May 2026 Dark Web Breach Incident Trend Report

Notes


The May 2026 Dark Web Breach Incident Trend Report is organized around the major data breach cases posted on deep web and dark web forums. Due to the nature of the sources, some of the information may not be fully verifiable as true and is therefore subject to verification.

Major Issues


  • Data breaches and sales of initial access to private companies, government agencies, and military organizations around the world were widely observed across major forums.
  • Certain threat actors consistently claimed breaches targeting multinational enterprises, including global travel, education content, real estate services, and financial services companies. We also observed tampering with Learning Management System (LMS) login portals.
  • Certain groups were found to have sold the internal repositories and source code of global AI companies and to have affected related SDK packages through open source supply chain attacks. The group also claimed to have sold internal source code for development platforms and stolen data from a global pharmaceutical company, and disclosed its involvement in the operation of a major forum.
  • In South America, confidential electoral data and a number of government databases were shared, and data from government agencies and financial and public institutions in neighboring countries was sold or distributed on the dark web.
  • In China, data from large IT companies, e-commerce and payment services companies, and major financial services institutions was circulated. In addition, tools to exploit background check and company lookup functions related to local government online service platforms, as well as code to exploit vulnerabilities, were also observed.
  • In Japan, corporate data from a variety of industries, including telecommunications, manufacturing, education, and distribution, was sold or shared, and the sale of data related to public institutions and of VPN-based initial access was also observed.
  • In the Middle East, leaks centered on e-commerce and distribution platforms and government portal data, along with the sale of initial access over Remote Desktop Protocol (RDP).
  • In South Korea, we observed the distribution of purported military data and defense-related information on the dark web. However, the reliability of some of the data was not verified based on our sample, and some of the data was reposted from past publications, making it difficult to determine whether it represents a new breach. Separately, cases of data leakage from private companies and organizations in Korea were also confirmed.
  • We also observed a number of claims of high-risk, classified data breaches involving NATO, Middle East nuclear facilities, European law enforcement, and military and intelligence organizations in Asia and South America.
  • New data theft groups have emerged, and prompt injection exploits targeting AI services have been observed being traded on forums. Key AI service account information and session data were also in circulation, and we saw an increase in related attack attempts.
  • The increased collaboration between major forums and ransomware organizations, as well as the linking of operators, indicates an evolving ecosystem that combines ransomware, supply chain attacks, and dark web data distribution.

Conclusion


Dark web trends in May 2026 were characterized by ShinyHunters' continued targeting of multinational companies, TeamPCP's leak of AI company source code and forum operational linkages, a large-scale breach of a Colombian government agency, intensive trading of data from major Chinese companies and public institutions, the emergence of new threat groups, and a surge in claims of regional security-related data leaks. In South Korea, breaches were observed across the military, public, and private sectors, and the repeated circulation of defense and military data on the dark web demonstrated the need for continuous monitoring. Increased attacks on AI platforms and supply chains, as well as the circulation of the related data, highlighted the need for response measures such as credential protection, supply chain security, and multi-factor authentication.