
Data From Domain Registrar and Host Netim Allegedly Offered for Sale, Including Source Code and Customer Records

Breach Report | France | Technology | Data for Sale

A threat actor using the alias lucy is advertising a private, one-time sale of what they describe as comprehensive data from Netim.com, a French domain registrar and hosting provider, for $5,000 in cryptocurrency. Per the listing, the data includes a 16.5 million-document Elasticsearch cluster covering payments, sales, domains, support tickets, hosting, affiliates, SSL details, and staff accounts; an internal database dump with customer master records (names, addresses, phone numbers, emails, password hashes, account balances, and VAT details) dated up to March 2024; SQL dumps from billing, hosting, and production systems; and complete source-code repositories with configuration files, credentials, and internal infrastructure layouts. The seller says samples will be provided only after proof of funds. The claim is unverified.

Data: 16.5M docs
Price: $5,000
Country: France
Actor: lucy

Post details

Target: Netim.com (domain registrar / host)
Country: France
Sector: Technology / Hosting
Listing: Private one-time sale ($5,000)
Data: Customer records, source code, payments
Freshness: Main DB up to March 2024
Observed:
Actor: lucy

Allegedly included

  • 16.5M Elasticsearch documents
  • Customer master records
  • Password hashes
  • Payments & account balances
  • VAT & reseller / affiliate data
  • SSL details & support tickets
  • Source code (full Git history)
  • Config files, credentials, infra layouts

Potential impact

This is a critical-severity listing because the target is a domain registrar and hosting provider, and the claimed data reaches deep into both customer records and the provider's own infrastructure. If genuine, the customer side (names, addresses, phones, emails, password hashes, account balances, and VAT details across millions of documents) enables identity theft, financial fraud, and credential attacks, while the provider side (SSL details, source code with credentials, configuration files, and internal infrastructure layouts) is far more dangerous: it could facilitate domain hijacking, interception of encrypted traffic, and compromise of hosted customer websites and the registrar's own systems. Because registrars sit at the root of domain and certificate trust, a breach of this kind can cascade to the provider's entire customer base. That said, the main database is dated to March 2024, and as an unverified sale offer with samples withheld pending payment, the claim may be exaggerated or recycled from an earlier incident. No sample data, credentials, or seller contact details are reproduced here.

Status

Unverified

This is a sale listing offering samples only after proof of funds; no samples, credentials, or the seller's or middlemen's contact details are reproduced here. Part of the data is dated to March 2024, which may indicate older or recycled material. The claim has not been independently confirmed and Netim has not publicly addressed it. If accurate, the exposure of credentials, SSL details, and source code would warrant urgent credential rotation and customer notification.
