Dark web threads discussing crypto-drainers – malware designed to drain cryptocurrency wallets – saw a rise in 2024, as revealed by the Kaspersky Security Bulletin.
Kaspersky reported a “40% spike” in corporate database ads on a prominent dark web forum, highlighting cybercriminals’ “growing focus on data breaches.”
Other trends include cybercriminals shifting from Telegram back to forums, the proliferation of stealers and drainers via Malware-as-a-Service, and a rise in “various types of cyberthreats targeting the Middle East, and more.”
In 2024, Kaspersky Digital Footprint Intelligence experts saw “a notable surge of interest in crypto-drainers across dark web markets.”
A drainer is a type of malware that emerged around three years ago and is designed to trick its victims into “authorizing fraudulent transactions to steal funds from their wallets.”
Common methods include fake airdrops, phishing sites, malicious browser extensions, “deceptive” ads, malicious smart contracts, as well as “fake NFT marketplaces.”
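The “fraudulent transaction” a drainer needs the victim to sign is very often not a transfer at all but a token approval: an unlimited ERC-20 allowance or an ERC-721 `setApprovalForAll` granted to the attacker’s contract, after which the drainer moves the assets in a later transaction of its own. The following is an added illustration, not code from the Kaspersky bulletin: a wallet-side heuristic in JavaScript that decodes the calldata a dApp asks the user to sign and flags those approval patterns. The function selectors are the standard ERC-20/ERC-721 ones; the sample calldata, the addresses and the “trusted spenders” allowlist are constructed for the example.

```javascript
// Added example, not part of the Kaspersky bulletin. Decodes raw calldata for
// the standard approval/transfer selectors and flags patterns drainers rely on.
// Addresses and calldata below are constructed test values.

const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",              // ERC-20 / ERC-721
  "0xa22cb465": "setApprovalForAll(address,bool)",       // ERC-721 / ERC-1155
  "0xa9059cbb": "transfer(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
};

// An allowance at or above 2^255 is, for practical purposes, unlimited.
const UNLIMITED_THRESHOLD = 1n << 255n;

// i-th 32-byte ABI argument word after the 4-byte selector, as 64 hex chars.
function word(data, i) {
  const start = 8 + i * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return w;
}
const asAddress = (w) => "0x" + w.slice(24);   // address = low 20 bytes of the word
const asUint = (w) => BigInt("0x" + w);

// Decode the selector and the arguments we care about; unknown selectors are
// returned undecoded so the caller can still show them to the user.
function decodeCalldata(calldata) {
  const data = calldata.toLowerCase().replace(/^0x/, "");
  const selector = "0x" + data.slice(0, 8);
  const fn = SELECTORS[selector];
  switch (fn) {
    case "approve(address,uint256)":
      return { fn, spender: asAddress(word(data, 0)), amount: asUint(word(data, 1)) };
    case "setApprovalForAll(address,bool)":
      return { fn, operator: asAddress(word(data, 0)), approved: asUint(word(data, 1)) === 1n };
    case "transfer(address,uint256)":
      return { fn, to: asAddress(word(data, 0)), amount: asUint(word(data, 1)) };
    case "transferFrom(address,address,uint256)":
      return { fn, from: asAddress(word(data, 0)), to: asAddress(word(data, 1)), amount: asUint(word(data, 2)) };
    default:
      return { fn: null, selector };
  }
}

// trustedSpenders: lowercase addresses the user has deliberately allowlisted
// (hypothetical input; a real wallet would source this from the user's settings).
function assessApproval(calldata, trustedSpenders = new Set()) {
  const d = decodeCalldata(calldata);
  const warnings = [];
  if (d.fn === "approve(address,uint256)") {
    if (d.amount >= UNLIMITED_THRESHOLD) warnings.push("unlimited ERC-20 allowance");
    if (!trustedSpenders.has(d.spender)) warnings.push(`spender ${d.spender} not in allowlist`);
  } else if (d.fn === "setApprovalForAll(address,bool)" && d.approved) {
    warnings.push("grants operator control over every token in the collection");
    if (!trustedSpenders.has(d.operator)) warnings.push(`operator ${d.operator} not in allowlist`);
  }
  return { decoded: d, risky: warnings.length > 0, warnings };
}

// Constructed samples: a drainer-style unlimited approval, a bounded approval to
// a known spender, and a setApprovalForAll(operator, true).
const SPENDER = "0xabababababababababababababababababababab";
const SPENDER_WORD = "0".repeat(24) + SPENDER.slice(2);
const SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER_WORD + "f".repeat(64);
const SAMPLE_BOUNDED_APPROVE = "0x095ea7b3" + SPENDER_WORD + "0".repeat(61) + "3e8"; // 1000
const SAMPLE_SET_APPROVAL_ALL = "0xa22cb465" + SPENDER_WORD + "0".repeat(63) + "1";

for (const c of [SAMPLE_UNLIMITED_APPROVE, SAMPLE_BOUNDED_APPROVE, SAMPLE_SET_APPROVAL_ALL]) {
  const r = assessApproval(c, new Set([SPENDER]));
  console.log(r.decoded.fn, r.risky ? "RISKY: " + r.warnings.join("; ") : "ok");
}
```

The point of the check is that a wallet prompt showing only “Approve” and a token name gives the victim nothing to judge; decoding the spender and the amount makes the unlimited allowance to an unfamiliar contract visible before it is signed. A production wallet would extend the table with permit-style signatures and the ERC-2612/Permit2 flows, which this example does not cover.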
The number of dark web threads discussing drainers increased “by 135%, from just 55 in 2022 to 129 in 2024.”
In these threads, cybercriminals discuss various topics, ranging from buying and “selling this type of malicious software to assembling teams for distribution, and beyond.”
As the bulletin notes, companies should focus on “educating their customers and employees while actively monitoring their online presence to reduce the risk of successful attacks.”
Drainers often employ social engineering tactics to “ultimately steal funds.”
They may exploit well-known wallet and exchange brands to lure victims into “revealing their wallet information or making fraudulent transactions.”
Regularly searching for brand mentions on search engines, social media, and marketplaces is “essential.”
If any phishing or fraudulent sites are identified, they can be taken down promptly, “preventing potential victims from falling prey to these scams. Utilizing dedicated tools can greatly enhance this monitoring process.”
Other threats expected to gain momentum in 2025 include “data breaches and leaks.”
Kaspersky researchers observed a rise in “corporate database advertisements on one of the popular shadow forums.”
Specifically, the number of posts buying and selling databases “increased by 40% between August and November 2024, compared to the same period the previous year.”
While some of this growth may stem from reposting of older leaks, cybercriminals are clearly interested in “distributing leaked data – whether new or old.”
Given the trend of supply chain and similar attacks, 2025 is anticipated to witness an increase in data breaches overall, “particularly those stemming from attacks on major companies’ contractors.”
Other emerging trends on the dark web market in 2025 include:
- Migration from Telegram to dark web forums: despite a spike in cybercriminal activity on Telegram in 2024, the shadow community is expected to shift back to forums. Telegram channels are increasingly being banned, according to their administrators, which is driving this migration.
- Increase in high-profile law enforcement operations against cybercrime groups. 2024 was a significant year in the global fight against cybercrime. Kaspersky experts anticipate that 2025 will bring more publicized arrests and takedowns of cybercriminal group infrastructures and forums. In response to the successful operations of 2024, threat actors are likely to shift their tactics and migrate to invitation-only forums.
- Fragmentation of ransomware groups. Ransomware groups may fragment into smaller, independent units, making them harder to track. This decentralization allows cybercriminals to operate more flexibly while staying under the radar of law enforcement and cybersecurity firms.
Stealers and drainers will likely see a “rise in promotion via Malware-as-a-Service model.”
Moreover, various data and credentials stolen with the “use of these types of malware are expected to be increasingly sold on shadow forums.”
The Middle East is witnessing an increase in hacktivism “driven by ongoing geopolitical tensions.”
If these tensions do not subside in 2025, hacktivism is “expected to intensify further.”
Kaspersky experts anticipate a rise in ransomware attacks in the Middle East, given that the number of ransomware victims “increased from an average of 28 per half-year in 2022-2023 to 45 in the first half of 2024.”
To guard against data-stealing malware, leaks, and other dark web-related activities, individuals are “advised to use security solutions on all devices.”
These solutions help prevent infections and alert users to potential dangers. Businesses, on the other hand, should “proactively monitor the dark web for signs of cybercriminal activity that could threaten corporate assets.”
Kaspersky Digital Footprint Intelligence has developed a playbook to guide companies on how to “respond to dark web activities involving their organization.”
Established in 2008, the Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering “APTs, cyber-espionage campaigns, major malware, ransomware, and underground cyber-criminal trends across the world.”
Today GReAT consists of 40+ professionals working globally – in Europe, Russia, Latin America, Asia and the Middle East.
Its security professionals provide the company with leadership in anti-malware research and innovation, bringing “expertise, passion and curiosity to the discovery and analysis of cyberthreats.”