Incident Overview

A threat actor operating under the handle "markopollo" is auctioning unauthorized CMS administrator access to an unidentified New Zealand-based online shop on the Exploit forum. According to the listing, the access includes a "CMS recorder" and admin-level privileges to the shop's content management system. The threat actor claims the shop has processed 4,400 orders between October 1, 2025 and January 27, 2026, with 800+ orders in January 2026 alone.

The listing indicates that a payment redirection mechanism has been deployed on the compromised store, capable of intercepting payments through Afterpay, internet banking, and credit card transactions. The threat actor notes that payments are "mostly paid by SS" (likely referring to a payment processor or screenshot verification). The auction starts at $1,500 USD with a $250 step increment and a blitz (buy-it-now) price of $5,000 USD. The auction runs for 12 hours after the last bid or blitz purchase, with Guarantor+ escrow protection.