Initial Access Broker Exposed by New Data Leak Site

By Sarah Simpson, March 24, 2026

Key Takeaways

  • A new Tor-based leak site, “ALP-001,” emerged on March 22, 2026, operating as a “Data Leaks / Access Market.”
  • Security researchers at ReliaQuest have conclusively linked ALP-001 to an established Initial Access Broker (IAB) previously known as “Alpha Group” and “DGJT Group.”
  • This IAB, active since July 2024, has transitioned from selling network access to engaging in full-scale data extortion, signaling a significant evolution in their operational model.
  • The group targets widely used enterprise perimeter devices and remote access gateways, including Fortinet, Cisco, and Citrix products.

A new dark web platform, “ALP-001,” has surfaced, signaling a concerning evolution in the cybercriminal landscape. Launched on March 22, 2026, this Tor-based site openly functions as a “Data Leaks / Access Market,” indicating a shift by an established Initial Access Broker (IAB) towards direct data extortion.

This development underscores a growing trend where sophisticated threat actors, traditionally focused on selling initial access to corporate networks, are now expanding into full-scale extortion operations. Cybersecurity experts caution that this strategic pivot could fundamentally alter how IABs operate, integrating data theft with public victim exposure to maximize leverage against compromised organizations.

Tracing the Evolution of a Threat Actor

The appearance of ALP-001 is not an isolated event. Analysis reveals the platform is associated with a highly organized threat actor that has maintained a consistent presence across various dark web forums since at least July 2024. During this period, the group specialized in offering unauthorized access to compromised enterprise systems, with a particular emphasis on internet-facing perimeter devices and remote access gateways.

This move to launch a dedicated leak site signifies a significant escalation in the group’s intent, suggesting that data extortion is now a central component of their illicit business model.

Analysts at ReliaQuest identified ALP-001 and successfully attributed it to an active IAB operating on prominent underground forums such as Exploit and DarkForums. By cross-referencing unique contact identifiers, specifically Tox and Session IDs displayed on the leak site, researchers confirmed these were identical to those used by a known IAB forum account.

This group previously operated under the monikers “Alpha Group” and “DGJT Group.” This historical data allowed investigators to construct a comprehensive timeline of the group’s activities, extending back nearly two years.

Verifying the Transition to Extortion

Further corroborating evidence emerged when analysts compared the victim list published on ALP-001 with previous access sale advertisements on underground forums. A French manufacturing company, with reported annual revenues of $543 million, appeared as a new victim on the leak site. This entry precisely matched an access sale posted by the same forum account in January 2026.

This direct correlation between the leak site and prior forum activity definitively linked the IAB to ALP-001, confirming the group’s strategic shift from merely selling access to actively engaging in data extortion.

Targeting Critical Infrastructure

The group’s attack methodology is both broad and deliberate. Historically, this IAB has capitalized on vulnerabilities in perimeter technologies, specifically targeting widely adopted enterprise infrastructure that, once breached, provides extensive access to corporate environments.

Their documented attack vectors include FTP and SSH servers, Fortinet and FortiGate VPN appliances, Cisco equipment, Citrix and RDWeb gateways, and GlobalProtect remote access systems. These targets are strategically chosen due to their internet-facing nature, the significant privileges they afford upon compromise, and their pervasive use across large organizations globally.

Dark Web Footprint and Growing Extortion Model

ReliaQuest analysts observed that ALP-001 is linked to at least 10 different IAB accounts spread across six distinct dark web forums, with the earliest documented activity dating back to July 2024. Across these various accounts, the group consistently advertised unauthorized access to enterprise organizations via compromised FTP servers, Fortinet/FortiGate VPNs, GlobalProtect, and Citrix environments.

This extensive multi-platform activity suggests a sophisticated threat actor intentionally maintaining parallel identities to broaden their reach and mitigate the risk of disruption on any single forum.

The credibility of this group within criminal circles further amplifies the concern surrounding their escalation. On underground forums, the group operated with escrow-verified status, indicating a track record of reliability and trust among buyers. While their full data exfiltration capabilities remain unconfirmed, the public listing of victims on a dedicated Tor-based site strongly implies they either possess stolen data or are in the process of acquiring it immediately after gaining initial access.

What You Should Do

  • Patch and Update Immediately: Prioritize auditing and patching all internet-facing edge devices, particularly Fortinet, Cisco, and Citrix solutions, as these are frequently exploited entry points for this group.
  • Implement Multi-Factor Authentication (MFA): Enforce MFA on all remote access points, VPNs, and critical systems to significantly reduce the risk of unauthorized access even if credentials are compromised.
  • Monitor for Persistent Access: Conduct regular security audits and actively hunt for indicators of persistent access, including unauthorized user sessions, unusual outbound data transfers over protocols like FTP or SCP, and irregular privileged account activity.
  • Audit Privileged Accounts: Perform thorough and frequent audits of all privileged accounts to ensure proper access controls are in place and to detect any anomalous behavior.
  • Review Perimeter Security: Strengthen perimeter defenses and continuously monitor network traffic for signs of compromise, focusing on the technologies identified as common targets by this IAB.
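As an added illustration of the hunting advice above (not code from the article or from ReliaQuest), the script below applies two of the listed indicators to constructed sample records: FTP/SCP egress per host compared against a per-host baseline, and privileged gateway logins from a source address never seen before for that account. Hostnames, IPs, baselines and thresholds are all made up for the example.

```python
from collections import defaultdict

# Constructed flow records: (host, protocol, destination, bytes_out).
FLOWS = [
    ("fileserver01", "ftp", "203.0.113.10", 120_000),
    ("fileserver01", "ftp", "203.0.113.10", 95_000),
    ("fileserver01", "ftp", "198.51.100.7", 4_800_000_000),  # large burst
    ("vpn-gw", "https", "203.0.113.20", 30_000),              # not in scope
    ("jumphost", "scp", "198.51.100.9", 900_000_000),
    ("backup02", "scp", "10.0.8.4", 20_000_000),               # within baseline
]
# Constructed per-host daily baselines (bytes) for FTP/SCP egress.
BASELINE = {"fileserver01": 200_000, "jumphost": 50_000_000, "backup02": 50_000_000}
# Constructed privileged login events on remote-access gateways: (user, src_ip, gateway).
LOGINS = [
    ("admin", "10.0.5.14", "citrix-gw"),
    ("admin", "10.0.5.14", "citrix-gw"),
    ("svc_backup", "203.0.113.55", "fortigate-vpn"),  # external, never seen for this user
]
# Constructed allow-list of source IPs previously observed per privileged user.
KNOWN_SOURCES = {"admin": {"10.0.5.14"}, "svc_backup": {"10.0.9.2"}}
TRANSFER_PROTOS = {"ftp", "scp", "sftp"}


def outbound_transfer_alerts(flows, baseline, ratio=5.0):
    """Sum FTP/SCP/SFTP egress per host; flag hosts with no baseline or
    more than `ratio` times their baseline. Returns sorted (host, total)."""
    totals = defaultdict(int)
    for host, proto, _dst, nbytes in flows:
        if proto in TRANSFER_PROTOS:
            totals[host] += nbytes
    return sorted(
        (host, total) for host, total in totals.items()
        if host not in baseline or total > baseline[host] * ratio
    )


def unfamiliar_privileged_logins(logins, known_sources):
    """Flag privileged sessions whose source IP is new for that user."""
    return [(u, ip, gw) for u, ip, gw in logins if ip not in known_sources.get(u, set())]


if __name__ == "__main__":
    for host, total in outbound_transfer_alerts(FLOWS, BASELINE):
        print(f"[egress] {host}: {total} bytes over FTP/SCP exceeds baseline")
    for user, ip, gw in unfamiliar_privileged_logins(LOGINS, KNOWN_SOURCES):
        print(f"[login] {user} on {gw} from unfamiliar source {ip}")
```

Real deployments would feed these functions from firewall/NetFlow exports and gateway authentication logs and tune the baseline and ratio per environment.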
