Cryptocurrency Theft Detailed Report: Sold for Only $105 on the Dark Web

marsbitPublicado a 2025-12-29Actualizado a 2025-12-29

Resumen

Phishing attacks go beyond stealing credentials through fake links. Stolen data is quickly commodified on the dark web. This report traces how data is collected via email, Telegram bots, and administration panels (like BulletProofLink), then sold and reused in future attacks. Data types range from instantly monetizable information (bank cards, e-wallet logins) to data used for follow-up attacks (account credentials, phone numbers) or targeted schemes (biometric data, ID scans). Analysis shows 88.5% of attacks in early 2025 aimed to steal online account credentials. On dark web markets, data is packaged, validated, and sold—often via Telegram—with prices varying based on account age, balance, and attached services. Old leaked data remains dangerous, as criminals compile comprehensive digital profiles for highly targeted attacks like whaling. Once stolen, it doesn’t disappear. Users must use unique passwords, enable multi-factor authentication, and monitor their digital footprint to reduce risk.

Author: Olga Altukhova Editor: far@Centreless

Compiled by: Centreless X(Twitter)@Tocentreless

Typical phishing attacks often involve users clicking on a fraudulent link and entering their credentials on a fake website. However, the attack is far from over at this point. Once sensitive information falls into the hands of cybercriminals, it immediately becomes a commodity, entering the "pipeline" of the dark web market.

In this article, we will trace the flow path of stolen data: from data collection through various tools (such as Telegram bots and advanced admin panels), to the sale of the data and its subsequent use in new attacks. We will explore how once-leaked usernames and passwords are integrated into vast digital profiles, and why data leaked years ago can still be exploited by criminals to carry out targeted attacks.

Data Collection Mechanisms in Phishing Attacks Before tracking the subsequent whereabouts of stolen data, we first need to understand how this data leaves the phishing page and reaches the cybercriminals.

Through the analysis of real phishing pages, we have identified the following most common data transmission methods:

  • Sent to an email address
  • Sent to a Telegram bot
  • Uploaded to an admin panel

It is worth mentioning that attackers sometimes use legitimate services for data collection to make their servers harder to detect. For example, they may use online form services like Google Forms, Microsoft Forms, etc. Stolen data may also be stored on GitHub, Discord servers, or other websites. However, for the convenience of this analysis, we will focus on the main data collection methods mentioned above.

Email

The data entered by the victim into the HTML form on the phishing page is sent to the attacker's server via a PHP script, which then forwards it to an email address controlled by the attacker. However, due to the many limitations of email services—such as delivery delays, the possibility of the hosting provider banning the sending server, and operational inconvenience when handling large amounts of data—this method is gradually decreasing.

Phishing kit contents

For example, we once analyzed a phishing kit targeting DHL users. The index.php file contained a phishing form for stealing user data (here, email address and password).

Phishing form imitating the DHL website

The information entered by the victim is then sent to the email address specified in the mail.php file via a script in the next.php file.

Contents of the PHP scripts

Telegram Bot

Unlike the method above, scripts using a Telegram bot specify a Telegram API URL containing a bot token and corresponding Chat ID, rather than an email address. In some cases, this link is even hardcoded into the phishing HTML form. Attackers design detailed message templates to be automatically sent to the bot upon successful data theft. A code example is as follows:

Code snippet for data submission

Compared to sending data via email, using a Telegram bot provides phishers with stronger functionality, which is why this method is becoming increasingly popular. Data is transmitted to the bot in real-time, and the operator is notified immediately. Attackers often use disposable bots, which are harder to track and ban. Furthermore, its performance does not depend on the quality of the phishing page hosting service.

Automated Admin Panels

More sophisticated cybercriminals use specialized software, including commercial frameworks like BulletProofLink and Caffeine, often provided as "Platform as a Service" (PaaS). These frameworks provide a web interface (dashboard) for phishing campaigns, facilitating centralized management.

All data collected by the phishing pages controlled by the attacker is aggregated into a unified database and can be viewed and managed through their account interface.

