SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Kaspersky reports 135% rise in crypto-drainer discussions

Yesterday

Research by Kaspersky has identified a significant rise in dark web discussions about crypto-drainers, a form of malware, with the number of related threads increasing by 135% between 2022 and 2024.

According to Kaspersky's findings, crypto-drainers are designed to execute fraudulent transactions in order to steal digital currency. The methods used by these drainers include fake airdrops, phishing websites, malicious browser extensions, deceptive advertising, malicious smart contracts, and counterfeit NFT marketplaces.

The surge in dark web discussions is a stark indication of the growing interest among cybercriminals in deploying such malware. "In light of this trend, the interest of cybercriminals in crypto-drainers and related attacks is likely to grow further in 2025," stated Alexander Zabrovsky, a Security Expert at Kaspersky Digital Footprint Intelligence. He continued, "This means crypto enthusiasts need to be more vigilant than ever, adopting robust crypto security measures. Meanwhile, companies should focus on educating their customers and employees while actively monitoring their online presence to reduce the risk of successful attacks."

Zabrovsky also noted that the adoption of social engineering tactics by cybercriminals often involves exploiting well-known wallet and exchange brands to trick victims into providing wallet information or authorising fraudulent transactions. He said, "Regularly searching for brand mentions on search engines, social media, and marketplaces is essential. If any phishing or fraudulent sites are identified, they can be taken down promptly, preventing potential victims from falling prey to these scams. Utilizing dedicated tools can greatly enhance this monitoring process."

In addition to the rise in crypto-drainer activity, Kaspersky reported a 40% increase in the advertisement of corporate databases on dark web forums. These observations point to a broader pattern, with cybercriminals showing increasing interest in data breaches and leaks. Kaspersky's experts suggest that while some of these advertisements might be for older leaks, there is a clear focus on distributing both new and old leaked data.

"Not every advertisement of a data breach on the dark web stems from a genuine incident," warned Zabrovsky. "Some 'offers' may simply be well-marketed materials. For example, certain databases might combine publicly available information or previously leaked data, presenting it as breaking news. By making such claims, cybercriminals can generate publicity, create buzz, and tarnish the reputation of the targeted company simply by announcing a data breach. This underscores the growing importance of monitoring corporate mentions and assets on the dark market, allowing for proactive defence and immediate response."

The research also indicates a shift in the cybercriminal landscape, with movements from platforms like Telegram back to forums, enhanced law enforcement actions, and increased interest in Malware-as-a-Service. This shift may lead to smaller ransomware groups that are harder to detect, potentially expanding the market for stolen data on shadow forums.

Kaspersky experts also warn of an escalating threat environment in the Middle East, where hacktivism may continue to rise due to ongoing geopolitical tensions. Ransomware attacks in the region are predicted to increase, as demonstrated by a rise in the number of victims from 28 per half-year in 2022-2023 to 45 in the first half of 2024.

To combat these threats, individuals are advised to employ comprehensive security solutions, while businesses should actively monitor the dark web for indications of threats to their corporate assets. Kaspersky Digital Footprint Intelligence has devised a playbook to assist organisations in responding to dark web activities involving their entity.
