New Data Leak Site Uncovered Linked to Active Initial Access Broker on Underground Forums
The emergence of this platform points to a growing trend where established threat actors who traditionally sell corporate network access are now pushing into full-scale extortion.
Security researchers warn this could represent a significant shift in how initial access brokers operate, merging data theft with victim exposure for maximum leverage.
ALP-001 did not appear out of nowhere. The site carries clear markers of a well-organised threat actor who has been building a presence across multiple dark web forums since at least July 2024.
During that time, the group was primarily known for selling unauthorised access to compromised enterprise systems, with a particular focus on internet-facing perimeter devices and remote access gateways.
This move marks a sharp escalation in intent, suggesting the group now views extortion as a core part of its operation.
ReliaQuest analysts identified ALP-001 and directly tied the group to an active Initial Access Broker operating across prominent underground forums, including Exploit and DarkForums.
By cross-referencing the Tox and Session IDs displayed on the leak site, researchers confirmed that the same contact identifiers were already being used by a known IAB forum account.
This group had previously gone by the names “Alpha Group” and “DGJT Group,” giving investigators enough historical data to construct a timeline of activity reaching back almost two years.
A strong piece of corroborating evidence emerged when analysts compared the victims listed on ALP-001 against previous access sale posts on underground forums.
A French manufacturing company with reported annual revenues of $543 million, shown on the leak site as a new victim, matched exactly with an access sale the same forum account posted in January 2026.
This direct link between the leak site and forum activity left little doubt about the attribution and confirmed the group’s transition from access selling to data extortion.
The attack surface this group targets is broad and deliberately chosen. The IAB has historically profited from compromised perimeter technologies, focusing on widely used enterprise infrastructure that grants deep access to corporate environments once breached.
Their known attack vectors span FTP and SSH servers, Fortinet and FortiGate VPN appliances, Cisco equipment, Citrix and RDWeb gateways, and GlobalProtect remote access systems.
These targets are picked carefully because they are almost always internet-facing, carry significant privileges, and appear consistently across large organisations worldwide.
ReliaQuest analysts noted that ALP-001 has been connected to at least 10 IAB accounts spread across six dark web forums, with the group’s earliest known activity dating to July 2024.
Across these accounts, the group repeatedly advertised unauthorised access to enterprise organisations through compromised FTP servers, Fortinet/FortiGate VPNs, GlobalProtect, and Citrix environments.
This level of activity across multiple platforms signals a threat actor who has deliberately maintained parallel identities to extend reach and reduce the risk of being disrupted on any single forum.
What makes this escalation more concerning is the group’s established credibility within criminal circles. On underground forums, the group operated with escrow-verified status, meaning buyers trusted them to deliver what they promised.
While their actual data exfiltration capabilities have not been confirmed, the public listing of victims on a Tor-based site strongly suggests they are either already in possession of stolen data or working to obtain it shortly after gaining initial access.
Defenders facing this threat should audit and patch all internet-facing edge devices, particularly Fortinet, Cisco, and Citrix solutions, as these represent the group’s most frequently exploited entry points.
Security teams should also hunt for signs of persistent access, including unauthorised sessions, unusual outbound transfers over FTP or SCP, and irregular privileged account behaviour.
Enforcing multi-factor authentication on all remote access points and conducting thorough privileged account audits are critical steps organisations must take to reduce exposure.
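The hunt described above (unusual outbound transfers over FTP or SCP from internal hosts) can be expressed as a small log-triage routine. The following is an added example, not code from ReliaQuest or from the article; it runs over a constructed firewall connection log in a hypothetical `src -> dst bytes_out= user=` format, aggregates outbound bytes per internal source host towards external FTP (21) and SSH/SCP (22) endpoints, and flags any pair exceeding a byte threshold. The internal address ranges and the 100 MiB threshold are assumptions to tune for a real environment.

```python
"""Hunt for bulk outbound FTP/SCP transfers from internal hosts (added example)."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one line per closed firewall session.
# Hypothetical format: ts src_ip:port -> dst_ip:port proto bytes_out=N user=NAME
SAMPLE_LOG = """\
2026-02-03T01:12:09Z 10.20.4.15:51022 -> 10.20.9.8:445 tcp bytes_out=120000 user=svc-backup
2026-02-03T02:41:55Z 10.20.4.15:51890 -> 203.0.113.77:22 tcp bytes_out=734003200 user=svc-backup
2026-02-03T02:42:10Z 10.20.4.15:51891 -> 203.0.113.77:22 tcp bytes_out=512000000 user=svc-backup
2026-02-03T03:05:01Z 10.20.7.30:40012 -> 198.51.100.9:21 tcp bytes_out=48000000 user=jdoe
2026-02-03T03:10:44Z 10.20.7.30:40013 -> 198.51.100.9:21 tcp bytes_out=3000 user=jdoe
2026-02-03T04:00:00Z 10.20.3.2:60000 -> 192.0.2.10:443 tcp bytes_out=900000000 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) bytes_out=(?P<bytes>\d+) user=(?P<user>\S+)$"
)

# Services the article names as exfiltration channels; other ports are out of scope here.
TRANSFER_PORTS = {21: "ftp", 22: "ssh/scp/sftp"}

# Assumed internal ranges; documentation ranges in the sample are treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DEFAULT_THRESHOLD = 100 * 1024 * 1024  # assumed: 100 MiB per (src, dst, service) in the log window


@dataclass
class Finding:
    src: str
    dst: str
    service: str
    total_bytes: int
    sessions: int
    users: tuple[str, ...]


def parse_lines(text):
    """Yield parsed records; malformed lines are skipped so one bad line cannot abort the hunt."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_outbound_transfers(text, threshold=DEFAULT_THRESHOLD):
    """Return findings for internal hosts pushing >= threshold bytes to external FTP/SSH endpoints."""
    totals = defaultdict(lambda: {"bytes": 0, "sessions": 0, "users": set()})
    for rec in parse_lines(text):
        dport = int(rec["dport"])
        # Only outbound sessions to external hosts on the transfer ports are of interest.
        if dport not in TRANSFER_PORTS or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        agg = totals[(rec["src"], rec["dst"], TRANSFER_PORTS[dport])]
        agg["bytes"] += int(rec["bytes"])
        agg["sessions"] += 1
        agg["users"].add(rec["user"])
    findings = [
        Finding(src, dst, svc, a["bytes"], a["sessions"], tuple(sorted(a["users"])))
        for (src, dst, svc), a in totals.items()
        if a["bytes"] >= threshold
    ]
    # Largest transfers first so the most urgent pair is at the top of the triage list.
    return sorted(findings, key=lambda f: f.total_bytes, reverse=True)


if __name__ == "__main__":
    for f in hunt_outbound_transfers(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst} ({f.service}): {f.total_bytes} bytes over "
              f"{f.sessions} sessions, users={f.users}")
```

On the sample, only the SSH pair from 10.20.4.15 crosses the default threshold; the FTP activity from 10.20.7.30 (about 48 MB) only surfaces if the threshold is lowered, which is the trade-off to weigh against legitimate scheduled transfers. Aggregating per source/destination pair rather than per session matters because a split upload of many mid-sized files would otherwise stay under any single-session limit.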
The post New Data Leak Site Uncovered Linked to Active Initial Access Broker on Underground Forums appeared first on Cyber Security News.