The dark web’s underground market has once again set off alarms.
In recent days, SOCRadar’s intelligence team detected unusual activity: the sale of massive stolen databases, fake KYC identity services, Android malware tools, and the emergence of a new modular ransomware.
In addition, criminal groups are reportedly recruiting telecom employees to execute SIM‑swapping fraud schemes.
These findings reveal an alarming trend: cybercriminals are diversifying their methods, combining data theft, digital identity manipulation, and custom ransomware to maximize profits.
1.7 Billion Facebook Records for Sale
One of the most concerning listings detected by SOCRadar involves the sale of 1.7 billion Facebook user records.
The seller claims the data is “fresh,” never leaked before, and available through direct contact in dark‑web forums.
The dataset allegedly includes:
- User IDs
- Birth dates
- Location
- Gender
- Marital status
- Friend counts
Although authenticity has not been verified, experts warn that if genuine, the data could be used for targeted phishing, identity theft, financial fraud, or social‑media impersonation.
A SOCRadar analyst explained that even social‑media data without passwords can power social‑engineering attacks, as criminals craft realistic, personalized messages that increase success rates.
Fake KYC Verification Services Threaten Banks and Fintechs
Another dark‑web post offered forged KYC (Know Your Customer) verification services, advertising complete identity kits designed to bypass verification systems at banks, payment platforms, and crypto exchanges.
The listing mentions institutions such as Wise, Revolut, Skrill, HSBC, Monzo, PayPal, and Binance, with prices ranging from $60 to $1,400, depending on customization level.
The vendor even promotes a “custom name” feature—apparently for generating documents under a chosen identity.
These fake KYC services pose a serious threat to the financial sector, enabling money laundering, identity fraud, and sanctions evasion.
In practice, they allow criminals to open “verified” accounts with fake documentation, bypassing compliance systems entirely.
The Return of Mobile Botnets: Hook for Android
SOCRadar also found Hook for Android advertised on the dark web—a malicious botnet designed to take full remote control of mobile devices.
The seller claims the tool is original, updated, and compatible with the latest Android versions, renting for $5,000 per month, with a free beta trial offered to prove its capabilities.
Hook Botnet can:
- Record keystrokes (keylogging)
- Intercept SMS and WhatsApp messages
- Access banking data stored in apps
- Gain full control of infected devices
These attacks don’t just target individuals—they also threaten corporate environments, as infected employee devices can enable espionage and credential theft.
MonoLock: A New Modular Ransomware
A new post announced MonoLock Ransomware v1.0, a modular tool for cybercriminals seeking to automate encryption and data‑theft attacks.
The developer advertises MonoLock as a “commercial” product with specialized modules:
- Elevate — gains admin privileges without modifying the system registry.
- MonoSteal — extracts documents, images, passwords, and certificates.
- MonoLock — main encryption engine using hybrid ChaCha20 + Salsa20 algorithms.
- Notedrop — distributes ransom notes on infected devices.
MonoLock also includes anti‑forensic capabilities, detecting virtual machines or debugging tools to avoid analysis, and can delete local backups to block data recovery.
In short, it’s a ransomware built for maximum damage and minimal traceability.
Recruiting Insiders for SIM‑Swapping Fraud
Perhaps the most alarming discovery this week is a dark‑web recruitment ad seeking employees at telecom companies to help with SIM‑swapping attacks.
The group claims to have an “internal contact” at T‑Mobile and is now recruiting collaborators at AT&T and other carriers.
They promise profit‑sharing with recruits and boast of having “dozens of ready‑to‑hit targets.”
In SIM swapping, attackers get a victim’s phone number transferred to a new SIM card under their control.
Once successful, they can intercept verification codes, reset passwords, and take over banking or social‑media accounts.
A Growing Criminal Ecosystem
SOCRadar’s findings expose a professionalized, service‑based cybercrime economy.
The dark web has evolved into a fully functional underground marketplace where actors can buy data, rent malware, forge IDs, and recruit insiders for coordinated operations.
This “cybercrime‑as‑a‑service” model dramatically lowers entry barriers—anyone with money can become a cybercriminal, purchasing ready‑made attack kits.
How to Protect Yourself and Your Organization
At TecnetOne, we recommend strengthening digital security with these key actions:
- Monitor the dark web for leaked data or credentials tied to your business.
- Enable multi‑factor authentication (MFA)—avoid SMS‑based codes; use secure apps like Microsoft or Google Authenticator.
- Train employees to recognize phishing and handle passwords securely.
- Maintain encrypted, offline backups to prevent ransomware destruction.
- Apply least‑privilege policies—restrict user access to essential systems only.
- Keep systems patched and configurations up to date.
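As an added example (not code from SOCRadar or TecnetOne), the script below audits an MFA enrollment export for the exposure described in the SIM-swapping section and in the MFA recommendation above: accounts where control of the phone number is enough to log in or reset a password. The CSV columns, factor names, and sample rows are assumptions constructed for this illustration, not any identity provider's real schema.

```python
import csv
import io

# Constructed sample export: one row per enrolled factor (hypothetical schema).
SAMPLE_EXPORT = """user,factor,usable_for_login,usable_for_reset
alice,totp,yes,no
alice,sms,no,yes
bob,sms,yes,yes
carol,totp,yes,yes
carol,webauthn,yes,no
dave,sms,yes,no
dave,totp,yes,yes
"""

# Factors that are delivered to the phone number and so follow a swapped SIM.
PHONE_FACTORS = {"sms", "voice"}


def sim_swap_exposure(export_text):
    """Return {user: sorted finding codes} for accounts a hijacked number can affect."""
    by_user = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        by_user.setdefault(row["user"], []).append(row)

    report = {}
    for user, rows in by_user.items():
        findings = set()
        login = [r for r in rows if r["usable_for_login"] == "yes"]
        phone_login = [r for r in login if r["factor"] in PHONE_FACTORS]
        if phone_login and len(phone_login) == len(login):
            # The phone number is the only second factor at login.
            findings.add("LOGIN_PHONE_ONLY")
        elif phone_login:
            # A stronger factor exists, but the phone factor can be chosen instead.
            findings.add("LOGIN_PHONE_FALLBACK")
        if any(r["usable_for_reset"] == "yes" and r["factor"] in PHONE_FACTORS
               for r in rows):
            # A code sent to the phone is enough to reset the password.
            findings.add("RESET_VIA_PHONE")
        if findings:
            report[user] = sorted(findings)
    return report


if __name__ == "__main__":
    for user, findings in sorted(sim_swap_exposure(SAMPLE_EXPORT).items()):
        print(f"{user}: {', '.join(findings)}")
```

Accounts flagged only with `RESET_VIA_PHONE` are easy to overlook: login is protected by an authenticator app, yet the recovery path still depends on the phone number.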
Conclusion
The surge of massive data leaks, fake identity services, and modular ransomware shows that cybercrime is evolving at an alarming pace.
Dark‑web forums have become sophisticated criminal marketplaces, fueling a new era of organized digital crime.
To fight it, organizations must adopt proactive, intelligence‑driven cybersecurity strategies rooted in prevention, education, and collaboration.
At TecnetOne, we believe that awareness, constant training, and modern security technologies remain the strongest defense against an enemy that never sleeps.