Lionishackers Threat Actors Exfiltrating and Selling Corporate Databases on Dark Web
A financially motivated threat actor known as Lionishackers has emerged as a significant player in the illicit marketplace for corporate data in recent months.
Leveraging opportunistic targeting and a preference for Asian-based victims, the group employs automated SQL injection tools to breach database servers, exfiltrate sensitive records, and list them for sale on underground forums and Telegram channels.
Though not overtly ransomware-based, their model reflects a form of “double extortion” by monetizing stolen data directly rather than encrypting and demanding payment for decryption.
Outpost24 analysts noted that Lionishackers initially surfaced in September 2024, quickly establishing a reputation through proof-of-compromise screenshots and sample excerpts shared across multiple underground platforms.
The group’s communication strategy involves maintaining numerous forum aliases—each tied to identical Telegram contact information—thereby evading long-term attribution while preserving buyer outreach.
Their services have diversified beyond corporate records to include social media and email credential databases, as well as ancillary offerings such as DDoS botnets and forum hosting projects.
As Lionishackers’ activity accelerated, their impact on targeted organizations became increasingly apparent. Victims span government bodies, telecommunications firms, pharmaceutical companies, educational institutions, retail chains, and notably, gambling sites.
Data sets exfiltrated have included personally identifiable information (PII), financial records, and authentication credentials—elements readily exploited for identity theft, account takeover, or corporate espionage.
The group’s tactics underscore the growing potency of database-focused cybercrime, which can inflict profound reputational and financial harm without deploying traditional ransomware.
Outpost24 researchers identified that the group’s specialization in SQL-based attacks and reliance on widely available automation frameworks enable rapid compromise and scaling.
The transition from isolated database sales to additional offerings—such as the Ghost botnet for network-layer DDoS—demonstrates their evolving criminal enterprise.
Figure: A Telegram advertisement showcasing Ghost’s capabilities.
Figure: The short-lived “Stressed Forums” project, launched amid law enforcement scrutiny of BreachForums.
Infection Mechanism and Persistence Tactics
A closer examination reveals that Lionishackers primarily exploit SQL injection vulnerabilities in poorly configured web applications.
By leveraging tools like SQLmap, they automate reconnaissance and payload delivery.
A typical injection sequence observed by Outpost24 follows:

    sqlmap -u "https://victim.com/product?id=1" \
        --batch --dbs --threads=5 \
        --tamper=space2comment --time-sec=10
This command probes for injectable parameters, enumerates databases, and extracts table contents.
Once credentials are retrieved, the attackers often reuse valid login information to pivot deeper into internal networks.
Persistence is achieved through the deployment of lightweight backdoors—frequently simple web shells—hidden in temporary directories or disguised as innocuous update scripts.
These shells facilitate ongoing data pulls and serve as fallback access points if the initial vulnerability is patched.
By understanding Lionishackers’ automation-driven SQL injection workflow and their nimble alias rotation across forums, defenders can prioritize application firewall rules, enhance query parameterization, and implement continuous monitoring for anomalous database access patterns.
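As an added example (not code from the article or from Outpost24's research), the Python script below shows one way to implement the monitoring this paragraph recommends: it scans web server access log lines for the traces an automated sqlmap run like the one above leaves behind (the tool's default User-Agent, the /**/ sequences produced by the space2comment tamper, and time-based payloads such as SLEEP(10)) and aggregates the hits per source address. The log lines are constructed samples, and the indicator names are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Combined Log Format); not taken from the article or Outpost24.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2024:10:00:01 +0000] "GET /product?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2024:10:00:02 +0000] "GET /product?id=1%27%20AND%20SLEEP(10)--%20- HTTP/1.1" 200 512 "-" "sqlmap/1.x#stable (https://sqlmap.org)"
203.0.113.9 - - [01/Sep/2024:10:00:03 +0000] "GET /product?id=1/**/AND/**/1=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2024:10:00:03 +0000] "GET /product?id=1/**/UNION/**/SELECT/**/NULL,NULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2024:10:00:04 +0000] "GET /product?id=1%20WAITFOR%20DELAY%20%270:0:10%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2024:10:00:05 +0000] "GET /product?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Patterns applied to the URL-decoded path and query; the names are the indicators reported per request.
INDICATORS = {
    "comment_obfuscation": re.compile(r"/\*\*/"),  # what sqlmap's space2comment tamper emits
    "time_based": re.compile(r"\b(?:SLEEP|BENCHMARK|pg_sleep)\s*\(|WAITFOR\s+DELAY", re.I),
    "union_select": re.compile(r"\bUNION\b.*\bSELECT\b", re.I),
    "quote_boolean": re.compile(r"'\s*(?:AND|OR)\b", re.I),
}

def classify_request(line):
    """Return (source_ip, set of indicator names); an unparsable line yields (None, set())."""
    m = LINE_RE.match(line)
    if not m:
        return None, set()
    hits = set()
    if "sqlmap" in m["ua"].lower():
        hits.add("sqlmap_ua")  # sqlmap's default User-Agent unless --random-agent is set
    decoded = unquote_plus(m["url"])  # decode once so %27 / %20 cannot hide the payload
    for name, pattern in INDICATORS.items():
        if pattern.search(decoded):
            hits.add(name)
    return m["ip"], hits

def summarize(log_text):
    """Aggregate flagged requests per source IP so an automated burst from one client stands out."""
    per_ip = {}
    for line in log_text.splitlines():
        ip, hits = classify_request(line)
        if ip is None or not hits:
            continue
        entry = per_ip.setdefault(ip, {"flagged": 0, "indicators": set()})
        entry["flagged"] += 1
        entry["indicators"] |= hits
    return {ip: {"flagged": e["flagged"], "indicators": sorted(e["indicators"])} for ip, e in per_ip.items()}
```

On the sample log, only 203.0.113.9 is reported, with four flagged requests covering all five indicators; the User-Agent check alone is weak, so the payload-shape indicators carry the detection.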