IRLeaks Targets Iranian Insurance, TAPSI; Mass Data Exposures Surge
Summary
Today's threat landscape is dominated by a surge in high-volume data exposure events, with Iranian hacktivist group IRLeaks claiming multiple breaches against domestic entities. The volume of alleged breaches -- 50 critical exposures out of 144 total events -- signals an aggressive posture from both hacktivists and financially motivated actors. Defenders should prioritize monitoring for credential stuffing and phishing campaigns leveraging the large datasets reportedly circulating, particularly those targeting financial services, telecoms, and government sectors.
Today's developments
The most significant cluster of activity today centers on IRLeaks, which claims to have breached TAPSI, an Iranian ride-hailing and IT services platform, with an alleged dataset of 194 million records. The same actor also claims to have compromised over 20 Iranian insurance companies (160 million records) and the Hajj Pilgrimage Organization in Iran. These claims, if substantiated, represent one of the largest coordinated data theft operations against Iranian infrastructure this year. Separately, IRLeaks is allegedly selling personal data from additional Iranian insurance firms, suggesting a sustained commercial monetization strategy.
In the United States, a breach allegedly affecting stripchat.com claims to involve 62 million users and 408,000 models, making it one of the largest adult platform exposures on record. Another actor, nanoapple, claims to have obtained 185 million US consumer leads and the data of 380,000 BetMGM online casino users. The scale of these alleged datasets, combined with their financial services and consumer focus, elevates the risk of targeted phishing and account takeover attacks against US-based individuals.
Several government and law enforcement entities are also in the crosshairs. Alleged breaches include the Philippine National Police, the Nigerian National Assembly Service Commission, New Jersey City University, and Sistem Layanan Aplikasi Bapas Jakarta Pusat in Indonesia. In Europe, actors claim to have breached Colruyt (Belgium, food & beverage), E-COLET LOGISTIC S.A. (Romania, logistics), and Figaro Immobilier (France, real estate). The geographic and sectoral diversity underscores that no region or industry is being spared.
Threat landscape signals
Actor concentration is notable: DeepCore Network leads with 12 events, followed by Dark Storm Team and LOCKBIT 5.0 (8 and 7 events respectively). The presence of NoName057(16) with 7 events, primarily DDoS-related, indicates sustained hacktivist pressure against European and Ukrainian targets. The IRLeaks activity (5 events) is a sharp spike, likely tied to geopolitical tensions.
Victim country clustering shows the United States (21 events) and United Kingdom (15 events) as primary targets, but the emergence of Indonesia (11 events) and Thailand (10 events) suggests threat actors are expanding their reach into Southeast Asia. The Iran cluster (7 events) is almost entirely driven by IRLeaks' internal targeting, a pattern that may indicate internal political or economic motivations.
Ransomware activity (17 events) remains elevated, with LOCKBIT 5.0 continuing to be the most active variant. The DDoS category (23 events) and defacement (20 events) suggest a mix of hacktivist and criminal operations, with no single vector dominating. The low number of vulnerability (1) and malware (1) events likely reflects reporting bias rather than a genuine decline in exploitation activity. Defenders should maintain vigilance across all attack surfaces, with particular attention to credential-based attacks following today's large-scale data exposures.