Introduction
Cryptocurrency has become the preferred currency of the underground. It is fast, pseudonymous, and global. But it is also the target. Between theft, wallet draining, and outright fraud, the crypto space is losing billions every year.
In 2024 alone, wallet drainers stole over $500 million, according to Chainalysis’ 2025 Crypto Crime Report. That is not ransomware victims paying extortion demands. That is not clever social engineering or advanced persistent threats. That is simple, scalable fraud at an industrial scale. And the tools to do it are not hidden behind nation-state firewalls or elite darknet forums. They are on sale on what amounts to the Tor equivalent of Amazon.
SOS Intelligence has been tracking these marketplaces for months. We have documented the tools, the prices, the threat actors, and the money laundering pipelines. This analysis is what we found.
What We Found on DARKSEARCH
DARKSEARCH is one of the larger dark web marketplaces. It functions as a general vendor platform, not unlike eBay, but for illegal goods and services. On it, you can buy access to botnets, stolen data, hacking tutorials, or custom malware. You can also buy cryptocurrency theft tools.
The range of products is striking. These are not theoretical exploits or academic proofs of concept. These are working tools used in active campaigns against real targets. Here is what we documented.
Wallet and Account Theft
The simplest products on sale are stolen wallets. Vendors list wallets with substantial balances, already compromised and ready to be drained. A single listing might contain 599 BTC wallets, with individual wallet values ranging from $42,000 to $59,900 USD at 2024 exchange rates. These are not guesses or projections. These are actual wallets with known, verified balances. On markets like Tor Amazon (tamazoncmlw2ohkbsmqxnotudejdd4befrasxuigzzjumqu3zba535yd[.]onion), vendors openly advertise wallets with balances verified as of the day of listing.

Atomic Wallet credentials are also available. Atomic is a popular mobile and desktop wallet used by millions of crypto holders. The Atomic Wallet hack of June 2023 resulted in over $35 million in losses attributed to the Lazarus Group, and compromised credentials continue to circulate on dark web markets. Vendors offer compromised Atomic Wallet accounts containing 1 BTC or more, priced around $4,000 per account. The compromise is complete, meaning the original owner has already been locked out.
Beyond full wallets, you can buy seed phrases and private keys. These are the master credentials that unlock a wallet. A Bitcoin seed phrase recovery tool fetches $1,500 to $6,500, depending on the number of target wallets and recovery likelihood.
Password and Passphrase Cracking Tools
Password protection on wallets assumes the password is strong. It usually is not. So vendors offer specialised tools to crack wallet passphrases at scale. A wallet.dat passphrase cracker, which targets the encrypted wallet file format used by Bitcoin Core and older wallet software, sells for around $400. It performs brute force attacks on the passphrase, trying millions of combinations until it finds the correct one.
These tools are not slow. Modern GPU acceleration can test tens of billions of passwords per second. A weak passphrase, or one based on common patterns, will fall in minutes or hours. A strong one might take days. But the attacker does not need to be fast. They can run the crack in the background indefinitely.
Fake Token Senders and Spoofing Tools
One of the most audacious fraud vectors is the fake USDT sender. USDT is Tether, the largest stablecoin in circulation. Someone using a fake USDT sender can create a fraudulent transaction that appears on the blockchain, complete with the correct token contract address, that shows as sent from one wallet to another. To an untrained eye, it looks legitimate. To a crypto exchange or automated system relying on blockchain scans, it might pass as legitimate.
These tools sell for $300 to $500. They are typically paired with phishing campaigns. A victim receives a message claiming they have won an airdrop, or that a trade executed successfully, and they see the fake USDT in their wallet. When they try to withdraw or sell it, they are prompted to approve a smart contract transaction. At that point, the drainer takes control. Such tools are actively marketed on platforms like Dark Web World (worldyyyi2ktoisdqjjq4zlt3jftejabo443lb67pfofr2i5gqlkaoqd[.]onion), which hosts a Financial Tools category alongside hacking services.
Reverse Transaction Tools
Bitcoin transactions are supposed to be irreversible. That is part of the design. So the idea of a reverse transaction tool sounds like science fiction. But the vendors of these tools are selling something close to it. A BTC Reverse Transaction Tool, priced between $400 and $600, works by finding transactions that have been broadcast but not yet included in a block, and so have not yet been fully propagated to all network nodes. The tool allows the attacker to broadcast a conflicting transaction first, causing the original to be rejected by the network. The BTC then flows to the attacker instead.
This only works on a small fraction of transactions. But it is effective enough that people are paying for it. And the demand suggests it is working in practice.
Mnemonic Brute Force Tools
A BTC mnemonic brute tool costs around 690 USD or 550 GBP. It generates or guesses Bitcoin seed phrases and checks them against the blockchain to see if they contain funds. Because seed phrases follow the BIP39 standard, which is deterministic, a brute force attack on the space of possible mnemonics is theoretically feasible. The attacker generates thousands or millions of seed phrases, derives the public addresses from each one, and queries the blockchain for balances. Advanced Hacking Tools (zqi3evypxq7ok3gqnimwnlesf6v76ksrpgtgb6j7hh6ye752apzmceyd[.]onion) explicitly lists Cryptocurrency Scam Scripts among its offerings, with 38,530 visits and customer reviews confirming ‘software delivered instantly and fully functional’ and ‘secure transaction and smooth process.’
The computational cost is high. But cloud computing makes it cheap. A determined attacker can lease GPU resources for hours or days at a fraction of a cent per compute hour, making the economics viable for high-probability targets.
Leaked Data and Account Databases
Finally, vendors are selling access to compiled databases of leaked credentials. One listing offers access to 16 billion compromised accounts. The seller claims these are de-duplicated and verified against live services. The price is $121,484. That works out to less than one cent per compromised account. For a cyber criminal running wallet-draining campaigns, this is cheap reconnaissance. They can cross-reference stolen exchange login credentials against wallet addresses to identify holders with known balances. Multivendor platforms like Tor Market (sqw2klzo4mtwvbf3by7irjv7r5mdojxwziuus3lh6rketlkggvsdyaad[.]onion) support both Bitcoin and Monero payments, with dedicated Money Transfer categories facilitating these database sales.
Wallet Drainers as a Service
The real innovation on the dark web is not individual tools. It is the business model. Wallet drainers are offered as a service, DaaS, and it is a lucrative franchise.
How DaaS Works
The architecture of a wallet drainer is straightforward. The developer publishes a toolkit consisting of a drainer contract (a smart contract deployed on-chain) and a user interface for creating phishing campaigns. A criminal rents the drainer, paying either a flat fee or a percentage of stolen funds. They set up a phishing website that mimics a popular crypto exchange or NFT marketplace. They send phishing links to targets via email, SMS, or social media.
When a victim clicks the link, they see a fake login screen or a fake approval request. If they enter their seed phrase or approve a transaction signature, the drainer gains the ability to control their wallet. The funds are transferred immediately to the attacker’s address. The entire flow from click to theft takes seconds.
The drainer operator keeps a percentage. The drainer developer keeps a percentage. The affiliate who promoted the drainer keeps a percentage. Everyone gets paid. It is a lean, distributed criminal supply chain.

Angel Drainer
Angel Drainer is perhaps the most notorious wallet-drainer family in operation. It is believed to have stolen over $25 million in cryptocurrency. It was active from early 2023 through 2024, and operated as a DaaS offering custom drainer contracts and campaign management tools. ScamSniffer blockchain security research has tracked Angel Drainer operations across multiple victim wallets.
Angel users could log into a dashboard, select their target blockchain, customize their phishing site, and launch their campaign. The drainer provided metrics on click-through rates, approval signatures collected, and stolen funds. It was, in essence, a SaaS offering with a criminal payload. Many law enforcement agencies have attributed wallet drains totalling in the millions of dollars to Angel Drainer operators.
Inferno Drainer
Inferno Drainer is believed to have stolen over $80 million. It operated in parallel with Angel Drainer and was arguably more technically sophisticated. Its phishing interfaces were higher fidelity, its blockchain support was broader, and its operational security was tighter. SlowMist blockchain security research has documented Inferno’s operational patterns across multiple victim reports.
In a striking twist, Inferno Drainer operators were observed transferring stolen funds directly to Angel Drainer wallets in several high-value campaigns. This suggests either a partnership or a buyout. It is unclear if Inferno has exited the market or if operations have simply gone underground or rebranded.
Pink Drainer
Pink Drainer operated more transparently than most. The operator ran an active Telegram channel and took custom contracts and integration requests. Pink is estimated to have commanded 28% market share of the wallet drainer space before exiting in May 2024. By that point, it was believed to have stolen tens of millions of dollars.
The operator announced the exit via a single Telegram message, claiming to be retiring. No law enforcement action was publicly attributed to the exit, suggesting the operator likely had good operational security and may be operating new campaigns under a different name.
Technical Breakdown
Understanding how these tools work requires looking at the mechanics of each attack vector. So let’s walk through them.
Mnemonic Crackers and Brute Force
A Bitcoin seed phrase, or mnemonic, is a sequence of 12, 15, 18, 21, or 24 English words. The words are drawn from the BIP39 word list, which contains exactly 2048 words. This means a 12-word seed phrase represents 2048^12, or roughly 5 x 10^39, possible combinations. That is astronomically large. But it is also finite.
A mnemonic brute force tool does not generate mnemonics randomly. Instead, it uses a wordlist and systematically generates combinations, typically in dictionary order or based on frequency analysis. Each generated mnemonic is used to derive public Bitcoin addresses via the BIP32 standard. The tool then queries a Bitcoin blockchain API or a local blockchain copy to check if those addresses hold funds.
The success rate depends on the blockchain. Bitcoin has around 900 million addresses with at least one transaction. The space of possible mnemonics is enormous, so brute force is impractical for a truly random search. But many users choose weak passphrases or do not add a passphrase at all, and some use common word patterns. Those are the targets.
Cloud GPU providers make the attack economic. For a few dollars an hour, an attacker can spin up instances with NVIDIA H100 GPUs, each capable of deriving and checking thousands of addresses per second. A sustained campaign lasting weeks could check billions of addresses at a marginal cost of fractions of a cent per address checked.
Wallet.dat Password Cracking
Bitcoin Core wallet files are stored in a binary format called wallet.dat. If the wallet is encrypted, the file is encrypted using a passphrase. The passphrase is hashed and used as a key for AES-256 encryption.
A wallet.dat cracker tool first extracts the encrypted private keys from the wallet file. It then performs a dictionary attack, hashing candidate passwords and attempting to decrypt the key material. If decryption succeeds, the tool has recovered the private key and can sign transactions.
The challenge for the attacker is that Bitcoin Core uses key stretching, specifically SHA-512, iterated 100,000 times on the passphrase. This makes brute force slow. Even with GPUs, testing a million passwords against a single wallet takes minutes or hours. But again, modern GPU acceleration and cloud computing make it feasible for high-value targets.
Fake USDT and Token Spoofing
USDT is issued by the Tether company, and on most blockchains, it is implemented as a smart contract. The token contract address is public and well-known. A fake USDT sender exploits this by creating a transaction that mimics a token transfer but is not actually executed on-chain.
The attack works like this: the attacker creates a transaction object that references the correct Tether contract address and shows a fake transfer from one address to another. They do not broadcast it to the blockchain. Instead, they inject it into the victim’s wallet interface or display it in a phishing site as if it had already settled.
When the victim sees the fake token in their wallet, they may attempt to withdraw it or trade it. Most wallets and exchanges check the blockchain for the transaction. But a carefully crafted spoof can appear in the transaction history without being fully confirmed. Victims are then prompted to approve a smart contract transaction to complete the withdrawal or trade. That approval signature is where the drainer takes control.
The trickery is not in the spoofing itself, but in the social engineering that surrounds it. The victim is led to believe they have received free tokens and that they need to take action to claim or access them.
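The defensive counterpart to the fake-sender trick is to credit a token deposit only from chain data, never from what a wallet interface or phishing page displays. The following is an added example written for this article, not code from SOS Intelligence or any wallet vendor. It models that check for an ERC-20 style token: the transaction must be mined, must not have reverted, must be buried under enough confirmations, and the Transfer event must be emitted by the canonical token contract rather than a look-alike contract that merely calls itself USDT. The contract addresses, receipts and confirmation threshold are constructed placeholders; only the Transfer event topic is the real ERC-20 value.

```python
"""Check that a claimed USDT deposit really settled on-chain.

Added example for this article, not code from SOS Intelligence or any wallet
vendor. All addresses and receipts below are constructed placeholders.
"""
from dataclasses import dataclass, field

# keccak256("Transfer(address,address,uint256)"), the ERC-20 Transfer event topic.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Placeholder: substitute the contract address the issuer publishes for the chain in use.
CANONICAL_USDT = "0x" + "11" * 20
REQUIRED_CONFIRMATIONS = 12


@dataclass
class Log:
    address: str      # contract that emitted the event
    topics: list      # [event signature, from (padded), to (padded)]
    data: str         # hex-encoded amount in base units


@dataclass
class Receipt:
    tx_hash: str
    status: int       # 1 = success, 0 = reverted
    block_number: int
    logs: list = field(default_factory=list)


def _topic_to_address(topic: str) -> str:
    """Topics are 32-byte words; the address is the low 20 bytes."""
    return "0x" + topic[-40:]


def verify_token_deposit(receipt, expected_to, chain_head, token=CANONICAL_USDT):
    """Return (settled, reason, amount_base_units) for a claimed deposit.

    A UI entry with no receipt is the fake-sender case: nothing was ever mined.
    """
    if receipt is None:
        return False, "no receipt: transaction was never mined", 0
    if receipt.status != 1:
        return False, "transaction reverted", 0
    confirmations = chain_head - receipt.block_number + 1
    if confirmations < REQUIRED_CONFIRMATIONS:
        return False, f"only {confirmations} confirmations", 0
    for log in receipt.logs:
        if len(log.topics) != 3 or log.topics[0].lower() != TRANSFER_TOPIC:
            continue
        if log.address.lower() != token.lower():
            # A Transfer event from any other contract is not USDT, whatever
            # name the token gives itself in the wallet UI.
            continue
        if _topic_to_address(log.topics[2]).lower() != expected_to.lower():
            continue
        return True, "settled", int(log.data, 16)
    return False, "no Transfer from the canonical contract to this address", 0


# Constructed sample data: one genuine transfer and one look-alike token.
DEPOSIT_ADDR = "0x" + "aa" * 20
SENDER_ADDR = "0x" + "bb" * 20
LOOKALIKE_TOKEN = "0x" + "22" * 20


def _pad(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")


def _transfer_log(contract, amount):
    return Log(contract, [TRANSFER_TOPIC, _pad(SENDER_ADDR), _pad(DEPOSIT_ADDR)], hex(amount))


GENUINE = Receipt("0x01", 1, 1000, [_transfer_log(CANONICAL_USDT, 2500 * 10**6)])
SPOOFED = Receipt("0x02", 1, 1000, [_transfer_log(LOOKALIKE_TOKEN, 2500 * 10**6)])


if __name__ == "__main__":
    head = 1011  # block 1000 has 12 confirmations at this head
    print(verify_token_deposit(GENUINE, DEPOSIT_ADDR, head))
    print(verify_token_deposit(SPOOFED, DEPOSIT_ADDR, head))
    print(verify_token_deposit(None, DEPOSIT_ADDR, head))
```

The three sample calls correspond to the three cases in the text: a real transfer from the canonical contract settles, a transfer from a look-alike contract is rejected even though its event looks identical, and a transaction that exists only in a wallet display (no receipt) is rejected outright.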
Reverse Bitcoin Transactions
Bitcoin transactions are broadcast to the network and then mined into blocks. Once a transaction is included in a block, it is essentially irreversible. But in the brief window between broadcast and inclusion in a block, a miner or someone with network access can potentially broadcast a conflicting transaction first.
A reverse transaction tool exploits this window. When a victim initiates a high-value transaction, the attacker intercepts the network broadcast or learns of the pending transaction through a mempool monitor. The attacker then constructs a conflicting transaction that sends the same inputs to their own address and broadcasts it to the network with a higher fee.
If the attacker’s transaction is included in a block first, the victim’s original transaction becomes invalid because the inputs have already been spent. The funds flow to the attacker instead. This is sometimes called a mempool race or front-running, and it requires network-level access or partnership with a miner. It is not reliable, but it is effective enough that criminals are paying for it.
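From the receiving side, the mempool race described above has two practical answers: notice when a second unconfirmed transaction spends an input that an earlier one already claimed, and never release goods against a zero-confirmation payment of any size. The following is an added example written for this article, not code from SOS Intelligence or from any node software; it models a conflict monitor fed from a mempool view plus a confirmation policy that scales with the amount. The transaction records, txids, outpoints and thresholds are constructed placeholders.

```python
"""Flag conflicting spends in the mempool and refuse to treat them as settled.

Added example for this article, not code from SOS Intelligence or any node
software. Transaction records, txids and thresholds are constructed.
"""


class MempoolConflictMonitor:
    """Track which unconfirmed transaction first claimed each outpoint."""

    def __init__(self):
        self.spenders = {}       # (prev_txid, vout) -> first txid seen spending it
        self.alerts = []

    def observe(self, tx):
        """Record an unconfirmed tx; return the earlier txids it conflicts with."""
        conflicts = set()
        for outpoint in tx["inputs"]:
            prior = self.spenders.get(outpoint)
            if prior is None:
                self.spenders[outpoint] = tx["txid"]
            elif prior != tx["txid"]:
                conflicts.add(prior)
        if conflicts:
            self.alerts.append({
                "txid": tx["txid"],
                "conflicts_with": sorted(conflicts),
                "fee_rate_sat_vb": tx["fee_rate_sat_vb"],
            })
        return sorted(conflicts)


def required_confirmations(amount_btc):
    """Confirmations to wait before releasing goods; larger value, deeper burial."""
    if amount_btc < 0.01:
        return 1
    if amount_btc < 1:
        return 3
    return 6


def payment_is_final(amount_btc, confirmations, conflicted):
    """An unconfirmed payment with a known conflicting spend is never final."""
    if conflicted and confirmations == 0:
        return False
    return confirmations >= required_confirmations(amount_btc)


# Constructed sample: the customer's payment, an unrelated transaction, and a
# higher-fee transaction spending the customer's input that appeared afterwards.
CUSTOMER_TX = {"txid": "tx_customer", "inputs": [("prev_a", 0)], "fee_rate_sat_vb": 5}
UNRELATED_TX = {"txid": "tx_other", "inputs": [("prev_b", 1)], "fee_rate_sat_vb": 8}
CONFLICT_TX = {"txid": "tx_conflict", "inputs": [("prev_a", 0)], "fee_rate_sat_vb": 40}


def run_demo():
    """Feed the sample mempool through the monitor and apply the settlement rule."""
    monitor = MempoolConflictMonitor()
    monitor.observe(CUSTOMER_TX)
    monitor.observe(UNRELATED_TX)
    conflicts = monitor.observe(CONFLICT_TX)
    final = payment_is_final(1.5, 0, conflicted=bool(conflicts))
    return conflicts, monitor.alerts, final


if __name__ == "__main__":
    print(run_demo())
```

The alert carries the competing fee rate because, as the text notes, the conflicting transaction is normally the one paying more; a payment processor that sees such an alert should stop treating the customer's transaction as pending and wait for whichever version confirms.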
Clipboard Hijacking and Browser Injection
A simpler attack vector, but still effective, is clipboard hijacking. Some wallet drainers include code that monitors the victim’s clipboard for wallet addresses. When it detects a Bitcoin or Ethereum address, it replaces it with the attacker’s address.
A user copies a withdrawal address from a trusted source, pastes it into their wallet, and unknowingly sends funds to the attacker instead of their intended destination. The attack is hidden, requires no victim interaction beyond copy-paste, and exploits the assumption that the clipboard is a secure location for temporary data.
Clipboard hijacking is often deployed via browser extensions or by compromising popular wallet software. It is not as profitable as wallet draining, but it is persistent and low effort.
Dark Web Crypto Fraud Markets
Let’s consolidate what we found on dark web marketplaces into a clearer picture.

Wallet Drainer Families and Scale
Wallet drainers are the largest profit engine in crypto fraud. Here is what we know about the major players.

Attack Vectors and Detection Difficulty
Not all crypto fraud is equally easy to defend against. So here is a breakdown of the main attack vectors and how difficult they are to detect.

The Money Laundering Pipeline
Stolen crypto is not useful if the attacker cannot convert it back to cash. So understanding the laundering pipeline is critical to understanding the full economic model of crypto fraud.
Mixing and Tumblers
The simplest laundering step is a mixer, also called a tumbler. A mixer is a service that pools coins from multiple users and then redistributes them in ways that break the chain of custody. If I send 1 BTC to a mixer, I do not get the same 1 BTC back. I get 1 BTC that came from someone else’s deposit.
Mixers are sometimes voluntary services that users employ to protect their privacy. But in the context of stolen funds, they are money laundering tools. Law enforcement has been cracking down on mixing services, but many still operate, especially on the dark web.
Swap Services and Atomic Swaps
Another approach is to convert Bitcoin to a different cryptocurrency that has stronger privacy properties. We found references to swap services running on Tor, such as swp.cx, which claim to execute cryptographic atomic swaps between Bitcoin and Monero without requiring custody of the funds.
The attacker sends BTC to the service, which then sends Monero back to the attacker. Monero is pseudo-anonymous and much harder to trace on the blockchain. From there, the attacker can convert to other coins or cash out to fiat via less-regulated exchanges.
Privacy Coins
Privacy coins like Monero use ring signatures and stealth addresses to obscure the sender, receiver, and transaction amount on the blockchain. A transaction in Monero cannot be traced by following the chain of public addresses. This makes Monero the preferred destination for stolen BTC.
The conversion happens on a swap service or exchange. The attacker loses a small percentage to fees and exchange rates, but gains plausible deniability. Once in Monero, the funds are effectively invisible to on-chain analysis.
Chain Hopping and OTC Markets
The most sophisticated attackers use chain hopping: moving stolen funds across multiple blockchains and currencies before cashing out. Bitcoin to Ethereum to Monero to a stablecoin to a privacy token and back. Each hop adds complexity and expense, but it also significantly increases the cost of forensic analysis.
Finally, the attacker accesses over-the-counter (OTC) brokers, often in countries with weak AML enforcement or corrupt officials. They sell large quantities of crypto for cash, receiving wire transfers to bank accounts in their name or under shell companies. These OTC brokers do not ask difficult questions and are incentivised to facilitate large transactions.
Casino Bonus Exploitation
One lesser-known crypto fraud vector is casino bonus exploitation. Online casinos offer sign-up bonuses to new players: deposit $100, get a $100 bonus. To claim the bonus, you must meet a turnover requirement, usually 30 to 50 times the bonus amount. This is designed to be difficult.

But with access to stolen payment methods and identity documents, a fraudster can create dozens or hundreds of accounts and claim bonuses using different identities. A casino bonus exploitation kit, selling for $150 to $350 on the dark web, automates this process. The kit includes scripts to bypass identity verification, claim bonuses, meet turnover requirements using automated play, and cash out.
The profit margins are high. A $3,000 to $10,000 bonus can be turned into actual cash if the attacker is patient and covers their tracks. The casinos absorb the losses, and usually do not prosecute because of the reputational and legal costs.
Scale of the Problem
To appreciate the scale, consider the raw numbers.
Sixteen billion compromised accounts are for sale on dark web markets. That is more than twice the world population. Many accounts are duplicates across multiple breaches, but the number still represents massive exposure. Any crypto user with an email address used on a commonly breached service is a potential target for credential-based attacks.
Stolen Bitcoin wallets with known balances, in the hundreds or thousands of BTC, are actively listed on the marketplace. These are not speculative. These are wallets that have been compromised and whose balances have been verified.
Wallet-drainer families have collectively stolen $300 million or more in the last two years. Many attacks go unattributed and unreported, especially from users in countries with weak cybercrime reporting infrastructure. The true number is certainly higher.
The tools themselves are cheap. A full-featured drainer costs $100 to $500 per month to rent. A mnemonic cracker is a few hundred dollars. An investment of a few thousand dollars can yield millions in stolen crypto. The economics are favourable for the attacker. They are not favourable for the defender.
How SOS Intelligence Monitors Crypto Threats
SOS Intelligence has been monitoring these dark web markets since 2024. Our approach focuses on two core capabilities.
DARKSEARCH Crawling and Indexing
Our DARKSEARCH crawler maintains a running index of major dark web marketplaces, including the venues where crypto fraud tools are sold. We track new tool releases, pricing changes, operator behaviour, and customer feedback. This gives us a real-time view of the threat landscape.
We extract and parse product listings, vendor history, and customer reviews. We track changes in pricing, which often correlate with law enforcement action or shifting market dynamics. When a major drainer family exits or goes dark, we identify the shift early and begin looking for successor operations.
Cryptocurrency Address Monitoring
We also monitor the blockchain itself for known crypto fraud addresses. When a wallet drainer operation is disrupted or a perpetrator is identified, their associated addresses often remain public. We track these addresses for ongoing movement of funds, which can identify new campaigns or money laundering patterns.
By correlating blockchain data with dark web intelligence, we can often connect a phishing campaign to a drainer family, and that family to a money laundering pipeline. This gives our customers early warning before their users are targeted.
Defensive Recommendations
For crypto holders and exchanges, defence is possible. So here is what we recommend.
For Individual Crypto Holders
Use hardware wallets for significant amounts. Hardware wallets store private keys offline and require physical confirmation of transactions. They are resistant to mnemonic cracking, wallet.dat attacks, and phishing.
If you use hot wallets, use strong and unique passphrases. Do not use dictionary words or common patterns. Use a password manager to generate and store passphrases. This makes brute force attacks impractical.
Never approve transactions on suspicious sites or in response to unsolicited messages. Drainers rely on approval signatures. If you do not approve, you do not lose funds.
Monitor your wallet addresses for unauthorised transactions. Set up blockchain monitoring alerts on your addresses. If funds start moving without your action, you can investigate immediately.
Use two-factor authentication on exchange accounts. Many drainers target exchange credentials. MFA, even SMS-based MFA, adds a layer of protection.
For Exchanges and Custodians
Implement withdrawal limits and delays. If a customer’s account is compromised, a withdrawal delay gives the customer time to notice the anomaly and cancel the transaction.
Monitor for suspicious wallet addresses in withdrawals. If a customer is withdrawing to a known drainer address or money laundering service, flag it for review.
Educate users about phishing. Many victims do not realise they have been compromised until weeks after the attack. Clear guidance on how to identify phishing reduces successful attacks.
Implement address whitelisting. Allow customers to whitelist trusted withdrawal addresses and require manual override for new addresses. This blocks many spontaneous account takeovers.
Work with blockchain analysis firms to identify incoming funds from known stolen addresses. Money laundering at scale means some stolen funds flow into honest people’s wallets. Detecting and blocking this upstream reduces the utility of theft.
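The five exchange-side controls above, together with the known-address monitoring described in the Cryptocurrency Address Monitoring section, fit naturally into a single screening step that runs before a withdrawal is signed. The following is an added example written for this article, not SOS Intelligence code or any exchange's implementation. It blocks destinations on a known drainer or laundering-service list, holds withdrawals to addresses the customer has not whitelisted until a manual override, holds withdrawals that would breach a daily limit, and delays large withdrawals so the customer has time to notice an unauthorised request. The address lists, limits, account and requests are all constructed placeholders.

```python
"""Screen an exchange withdrawal request before it is signed and broadcast.

Added example for this article, not SOS Intelligence or any exchange's code.
Address lists, limits and requests are constructed placeholders.
"""
from dataclasses import dataclass, field

# Placeholder list; in practice fed by blockchain-analysis and threat intel feeds.
KNOWN_BAD_ADDRESSES = {"bc1qdrainer_placeholder", "bc1qmixer_placeholder"}
LARGE_WITHDRAWAL_BTC = 0.5       # above this, impose a delay and notify the customer
DELAY_HOURS = 24


@dataclass
class Account:
    customer_id: str
    whitelist: set = field(default_factory=set)   # customer-approved destinations
    withdrawn_24h_btc: float = 0.0
    daily_limit_btc: float = 2.0


@dataclass
class Decision:
    action: str          # "allow", "delay", "hold", or "block"
    reason: str
    delay_hours: int = 0


def screen_withdrawal(account, destination, amount_btc):
    """Return a Decision; checks run from most to least severe."""
    if destination in KNOWN_BAD_ADDRESSES:
        return Decision("block", "destination on known drainer/laundering list")
    if destination not in account.whitelist:
        return Decision("hold", "destination not whitelisted; manual override required")
    if account.withdrawn_24h_btc + amount_btc > account.daily_limit_btc:
        return Decision("hold", "daily withdrawal limit exceeded")
    if amount_btc > LARGE_WITHDRAWAL_BTC:
        return Decision("delay", "large withdrawal; customer notified", DELAY_HOURS)
    return Decision("allow", "whitelisted destination within limits")


# Constructed sample account and requests.
ALICE = Account("alice", whitelist={"bc1qalice_hardware_placeholder"}, withdrawn_24h_btc=0.2)

SAMPLE_REQUESTS = [
    ("bc1qalice_hardware_placeholder", 0.1),    # routine transfer to own hardware wallet
    ("bc1qalice_hardware_placeholder", 0.8),    # large but to a trusted destination
    ("bc1qnewaddress_placeholder", 0.1),        # never-seen destination
    ("bc1qdrainer_placeholder", 0.3),           # destination on the intel list
    ("bc1qalice_hardware_placeholder", 1.9),    # would exceed the daily limit
]


def screen_all(account=ALICE, requests=SAMPLE_REQUESTS):
    """Apply the screen to each request and return the resulting actions."""
    return [screen_withdrawal(account, dest, amt).action for dest, amt in requests]


if __name__ == "__main__":
    for (dest, amt), action in zip(SAMPLE_REQUESTS, screen_all()):
        print(f"{amt:>4} BTC -> {dest}: {action}")
```

Order matters: the known-bad check runs first so that a compromised account cannot whitelist a drainer address and then withdraw to it, and the whitelist check runs before the limit checks so that the common account-takeover pattern (new destination, modest amount) is held rather than merely delayed.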
Conclusion
Cryptocurrency fraud is not a niche problem. It is a $300 million to $500 million per year industry, with efficient, scalable tools and business models. The tools are cheap, the barriers to entry are low, and the margins are enormous.
The most striking finding is not the theft itself, but the industrialisation of fraud. DaaS offerings like Angel Drainer and Inferno Drainer have turned wallet draining into a franchise model. Anyone with a phishing campaign and a few hundred dollars can become a crypto criminal. This scale is what makes the problem so difficult to solve.
Detection is possible but hard. Many attacks leave no blockchain signature. Most attacks are indistinguishable from normal user behaviour. And the speed of the ecosystem means new tools and evasion techniques emerge constantly.
The path forward requires three things. First, better security practices from users. Hardware wallets and strong passphrases are not sexy, but they work. Second, better tooling from exchanges and custodians. Withdrawal limits, address whitelisting, and outgoing transaction monitoring can block many attacks. Third, continued law enforcement and intelligence work to disrupt the most profitable operations.
SOS Intelligence will continue monitoring these threats. We will continue indexing dark web marketplaces and tracking the money laundering pipelines. We will continue alerting our customers when we identify attacks targeted at their users. And we will continue building the tools that make attribution and defence possible.
Appendix: DARKSEARCH Observed Listings
Between February 2026 and March 2026, our DARKSEARCH crawlers observed the following active marketplace listings offering cryptocurrency fraud tools and services. All onion URLs are defanged to prevent accidental access.

External References
This report draws on the following open-source intelligence and blockchain security research:
- Chainalysis (2025). 2025 Crypto Crime Report. Available at: https://www.chainalysis.com/reports/crypto-crime-report-2025/. Documents wallet drainer losses exceeding $500 million in 2024; tracks drainer family evolution and exit patterns.
- ScamSniffer (2024-2026). Wallet Drainer Tracking. Available at: https://scamsniffer.io. Real-time tracking of Angel Drainer, Inferno Drainer, and Pink Drainer operational signatures across blockchain transactions.
- SlowMist (2024-2026). Blockchain Security Research. Available at: https://slowmist.medium.com. Technical analysis of wallet drainer mechanics, transaction patterns, and operational security.
- Elliptic (2024-2026). Blockchain Analytics Research. Available at: https://www.elliptic.co. Tracks money laundering pipelines, privacy coin conversions, and OTC broker involvement in stolen funds movement.
- FBI IC3 (2024). Internet Crime Complaint Center – Cryptocurrency Fraud Statistics. Available at: https://ic3.gov. Official statistics on reported cryptocurrency fraud, wallet draining, and wallet compromise cases.
- Atomic Wallet Security Incident (June 2023). Initial reports and analysis of $35 million hack attributed to Lazarus Group; tracked credential circulation on dark web marketplaces through 2026.
- MITRE ATT&CK Framework. Cryptocurrency Fraud Tactics. Documents attack patterns including credential dumping (T1005), phishing for information (T1598), and signed script proxy execution (T1216).
Header image by Art Rachen on Unsplash
Wallet by Emil Kalibradov on Unsplash
Drain by Daniel Dan on Unsplash
Casino by Michał Parzuchowski on Unsplash