888
888 is a financially motivated cybercriminal and data broker active on cybercrime forums including BreachForums and DarkForums. According to the available reporting, the actor is associated with advertising, selling, leaking, or claiming responsibility for multiple large-scale data breaches affecting organizations in several sectors, including space/scientific collaboration, real estate, events, recruitment, betting, and other commercial targets. Known victims named in the reporting include the European Space Agency (ESA), Ledil Immobilier, DinerEnBlanc.com, CIEE (Centro de Integração Empresa-Escola), ThankQCamping, Samsung Medison, MinasBet, and incidents involving Microsoft and Nokia employee data. The actor has been described as having a credible reputation on the dark web for large-scale data breaches and operating for financial gain.
888 has offered stolen data for sale or publication on forums, including exclusive sales and free-download leaks, and has requested payment in Monero in some cases. Reported exposed data types across incidents include personally identifiable information, employee and customer records, source code from private Bitbucket repositories, CI/CD configurations, API and access tokens, SQL database files, Terraform code, credentials, internal documentation, event-management data, and sensitive cloud-hosted records.
Tradecraft explicitly mentioned in the reporting includes use of cybercrime forums for monetization and disclosure, alleged exploitation of public-facing applications, theft of data from information repositories, exfiltration over web services, and in at least one case access via a compromised third-party service. In the CIEE incident, reporting tied the exposure to a publicly accessible misconfigured Google Cloud Storage bucket. In the ESA case, 888 claimed access to external servers supporting unclassified collaborative engineering activities and posted screenshots as purported proof, though some reporting noted the authenticity of samples had not yet been independently verified at the time.
No nation-state attribution is supported by the available reporting. No additional aliases or sub-groups for 888 are directly established in the reporting beyond the actor name itself.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Real Estate Management & Development
Where they target
Geographies tied to known operations.
- 🇫🇷 France
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
- Posted and freely distributed a full database allegedly stolen from Ledil Immobilier on darkforums.su, exposing 6,700 user records containing real estate customer, agent, notaire, property, and transaction data.
- Selling a stolen DinerEnBlanc.com database containing 411,000 user records, including personal details, event logistics, VIP/VIF status, partner links, and newsletter data, as a one-time exclusive sale for Monero.
- Financially motivated data-leak actor advertising/selling stolen datasets on underground forums; claimed breaches include a Thailand-based health supplement company (Hopeful Co., Ltd; ~158k customer records) and a UAE-based consulting/software firm (MHz Group). Authenticity not independently verified in the report.
- 888 is known for breaching organizations and exfiltrating sensitive data, which is then offered for sale on cybercrime forums. In this incident, 888 claims to have accessed European Space Agency servers for a week, stealing hundreds of gigabytes of internal data.