惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

M
MIT News - Artificial intelligence
有赞技术团队
有赞技术团队
S
Schneier on Security
aimingoo的专栏
aimingoo的专栏
T
Troy Hunt's Blog
U
Unit 42
Hacker News - Newest:
Hacker News - Newest: "LLM"
V2EX - 技术
V2EX - 技术
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
H
Heimdal Security Blog
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Cloudbric
Cloudbric
Google DeepMind News
Google DeepMind News
C
Cisco Blogs
The Cloudflare Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
MyScale Blog
MyScale Blog
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
D
DataBreaches.Net
N
News and Events Feed by Topic
Security Archives - TechRepublic
Security Archives - TechRepublic
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
F
Full Disclosure
The Register - Security
The Register - Security
L
LINUX DO - 热门话题
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
Intezer
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
T
Threatpost
Spread Privacy
Spread Privacy
小众软件
小众软件
AWS News Blog
AWS News Blog
S
Secure Thoughts
S
Security @ Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
J
Java Code Geeks

Comparitech

How to watch McGregor vs Holloway 2 (UFC 329) from anywhere Medical billing firm MCBS warns 300,000+ patients of data breach - Comparitech Ransomware Roundup: H1 2026 stats on attacks, ransoms, and active gangs - Comparitech Colorado Health Network warns 68,000+ people of data breach that leaked SSNs, credit cards, and medical records - Comparitech Middletown, OH warns 123,000+ people of data breach that leaked SSNs, financial and medical info - Comparitech DeGoogling your life: What is it and how do you do it? How to opt out of Meta AI data collection - Comparitech Is CurseForge safe? Common risks and how to mod safely - Comparitech Cybercriminals say they hacked New South Wales Rural Fire Service - Comparitech Grandview School District warns 9,000+ people of data breach 21 months later - Comparitech Which industry & country has the worst email security? An analysis of 5,800+ domains for SPF, DMARC, DKIM & MTA-STS protocols - Comparitech Kootenai County, ID warns residents of government data breach that leaked personal info - Comparitech What is Kik? Is it safe for kids? - Comparitech Cybercriminals say they hacked Reynella East College - Comparitech Are UK council websites adhering to government security guidelines? - Comparitech Bellflower Unified Schools warns students of data breach that leaked SSNs - Comparitech What are location services and how do they work? - Comparitech How to bypass Xbox age verification - Comparitech What is a Minecraft dedicated IP? Do you need one? The best Discord alternatives in 2026 - Comparitech How to watch UFC Freedom 250: Stream UFC White House online Taos Mountain Casino warns of data breach that leaked SSNs Cybercriminals give Delano Public Schools two weeks to pay ransom How to fix ‘Your connection is not private’ in Chrome Plaza Home Mortgage warns 138,000 people of data breach that leaked SSNs How to watch the NBA Finals live online from anywhere Cybercriminals take credit for Singing River Health System data breach How Spammers Are Hiding Behind Google and the New York Times Ransomware roundup: May 2026 Iowa hospital warns 24,000+ people of data breach that leaked SSNs, medical and financial info 80K+ people notified of data breach at Louisiana university that leaked SSNs & bank info Finance firm IMA warns 525,000+ people of data breach Auto lender IAC warns 79,000+ people of data breach that leaked SSNs Sandstone, MN says SSNs and financial info compromised in ransomware data breach Las mejores herramientas de gestión de Active Directory Die besten Active-Directory-Management-Tools I Migliori Strumenti di Gestione di Active Directory Las mejores herramientas de gestión de