Report: Stolen crypto accounts sell for average $105 on dark web via phishing and Telegram

Published: 2025-12-28 23:56:37 |

A SecureList analysis (Jan–Sep 2025), cited by multiple outlets, finds stolen cryptocurrency accounts sell on dark-web markets for an average of $105, with prices typically from $60 to $400 depending on account balance, age, linked payment methods and 2FA status. Phishing is the dominant entry vector: 88.5% of observed operations targeted credentials. Stolen credentials and related data (exchange logins, wallet access, fiat on/off‑ramp details) are exfiltrated through three main channels — email forwarding, Telegram bots (favoured for real‑time, disposable, hard‑to‑trace delivery) and attacker admin panels that enable scale, automated validation, geo/time filters and exports. Cybercriminals monetize data either by instant flips or via resale pipelines: low‑cost bulk dumps are sold to middlemen who run validation scripts, exploit password reuse, enrich profiles and list verified accounts on dark‑web forums and Telegram storefronts. High‑value items (wallet access, one‑time codes, fiat rails) fetch up to ~$400. The report highlights growing professionalisation of phishing operations and Telegram’s central role in distribution. For crypto traders, the main operational risks are direct account loss and increased sell pressure from large-scale liquidations of compromised holdings; recommended mitigations include hardware wallets, unique strong passwords, and multi‑factor authentication to reduce compromise risk and downstream market impacts.

Bearish

The report increases short-term downside risk for affected crypto assets because compromised exchange accounts and wallet access can lead to rapid, unplanned sell-offs as attackers or resale buyers liquidate stolen holdings. Bulk dumps and middleman validation pipelines enable faster conversion of stolen tokens to fiat or other assets, increasing immediate supply pressure. Traders may react by lowering bids and increasing sell-side liquidity for coins known to be targeted, especially assets with high on‑ramp/off‑ramp activity. Longer term the impact is neutral-to-moderately negative: improved security practices (hardware wallets, 2FA, unique passwords) and platform improvements can reduce successful thefts and limit market effects, while persistent professionalisation of phishing and Telegram-based distribution sustains elevated operational risk. Overall, expect acute short-term selling pressure on compromised assets, with limited lasting price damage if exchanges and users tighten security and compromised coins are traced or frozen.