Public intelligence search returns recent ransomware and extortion records with source links, first-seen timing, aliases, and safe summaries.
Loading
Loading
Dark web monitoring for security teams
Hanasand monitors leak and extortion sources for the companies, domains, suppliers, and executives you care about. Every alert explains what was found, why it matters, source context, severity, and the next review step.
Active monitored sources
116
142 mapped across source families
Public Telegram sources
38
Broker rooms, mirrors, stealer-log shops
Sources without stolen files
12
Leak sites, mirrors, hashes, screenshots
Coverage boundary
The page separates current public source context from example alert shapes and tenant-gated collection.
Public intelligence search returns recent ransomware and extortion records with source links, first-seen timing, aliases, and safe summaries.
Session, token, API-key, and webhook examples show the alert shape. They become customer-visible only when a tenant watchlist and approved source record support them.
Invite-only Telegram rooms, infostealer logs, session cookies, OAuth tokens, API keys, and non-human identities require approved collection scope before alerts are treated as confirmed.
Critical
session or token hint · Lumma C2
5 sources · Strong evidence · validate identity
Session-artifact example · Okta
Example shape · verify in tenant alerts before action
API-key example · AWS IAM
Example shape · source approval required
Leak-site claim · Akira
Acme Payments · acme.com · needs review
needs_review · Strong evidence
Confirm the company match, rotate exposed sessions or keys if present, notify vendor-risk or incident response, and keep the leak-site source on a 30-minute watch.
Webhook preview
For non-specialist buyers
The useful output is not a giant feed. It is a short explanation of the company mention, the safe source context, the review priority, and who should review it.
A criminal group, broker, or seller posting about stolen access, leaked data, or an extortion claim.
The type of place the mention came from, such as a leak site, Telegram-like public channel, public advisory, or security feed.
Hanasand records safe facts about a claim, such as source, timing, title, hash, and screenshot state, without storing stolen files.
An automatic delivery to tools your team already uses, such as Slack, Jira, a SIEM, SOAR, or vendor-risk workflow.
Sample alert
Alert format. Real notifications use your watchlist and live source context.
Telegram is the new dark web
Criminal groups and access sellers often post in public or semi-public channels before the same claim reaches a broader leak site. Hanasand tracks those sources, checks whether they are healthy, and shows when a finding needs review.
Coverage model
Channels, mirrors, actors, campaigns
Processing
Parse, dedupe, score, route
@breach_drop_house
Selling internal dump · sample post on mirror
@session_replay_market
Sample token-risk hint · Office365 · CRM
@nhi_keystore
API-key preview · seller offers escrow
@phishing_brand_alley
Lookalike domain registered · launching Monday
@ransom_press_room
Affiliate post · ransomware listing · 48h countdown
Public-page rows show the alert shape. Customer alerts require an approved source, a watchlist match, and safe-field review.
Built for the analyst
Every alert should state where it came from, why it matched, how urgent it is, and what action owner should review next.
Seed watchlists from domains, subsidiaries, brands, VIPs, suppliers, products, and portfolio companies.
Continuously match across public Telegram, forums, markets, leak pages, advisories, and approved sources.
Ship a small alert with the artifact, source, evidence strength, recommended action, and handoff path.
Push reviewed alerts to webhooks, Slack, Jira, SIEM, SOAR, vendor-risk tools, or the API.
Dark web collection depth
Hanasand keeps sensitive sources behind approval and safe-field boundaries while still giving analysts the investigation shape: source family, first seen, mirror status, actor, victim, data type, hash, screenshot state, and retention.
Broker rooms, ransomware mirrors, combo-list drops, stealer-log shops, and phishing-kit seller channels.
Leak sites, mirrors, first-seen times, screenshots, hashes, and victim/data-type metadata.
Ransomware and extortion leak sites normalized into victim, sector, country, and mirror-state fields.
CERT, vendor reports, GitHub advisories, malware infrastructure feeds, and corroborating public reports.
