A major cybersecurity incident has come to light involving a hacker collective known as Daisy Cloud, which has exposed over 30,000 sets of login credentials tied to a wide array of online platforms. The stolen data spans cloud services, financial accounts, government portals, and personal applications.
The group is believed to have been operating an underground marketplace via Telegram since October 2023, offering access to compromised accounts at low prices. Security analysts have linked the credential theft to info-stealing malware, likely related to the RedLine Stealer family—a well-known tool in the cybercriminal underworld.
The breach impacts over 25,000 unique websites and applications across 108 countries. Among the compromised services are major cryptocurrency platforms such as Binance and Coinbase, popular digital services like Facebook and Netflix, and even sensitive government portals from multiple regions.
This wide-reaching attack indicates a strategic approach to monetization, with the hackers targeting various sectors simultaneously rather than focusing on a single industry.
Researchers examining the exposed data discovered several instances of full administrative access to cloud and on-premise servers. Many of the affected systems lacked basic security protections, such as antivirus software, making them vulnerable to further exploitation.
One notable case involved a compromised development server in Southeast Asia, which may have served as a launchpad for broader network intrusions due to its elevated access privileges and lack of endpoint security.
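The kind of triage the researchers describe (counting distinct services and countries, and isolating the credentials that grant administrative access) can be reproduced on any leaked credential set. The following Python script is an added example and is not code from the article or from the analysts it cites; the `URL|username|password` line layout, the sector keyword table, the ccTLD table and the sample lines are all constructed assumptions chosen to mirror the sectors and countries the report names.

```python
"""Defender-side triage of a leaked credential dump.

Added example; the dump format, the sample lines and the lookup tables
below are constructed assumptions, not data from the Daisy Cloud leak.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in an assumed 'URL|username|password' layout.
# Passwords are redacted placeholders; one malformed line is included
# because real dumps are never clean.
SAMPLE_DUMP = """\
https://accounts.example-cloud.com/login|admin@corp.example|<redacted>
https://accounts.example-cloud.com/login|dev.user@corp.example|<redacted>
https://www.example-bank.co.uk/signin|jdoe|<redacted>
https://portal.gov-example.pl/|m.kowalski|<redacted>
https://streaming.example.nl/login|user42|<redacted>
https://ssh-admin.example.com:8443/|root|<redacted>
not a valid line
"""

# Constructed keyword table mapping hostnames to the sectors the report names.
SECTOR_KEYWORDS = {
    "cloud": "cloud",
    "bank": "financial",
    "gov": "government",
    "streaming": "personal",
}

# Constructed ccTLD table; real triage would use a complete ccTLD list.
CCTLD_COUNTRY = {"uk": "United Kingdom", "pl": "Poland", "nl": "Netherlands"}

# Local parts that indicate an administrative rather than a personal login.
PRIVILEGED_USERS = {"admin", "administrator", "root"}


def parse_dump(text):
    """Return (hostname, username) pairs, silently skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue
        url, user, _password = parts  # the password itself is never kept
        host = urlsplit(url).hostname
        if not host:
            continue
        records.append((host.lower(), user.strip()))
    return records


def sector_of(host):
    """Map a hostname to a sector using the constructed keyword table."""
    for keyword, sector in SECTOR_KEYWORDS.items():
        if keyword in host:
            return sector
    return "other"


def country_of(host):
    """Derive a country from the ccTLD; gTLDs such as .com stay unknown."""
    tld = host.rsplit(".", 1)[-1]
    return CCTLD_COUNTRY.get(tld, "unknown")


def is_privileged(user):
    """True when the local part of the username is an admin-style account."""
    local = user.split("@", 1)[0].lower()
    return local in PRIVILEGED_USERS


def triage(text):
    """Summarise a dump the way the report does: breadth, sectors, countries,
    and the privileged accounts that warrant immediate follow-up."""
    records = parse_dump(text)
    return {
        "credentials": len(records),
        "unique_hosts": len({host for host, _ in records}),
        "by_sector": Counter(sector_of(host) for host, _ in records),
        "by_country": Counter(country_of(host) for host, _ in records),
        "privileged": sorted({(h, u) for h, u in records if is_privileged(u)}),
    }


def reset_list(text, own_domains):
    """Usernames under the organisation's own mail domains that appear in the
    dump and should be force-reset and checked for stealer infections."""
    users = set()
    for _host, user in parse_dump(text):
        if "@" in user and user.rsplit("@", 1)[1].lower() in own_domains:
            users.add(user)
    return sorted(users)


if __name__ == "__main__":
    summary = triage(SAMPLE_DUMP)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("force reset:", reset_list(SAMPLE_DUMP, {"corp.example"}))
```

The two outputs a defender actually acts on are `privileged` (admin and root logins on cloud or server hosts, the category the researchers flagged as full administrative access) and `reset_list` (the organisation's own accounts present in the dump); the sector and country counters reproduce the breadth figures the report gives, and the script never retains the password column.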
The infection chain follows a multi-stage strategy:
This breach highlights a shift from simple credential theft to coordinated campaigns aimed at deeper infiltration and control. Analysts observed patterns of infection across entire network segments in countries like Poland, the Netherlands, the UK, and the US—suggesting broader operational goals potentially involving ransomware or large-scale data theft.