{
	"id": "28879a1f-e595-472b-8193-6ee64d8d3813",
	"created_at": "2026-04-06T01:31:48.553567Z",
	"updated_at": "2026-04-10T03:25:07.208585Z",
	"deleted_at": null,
	"sha1_hash": "29dd6607dd2af65f30a37a5552bff62e15cd4634",
	"title": "IPFS: A New Data Frontier or a New Cybercriminal Hideout?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2852079,
	"plain_text": "IPFS: A New Data Frontier or a New Cybercriminal Hideout?\r\nArchived: 2026-04-06 01:02:32 UTC\r\nBy CSS Team Researchers:\r\nCedric Pernet, Jaromir Horejsi, Loseway Lu\r\nWith the rise of new technologies, innovations keep appearing that help us with our various activities. A notable\r\nsystem that has emerged in recent years is IPFS systemopen on a new tab, a decentralized storage and delivery\r\nnetwork based on peer-to-peer (P2P) networking and belonging to the emerging “Web3 technologiesopen on a\r\nnew tab.”\r\nIPFS allows users to host or share content on the internet at a more affordable price, with availability and\r\nresiliency capabilities. Unfortunately, it also provides opportunities for another part of the population:\r\ncybercriminals.\r\nIn this article, we briefly detail what IPFS is and how it works at the user level, before providing up to date\r\nstatistics about the current usage of IPFS by cybercriminals, especially for hosting phishing content. We will also\r\ndiscuss emerging new cybercrime activities abusing the IPFS protocol and detail how cybercriminals already\r\nconsider IPFS for their deeds.\r\nWhat is IPFS?\r\nIPFS stands for Interplanetary File System. It is a decentralized storage and delivery network, which is built on the\r\nprinciples of P2P networking and content-based addressing.\r\nLet’s try comparing it to the way the usual web works. Most of the actual content hosted on the web is served via\r\nweb servers. In a very simplified view, the way it works on the internet is that different computers request data\r\nfrom different web servers. This data can be web pages, files, or just any content that is accessible via an internet\r\nbrowser. Most of the time, that content is hosted on a single web server, which serves its content to every\r\ncomputer requesting it.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 1 of 15\n\nFigure 1. Simplified HTTP(S) protocol\r\nIPFS is a bit different, in the way that there is no central web server providing the data: it can be provided by any\r\nof the peers (also called nodes) hosting the data.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 2 of 15\n\nFigure 2. IPFS peer-to-peer based model.\r\nTo start sharing files on IPFS, users can download and use an IPFS Desktop client, API or use online services.\r\nOnce a file is requested by a node that does not have it, the file is copied so it can be shared for others later. This\r\nway, more nodes can provide the file. This method makes it possible for any user, including cybercriminals, to\r\ncreate a free account on an online service and start hosting content on the IPFS network, without necessarily\r\nrunning a node on their own infrastructure.\r\nIPFS content identifier (CID)\r\nWhen browsing the internet, users generally access URLs, such as trendmicro.com, for example. The users’\r\ncomputer requests the DNS system to know where the data is located and fetches it from that location. Therefore,\r\nthe client-server model of the web is said to be location-addressed.\r\nIn the P2P model adopted by IPFS, a given file might be located on a number of different IPFS peers. The storage\r\nof those files is addressed by a cryptographic hash of its content, known as the content identifier (also called CID).\r\nThe CID is a string of letters and numbers unique to files. A file will always have the same CID, no matter where\r\nit is stored. This is why IPFS is said to be content-addressed.\r\nIt should also be noted that a file will have a different CID if it is modified in any way.\r\nTwo versions of the CID exist. The CID v0 format is made of 46 characters and always start with the characters\r\n“Qm”, while the CID v1 format uses base32.\r\nIt is possible to convert CID v0 to the CID v1 format:\r\nFigure 3. Converting CID v0 to CID v1\r\nIPFS data browsing\r\nCIDs and their corresponding files can be accessed via two ways.\r\nThe first way consists of using a browser that handles the IPFS protocol natively. Currently, only Brave browser\r\nsupports IPFS. The computer runs an IPFS daemon in the background, which the browser uses to natively access\r\nthe IPFS content.\r\nThe second way consists of accessing content via so-called “IPFS gateways.” These gateways are used to provide\r\nworkarounds for applications that don’t natively support IPFS. To summarize, a gateway is an IPFS peer that\r\naccepts HTTP requests for IPFS CIDs, allowing users to use their default browsers to access the IPFS content.