Dark web breach claims fall apart as forums are shut

Several recent high-profile listings on dark web forums have been rejected by the companies named in those posts, while law enforcement actions and changes to scanning tools have altered the landscape for breach claims.

Polymarket responded to a forum post that offered a 750 MB package for sale by calling the listing “complete and utter nonsense.” The company said the files were on-chain market data and public API output, not private keys, stolen funds or KYC records. Polymarket noted it runs a $5 million bug bounty through Cantina and that scraped public endpoints do not qualify for bounty rewards.

Kraken addressed a separate forum listing that claimed access to an admin panel for about $1. The exchange’s chief security officer, Nick Percoco, described the claim as illegitimate and reported that the internal investigation found no system compromise. Kraken later disclosed a separate incident of limited insider misuse that affected about 2,000 customer accounts; the company said its core systems and customer funds were not affected.

In February 2026, a ransomware group posted listings claiming stolen data from several large companies. Those companies provided technical rebuttals. Iron Mountain said a 1.4 TB claim amounted to access to a single marketing folder via one compromised credential and that no ransomware had been deployed. Atlas Air denied a 1.2 TB listing that was said to include aircraft data. Poly, owned by HP, said a 90 GB engineering files post contained legacy material unrelated to current networks. Safran characterized a claim of one million lines of customer and order data as coming from a third party rather than from its own systems.

Other past claims treated as false by companies and regulators include a 2024 listing of 375 million customer records linked to a telecom provider and a 2025 dark web sale of alleged mobile-wallet data that the company and regulators called fake. Several firms have attributed forum postings to third-party vendors rather than to breaches of their own networks.

The sites used to post and trade stolen data have faced enforcement actions. BreachForums, a large forum for stolen data and exploit sales, was seized by authorities in 2025 following arrests and operational disruptions. The Archetyp online market was taken down by police in June 2025.

Google discontinued its Dark Web Report this year, stating that scans for new dark web breaches stopped on January 15, 2026, and that the report was no longer available as of February 16, 2026. The company said it saw weak signal value from those scans.

Researchers and law enforcement have also challenged longstanding online fraud claims tied to hitman-for-hire sites and so-called “red rooms,” finding many offerings were scams and prosecutable fraud rather than active services.

Industry teams and researchers report that the most common loss vectors for users now include phishing emails, browser extensions that drain crypto wallets, and social-engineering scams on messaging platforms. Companies continue to investigate and disclose confirmed incidents when they occur.