A skilled cybercriminal known as ByteToBreach is actively marketing and leaking sensitive global data, including information from airlines, banks, universities, and government agencies. This threat actor, operating since at least June 2025, has established a widespread presence across multiple online platforms, combining technical expertise with aggressive self-promotion to reach potential buyers. The scope of ByteToBreach’s activities highlights a growing trend of sophisticated cybercriminals leveraging the dark web and other channels to monetize stolen information.
Data compromised by ByteToBreach spans numerous countries, with confirmed victims including entities in Ukraine, Kazakhstan, Cyprus, Poland, Chile, Uzbekistan, and the United States. The leaked datasets are diverse, ranging from airline passenger manifests and banking employee records to sensitive healthcare databases and governmental files. These claims have been corroborated by affected organizations and through verifiable technical evidence, underscoring the seriousness of the breaches.
ByteToBreach: A Global Data Breach Operation
Security researchers at KELA have identified and tracked ByteToBreach, detailing a multi-faceted approach to data compromise. The cybercriminal employs a combination of technical methods to gain unauthorized access. These tactics include exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials acquired through infostealer malware and phishing campaigns, and leveraging brute-force attacks or exploiting misconfigured systems. This blend of exploitation and credential harvesting enables ByteToBreach to penetrate targeted networks.
Once access is secured, the primary objective shifts to data exfiltration. ByteToBreach focuses on extracting valuable information such as employee records, entire databases, system backups, and other confidential documents. This data is then packaged and offered for sale on the underground market.
The Marketing and Operational Strategy of ByteToBreach
Adding to its notoriety, ByteToBreach launched a public-facing website in August 2025 under the guise of a legitimate cybersecurity service provider named “Pentesting Ltd.” This WordPress-built platform was designed to appear professional, even showcasing logos of companies the actor claimed to have breached as “clients.” The website featured provocative slogans such as “Let Me Harm Your Data” and “Industry-leading Threat Actor,” aimed at attracting attention within cybercriminal communities.
ByteToBreach maintains communication through a variety of channels, including ProtonMail, Tuta, Gmail, Telegram (@ByteToBreach), Signal, and Session. KELA’s investigation also linked the actor to two compromised machines originating from Algeria. Analysis of bot data revealed connections to information-stealing malware, including Raccoon in September 2022 and StealC in February 2024. Furthermore, a previous Telegram username, “inesslopez,” and a specific phone number were directly associated with ByteToBreach’s current Telegram account, providing crucial attribution clues.
This operation by ByteToBreach exemplifies a modern approach to cybercrime, where malicious technical capabilities are intertwined with sophisticated marketing strategies. By leveraging multiple communication channels and even creating a faux professional service, the actor seeks to legitimize their illicit activities and maximize profits from the global trade in compromised data. The continued activities of actors like ByteToBreach pose a significant and evolving threat to organizations worldwide, necessitating robust cybersecurity defenses and proactive threat intelligence gathering.
The ongoing activities of ByteToBreach underscore the persistent threat posed by data brokers in the cybercriminal ecosystem. Organizations worldwide must remain vigilant against these evolving tactics. Future actions to monitor include further data leaks from ByteToBreach and any potential attribution developments from security researchers or law enforcement agencies aiming to disrupt this operation.