A hacker calling himself DarkNikon claims to have obtained a database containing personal and financial information on 45 million users in Mexico, mainly linked to payment apps and electronic wallets.
According to what he posted on one of the most well-known underground forums among cybercriminals worldwide, the leaked data includes everything from full names, phone numbers, and email addresses to dates of birth, addresses, account identifiers, bank card information, and KYC documents (which financial platforms request to verify users' identities).
Companies such as Edenred, Broxel, and others are among those potentially affected by the data breach (Source: Publimetro México)
The alleged hacker claims that the database was obtained in 2025 and is already organized into CSV and TXT files, ready to be sold on the dark web. According to his post, the information is related to a long list of companies, including voucher issuers, digital wallets, payment processors, and alternative financial services platforms such as Edenred, Up Sí Vale, Broxel, Pluxee, OneCard, Tienda Pago, Sr. Pago, Zettle, among others.
Although the leaker claims to offer a sample to verify the data, it is not publicly available, making it difficult to immediately confirm its authenticity. However, the post shares contact channels on Telegram and alternative links where the “complete dump” of the information can supposedly be accessed.
The trail of iCap0ne and doubts about the authenticity of the leak
Behind this new offering of leaked data is a name already known in cybercrime circles: iCap0ne, who is notorious for reselling previously leaked databases as if they were new. Cybersecurity experts have identified his presence in various forums and channels under different aliases (such as “Kaught”) where he has shared files very similar to the current ones, with repeated descriptions and samples that had already been distributed by other actors.
On at least two recent occasions, Injection Inferno (the original perpetrator of the series of leaks known as Inferno Leaks) has publicly accused him of stealing and reselling his databases without authorization. These internal disputes between cybercriminals have cast doubt on the legitimacy of the current leak, suggesting that it could be old data repackaged as new.
Furthermore, recent analysis confirms that the samples shared by iCap0ne match previous leaks, indicating that the content is likely not entirely original. However, that does not mean the data has lost its value: if it is still valid, the risk to affected users remains real.
To make matters worse, iCap0ne has been found to administer several channels on Telegram and has promoted the creation of a new forum similar to Breach Forums, which was shut down after the arrest of its founders. This initiative has raised suspicions even among other hackers, some of whom believe it could be a honeypot (a fake platform created to trap those who trade in illegal information).
How real is the risk?
Although it has not yet been confirmed whether the 45 million leaked records correspond to a recent breach, the way in which the sale was presented, the history of the actor involved, and the sensitive nature of the data are sufficient reasons to be alert.
When a database includes information as detailed as names, phone numbers, addresses, IDs, and financial data, the risk is significant. Such leaks can be used to open fraudulent credit accounts, take over bank accounts, impersonate victims, and even launch highly personalized phishing attacks that may appear completely legitimate at first glance. In some cases, the data could also be used to circumvent KYC verification processes on fintech platforms or investment apps.
So far, none of the companies mentioned in the publication has officially confirmed a breach, nor is there any public evidence that the data is circulating widely on forums or underground networks. Even so, the threat should not be taken lightly.
If you use payment apps or digital financial services, it is best to strengthen your security measures:
- Enable two-step verification on all your accounts.
- Change your passwords if you use repeated combinations.
- Do not share personal information via suspicious messages, emails, or calls.
- Check your financial transactions regularly.
Although not every alarm turns out to be a real incident, it is better to be safe than sorry, especially when it comes to your personal information and money.