40 Days in Deep/Dark Web About Crypto Scam

40 days in crypto scam
  • Forward
    • About document
  • Summary of finding
  • Tools
    • Fake Transaction Generator
    • Market drainer
    • Nocryi Logs
    • BradMax Logs
    • Baron Cloud Logs
    • Fate Cloud Logs
    • Log Checker
    • Magnus Ransomware
    • Brute Force Seed Key
    • Log Checker
    • Wallet_dat_net
    • Venom rat
    • Redline 
  • Abbrv.
  • Market drainer
  • Auto transfer
  • Crypto base
  • Mixed log
  • Fake transaction
  • Seed key crack
  • RAMP
  • Auto-withdrawal


Last year ransomware scammed more than 100 billion dollar from various organizations and users. We decide in this document research methods from seller to end client.

This report was made by the Hadess and data comes from various sources such as: Dark Web , Deep Web Forums, Sellers and Websites.

Summary of finding


Wallet Drainer

Methods of scam for earn crypto such as: Honney pot smart contract on bsc network, fake nft mint page, Metamask drainer page.

Auto transfer

Phishing system can be transfer crypto from victim wallet to attacker wallets, for example Coinbase Auto Transfer System Phishing can be transfer your conibase crypto to other wallet

Crypto base

Mixed mail/pass of exchange account can be used in auto-transfer for withdrew without any limitation

Mixed log

Lot of log included personal information, files, wallet address, wallet private/seed key, …

Fake transaction

Scam transfer crypto that confirm in one of confirmation stages and rollback after 12h till 2 week

Private/Seed Key Reverse

Methods for reverse wallet address and auto-transfer with private key or seed key.


Forums about ransomware as a service(raas).


Fake Transaction Generator

This tool generates fake bitcoin transactions and stays for 07-28 days depends on the blockchain network and license Type.

Price: £ 499.99 – £ 4,999.99

Market drainer

Honney pot smart contract on bsc network – price: 500$

fake nft mint page – price: 2000$

Metamask drainer page – price: 4000$

Nocryi Logs

Complete informative logs: cookies, authentications, sessions, victim information (hardware), Discord tokens, autocomplete and much more.

BradMax Logs

Complete informative logs: cookies, authentications, sessions, victim information (hardware), Discord tokens, autocomplete and much more.

Baron Cloud Logs

Complete informative logs: cookies, authentications, sessions, victim information (hardware), Discord tokens, autocomplete and much more.

Fate Cloud Logs

Complete informative logs: cookies, authentications, sessions, victim information (hardware), Discord tokens, autocomplete and much more.

Log Checker

 automatically search for keywords in mail access for yahoo / gmail!

Services Cookies Checker: Youtube , Netflix , Gmail , Instagram , Facebook , Yahoo , Steam , Coinbase , Amazon , Binance

All services come with capture like balance,items…


buy a Bitcoin core wallet.dat file with a lost or forgotten password

Magnus Ransomware

Magnus Ransomware its a sofisticated ransomware which can bypass any anti virus as malwarebites, avast, bitdefender… If it detect it doesnt even do anything because It disable any anti virus or program so its so dificult to dont get hacked.

Step 1- Disable AV

Step 2- Disable startup apps

Step 3- Encrypt all types of files as:


Step 4- Create a Readme.txt file which gives you all steps to unencrypt all files

Step 5- If the person paid then the attacker will send the desencryption software

Step 6- Enjoy the money 🙂

Venom rat

Venom RAT + HVNC: Remote Desktop, Online/Offline logger, Password Recovery, Clone profile, Download Execute 3 methods(Memory, Disk, URL)


