Search TorWire

Find cybersecurity guides and research articles

Home > News > Deep Web > Hackers Claim to Offer Alleged Endesa and Santander Records for Sale

Hackers Claim to Offer Alleged Endesa and Santander Records for Sale

By: Morgan Cipher Senior Privacy Journalist

Last updated: July 9, 2026

Human Written
Hackers Claim to Offer Alleged Endesa and Santander Records for Sale
  • A group of cyber thieves are boasting that they have customer data allegedly from Spain’s Endesa and Santander up for sale.

  • One listing claims to contain more than 20 million Endesa records, and the other advertises 5,000+ Santander customer profiles.

  • Researchers say there is no verification yet regarding the listings and there is no proof that a new breach hit the company.

Cybercriminals are claiming they have customer data belonging to two of Spain’s biggest companies. The claims first came to light after Daily Dark Web Intelligence spotted both listings on a dark web forum.

The cybersecurity monitoring account stressed that it has not confirmed either claim. So, there is no evidence proving that what the thieves are listing is truly from new breaches involving the two companies.

Threat Actors Claim to Hold Millions of Endesa Customer Records

Endesa and Santander both serve millions of customers. It’s not a surprise for cyber thieves to target them. According to an underground forum ad that Daily Dark Web Intelligence flagged and our team confirmed, a threat actor brandished a database allegedly belonging to Endesa with more than 20 million records in.

The seller also claims the database is larger than one terabyte. According to the listing, it includes customer IBAN bank account numbers. The post also contains sample files that the seller says prove the data is genuine.

Even as those claims remain unverified, the listing has raised questions. Earlier this year, Endesa disclosed a cybersecurity incident. According to TechRadar, the firm confirmed that attackers gained unauthorized access to one of its commercial platforms.

They stole some customer information. These included names, contact details, Spanish national identity numbers, contract information, and IBAN numbers. The company notified customers that got hit. It also informed Spanish authorities and the country’s data protection regulator.

Notwithstanding, no one has proof that the newly advertised database is from that earlier incident. Daily Dark Web Intelligence made that point clear. They explained that no technical validation is available yet for the dark web listing. They also said there is no evidence linking it to Endesa’s previous incident.

Separate Forum Post Claims to Offer Santander Customer Data

In another underground listing, a threat actor claimed to have a database with over 5,000 banking profiles for sale. These include customer names, IBAN account numbers, Spanish DNI identity numbers, telephone numbers, birth dates, payment card details, and account details.

Santander has not announced any new incident that matches this claim. In 2024, Santander disclosed a data theft incident after attackers hit one of its third-party service providers.

However, no evidence currently connects that earlier event to the newly advertised database. Daily Dark Web Intelligence urged readers not to treat the forum advertisement as proof of customer data theft until appropriate confirmation.

Experts Warn that Dark Web Listings Do Not Always Tell the Full Story

Security researchers regularly remind people that dark web advertisements should be viewed with caution. Threat actors often exaggerate their operations to gain attention from buyers or fear. They pump the number of records they possess. Others recycle information from older leaks. Some even mix past exposed data with public materials before selling it.

The same caution applies to claims of massive healthcare data leaks in France, where the authenticity of alleged breaches remains unverified.

Again, Daily Dark Web Intelligence says that no announcements have come from neither Endesa nor Santander to validate these claims. They advised organizations and customers not to jump into conclusions until forensic experts complete a proper technical analysis. Even without confirmation, cybersecurity professionals still encourage customers to stay alert.

Bad actors can use situations like this as a decoy to launch phishing campaigns. Customers should watch for unexpected messages asking for passwords, banking details, or verification codes. Avoid opening links or attachments from unknown senders.

Share this article

About the Author

Morgan Cipher

Morgan Cipher

Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.

Comments (0)

No comments.