{"id":11566,"date":"2026-03-24T10:03:38","date_gmt":"2026-03-24T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/24\/new-data-leak-site-uncovered-linked-to-active-initial-access-broker-on-underground-forums\/"},"modified":"2026-03-24T10:03:38","modified_gmt":"2026-03-24T10:03:38","slug":"new-data-leak-site-uncovered-linked-to-active-initial-access-broker-on-underground-forums","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/24\/new-data-leak-site-uncovered-linked-to-active-initial-access-broker-on-underground-forums\/","title":{"rendered":"New Data Leak Site Uncovered Linked to Active Initial Access Broker on Underground Forums"},"content":{"rendered":"<p>New Data Leak Site Uncovered Linked to Active Initial Access Broker on Underground Forums<\/p>\n<div>\n<p>The underground cybercriminal world saw a notable development on March 22, 2026, when a new Tor-based leak site called \u201cALP-001\u201d appeared on the dark web, openly marketing itself as a \u201cData Leaks \/ Access Market.\u201d <\/p>\n<p>The emergence of this platform points to a growing trend where established threat actors who traditionally sell corporate network access are now pushing into full-scale extortion. 
<\/p>\n<p>Security researchers warn this could represent a significant shift in how initial access brokers operate, merging data theft with victim exposure for maximum leverage.<\/p>\n<p>ALP-001 did not appear out of nowhere. The site carries clear markers of a well-organised threat actor who has been building a presence across multiple dark web forums since at least July 2024. <\/p>\n<p>During that time, the group was primarily known for selling unauthorised access to compromised enterprise systems, with a particular focus on internet-facing perimeter devices and remote access gateways. <\/p>\n<p>This move marks a sharp escalation in intent, suggesting the group now views extortion as a core part of its operation.<\/p>\n<p><a href=\"https:\/\/x.com\/ReliaQuestTR\/status\/2036070714344661228?s=20\" id=\"https:\/\/x.com\/ReliaQuestTR\/status\/2036070714344661228?s=20\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ReliaQuest analysts identified ALP-001<\/a> and directly tied the group to an active Initial Access Broker operating across prominent underground forums, including Exploit and DarkForums. <\/p>\n<p>By cross-referencing the Tox and Session IDs displayed on the leak site, researchers confirmed that the same contact identifiers were already being used by a known IAB forum account. 
<\/p>\n<p>This group had previously gone by the names \u201cAlpha Group\u201d and \u201cDGJT Group,\u201d giving investigators enough historical data to construct a timeline of activity reaching back almost two years.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f6a8.png?ssl=1\" alt=\"\ud83d\udea8\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\">  Unmasking the new data leak site: ALP-001<\/p>\n<p>A new Tor-based leak site, &#8220;ALP-001,&#8221; surfaced yesterday marketing itself as a &#8220;Data Leaks \/ Access Market.&#8221; But who are they?<\/p>\n<p>ReliaQuest directly tied this group to an active Initial Access Broker (IAB) on underground forums. <img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f447.png?ssl=1\" alt=\"\ud83d\udc47\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\">\u2026 <a href=\"https:\/\/t.co\/f1uyjM3Yl4\">pic.twitter.com\/f1uyjM3Yl4<\/a><\/p>\n<p>\u2014 ReliaQuest Threat Research (@ReliaQuestTR) <a href=\"https:\/\/twitter.com\/ReliaQuestTR\/status\/2036070714344661228?ref_src=twsrc%5Etfw\">March 23, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>A strong piece of corroborating evidence emerged when analysts compared the victims listed on ALP-001 against previous access sale posts on underground forums. 
<\/p>\n<p>A French manufacturing company with reported annual revenues of $543 million, shown on the leak site as a new victim, matched exactly with an access sale the same forum account posted in January 2026. <\/p>\n<p>This direct link between the leak site and forum activity left little doubt about the attribution and confirmed the group\u2019s transition from access selling to <a href=\"https:\/\/cybersecuritynews.com\/cephalus-ransomware-emerges-as-go-based-double-extortion-threat\/\" id=\"142344\" target=\"_blank\" rel=\"noreferrer noopener\">data extortion<\/a>.<\/p>\n<p>The attack surface this group targets is broad and deliberate. The IAB has historically profited from compromised perimeter technologies, focusing on widely used enterprise infrastructure that grants deep access to corporate environments once breached. <\/p>\n<p>Their known attack vectors span FTP and SSH servers, Fortinet and FortiGate VPN appliances, Cisco equipment, Citrix and RDWeb gateways, and GlobalProtect remote access systems. 
<\/p>\n<p>These targets are picked carefully because they are almost always internet-facing, carry significant privileges, and appear consistently across large organisations worldwide.<\/p>\n<h2 class=\"wp-block-heading\" id=\"dark-web-footprint-and-growing-extortion-model\"><strong>Dark Web Footprint and Growing Extortion Model<\/strong><\/h2>\n<p>ReliaQuest analysts noted that ALP-001 has been connected to at least 10 IAB accounts spread across six dark web forums, with the group\u2019s earliest known activity dating to July 2024. <\/p>\n<p>Across these accounts, the group repeatedly advertised unauthorised access to enterprise organisations through compromised FTP servers, Fortinet\/FortiGate VPNs, GlobalProtect, and Citrix environments. <\/p>\n<p>This level of activity across multiple platforms signals a threat actor who has deliberately maintained parallel identities to extend reach and reduce the risk of being disrupted on any single forum.<\/p>\n<p>What makes this escalation more concerning is the group\u2019s established credibility within criminal circles. On underground forums, the group operated with escrow-verified status, meaning buyers trusted them to deliver what they promised. 
<\/p>\n<p>While their actual <a href=\"https:\/\/cybersecuritynews.com\/cl0p-ransomware-data-exfiltration-vulnerable\/\" id=\"113974\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">data exfiltration<\/a> capabilities have not been confirmed, the public listing of victims on a Tor-based site strongly suggests they are either already in possession of stolen data or working to obtain it shortly after gaining initial access.<\/p>\n<p>Defenders facing this threat should audit and patch all internet-facing edge devices, particularly Fortinet, Cisco, and Citrix solutions, as these represent the group\u2019s most frequently exploited entry points. <\/p>\n<p>Security teams should also hunt for signs of persistent access, including unauthorised sessions, unusual outbound transfers over FTP or SCP, and irregular privileged account behaviour. <\/p>\n<p>Enforcing <a href=\"https:\/\/cybersecuritynews.com\/microsoft-multi-factor-authentication-issue\/\" id=\"88334\" target=\"_blank\" rel=\"noreferrer noopener\">multi-factor authentication<\/a> on all remote access points and conducting thorough privileged account audits are critical steps organisations must take to reduce exposure.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/new-data-leak-site-uncovered-linked\/\">New Data Leak Site Uncovered Linked to Active Initial Access Broker on Underground Forums<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/new-data-leak-site-uncovered-linked\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Data Leak Site Uncovered Linked to Active Initial Access Broker on Underground Forums The underground cybercriminal world saw a notable development on March 22, 2026, when a new Tor-based leak site called \u201cALP-001\u201d appeared on the dark web, openly marketing itself as a \u201cData Leaks \/ Access Market.\u201d The emergence of this platform points 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11566","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11566"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11566"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11566\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}