Collects from browsers(Login and passwords, Cookies, Autocomplete fields, Credit cards), Collection of data from FTP clients, IM clients, Customizable grabber file according to the criteria: Path, Extension, Search in subfolders (can be configured for the desired cold wallets, steam, etc.), Create/Edit tasks:

a) Download – download a file via a direct link to the specified path

b) RunPE – inject a 32-bit file downloaded from a direct link into another file that you specify

c) DownloadAndEx – downloading a file via a direct link to the specified path with subsequent launch

d) OpenLink – open link in default browser


Collection of Steam files, Collecting Telegram Desktop, passwords, cookies and autofill, File grabber with very fine tuning and support for shortcuts, The loader supports .EXE / .DLL / .BAT files as well as running commands (CMD) and Powershell, Almost all existing cryptocurrency desktop wallets, Recursive collection of Core wallets (.dat), Panel in *.onion zone

The story of steal wallet

Cryptocurrencies are a popular target for hackers because crypto transactions are pseudonymous and typically irreversible. This makes it challenging to associate stolen crypto with the real-world identity of the hacker and essentially impossible to reverse nefarious transactions.

We have multiple scenario when wallet is compromised for example

90% malware

20% other

Malware and Stealer

Campaign Based

In this method for any service or hot exploitation(CVE-2021-40444) run campign for comromise users and drop malware.


Broadcast malware to users with website(download for free anything), document(docx, xlsx, …)

Stealer Cloud Log

Lot of malware have leakage in server side and in dark/deep web seller sell it.

For example Nocryi Logs sell redline stealer such as below


run campaign for compromise users and drop malware.

For example run binance method for binance breached ids document and drop malware to victims

Fake Airdrop

Scammers will use free airdrop events with posters or links to promote in the community. If the user scans the code, enters the website and approves to receive airdrop tokens. After approval, the scammers obtain permission to transfer away user assets easily. 

Fake QR Code

Fake QR code scam refers to that fraudsters use fake QR codes to let users perform operations such as approval. Usually, the user will enter the transfer interface or phishing pages after scanning the code. Actually, this transfer operation is an approval process. If the user clicks “Approve”, the fraudster will obtain permission to transfer the asset, which leads to the loss of the asset. 

Phishing App

The scammer will develop Apps that are highly similar to the official App. When the user creates or imports a wallet, the data will be recorded and synchronized to the scammer’s specific server. As a result, users have a great risk of being stolen by scammers.

Phishing Website

“Phishing website” refers to a fake website used to deceive users. Its page is basically the same as the real website. Scammers use fake sites to deceive and steal users’ private keys or mnemonics. In general, Phishing websites have only one or a few pages, which are slightly different from real websites. They usually spread fake giveaways/airdrops, or impersonate official supports, or other means on communities to attract users to use their fake websites. 

Fake Token

Scammers counterfeit tokens by using similar token names and symbols, and then they will exchange for real tokens that are well-known tokens. The main victims are mostly new users since users who get familiar with the blockchain can judge a token by checking the contract address of the token, such as the common USDT, ETH, BTC, etc. 

Fake Customer Service

Most people will contact customer service for help when there are some problems that need to be solved. At this time, scammers get the chance to impersonate official supports. Usually, they have the same name and logo (not ture) with the official supports and then hide in the various communities/groups. Once users send their issues on the group, these scammers will send messages to users privately attached unknown links/QR codes to fraud users’ private key or mnemonic.

DApp Approval

When it comes to currency exchange in the DEX platform, the approval step will be used. Only after the first operation of “Approve“ can the swap be performed, and this is only one of the application scenarios. 

Since the “Approve” operation essentially grants the exercise authority of part of your token to another address or smart contract address, scammers will use codes or links to maliciously let users perform “Approve” operations. For example, users may receive airdrop tokens attached memo and link, noted that the airdropped tokens can be exchanged for other tokens. If the user opens the link and executes the exchange, they will fall into the trap that maliciously approves Dapp. As a result, the user’s assets will be transferred by the Dapp easily.

Have I Been Pwned

find out if your account has been hacked may be recently your email or exchange account or wallet compromised.


Please check your email in intelx like as this


Wallet Address

Please search wallet address in intelx(BTC, ETH)


Important Files

Please calculate wallet.dat file checksum and search in intelx


Related Content




Sign up now to receive the latest notifications and updates from Hadess.

Sign up for News & Communications

Do you want quick & free cyber-security analysis of your application?

Secure your entire workforce, including remote employees.