
Luca Stivali: 2 December 2025 13:00
In the underground forum landscape, there are actors who operate episodically, seeking a single media hit, and others who build an almost industrial pipeline of compromises over time, releasing technical datasets and internal information from companies around the world. Among these, one of the most recognizable profiles is the one who presents himself with the simple alias “888.”
Active since at least 2024, 888 is now considered one of the most prolific data leakers on the scene, with over a hundred claimed breaches and a constant presence on the most popular English-language cybercrime forums. Unlike structured ransomware groups, it does not operate with extortion methods, does not negotiate, and does not use countdowns: its model is based on the private sale and public release of selected datasets, with the clear goal of boosting reputation, visibility, and demand.
In November 2025, 888 returns to the spotlight by publishing an archive with an eloquent title:
“Ryanair Internal Communications”.
A dump that includes data relating to bookings, routes, flight numbers, claims management processes and, most importantly, internal interactions within the company’s legal/claims department.
I have done some historical research on 888's activities and the information I have gathered paints a clear profile:
Its activity spans various sectors: tech, education, retail, automotive, energy, SaaS platforms, and most recently aviation.
888 targets repeatable, monetizable datasets, not complex environments like OT or ICS.
A rare characteristic that distinguishes him: continuity. His reputation derives precisely from this.
The most interesting source is the interview with Sam Bent for his “Darknet Dialogues” column, which sheds some interesting light on 888: his mentor? Kevin Mitnick. His perspective on AI and hacking? All his work is based solely on his knowledge and skills.
Within the airline thread, several CSV samples appear, which represent extractions consistent with an EU261 legal dispute and complaint management system.
The data structure clearly highlights:
I had the opportunity to analyse the samples “offered” in the post on Dark Forum and they are communications from Italian passengers, referring to legal disputes or requests for reimbursement for various types of poor service.
The possible compromise vectors can only be speculated, as 888 does not provide any details on the method used to obtain the data. The most likely possibility is the compromise of a CRM or case management system used to manage customer communications and legal matters, including through external partners.
The aviation incident is no exception: it fits perfectly into 888's modus operandi.
The threat actor has already claimed responsibility for:
888 never seeks a “shock” effect: it doesn’t publish everything at once, it doesn’t create negotiations, it doesn’t orchestrate extortion.
He simply releases, often after privately selling the material.
Ryanair, in this context, is a piece of a larger chain, not a specific focus.
888 is an actor that exists in the gray area between intrusion broker and opportunistic data leaker, with a structured compromise pipeline, heavy activity in underground forums, and a constant eye for datasets that can generate financial or reputational returns.
The Ryanair case is not an isolated incident, but yet another confirmation of its trajectory: a single, constant, methodical actor moving along a global digital supply chain where every weak link—an exposed bucket, a forgotten repository, an unprotected ticketing service—becomes a new dump to be published.