-
Stolen virtual asset accounts are on sale across the unindexed internet (dark web) priced at $105.
-
Bad actors harness the power of email, bots on Telegram, or admin panels to gather, steal, and trade the stolen data.
-
A single phishing mistake can lead to major hacks years later as criminals reuse and resell old credentials.
Your crypto account might be worth more than you think. To hackers, at least. A new analysis reveals that stolen cryptocurrency accounts fetch an average of $105 on dark web marketplaces.
The data comes from phishing attacks and represents just the first step in a sprawling criminal supply chain. A report from SecureList revealed that a single virtual currency account is on sale between $60 and $400.
Email Delivery and Other Routes to Steal Your Data
Captured crypto information leaves phishing sites through three primary methods: email delivery, bot delivery on Telegram, or upload to the admin panel. So, bad actors adopt modern technology to hide their footprints; GitHub, Microsoft Forms, Google Forms, Discord, the list goes on.
Email delivery leads because it facilitates fake HTML forms that transmit data to a PHP-written server-side script. Next, the script pushes the stolen credentials to an email that the bad actor manages.
However, email delivery is declining fast. Delays, provider blocking, and poor scalability have made it less attractive to criminals. Instead, many kits now send data directly to Telegram bots using the Telegram API with a bot token and chat ID. Sometimes the API call is embedded right in the HTML code.
Telegram has become the preferred channel for good reason. Stolen credentials arrive without delays. Operators receive alerts at the same time, too. Bots are disposable and nearly impossible to trace. Hosting becomes irrelevant.
The most sophisticated attackers prefer admin panels. These are complete frameworks that capture crypto data and send it to databases. The attacker manages everything through a web interface that provides live statistics by time and country. Automated credential checks are built in. The framework exports data for resale or reuse. These panels are absolutely essential for organized phishing operations.
The Resale Pipeline
Crypto data holds immense value because it often leads directly to funds. Stolen credentials can be sold in real time or enter a complex resale pipeline, according to Kaspersky’s SecureList analysis.
Hackers target exchange logins, wallet access, and fiat onramp accounts. They also grab account credentials, phone numbers, and personal details. Wallet logins with one-time codes or accounts linked to fiat onramps qualify for immediate real-time sales. Attackers save everything else for future follow‑up attacks.
Scammers use phone numbers to intercept 2FA codes or run SMS scams. Personal data fuels social engineering campaigns. Identification documents, voice recordings, facial data, and selfies with documents enable high-risk abuse scenarios.
This pipeline isn’t limited to crypto accounts; major corporate data breaches, like the recent incident involving South Korean giant Coupang, feed the same criminal ecosystems, where stolen personal information is packaged and sold on the dark web.
The resale network commences discount offers. Criminals bundle data into massive archives with millions of records from phishing attacks. Middlemen buy these discounts for as low as $50. Once acquired, they filter and evaluate everything. Automated scripts check whether stolen credentials still work and find other accounts where attackers can reuse them.
Password reuse makes even old data valuable. “A login stolen years ago can still unlock a different account today,” researchers note. Attackers merge data from multiple breaches together. A password, phone number, and old employer record combine to create a complete user profile.
Once cleaned and organized, the data is ready for resale to scammers. Verified credentials sell on dark web forums and Telegram channels. Telegram often serves as a storefront, complete with pricing and buyer feedback.
Prices vary based on account age, balance, linked payments, and 2FA status. Typical ranges include crypto accounts at $60–$400, social media accounts from cents to hundreds of dollars, messaging apps from cents to $150, and personal documents at $0.50–$125.
Kaspersky’s analysis revealed that 88.5% of attacks focus on account information. At least 9.5% collect personal ID credentials, while just 2% collect bank card details. The cybersecurity company assessed phishing incidents from January 2025 to September 2025.
Stolen crypto data isn’t just a one-time problem. Criminal networks store, analyze, trade, and reuse this data on platforms they believe are secure. However, these operations are not immune to law enforcement action, as demonstrated by high-profile seizures like the FBI takedown of a dark web domain linked to a multi-million dollar bank hijacking scheme. One phishing mistake today can lead to devastating crypto hacks years down the line. That $105 price tag on your account? To criminals, it’s just the beginning.