logs Die besten Log-Management-Tools I migliori strumenti di log management Watching You, Funded by You: Number of CCTV Cameras by UK Council & Police Force Las mejores herramientas SIEM para alertas de seguridad automatizadas Die besten SIEM-Tools für automatisierte Sicherheitswarnungen I migliori strumenti SIEM per gli avvisi di sicurezza automatizzati Software maker warns 200,000 Frost Bank customers in Texas of data breach Oregon employment firm notifies 142,000+ people of two data breaches claimed by ransomware gangs Cybercriminals say they hacked Harrison County, WV commission, demand ransom Cybercriminals say they breached AdvancedHealth, Tennessee clinic confirms Fluke Corp notifies 18,000+ people of data breach that leaked SSNs What is Token-Based Authentication? Tokens Explained Western Orthopaedics warns 113,000+ people of data breach that leaked SSNs, credit cards, and medical info What is ARP? ARP protocol explained What is symmetric encryption? Crunchyroll VPN not working? Fix buffering, errors & region blocks American Lending Center notifies 123,000+ people of data breach that leaked SSNs How to watch Oleksandr Usyk vs Rico Verhoeven online Cybercriminals say they hacked CarePoint Health, stole data Ransomware gang claims attack and data theft from UK city school Horizon Media reports data breach of SSNs, cybercriminals take credit Claude VPNs (and how to use Claude safely) What is GhostPairing on WhatsApp? What is a prompt injection attack? Where do leaked passwords end up? A statistical analysis of the dark web’s credential pipeline Ransomware roundup: April 2026 Suffolk, VA warns 157,000+ people of data breach that leaked SSNs, finances How to watch UFC 328 (Chimaev vs Strickland) from anywhere Cybercriminals say they hacked Winona County, MN (again) Keeper vs 1Password: Which password manager is best in 2026? What is F-Droid? Is it safe? Proton VPN Secure Core: What is it, and should you use it? What is an agentic browser? Features and how to use them safely Sandhills Medical Foundation warns patients of data breach Cybercriminals say they hacked Massachusetts Development Finance Agency, its second breach in 2 years STELIA Aerospace confirms cyber attack on North American systems. $2.07 million ransom issued Debt collector Rodenburg Law Firm warns 81,307 people of data breach Healthcare ransomware roundup: Q1 2026 stats on attacks, ransoms, and data breaches How to block ads on Paramount Plus A complete guide to smart speaker privacy What is the Great Firewall of China Cybercriminals say they hacked Rusk County, WI What is a decentralized VPN? Do you need a dVPN? Southern Illinois Dermatology warns patients of data breach that leaked SSNs 92,000 people notified of data breach following cyber attack at Puerto Rican hospital Cybercriminals say they hacked Minidoka Memorial Hospital, demand ransom What is sensitive data? Types and how to protect yourself What is a passphrase? Are they safer than passwords? Phoenix Art Museum warns of data breach that leaked SSNs Mozilla VPN vs NordVPN – VPN Comparison Guide Cookeville Regional Medical Center warns 338,000 people of data breach Antimalware vs Antivirus: What’s the difference? What is URL phishing? Examples and how to stay safe How to use a VPN in Bhutan (and the best options) Cybercriminals give Brockton, MA hospital one week to pay ransom after hack Is Truth Social safe? Everything you need to know What is cyberwarfare? Medical implant maker TriMed warns 80,000+ people of data breach Ransomware roundup: Q1 2026 Heart South Cardiovascular Group warns 46,000+ people of data breach Cybercriminals say they hacked Community College of Beaver County Critical Infrastructure at Risk: 179 ICS Devices Exposed Online
Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace
Paul Bischof · 2026-04-17 · via Comparitech

