- More than 18 million crypto user records are reportedly for sale on the darknet.
- The database is said to include names, phone numbers, physical addresses, and emails.
- The data was allegedly collected from top platforms, including Binance, Coinbase, and others.
- None of the named platforms has officially acknowledged a breach.
- The seller is asking only $10,000 for the entire database.
More than 18 million crypto user records are reportedly for sale on the darknet, allegedly including users of top platforms such as Binance, Coinbase, Kraken, Gemini, Crypto.com, Bitfinex, and others. None of the platforms has acknowledged a breach, and how such a large volume of user data could have been obtained remains unknown. It is not even established that the seller actually has the data, yet the asking price is only $10,000.
More on the Alleged Leak of 18 Million Records
Let's start with why I'm carefully calling this an alleged leak. Formally speaking, we have no confirmation from any of the listed platforms that a breach occurred on their side, nor any other evidence (such as a verified sample of the records) that the seller actually possesses this data. All we have so far is a post on X describing the contents of the alleged database and naming its price.
🚨🇺🇸 Alleged U.S. Crypto Database Leak – 18M+ Records
A threat actor is allegedly selling a large U.S.-based cryptocurrency user database, sourced from multiple exchanges and platforms.
🔹 Total: 18M+ lines across 20+ services
🔹 Price: $10,000
🔹 Fields: name, email, phone,… pic.twitter.com/s2DFdDV84n
— Dark Web Informer – Cyber Threat Intelligence (@DarkWebInformer) April 14, 2025
The key detail here is that it is described as a U.S.-based cryptocurrency user database, reportedly covering top platforms such as Binance, Coinbase, Kraken, Gemini, Crypto.com, Bitfinex, Coinmama, eCoin, BearTax, as well as CoinMarketCap, Robinhood, and Ledger, totaling more than 18 million lines across 20+ services.
But I'm also not claiming the opposite: that no leak occurred, that the seller doesn't have the data, or that it isn't being sold. Breaches of various kinds in the crypto industry have been rising steadily, since the payoff for a successful attack is high and provides a strong incentive.
As we've seen before, this could be yet another case where an attack on the service itself wasn't necessary. It may have been enough to compromise users' devices, as with the Atomic and Exodus wallet incidents, or a third-party service, possibly combined with social engineering, as with Bybit, and suddenly account data is exposed. A single dataset spanning 20+ unrelated services also points to aggregation rather than a breach of any one platform, and at least one of the named companies, Ledger, already had customer contact data exposed in a 2020 incident, so some of these records could simply be repackaged from older leaks. Still, I would raise one critical question: why so cheap?
The scale of the work involved is, to say the least, substantial. And if the database really does consist mostly of U.S.-based cryptocurrency users, those are some of the most financially attractive targets. Yet the seller is willing to part with it for $10,000 rather than exploiting it directly, or at the very least asking a much higher price?
My personal opinion is that I find this a bit suspicious, and I see a few hypothetical scenarios here.
First, this could be a case of one attacker trying to profit off other attackers rather than targeting platforms or users, as in more traditional schemes.
Second, this could well be a honeypot: something designed to exploit a malicious actor's greed and lead straight to law enforcement. After all, no regular user is likely to buy such a thing, and anyone who does is committing a crime simply by purchasing stolen personal data.
Conclusion
My assumptions may be wrong, and my suspicion may turn out to be unnecessary. We could indeed be dealing with a massive leak, and the seller might be offering it cheaply for unknown, personal reasons.
We'll wait for official statements from all the mentioned platforms and hope they conduct thorough audits of their systems and share more information.
But ultimately, our security is always our own responsibility; it cannot be entirely outsourced. The fields listed in the offer (name, email, phone, physical address) are exactly what is needed for targeted phishing and SIM-swap attacks, so treat any unsolicited message or call that references your exchange account as suspicious, prefer app- or hardware-based two-factor authentication over SMS, and never share seed phrases or one-time codes with anyone. Beyond using secure wallets, use them correctly. And choose platforms that undergo regular audits and maintain reserves sufficient to resume operations promptly and absorb losses without affecting users, as Bybit did, for example.