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 3 of 15\n\nThe global formats look like this:\r\nA list of current gateways and their status can be found online at: https://ipfs.github.io/public-gateway-checker/open on a new tab\r\nFigure 4. Screen capture from the public gateway checker\r\nAn example of a complete path to access an IPFS content via the ipfs.io gateway looks like this:\r\nhttps://gateway.ipfs.io/ipfs/{randomly generated string}\r\nTo access the same content via the CloudFlare gateway, the URL would become:\r\nhttps://{same randomly generated string}.ipfs.cf-ipfs.com/\r\nNotice how the URL changes because we use a different gateway, but the CID (the randomly generated string)\r\nfrom this example does not change.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 4 of 15\n\nAdditional parameters might follow that kind of URL depending on the case, just like any web link.\r\nIPFS pinning\r\nNodes handle the files stored on the IPFS network by caching them and making them available for other nodes on\r\nthe network. As every node only has a finite cache storage amount, it is sometimes necessary to clean the cache\r\nused by the node, which is an operation called the “IPFS Garbage collection process.” During the operation,\r\ncached content that it considers no longer needed is removed. This is where IPFS pinning comes in.\r\nIPFS pinning consists of pinning data to ensure that it is not removed from the cache and is always accessible.\r\nIPFS pinning can be done on locally hosted nodes, but pinning services exist to ensure long-term storage. It is\r\ninteresting for cybercriminals who might use it to have their content stay accessible for longer periods.\r\nIPNS – Interplanetary Name System\r\nIPNS is another protocol, the Interplanetary Name Systemopen on a new tab. It can be seen as a kind of DNS\r\nsystem, but for IPFS. IPNS records are signed using a private key and contain IPFS content path and some other\r\ninformation, such as expiration or version number. IPNS records are published over the Distributed Hash Table\r\n(DHT) protocol. Therefore, it needs republishing on a regular basis not to be forgotten by the DHT peers over\r\ntime.\r\nTo summarize, here is an example of an IPNS record:\r\n• /ipns/k2k4r8oid7ncjwgnpoy979brx3r9ellvvwofht57mc9q4jzlxtydalvf\r\npoints to\r\n• /ipfs/QmYr5ExzJJncpMNhqzhLjkCrRNgm4UmyX28gcYjt5RLYY8\r\nThe IPNS address might be reassigned later to point to other content.\r\nDNSLink\r\nDNSLink uses the TXT records from the DNS protocol to map a DNS name to an IPFS address. This makes it\r\neasier for administrators to maintain links to IPFS resources as the DNS TXT record can be changed easily.\r\nDNSLink addresses look like IPNS addresses, except that it uses a DNS name to replace the hashed public key.\r\nAs an example, a DNSLink could look like this:\r\n /ipns/example.org\r\nTo map the relation, the DNS TXT record needs to be prefixed with dnslink, followed by the hostname.\r\nTo further elaborate, here is an example of a DNS TXT record for _dnslink.en/Wikipedia-on-ipfs.org, which\r\nresolves as dnslink=/ipfs/bafybeiaysi4s6lnjev27ln5icwm6tueaw2vdykrtjkwiphwekaywqhcjze.\r\nIPFS usage\r\nIPFS can be used for a variety of reasons, including but not limited to:\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 5 of 15\n\nData storage and resilience\r\nResilience relates to the adaptability of a network against isolation. It is also the ability to provide and maintain a\r\nservice in the case of faults. IPFS provides it in the sense that data is generally stored on several different nodes,\r\nmaking the data less prone to becoming unavailable.\r\nIt is also possible to store any kind of data at a very low price on IPFS via services such as Filecoinopen on a new\r\ntab, for example.\r\nSmart contracts and non-fungible tokens\r\nSmart contracts are programs stored on the blockchain that can be triggered by transactions. While saving data on\r\nthe blockchain can be expensive, using decentralized storage such as IPFS as the database can reduce costs. For\r\nexample, one of the common implementations of NFT projects involves storing the metadata and the images (can\r\nalso be a video, clip, music, etc.) on IPFS, then accessing the data using smart contracts.\r\nVoting\r\nVoting platforms such as Snapshotopen on a new tab allows users or companies to use IPFS for storing proposals\r\nand user votes or polls.\r\nDocument signing\r\nSome online services are available for decentralized versions of document signing. Users can “sign” documents\r\nwith their wallets. In this usage, the document files are stored on IPFS, and the signatures are stored on the\r\nEthereum blockchain.