Inside RAMP_ What a leaked database reveals about Russia's ransomware marketplace

RAMP (Russian Anonymous Marketplace) was a Russian-language cybercrime forum that operated from late 2021 until it was seized by the FBI on January 28, 2026, in coordination with the U.S. Attorney’s Office for the Southern District of Florida. It ran as both a Tor hidden service and maintained a clearnet mirror at ramp4u.io, making it more accessible than many competing forums.

The forum ran on XenForo 2.2.5, a commercial platform, and had dedicated sections for selling network access, malware, ransomware partnerships, stolen data, and hiring criminal freelancers. Thread titles appeared in Russian, English, and Chinese, highlighting its global audience from Western cybercriminals to East Asian threat actors.

Comparitech gained exclusive access to a leaked database from RAMP. The full MySQL dump contains user records, forum threads, private messages, IP logs, and admin activity spanning November 2021 through January 2024.

RAMP at a glance

  • 7,707 registered users
  • 1,732 forum threads
  • 340,333 IP log records
  • 1,899 private conversations
  • 3,875 private messages
  • 14 RaaS programs advertised
  • 250+ ransomware leak sites referenced

Key findings:

  • The RAMP forum facilitated sale of corporate network access to organizations including defense contractors, energy companies, banks, hospitals, and government agencies across 20+ countries
  • The US is the #1 target: it appeared in 40% of listings where a country was identified
  • A single access broker posted 41 separate listings selling entry points into corporate networks, including a US company with $1.2 billion in revenue and government networks in South America and Ukraine
  • 14 ransomware-as-a-service (RaaS) programs actively recruited affiliates, offering up to 90% of ransom payments
  • Government agencies were the most-targeted sector (21 listings), followed by finance/banking and technology/telecom (11 each)
  • Forum activity surged 348% from a low of 67 threads in Q4 2022 to 300 threads in Q4 2023, suggesting a major resurgence after law enforcement disruptions

The access market: selling the keys to corporate networks

The single largest section of RAMP was its access marketplace, where 333 threads offered entry points into compromised corporate networks. These listings represent the first stage of the ransomware kill chain — before any malware is deployed, someone has to get inside.

Access types sold

The most common access type was RDP (Remote Desktop Protocol), appearing in 59 listings, followed by VPN access (22) and SSH/shell access (22). Domain Administrator access (giving full network control) was advertised in 12 listings and commands a premium.

Access TypeListingsShareRisk Level
RDP (Remote Desktop Protocol)5943%Critical
VPN (corporate gateways)2216%Critical
SSH / Webshell2216%High
Domain Admin (full network control)129%Critical
Citrix75%High
VNC32%High
Unspecified208

Target countries

The United States dominates the victim list, appearing in 40% of listings where a country was identified:

CountryListings% of identified targets
United States3940%
EU (various)66%
Asia (various)66%
Canada55%
Brazil33%
India33%
China33%
South Korea22%
Israel22%
Other (20+ countries)2627%

Target industries

Government organizations were the most frequently targeted sector:

IndustryListingsNamed Victims Include
Government (incl. embassies, military)21Mexican embassy, Ukraine GOV, IDF
Finance & Banking11Consolidated Bank of Ghana, AddisBank
Technology & Telecommunications11China Telecom, Emirates Telecom, Taiwan Telecom
Energy (oil, gas, power)5US petroleum co. ($1B), US energy ($800M)
Healthcare & Hospitals4South Korean hospital, Thai hospital
Education & Universities4US universities, unspecified
Manufacturing3Toyota's Brazilian operations
Defense & Aerospace2Indian defense aerospace
Retail2PEPSI official distributor in Asia

Named organizations in thread titles included a PEPSI official distributor in Asia ($250M+ revenue), an Indian defense aerospace company, Toyota’s Brazilian operations ($1B+ revenue), the Consolidated Bank of Ghana, AddisBank (Ethiopia), Emirates Telecom ($1.3B revenue), a Mexican embassy, hospitals in South Korea and Thailand, China Telecom, and Israeli telecommunications infrastructure.

The shift toward VPN exploitation

In early 2022, the market was dominated by RDP access. By late 2023, VPN access listings had grown significantly, reflecting a shift in attack methodology:

QuarterRDPVPNSSHDAShellTotal
Q4 20213200121
Q1 20229013034
Q2 202213004135
Q3 20227100028
Q4 20220101113
Q1 20232104225
Q2 20237152449
Q3 20234141242
Q4 20237704557
Q1 2024*1001028

*Data ends late January.

VPN access listings jumped from near-zero throughout 2022 to 7 in Q4 2023, matching RDP. This correlates with the surge of critical Cisco, Fortinet, and Citrix VPN vulnerabilities disclosed in 2023, which criminals rapidly weaponized.

SSH access, virtually absent in 2022, appeared in nine listings during Q2-Q3 2023 — mostly from sellers “xss_0x2” (12 SSH listings total) and “dayone31337_blardo” (4 SSH listings for Chinese and Korean targets).

Which VPN vendors are criminals targeting?

