Inva Malaj : 5 October 2025 08:46
Author : Inva Malaj and Raffaela Crisci
04/10/2025 – Darkforums.st: “303” Claims 9GB Data Breach on Apple.com
In the early hours of October 4, 2025, a data breach claim emerged on the underground forum Darkforums from user “303” (profile: Java Maniac, rank “GOD”, reputation 197, registered January 2025). Darkforums is a leading dark web exchange for data, vulnerabilities, and cybercriminal services, providing visibility to emerging and established threat actors. Actor “303” is known for previous compromise announcements and reputation-building activities, including participation in prominent community discussions and threads.
It’s common practice for threat actors to use the logo of the targeted company rather than that of a third-party vendor involved in the alleged breach, so this information should be interpreted with caution.
At this time, we cannot confirm the authenticity of this news, as the organization has not yet published an official statement on its website regarding the incident. The information reported comes from public sources accessible on underground sites, and should therefore be interpreted as intelligence and not as definitive confirmation.
The “303” actor posted the following announcement:
“Apple.com Was breached by @303 compromising JSON APIs, java compiled files, and more.
price: 5,000 USD
Contact: session: 0567de4ad12b1fa9f16930f881de1d2b24733d69041442b90b79be0ada5cadef59
qtox: 751A97D90B14BBD927ACCAFD0F3923AAE144CBC56D579A22722AD3B250E07144ED026A214927”
Code snippets and alleged “samples” were attached, showing JSON data structures supposedly taken from internal AWS Backup APIs (CreateBackupPlanInput, CopyJob, etc.) along with references to compiled Java files, but there is no real evidence of Apple-exclusive content. The thread also includes tags for supposedly well-known groups (“@KaruHunters,” “@UNIT_PEGASUS,” “@NodeSillent”), apparently to boost the announcement’s visibility and credibility.
The actor’s asking price for the alleged exfiltrated data package is $5,000, with public contact via Session and qTox. No verified previews are offered, and the visible samples are consistent with public AWS documentation, with no unique Apple elements.
Apple Inc. is a leading global multinational manufacturer of hardware, software, and digital services. In 2024, it posted revenue of approximately $391 billion, marking a new all-time record for the company. Active Apple ID users are estimated to exceed 1.5 billion, consistent with the vast global use of iPhone devices and other Apple products. Apple’s technology infrastructure is primarily based on leading cloud providers such as Amazon Web Services (AWS) and Google Cloud, supplemented by its own dedicated facilities. Apple is recognized as a benchmark for data security and protection, despite being cyclically targeted by sophisticated cyberattacks and disinformation campaigns.
The published samples perfectly match public structures in AWS Backup documentation, which are readily available online and cannot be uniquely linked to Apple systems. The tagging of other cybercriminal groups and the tone of the announcement suggest a typical reputation-building strategy.
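The comparison behind this assessment can be automated during triage. The sketch below is an added example, not code from the article or from the forum post: it walks a JSON sample and reports keys outside a partial list of AWS Backup member names, plus 12-digit account IDs that are not documentation placeholders. The key list is a partial subset, and both sample payloads and the function names `triage` and `has_leads` are constructed for illustration.

```python
import re

# Partial list of member names from the public AWS Backup API reference; extend as needed.
PUBLIC_KEYS = {
    "BackupPlan", "BackupPlanTags", "CreatorRequestId", "BackupPlanName", "Rules",
    "RuleName", "TargetBackupVaultName", "ScheduleExpression", "StartWindowMinutes",
    "CompletionWindowMinutes", "Lifecycle", "MoveToColdStorageAfterDays",
    "DeleteAfterDays", "RecoveryPointTags", "CopyActions", "AccountId", "CopyJobId",
    "SourceBackupVaultArn", "SourceRecoveryPointArn", "DestinationBackupVaultArn",
    "DestinationRecoveryPointArn", "ResourceArn", "CreationDate", "CompletionDate",
    "State", "StatusMessage", "BackupSizeInBytes", "IamRoleArn", "ResourceType",
}
FREE_FORM = {"BackupPlanTags", "RecoveryPointTags"}  # tag maps: child keys are arbitrary
DOC_ACCOUNTS = {"123456789012", "111122223333", "444455556666"}  # placeholder IDs common in AWS docs
ACCOUNT_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")

# Constructed samples (not taken from the forum post).
DOC_LIKE = {
    "BackupPlan": {"BackupPlanName": "daily", "Rules": [{
        "RuleName": "r1", "TargetBackupVaultName": "Default",
        "ScheduleExpression": "cron(0 5 ? * * *)",
        "Lifecycle": {"DeleteAfterDays": 35}}]},
    "BackupPlanTags": {"team": "example"},
}
WITH_LEADS = {
    "CopyJobId": "0000-constructed",
    "SourceBackupVaultArn": "arn:aws:backup:us-east-1:210987654321:backup-vault:v",
    "InternalOwner": "constructed-team",
}

def triage(node, path="$", free_form=False, report=None):
    """Walk parsed JSON; collect keys outside the public schema and non-placeholder account IDs."""
    if report is None:
        report = {"unknown_keys": [], "account_ids": []}
    if isinstance(node, dict):
        for key, value in node.items():
            if not free_form and key not in PUBLIC_KEYS:
                report["unknown_keys"].append(f"{path}.{key}")
            triage(value, f"{path}.{key}", key in FREE_FORM, report)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            triage(item, f"{path}[{i}]", False, report)
    elif isinstance(node, str):
        report["account_ids"] += [(path, a) for a in ACCOUNT_RE.findall(node)
                                  if a not in DOC_ACCOUNTS]
    return report

def has_leads(report):
    """True if the sample holds anything the public documentation alone would not supply."""
    return bool(report["unknown_keys"] or report["account_ids"])
```

A hit is a lead for further verification, not proof of origin; an empty report means the sample shows nothing beyond what the public schema already provides.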
Until official confirmation, Apple’s alleged compromise should be considered a case to be monitored closely. Currently, the claim lacks concrete technical evidence directly related to Apple, and does not indicate a significant impact on the company’s ecosystem.
It is advisable to remain vigilant for any subsequent developments or publications.
Red Hot Cyber will continue to follow the story and publish any updates on the blog. We encourage anyone with information to provide it anonymously via the encrypted whistleblower email address.