Our Investigation of the Pure Incubation Ventures Leak [Threat Note]

This blog is a summary of our latest threat note, “Pure Incubation Investigation Leak”, which is available for all our clients to read in the CybelAngel portal. Interested in reading this report as a non-client? Get in touch with us to access this content.

Who are Pure Incubation Ventures?

Pure Incubation Ventures, founded in 2007 by Melissa Chang and Barry Harrigan, is an investment firm headquartered in Danvers, Massachusetts. As a company they focus on providing financial and operational expertise, and historically have created and launched marketing technology firms focused on B2B demand generation. They specialize in areas such as lead generation, content marketing, and software development. They also wish to foster business links between the Philippines and the U.S. as part of their investment focus.

Pure Incubation has developed a portfolio of companies and digital platforms serving diverse markets, including healthcare, real estate, technology, education, and finance. Its current portfolio companies include the MedData Group, Scienz AI, and Demand Science.

An outline of the Pure Incubation data breach so far

Back in March 2024, an actor named KryptonZambie posted a thread on Breach Forums selling a database belonging to Pure Incubation.

Within its group of businesses, Pure Incubation reportedly owns a company specializing in data-driven, AI-powered solutions for the B2B sector. As a result, the breach compromised millions of personally identifiable information (PII) records gathered by this subsidiary (we detail who this company is only in our threat note!).

What was exposed in this breach?

In the Pure Incubation data breach, two specific tables within the company’s database were compromised, leading to the unauthorized exposure of sensitive information. One of the tables contained details on potential members, while the other stored information on contacts.

These tables held personal and potentially sensitive data, including names, physical addresses, email addresses, job titles, company details, LinkedIn URLs, encrypted passwords, and other identifiers. The breach exposed both current and past records, increasing the risk of social engineering and fraudulent activities for those affected.

For example, the members table includes the following headers:

"id","first_name","last_name","address1","address2","city","state","zip","province","country","email","email_type","password","phone","ext","direct_dial","direct_dial_ext","phone_verified","phone_verified_date","phone_type","company_name","source","site_id","type","is_valid","can_email","ip","ml_title","dex_title","job_title","job_level","industry","company_size","company_size_integer","company_revenue","silo","job_area","job_function","hq_phone","hq_phone_verified","hq_address","hq_city","hq_state","hq_zip","hq_country","hq_company_name","last_login","created_at","updated_at","updated_by","last_edit_form_display","last_edit_form_update","company_url","do_not_call","first_qa_date","final_qa_date","email_problem","cant_find_online","previous_company","linkedin_url","qa_file_id","original_owner","didnt_call","for_softwaretrends","st_timestamp","emailoversight_result".
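A header row like the one above is often the first thing an analyst gets from a leak sample, before any rows. The following is an added example (not CybelAngel's tooling and not code from the post) of how a responder can triage such a header: it parses the quoted CSV header with the standard csv module and sorts each column into an exposure category using name patterns. The categories and regexes are my own assumptions for illustration; the header string is the members-table header quoted above.

```python
"""Triage a leaked table's header row: which columns carry credentials, PII, or just flags?

Added example, not part of the original post. Category patterns are assumed
heuristics; tune them for the schema in front of you.
"""
from __future__ import annotations

import csv
import io
import re
from collections import OrderedDict

# Members-table header exactly as quoted in the post (CSV, double-quoted names).
MEMBERS_HEADER = (
    '"id","first_name","last_name","address1","address2","city","state","zip",'
    '"province","country","email","email_type","password","phone","ext",'
    '"direct_dial","direct_dial_ext","phone_verified","phone_verified_date",'
    '"phone_type","company_name","source","site_id","type","is_valid","can_email",'
    '"ip","ml_title","dex_title","job_title","job_level","industry","company_size",'
    '"company_size_integer","company_revenue","silo","job_area","job_function",'
    '"hq_phone","hq_phone_verified","hq_address","hq_city","hq_state","hq_zip",'
    '"hq_country","hq_company_name","last_login","created_at","updated_at",'
    '"updated_by","last_edit_form_display","last_edit_form_update","company_url",'
    '"do_not_call","first_qa_date","final_qa_date","email_problem",'
    '"cant_find_online","previous_company","linkedin_url","qa_file_id",'
    '"original_owner","didnt_call","for_softwaretrends","st_timestamp",'
    '"emailoversight_result"'
)

# Assumed categories. Order matters: the first matching pattern wins, so
# boolean/status columns (phone_verified, can_email, ...) are filtered out
# before the "email"/"phone" substrings can mark them as contact data.
CATEGORY_PATTERNS: "OrderedDict[str, re.Pattern[str]]" = OrderedDict([
    ("flag_or_status", re.compile(r"_verified|_type$|_problem$|_result$|^can_|^do_not_|^is_|^didnt_|^cant_", re.I)),
    ("credential", re.compile(r"password|passwd|secret|token", re.I)),
    ("direct_contact", re.compile(r"email|phone|direct_dial|linkedin", re.I)),
    ("location", re.compile(r"address|city|state|zip|province|country|\bip\b", re.I)),
    ("identity", re.compile(r"^(first|last)_name$|^name$", re.I)),
    ("employment", re.compile(r"job|title|company|industry|revenue|silo", re.I)),
    ("metadata", re.compile(r"_at$|_date$|timestamp|last_login|updated_by|_display$|_update$", re.I)),
])


def parse_header(header_line: str) -> list[str]:
    """Split a single quoted CSV header line into column names."""
    return next(csv.reader(io.StringIO(header_line)))


def classify_column(name: str) -> str:
    """Return the first category whose pattern matches the column name, else 'other'."""
    for category, pattern in CATEGORY_PATTERNS.items():
        if pattern.search(name):
            return category
    return "other"


def triage(header_line: str) -> dict[str, list[str]]:
    """Bucket every column of the header into its exposure category."""
    buckets: dict[str, list[str]] = {c: [] for c in list(CATEGORY_PATTERNS) + ["other"]}
    for column in parse_header(header_line):
        buckets[classify_column(column)].append(column)
    return buckets


def exposure_summary(header_line: str) -> dict[str, int]:
    """Column count per category, useful for a quick severity call."""
    return {category: len(cols) for category, cols in triage(header_line).items()}


def credential_columns(header_line: str) -> list[str]:
    """Columns that may hold secrets. A 'password' column means the dump needs
    hash-format analysis before anyone describes it as merely 'encrypted'."""
    return triage(header_line)["credential"]


if __name__ == "__main__":
    for category, cols in triage(MEMBERS_HEADER).items():
        print(f"{category:15s} {len(cols):3d}  {', '.join(cols)}")
    print("credential columns:", credential_columns(MEMBERS_HEADER))
```

Running it prints one line per category with the matching column names, so the analyst can see at a glance that this header carries a password column plus direct-contact and location fields for each record, while roughly a dozen columns are only status flags or timestamps. The heuristic is deliberately conservative about substrings: "phone_verified" and "emailoversight_result" land in flag_or_status rather than direct_contact.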

A threat actor snapshot: Who is KryptonZambie?

KryptonZambie, the threat actor behind this data breach, is a well-known cyber threat group.

[Figure: a previous KryptonZambie hack from February 2024]

They are also known by these other aliases:

  • Barboza
  • robinhouse0xc4
  • krpzambie0xc4
  • robinFlexSnow

This actor primarily operates on cybercriminal forums such as Breach Forums (also known as Breached) and uses Telegram for wider communication and distribution of stolen data. Their Telegram channel, named Robinhouse, currently has over 300 subscribers. Cybercriminals typically use this platform for selling stolen credentials, personal data, and credit cards, and for offering services like SMS spam, OTP bots, and SIM swapping. Our report takes you behind the scenes.

CybelAngel analysts have found that KryptonZambie initially concentrated on targeting databases from companies in India, but has since expanded to a global scale.

The recent leak underscores the emerging vulnerabilities and threats that many security teams face, particularly those related to the supply chain and to artificial intelligence: data aggregated by an AI-driven subsidiary becomes a single point of compromise for millions of records. It prompts a critical examination of how to handle personal data breaches when the data involved was collected or processed by AI-powered systems. The key questions now include accountability (who is held responsible?) and the proactive and reactive measures needed to address these threats effectively.

Good to know
CybelAngel monitors various platforms for potential threats, including Telegram. Within our Dark Web Monitoring service, we scan Tor, I2P, Discord, Telegram and IRC, among other platforms.

The full list of topics covered in our data-driven investigation

Within this threat note there are four main areas of focus. Each section contains comments from our expert REACT team members, who have analyzed the detailed malicious-actor commentary specific to this marketing services data breach.

The main focus areas of this report:

I. An overview of this data breach
II. Pure Incubation
III. A review of the affected contact and member databases
IV. A rundown of the threat actor in question: KryptonZambie

In this threat note, our analysts fully list the entities targeted, as well as a list of industries and victims.

Get the full picture of the Pure Incubation leak, only in our latest threat note

Dive further into the consequences of data breaches and the global rise of the threat actor KryptonZambie in our new threat note. Be better equipped to fight data breaches: companies of every profile and size are at risk today, without exception.

If you are not a CybelAngel client but also wish to have a complete picture of this trending threat actor, you can obtain access to this resource by getting in touch with our REACT team at [email protected].

Follow us on social media- LinkedIn, Twitter/X, and Facebook.

If you don’t want to stop reading, check out our latest analysis on Anonymous Sudan, ‘Anonymous Sudan’s Post Arrest Cyber Chaos [A Threat Note Guide].’