Searchable public context used to reduce false positives before customer delivery.
Collection
telegram_public
darkweb_metadata
actor_page
public_advisory
clear_web
Credential movement changed
Password-only monitoring misses valuable exposure. Hanasand tracks the ways credentials move now: infostealer sessions, OAuth tokens, API keys, phishing-kit exfil, and service or machine-account identifiers.
Breach dumps, combo lists, reused passwords, and domain exposure counts.
Browser dumps, saved logins, cookies, autofill, corporate URLs, and seat-based resale.
Live cookies, OAuth tokens, MFA bypass risk, and short-lived session artifacts.
Telegram exfil drops, AiTM kit posts, lures, hosting, and brand impersonation.
API keys, service accounts, OAuth apps, tokens, and machine identities. Security teams often call these non-human identities.
On-demand collection
Standard coverage is not enough. Submit a Telegram channel, new forum, actor alias, sector, language, or specific customer scope. Hanasand turns it into a scoped request, checks whether it can be monitored safely, and promotes safe sources into continuous monitoring.
Public channels and approved invite reviews for broker rooms, ransomware mirrors, and stealer-log markets.
Source onboarding alerts for newly launched communities before they appear in generic indexes.
Language, region, campaign, actor alias, industry, vendor, product, or portfolio monitoring windows.
Page details, hashes, screenshots, source timing, and redaction state without downloading stolen files.
API and webhook delivery
The API turns scattered observations into stable fields: company, actor, source family, date, artifact type, claim summary, evidence strength, review state, and recommended action.
Inspect the alert shape and validate the delivery preview here. Customer endpoint delivery is created inside the authenticated console.
{
"eventType": "darkweb.monitoring.match",
"deliveredAt": "2026-07-03T02:14:00.000Z",
"severity": "critical",
"actor": "Akira",
"company": "Acme Payments",
"matchedTerm": "acme.com",
"artifactType": "telegram_stealer_log_hint",
"sourceFamily": "telegram_public + restricted_metadata",
"sourceName": "monitored Telegram broker room and leak-site update",
"sourceUrl": "https://hanasand.com/ti/Acme%20Payments",
"claimSummary": "Telegram broker post and leak-site update mention a watched company, corporate URLs, session artifacts, and claimed financial records.",
"firstSeenAt": "2026-07-03T02:08:00.000Z",
"confidence": 88,
"sourceCount": 5,
"reviewState": "needs_review",
"recommendedAction": "Confirm the company match, rotate exposed sessions or keys if present, notify vendor-risk or incident response, and keep the leak-site source on a 30-minute watch.",
"pivots": [
"Akira",
"Acme Payments",
"acme.com",
"Lumma",
"session cookies",
"financial records"
],
"webhookDelivery": {
"retryPolicy": "signed delivery with retry and dead-letter review",
"destinations": [
"Slack",
"Jira",
"SIEM",
"SOAR",
"vendor-risk portal"
]
}
}Pricing and next step
$49/mo
25 watched names or domains, recent actor-claim matches, email notifications.
Start this tier$149/mo
250 watched names or domains, faster refreshes, structured alert export.
Start this tier$499/mo
1,500 watched names or domains, priority source expansion, custom delivery format.
Start this tierFields customers pay for
Dark web monitoring scans cybercrime sources for external threats linked to your organization, vendors, domains, brands, employees, and products. Hanasand keeps the output small: source, timing, match reason, evidence strength, and the next action.
Threat actors increasingly move from static forums to Telegram rooms, mirrors, broker channels, stealer-log shops, and ephemeral drops. A useful service must monitor Telegram-like public channels as first-class sources, not as a side note.
Credential leaks, infostealer logs, session cookies, API keys, OAuth tokens, phishing-kit drops, vendor mentions, ransomware listings, data-type descriptions, group aliases, source changes, and corroborating public reports.
No. The product is built around source records, redaction, hashes, screenshots when approved, and customer-specific alert context. The goal is response speed without unnecessary raw leaked-data handling.