bleepingcomputer.com
By Bill Toulas
November 20, 2025

Data from Italy's national railway operator, the FS Italiane Group, has been exposed after a threat actor breached the organization's IT services provider, Almaviva.

The hacker claims to have stolen 2.3 terabytes of data and leaked it on a dark web forum. According to the threat actor's description, the leak includes confidential documents and sensitive company information.

Almaviva is a large Italian company that operates globally, providing services such as software design and development, system integration, IT consulting, and customer relationship management (CRM) products.

Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, says the leaked data is recent, and includes documents from the third quarter of 2025. The expert ruled out the possibility that the files were recycled from a Hive ransomware attack in 2022.

"The threat actor claims the material includes internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies," Draghetti says.

"The structure of the dump, organized into compressed archives by department/company, is fully consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025," the cybersecurity expert added.

Almaviva is a major IT services provider with over 41,000 employees across almost 80 branches in Italy and abroad, and an annual turnover of $1.4 billion last year.

FS Italiane Group (FS) is a 100% state-owned railway operator and one of the largest industrial companies in the country, with more than $18 billion in annual revenue. It manages railway infrastructure, passenger and freight rail transport, and also bus services and logistics chains.

While BleepingComputer’s press requests to both Almaviva and FS went unanswered, the IT firm eventually confirmed the breach via a statement to local media.

“In recent weeks, the services dedicated to security monitoring identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data,” Almaviva said.

“Almaviva immediately activated security and counter-response procedures through its specialized team for this type of incident, ensuring the protection and full operability of critical services.”

The company also stated that it has informed authorities in the country, including the police, the national cybersecurity agency, and the country’s data protection authority. An investigation into the incident is ongoing with help and guidance from government agencies.

Almaviva promised to transparently provide updates as more information emerges from the investigation.

Currently, it is unclear if passenger information is present in the data leak or if the data breach is impacting other clients beyond FS.

BleepingComputer has contacted Almaviva with additional questions, but we have not received a response by publication time.

Law enforcement authorities from six countries took down the Archetyp Market, an infamous darknet drug marketplace that has been operating since May 2020.

Archetyp Market sellers provided the market's customers with access to high volumes of drugs, including cocaine, amphetamines, heroin, cannabis, MDMA, and synthetic opioids like fentanyl through more than 3,200 registered vendors and over 17,000 listings.

Over its five years of activity, the marketplace amassed over 612,000 users with a total transaction volume of over €250 million (approximately $289 million) in Monero cryptocurrency transactions.

As part of this joint action codenamed 'Operation Deep Sentinel' (led by German police and supported by Europol and Eurojust), investigators in the Netherlands took down the marketplace's infrastructure, while a 30-year-old German national suspected of being Archetyp Market's administrator was apprehended in Barcelona, Spain.

One Archetyp Market moderator and six of the marketplace's highest vendors were also arrested in Germany and Sweden.

In total, law enforcement officers seized 47 smartphones, 45 computers, narcotics, and assets worth €7.8 million from all suspects during Operation Deep Sentinel.

• Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate.
• This network is a highly sophisticated operation that acts as a Distribution as a Service (DaaS). It allows threat actors to share malicious links or malware for distribution through highly victim-oriented phishing repositories.
• Check Point Research is tracking the threat group behind this service as Stargazer Goblin. The group provides, operates, and maintains the Stargazers Ghost Network and distributes malware and links via their GitHub Ghost accounts.
• The network distributed all sorts of malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
• Our latest calculations suggest that more than 3,000 active Ghost accounts are part of the network. Based on core GitHub Ghost accounts, we believe that the network began development or testing on a smaller scale for the first time around August 2022.
• Check Point Research discovered an advertiser in Dark-Web forums that provides the exact GitHub operation. The first advertisement was published on July 8, 2023, from an account created the previous day.
• Based on the monitored campaigns from mid-May to mid-June 2024, we estimate that Stargazer Goblin earned approximately $8,000. However, we believe that this amount is only a small fraction of what the actor made during that period. The total amount during the operations’ lifespan is estimated to be approximately $100,000.
• Stargazers Ghost Network appears to be only one part of the grand picture, with other Ghost accounts operating on different platforms, constructing an even bigger Distribution as a Service universe.

The world’s most prolific crypto thieves have used Sinbad.io to launder tens of millions. Its creator, “Mehdi,” answers WIRED’s questions.

On cybercrime forums, user complaints about being duped may accidentally expose their real identities.

It was the largest dark-web drug and crime bazaar in history, run by a technological mastermind who seemed untouchable—until his tech was turned against him.