Incident Overview

A threat actor using the handle "timcookapple" is offering a massive collection of unauthorized access credentials for sale, including webshells, WHMCS hosting server access, and cPanel control panel access affecting over 50,000 domains globally. The seller claims these compromised domains have high traffic and good domain authority metrics, making them ideal for malicious activities such as casino landing pages or parasite SEO campaigns.

• Purpose: Domain access with high traffic and good DA/PA/DR metrics for casino landing pages or parasite SEO
• Total Webshell Access: 10,869 valid webshell accesses
• Minimum Webshell Order: 2,000 shells x7$ (minimum purchase $14,000)
• Total WHMCS Access: 5,936 valid WHMCS host server accesses
• WHMCS Domain Count: Each host server contains approximately 50-400 domains
• WHMCS Pricing: $1,000 per host (minimum order 1 host)
• Total cPanel Access: 54,827 valid cPanel accesses
• Minimum cPanel Order: 1,000 cPanel x20$ (minimum purchase $20,000)
• Total Affected Domains: Over 50,000 domains across all access types
• Affected TLDs (Top-Level Domains): .edu, .gov, .go, .gob, .ac, .com, .org, .net, .co
• Affected GEOs (Geographic Extensions): .id, .br, .th, .mx, .ar, .bd, .pe, etc.
• Domain Selection: Random allocation (buyer cannot choose specific domains)
• Quality Guarantee: At least 50-60% of domains are guaranteed to be "good domains"
• Payment System: Pay first, then receive access
• Accepted Payments: BTC / USDT
• Contact Method: Telegram @Nicholasaaronfoster
• Sample Domains Visible: Multiple educational and government domains from various countries including Mexico, Australia, Myanmar, Peru, Argentina, Indonesia, Brazil, South Africa, and others