What happened
Researchers uncovered a new Tor-based data leak site called “ALP-001” that is directly linked to an active Initial Access Broker (IAB) operating on underground forums. The platform, launched around March 22, 2026, markets itself as a combined “Data Leaks / Access Market,” signaling a shift from simply selling access to compromised networks toward full-scale extortion. Investigators from ReliaQuest tied the site to a known threat actor by matching contact identifiers used across dark web forums, and confirmed that the group had been active since at least mid-2024. Overlap between previously sold access and the victims newly listed on the leak site indicates the group now exposes or monetizes stolen data after gaining access. The actors primarily target internet-facing enterprise systems such as VPNs, Citrix gateways, FTP/SSH servers, and remote access infrastructure, making this evolution a significant escalation in their operations.
Who is affected
Organizations with exposed or vulnerable internet-facing infrastructure—particularly those using VPNs, Citrix, or remote access gateways—are affected, as these are the primary targets of the linked access broker.
Why CISOs should care
The development shows how threat actors are merging initial access brokering with data leak site operations, increasing pressure on victims by combining intrusion, data theft, and public exposure into a single extortion model.
3 practical actions
- Secure internet-facing systems. Patch and harden VPNs, Citrix, and remote access infrastructure frequently targeted by access brokers.
- Monitor for persistent access. Look for unauthorized sessions, abnormal privileged activity, and suspicious outbound transfers.
- Enforce strong authentication controls. Apply multi-factor authentication across all remote access points to reduce compromise risk.
