November was another wild month in the underground. If you’ve been keeping track of what’s happening below the surface of the clearnet, you know things have been heating up. Law enforcement scored some big wins, threat actors dropped one of the largest credential dumps we’ve ever seen, and the marketplace scene? Still a mess. Let’s break down what went down.
The Cops Strike Back
Mid-November saw Europol and friends pull off what they’re calling Operation Endgame Phase 2. Between the 10th and 13th, they coordinated a takedown that hit the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet pretty hard. They grabbed one suspect in Greece who’s apparently the brains behind VenomRAT, and managed to take down over a thousand servers worldwide. That’s a lot of infrastructure suddenly going dark.
What makes this interesting is the scale. These weren’t small-time operations—we’re talking about infrastructure that had compromised hundreds of thousands of victims and stolen millions of credentials. The coordination happened at Europol’s HQ in The Hague, and involved multiple countries working together. It’s the kind of operation that makes cybercriminals nervous, even if history shows they’ll just rebuild somewhere else.
The ripple effects from June’s Archetyp Market takedown were still being felt throughout November too. That marketplace had been around since 2020 and had built up quite the user base—around 3,200 vendors and 600,000 customers before authorities from six countries pulled the plug. The vacuum it left? Still hasn’t been properly filled.
Ten Billion Passwords Walk Into a Forum
Here’s where things get really messy. On November 5th, a user going by dEEpEst posted what’s being called one of the biggest password dumps in history on the HTDark forum. We’re talking roughly 10 billion plaintext passwords, just sitting there for free. No paywall, no exclusive access, just grab and go.
Kaduu’s threat intel team caught it during routine monitoring, and the security world collectively groaned. This thing makes RockYou2021 and RockYou2024 look small, and those were already massive. One caveat worth keeping in mind: a list this size is almost certainly a compilation, older dumps and cracked hashes bundled together, so the headline number says less about new exposure than the fact that the whole thing is free. Unlike previous mega-leaks that got hidden behind paid access on some dark corner of the web, this one is completely open. Anyone with basic dark web access can download it, which means credential stuffing attacks (replaying leaked username and password pairs against every other site) are about to get a whole lot worse.
If you’re still reusing passwords across multiple sites, this is your wake-up call. Actually, it’s more like an air horn going off at 3 AM.
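To make the “check whether you’re in there” advice concrete, here is an added example (not code from the article or from Kaduu) of how a breach lookup can be done without handing your password to anyone. The client hashes locally and sends only the first five hex characters of the SHA-1; the server answers with every suffix in that bucket and never learns which one you wanted. The corpus and its counts are constructed from a few well-known weak passwords and stand in for either a local copy of a leaked list or the server side of a range-query API; `range_query`, `pwned_count` and `reused_passwords` are names chosen for this example.

```python
"""k-anonymity breach check for passwords.

Added example, not from the article. The corpus below is constructed from a
handful of well-known weak passwords with made-up counts; it stands in for a
local copy of a leaked-password list, or for the server side of a range API.
"""
import hashlib


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, upper-cased, the convention most breach lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus: hash -> number of times seen (counts are illustrative).
CORPUS = {
    sha1_upper(pw): n
    for pw, n in {
        "123456": 37_000_000,
        "password": 9_000_000,
        "qwerty": 4_000_000,
        "letmein": 500_000,
        "Summer2025!": 12,
    }.items()
}

# Everything the "server" gets to see. With k-anonymity that is only prefixes.
SERVER_SAW: list[str] = []


def range_query(prefix: str) -> dict[str, int]:
    """Server side: every suffix/count whose hash starts with the 5-hex-char prefix.

    The server never learns which suffix the client cares about, so it cannot
    recover the password beyond the bucket the prefix narrows it to."""
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 hex characters")
    SERVER_SAW.append(prefix)
    return {h[5:]: n for h, n in CORPUS.items() if h.startswith(prefix)}


def pwned_count(password: str, query=range_query) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return query(prefix).get(suffix, 0)


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Given site -> password, return the passwords used on more than one site.

    Reuse is what turns a dump like this into account takeovers via stuffing."""
    by_pw: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    for pw in ("123456", "Summer2025!", "correct-horse-battery-staple-9fz2"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
    print("server saw only:", SERVER_SAW)
    print(reused_passwords({"mail": "Summer2025!", "bank": "Summer2025!", "shop": "x9!kq"}))
```

Swap `range_query` for a function that calls a real range API and the client side stays the same; the point is that `SERVER_SAW` only ever holds five-character prefixes, so even a hostile lookup service gets nothing it can turn into a password.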
Breaches Everywhere You Look
Italy’s railway system got hit when threat actors breached Almaviva, the IT services provider for FS Italiane Group. It happened on November 20th and shows once again that going through a supplier is still one of the most reliable ways into a bigger target. Why hack the fortress when you can walk through the vendor’s back door?
Over in France, Pajemploi, the social security service parents use to declare and pay home childcare workers, leaked data on 1.2 million people. That happened around November 18th. Government services have been getting hammered lately, and this is another example of a platform holding sensitive personal data on millions of people without security to match.
The banking sector wasn’t spared either. Qilin ransomware group claimed they grabbed 2.5 terabytes from Habib Bank AG Zurich, including customer details, transaction records, and source code. They posted screenshots on their leak site to prove it, which is pretty much standard operating procedure for ransomware gangs these days. The bank operates across multiple countries including Switzerland, the UK, UAE, and Hong Kong, so the potential fallout is global.
Ransomware Keeps Doing Its Thing
Despite all the law enforcement wins this year, ransomware groups are still out here causing chaos. The Interlock gang hit DaVita, a kidney dialysis company, and leaked their data. Healthcare continues to be a favorite target because these organizations often can’t afford downtime and will pay to get their systems back online quickly.
What’s interesting is watching how the ransomware scene adapts. Remember BlackSuit? The group that got taken down earlier this year? Well, some of those operators have already moved on to something called Chaos ransomware. Cisco Talos found similarities in the encryption methods and tools being used. It’s like playing whack-a-mole, except the moles have cryptocurrency wallets and operational security.
The RondoDox botnet was particularly active, exploiting CVE-2025-24893 (an unauthenticated remote code execution flaw in XWiki) with spikes in attacks on November 7th and again on the 11th. These botnets are getting faster at integrating new exploits, which means the window between a patch shipping and mass exploitation gets smaller every time.
Zero-Days and Espionage
Speaking of unpatched vulnerabilities, there’s a Windows LNK bug (CVE-2025-9491) that’s been getting hammered since March. Eleven different groups are exploiting it, including a Chinese state-backed crew called Mustang Panda (also tracked as UNC6384). They’ve been going after diplomatic targets in Hungary, Belgium, Serbia, Italy, and the Netherlands, using it to drop PlugX malware and spy on communications.
The frustrating part? Microsoft still hasn’t patched it. They said back in March it doesn’t meet their bar for immediate servicing, which is a polite way of saying “we’ll get to it eventually.” Meanwhile, diplomats around Europe are getting their emails and documents stolen. Until that changes, the mitigations are on your side of the fence: block or quarantine .lnk files arriving by mail or inside archives, and alert on shortcuts whose target is a command interpreter or script host rather than a document.
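Since shortcut droppers are an old trick that this bug just makes easier to hide, here is an added example (not code from the article, and not tied to the mechanism of CVE-2025-9491, which the article does not describe) of the triage a responder can do on a suspicious .lnk: parse the MS-SHLLINK header and StringData to recover the target path and command-line arguments, then flag the generic dropper patterns. The interpreter list, the whitespace-run threshold and the 260-character figure for what Explorer’s properties box shows are this example’s own heuristics, not vendor rules, and the sample shortcuts are constructed, not real samples.

```python
"""Triage of Windows shortcut (.lnk, MS-SHLLINK) files.

Added example, not from the article, and not tied to the specific bug above
(the article does not describe how CVE-2025-9491 works). It pulls out the
fields that decide what a shortcut runs and applies generic heuristics for
shortcut droppers. The sample shortcuts are constructed, not real samples, and
the thresholds are this example's assumptions, not vendor rules.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections appear in this fixed order, each only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "rundll32",
                "regsvr32", "wscript", "cscript", "certutil", "msiexec", "conhost")


def parse_lnk(data: bytes) -> dict:
    """Return the header flags and the StringData fields of a shortcut."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_IDLIST:      # LinkTargetIDList: u16 size, then the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: its first u32 is the whole structure's size
        off += struct.unpack_from("<I", data, off)[0]
    out = {"flags": flags}
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            out[field] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            out[field] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return out


def triage(info: dict) -> list[str]:
    """Heuristics for shortcut droppers; thresholds are this example's assumptions."""
    findings = []
    args = info.get("arguments", "")
    target = (info.get("relative_path", "") + " " + args).lower()
    findings += [f"invokes {name}" for name in INTERPRETERS if name in target]
    # Explorer's Target box shows roughly the first 260 characters; padding the
    # arguments with whitespace pushes the real command out of view.
    longest_ws = max((len(r) for r in re.findall(r"\s+", args)), default=0)
    if longest_ws >= 32:
        findings.append(f"{longest_ws}-char whitespace run in arguments")
    if len(args) > 260:
        findings.append(f"arguments are {len(args)} chars long")
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shortcut carrying only RELATIVE_PATH and arguments."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments) + b"\x00\x00\x00\x00"  # terminal ExtraData block


# Constructed samples: a "document" shortcut that opens a decoy and then a hidden
# PowerShell, and a plain shortcut to a text file for comparison.
SAMPLE_LNK = build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    "/c start invite.pdf" + " " * 300 + "& powershell -w hidden -c Start-Process stage2.exe")
BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "notes.txt")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        info = parse_lnk(blob)
        print(label, repr(info["relative_path"]), triage(info) or "nothing flagged")
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes, so the StringData offsets still line up. Anything `triage` flags is a candidate for a closer look, not a verdict, and the same strings are what you would feed a mail-gateway or EDR rule.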
The hospitality industry got hit with a massive phishing campaign too. Russian-speaking threat actors registered over 4,300 malicious domains this year, with activity ramping up in November. They’re targeting hotel guests with fake reservation confirmations, trying to steal credit card info. If you’ve booked a hotel recently and got a weird email about confirming payment within 24 hours, delete it.
The Marketplace Shuffle
The dark web marketplace scene is still trying to find its footing after Abacus Market‘s suspected exit scam in July. That marketplace basically dominated the Western darknet economy before its admin “Vito” allegedly ran off with everyone’s money—somewhere between $12 million and $54 million depending on who you ask.
Without Abacus, the landscape is fragmented. Russian Market has become the go-to for infostealer logs, the bundles of saved passwords, cookies and session tokens pulled from infected machines. TorZon, STYX Market, Brian’s Club, and WeTheNorth are all trying to grab market share. But there’s less trust now. When the biggest marketplace can just vanish with your funds, it makes everyone paranoid.
Finland’s customs office shut down Sipulitie, a local darknet market for drugs. And in a twist that sounds like something from a movie, the Everest ransomware gang’s leak site got hacked by someone and went offline. Cybercriminals stealing from other cybercriminals—you love to see it.
Everything Else Worth Noting
Sweden’s power grid operator Svenska kraftnät got breached, with Everest gang claiming they grabbed 280GB of data. The company found out when a security researcher told them their data was on a leak site, which is embarrassing but at least the power stayed on.
Princeton University disclosed a security incident, joining the long list of educational institutions getting compromised. Living Room Theaters in Portland and Indianapolis had to shut down after a cyberattack, showing that even small businesses aren’t safe.
The infostealer market keeps growing. Places like Exodus marketplace are selling access to over 7,000 infected machines for as little as $3 to $10 each. It’s dirt cheap, which means more people are jumping into the cybercrime game.
Australia’s dealing with BADCANDY malware that’s infected over 400 devices since July, exploiting a Cisco IOS XE vulnerability (CVE-2023-20198, a bug that has had a patch available since 2023). Even by late October, more than 150 devices were still compromised. State-sponsored actors are suspected, which means this isn’t just criminals, it’s geopolitics playing out through malware.
What This All Means
November showed us that despite major law enforcement operations and some impressive takedowns, the dark web ecosystem is resilient. When one marketplace falls, others pop up. When one ransomware group gets busted, the operators rebrand and keep going. It’s a cycle that doesn’t seem to be breaking anytime soon.
The 10 billion password leak is probably the month’s biggest story because it affects so many people. If you haven’t already, check whether your credentials are in there, but do it through a service that uses a k-anonymity lookup (you send a hash prefix, never the password itself), not by pasting passwords into a random “am I in the leak” form. Change anything that shows up. Use unique passwords for every site, which in practice means a password manager. Turn on two-factor authentication everywhere you can, and prefer an authenticator app or a passkey over SMS codes where you get the choice. It’s basic advice, but it matters more now than ever.
For organizations, the message is clear: patch your systems, watch your vendors, and assume you’re going to get hit eventually. Keep backups that are offline or immutable, and actually test restoring from them. Train your people to spot phishing attempts, and back that up with controls that don’t depend on the user noticing, like phishing-resistant MFA. And maybe don’t trust that email about confirming your hotel reservation.
The underground economy isn’t going anywhere. It’s adapting, evolving, and finding new ways to profit from security gaps and human mistakes. November 2025 was just another chapter in a story that’s been going on for years and doesn’t seem to have an ending in sight.
Information compiled from open-source intelligence, security research reports, and dark web monitoring conducted throughout November 2025.