Sunday, January 18, 2026

Dark Web Breach – Lionishackers Sell Stolen Corporate Databases

A financially motivated threat actor known as “Lionishackers” has emerged as a significant player in the corporate database theft market, actively exfiltrating and selling sensitive company information through underground forums and encrypted messaging platforms.

According to recent threat intelligence analysis by Outpost24’s KrakenLabs team, this group has been operating since September 2024, targeting corporations across multiple sectors with a particular focus on Asian markets.

SQL Injection Attacks Drive Data Theft Operations

The cybercriminal group primarily employs SQL injection attacks to compromise its victims, utilizing automation tools such as SQLMap to streamline its operations.

Unlike traditional ransomware groups that demand payment before releasing stolen data, Lionishackers operates a direct-to-market model, immediately offering exfiltrated databases for sale without prior extortion attempts.

Their targeting strategy demonstrates both opportunistic behavior and regional preferences, with documented attacks against gambling sites, government agencies, pharmaceutical companies, telecommunications providers, educational institutions, and retail organizations.

The group has specifically stated its preference for attacking gambling sites, though its victim portfolio spans diverse geographic regions, including Thailand, Syria, and India.

Beyond corporate database theft, Lionishackers has expanded its criminal enterprise to include selling social media platform credentials, email service databases, and even commercializing a botnet dubbed “Ghost” that supports both Layer 4 and Layer 7 attacks.

[Image: Lionishackers commercializing the Ghost botnet on Telegram]

In August 2024, they launched “Stressed Forums,” a criminal marketplace that operated during a period when major forums, such as Breach Forums, faced law enforcement seizures.

Underground Network Operations and Attribution Evasion

The group maintains an extensive presence across multiple underground forums while conducting all negotiations exclusively through Telegram.

In a deliberate attempt to evade attribution, Lionishackers creates multiple forum accounts under different aliases rather than maintaining consistent identities across platforms.

Researchers have identified at least 15 distinct usernames across various forums, with many accounts being banned or posting only a single thread before being abandoned.

Intelligence analysis reveals connections between Lionishackers and the politically motivated “Hunt3r Kill3rs” group, with evidence showing Lionishackers served as an administrator for the Hunt3r Kill3rs Telegram channel.

This relationship has led to secondary ideological motivations, including participation in coordinated DDoS attacks against Ukrainian and Israeli targets.

The cybersecurity implications extend far beyond initial data theft, as purchased databases enable subsequent criminal activities, including credential reuse attacks, sophisticated social engineering campaigns, corporate espionage, and financial fraud.

Companies face not only direct financial losses but also significant reputational damage when their compromised data is sold on underground markets and attracts media attention.

This case highlights the evolving landscape of cybercrime, where individual actors exploit underground networks to monetize stolen corporate data, resulting in cascading security risks that affect multiple victim organizations and their stakeholders.
