{
	"id": "7526aafe-552d-4125-b368-e42eeed0c69c",
	"created_at": "2026-04-06T00:11:05.812344Z",
	"updated_at": "2026-04-10T03:34:59.552301Z",
	"deleted_at": null,
	"sha1_hash": "d592b13d5088fd218f29cbad84abafe9ec782ed2",
	"title": "Dark Peep #16: Play Ransomware \u0026 LockBit's Alliance, BreachForums Leak, and CyberNiggers' Revival",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1028020,
	"plain_text": "Dark Peep #16: Play Ransomware \u0026 LockBit's Alliance,\r\nBreachForums Leak, and CyberNiggers' Revival\r\nPublished: 2024-08-08 · Archived: 2026-04-05 17:13:17 UTC\r\n1. Home\r\n2. Blog\r\n3. Dark Web\r\n4. Dark Peep #16: Play Ransomware \u0026 LockBit’s Alliance, BreachForums Leak, and CyberNiggers’ Revival\r\nWelcome to Dark Peep #16, where we unravel the freshest and most daring cyber capers. Rumors swirl about a\r\npotential collaboration between Play Ransomware and LockBit, with Play reportedly paying $35,000 for\r\nLockBit’s tricks. Meanwhile, AzzaSec found itself ambushed, their Telegram channels hijacked, and backup\r\nchannels were compromised.\r\nA new hacktivist collective, Holy League, has emerged, targeting NATO, Europe, Ukraine, and Israel with alleged\r\nDDoS and defacement attacks. Brain Cipher ransomware, after causing chaos in Indonesia, unexpectedly released\r\na decryption key, raising questions about their motives. SiegedSec announced their disbandment due to mental\r\nhealth and FBI pressure, and the BreachForums database leak by Emo threat actor exposed personal data of over\r\n200,000 members\r\nThe visual representation of ‘Threat actor tries to re-awaken the threat group.’ (Generated by OpenAI’s DALL-E)\r\nhttps://socradar.io/dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival/\r\nPage 1 of 4\n\nPotential Collaboration Between Play Ransomware and LockBit\r\nIn a twist straight out of a cybercrime comic book, a Telegram channel allegedly linked to Play Ransomware hints\r\nat an unlikely partnership with LockBit. Picture this: Play Ransomware and LockBit joining forces like the Joker\r\nand Harley Quinn of the digital underworld. The deal? Play Ransomware pays $35,000 for LockBit’s bag of\r\ntricks.\r\nA Telegram channel, allegedly operated by Play Ransomware, has announced a new partnership with LockBit\r\n(DailyDarkWeb)\r\nBut the fun doesn’t stop there! 
LockBit is also offering its expertise to make Play Ransomware’s operations even\r\nmore chaotic. It’s like a villainous mentorship, ensuring their mischievous escapades reach new heights.\r\nFor additional intelligence information, you can read our blog post about LockBit.\r\nAs this dynamic duo gears up to unleash their digital mayhem, the rest of us are left to brace for impact. But fear\r\nnot, because just as Gotham has Batman, the cyber world has SOCRadar. With real-time intelligence and cutting-edge insights, SOCRadar is here to help you thwart these cybercriminals’ plans and keep your digital city safe.\r\nThe Hacktivist Group Hit by Its Weapon\r\nWhile documenting AzzaSec’s showdowns with other threat groups and their daring takeover of a rival’s\r\nTelegram channel, an unexpected plot twist occurred. In a classic case of the hunter becoming the hunted, a\r\ncheeky threat actor hijacked AzzaSec’s own Telegram channel. Not only did they shut it down, but they also\r\ngrabbed control of their backup channels.\r\nOn AzzaSec’s new Telegram channel, a threat actor claimed that AzzaSec had hijacked and shut down its\r\nTelegram channels.\r\nThis bold move, announced right on AzzaSec’s platform, turned the tables and left AzzaSec looking like they’d\r\nslipped on a banana peel in the middle of their grand heist.\r\nOnce Again, Another New Collective Emerges\r\nTurning our attention to hacktivist groups and their activities on Telegram, a significant development has surfaced.\r\nPro-Russian and pro-Palestinian hacktivist threat groups on Telegram have announced the formation of a new\r\ncollective called the Holy League.\r\nThis collective includes over 70 threat groups. While it is common for threat groups on Telegram to form\r\ncollectives, a partnership involving this many pro-Palestinian and pro-Russian groups is unusual. 
These groups\r\nhave claimed cyber attacks primarily targeting NATO, Europe, Ukraine and Israel, involving Distributed Denial-of-Service (DDoS) and website defacement operations.\r\nBrain Cipher’s Mysterious Decryption Key Release\r\nBrain Cipher ransomware burst onto the cyber scene like a bolt of lightning, making headlines with their alleged\r\nattack on Indonesia’s National Data Center (Pusat Data Nasional – PDN). The ransomware group quickly became\r\ninfamous for supposedly disrupting essential public services, leaving government servers encrypted and citizens in\r\na state of disarray.\r\nBrain Cipher’s post, which claims to offer a decryptor\r\nBut just as quickly as they rose to notoriety, Brain Cipher’s resolve seemed to waver. In an unexpected move, the\r\ngroup shared an onion link that they claimed contained the decryption key along with detailed instructions on how\r\nto use it. This act left many in the cyber community scratching their heads. Was this a genuine act of contrition, or\r\njust another layer of their deceit?\r\nThe decision to release the decryption key seemed almost out of character for a group that had caused so much\r\nchaos. It hinted at a possible internal conflict or a strategic pivot, perhaps driven by fear of reprisal or a calculated\r\nattempt to curry favor.\r\nHas the SiegedSec Threat Group Disbanded?\r\nSiegedSec announced their sudden disbandment on their Telegram channel.\r\nPicture it: the threat actors gather for one last mission, only to realize the heat is too intense. 
