Threat Actor Claims Theft of 400,000 Bol Customer Records
A threat actor using the alias "Jeffrey Epstein" claimed to have stolen data on more than 400,000 Belgian customers of Dutch online retailer Bol and advertised the dataset for sale on a dark web forum. Reports said the actor published a sample to support the claim and directed prospective buyers to negotiate through Telegram or Session.
The allegedly exposed records include names, birthdates, phone numbers, email addresses, physical and shipping addresses, tracking numbers, order history, and some payment-related details, though reports said passwords and bank or financial data were not included. Bol said it was taking the claim seriously but had no evidence of a hack or attack, that its systems were operating normally, and that no ransomware was involved; if the data is genuine, it could be used in phishing, identity theft, and fraud targeting affected customers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Bol denies breach and says no evidence of attack exists
Bol responded that it was taking the report seriously but had found no evidence of a hack or attack, said its systems were operating normally, and stated that no ransomware was involved. This denial accompanied public reporting on the alleged data theft.
Threat actor claims theft of 400,000+ Bol customer records
A threat actor using the alias "Jeffrey Epstein" claimed on a dark web forum to have stolen personal and transactional data belonging to more than 400,000 Belgian customers of Dutch retailer Bol. The actor allegedly posted a sample of the data and offered the dataset for sale via Telegram or Session.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Odido Customer Data Breach and Extortion Leak Campaign
Dutch telecom **Odido** reported that attackers stole data on **6.2 million** current and former customers, while the threat actor claimed the dataset covers **8+ million** people and demanded **€1M+** in ransom, threatening to publish data in daily tranches if unpaid. Reporting indicates the company refused to pay, and the extortionists proceeded with a staged leak strategy intended to maximize public and media impact. Subsequent leak batches reportedly included not only typical customer identifiers (e.g., names, addresses, phone numbers, dates of birth, bank account numbers, and ID numbers) but also **internal customer-service notes** containing highly sensitive context such as stalking, threats, domestic violence, and protected addresses—creating potential **physical safety risks** for affected individuals. The leak cadence was described as multiple dumps over consecutive days (including a “final dump”), drawing significant national attention in the Netherlands and increasing the likelihood of intensified law-enforcement focus on the perpetrators.
Mar 27, 2026
HexDex Lists Stolen Customer and Operational Data From French Retailers
Threat actor **HexDex** has claimed breaches at two French e-commerce companies and is offering the allegedly stolen data for sale. One listing targets **Airsoft-Entrepot**, where the actor says it obtained more than 10 database files covering 2013 to 2026, including roughly **383,000 customer profiles**, **328,000 email addresses**, **243,000 phone numbers**, and **333,000 full address records**. The exposed material reportedly goes beyond customer PII to include **orders, invoices, supplier data, delivery history, accounting records, B2B orders, and warehouse or inventory information**, suggesting compromise of both customer-facing and back-office systems. A second listing targets **Allopneus**, a major French online tire retailer, with HexDex claiming to hold data spanning 2014 to 2026 for **453,299 customers** across **739,316 records**, including **513,089 phone numbers** and **453,299 email addresses**. The actor reportedly published proof links, sample records, and 1,000-line excerpts for both datasets while soliciting offers through underground channels. If authentic, the disclosures would expose large volumes of customer contact data and purchase-related information, while the Airsoft-Entrepot cache could also reveal sensitive supplier, financial, and logistics details that increase fraud, phishing, and business intelligence risks.
Mar 23, 2026
Dark Web Leak Claims Target Colis Privé and Multiple Online Services
Dark web monitoring reports described **unverified data leak claims** involving several organizations, including French parcel delivery firm **Colis Privé**. One post on **BreachForums** allegedly offered an upload of **22,564,381 records** attributed to Colis Privé, described as `.jsonl` files totaling **~4.1 GB**; no specific threat actor attribution or company confirmation was cited, and the notice characterized the situation as informational while scope is assessed. If authentic, the scale and format of the dataset would materially increase risk of **identity theft, credential stuffing, and targeted phishing** against customers. Separate dark web forum posts also alleged database exposures affecting **JobsGO** (Vietnam recruitment platform), **MyVete** (veterinary management platform), **PIXPAY** (Senegalese payment service), and **Groupe Fondasol** (France-based engineering). The claimed datasets reportedly include **CV/personal records**, and in some cases **API credentials and employee metadata**, with example figures including **~2.3 million records** for JobsGO and **~5.57 million records** for MyVete (verification not indicated). Across the claims, the primary business risk is downstream abuse of exposed personal and operational data for **social engineering, recruitment fraud, and account takeover**, rather than immediate exploitation of a specific software vulnerability.
Mar 21, 2026