Dark web threads discussing crypto-drainers – malware designed to swiftly drain cryptocurrency wallets – saw a significant rise in 2024, as revealed by the latest Kaspersky Security Bulletin. Kaspersky also reported a 40% spike in corporate database ads on a prominent dark web forum, highlighting cybercriminals’ growing focus on data breaches. Additional trends include a shift of cybercriminals from Telegram back to forums, the proliferation of stealers and drainers via Malware-as-a-Service, a rise in various types of cyberthreats targeting the Middle East, and more.
A surge in interest for crypto-drainers
In 2024, Kaspersky Digital Footprint Intelligence experts saw a notable surge of interest in crypto-drainers across dark web markets. A drainer is a type of malware that emerged around three years ago and is designed to trick its victims into authorizing fraudulent transactions to steal funds from their wallets. Common methods include fake airdrops, phishing sites, malicious browser extensions, deceptive ads, malicious smart contracts, and fake NFT marketplaces.
The number of dark web threads discussing drainers increased by 135%, from just 55 in 2022 to 129 in 2024. In these threads, cybercriminals discuss various topics, ranging from buying and selling this type of malicious software to assembling teams for distribution, and beyond.
The number of unique threads on drainers on the dark web.
Source: Kaspersky Digital Footprint Intelligence
“In light of this trend, the interest of cybercriminals in crypto-drainers and related attacks is likely to grow further in 2025,” says Alexander Zabrovsky, a security expert at Kaspersky Digital Footprint Intelligence. “This means crypto enthusiasts need to be more vigilant than ever, adopting robust crypto security measures. Meanwhile, companies should focus on educating their customers and employees while actively monitoring their online presence to reduce the risk of successful attacks. Drainers often employ social engineering tactics to ultimately steal funds. They may be exploiting well-known wallet and exchange brands to lure victims into revealing their wallet information or making fraudulent transactions. Regularly searching for brand mentions on search engines, social media, and marketplaces is essential. If any phishing or fraudulent sites are identified, they can be taken down promptly, preventing potential victims from falling prey to these scams. Utilizing dedicated tools can greatly enhance this monitoring process.”
The rise in advertisements for alleged data breaches
Other threats expected to gain momentum in 2025 include data breaches and leaks. Kaspersky researchers have observed a rise in corporate database advertisements on one of the popular shadow forums. Specifically, the number of posts buying and selling databases increased by 40% between August and November 2024, compared to the same period the previous year. While some of this growth may partially stem from reposting of older leaks, cybercriminals are clearly interested in distributing leaked data – whether new or old.
The number of dark web posts selling and buying databases. One of the popular forums, August 2023-November 2024. Source: Kaspersky Digital Footprint Intelligence
“Not every advertisement of a data breach on the dark web stems from a genuine incident. Some ‘offers’ may simply be well-marketed materials. For example, certain databases might combine publicly available information or previously leaked data, presenting it as breaking news. By making such claims, cybercriminals can generate publicity, create buzz, and tarnish the reputation of the targeted company simply by announcing a data breach. This underscores the growing importance of monitoring corporate mentions and assets on the dark market, allowing for proactive defense and immediate response,” elaborated Alexander Zabrovsky.
Given the rising trend of supply chain and similar attacks, 2025 is anticipated to witness an increase in data breaches overall, particularly those stemming from attacks on major companies’ contractors.
Other emerging trends on the dark web market in 2025 include:
- Migration from Telegram to dark web forums: despite a spike in cybercriminal activity on Telegram in 2024, the shadow community is expected to shift back to forums. Telegram channels are increasingly being banned, as reported by their administrators, driving this migration.
- Increase in high-profile law enforcement operations against cybercrime groups. This year was a significant one in the global high-profile fight against cybercrime. Kaspersky experts anticipate that 2025 will bring an increase in arrests and takedowns of cybercriminal group infrastructures and forums that receive publicity. In turn, in response to the successful operations of 2024, threat actors are likely to shift their tactics, migrating to invitation-only forums.
- Fragmentation of ransomware groups. Ransomware groups may fragment into smaller, independent units, making them harder to track. This decentralization allows cybercriminals to operate more flexibly while staying under the radar of law enforcement and cybersecurity firms.
- Stealers and drainers will likely see a rise in promotion via the Malware-as-a-Service model. Moreover, various data and credentials stolen with the use of these types of malware are expected to be increasingly sold on shadow forums.
- Escalating threat landscape in the Middle East. The region is witnessing an increase in hacktivism driven by ongoing geopolitical tensions. If these tensions do not subside in 2025, hacktivism is expected to intensify further. Furthermore, Kaspersky experts anticipate a continued rise in ransomware attacks in the Middle East, given that the number of ransomware victims increased from an average of 28 per half-year in 2022-2023 to 45 in the first half of 2024.
To guard against data-stealing malware, leaks, and other dark web-related activities, individuals are advised to use comprehensive security solutions on all devices. These solutions help prevent infections and alert users to potential dangers. Businesses, on the other hand, should proactively monitor the dark web for signs of cybercriminal activity that could threaten corporate assets. Kaspersky Digital Footprint Intelligence has developed a comprehensive playbook to guide companies on how to respond to dark web activities involving their organization.
Read more on dark web market trends on Securelist.