When sellers specified the VPN product they had compromised, Cisco appeared most frequently:

VPN VendorMentionsContext
Cisco (AnyConnect, ASA)8Most frequently exploited; bulk credential sales
Citrix7Gateway access to large enterprises
Fortinet (FortiGate)3Exploited via known CVEs
Pulse Secure3CVE-2019-11510 referenced directly
Palo Alto (GlobalProtect)2Enterprise networks
SonicWall1
F5 BIG-IP1

One seller (“blackod”) posted five consecutive Cisco VPN access listings for US, Australian, Canadian, and UK organizations in November 2023 alone, suggesting automated scanning and exploitation of a common Cisco vulnerability at scale. Another thread explicitly referenced CVE-2019-11510 (Pulse Secure) by name, demonstrating that known but unpatched vulnerabilities remain a primary entry point.

A separate demand-side thread from “yakuza” titled “Buy corporate access [SonicWall, Cisco, Fortinet, F5 BIG IP, Pulse, Citrix, RDWeb]” further confirms that these seven vendors represent the primary targets.

The biggest listings by victim revenue

Access to a South Korean conglomerate with a reported annual revenue of $16 billion was the most valuable listing on the forum:

DateVictim DescriptionRevenue (USD)Seller
Sep 2022South Korean corporation$16 billioninthematrix
Dec 2023South Korean corporation$15 billionBig-Bro
Sep 2022US corporation$6 billioninthematrix
May 2023US corporation$2.6 billionuroboros
Dec 2023Canadian corporation (RDP)$5 billionfokonishi
Apr 2023Emirates Telecom (UAE)$1.3 billionvars_secc
Mar 2022US corporation (RDP)$1.2 billioninthematrix
Aug 2022US petroleum company$1 billionSkyler
Mar 2023Toyota Brazil$1 billion+el84
Dec 2023US energy company$800 millionfokonishi

The bigger the target, the higher the price

Of the 333 access listings, 48 explicitly stated the victim organization’s annual revenue. Buyers use this info to approximate how much money they could steal or extort from victim organizations, which in turn determines the price of access.

Revenue TierListings% of Revenue-ListedTypical Access Type
Under $50M1838%RDP, Domain Admin, Webshell
$50M–$200M1123%RDP, Domain Admin
$200M–$500M715%RDP, Domain Admin, Webshell
$500M–$1B36%RDP
$1B–$5B613%RDP, Domain Admin
$5B+36%Unspecified (premium)

The ransomware economy: affiliate splits reaching 90%

RAMP hosted 60 threads in its dedicated RaaS section, where ransomware operators recruit affiliates. The data reveals a clear trend toward more generous splits over time — from 80/20 in early 2022 to 90/10 by mid-2023:

DateRaaS ProgramSplit (affiliate/operator)Language
Feb 2022RTM Locker 3.080/20
Jun 2022Luna85/15Rust
Dec 2022Nevada85/15
May 2023Knight 3.090/10

A 90/10 split means the person deploying the ransomware keeps $900,000 out of every $1 million in ransom collected. This escalation reflects fierce competition for skilled and willing affiliates across the cybercrime ecosystem.

14 RaaS programs advertised on RAMP (2021–2024)

We identified 14 distinct RaaS programs:

  • AvosLocker (Nov 2021)
  • Conti (Nov 2021)
  • Luna (Jun 2022)
  • BEAST (Jun 2022)
  • Nevada (Dec 2022)
  • CryptNet (Apr 2023)
  • Knight 3.0 (May 2023)
  • NoEscape (May 2023)
  • Bl00dy (Jul 2023)
  • KUIPER (Sep 2023)
  • UBUD (Nov 2023)
  • PHOBOS — cracked builder (Dec 2023)
  • Zeppelin2 — source code leak (Dec 2023)
  • Wing 1.0 (Jan 2024)

The appearance of cracked builders and leaked source code (PHOBOS, Zeppelin2) is particularly concerning. It lowers the barrier to entry, allowing anyone to launch independent ransomware attacks outside the RaaS model entirely. No affiliate agreement, no profit-sharing, and no operator oversight are required.

