We’re back with another monthly cybercrime update – and with summer on the horizon, we hope that, in addition to catching up on threats from the criminal underground, you’re also busy planning some well-deserved vacation time.
- Speaking of taking breaks, that’s a good chunk of what we saw happen in cybercrime forums this past month, with major outages impacting BreachForums and LeakBase, as well as popular imageboard site 4chan.
- The Twitter/X breach was the hot breach of the month, impacting 8 billion users. SpyCloud has ingested the breach and customers can access breach insights to evaluate related risks.
- And – since we’ve been hearing some folks express what may be false confidence when it comes to macOS device immunity from malware – we took a fresh look at Atomic macOS Stealer (AMOS) and provided some new infection insights as a cautionary tale.
Read on for all this and more.
April cybercrime news
BreachForums outage & copycats
BreachForums, the most popular English-language data breach forum and the successor to RaidForums, went dark on April 15, 2025. The outage led to a flurry of unsubstantiated speculation about possible law enforcement actions and the creation of multiple copycat websites attempting to capitalize off of the situation.
On April 28, a simple message was posted to the breachforums[.]st website, stating that the site had been intentionally taken offline because the administrators had found out about “a MyBB 0day” which rendered the forum “subject to infiltration by various agencies and other global law enforcement bodies.”
During the outage, multiple different actors also attempted to capitalize on the confusion for clout and profit:
- The DDoS group that goes by the name DarkStorm claimed that they were responsible for the site outage, stating that they had DDoSed the forum “for fun.”
- A pair of new scam sites popped up claiming to be ‘BREACHFORUMS V4’ prompting people to pay $250 in Monero cryptocurrency to register for an account on the “new breachforums.” These appeared at breachforums[.]im and breachforums[.]cc. As of this writing breachforums[.]cc appears to be offline and breachforums[.]im has a different landing page, now offering the domain itself for sale by the actor @baphcomet.

- A new breached[.]fi forum also popped up claiming to be the new BreachForums, but without any clear affiliation with the administrators from the original site or the forum and user data. In fact, an announcement was posted to this site by forum administrator ‘Normal’ claiming that they were not backing up old forum data or account information as a deliberate “security-first” choice because they “are treating all previous user data as potentially exposed.” While many claimed that this site was a law enforcement honeypot, it was more than likely simply another – slightly less brazen – attempt to capitalize on the situation by claiming to be the new BreachForums site and offering different paid account tiers to new users. As of this writing, this site appears to be offline.
- Another actor who goes by hasan (aka hasanbroker/sextorts) has also posted extensively on both X/Twitter and Telegram claiming to be creating a successor to BreachForums. Based on a cursory search of the actor’s posting history, they appear to also be engaged in the network of online hacking, fraud, and harm communities known as ‘the Com.’

In the midst of all of this activity, it still remains unclear exactly what happened to cause the BreachForums outage, whether the forum will be restored, and where the actors who were active on BreachForums will ultimately migrate their activity.
4chan hack & leak
Coincidentally, on April 15, the popular imageboard site 4chan also appeared to go offline. This outage followed posts on rival imageboard soyjak[.]party starting on April 14 by a user claiming to have backend access to 4chan. This individual posted multiple proofs of this access including screenshots of administrative access, 4chan source code, a list of email addresses corresponding to janitor (4chan moderator) accounts, and pages of posts from the /j/ board which is restricted to 4chan janitors only.
Additionally, they used this access to restore the /qa/ board, a board which had been previously banned after ‘soyjaks’ took it over in 2021, prompting the 4chan moderators to delete the board and disgruntled users to create their own imageboard soyjak[.]party. After a 10-day outage, 4chan appeared to be back up and functional as of April 25.

LeakBase was down too!?
On April 29, another popular English-language data breach forum, LeakBase, also appeared to be down. However, the LeakBase administrator, Chucky, continued to post data from his Telegram account to official LeakBase-affiliated channels. On May 1, he posted an announcement to Telegram stating that they are in the process of migrating the website, but did not have an estimate of when the “new domain” would be active.
As of May 3, the forum appeared to be back up and running at a new domain: leakbase[.]la.

Image 5: Announcement on Telegram by LeakBase owner Chucky stating that the forum is being migrated.

Image 6: Telegram channel message on May 3 sharing a link to a new domain for the LeakBase forum.
Twitter data leak
On March 28, BreachForums user ThinkingOne posted a massive tranche of data from X/Twitter via a BitTorrent link, alleging that it had been originally leaked in January 2025 and “was almost certainly taken by a disgruntled employee while many employees were being laid off.” In the post, they also claimed that they had attempted contacting X/Twitter to no avail and that they were reposting this data to “make the public aware” of this breach affecting 2.8 billion X/Twitter users.
In the same post, they also released an additional combined data set, produced by merging email addresses from the 2023 X/Twitter breach into this 2025 BitTorrent data set. The combination yielded 200M+ records of X/Twitter accounts with email addresses. The whole leak totaled over 400GB of X/Twitter user account data spanning the last two years.
SpyCloud customers have access to the data from this breach, which can be used to aid investigations.
TL;DR of new SpyCloud Labs research
What do ransomware gangs talk about when they think no one’s watching? We analyzed the leaked chat logs from the Black Basta ransomware group, revealing how these criminals communicate, negotiate, and coordinate attacks. We also spent time digging into the different ways that Black Basta and their affiliates talked about leveraging stolen credentials to perpetrate attacks. It’s a rare look into the human side of ransomware – unfiltered, insightful, and essential reading for defenders.
Current & forthcoming cybercrime research
AMOS Stealer & the rise of macOS MaaS
Atomic macOS Stealer (AMOS) first appeared in April 2023, when it was identified by Cyble Research and shortly thereafter advertised on Telegram for around $1,000 per month. AMOS is engineered in Swift for universal compatibility across Intel and Apple Silicon Macs, and propagates through Trojanized DMG installers, malicious Google Ads campaigns, and spoofed applications such as the Arc Browser.
Once resident, the stealer exfiltrates macOS Keychain credentials, comprehensive system information, browser cookies, and even cryptocurrency wallet contents – targeting platforms like Atomic, Binance, Electrum, and Exodus.
Offered as malware-as-a-service (MaaS) via affiliate-driven Telegram channels, Atomic Stealer has seen its infection rate vault on the back of rapid evolution and aggressive distribution: it accounts for 90 percent of successful macOS infections in SpyCloud’s recaptured malware data (to the tune of more than 33,000 unique infections).
In light of this, let’s take a moment and break down some details about the devices that have been infected with AMOS since the beginning of 2025.
Analysis of AMOS infections in 2025
First, analyzing AMOS infections by the country code extracted from 2025 log data shows a notably different distribution of infected devices from a similarly sized sample of logs from LummaC2, the most popular Windows-targeted infostealer as of this writing.

Image 7: Distribution of AMOS infections by country code in 2025.

Image 8: Distribution of LummaC2 infections by country code in 2025.
While both AMOS and LummaC2 have more victims in India than any other country, the United States’ dubious honor of receiving the penultimate slot of AMOS infections is notable as it places four spots higher than LummaC2.
Based on our analysis, the US’ position – alongside other Western countries which appear much higher than the comparative Windows-targeted data – may be due to the market saturation of Apple products, with the US and Europe leading the charts for Apple device purchases.
It’s also interesting to look at the breakdown of device CPUs infected by AMOS so far in 2025. While Apple Silicon has replaced Intel chips in all new (since 2020) Apple devices, devices with older-generation Intel CPUs are still observed in new infections.

Image 9: CPUs infected by AMOS in 2025.
Lastly, looking at the version of macOS installed at the time of infection reveals that, while older – and likely more vulnerable – versions of macOS like 12.7.6 (macOS Monterey, released in 2024) top the charts, more recent versions are not far behind.
This suggests that the developer of AMOS somewhat regularly maintains and updates the malware to respond to increased security on what is already a platform that is widely considered to be a very secure operating system. SpyCloud last observed an update to AMOS in January of this year, coinciding with the release of macOS 15.3.

Image 10: macOS versions infected by AMOS in 2025.
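The country, CPU and OS breakdowns above are all the same operation applied to per-infection metadata: group by a field, rank the values, and compare the rank of one value across two malware families. The script below is an added example (not SpyCloud’s tooling) that does exactly that over a constructed sample of log metadata lines; the `family=... country=... cpu=... os=...` line format, the counts, and the CPU/OS labels are all assumptions made up for the example, not figures from the report.

```python
"""Rank and compare infostealer-log metadata across malware families.

Added example, not SpyCloud code. SAMPLE_LOGS is a constructed stand-in for
the per-infection metadata a recaptured stealer log carries; a real pipeline
would parse each family's own log layout before reaching this step.
"""
from collections import Counter

# Constructed sample: one infection per line as key=value pairs.
# Counts are invented so that "US" sits 2nd for AMOS and 6th for LummaC2.
SAMPLE_LOGS = """\
family=AMOS country=IN cpu=Apple_M1 os=14.4
family=AMOS country=IN cpu=Apple_M2 os=15.3
family=AMOS country=IN cpu=Intel_i5 os=12.7.6
family=AMOS country=IN cpu=Apple_M1 os=13.6
family=AMOS country=US cpu=Intel_i7 os=12.7.6
family=AMOS country=US cpu=Apple_M3 os=15.3
family=AMOS country=US cpu=Apple_M1 os=14.4
family=AMOS country=DE cpu=Apple_M2 os=15.3
family=AMOS country=DE cpu=Intel_i5 os=12.7.6
family=AMOS country=FR cpu=Intel_i7 os=12.7.6
family=LummaC2 country=IN cpu=Intel_i5 os=Win10
family=LummaC2 country=IN cpu=AMD_R5 os=Win11
family=LummaC2 country=IN cpu=Intel_i7 os=Win10
family=LummaC2 country=IN cpu=Intel_i3 os=Win10
family=LummaC2 country=BR cpu=AMD_R5 os=Win11
family=LummaC2 country=BR cpu=Intel_i5 os=Win10
family=LummaC2 country=BR cpu=Intel_i5 os=Win11
family=LummaC2 country=RU cpu=Intel_i7 os=Win10
family=LummaC2 country=RU cpu=AMD_R7 os=Win11
family=LummaC2 country=TR cpu=Intel_i5 os=Win10
family=LummaC2 country=TR cpu=Intel_i3 os=Win10
family=LummaC2 country=DE cpu=Intel_i7 os=Win11
family=LummaC2 country=US cpu=AMD_R5 os=Win11
"""


def parse_records(text):
    """Turn key=value lines into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(dict(token.split("=", 1) for token in line.split()))
    return records


def distribution(records, family, field):
    """(value, count) pairs for one family, most common first; ties broken by value."""
    counts = Counter(r[field] for r in records if r["family"] == family)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rank_of(records, family, field, value):
    """1-based position of `value` in the family's distribution, or None if absent."""
    for position, (val, _count) in enumerate(distribution(records, family, field), start=1):
        if val == value:
            return position
    return None


def rank_shift(records, field, value, family_a, family_b):
    """How many spots higher `value` ranks for family_a than for family_b (positive = higher)."""
    rank_a = rank_of(records, family_a, field, value)
    rank_b = rank_of(records, family_b, field, value)
    if rank_a is None or rank_b is None:
        return None
    return rank_b - rank_a


def share(records, family, field, predicate):
    """Fraction of a family's infections whose `field` satisfies `predicate`."""
    fam = [r for r in records if r["family"] == family]
    if not fam:
        return 0.0
    return sum(1 for r in fam if predicate(r[field])) / len(fam)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGS)
    for fam in ("AMOS", "LummaC2"):
        print(fam, "by country:", distribution(recs, fam, "country"))
    print("US rank shift AMOS vs LummaC2:", rank_shift(recs, "country", "US", "AMOS", "LummaC2"))
    print("AMOS share on Intel CPUs:", share(recs, "AMOS", "cpu", lambda c: c.startswith("Intel")))
    print("AMOS by macOS version:", distribution(recs, "AMOS", "os"))
```

Ties are broken alphabetically so that ranks are stable across runs; on real data you would want to look at the counts as well as the rank, since a four-spot difference between two families with thin tails can be a handful of infections.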
Taken together, these insights underscore not only the persistent adaptability of AMOS, but also the growing need for proactive macOS-specific defenses. As threat actors continue to refine their tools to penetrate even the latest Apple hardware and software, it’s clear that the myth of macOS invulnerability is long outdated.
Security teams must remain vigilant and regularly update, monitor, and protect organizational and personal Apple devices against a new generation of targeted malware like AMOS.
Intro to malware crypter services
As part of SpyCloud’s research into the malware ecosystem, we’re digging into the evolution of crypter services.
A malware crypter (aka cryptor, Криптор) is an anti-detection tool that uses encryption, encoding, and other techniques to obfuscate a software binary, making it difficult for antivirus and EDR tools to detect the malicious behavior of the program. These tools are integral to effective malware campaigns, making them a key component in the growing and expanding cybercrime enablement services landscape. Often they are marketed as making malware “fully undetectable” or “FUD” for short, and they may even list the specific AV/EDR software that they are able to evade.
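Because a crypter’s job is to encrypt or encode the payload it wraps, the wrapped bytes end up looking close to uniformly random, and that is something a defender can measure. The script below is an added example (not SpyCloud’s code and not related to any crypter service named on this page) that runs a sliding-window Shannon entropy scan over a sample binary; the sample itself is constructed in-line from a text header, a seeded random block standing in for an encrypted payload, and a zero-filled trailer, so nothing is read from disk.

```python
"""Entropy triage for crypter-obfuscated binaries.

Added example, not SpyCloud code. build_constructed_sample() fabricates a
file image in memory: low-entropy text, then a random block that stands in
for an encrypted payload, then zero padding. No real binary is involved.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def scan_windows(data: bytes, window: int = 1024):
    """Entropy of each non-overlapping window as [(offset, entropy), ...]."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def flag_high_entropy(data: bytes, window: int = 1024, threshold: float = 7.2):
    """Offsets of windows whose entropy exceeds `threshold` (encrypted/compressed-looking)."""
    return [off for off, ent in scan_windows(data, window) if ent > threshold]


def build_constructed_sample() -> bytes:
    """Constructed sample: 2048 B of text, 4096 B of seeded random bytes, 1024 B of zeros."""
    header = (b"The quick brown fox jumps over the lazy dog. " * 100)[:2048]
    payload = random.Random(7).randbytes(4096)   # stands in for an encrypted blob
    trailer = bytes(1024)
    return header + payload + trailer


def triage(data: bytes, window: int = 1024, threshold: float = 7.2) -> dict:
    """Summarise the scan into the fields an analyst would look at first."""
    windows = scan_windows(data, window)
    flagged = [off for off, ent in windows if ent > threshold]
    return {
        "size": len(data),
        "max_window_entropy": max((e for _, e in windows), default=0.0),
        "high_entropy_bytes": len(flagged) * window,  # upper bound; last window may be short
        "flagged_offsets": flagged,
        "verdict": ("review: encrypted/packed region present"
                    if flagged else "no high-entropy region"),
    }


if __name__ == "__main__":
    sample = build_constructed_sample()
    for off, ent in scan_windows(sample):
        print(f"offset {off:6d}  entropy {ent:.2f}")
    print(triage(sample))
```

High entropy is a triage signal, not a verdict: legitimate packers, compressed resources and embedded images score just as high, so this check belongs alongside other signals (signing status, imports, section names, behaviour in a sandbox) rather than on its own.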
Many are sold on the darknet, sometimes bundled with other Malware-as-a-Service (MaaS) product offerings like infostealer malware or loader malware (malware designed to deliver additional malware payloads). When not explicitly bundled together by the same MaaS operators, malware developers will still often recommend or partner with particular crypter services.
You can see both of these dynamics in Image 11 below: a partnership between an infostealer malware offering and a crypter service, as well as a crypter offered under the same brand name as a popular infostealer malware. Additionally, Image 12 shows that the relationship also goes both ways, with crypters often advertising for malware families, too.


Image 11: Two Telegram messages from the developers of the SEIDR infostealer malware. The first, from April 2024, announces a partnership between the SEIDR developers and the NetPain crypter service. The second, from almost a year later in March 2025, announces a new crypter offering from the developers of SEIDR.

Image 12: The Finar Crypting Service advertising for the GhostSocks malware family in March of 2024.
As we continue our research into malware crypter services, we’ll share more findings on trends and usage.