Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks

A wave of fake data leak claims is flooding dark web forums, and most of what is being sold turns out to be recycled material from old breaches.

Threat actors operating in Chinese-language cybercrime ecosystems are packaging this stale data and marketing it as fresh corporate intelligence, tricking organizations into wasting time and money on incidents that never actually happened.

Security teams around the world have been put on high alert as the volume of these fraudulent claims continues to rise.

The listings appear across dark web forums and Telegram channels, often advertising millions of records tied to banks, investment firms, and other corporations across multiple regions.

The speed and scale of these posts make it nearly impossible for understaffed security teams to separate real threats from noise.

Exchange Market dark web forum (Source – Group-IB)

Analysts at Group-IB identified this growing trend and tracked five major lead data sources operating exclusively in Chinese-language environments on dark web forums and Telegram.

Their research found that most advertised datasets were compiled from prior breaches, contained generated data, and showed no signs of a new or active corporate compromise.

Group-IB said in a report shared with Cyber Security News (CSN) that these sources routinely post between 600 and 1,000 messages per month, a volume that would be extraordinary if the breach claims were genuine.

The tactic works precisely because the data is not entirely fake. Brokers pull legitimate personally identifiable information from well-known past leaks like the Facebook 2021 breach and the Eatigo 2020 incident, then combine it with generated or inconsistent data to bulk up the claimed record count.

This gives listings just enough credibility to cause panic, even though the rest of the dataset does not hold up under scrutiny.

Chang’An Sleepless Night dark web marketplace (Source – Group-IB)

What makes this especially dangerous is the time it costs defenders. Security teams that chase these false alarms are pulled away from real incidents, giving threat actors more room to operate undetected.

Dark Web Leak Scam

The combination of fast messaging, high volume, and low-quality claims creates a fog that directly benefits those behind it.

The researchers tracked five prominent brokers in Chinese-language dark web spaces, including platforms known as Exchange Market (also called Deepmix), Chang’An Sleepless Night, Aiqianjin, Yiqun Data, and Phoenix Overseas Resources.

Each broker uses Telegram channels or dark web marketplaces to distribute its supposed data packages. Aiqianjin alone reached nearly 5,000 subscribers on Telegram before ceasing operations in July 2024, illustrating how widely these channels can spread misinformation.

Phoenix Overseas Resources’ Telegram channel (Source – Group-IB)

Group-IB analysts validated sample data from multiple listings and found the same pattern each time. Names and phone numbers traced back to the Facebook 2021 dataset. Password hashes pointed to the Eatigo 2020 breach.

Email addresses matched records from the Truecaller 2022 leak. In every case, brokers had stitched together fragments from prior incidents and relabeled them as freshly stolen corporate data.

The inconsistencies became obvious once cross-referenced, with fields showing mixed-language values, atypical translations, and field names no legitimate database would ever use.

Protecting Organizations from Lead Data Traps

Group-IB recommends a structured analytical approach when organizations encounter these types of claims.

The first step is verifying that the advertised fields match the structure of the organization’s own internal records.

If a dataset claims to contain customer data, the field names, data types, and record counts should align with what the company actually stores. Mismatches are a strong sign the data was pulled from somewhere else entirely.

Image of sample data posted by Phoenix Overseas Resources (Source – Group-IB)

Organizations should also check whether identifiers in the sample data, such as email addresses or phone numbers, actually belong to their customer or employee base.

One or two real-looking identifiers are not enough to validate a claim, especially when other fields in the same record are inconsistent.

Security teams are urged to use threat intelligence platforms for updated breach cross-referencing before escalating a potential incident.

A calm, evidence-based approach rather than reacting to urgency is the most effective defense against lead data brokers who rely on confusion to succeed.
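One way to automate the first two checks Group-IB describes (schema alignment and identifier membership) together with the mixed-language inconsistencies noted earlier. This is an added example, not code from Group-IB or the article; the internal schema, the known-customer identifier sets and the broker sample rows are all constructed for illustration.

```python
import re

# Schema the organization actually stores (constructed for this example).
INTERNAL_SCHEMA = {"email": str, "phone": str, "full_name": str, "signup_year": int}
# Identifiers the defender can look up internally (constructed sample data).
KNOWN_EMAILS = {"alice@example.com", "bob@example.com"}
KNOWN_PHONES = {"+6591234567"}

# Broker "sample" as it might be pasted from a listing (constructed, not real leak data).
BROKER_SAMPLE = [
    {"email": "alice@example.com", "phone": "+6591234567", "full_name": "Alice Tan", "signup_year": 2021},
    {"邮箱": "carol@example.net", "phone": "13800000000", "full_name": "用户三", "signup_year": "二零二零"},
    {"email": "dave@example.org", "phone": "N/A", "full_name": "Dave", "signup_year": 2019, "密码hash": "5f4dcc3b"},
]

# CJK Unified Ideographs: a Chinese-language value or field name in a dataset that
# is supposed to come from a non-Chinese customer database is one of the
# inconsistencies the researchers flagged.
CJK = re.compile(r"[\u4e00-\u9fff]")


def assess_listing(records, schema=INTERNAL_SCHEMA, known_emails=KNOWN_EMAILS, known_phones=KNOWN_PHONES):
    """Score a claimed leak sample against what the organization really stores.
    Returns per-record findings and a verdict; a listing is treated as unsupported
    unless more than half of its rows match our schema AND carry our identifiers."""
    findings = []
    for rec in records:
        issues = []
        unknown = set(rec) - set(schema)
        missing = set(schema) - set(rec)
        if unknown:
            issues.append(f"foreign fields: {sorted(unknown)}")
        if missing:
            issues.append(f"missing fields: {sorted(missing)}")
        for field, typ in schema.items():
            if field in rec and not isinstance(rec[field], typ):
                issues.append(f"type mismatch in {field}")
        if any(CJK.search(k) or CJK.search(str(v)) for k, v in rec.items()):
            issues.append("mixed-language values or field names")
        ours = rec.get("email") in known_emails or rec.get("phone") in known_phones
        findings.append({"known_identifier": ours, "issues": issues})
    clean_and_ours = sum(1 for f in findings if f["known_identifier"] and not f["issues"])
    verdict = "corroborated" if clean_and_ours > len(records) / 2 else "unsupported: likely recycled or generated"
    return findings, verdict
```

A single clean row with a real identifier (row 1 above) is exactly the "one or two real-looking identifiers" the article warns about; the verdict only flips to corroborated when the majority of rows survive every check.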

The post Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks appeared first on Cyber Security News.

Source: cybersecuritynews.com –