Democratization through cracked builders

Seven separate listings offered cracked or leaked versions of established ransomware and penetration testing tools:

DateToolTypeSignificance
Jul 2022OSKI StealerCrackedInformation stealer used for credential theft
Aug 2022Mars Stealer V8Cracked (panel+builder)Popular stealer with full infrastructure
Sep 2022LockBit 3.0 BuilderLeakedMost prolific ransomware operation; builder enables anyone to deploy
Aug 2023Cobalt Strike 4.8Cracked$5,900/year legitimate tool used by most APTs
Nov 2023Core Impact 21.3CrackedCommercial pentest tool ($20K+/year)
Dec 2023PHOBOS RansomwareCracked builderAffiliate program bypassed entirely
Dec 2023Zeppelin2Source code + cracked builderFull source code enables modification
Jan 2024Stop/DJVUCracked builderTargets individual consumers/small businesses

The LockBit 3.0 builder leak was the most consequential. LockBit was the world’s most prolific ransomware operation when RAMP was at its peak, and its leaked builder has been used by dozens of independent operators who have no affiliation with the original group. This single leak multiplied the number of LockBit-branded attacks far beyond what the original operators could manage.

Cracked versions of commercial penetration testing tools like Cobalt Strike ($5,900/year) and Core Impact ($20,000+/year) further lower barriers. These tools, designed for legitimate security testing, provide professional-grade attack capabilities at zero cost to criminals.

The combined effect is a “democratization” of ransomware — the tools, techniques, and playbooks that once required affiliation with a major RaaS operation are now freely available to any moderately skilled criminal.

The malware supermarket

The malware marketplace hosted 121 listings across a range of criminal tools:

CategoryListingsNotable Examples
Exploits & 0-days22Sonicwall VPN RCE, Office 0-day, WinRAR RCE
Crypters / FUD tools17Private Crypt ($2K/month), Luxury Shield
Ransomware12Kakia v2, Thanos, ESXi ransomware
RATs & Backdoors11Windows backdoors, Android banking trojans
Stealers / Infostealers10LummaC2, Mars Stealer, Meduza, OSKI
Botnets7Crypto botnet ($25K), GoldBrute RDP scanner
Loaders / Droppers6AresLoader, BazarLoader

Standout listing: a crypto-stealing botnet advertised at $25,000 that claimed to bypass two-factor authentication on major cryptocurrency exchanges. The forum also listed a VPN RCE 0-day exploit with an asking price of $100,000, indicating that nation-state-grade vulnerabilities circulate in these spaces.

The criminal job market: $25K/month for malware developers

RAMP’s freelance section (68 threads) functions as a criminal career marketplace.

Only one thread explicitly advertised a salary, but it was a striking one. A user posting under “OttoFonBismark” in November 2022 offered $20,000–$25,000 per month for an Android “virologist” (malware developer), promising “fast and big money.”

The compensation spectrum

RoleCompensation ModelEvidence from RAMP
Android malware developer$20–25K/monthExplicit salary offer, "fast and big money"
Ransomware affiliate70–90% of ransomRansom payments average $200K-$1M+
Access brokerPer-salePrices vary $500-$50K+ by target size
Pentester (hired by RaaS team)% of ransomMultiple teams hiring, split negotiated
Ransom negotiatorPer-dealThread seeking "callers for negotiations"
Insider (telecom employee)Per-SIM-swapAT&T/T-Mobile/Verizon insiders sought
Crypto exchange insiderUnknownI have insider admin in one European crypto exchanger

The top 10 vendors on RAMP

The most active sellers represent the forum’s commercial backbone:

#SellerListingsSpecialty
1inthematrix41Corporate RDP access (US, EU, Asia, GOV)
2boxi23VNC/SSH access, data dumps
3el8418Corporate access (Brazil, Israel, telecom)
4RobinHood12Access broker + RaaS operator (KUIPER)
5xss_0x212SSH access (Linux corps, worldwide)
6jacksparrow11US/EU RDP access
7w1nte4mute11Corporate access
8eliotto8VPN exploits, malware
9Big-Bro8High-value corporate access
10vars_secc7Telecom, banking (UAE, Taiwan, Thailand)

“RobinHood” stands out as a dual-role threat actor: selling corporate access to targets including an Indian defense aerospace firm and a PEPSI distributor, while simultaneously operating the KUIPER RaaS program targeting Windows, Linux, ESXi, NAS, MacOS, and FreeBSD.