\r\nFighting censorship\r\nIPFS might be used by people living in countries that have active censorship technologies. The ability to access\r\nthe same content via multiple different gateways makes it easier to find a way to reach data without it being\r\nblocked. The blocking solutions deployed in such countries might just block one specific gateway and not others,\r\nfor example.\r\nPaste tools\r\nJust as the website, pastebin.com, is located on the clear web, some paste services do exist on IPFS, like\r\nhardbin.com, for example.\r\nDecentralized apps\r\nDecentralized apps or dApps can be built and hosted on IPFS. Available frameworks, such as Fleek, can help\r\ndevelopers create such apps.\r\nThere are just as many different uses of dApps for IPFS than for the usual clear web.\r\nEcommerce\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 6 of 15\n\nIPFS can be used to run ecommerce websites. During our research, we discovered one ecommerce framework.\r\nThis particular framework provides hosting on IPFS, and works with cryptocurrencies, which makes it particularly\r\ninteresting for cybercriminals.\r\nFigure 5. Banner for an ecommerce platform using IPFS and cryptocurrencies.\r\nCybercrime statistics\r\nWe have analyzed several months of IPFS-related cybercriminal activity from our telemetry.\r\nFor a few reasons, the method is not exhaustive, and the numbers provided might be lower than reality, yet we still\r\nfind them very interesting. The first limitation in analyzing our data comes from the fact that some IPFS URLs\r\nwere just not working at the time of our analysis. Another limitation comes from the data themselves: URLs\r\nleading to password-protected files (mostly archive files) could not be analyzed, thus we cannot know the content\r\nof those archives. Finally, some of our customers do not want to send back any detection data, so our analysis\r\ncan’t be 100% accurate.\r\nThe results we obtained seem fairly constant from one month to the other in the observed range, from June to\r\nOctober 2022.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 7 of 15\n\nFigure 6. IPFS URL hit statistics\r\nAs can be seen in figure 6, the total number of IPFS analyzed in our telemetry per month ranges from 5.5 million\r\nto 7.9 million hits.\r\nThe number of threats posed by IPFS in our data steadily increases. While it represented 1.8% of the global IPFS\r\ntraffic in May 2022, it now counts for almost 6% of the traffic. We believe with high confidence that it is still\r\ngoing to increase in the future\r\nScams\r\nWe found very few IPFS-hosted content related to scams. The content we found, which was never more than\r\n0.02% of the threats, consists of images used by scammers such as those used for lottery scams, or more recently,\r\nin Bored Ape NFT scams. They are all related to long-time existing types of fraud.\r\nPhishing\r\nPhishingopen on a new tab consists of enticing unsuspecting users into providing their credentials to\r\ncybercriminals, generally via phishing emails, SMS, messages on social networks, private messages, etc. leading\r\nto phishing pages hosted on the internet.\r\nThose phishing pages generally pretend to be a mailbox access or just any kind of online services in order to make\r\nvictims fill it with their login credentials, which cybercriminals can later use for different fraudulent purposes.\r\nWhile phishing pages are relatively easy to set up, its main weakness resides in the hosting of such pages. As soon\r\nas a phishing page is reported, it is generally blocked within minutes by security solutions and taken down by the\r\nhosting company.\r\nUsing IPFS to host such phishing pages makes sense since the pages will be harder to take down.\r\nFigure 7. Some gateways do take down phishing content, but simply switching the gateway allows access to the\r\nsame phishing site\r\nThe majority of IPFS threats we analyzed are phishing threats. As can be seen in Figure 6, phishing occurs in\r\nmore than 90% of the global IPFS threats for every month we analyzed, reaching 98.78% in September 2022.\r\nPhishing statistics: IPFS vs non-IPFS\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 8 of 15\n\nFigure 8. IPFS vs non-IPFS phishing pages hosting\r\nTo fully understand the threat of IPFS phishing, it needs to be compared to usual phishing using the web. While\r\npercentage of IPFS vs. non-IPFS might seem low (between 3.5% and 9% of phishing threats), the volume is a\r\ngrowing concern.