The cybercriminal underground has seen a significant development with the emergence of a new Tor-based leak site, “ALP-001,” appearing on March 22, 2026. This platform openly advertises itself as a “Data Leaks / Access Market,” signaling a concerning trend of initial access brokers (IABs) evolving into full-scale extortion operators. Security researchers warn this shift could dramatically alter the landscape of cyber threats, merging data theft with victim exposure for increased leverage.
The platform, ALP-001, is not a new entity’s sudden appearance but rather the public face of an established threat actor. This group has been active on various dark web forums since at least July 2024, primarily known for selling unauthorized access to compromised enterprise systems. Their specialization has historically focused on internet-facing perimeter devices and remote access gateways. The establishment of ALP-001 marks a clear escalation, indicating a strategic move toward making extortion a core component of their operations.
ALP-001: A New Data Leak Site Emerges, Linked to Active Initial Access Broker
ReliaQuest analysts were instrumental in uncovering ALP-001 and establishing a direct link to an active Initial Access Broker. By analyzing Tox and Session IDs displayed on the leak site, researchers confirmed the affiliation with a known IAB account operating on prominent underground forums such as Exploit and DarkForums. This group previously operated under the aliases “Alpha Group” and “DGJT Group,” providing a historical trail of activity spanning nearly two years.
Further corroboration came from comparing victim lists on ALP-001 with prior access sale postings made on underground forums. A French manufacturing company, with reported annual revenues of $543 million, was listed as a new victim on ALP-001. This same company had been advertised as having its access for sale by the connected forum account in January 2026. This direct correlation between the leak site’s victimology and the IAB’s previous activities solidified the attribution and confirmed the group’s transition from merely selling access to actively engaging in data extortion.
The attack surface targeted by this group is broad and chosen with clear intent. The IAB has a proven track record of profiting from compromised internet-facing perimeter technologies. These are carefully selected because they often grant deep access into corporate environments once breached. Their attack vectors have consistently included FTP and SSH servers, Fortinet and FortiGate VPN appliances, Cisco equipment, Citrix and RDWeb gateways, and GlobalProtect remote access systems.
This strategic targeting of widely used, internet-facing enterprise infrastructure ensures a consistent pool of potential victims across many large organizations globally. These systems are critical for remote connectivity and often carry significant administrative privileges, making them attractive targets for attackers seeking to establish a foothold.
Broader Reach and Diversified Identities
ReliaQuest analysts’ investigation revealed that ALP-001 is associated with at least 10 distinct IAB accounts distributed across six different dark web forums. The group’s earliest recorded activities date back to July 2024. Throughout this period, these accounts consistently advertised unauthorized access to enterprise organizations, prioritizing compromises via FTP servers, Fortinet/FortiGate VPNs, GlobalProtect, and Citrix environments. This deliberate maintenance of parallel identities across multiple platforms suggests a strategic effort to expand their reach and insulate themselves from disruption on any single forum.
The group’s established credibility within criminal circles adds a significant layer of concern. Operating with escrow-verified status on underground forums implies a level of trust from buyers, suggesting they have historically fulfilled their promises of delivering access. While the specifics of their data exfiltration capabilities remain unconfirmed, the public listing of victims on a Tor-based site strongly indicates that they either possess stolen data or are actively working to acquire it shortly after gaining initial access. This dual approach of access brokering and data extortion presents a considerable threat to organizations.
Recommendations for Defense
Organizations facing this evolving threat should prioritize auditing and patching all internet-facing edge devices, with a particular focus on Fortinet, Cisco, and Citrix solutions, as these represent the group’s most frequently exploited entry points. Security teams should also implement robust threat hunting measures to detect signs of persistent access. This includes monitoring for unauthorized sessions, unusual outbound data transfers over protocols like FTP or SCP, and irregular privileged account behavior.
Enforcing multi-factor authentication on all remote access points is a critical immediate step to reduce exposure. Additionally, conducting thorough audits of privileged accounts can help identify and mitigate potential internal compromises. The ongoing evolution of IABs into data extortionists necessitates a proactive and layered security approach to defend against these increasingly sophisticated threats.
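As an added illustration of the threat hunting recommended above (example code written for this page, not ReliaQuest's tooling), the script below aggregates outbound bytes over FTP and SSH/SCP ports to non-internal destinations per source host, user and day, and flags anything over a volume threshold. It assumes a constructed CSV connection-log format (timestamp,src_ip,dst_ip,dst_port,bytes_out,user); the sample lines, the 1 GB threshold and the field layout are assumptions to adapt to your own telemetry.

```python
"""Hunt for unusual outbound FTP/SCP transfers in connection logs (constructed example)."""
import ipaddress
from collections import defaultdict

# Ports singled out by the recommendation: FTP data/control and SSH (SCP rides over SSH).
EXFIL_PORTS = {20: "ftp-data", 21: "ftp", 22: "ssh/scp"}

# Address space we treat as internal; TEST-NET ranges used below therefore count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log lines, not real telemetry: timestamp,src_ip,dst_ip,dst_port,bytes_out,user
SAMPLE_LOG = """\
2026-03-22T01:12:03Z,10.0.5.23,203.0.113.9,22,1843200000,svc_backup
2026-03-22T01:40:11Z,10.0.5.23,203.0.113.9,22,922000000,svc_backup
2026-03-22T09:05:44Z,10.0.7.14,10.0.9.2,22,450000,alice
2026-03-22T10:15:02Z,10.0.7.14,198.51.100.44,21,1200000,alice
2026-03-22T11:30:27Z,10.0.3.8,198.51.100.7,443,3300000000,bob
"""

def is_external(ip: str) -> bool:
    """True if the destination lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_log(text: str):
    """Yield one dict per well-formed CSV line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, src, dst, port, nbytes, user = parts
        try:
            yield {"ts": ts, "src": src, "dst": dst, "port": int(port),
                   "bytes": int(nbytes), "user": user}
        except ValueError:
            continue

def hunt_exfil(text: str, threshold_bytes: int = 1_000_000_000):
    """Sum outbound bytes per (src, user, day) over FTP/SCP ports to external hosts.
    Returns a sorted list of (src, user, day, total_bytes, protocols) above the threshold."""
    totals, protos = defaultdict(int), defaultdict(set)
    for rec in parse_log(text):
        if rec["port"] not in EXFIL_PORTS or not is_external(rec["dst"]):
            continue  # internal copies and non-FTP/SSH traffic are out of scope for this hunt
        key = (rec["src"], rec["user"], rec["ts"][:10])  # day granularity from the ISO timestamp
        totals[key] += rec["bytes"]
        protos[key].add(EXFIL_PORTS[rec["port"]])
    return sorted((src, user, day, total, sorted(protos[(src, user, day)]))
                  for (src, user, day), total in totals.items() if total > threshold_bytes)

if __name__ == "__main__":
    for src, user, day, total, p in hunt_exfil(SAMPLE_LOG):
        print(f"{day} {src} ({user}) sent {total / 1e9:.2f} GB over {','.join(p)} to external hosts")
```

The threshold is a placeholder; in practice derive it from a per-host baseline so that legitimate backup jobs do not drown out a single large night-time transfer from a VPN or edge-device subnet.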
The emergence of ALP-001 signifies a tactical shift by a known threat actor, moving from selling network access to explicitly engaging in data extortion. Continued monitoring of underground forums and the ALP-001 site will be crucial to track the group’s future activities and the impact on their victims. Organizations will need to adapt their defenses to counter this growing trend of combined access brokering and public data exposure.