The demand side: who’s buying?

Twenty-four threads were posted by buyers actively seeking corporate access, revealing what’s in demand:

DateBuyerWhat They Want
Dec 2021AvosLockerBuy or work access (VPN->RDP, Citrix, webshell..)
Jan 2022Whop-WhopBUYING CORP ACCESSES US/CA/UK/AU/DE/FR
Apr 2023FASTPRISONERI will buy USA and CANADA corporate accesses + pay % from profit
Sep 2023unknow50I buy access from Iran
Sep 2023SireneLooking for access of Indian govt
Oct 2023yakuzaBuying Cisco, Fortinet, Pulse, Citrix, F5, SonicWall, RDWeb access
Oct 2023krabNeed access to road cameras of a certain country
Nov 2023PwnstarPentesters for $1B+ revenue networks; later: Canadian Credit Union logs
Feb 2023ippsecBuy Access SSH/SHELL/SCADA from Iran

The AvosLocker listing is particularly significant: a known ransomware operation directly posting buying requests on the same forum where it advertised its RaaS program. This confirms the supply chain relationship between access brokers and ransomware operators.

The request for SCADA access from Iran and road camera access in a specific country suggest state-aligned or espionage-motivated activity alongside the primarily financially-motivated listings.

Several buyers offered profit-sharing arrangements (“pay % from profit”), indicating that some buyers lack the upfront capital to purchase access outright and instead offer a cut of eventual ransom payments.

Forum growth: a U-shaped recovery

RAMP’s activity follows a distinctive pattern. After a strong 2021 launch, activity declined through 2022, hitting a low of just 67 threads in Q4. Then it rebounded sharply through 2023:

QuarterThreadsChangeContext
Q4 2021345(launch)Forum established
Q1 2022216-37%
Q2 2022144-33%
Q3 202293-35%
Q4 202267-28%Trough - law enforcement pressure
Q1 202391+36%Recovery begins
Q2 2023169+86%
Q3 2023198+17%
Q4 2023300+52%Peak — 348% above trough
Q1 2024*109partial*Data ends late January

*Data ends late January.

The Q4 2022 trough likely reflects law enforcement operations that year, including the Hive ransomware takedown and related arrests. The 2023 resurgence, peaking at 300 threads in Q4, suggests the forum successfully attracted displaced users from other disrupted platforms.

Operational security: where criminals slip up

Most RAMP users relied on privacy-focused email providers. Proton Mail accounted for 38% of registrations.

A significant minority made poor choices. Across the full 7,707 user database, 94 accounts were registered with Gmail addresses tied to Google accounts. Several contain patterns consistent with real names.

The forum’s server logged 340,333 IP records across 4,788 users. While most IPs are Tor exit nodes (expected for a .onion site), the data provides session correlation and timing analysis opportunities. We identified connections from residential ISPs in multiple countries, suggesting some users accessed the forum without Tor protection.

Private messages: the deals behind the curtain

The database includes 1,899 private conversations containing 3,875 messages — the hidden negotiations that turn forum listings into actual attacks. Conversation subjects include “VPN access,” “Stealer,” “Request [RaaS] Private Partner Program,” and direct deal-making. This private message data captures the actual transaction layer that public forum posts only advertise.

For example, when the forum’s most prolific access broker “inthematrix” listed access to a South Korean conglomerate with $16 billion in annual revenue, buyer inquiries arrived within hours. One user (“frenkie378”) initiated a private conversation titled “South Korea / 16kkk/ local admin” that ran to three replies, showing a complete negotiation cycle from listing to deal. In total, inthematrix’s 41 public access listings generated 41 private conversations with buyers including ransomware operators, access resellers, and pentest teams.

Methodology

This analysis is based on a MySQL database dump of the RAMP forum’s XenForo installation. We parsed raw SQL to extract structured data from the xf_user (7,707 records), xf_thread (1,732 records), xf_post, xf_ip (340,333 records), xf_admin_log, xf_conversation_master (1,899 records), and xf_conversation_message (3,875 records) tables. IP addresses were decoded from binary format and geolocated against known ISP allocations. All findings are based on data as it existed in the database dump and have not been independently verified against live sources.