\r\nIn October 2022, unique IPFS CIDs represented 9% of the global phishing threat, yet it still represents more than\r\n23,000 unique pages hosted on IPFS for that month. We believe these numbers are still going to increase in the\r\nfuture, and confident that IPFS phishing will count for more than 10% of the phishing threat in the coming\r\nmonths.\r\nIt is also difficult to determine the real impact of IPFS phishing, as these statistics only reflect a number of unique\r\ndomains/CIDs, but not the number of emails spreading each of those. A unique domain might be triggered by\r\nmillions of emails while another one might only spread to a few thousand victims.\r\nIPFS phishing: stolen data still on the usual web\r\nFigure 9 shows an example of a phishing page we have seen in the wild, available on IPFS:\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 9 of 15\n\nFigure 9. Phishing example hosted on IPFS (Recipients email address has been removed)\r\nUnsuspecting users are led to that page via an initial email that contains an IPFS link to the page. The link\r\ncontains one parameter transmitted to the page, which is the email address of the target.\r\nbafybeicsapdb6iapble5huh6ph5gkjl75ugck7gnx4ih4w25zb[.]ipfs[.]w3s.link/aws.html?email=\r\nYet when analyzing the HTTP POST request headers sent by a victim who would click on the “Sign In” button,\r\nwe see the data goes to a usual URL on the web:\r\nPOST /wp-content/plugins/ioptimization/awy/df.php HTTP/2\r\nHost: \u003c REDACTED \u003e.immo\r\nUser-Agent: \u003c REDACTED \u003e\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 90\r\nOrigin: https://bafybeicsapdb6iapble5huh6ph5gkjl75ugck7gnx4ih4w25zb[.]ipfs[.]w3s.link\r\nDNT: 1\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 10 of 15\n\nConnection: keep-alive\r\nReferer: https://bafybeicsapdb6iapble5huh6ph5gkjl75ugck7gnx4ih4w25zb[.]ipfs[.]w3s.link/\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: cross-site\r\nThe data sent by the user is actually transmitted to a PHP script hosted on a compromised website .immo, which is\r\na website that is not hosted on IPFS.\r\nThis might be our most interesting discovery here: we found no IPFS phishing page that would send the data to\r\nIPFS. All of the phishing pages we analyzed do send the stolen data to usual servers on the web.\r\nPhishing emails\r\nOur telemetry reports a daily activity of about 27,000 unique emails containing phishing IPFS links, leading to\r\nphishing pages hosted on IPFS. This activity covers approximately 30 different phishing campaigns per day.\r\n\u003c TARGET EMAIL ADDRESS \u003e Download your documents via WeTransfer \u003c DATE \u003e\r\nReminder: Please DocuSign:XXXXXX DRAFT XXXXX.docx\r\nMail Password Update Notification For \u003c TARGET EMAIL ADDRESS \u003e\r\nCompleted: Letter of Acceptance for Contract Ref. No. 2022/XXX/XXXXXXXXXXXX\r\n\u003c COMPANY NAME \u003e Insurance Renewal Quote\r\n\u003c TARGET EMAIL ADDRESS \u003e you have new shared Invoice document\r\nPassword for \u003c TARGET EMAIL ADDRESS \u003e expires today \u003c DATE \u003e\r\nYour \u003c COMPANY WEBSITE URL \u003e Account storage is 99% full\r\nAs can be seen in Figure 12, the phishing email topics are no different from the ones on the clear web that use\r\ncommon social engineering methods.\r\nMalware\r\nSo far, we have seen very few cybercriminals making use of IPFS to host malware.\r\nWe found 180 different malware samples through the last five months, which is incredibly low compared to the\r\nnumerous samples we see every month.\r\nWe found very few ransomware on IPFS, most of those we found were older ransomware families.\r\nAmongst the usual low-level malware that you might expect on the internet, such as adware and potentially\r\nunwanted applications (PUA), we found a few more serious threats on IPFS.\r\nInformation stealers and remote administration tools\r\nInfo stealersopen on a new tab and malicious RATs are amongst the biggest threats on the internet, and we found a\r\nfew families on IPFS.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 11 of 15\n\nMalware Family\r\nNumber of unique\r\nsamples\r\nAgent Tesla (Trojan.MSIL.AGENTTESLA.THCOCBO) 55 samples\r\nFormbook (Trojan.Win32.FORMBOOK.EPXopen on a new tab\r\n,Trojan.W97M.FORMBOOK.AQopen on a new tab)\r\n10 samples\r\nRemcos RAT (Backdoor.Win32.REMCOS.TICOGBZopen on a new tab) 9 samples\r\nRedline Stealer (TrojanSpy.MSIL.REDLINESTEALER.YXBDNopen on a new\r\ntab,\r\nTrojanSpy.Win32.REDLINE.X,\r\nTrojanSpy.MSIL.REDLINESTEALER.N)\r\n6 samples\r\nOther various RATs/infostealers 3 samples\r\nTable 1. Malware family and their samples on IPFS\r\nIn addition to malware, we also found common tools used for legitimate and non-legitimate purposes hosted on\r\nIPFS, such as proxying tools or scamming tools, and file binders.