Group-IB Finds Fake Cybercrime Data Networks Recycling Old Leaks on Telegram

By: Morgan Cipher Senior Privacy Journalist

Last updated: May 20, 2026

  • Chinese-language cybercrime groups on dark web forums and Telegram sell fake stolen data, but Group-IB analysis found no evidence of actual breaches after gathering over 17,000 messages.

  • Sellers stitch together old leaks and add machine-translated field names to market recycled information as fresh intelligence.

  • The fraudulent claims waste security resources as organizations investigate non-existent breaches instead of focusing on real threats, particularly affecting financial institutions across the Gulf region.

Cybersecurity firm Group-IB has uncovered a network of Chinese-language cybercrime ecosystems peddling data on dark web forums and Telegram channels. The groups claim to possess large volumes of information stolen from organizations worldwide, especially financial institutions within the Gulf region.

After collecting over 17,000 messages from three Telegram-based sources as part of a five-source study, Group-IB researchers found no evidence of actual data breaches. The analysis reveals a different pattern from what the criminals advertise. What sellers display as fresh stolen data actually consists of recycled information compiled from old leaks.

The research identified five prominent sources operating exclusively in Chinese-language environments. These include dark web marketplaces like Exchange Market and Chang’An Sleepless Night, along with Telegram channels such as Aiqianjin, Yiqun Data, and Phoenix Overseas Resources. These sources post up to 1,000 messages per month.

The rise of Telegram for stolen data sales is part of a larger shift. Research shows Telegram is replacing the dark web as criminals seek faster, more accessible platforms for their activities.

Sellers Stitch Together Old Leaks with Machine-Translated Labels

The cybercrime groups assemble records from prior data breaches and stitch them together into new datasets. They add machine-translated field names to make the information appear fresh and relevant. The criminals then market these compiled records as new intelligence on targeted organizations.

Group-IB validated sample datasets record by record during the investigation. The researchers traced names and phone numbers back to the 2021 Facebook data leak. Password hashes originated from the 2020 Eatigo breach and were matched to completely different individuals than the sellers claimed.

The analysis revealed Arabic database headers that had been machine-translated to the point of incoherence. The data simply does not belong to the organizations that the sellers name in their advertisements. This pattern remained consistent across all sources examined in the study.

The upstream sources for phone numbers across all analyzed examples came predominantly from the Facebook breached dataset. Criminals repackage this years-old information as newly stolen data from recent breaches. The tactic deceives potential buyers who believe they are purchasing fresh intelligence.
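A minimal sketch of the record-by-record validation described above, as an added example that is not Group-IB's tooling or part of the original article: it fingerprints each field of an advertised sample and looks it up in indexes built from locally held copies of old leaks. The leak names, field names, and every record are constructed for illustration.

```python
import hashlib
import re
from collections import Counter

FIELDS = ("name", "phone", "password_hash")  # assumed field names

def fingerprint(field, value):
    """Normalise a value, then hash it so indexes never hold raw PII."""
    value = re.sub(r"\D", "", value) if field == "phone" else value.strip().lower()
    return hashlib.sha256(f"{field}:{value}".encode()).hexdigest()

def build_index(leaks):
    """Map each field fingerprint to (leak name, row number in that leak)."""
    index = {}
    for leak_name, rows in leaks.items():
        for row_no, row in enumerate(rows):
            for field in FIELDS:
                if row.get(field):
                    index[fingerprint(field, row[field])] = (leak_name, row_no)
    return index

def triage(sample, index):
    """Trace every field of every advertised record to an upstream leak."""
    sources, traced, stitched = Counter(), 0, 0
    for rec in sample:
        hits = [index.get(fingerprint(f, rec[f])) for f in FIELDS if rec.get(f)]
        hits = [h for h in hits if h is not None]
        sources.update(leak for leak, _ in hits)
        traced += bool(hits)
        # One advertised "customer" whose fields trace to different leaks or
        # different people was assembled, not exported from a single database.
        stitched += len(set(hits)) > 1
    return {"records": len(sample), "traced": traced,
            "stitched": stitched, "sources": dict(sources)}

# Constructed stand-ins for locally held copies of two old leaks.
KNOWN_LEAKS = {
    "leak_2021": [{"name": "Ali Hassan", "phone": "971500000001"},
                  {"name": "Sara Khan", "phone": "971500000002"},
                  {"name": "Omar Said", "phone": "971500000003"}],
    "leak_2020": [{"password_hash": "aaaa1111"}, {"password_hash": "bbbb2222"}],
}
# Constructed sample of the kind a seller posts as proof of a new breach.
ADVERTISED = [
    {"name": "ali hassan", "phone": "+971 50 000 0001", "password_hash": "AAAA1111"},
    {"name": "Sara Khan", "phone": "+971-50-000-0002", "password_hash": "bbbb2222"},
    {"name": "Omar Said", "phone": "971500000003"},
    {"name": "Noor Aziz", "phone": "971500000999", "password_hash": "cccc3333"},
]

if __name__ == "__main__":
    print(triage(ADVERTISED, build_index(KNOWN_LEAKS)))
```

A high traced share together with stitched rows points to a recycled compilation; untraced rows are the ones that still need checking against the organization's own records.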

Fake Breach Claims Waste Valuable Security Resources

The main impact on targeted organizations and companies is not actual data compromise but a waste of analytical resources. Security teams chasing illegitimate breach claims spend time investigating phantom incidents. These resources could instead focus on identifying and responding to real threats.

Group-IB researchers identified recurring message structures, keywords, and posting behaviors across all sources. These patterns serve as reliable markers for identifying similar false claims. Security professionals can use these indicators to quickly dismiss fraudulent breach advertisements.

The cybercrime ecosystem operates exclusively within Chinese-language environments. This linguistic isolation may help the groups avoid scrutiny from non-Chinese-speaking researchers. The criminals specifically target financial institutions in the Gulf region with their fabricated datasets.

Group-IB has published its full research, including upstream mapping of sources, sample validation guides, and identification guidance. The report helps organizations recognize and dismiss fraudulent breach claims without wasting investigation resources. Security teams can use the findings to focus on genuine threats rather than chasing fake data sales.

Financial Institutions in the Gulf Region Face Targeted Disinformation

Fake breach claims disproportionately target financial institutions in the Gulf region. Criminals name financial organizations in their ads to entice prospective buyers who are specifically looking to purchase financial sector data. This method of targeting creates fear for the targeted organizations as well as their customers.

Before launching an investigation into a claimed data breach, financial institutions should seek independent verification of the claim, for example by consulting a reputable third-party cybersecurity firm like Group-IB to verify that the reported breach has actually taken place, so that the organization does not waste time and resources on incidents that did not occur.

The research shows how cybercriminals repackage old data as new. The business model is easy to execute with a low degree of technical skill and can therefore provide cybercriminals with an income stream from unsuspecting buyers. They take advantage of the inherent difficulty of quickly verifying very large volumes of data to resell previously obtained information.

Organizations' security teams should receive training to identify common elements of fake breach claims. The same old data from major leaks, such as the Facebook leak, appears frequently in fraudulent datasets. Training security personnel to identify these attributes will allow them to rapidly eliminate fraudulent ads and concentrate on real threats.

About the Author

Morgan Cipher

Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.
