
Threat Intel - New Data Leak Site ALP-001 Emerges

Cyber Security News · Reporting by Tushar Subhra Dutta
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

In short: a new dark web site is selling both stolen data and access to corporate networks.

Quick Summary

A new dark web site called ALP-001 has emerged, linked to an active Initial Access Broker. This site indicates a dangerous shift towards data extortion in cybercrime. Organizations should be vigilant and enhance their security measures to mitigate risks.

The Threat

On March 22, 2026, a new Tor-based leak site called ALP-001 emerged on the dark web. This site openly markets itself as a "Data Leaks / Access Market," indicating a significant shift in the tactics of established threat actors. Traditionally, these actors focused on selling access to corporate networks. Now, they are expanding into full-scale data extortion, leveraging stolen data for maximum profit.

Security researchers from ReliaQuest have identified ALP-001 as linked to an active Initial Access Broker (IAB). This group has been building its presence on various underground forums since at least July 2024. Their transition from selling access to engaging in data extortion signals a more aggressive approach to cybercrime, merging data theft with victim exposure.

Who's Behind It

The group behind ALP-001 has a history of operating across multiple dark web forums, including Exploit and DarkForums. They have been known for selling unauthorized access to compromised enterprise systems, particularly targeting internet-facing perimeter devices and remote access gateways. Analysts have traced their activities back nearly two years, revealing a pattern of exploiting vulnerabilities in widely used technologies.

The group has been linked to at least 10 IAB accounts across six dark web forums. Their established credibility in these circles, including escrow-verified status, suggests they are trusted by buyers to deliver on their promises. This reputation makes them a formidable threat in the cybercriminal landscape.

Tactics & Techniques

The attack vectors employed by this IAB are broad and deliberate. They focus on compromised FTP and SSH servers, Fortinet FortiGate VPN appliances, and Cisco equipment. These targets are chosen because, once breached, they often provide deep access to corporate environments. The group's strategy involves maintaining multiple identities across forums, allowing them to extend their reach while minimizing the risk of disruption.

Recent evidence shows that the group is not only selling access but is also likely in possession of stolen data. For instance, a French manufacturing company with annual revenues of $543 million was listed as a new victim on ALP-001, matching a previous access sale from the same account. This connection confirms the group's shift towards data extortion.

Defensive Measures

Organizations must take proactive steps to defend against this emerging threat. Security teams should audit and patch all internet-facing edge devices, especially those from Fortinet, Cisco, and Citrix. These devices are frequently targeted by the group.

Additionally, companies should implement multi-factor authentication on all remote access points and conduct thorough audits of privileged accounts. Monitoring for signs of persistent access, such as unauthorized sessions or unusual outbound transfers, is crucial. By taking these actions, organizations can reduce their exposure and better protect themselves against the evolving tactics of cybercriminals.
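As an added illustration of the monitoring step above (example code, not from the original article or from ReliaQuest), the following Python flags remote-access sessions from a source address never before seen for that user and outbound volumes far above that user's own baseline. The log format, field names and sample records are constructed assumptions, loosely modelled on VPN and SSH session logs.

```python
"""Flag suspicious remote-access sessions in constructed VPN/SSH session logs."""
from collections import defaultdict
from statistics import median

# Constructed sample: one completed remote-access session per line.
# Field names (user, src, bytes_out) are assumptions, not a real product's schema.
SAMPLE_LOG = """\
2026-03-20T09:12:01Z user=alice src=203.0.113.10 bytes_out=12000
2026-03-20T10:40:13Z user=bob src=198.51.100.7 bytes_out=9500
2026-03-21T09:05:44Z user=alice src=203.0.113.10 bytes_out=15000
2026-03-21T11:20:09Z user=bob src=198.51.100.7 bytes_out=8800
2026-03-22T02:17:30Z user=alice src=192.0.2.55 bytes_out=4100000000
2026-03-22T09:30:00Z user=carol src=203.0.113.44 bytes_out=7000
"""


def parse_sessions(text):
    """Parse 'timestamp key=value ...' lines into dicts; bytes_out becomes an int."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = int(value) if key == "bytes_out" else value
        sessions.append(rec)
    return sessions


def flag_sessions(sessions, volume_factor=10, min_history=2):
    """Return (ts, user, reason) tuples for sessions that look like unauthorized
    access (new source for a known user) or an unusual outbound transfer
    (more than volume_factor times the user's median so far). Sessions are
    processed in log order, so a user's first sessions build the baseline."""
    known_src = defaultdict(set)    # user -> source addresses seen so far
    history = defaultdict(list)     # user -> bytes_out of earlier sessions
    alerts = []
    for s in sessions:
        user, src, out = s["user"], s["src"], s["bytes_out"]
        if history[user] and src not in known_src[user]:
            alerts.append((s["ts"], user, f"new source {src}"))
        if len(history[user]) >= min_history and out > volume_factor * median(history[user]):
            alerts.append((s["ts"], user, f"outbound {out} bytes vs median {median(history[user]):.0f}"))
        known_src[user].add(src)
        history[user].append(out)
    return alerts
```

On the sample data only alice's 02:17 session on 2026-03-22 is flagged, once for the unseen source and once for the outbound volume; carol's single session builds a baseline without alerting.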

🔒 Pro insight: The emergence of ALP-001 highlights a concerning trend where Initial Access Brokers are transitioning to data extortion, requiring heightened vigilance from security teams.