\r\nFinally, we could find seven cryptominer samples that are hosted on IPFS, which might be used for legitimate or\r\nillegitimate purpose, depending if they are run legally or on compromised machines.\r\nIPFS in underground forums\r\nIPFS discussions\r\nJust as with any new technology, IPFS is being discussed in cybercriminal underground forums. The discussions\r\nrange from non-technical topics, often produced by low skilled cybercriminals with questions like “what is IPFS?”\r\nto real technical conversations about IPFS infrastructure.\r\nSome of those cybercriminals were criticizing the protocol, mostly by emphasizing that it is really slow and\r\ncannot be used for all purposes, while others were more enthusiastic and already using it.\r\nOne of the IPFS adopters asked on the Lapsu$open on a new tab Chat on Telegram, however, did not get an\r\nanswer:\r\n“Lapsus team, how feasible would it be to setup an ipfs node on the server you’re currently seeding from? Data\r\nwould be quickly cached on cloudflare for free and downloads would be super fast.”\r\nIPFS for data sharing amongst cybercriminals\r\nCybercriminals often need to share files, cybercrime methods/tutorials, or even just screenshots on the\r\nunderground forums, and use free data hosting services such as MediaFire or Mega for these purposes. Some\r\nmight also use hosting on the Tor union network.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 12 of 15\n\nWe have seen an increasing number of cybercriminals using IPFS to store such content and share it with their\r\npeers since 2021.\r\nAs an example, we saw one user share a PDF file on IPFS in November 2022 that is actually a tutorial on “How to\r\nbuild a website/shop that cannot be shut down by Law enforcement.”\r\nFigure 10: Sample content from a PDF file hosted on IPFS and shared amongst cybercriminals\r\nIPFS for illegal content hosting\r\nWe found advertisements in underground forums for a few illegal commercial services that were hosted on IPFS.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 13 of 15\n\nFigure 11. Entrance page for a website that sells illegal drugs hosted on IPFS.\r\nFigure 12. Screenshot of a website that sells drugs found on IPFS\r\nThe website owners describe themselves as veterans from the Darknet interested in new technologies.\r\nFigure 13. Description from the website’s About us page\r\nConclusion\r\nIPFS and its related IPNS are protocols that can be abused by cybercriminals, just like any other protocol.\r\nCybercriminals with average or low skill levels will probably not use much of the technology, mostly because it\r\nneeds some preparation and knowledge to be used efficiently. Yet, the more advanced malicious actors might see\r\nopportunities in it. Backed by the fact that they are already talking about it in their underground forums.\r\nAdditionally, some of them are already using it for hosting and conducting their deeds.\r\nEcommerce looks to be growing in the IPFS environment and this has definitely been exploited by the\r\ncybercriminals. They have set up stores selling illegal goods, and in the event that one node is down, another will\r\ntake its place, providing resiliency. However, we should also take note of the increase of phishing sites and how it\r\nworks well in IPFS. Other threat actors are also using the system to host malware. We also expect some threat\r\nactors to create their own IPFS gateways and run nodes to keep their content online as much as possible.\r\nWhile IPFS is a popular choice when it comes to Web 3.0 decentralized storage, there are more options. We expect\r\nthreat actors to explore other Web3 storages for their operations moving forward. In this sense, we must become\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 14 of 15\n\nmore vigilant whenever a new technology appears, because while it can benefit a lot of people, cybercriminals can\r\nalso see opportunities.\r\nHIDE\r\nLike it? Add this infographic to your site:\r\n1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your\r\npage (Ctrl+V).\r\nImage will appear the same size as you see above.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hi\r\ndeout\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout"
	],
	"report_names": [
		"ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout"
	],
	"threat_actors": [
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439108,
	"ts_updated_at": 1775791507,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29dd6607dd2af65f30a37a5552bff62e15cd4634.pdf",
		"text": "https://archive.orkl.eu/29dd6607dd2af65f30a37a5552bff62e15cd4634.txt",
		"img": "https://archive.orkl.eu/29dd6607dd2af65f30a37a5552bff62e15cd4634.jpg"
	}
}