AiT Darkweb Monitor

Manny is sweeping 12 sources for credential, dox, and brand exposure. Mock dataset shown below until Supabase is wired.

Findings (24h)630 total in queueWatchlist15active patternsAlerts pending21new + triagingCoverage11 / 12forums healthy

Findings

Latest credential / domain / mention hits
View all →
  • FND-001employee-A1@example.comcritical
  • FND-002brand:example-corphigh
  • FND-003exec:CFO-redactedhigh
  • FND-004infra:billing-api-keycritical
  • FND-005infra:frontend-monorepohigh

Monitored domains

+ Manage domains
  • example-corp.com
  • tenant-redacted-2.example.org
  • tenant-redacted-7.example.org
  • example-corp-support.*
  • example-corp-login.*
  • examplecorp-careers.*

Recent alerts

All alerts →
  • May 5, 06:42 PMLooks like an SSO credential pair. Hash format matches an old leak set; cred reuse risk on prod portals.
  • May 5, 04:11 PMLookalike registered yesterday. Visual confusables target login portal. File takedown.
  • May 5, 01:02 PMPartial dox. Address fragment looks aged but DOB is fresh. Loop in physical security.
  • May 5, 09:14 AMFormat consistent with a billing-side service token. Rotate immediately, audit usage.
  • May 4, 10:55 PMFilename matches our naming. Could be old fork. Need hash compare against last clean baseline.

Manny's read on the last 24h

Two active criticals on the board: a customer-PII auction tied to tenant-redacted-2 and an active CEO dox on a Telegram channel. Both are escalated. On the brand side, a fresh login-themed lookalike (registered yesterday) is queued for takedown. SSO credential pair on FND-001 looks real — rotate and force MFA reverify before close. A billing-side API key (FND-004) is in the wild; rotation is the only safe call.

Vendor Breach Impact Analyzer

Cross-references org users against known vendor breaches and generates AI-powered remediation guidance.

Critical Breaches6require immediate action
Total Affected Users14across 8 breach events
Avg Risk Score78out of 100
Severity Distribution
622
Critical: 6High: 2Medium: 2
Breach Impact Table
VendorBreach DateSeverityAffected UsersRisk ScoreUrgencyAction
Snowflake2024-05-31critical292immediate
Microsoft 3652024-01-19critical288immediate
LastPass2023-01-23critical185immediate
AWS2024-12-20critical282immediate
Okta2023-10-20critical178high
Twilio2023-06-28high172high
LinkedIn2024-06-02critical365medium
Supabase2025-05-01high258medium
Priority Recommendations
1
Snowflakeimmediate2 users affected

CRITICAL: Two users have credentials exposed in the Snowflake mega-breach affecting 560M records. Immediately rotate all Snowflake credentials, enforce MFA, and audit all data warehouse access logs since May 2024. Escalate to CISO for incident response.

2
Microsoft 365immediate2 users affected

CRITICAL: Nation-state actor Midnight Blizzard breach affects 2 org users. Review all Microsoft 365 OAuth app permissions, revoke suspicious delegated access, and enable Conditional Access policies with MFA for all admin accounts immediately.

3
LastPassimmediate1 user affected

User has LastPass vault potentially compromised. Assume all stored credentials are exposed. Rotate every credential in the vault immediately, prioritizing privileged access (admin accounts, infrastructure, payment systems). Switch to a hardware-backed password manager.

Paste Site Monitor

Scanning pastebin, GitHub Gist, Rentry, PrivateBin & Ghostbin for credential leaks, API keys, PII, and source-code fragments.

