- A threat actor claims to be selling Superadmin access to ThreatDown Core Next-Gen, a cybersecurity platform operated by Malwarebytes.
- The seller claims that the access also allows activation or management of 2FA settings.
- As of now, there is no proof that the ThreatDown platform has been compromised, and the claims above remain unsubstantiated.
A threat actor is claiming to have Superadmin access to ThreatDown Core Next-Gen, the business-focused cybersecurity platform operated by Malwarebytes. The access is being advertised for sale online for just $120. The listing surfaced through threat intelligence monitoring of underground marketplaces.
The seller says the account carries administrative rights and, allegedly, can activate or manage two-factor authentication (2FA) settings. If that is true, ThreatDown would be in real trouble, because that level of access could let a buyer control parts of the platform.
But there is no public proof that the claim is genuine. No breach has been confirmed, and no public information suggests ThreatDown's systems have been compromised. Security researchers and organizations should therefore treat the listing as an unverified claim, not as proof of a security incident.
What the Seller Claims to Have
According to the advertisement, the alleged access involves ThreatDown Core Next-Gen. This is one of the core components of the ThreatDown security platform.
ThreatDown provides endpoint protection, endpoint detection and response (EDR), and managed detection and response (MDR). It also offers other cybersecurity services for businesses.
The threat actor describes the access as “Superadmin.” This term commonly refers to accounts with the highest level of permissions within a platform. The listing also claims that two-factor authentication can be activated through the account.
But there is no proof. The seller provided no screenshots, no technical details, and no proof-of-access material, and no independent validation has been published alongside the claim.
Without evidence, no one can tell whether the access is genuine. It could be outdated, limited in scope, or entirely fake.
Low Price Raises Doubts
One detail is drawing attention: the asking price. The seller is offering the alleged Superadmin access for just $120, which is surprisingly low. Verified administrator-level access to valuable corporate systems often sells for much more in underground cybercrime markets.
A Rapid7 study found that most initial access broker deals sell for between $500 and $1,000, although the average price sits just above $2,700. These deals often include admin credentials and multiple ways into a network.
The market for such access is diverse. Recent dark web listings have included not just corporate networks but also physical infrastructure access, such as an Italian airport offered for sale alongside corporate systems.
A low asking price does not by itself make the offer fraudulent. Threat actors sometimes price access low to sell it quickly. In other cases, the seller may be overstating what they actually hold.
Cybercriminal marketplaces carry a mix of genuine and fake offers, along with recycled listings, misleading adverts and outright scams. That is why security professionals generally avoid treating marketplace claims as fact and wait for additional evidence.
What Could Happen If the Access Were Real?
If the advertised access is authentic, the potential impact could be significant.
Administrative accounts typically allow users to manage settings, create or modify accounts, assign permissions, and make changes that affect security operations.
Depending on the platform's structure, a Superadmin account could provide visibility into customer environments and allow changes to security controls. The claim regarding two-factor authentication management is particularly notable: 2FA exists to block logins that rely on a stolen password alone, so an account that can alter those settings for others would be a sensitive capability.
But these are just hypothetical risks. There is no public confirmation that the seller actually possesses the level of access they advertised.
No Public Evidence of a ThreatDown Compromise
As of now, neither ThreatDown nor Malwarebytes has publicly disclosed a breach connected to the claim.
They haven’t issued any known security advisories or incident reports. Also, there is no official statement indicating that hackers broke into ThreatDown’s infrastructure. Independent researchers have not publicly verified the alleged access.
ThreatDown continues to operate as Malwarebytes’ business security platform. The company has recently expanded its focus on identity protection and threat detection capabilities.
Until more information emerges, the available evidence supports only one conclusion: an online seller is making a claim that has not been verified.
Security Community Watches for Further Developments
Listings that advertise access to security vendors often attract attention. That’s because of the potential downstream impact. Security platforms frequently play a role in protecting multiple organizations. Any alleged compromise becomes particularly sensitive.
However, experienced analysts caution against assuming that every underground marketplace post reflects a real-world breach. Verification typically requires supporting evidence. It requires independent validation.
It requires victim confirmation or direct investigation by researchers. None of those elements is currently available in this case. For now, the situation remains a developing story. It’s not a confirmed incident.
Organizations that use ThreatDown should continue following standard security practices: monitor official communications from the company, stay alert for updates, and in the meantime review which accounts hold administrative roles in their own tenant and confirm that 2FA is enforced on them. Until credible evidence emerges, the reported Superadmin access sale remains an unverified claim, not proof of a compromise.