Initial Access Broker Exposed by New Data Leak Site
Key Takeaways
- A new Tor-based leak site, “ALP-001,” emerged on March 22, 2026, operating as a “Data Leaks / Access Market.”
- Security researchers at ReliaQuest have conclusively linked ALP-001 to an established Initial Access Broker (IAB) previously known as “Alpha Group” and “DGJT Group.”
- This IAB, active since July 2024, has transitioned from selling network access to engaging in full-scale data extortion, signaling a significant evolution in their operational model.
- The group targets widely used enterprise perimeter devices and remote access gateways, including Fortinet, Cisco, and Citrix products.
A new dark web platform, “ALP-001,” has surfaced, signaling a concerning evolution in the cybercriminal landscape. Launched on March 22, 2026, this Tor-based site openly functions as a “Data Leaks / Access Market,” indicating a shift by an established Initial Access Broker (IAB) towards direct data extortion.
This development underscores a growing trend where sophisticated threat actors, traditionally focused on selling initial access to corporate networks, are now expanding into full-scale extortion operations. Cybersecurity experts caution that this strategic pivot could fundamentally alter how IABs operate, integrating data theft with public victim exposure to maximize leverage against compromised organizations.
Tracing the Evolution of a Threat Actor
The appearance of ALP-001 is not an isolated event. Analysis reveals the platform is associated with a highly organized threat actor that has maintained a consistent presence across various dark web forums since at least July 2024. During this period, the group specialized in offering unauthorized access to compromised enterprise systems, with a particular emphasis on internet-facing perimeter devices and remote access gateways.
This move to launch a dedicated leak site signifies a significant escalation in the group’s intent, suggesting that data extortion is now a central component of their illicit business model.
Analysts at ReliaQuest identified ALP-001 and successfully attributed it to an active IAB operating on prominent underground forums such as Exploit and DarkForums. By cross-referencing unique contact identifiers, specifically Tox and Session IDs displayed on the leak site, researchers confirmed these were identical to those used by a known IAB forum account.
This group previously operated under the monikers “Alpha Group” and “DGJT Group.” This historical data allowed investigators to construct a comprehensive timeline of the group’s activities, extending back nearly two years.
Verifying the Transition to Extortion
Further corroborating evidence emerged when analysts compared the victim list published on ALP-001 with previous access sale advertisements on underground forums. A French manufacturing company, with reported annual revenues of $543 million, appeared as a new victim on the leak site. This entry precisely matched an access sale posted by the same forum account in January 2026.
This direct correlation between the leak site and prior forum activity definitively linked the IAB to ALP-001, confirming the group’s strategic shift from merely selling access to actively engaging in data extortion.
Targeting Critical Infrastructure
The group’s attack methodology is both broad and deliberate. Historically, this IAB has capitalized on vulnerabilities in perimeter technologies, specifically targeting widely adopted enterprise infrastructure that, once breached, provides extensive access to corporate environments.
Their documented attack vectors include FTP and SSH servers, Fortinet and FortiGate VPN appliances, Cisco equipment, Citrix and RDWeb gateways, and GlobalProtect remote access systems. These targets are strategically chosen due to their internet-facing nature, the significant privileges they afford upon compromise, and their pervasive use across large organizations globally.
Dark Web Footprint and Growing Extortion Model
ReliaQuest analysts observed that ALP-001 is linked to at least 10 different IAB accounts spread across six distinct dark web forums, with the earliest documented activity dating back to July 2024. Across these various accounts, the group consistently advertised unauthorized access to enterprise organizations via compromised FTP servers, Fortinet/FortiGate VPNs, GlobalProtect, and Citrix environments.
This extensive multi-platform activity suggests a sophisticated threat actor intentionally maintaining parallel identities to broaden their reach and mitigate the risk of disruption on any single forum.
The credibility of this group within criminal circles further amplifies the concern surrounding their escalation. On underground forums, the group operated with escrow-verified status, indicating a track record of reliability and trust among buyers. While their full data exfiltration capabilities remain unconfirmed, the public listing of victims on a dedicated Tor-based site strongly implies they either possess stolen data or are in the process of acquiring it immediately after gaining initial access.
What You Should Do
- Patch and Update Immediately: Prioritize auditing and patching all internet-facing edge devices, particularly Fortinet, Cisco, and Citrix solutions, as these are frequently exploited entry points for this group.
- Implement Multi-Factor Authentication (MFA): Enforce MFA on all remote access points, VPNs, and critical systems to significantly reduce the risk of unauthorized access even if credentials are compromised.
- Monitor for Persistent Access: Conduct regular security audits and actively hunt for indicators of persistent access, including unauthorized user sessions, unusual outbound data transfers over protocols like FTP or SCP, and irregular privileged account activity.
- Audit Privileged Accounts: Perform thorough and frequent audits of all privileged accounts to ensure proper access controls are in place and to detect any anomalous behavior.
- Review Perimeter Security: Strengthen perimeter defenses and continuously monitor network traffic for signs of compromise, focusing on the technologies identified as common targets by this IAB.
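An added example, not from the article or from ReliaQuest, of the hunt the third recommendation describes: it sums outbound bytes per internal-source/external-destination pair on the FTP and SSH (SCP/SFTP) ports over connection-log lines and flags pairs above a volume threshold. The log format, internal address ranges, threshold and sample records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample connection-log records (not real traffic):
# timestamp  src_ip  dst_ip  dst_port  bytes_out
SAMPLE_LOG = """\
2026-03-22T01:10:05Z 10.20.5.17 203.0.113.44 22 48000000
2026-03-22T01:14:31Z 10.20.5.17 203.0.113.44 22 61000000
2026-03-22T02:03:12Z 10.20.7.9 10.20.1.2 21 5000000
2026-03-22T02:40:00Z 10.20.9.3 198.51.100.8 21 2500000
2026-03-22T03:12:44Z 10.20.5.17 203.0.113.44 22 120000000
"""

# Assumed internal ranges; replace with the organisation's own.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
# Ports the article names as exfiltration channels (FTP, SCP over SSH).
FILE_TRANSFER_PORTS = {21: "ftp", 22: "ssh/scp/sftp"}
# Assumed per-pair volume threshold for the window; tune per environment.
THRESHOLD_BYTES = 100 * 1024 * 1024


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def find_outbound_transfers(log_text, threshold=THRESHOLD_BYTES):
    """Return internal->external FTP/SSH flows whose summed bytes meet threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, nbytes = line.split()
        port, nbytes = int(port), int(nbytes)
        if port not in FILE_TRANSFER_PORTS:
            continue
        # Only internal sources talking to external destinations count.
        if not is_internal(src) or is_internal(dst):
            continue
        totals[(src, dst, port)] += nbytes
    return [{"src": s, "dst": d, "port": p, "service": FILE_TRANSFER_PORTS[p],
             "bytes": b}
            for (s, d, p), b in sorted(totals.items()) if b >= threshold]


if __name__ == "__main__":
    for hit in find_outbound_transfers(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} ({hit['service']}) "
              f"{hit['bytes']} bytes outbound")
```

Hits are aggregated rather than per-connection because the sample shows the repeated mid-sized SCP sessions that individually sit under a naive threshold.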
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.