Sending data to the administration panel

These admin panels are used to analyze and process victim data. Specific functions vary depending on the panel's customization options, but most dashboards typically have the following capabilities:

  • Real-time statistics classification: View the number of successful attacks by time, country, and support data filtering
  • Automatic verification: Some systems can automatically verify the validity of stolen data, such as credit card information or login credentials
  • Data export: Support downloading data in various formats for subsequent use or sale

Example of an administration panel

Admin panels are a key tool for organized cybercrime groups.

It is worth noting that a single phishing campaign often employs multiple data collection methods simultaneously.

Data Types Coveted by Cybercriminals

The data stolen in phishing attacks varies in value and purpose. In the hands of criminals, this data is both a means of profit and a tool for carrying out complex multi-stage attacks.

Based on their use, stolen data can be divided into the following categories:

  • Immediate Monetization: Directly selling raw data in bulk, or immediately stealing funds from the victim's bank account or e-wallet
  1. Bank card information: Card number, expiration date, cardholder name, CVV/CVC code
  2. Online banking and e-wallet accounts: Login name, password, and one-time two-factor authentication (2FA) verification codes
  3. Accounts linked to bank cards: Login credentials for online stores, subscription services, or payment systems like Apple Pay/Google Pay
  • Used for subsequent attacks for further monetization: Using stolen data to launch new attacks for more gains
  1. Credentials for various online accounts: Usernames and passwords. It is worth noting that even without a password, just the email or phone number used as a login name has value to attackers
  2. Phone numbers: Used for phone scams (such as tricking users into giving 2FA codes) or phishing via instant messaging apps
  3. Personal Identifiable Information (PII): Full name, date of birth, address, etc., often used for social engineering attacks
  • Used for targeted attacks, extortion, identity theft, and deepfakes
  1. Biometric data: Voice, facial images
  2. Scanned copies and numbers of personal documents: Passport, driver's license, social security card, taxpayer identification number, etc.
  3. Selfies with documents: Used for online loan applications and identity verification
  4. Corporate accounts: Used for targeted attacks against businesses

We analyzed phishing and scam attacks that occurred between January and September 2025 to determine the data types most frequently targeted by criminals. The results showed: 88.5% of attacks aimed to steal various online account credentials, 9.5% targeted personal identity information (name, address, date of birth), and only 2% focused on stealing bank card information.

Selling Data on the Dark Web Market

Apart from being used for real-time attacks or immediate monetization, most stolen data is not used immediately. Let's take a deeper look at its flow path:

1. Data Packaged for Sale

After being consolidated, data is sold on dark web markets in the form of "data dumps"—compressed packages often containing millions of records from various phishing attacks and data breaches. A data dump may sell for as low as $50. The main buyers are often not active scammers, but dark web data analysts, the next link in the supply chain.

2. Classification and Verification

Dark web data analysts filter the data by type (email accounts, phone numbers, bank card information, etc.) and run automated scripts for verification. This includes checking the validity of the data and its potential—for example, whether a set of Facebook account passwords can also log into Steam or Gmail. Since users tend to use the same password on multiple websites, data stolen from a service years ago may still be applicable to other services today. Verified accounts that can still log in normally are sold at a higher price.

Analysts also correlate and integrate user data from different attack incidents. For example, an old social media leaked password, login credentials obtained from a phishing form impersonating a government portal, and a phone number left on a scam website may all be compiled into a complete digital profile of a specific user.

3. Sale on Specialized Markets

Stolen data is usually sold through dark web forums and Telegram. The latter is often used as an "online store," displaying prices, buyer reviews, and other information.

Offers of social media data, as displayed in Telegram

Account prices vary greatly, depending on many factors: account age, balance, linked payment methods (bank card, e-wallet), whether two-factor authentication (2FA) is enabled, and the popularity of the service platform. For example, an e-commerce account linked to an email, with 2FA enabled, a long usage history, and a large number of order records, will be sold at a higher price; for game accounts like Steam, expensive game purchase records increase their value; and online banking data involving high-balance accounts from reputable banks commands a significant premium.

The table below shows examples of prices for various types of accounts found on dark web forums as of 2025*.