Severity breakdown

20
critical5
high8
medium6
low1

Source distribution

pastebin8
github gist5
rentry3
privatebin2
ghostbin2
Filter:
pastebincriticalCredentials
May 11, 10:14 PM
admin@intelligentit.io:REDACTED_HASH — appeared in combo list titled 'MSP-2026-Q2'
intelligentit.iomruiz@
github gisthighCredentials
May 11, 07:37 PM
support@intelligentitnyc.com:REDACTED_HASH — part of stealer log bundle
intelligentitnyc
pastebincriticalCredentials
May 11, 02:05 PM
ops@intelligentit.io — password hash REDACTED, sourced from leaked CRM export
intelligentit.io
ghostbinhighCredentials
May 10, 11:48 PM
helpdesk@intelligent-it.io:REDACTED — found in resold breach bundle
intelligent-it
pastebinmediumCredentials
May 10, 05:22 PM
billing@intelligentit.io:REDACTED_HASH — 2024 leak recirculated in May 2026 dump
intelligentit.io
rentrylowCredentials
May 9, 08:30 AM
noc@intelligentitnyc.com:REDACTED — old credential pair from 2023 stealer log
intelligentitnyc
github gistcriticalAPI Keys
May 11, 08:01 PM
ANTHROPIC_API_KEY=sk-ant-REDACTED-XXXXX — committed to public gist, now removed but cached
ait-gatewayintelligent group
pastebincriticalAPI Keys
May 11, 11:14 AM
AIT_GATEWAY_API_KEY=aitgw-REDACTED — shared in public Slack export archive
ait-gateway
privatebinhighAPI Keys
May 10, 09:55 AM
SUPABASE_SERVICE_ROLE_KEY=eyJhbGciREDACTED — found in misconfigured .env committed to fork
aitcsgintelligentit.io
pastebinhighAPI Keys
May 9, 09:33 PM
CLERK_SECRET_KEY=sk_live_REDACTED — leaked via CI log artifact
aitcrm
github gistmediumAPI Keys
May 8, 02:00 PM
RESEND_API_KEY=re_REDACTED — found in deobfuscated build artifact
intelligent group
pastebinhighPII
May 11, 04:40 PM
Employee directory dump: Name REDACTED, Role REDACTED, Phone +1-555-REDACTED — 47 rows posted
intelligent groupintelligentit.io
ghostbinhighPII
May 10, 01:19 PM
Client contact list: company=REDACTED, name=REDACTED, email=*@intelligentit.io — 200 row teaser
intelligentit.io
rentrycriticalPII
May 9, 06:00 AM
Contract employee data: REDACTED names + REDACTED SSN last-4 — labeled 'IT MSP staff 2025'
intelligent-it
pastebinmediumPII
May 7, 10:10 PM
Old HR export: name=REDACTED, dob=REDACTED, manager=REDACTED — 2024 recirculation
intelligent group
github gisthighSource Code
May 11, 08:45 AM
Partial ait-agent source: function handleSlashCommand() { /* REDACTED */ } — 400 LOC fragment
ait-agentintelligentit.io
pastebinmediumSource Code
May 10, 03:22 AM
ait-bridge webhook handler fragment: const secret = process.env.BRIDGE_HMAC_SECRET — redacted
ait-bridge
rentrymediumSource Code
May 8, 06:55 PM
AiTVault auth module: verifyJwt(token, REDACTED_PUBLIC_KEY) — 90 LOC snippet from internal tool
aitvault
privatebinhighConfig
May 11, 05:10 AM
docker-compose.yml: SUPABASE_URL=https://REDACTED.supabase.co, AIT_GATEWAY_URL=REDACTED — leaked env file
aitcsgait-gateway
github gistmediumConfig
May 9, 02:30 PM
Terraform tfvars: project=intelligent-group-ait, region=us-central1, service_account=REDACTED
intelligent groupaitcrm

Scan history

Job IDStartedCompletedScannedFindingsStatus
SCAN-001May 11, 10:00 PMMay 11, 10:01 PM8427completed
SCAN-002May 10, 10:00 PMMay 10, 10:02 PM7915completed
SCAN-003May 9, 10:00 PMMay 9, 10:01 PM9034completed
SCAN-004May 8, 10:00 PMMay 8, 10:03 PM6743completed
SCAN-005May 7, 10:00 PM1120failed
Threat Actor ProfilesWave 320 actors
Motivation:
Level:
Loading threat actor profiles…