Solonik

Solonik is a cybercriminal threat actor active on dark web forums and Telegram channels, primarily observed advertising and selling allegedly stolen datasets. In January 2026, Solonik gained attention for promoting an Instagram dataset described as “17M Global Users - 2024 API Leak,” claiming it contained usernames, email addresses, phone numbers, internal IDs, and partial location data. Multiple reports cited Solonik as highly active and associated with multiple large-scale data dump advertisements, including claims involving approximately 22.5 million records related to a U.S. asset management firm’s customers, offered for sale for $9,500, and separate claims involving VietISO. Supporting infrastructure attributed to Solonik included BreachForums and Dark Forums posts, public Telegram vouch/transaction channels, invite-only Telegram groups used for buyer negotiation and cryptocurrency payment confirmation, and a dedicated domain associated with leaked files. High-confidence reporting in the provided content indicates that Solonik likely repackaged and rebranded older breach or scraped data as new. Investigations found the advertised Instagram dataset was not new and matched materially identical data previously posted in 2023 and 2024, with no evidence of refresh or expansion. The same dataset was linked in prior postings under the aliases Chucky and Chucky_lucky, and the overlap in timing, datasets, platforms, and Telegram channels suggests possible linkage between Chucky, Chucky_lucky, and Solonik, although this was not conclusively proven. Infrastructure analysis also linked a Solonik-associated Telegram account to a phone number beginning with Iran’s +98 country code and to Persian-speaking Telegram activity, but the content explicitly states this is continuity/context only and not definitive attribution. No nation-state attribution is established in the provided content.