Stolen crypto accounts trade for $105 on the dark web

Stolen crypto accounts sell on the dark web for an average price of $105. The data is collected from phishing attacks and is considered the first step in a complex supply chain of thievery.

The price of a single crypto account ranges between $60 and $400, according to SecureList. Hackers capture crypto data, monetize it immediately, or keep it in a database. The final destination depends on the type and quality of the captured data.

How stolen crypto data leaves phishing sites

The captured crypto data leaves a phishing page in three ways: email delivery, Telegram bot delivery, or admin panel upload.

The attackers also abuse legitimate services to hide their activity. These include Google Forms, Microsoft Forms, GitHub, Discord, and other similar platforms.

In email delivery, the data is collected from fake HTML forms and then sent to a server-side script, usually PHP. The script then forwards the stolen details to an attacker-controlled email address.

A phishing kit has a file to host the fake login page, a script to process the form, and a third file containing the attacker’s email address. However, email delivery is declining because of delays, provider blocking, and poor scalability.

Instead of email, many kits now send data directly to Telegram bots. The malicious script calls the Telegram API using a bot token and chat ID. Sometimes the API call is embedded directly in the HTML code.

Telegram has become a preferred channel for hackers. Stolen data arrives instantly. Operators get real-time alerts. Bots are disposable and hard to trace. And hosting does not matter much.

Advanced attackers prefer admin panels. They are part of a framework or a skeleton that captures crypto data and sends it to a database. The attacker manages the data via a web interface.

Admin panels provide live stats by time and country. Automated checks for credentials are included. The framework also exports data for resale or reuse. These panels are essential for organized phishing operations.

Selling stolen crypto data

Crypto data is valuable because it often leads to funds. The stolen data could be sold in real time or enter a resale pipeline, according to Kaspersky’s SecureList.

Hackers go after exchange logins, wallet access, and fiat onramp accounts. Other targeted data includes account credentials, phone numbers, and personal details.

Wallet logins with one-time codes or accounts linked to fiat onramps qualify for real-time sales. The remaining data is used for follow-up attacks.

Phone numbers could be used for SMS scams or 2FA interception. Personal data is utilized for social engineering. Identification documents, voice, facial data, or selfies with documents are used for high-risk abuse.

The resale pipeline starts with dump sales. Data is bundled into large archives or dumps. These contain millions of records from phishing attacks. Middlemen buy dumps for as low as $50.

Once a dump is acquired, middlemen filter and test the data. Then, automated scripts check whether credentials still work or not. The code also sees where else they can be reused.

Password reuse makes old data valuable. A login stolen years ago can still unlock a different account today. Then, the data from multiple attacks is merged. A password, phone number, and old employer record can create a single user profile.

Once the stolen data is cleaned and organized, it’s ready for resale to scammers. The verified data is sold on dark web forums and Telegram channels.

Telegram often acts as a storefront with pricing and buyer feedback. Prices vary based on account age, balance, linked payments, and 2FA status.

Typical price ranges:

• Crypto accounts: $60 – $400.

• Social media: cents to hundreds of dollars.

• Messaging apps: cents to $150.

• Personal documents: $0.5–$125.

Kaspersky’s analysis showed that 88.5% of attacks target account credentials. Around 9.5% steal personal identity data, while a mere 2% collect bank card details. The cybersecurity firm analyzed phishing attacks from January to September 2025.

Stolen crypto data is a valuable asset to cybercriminals. It is stored, evaluated, traded, and reused. One phishing mistake can lead to major crypto hacks, even years later.

The smartest crypto minds already read our newsletter. Want in? Join them.