Dark Web Roast - February 2026 Edition
By Trellix Advanced Research Center · March 18, 2026
Executive Summary
February 2026 delivered another stellar month in the ongoing theatre of the absurd that is the cybercriminal underground, where ransomware gangs bulk-scheduled their extortion like a content calendar, and an exploit developer burned their $70K Cisco RCE for a forum price check. From an actor who lists domain admin access to Russia’s energy grid for less than a used car, to a data broker candidly advertising age-segmented victim data with a grandma emoji, the underground demonstrated once again that the gap between ambition and execution is not merely wide, but a chasm so vast it has its own postcode. Grab your mug and settle in: February’s roast is served hot, fresh, and with zero detections.
This Month in the DarkRoast
📅 The 0APT ‘spray and pray’ ransomware blog
0APT apparently approached ransomware blog posts the way a mid-tier social media manager approaches their weekly schedule: bulk-drafted, templated, and deployed with the mechanical regularity of someone who has never once asked whether the content was good, only whether it was out. Considering the sheer, numbing volume of their posts, it's a solid bet that their 'victims' are probably just fake sites they spun up themselves for content, because nothing screams legitimacy like inflating your stats with phantom compromises. The gang helpfully self-certified their encryption as ‘(UNBREAKABLE)’ — a designation awarded by the same people selling the padlocks, which is either charming confidence or a profound misunderstanding of how trust works. Their operating philosophy appeared to be no target too small, no template too reused, a motto that would sit nicely on a motivational poster in the world’s least inspiring office. The ransomware industry has rarely been so efficiently mediocre.
🎙️ “Sir, This Is a Wendy’s” — the Cisco exploit price check
Actor cortana9000 spent what appears to be several sleepless nights doing deep dataflow analysis of Cisco’s Unified Communications Manager source code, discovered a pre-auth RCE chain in CVE-2026-20045, confirmed APT groups are actively exploiting it, and then — in a moment of breathtaking self-awareness — posted on a forum to ask “so how much is this worth?” He then immediately listed it on a second forum for $70,000. The man did the research, found the treasure, and then asked strangers on the internet to appraise it, which is the cybercriminal equivalent of finding a Picasso in your attic and posting it on Reddit before calling Sotheby’s. To top it all off, a fellow forum member, KlopInko, swooped in with the devastating one-liner: “since it’s known it’s a 1day exploit” — essentially telling cortana9000 that his $70K payday had already started depreciating the moment he opened his mouth. The lesson here: in the exploit market, the second you ask for a price, you’ve already lost the negotiation.
💸 Selling Russia’s power grid for less than a used car
Actor patagon on DarkForums decided that full domain access to Russian energy-sector infrastructure — the kind of target that would make a nation-state analyst’s coffee go cold — was worth approximately the same as a second-hand Vauxhall Astra with questionable MoT history. The listing was cross-posted to every available forum simultaneously, with the enthusiasm of someone listing their flat on every rental platform at once, presumably hoping that someone, somewhere, would bite before the landlord noticed. The actor proudly advertises domain admin access to ~500 hosts and a 3TB data dump, then casually mentions that the installed antivirus is Kaspersky — Russia’s own flagship security product — which apparently did not stop the breach of Russia’s own power infrastructure. The actor has, in short, dramatically undervalued their inventory by several orders of magnitude, which is either admirable humility or a pricing strategy that would make an economist weep.
🥉 The crypto mixer that communicates exclusively in ASCII art
Varkinat posted a mixer advertisement that, by word count, is approximately 40% operational pitch and 60% elaborate ASCII art of what appears to be a decorative vase or possibly a robot. The post confidently declares “a truly clean transaction means cutting all ties to its past” — a bold philosophical statement — before pivoting to a wall of Unicode block characters that serves no discernible purpose. From a threat intelligence perspective, this is a mixer service whose marketing team has clearly confused “anonymous” with “incomprehensible.” The fact that this was posted on Valentine’s Day suggests Varkinat may have been trying to woo potential clients with abstract digital art, which, honestly, is a more creative sales strategy than most legitimate fintech startups manage.
👵 The data broker who sells “Old Age Data 👵🏻” — Lead Bank’s most candid product listing
Actor Lead Bank posted a remarkably comprehensive data brokerage menu in February, offering phone leads, bank data, WhatsApp data, and crypto investor data from Bybit, Coinbase, Binance, and OKX — covering 175 countries. But the standout product category, listed with its own dedicated emoji, is “Old Age Data 👵🏻👨🏾🦳” — because apparently targeting elderly people is a niche worth calling out by name in your marketing materials. The post was dropped into the STOCK AND MARKET TALK Telegram channel, which means someone’s retirement portfolio discussion group is now receiving targeted elderly fraud lead advertisements. The brazenness of advertising age-segmented victim data on a financial channel, with a grandmother emoji, is either the darkest possible comedy or a compliance department’s worst nightmare — and given that it appeared on STOCK AND MARKET TALK, it may be both simultaneously.
Conclusion
And so February 2026 draws to a close, leaving behind a rich legacy of criminals who burned their own zero-days for a second opinion and actors who sold domain admin access to a national grid for the price of a used car. The underground ecosystem’s central tragedy is not ambition, but accounting. They might be able to breach critical infrastructure and target the most vulnerable, but they still can’t price their inventory correctly. This month, the cybercriminals demonstrated, once again, their extraordinary capacity for self-defeat: from the ransomware gang bulk-scheduling their 'unbreakable' extortion posts to the crypto mixer who confused anonymity with an elaborate ASCII art vase, the month’s edition was a masterclass in ambition systematically undermined by execution. Until next month — stay patched, keep your kettles on a fixed-term contract, and remember: the grandma emoji is never innocuous.
Disclaimer
While these incidents are genuinely amusing, they represent real criminal activities causing significant harm. This content is for threat intelligence and educational purposes only.
Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/