New Tor-Based Extortion Platform ALP-001 Linked to Active Initial Access Broker
Cybersecurity researchers at ReliaQuest have uncovered ALP-001, a recently launched Tor-based data leak site operating on the dark web. The platform functions as both a repository for stolen data and a marketplace for unauthorized network access, marking a strategic expansion for its operators, previously known as an Initial Access Broker (IAB) active in underground criminal forums.
Unlike typical extortion groups, the threat actors behind ALP-001 have shifted from merely selling initial network access to directly extorting compromised organizations. Their attack methodology prioritizes exploiting vulnerable internet-facing infrastructure, particularly perimeter technologies and remote access gateways. Key targets include Fortinet, Cisco, Citrix, Remote Desktop Web Access, and GlobalProtect systems, often compromised through unpatched vulnerabilities or weak administrative credentials.
The group frequently monetizes access via compromised FTP and SSH servers, leveraging these footholds to infiltrate high-value corporate networks. ReliaQuest’s findings highlight the group’s focus on silent persistence, enabling them to resell valid remote access credentials and escalate attacks into full-scale data extortion.
To counter this threat, organizations are advised to harden perimeter defenses by patching edge devices, monitoring for unauthorized administrative activity, and enforcing multi-factor authentication (MFA) across all remote access points. Additionally, security teams should track anomalous outbound data transfers, particularly those using FTP or SCP protocols, to detect potential exfiltration linked to ALP-001’s operations.
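As an added example (not from the article or from ReliaQuest's report) of the last recommendation, the script below aggregates constructed flow records per peer and flags outbound FTP/SCP volume to external hosts that exceeds an assumed threshold; the flow format, addresses, ports and the 100 MB cut-off are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src_ip, dst_ip, dst_port, bytes_out); not real traffic.
FLOWS = [
    ("10.0.5.21", "10.0.9.4", 22, 14_000),             # internal SSH, ignored
    ("10.0.5.21", "203.0.113.77", 22, 1_200_000_000),  # bulk SCP to an external host
    ("10.0.5.22", "198.51.100.9", 21, 2_500),          # FTP control session
    ("10.0.5.22", "198.51.100.9", 21, 900_000_000),    # bulk FTP upload, same peer
    ("10.0.5.23", "10.0.9.5", 443, 500_000),           # HTTPS, out of scope here
    ("10.0.5.24", "192.0.2.50", 22, 30_000),           # small external SCP, under threshold
]

# Only the protocols the article calls out; the names are used in the alert text.
WATCHED_PORTS = {21: "FTP", 22: "SSH/SCP"}

# RFC 1918 space is treated as internal; anything else counts as external (assumption).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip: str) -> bool:
    """True when the address lies outside the internal ranges above."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def outbound_volume(flows):
    """Sum bytes per (src, dst, port) for FTP/SCP flows to external destinations.

    Aggregating per peer catches an upload split across many sessions, which a
    per-flow size check would miss.
    """
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if port in WATCHED_PORTS and is_external(dst):
            totals[(src, dst, port)] += nbytes
    return totals

def flag_exfil_candidates(flows, byte_threshold=100_000_000):
    """Return (src, dst, protocol, total_bytes) tuples at or over the threshold,
    largest first. The 100 MB default is an assumed cut-off; derive it from each
    host's normal outbound volume in a real deployment."""
    hits = [(src, dst, WATCHED_PORTS[port], total)
            for (src, dst, port), total in outbound_volume(flows).items()
            if total >= byte_threshold]
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for src, dst, proto, total in flag_exfil_candidates(FLOWS):
        print(f"ALERT {src} -> {dst} {proto}: {total:,} bytes outbound")
```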
Source: https://cyberpress.org/leak-site-tied-broker/
Citrix cybersecurity rating report: https://www.rankiteo.com/company/citrix
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
{
"id": "CITFOR1774355090",
"linkid": "citrix, fortinet",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'attack_vector': ['Exploiting vulnerable internet-facing infrastructure',
                   'Unpatched vulnerabilities',
                   'Weak administrative credentials'],
 'data_breach': {'data_exfiltration': 'Potential exfiltration via FTP or SCP protocols',
                 'type_of_data_compromised': 'Stolen data, unauthorized network access credentials'},
 'description': 'Cybersecurity researchers at ReliaQuest have uncovered ALP-001, a recently launched Tor-based data leak site operating on the dark web. The platform functions as both a repository for stolen data and a marketplace for unauthorized network access, marking a strategic expansion for its operators previously known as an Initial Access Broker (IAB) active in underground criminal forums. The threat actors behind ALP-001 have shifted from merely selling initial network access to directly extorting compromised organizations.',
 'impact': {'data_compromised': 'Stolen data repository and unauthorized network access',
            'systems_affected': ['Fortinet systems',
                                 'Cisco systems',
                                 'Citrix systems',
                                 'Remote Desktop Web Access',
                                 'GlobalProtect systems']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Valid remote access credentials',
                           'entry_point': ['Compromised FTP servers',
                                           'Compromised SSH servers'],
                           'high_value_targets': 'Corporate networks'},
 'lessons_learned': 'Organizations should harden perimeter defenses, patch edge devices, monitor for unauthorized administrative activity, and enforce multi-factor authentication (MFA) across all remote access points.',
 'motivation': 'Financial gain through extortion and resale of network access',
 'post_incident_analysis': {'corrective_actions': ['Hardening perimeter defenses',
                                                   'Patching edge devices',
                                                   'Enforcing multi-factor authentication (MFA)',
                                                   'Monitoring for unauthorized administrative activity'],
                            'root_causes': ['Exploiting vulnerable internet-facing infrastructure',
                                            'Unpatched vulnerabilities',
                                            'Weak administrative credentials']},
 'recommendations': ['Patch vulnerable edge devices',
                     'Monitor for unauthorized administrative activity',
                     'Enforce multi-factor authentication (MFA) across all remote access points',
                     'Track anomalous outbound data transfers, particularly those using FTP or SCP protocols'],
 'references': [{'source': 'ReliaQuest'}],
 'response': {'enhanced_monitoring': 'Tracking anomalous outbound data transfers, particularly those using FTP or SCP protocols'},
 'threat_actor': 'ALP-001 (Initial Access Broker)',
 'title': 'ALP-001 Tor-Based Extortion Platform Linked to Initial Access Broker',
 'type': 'Extortion, Data Breach, Initial Access Brokerage',
 'vulnerability_exploited': ['Fortinet vulnerabilities',
                             'Cisco vulnerabilities',
                             'Citrix vulnerabilities',
                             'Remote Desktop Web Access vulnerabilities',
                             'GlobalProtect vulnerabilities']}