☑️ Weekly Darkweb – December Week 5, 2025

🔍 Subsidiary ‘O’ of Japanese Media Giant ‘T’ Infected with Lynx Ransomware

• On December 23, confidential data from company O, a core subsidiary of Japanese video content group T, was reportedly leaked by the ransomware gang ‘Lynx.’

✓ Company T is listed on the Tokyo Stock Exchange and reported approximately USD 300 million in annual revenue for FY2025, with company O managing its technical operations.

• Leaked data contain internal documents and business records since 2022, involving partners such as Japanese automotive giant T, global game company N, and Japanese subway operator T.

• Company O confirmed on its official website that its internal systems were encrypted in a ransomware attack on December 9 and has since shared response updates.

🔍 Internal Data of European Space Agency for Sale on Dark Web

• On December 26, a post offering internal data of the European Space Agency (ESA) was detected on the dark web hacking forum ‘BreachForums.’

• The threat actor ‘888’ claimed to have exfiltrated over 200GB of data from the ESA over the course of one week starting December 18, and has attached screenshots of ESA's internal source code repository (Bitbucket), work management system (JIRA), and confidential documents as evidence of the breach.

→ Leaked Data: source code, CI/CD pipelines, API tokens, confidential files, SQL files.

• According to S2W’s user profiling analysis, the user ‘888’ is a member of the threat group ‘CyberNiggers,’ which includes the former BreachForums operator ‘IntelBroker,’ and has been serving as a moderator for BreachForums since January 2025.

🔍 Database and FTP Access of Spanish Telecom ‘V’ Listed on Dark Web

• On December 23, a post offering the database and FTP access of Spanish telecommunications giant V was identified on the dark web hacking forum ‘DarkForums.’

✓ Company V, which was spun off from the major European telecommunications group V, reported an annual revenue of approximately USD 3.18 billion for the FY2025.

✓ FTP (File Transfer Protocol) Access: Access permissions to upload, download, and manage files stored on a server.

• The user noted that the data could be sold or exchanged for system access, providing images of the database structure and an alleged FTP access screen as evidence.

→ Exploiting these credentials could result in total system control loss; heightened caution in security management is strongly advised.

👉 Subscribe to <Weekly Darkweb> and get the latest newsletter every week.

Subscribe on LinkedIn

This newsletter is based on news derived from big data collected from over 400 million encrypted pages and channels, including those on the dark web and Telegram.

☎️ Contact us: https://s2w.inc/en/contact

*The full report is available upon request and for XARVIS subscribers.

Attachments

[S2W] Weekly Darkweb_20260104_EN.pdf

Threat Intelligence Reports

Threat Group Profiling: 888

2026.01.06

Threat Intelligence Reports

Threat Group Profiling: Everest

2026.01.13

List

File download request

This is a consent popup for collecting personal information in order to send you an attachment of S2W's Resource. Please enter the following items and submit, and the attachment will be sent to the email you provided. All information you provide will be subject to S2W's privacy policy.

Name *

Email *

Contact number *

Company / Institute name *

How did you find us?*

Agree to all

[Required] Terms of Service View all

[Required] Collection and Use of Personal Information View all

[Optional] Collection and Use of Information for Marketing Purposes

Collected items: Required : Name, Country, Company/Institute Name,Job Title, Email, Contact Number
Purpose of use: For online/offline marketing and advertising purpose Name, Job Title, Email, Contact Number; Delivery of product brochures, newsletters, event information, etc.
Retention period: Until consent for marketing use is withdrawn.