the German Federal Criminal Police Office (Bundeskriminalamt aka BKA), the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police.”
Notable Leaks and Breaches
- Maxi Kits
On March 12, a threat actor on BreachForums claimed to have leaked data from Maxi Kits, a store that sells sports accessories. According to the post, the breach exposed the shop database and impacts approximately 500,000 users. Compromised data includes orders, users, billing details, and more.
- Al Kautsar Bandar Lampung
On March 11, a threat actor on BreachForums claimed to have leaked data from the official platform for online New Student Admissions (PMB) at Al Kautsar Bandar Lampung in Indonesia. According to the post, prospective students utilize the system to register online. Compromised data reportedly includes full names, usernames, passwords, and more.
- Jaguar Land Rover
On March 10, a threat actor on BreachForums claimed to have leaked data from Jaguar Land Rover, the global automotive brand. According to the post, the data breach occurred in March 2025 and includes approximately 700 internal documents, including “development logs, tracking data, source codes, etc.” Exposed data also includes employee information, including usernames, emails, display names, time zones, and more.
- Oman Jobs
On March 10, a threat actor on BreachForums claimed to have leaked data from Oman Jobs, a leading job site in Oman. According to the post, compromised data includes email addresses, IDs, passwords, usernames, full names, DOBs, and more.
- NicoVIP
On March 08, a threat actor on BreachForums claimed to have leaked data from NicoVIP, a French company specializing in electronic cigarettes and vaping products. According to the post, the breach occurred in March 2025 and exposes information on 90k customers and 360k orders. Compromised information includes IDs, full names, email addresses, and more.
Suggested Further Reading
- Akira ransomware encrypted network from a webcam to bypass EDR
- Data breach at Japanese telecom giant NTT hits 18,000 companies
- FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations
- SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
- North Korean Lazarus hackers infect hundreds via npm packages
- Chinese cyberspies backdoor Juniper routers for stealthy access
- Garantex crypto exchange admin arrested while on vacation
- New North Korean Android spyware slips onto Google Play
- CISA: Medusa ransomware hit over 300 critical infrastructure orgs
About DarkOwl
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.
Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.
DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet.
For more information, visit www.darkowl.com.