4. High-Value Target Screening and Targeted Attacks

Criminals pay particular attention to high-value targets—users who hold important information, such as corporate executives, accountants, or IT system administrators.

Here is a possible scenario for a "whaling" attack: Company A has a data breach containing information on an employee who previously worked there and is now an executive at Company B. The attackers use Open Source Intelligence (OSINT) analysis to confirm that the user is currently employed at Company B. They then carefully forge a phishing email that appears to be from the CEO of Company B and send it to the executive. To enhance credibility, the email even cites some facts about the user from the previous company (of course, the attack methods are not limited to this). By lowering the victim's vigilance, criminals have the opportunity to further infiltrate Company B.

It is worth noting that such targeted attacks are not limited to the corporate sphere. Attackers may also target individuals with high bank account balances, or users holding important personal documents (such as those required for micro-loan applications).

Key Takeaways

The flow of stolen data is like an efficiently operating pipeline, with each piece of information becoming a commodity with a clear price tag. Today's phishing attacks widely use diverse systems to collect and analyze sensitive information. Once data is stolen, it quickly flows into Telegram bots or the attacker's admin panels, where it is then classified, verified, and monetized.

We must be清醒地认识到清醒地认识到 (clearly aware): Once data is leaked, it does not disappear into thin air. On the contrary, it is constantly accumulated, integrated, and may be used months or even years later to carry out targeted attacks, extortion, or identity theft against the victims. In today's online environment, staying vigilant, setting unique passwords for each account, enabling multi-factor authentication, and regularly monitoring one's digital footprint are no longer suggestions, but necessities for survival.

If you unfortunately become a victim of a phishing attack, please take the following measures:

  1. If bank card information is leaked, immediately call the bank to report the loss and freeze the card.
  2. If account credentials are stolen, immediately change the password for that account, and also change the passwords for all other online services that use the same or similar passwords. Be sure to set a unique password for each account.
  3. Enable multi-factor authentication (MFA/2FA) on all supported services.
  4. Check the account's login history and terminate any suspicious sessions.
  5. If your instant messaging or social media account is stolen, immediately notify friends and relatives, reminding them to be wary of fraudulent messages sent in your name.
  6. Use professional services (such as Have I Been Pwned, etc.) to check if your data has appeared in known data breach incidents.
  7. Be highly vigilant of any unexpected emails, phone calls, or promotional information you receive—they may seem credible precisely because attackers are using your leaked data.

Preguntas relacionadas

QWhat are the three most common methods for transmitting stolen data from phishing pages to cybercriminals?

AThe three most common methods are: sending to an email address, sending to a Telegram bot, and uploading to an administration panel.

QWhy are cybercriminals increasingly using Telegram bots over email for data collection?

ATelegram bots provide real-time data transmission, immediate notifications to the operator, are harder to track and block, and their performance is not dependent on the quality of the phishing page hosting service.

QWhat percentage of phishing and scam attacks from January to September 2025 aimed to steal online account credentials?

A88.5% of the attacks aimed to steal various online account credentials.

QWhat is the typical first step in the 'pipeline' of stolen data after it is collected and before it is used in new attacks?

AThe data is packaged and sold as 'dumps' on dark web marketplaces, often for as little as $50.

QAccording to the article, what is one crucial step a victim should take if their online account credentials are stolen?

AThey should immediately change the password for that account and also change the passwords for all other online services where the same or a similar password was used, ensuring a unique password for every account.

