Unlock Exclusive Cyber Threat Intelligence
Powered by DarkWebInformer.com
Foundational access to breach intelligence. Track breaches, leaks, and threats in real time with high quality screenshots and concise expert summaries.
Continuously updated breach reports and threat summaries.
Daily breach, leak, and DDoS alerts.
Live tracking with JSON export.
Direct access to claims and posts.
Concise summaries of DDoS, defacements, and breaches.
Verified index of dark web sites and services.
Live status of 500+ sites.
Integrated checks inside breach posts.
Uncompressed, watermark free evidence.
Browser alerts for tracked terms.
Stay in the loop across channels.
Verified PGPs for ransomware and threat groups.
📖 Overview
A threat actor is advertising databases from three cryptocurrency platforms: Casa.io, Theya.us, and Nunchuk.io. The leak allegedly contains hundreds of thousands of user records with IDs, emails, phone numbers, passwords, wallet details, registration dates, and referral codes.
📌 Key Details
- Victim Country: USA
- Industry: Financial Services
- Victim Organization: casa inc.
- Victim Site: casa.io
- Threat Actor: MrDark
- Network: tor
- Category: Data Breach
- Severity: High
- Data Fields: user_id, email, password, phone, wallet, registration_date, referral_code
- Records and Prices:
- Casa.io: 330,000 records, $7,500
- Theya.us: 194,000 records, $6,500
- Nunchuk.io: 491,000 records, $10,000
- Sale Terms: One-hand sale only, escrow available
- Contact: Private message on forum
🔗 Claim Post (Plain Text)
Claim Post: Available on the Threat Feeds and Paid Subscriber blog posts.
📸 Screenshot Preview
⚠️ Note: This is a free post. Images may contain redacted information. Paid posts and threat feeds contain unredacted material.
🛡️ WhiteIntel.io Access Infostealers Check
This section is available exclusively for paid subscribers in the Ransomware/Threat Feed blog posts.
🧩 TTPs (MITRE ATT&CK Mapping)
- TA0009 Collection: Database dumps of user and wallet data
- TA0010 Exfiltration: Sale and distribution of stolen records
- TA0040 Impact: Fraud, identity theft, and wallet compromise
- T1078 Valid Accounts: Use of stolen credentials for further access
👤 Threat Actor Profile: MrDark
Summary
- Total Matches: 6
- First Seen: 2025-06-15
- Last Seen: 2025-08-21
- Data Start: 2024-10-02
- Countries: USA
- Industries: Financial Services, Gaming
📊 Threat Actor Activity
| Date | Country | Sector / Industry | Type | Target / Platform | Network |
|---|---|---|---|---|---|
| 2025-08-21 | USA | Financial Services | Data Breach | Casa.io | openweb |
| 2025-08-21 | USA | Financial Services | Data Breach | Casa Inc. (Casa.io) | tor |
| 2025-07-24 | — | Gaming | Data Breach | Miomi.game | openweb |
| 2025-07-16 | — | Gaming | Data Leak | Unidentified crypto gaming company | openweb |
| 2025-07-02 | — | Crypto / Social | Initial Access | Compromised Crypto Meme Twitter API | openweb |
| 2025-06-15 | USA | Financial Services | Data Breach | Kraken (kraken.com) | openweb |
🚨 Potential Risks
These databases include sensitive identity and wallet data that can fuel account takeovers, fraudulent withdrawals, targeted phishing, and SIM-swapping.
✅ Recommended Security Actions
- Notify impacted users and require password resets
- Enforce MFA for all accounts, ideally with hardware keys
- Monitor for suspicious logins and withdrawal attempts
- Alert partner exchanges and services about exposed credentials
- Perform a forensic review of authentication and wallet logs
💡 Final Thoughts
Crypto platforms remain prime targets because leaked data can translate directly into stolen assets. Strong authentication, user education, and continuous monitoring are essential to limit the damage from breaches like these.
![IOC Alert: Lumma Stealer C2 Domain Identified – larpfxs[.]top](/content/images/size/w1304/format/webp/2025/08/23985762398576198764252-1.jpg)
