☑️ Weekly Darkweb – September Week 1, 2025
🔍 Salesforce CRM Customer Data Circulating on Anonymous Telegram Channel
• On Sept 2, a post advertising a database from the corporate CRM system “Salesforce” was detected on the Telegram channel “DigitalGhost.”
• The threat actor distributing the message described the data as follows:
✓ Volume & Price: 4TB / negotiable
✓ Data Details: Personal information (names, addresses, contact details) stored in Salesforce
• The threat actor is selling the data via the anonymous messenger “Tox.”
• A Salesforce data breach could expose both customer PII and corporate sales data, leading to phishing, identity theft, reputational damage, and legal risks.
🔍 Anti-Pakistan Threat Actor Selling FIA Classified Files on Russian Dark-Web Forum
• On Sept 1, a post offering data from Pakistan’s Federal Investigation Agency (FIA) was identified on the Russian dark-web hacking forum Exploit.
• Threat actor “xuii” claimed to be selling about 5GB of data and shared samples in image form, including “terrorist investigation status,” “major case lists,” and “executive personnel transfers.”
• According to S2W’s investigation platform XARVIS, the threat actor has posted 16 times since joining Exploit in March, 13 of which directly targeted the Pakistani government.
🔍 By**ance Job-Seeker Resumes Illegally Traded on Telegram Channel
• Evidence was found of a Telegram channel trading Chinese job-seeker resumes, including a database of applicants to TikTok’s parent company (Company B).
• The threat actor running the channel is selling stolen original resumes converted into PDF files.
• The original PDF resumes submitted by applicants could be exploited for fake identities, corporate impersonation, and spear-phishing attacks.
*The full report is available upon request and to XARVIS subscribers.