
Dark Web Crime: Data Sales and New Digital Frauds

Written by Levi Yoris | Oct 21, 2025 1:15:00 PM

The dark web’s underground market has once again set off alarms.

In recent days, SOCRadar’s intelligence team detected unusual activity: the sale of massive stolen databases, fake KYC identity services, Android malware tools, and the emergence of a new modular ransomware.

In addition, criminal groups are reportedly recruiting telecom employees to execute SIM-swapping fraud schemes.

These findings reveal an alarming trend: cybercriminals are diversifying their methods, combining data theft, digital identity manipulation, and custom ransomware to maximize profits.

 

1.7 Billion Facebook Records for Sale

 

One of the most concerning listings detected by SOCRadar involves the sale of 1.7 billion Facebook user records.

The seller claims the data is “fresh,” never leaked before, and available through direct contact in dark-web forums.

The dataset allegedly includes:

 

  1. User IDs
  2. Birth dates
  3. Location
  4. Gender
  5. Marital status
  6. Friend counts

 

Although authenticity has not been verified, experts warn that if genuine, the data could be used for targeted phishing, identity theft, financial fraud, or social-media impersonation.

A SOCRadar analyst explained that even social-media data without passwords can power social-engineering attacks, as criminals craft realistic, personalized messages that increase success rates.

 

Fake KYC Verification Services Threaten Banks and Fintechs

 

Another dark-web post offered forged KYC (Know Your Customer) verification services, advertising complete identity kits designed to bypass verification systems at banks, payment platforms, and crypto exchanges.

The listing mentions institutions such as Wise, Revolut, Skrill, HSBC, Monzo, PayPal, and Binance, with prices ranging from $60 to $1,400, depending on customization level.

The vendor even promotes a “custom name” feature—apparently for generating documents under a chosen identity.

These fake KYC services pose a serious threat to the financial sector, enabling money laundering, identity fraud, and sanctions evasion.

In practice, they allow criminals to open “verified” accounts with fake documentation, bypassing compliance systems entirely.

 


 

The Return of Mobile Botnets: Hook for Android

 

SOCRadar also found Hook for Android advertised on the dark web—a malicious botnet designed to take full remote control of mobile devices.

The seller claims the tool is original, updated, and compatible with the latest Android versions, renting for $5,000 per month, with a free beta trial offered to prove its capabilities.

Hook Botnet can:

 

  1. Record keystrokes (keylogging)
  2. Intercept SMS and WhatsApp messages
  3. Access banking data stored in apps
  4. Gain full control of infected devices

 

These attacks don’t just target individuals—they also threaten corporate environments, as infected employee devices can enable espionage and credential theft.

 

MonoLock: A New Modular Ransomware

 

A new post announced MonoLock Ransomware v1.0, a modular tool for cybercriminals seeking to automate encryption and data-theft attacks.

The developer advertises MonoLock as a “commercial” product with specialized modules:

 

  1. Elevate: gains admin privileges without modifying the system registry.
  2. MonoSteal: extracts documents, images, passwords, and certificates.
  3. MonoLock: main encryption engine using hybrid ChaCha20 + Salsa20 algorithms.
  4. Notedrop: distributes ransom notes on infected devices.

 

MonoLock also includes anti-forensic capabilities, detecting virtual machines or debugging tools to avoid analysis, and can delete local backups to block data recovery.

In short, it’s a ransomware built for maximum damage and minimal traceability.

 

Recruiting Insiders for SIM-Swapping Fraud

 

Perhaps the most alarming discovery this week is a dark-web recruitment ad seeking employees at telecom companies to help with SIM-swapping attacks.

The group claims to have an “internal contact” at T-Mobile and is now recruiting collaborators at AT&T and other carriers.

They promise profit-sharing with recruits and boast of having “dozens of ready-to-hit targets.”

In SIM swapping, attackers clone a victim’s phone number to a new SIM card under their control.

Once successful, they can intercept verification codes, reset passwords, and take over banking or socialmedia accounts.

 

A Growing Criminal Ecosystem

 

SOCRadar’s findings expose a professionalized, service-based cybercrime economy.

The dark web has evolved into a fully functional underground marketplace where actors can buy data, rent malware, forge IDs, and recruit insiders for coordinated operations.

This “cybercrime-as-a-service” model dramatically lowers entry barriers—anyone with money can become a cybercriminal, purchasing ready-made attack kits.

 


 

How to Protect Yourself and Your Organization

 

At TecnetOne, we recommend strengthening digital security with these key actions:

 

  1. Monitor the dark web for leaked data or credentials tied to your business.
  2. Enable multi-factor authentication (MFA): avoid SMS-based codes; use secure apps like Microsoft or Google Authenticator.
  3. Train employees to recognize phishing and handle passwords securely.
  4. Maintain encrypted, offline backups to prevent ransomware destruction.
  5. Apply least-privilege policies: restrict user access to essential systems only.
  6. Keep systems patched and configurations up to date.

 

Conclusion

 

The surge of massive data leaks, fake identity services, and modular ransomware shows that cybercrime is evolving at an alarming pace.

Dark-web forums have become sophisticated criminal marketplaces, fueling a new era of organized digital crime.

To fight it, organizations must adopt proactive, intelligence-driven cybersecurity strategies rooted in prevention, education, and collaboration.

At TecnetOne, we believe that awareness, constant training, and modern security technologies remain the strongest defense against an enemy that never sleeps.