Lecturas Relacionadas

Bitcoin’s path to $80K may hinge on THIS hidden trend

Bitcoin's potential path toward $80,000 is influenced by conflicting market signals. Data shows the Coinbase Bitcoin Premium Index has recorded its longest-ever streak of consecutive negative premiums, indicating muted institutional demand or net selling from U.S. institutions. While such a trend often signals short-term weakness, it doesn't necessarily forecast a long-term bear market. Additionally, a bearish crossover occurred in Bitcoin's Net Unrealized Profit/Loss (NUPL), with its short-term average falling below the longer-term average, suggesting declining investor profitability and waning market momentum. Historically, major bear market bottoms saw the 100-day NUPL drop below zero, but this cycle it remains positive, implying either an unprecedented bottom or a further decline is needed. Currently trading around $63,148, Bitcoin has seen weekly gains but remains below its May peak. Technical indicators present a mixed picture: the MACD shows bullish momentum, while the RSI signals bearish pressure. A positive development is the return of inflows to Bitcoin ETFs after eight weeks of outflows. Analysts hold divergent views; some highlight a key liquidity zone between $48,000-$50,000 where a market bottom could form, while others maintain a more optimistic long-term outlook. Ultimately, while some bullish signs exist, a strong push from institutional investors appears crucial for Bitcoin to challenge the $80,000 level.

ambcryptoHace 5 min(s)

Bitcoin’s path to $80K may hinge on THIS hidden trend

ambcryptoHace 5 min(s)

Unexpected Weak Non-Farm Payrolls Data Pushes BTC to Rebound 11%, FOMC Minutes to Test the Narrative of This Rally

Bitcoin has rebounded 11% from its 21-month low, but the sustainability of this rally hinges entirely on the Federal Reserve's release of the June FOMC meeting minutes. The bounce was triggered by a weaker-than-expected US jobs report, which showed only 57,000 jobs added in June—about half of economists' forecasts. This data prompted traders to scale back bets on further Fed rate hikes, fueling a rally in Bitcoin alongside gold and stocks. The upcoming minutes are critical. They will reveal whether Fed officials, in their mid-June meeting, were already expressing concerns about a weakening labor market, tight credit conditions, or the risks of overtightening—factors that would support the market's recent dovish shift. Conversely, if the discussion focused on persistent inflation and the conditions for more rate hikes, the rally's foundational narrative would crumble. Market indicators show the rebound's fragility. While US spot Bitcoin ETFs saw a significant single-day inflow, it followed a prolonged period of outflows. On-chain data indicates a substantial increase in Bitcoin being moved to exchanges, creating potential sell pressure. Options market positioning suggests key price levels around $60,000 and $62,000 that could either stabilize or accelerate price movement. In essence, Bitcoin's 11% gain is built on speculation about the Fed's private deliberations three weeks ago. The FOMC minutes will replace that speculation with concrete details, and the discrepancy between market expectations and the actual record will determine whether Bitcoin holds above $64,000 or falls back toward $58,000.

marsbitHace 16 min(s)

Unexpected Weak Non-Farm Payrolls Data Pushes BTC to Rebound 11%, FOMC Minutes to Test the Narrative of This Rally

marsbitHace 16 min(s)

Just Now, The World's First Ultra-High-Frame World Model Was Born, Nvidia Content 0, Racing to 50 FPS

Just Now, Global First Ultra-High-Frame World Model Born, 0% NVIDIA, Speeds to 50 FPS A Chinese team has developed MoWorld, the world's first Flash World Model, achieving real-time interactive inference exceeding 50 FPS. Crucially, it is entirely built on domestic NPUs (National Processing Units), bypassing NVIDIA GPUs. Developed by Moxin Technology in collaboration with Zhejiang University's Pan Yunhe academician team, MoWorld represents a complete, closed-loop system from training and distillation to deployment on domestic computing power. The model tackles the critical industry bottleneck of real-time performance, essential for applications like robotics, gaming, and digital worlds. MoWorld achieves this through a full-stack redesign for NPUs, including a proprietary 3D-annotated data pipeline, system-level optimizations for long-sequence training (up to 2000 frames), and inference optimizations like dynamic mixed-precision quantization. On a Huawei Ascend 910C platform, a 14B MoE parameter model achieves over 50 FPS, reducing typical inference costs by 70% compared to equivalent GPU solutions. This breakthrough lowers the deployment barrier, potentially accelerating the industrialization of world models. Key application areas include gaming/entertainment (offering 6-DoF camera control for immersive exploration), embodied AI/autonomous driving (providing a high-fidelity digital training ground), film pre-visualization, and 3D reconstruction/digital twins due to its strong geometric consistency. MoWorld demonstrates that a full-stack domestic compute ecosystem can support cutting-edge, real-time world models, positioning China at a competitive starting line in defining next-generation spatial intelligence standards. The project underscores a shift in competition from model scale to real-world usability and cost-effective deployment.

marsbitHace 53 min(s)

Just Now, The World's First Ultra-High-Frame World Model Was Born, Nvidia Content 0, Racing to 50 FPS

marsbitHace 53 min(s)

Pacific 'Fever': How Extreme Weather Becomes Wall Street's Cash Machine?

