
A cybercriminal operating under the alias ByteToBreach has emerged as a notable threat actor in the underground market, actively selling and leaking sensitive data from airlines, banks, universities, and government entities worldwide.
Active since at least June 2025, this threat actor runs a cross-platform operation that combines technical skill with aggressive self-promotion across DarkForums, Dread, Telegram, and even a public WordPress website.
The actor’s targets span multiple countries, including Ukraine, Kazakhstan, Cyprus, Poland, Chile, Uzbekistan, and the United States. Leaked datasets include airline passenger manifests, banking employee records, healthcare databases, and government-related files.
Several of these breaches have been corroborated by the affected organizations, or the leaked data contains verifiable technical artifacts, confirming the legitimacy of the claims.
KELA security researchers identified and traced ByteToBreach through extensive investigation.
The actor uses a combination of technical approaches, including exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials from infostealers and phishing campaigns, and leveraging brute force or misconfiguration-based access to gain entry.
Once inside, the focus shifts to data exfiltration, targeting employee records, databases, backups, and sensitive documents.
In August 2025, ByteToBreach established a website under the name “Pentesting Ltd” built on WordPress. The site was designed to resemble a professional service provider, displaying logos of companies he claimed to have hacked as “clients.”
Banners featured provocative phrases such as “Let Me Harm Your Data” and “Industry-leading Threat Actor.”
The actor communicates through multiple channels, including ProtonMail, Tuta, Gmail, Telegram (@ByteToBreach), Signal, and Session. KELA’s datalake analysis linked the actor to two infostealer-infected machines originating from Algeria.
One machine was infected with Raccoon in September 2022, and another with StealC in February 2024. The former Telegram username “inesslopez” and a phone number directly tied to ByteToBreach’s Telegram account were found in the bot data.
This case highlights how modern threat actors blend legitimate technical capabilities with criminal intent, using marketing-first approaches to monetize stolen data across global markets.