For the sake of their\r\nmental health, to escape the relentless stress of public notoriety, and to dodge the all-seeing eye of the FBI,\r\nthey’ve decided to pull a Mission: Impossible disappearing act.\r\nTheir announcement read like a dramatic final scene, as if they were saying, “This tape will self-destruct in 5\r\nseconds.” SiegedSec’s unexpected exit is a reminder that even in the wild world of cyber escapades, every threat\r\nactor has their breaking point.\r\nExplore comprehensive insights and the latest updates on SiegedSec.\r\nBreachForums Breach: Your OPsec Guide to Avoid Starring in the Next Data\r\nDrama!\r\nThe notorious Pompompurin era of BreachForums had its database leaked, courtesy of the threat actor known as\r\nEmo. Following some internal strife, Emo decided to make this treasure trove public on a Telegram channel. This\r\ndata, potentially a goldmine for OPsec (Operational Security), revealed personal information of 212,414\r\nmembers from BreachForums 1.0.\r\nA sample of leaked data from BreachForums\r\nAccording to Emo, the data originated directly from Fitzpatrick (aka Pompompurin), who allegedly tried to sell it\r\nfor $4,000 while out on bail in June 2023. Emo claims the data was eventually purchased by three threat actors.\r\nThe leaked database includes user IDs, login names, email addresses, registration IPs, and the last IP address used\r\non the site, among other details.\r\nTo add a touch of drama, let’s not forget that the first major data breach forum, RaidForums, was seized by the\r\nFBI in 2022. In its aftermath, Pompompurin launched BreachForums (aka Breached) to fill the void. 
Fitzpatrick’s\r\narrest in early 2023 led to the original BreachForums shutting down, only for the notorious ShinyHunters to\r\nresurrect it later.\r\nFor anyone looking to tighten their OPsec, this leak is a stark reminder: in the digital wild west, it’s always high\r\nnoon somewhere. And remember, even Iron Man had to learn the hard way that keeping your identity secret is\r\nsometimes the best way to avoid the villains.\r\nIntelBroker Attempts to Revive CyberNiggers\r\nIn a move sparking outrage, notorious threat actor IntelBroker has announced plans to revive the infamous and\r\nracist group CyberNiggers. Known for its harmful and offensive activities, this group is attempting to rebuild, led\r\nby IntelBroker.\r\nIntelBroker’s announcement\r\nThe recruitment process, as outlined by IntelBroker, is steeped in hate and bigotry. The criteria include being\r\nwhite and racist, showing disdain for law enforcement, and providing evidence of past breaches and leaks. This\r\ndangerous group also emphasizes maintaining operational security and a ‘GOD Rank.’\r\nIntelBroker admits that the group has always been under attack, facing law enforcement actions and arrests.\r\nFor more detailed information about CyberNiggers check out our Dark Web Profile.\r\nConclusion\r\nWith all this cyber drama unfolding, you might be wondering how to keep your digital fortresses safe. Enter\r\nSOCRadar: whether it’s detecting the latest ransomware tactics, monitoring hijacked communication channels, or\r\nidentifying new threat collectives, SOCRadar offers real-time intelligence and cutting-edge insights.\r\nWith SOCRadar on your side, you can stay a step ahead of cybercriminals, ensuring your digital defenses are\r\nalways fortified. Stay vigilant, stay informed, and let SOCRadar help you navigate the ever-evolving cyber\r\nlandscape. 
\r\nSource: https://socradar.io/dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival/"
	],
	"report_names": [
		"dark-peep-16-play-ransomware-lockbits-alliance-breachforums-leak-and-cyberniggers-revival"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "90d3eea4-276c-4c82-be78-e244c2d7ecd4",
			"created_at": "2024-10-04T02:00:04.76317Z",
			"updated_at": "2026-04-10T02:00:03.714964Z",
			"deleted_at": null,
			"main_name": "AzzaSec",
			"aliases": [],
			"source_name": "MISPGALAXY:AzzaSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c29ed071-678d-4023-a954-7138fb534056",
			"created_at": "2023-11-05T02:00:08.079228Z",
			"updated_at": "2026-04-10T02:00:03.39948Z",
			"deleted_at": null,
			"main_name": "SiegedSec",
			"aliases": [],
			"source_name": "MISPGALAXY:SiegedSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d6519c33-32d0-4a3c-b5cd-930ce047c240",
			"created_at": "2024-04-19T02:00:03.615928Z",
			"updated_at": "2026-04-10T02:00:03.612469Z",
			"deleted_at": null,
			"main_name": "CyberNiggers",
			"aliases": [],
			"source_name": "MISPGALAXY:CyberNiggers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0263e1e1-4568-410a-a5e4-6932db1d40da",
			"created_at": "2024-06-26T02:00:04.854969Z",
			"updated_at": "2026-04-10T02:00:03.667295Z",
			"deleted_at": null,
			"main_name": "IntelBroker",
			"aliases": [],
			"source_name": "MISPGALAXY:IntelBroker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d592b13d5088fd218f29cbad84abafe9ec782ed2.pdf",
		"text": "https://archive.orkl.eu/d592b13d5088fd218f29cbad84abafe9ec782ed2.txt",
		"img": "https://archive.orkl.eu/d592b13d5088fd218f29cbad84abafe9ec782ed2.jpg"
	}
}