"Pacific Fever": How Extreme Weather Becomes Wall Street's ATM? The summer of 2026 sees unusually fierce weather across China and globally. The common driver behind this global pattern is a powerful El Niño event, potentially the strongest since 1950, as declared by NOAA. This phenomenon, characterized by warming central/eastern Pacific waters, disrupts global atmospheric circulation, raising risks of floods, droughts, and heatwaves, further intensified by climate change. For financial markets, especially commodities, El Niño is not just weather but a major trading theme. History shows its price impact is profound. In the 1970s, El Niño-driven anchovy collapse in Peru fueled a soybean boom, giving Richard Dennis his first million. Anthony Ward's cocoa empire was built on superior weather intelligence. Most recently in 2024, West African droughts caused cocoa prices to soar over 400%, delivering huge gains for trend-following hedge funds. In 2026, markets are again pricing in future El Niño-induced supply shocks. Despite high current inventories, prices for palm oil, rubber, and sugar have rallied on anticipation of upcoming Southeast Asian droughts and weak Indian monsoons. Analysts identify key indicators to watch: the Niño3.4 index, Indian monsoon rainfall, Malaysian palm oil stocks, and the fundraising scale of specialized weather funds like Moreton Capital. Beyond trading opportunities, a concerning narrative is gaining traction online, linking El Niño with fertilizer shortages and energy supply disruptions to warn of potential global food crises within months. While alarmist, it highlights a deeper truth: the cascading effects of climate-driven weather extremes ultimately translate into higher costs of living for everyone, far beyond the trading floor.

marsbitHace 57 min(s)

Pacific 'Fever': How Extreme Weather Becomes Wall Street's Cash Machine?

marsbitHace 57 min(s)

Pacific 'Fever': How Extreme Weather Becomes Wall Street's ATM?

"Pacific 'Fever': How Extreme Weather Becomes Wall Street's Piggy Bank" The article examines how the 2026-2027 El Niño, potentially the strongest since 1950, is not only disrupting global weather but also creating major financial opportunities. It links recent extreme events in China and worldwide to this climate phenomenon, which alters atmospheric patterns, increasing risks of floods, droughts, and heatwaves. The core narrative explores how financial markets capitalize on these disruptions. A hedge fund is raising $500 million specifically to bet on El Niño-affected crops like South African corn and Malaysian palm oil. Historically, such strategies have yielded massive profits. Examples include Richard Dennis ("Turtle Trader") making his first fortune in the 1970s soy boom triggered by El Niño's impact on Peruvian anchovies (a key fishmeal source), and Anthony Ward's cocoa empire built on superior weather intelligence. The 2024 cocoa price surge, driven by West African drought, enriched quantitative trend-following funds. Currently, markets are preemptively bidding up palm oil, rubber, and sugar futures based on anticipated future supply shocks, despite high current inventories. The article details El Niño's asymmetric global impacts: causing drought in Southeast Asia (hurting palm oil/rubber) and India (affecting sugar/cotton), but bringing beneficial rains to South American soy and sugarcane. Key metrics to watch include the Niño3.4 index, Indian monsoon data, and Malaysian palm oil stocks. The true price effects often materialize *after* the El Niño peaks, suggesting 2027 may see the real volatility. The conclusion warns that beyond trading gains, the convergence of El Niño, energy shortages, and fertilizer scarcity poses a systemic risk, potentially raising the cost of living for everyone, turning a climate event into a global economic story.

链捕手Hace 1 hora(s)

Pacific 'Fever': How Extreme Weather Becomes Wall Street's ATM?

链捕手Hace 1 hora(s)

Trading

Spot
活动图片