New Data Leak Site Uncovered Linked to Active Initial Access Broker


What happened

Researchers uncovered a new Tor-based data leak site called “ALP-001”, which is directly linked to an active Initial Access Broker (IAB) operating on underground forums. The platform, launched around March 22, 2026, markets itself as both a “Data Leaks / Access Market,” signaling a shift from simply selling access to compromised networks toward full-scale extortion. Investigators from ReliaQuest tied the site to a known threat actor by matching contact identifiers used across dark web forums, confirming the group had been active since at least mid-2024. Evidence showed overlap between previously sold access and newly listed victims on the leak site, indicating the group is now exposing or monetizing stolen data after gaining access. The actors primarily target internet-facing enterprise systems such as VPNs, Citrix gateways, FTP/SSH servers, and remote access infrastructure, making this evolution a significant escalation in their operations. 

Who is affected

Organizations with exposed or vulnerable internet-facing infrastructure—particularly those using VPNs, Citrix, or remote access gateways—are affected, as these are the primary targets of the linked access broker. 

Why CISOs should care

The development shows how threat actors are merging initial access brokering with data leak site operations, increasing pressure on victims by combining intrusion, data theft, and public exposure into a single extortion model. 

3 practical actions

  1. Secure internet-facing systems. Patch and harden VPNs, Citrix, and remote access infrastructure frequently targeted by access brokers. 
  2. Monitor for persistent access. Look for unauthorized sessions, abnormal privileged activity, and suspicious outbound transfers. 
  3. Enforce strong authentication controls. Apply multi-factor authentication across all remote access points to reduce compromise risk. 
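One way to operationalize the second action above, as an added example that is not part of the original article or ReliaQuest's research: correlate remote-access logins on VPN/SSH gateways with outbound transfer volume, so an off-hours login from an unfamiliar source followed by a large egress stands out. The log lines, field names, thresholds and the business-hours window are all constructed assumptions.

```python
"""Added example: flag remote-access accounts whose login pattern and
outbound transfers look like broker-style persistent access. All log
lines below are constructed samples; field names and limits are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed VPN/SSH authentication events: time, service, user, source IP, result
AUTH_LOG = """\
2026-03-22T02:14:05Z vpn user=svc_backup src=203.0.113.9 result=success
2026-03-22T02:15:40Z ssh user=svc_backup src=203.0.113.9 result=success
2026-03-22T09:03:11Z vpn user=jdoe src=198.51.100.4 result=success
2026-03-22T02:20:00Z vpn user=admin src=203.0.113.77 result=failure
"""

# Constructed egress records: time, internal user, destination, bytes sent outbound
EGRESS_LOG = """\
2026-03-22T02:40:00Z user=svc_backup dst=203.0.113.9 bytes=5368709120
2026-03-22T09:30:00Z user=jdoe dst=198.51.100.4 bytes=20480
"""

BUSINESS_HOURS = range(8, 19)               # assumption: 08:00-18:59 UTC is normal
EGRESS_THRESHOLD = 1 * 1024 ** 3            # assumption: >1 GiB outbound is notable
KNOWN_SOURCES = {"jdoe": {"198.51.100.4"}}  # assumed baseline of seen source IPs per user

def parse(line):
    """Turn 'TIMESTAMP [service] k=v k=v ...' into a dict with a datetime."""
    ts, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest if "=" in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_suspicious(auth_log=AUTH_LOG, egress_log=EGRESS_LOG):
    """Return {user: [reasons]} for accounts whose remote access looks abnormal."""
    findings = defaultdict(list)
    for ev in (parse(l) for l in auth_log.splitlines() if l.strip()):
        if ev.get("result") != "success":
            continue                         # failed logins are noise for this rule
        user, src = ev["user"], ev["src"]
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings[user].append(f"off-hours login from {src}")
        if src not in KNOWN_SOURCES.get(user, set()):
            findings[user].append(f"new source IP {src}")
    # Only escalate large transfers for accounts that already tripped a login rule
    for ev in (parse(l) for l in egress_log.splitlines() if l.strip()):
        if int(ev["bytes"]) > EGRESS_THRESHOLD and ev["user"] in findings:
            findings[ev["user"]].append(f"large outbound transfer to {ev['dst']}")
    return {u: list(dict.fromkeys(r)) for u, r in findings.items()}  # dedupe, keep order
```

On the sample data only `svc_backup` is reported, with three reasons; `jdoe` logs in during business hours from a known address and moves little data, so it is not flagged.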

For more coverage of major incidents and threat activity, explore our reporting on Cyberattacks.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.