Redazione RHC : 4 October 2025 09:23
A post recently appeared on a popular underground forum that’s attracting the attention of the cybersecurity community. A user with the handle KaruHunters , already known for his activities within digital criminal networks, posted an ad claiming to be in possession of compromised data from RIPE NCC (Réseaux IP Européens Network Coordination Centre).
Disclaimer: This report includes screenshots and/or text from publicly available sources. The information provided is for threat intelligence and cybersecurity risk awareness purposes only. Red Hot Cyber condemns any unauthorized access, improper dissemination, or misuse of this data. It is currently not possible to independently verify the authenticity of the information reported, as the organization involved has not yet released an official statement on its website. Therefore, this article should be considered for informational and intelligence purposes only.
In the post, KaruHunters explicitly states: “Today I am selling RIPE NCC Data Breach, thanks for reading and enjoy!” The actor claims an alleged cyberattack against the RIPE NCC in October 2025, which allegedly led to the exfiltration of the organization’s private source code and internal tools. A compromise involving a data tree is also mentioned, but no concrete technical details are provided in the public post.
A particularly notable element is the commercial component of the announcement: data is being offered for sale starting at $500 (with the possibility of negotiation), while internal access to the compromised systems is being offered for $1,200 . KaruHunters also adds that the stolen information would concern an entity with a reported turnover of $37.5 million, although this figure should be treated with caution and verified.
The post was accompanied by a RIPE NCC logo, a detail often used in social engineering tactics by criminals to lend greater credibility to their offers. However, as is often the case in these cases, no verifiable evidence was provided to support the alleged intrusion, at least not in the public post. It’s likely that any “proof of concept” is only shared in private negotiations with potential buyers.
The RIPE NCC (Réseaux IP Européens Network Coordination Centre) is the Regional Internet Registry (RIR) responsible for Europe, the Middle East, and parts of Central Asia. It is a non-profit organization based in Amsterdam, founded in the early 1990s, whose primary task is managing and distributing the Internet’s digital resources, such as IP addresses and Autonomous System Numbers (ASNs) .
The RIPE NCC should not be confused with RIPE (Réseaux IP Européens) , which is an open community of network operators and specialists. While the RIPE community defines policies and guidelines for network operation, the RIPE NCC is the entity that implements these decisions through operational management of resources.
The main tasks of the RIPE NCC include:
The RIPE NCC’s role is crucial to the orderly and transparent functioning of the network, as it ensures that IP resource allocation is fair, traceable, and compliant with community-established policies. Essentially, it represents one of the invisible but essential foundations for the functioning of the Internet as we know it today.
KaruHunters’s forum profile shows a fairly high reputation level, with 154 points and the “GOD” rank, indicating a certain level of recognition within the community. The user has been registered since August 2024 , with 26 posts and 18 open threads. This fact reinforces the idea that he is not a newcomer, but someone who has managed to gain credibility in the criminal world.
If confirmed, a data breach affecting RIPE NCC would have potentially serious consequences for the entire European internet ecosystem and beyond, as the organization handles sensitive information related to global network connectivity. However, it is not uncommon for exaggerated or false advertisements to be posted on these forums, used more as criminal marketing operations than as actual sales of compromised data.
In conclusion, KaruHunters’ post should be treated with caution. On the one hand, the user’s reputation on the forum lends some weight to his statement; on the other, the lack of tangible evidence requires awaiting independent verification. What is certain is that the mere appearance of this announcement is a wake-up call for the cybersecurity industry, reminding us of how malicious actors are constantly seeking critical points in the infrastructure that regulates the internet itself.
As is our custom, we always leave room for a statement from the organization should they wish to provide us with updates on this matter, and we’d be happy to publish it in a dedicated article highlighting the issue. RHC will monitor the development of the matter and publish further news on the blog should there be any substantial developments.
Redazione