Cybercrime

Dark Web Brokers Flood Forums With Recycled Breach Data Disguised as Fresh Corporate Leaks

dark6 22 May 2026

A wave of fraudulent data leak claims is flooding dark web forums, and most of what is being sold turns out to be recycled material from old breaches. Threat actors operating in Chinese-language cybercrime ecosystems are packaging stale data and marketing it as fresh corporate intelligence, tricking organizations into wasting time and money on incidents that never actually happened.

The Scale of the Problem

Security teams around the world have been put on high alert as the volume of these fraudulent claims continues to rise. The listings appear across dark web forums and Telegram channels, often advertising millions of records tied to banks, investment firms, and other corporations across multiple regions. The speed and scale of these posts make it nearly impossible for understaffed security teams to separate real threats from noise.

Analysts at Group-IB identified this growing trend and tracked five major lead data sources operating exclusively in Chinese-language environments on dark web forums and Telegram. Their research found that most advertised datasets were compiled from prior breaches, contained generated data, and showed no signs of a new or active corporate compromise. These sources routinely post between 600 and 1,000 messages per month — a volume that would be extraordinary if the breach claims were genuine.

How the Scam Works

The tactic works precisely because the data is not entirely fake. Brokers pull legitimate personally identifiable information from well-known past leaks — such as the Facebook 2021 breach and the Eatigo 2020 incident — then combine them with generated or inconsistent data to bulk up the claimed record count. This gives listings just enough credibility to cause panic, even though the rest of the dataset does not hold up under scrutiny.

What makes this especially dangerous is the time it costs defenders. Security teams that chase these false alarms are pulled away from real incidents, giving threat actors more room to operate undetected. The combination of fast messaging, high volume, and low-quality claims creates a fog that directly benefits those behind it.

The Five Key Brokers Identified

Group-IB tracked five prominent brokers operating in Chinese-language dark web spaces:

  • Exchange Market (Deepmix) — A dark web marketplace serving as a central hub for fake data listings, posting hundreds of times per month
  • Chang’An Sleepless Night — A Telegram-based channel posting high volumes of alleged corporate data from financial institutions
  • Aiqianjin — Reached nearly 5,000 Telegram subscribers before ceasing operations in July 2024
  • Yiqun Data — A persistent source of recycled breach data active across Chinese-language dark web forums
  • Phoenix Overseas Resources — An active Telegram channel targeting international corporate data claims and foreign businesses

Group-IB analysts validated sample data from multiple listings and found the same pattern each time. Names and phone numbers traced back to the Facebook 2021 dataset. Password hashes pointed to the Eatigo 2020 breach. Email addresses matched records from the Truecaller 2022 leak. In every case, brokers had stitched together fragments from prior incidents and relabeled them as freshly stolen corporate data.

Inconsistencies That Reveal the Fraud

The inconsistencies become obvious once data is cross-referenced. Fields show mixed-language values, atypical translations, and field names that no legitimate database would ever use. A dataset claiming to be from a financial institution might contain column headers in broken English alongside Mandarin-language values, or record structures that do not match any known enterprise database schema.

Despite these red flags, organizations under pressure often react before conducting thorough verification. The urgency created by large-scale leak announcements — especially those claiming fresh corporate data — can prompt premature incident responses, regulatory notifications, and costly investigations into non-events.

How Organizations Can Protect Themselves

Group-IB recommends a structured analytical approach when organizations encounter these types of claims. The first step is verifying that the advertised fields match the structure of the organization’s own internal records. If a dataset claims to contain customer data, the field names, data types, and record counts should align with what the company actually stores.

  • Cross-reference with known breach databases — Use threat intelligence platforms to check if records appear in previously disclosed incidents before escalating
  • Validate sample records — Check whether identifiers such as email addresses or phone numbers actually belong to your customer or employee base
  • Look for structural inconsistencies — Mismatched field names, language mix-ups, or atypical record formats are strong indicators of recycled data
  • Avoid reacting to urgency alone — Brokers rely on confusion and speed to succeed; a calm, evidence-based approach is the most effective defense
  • Monitor Chinese-language dark web forums — Organizations with global exposure should include these channels in their threat intelligence monitoring programs

A Growing Threat to SOC Efficiency

This trend highlights a growing challenge for corporate security teams: the weaponization of disinformation as a resource drain. Even when a data leak claim is entirely fabricated, the organizational response can be costly. Legal teams, communications departments, and incident response personnel are all mobilized, often before a single fact has been verified.

Security teams are urged to use threat intelligence platforms for updated breach cross-referencing before escalating a potential incident. A calm, evidence-based approach — rather than reacting to urgency — is the most effective defense against lead data brokers who rely on confusion to succeed. The Group-IB report serves as a timely reminder that not every dark web listing represents a genuine threat, and that verifying claims before acting can save significant time and resources.
