Dark Web Sees 135% Spike in Crypto-Drainer Discussions, Signaling Rising Threat: Kaspersky

Discussions surrounding crypto-drainers, malicious software designed to drain cryptocurrency wallets, have surged by 135% on dark web forums.

Discussions related to crypto-drainers on the dark web rose from 55 threads in 2022 to 129 threads in 2024, according to a report from global cybersecurity firm Kaspersky.

These forums have become a hub for cybercriminals to buy, sell, and distribute malware, as well as to recruit collaborators for broader distribution efforts.

Interest in Illicit Trade Increases

The significant uptick in discussions around crypto-drainers suggests a growing interest in the illicit trade and development of these tools among cybercriminals, per the report.

Crypto-drainers, which have been active for about three years, operate by deceiving users into authorizing fraudulent transactions.

Cybercriminals use tactics such as phishing websites, fake airdrops, malicious browser extensions, fraudulent smart contracts, and counterfeit NFT marketplaces to achieve their goals.

Alexander Zabrovsky, a cybersecurity expert at Kaspersky, warned that this upward trend in crypto-drainer activity is likely to continue in 2025.

He urges companies and organizations to increase vigilance, monitor their digital presence, and act quickly to counter fraudulent activity.

Drainers often exploit the brand recognition of major wallets and exchanges to lure unsuspecting victims.

Kaspersky’s report also highlights a 40% increase in the number of posts advertising corporate databases on one of the most active dark web forums.

From August to November 2024, the volume of such posts grew significantly.

While some of these database offers include old leaks disguised as new, they indicate persistent demand for corporate data.

Dark web and dark market in 2025: What’s next? 🌐

Our latest predictions reveal:
– Rise in trusted relationship attacks and real/fake data leaks
– Cybercriminals shifting back to #darkweb forums as #Telegram bans increase
– META region poised for a surge in hacktivism and… pic.twitter.com/0iEePvZmYR

— Kaspersky (@kaspersky) December 19, 2024

Zabrovsky said that certain breach advertisements are entirely fake, often blending publicly available information with older leaked data.

These tactics are used to damage corporate reputations or generate attention in underground markets.

He advised companies to track mentions of their brands and data on dark web platforms to enable a swift response to potential breaches.

Cybersecurity Landscape for 2025

Kaspersky’s forecast for 2025 predicts a shift in cybercriminal behavior.

Criminals are expected to retreat from Telegram channels back to dark web forums following a wave of bans targeting Telegram-based operations.

Additionally, increased law enforcement action against major cybercrime groups in 2024 may push bad actors toward invite-only forums to evade detection.

The threat of ransomware is also evolving. Kaspersky anticipates ransomware groups will splinter into smaller, more nimble units, making it harder for authorities to track and dismantle them.

Malware-as-a-Service (MaaS) operations, which enable criminals to rent out drainers and stealers, are also expected to grow.

This will likely result in a larger volume of stolen data being sold on underground platforms.

The Middle East is particularly vulnerable to this evolving threat landscape.

Geopolitical tensions in the region are expected to fuel a rise in hacktivism and ransomware attacks.

Data shows that ransomware victims in the region increased from an average of 28 per half-year in 2022-2023 to 45 in the first half of 2024.

More recently, it was revealed that cybersecurity scammers are using automated email replies to compromise systems and deliver stealthy crypto mining malware.

This came on the heels of another malware threat identified in August.

The “Cthulhu Stealer,” which affects MacOS systems, similarly disguises itself as legitimate software and targets personal information, including MetaMask passwords, IP addresses, and cold wallet private keys.