ALP-001: From Access Broker to Extortion - New Tor-Based Threat Emerges
A newly identified Tor-based leak site, ALP-001, marks a shift in cybercriminal tactics, transitioning from selling network access to direct extortion. Operating as a "Data Leaks / Access Market," the group blends traditional initial access brokerage (IAB) methods with ransomware-style pressure tactics.
First Victim Named: Pellenc
ALP-001’s inaugural public target is Pellenc, a French manufacturer of battery-powered agricultural equipment based in Pertuis. The company, with reported revenue of $543 million, faces a 228 GB data leak threat, with a payment deadline set for early April 2026, a classic double-extortion tactic.
Attribution & Evolution
Threat researchers, including ReliaQuest, link ALP-001 to a long-standing IAB active on forums like Exploit and DarkForums, previously operating under aliases such as "Alpha Group" and "DGJT Group." Overlapping Tox and Session IDs, along with matching victim listings (including Pellenc), confirm the connection. In January 2026, the same broker advertised access to a French industrial firm matching Pellenc’s profile, reinforcing the pivot from access sales to extortion.
Tactics & Targets
ALP-001 specializes in compromising perimeter technologies, including:
- VPN/RDP gateways (Fortinet, Cisco, Citrix RDWeb, Palo Alto GlobalProtect)
- Exposed SSH servers
- Stolen credentials (via brute force, infostealer logs, or unpatched vulnerabilities)
Once inside, the group establishes persistence (creating admin accounts or backdoor VPN profiles) before monetizing access, now through direct extortion rather than resale.
Broader Implications
ALP-001’s emergence reflects a growing trend: IABs evolving into standalone extortion groups to maximize profits. While the group has a proven track record in access brokering, its ability to exfiltrate and curate large datasets remains unproven. The Pellenc case suggests an experiment with ransomware-style shaming, though public evidence of widespread data leaks is still limited.
For now, ALP-001 operates as a high-quality access broker with escalating extortion ambitions, signaling a potential new threat in the cybercrime ecosystem.
Source: https://gbhackers.com/new-leak-site-tied/
Pellenc America, Inc. cybersecurity rating report: https://www.rankiteo.com/company/pellenc-america-inc.
"id": "PEL1774340749",
"linkid": "pellenc-america-inc.",
"type": "Ransomware",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"