A threat actor operating on the dark web forum “Knox” has allegedly aggregated a staggering 13.5 million records from eight cryptocurrency-related breaches, marking one of the largest coordinated data compilations of 2025.
The dataset, dubbed “Have I Been Drained,” reportedly includes sensitive information from platforms such as Binance US, Gemini, CoinMarketCap, and Nexo, exposing users to heightened risks of financial fraud and identity theft.
Breach Overview
The compromised data spans 10.7 million unique email addresses, full names, phone numbers, physical and IP addresses, Ethereum wallet details, KYC (Know Your Customer) verification statuses, and transaction histories.

Platforms implicated in the compilation include:
- Cointracker (portfolio management)
- Chainlink (blockchain oracle services)
- Coinmine (mining hardware)
- Tokensoft (tokenization infrastructure)
The threat actor claims the data was aggregated over several months, exploiting vulnerabilities in API endpoints and third-party vendor systems.
Notably, the inclusion of KYC statuses and transaction amounts suggests attackers could bypass authentication protocols or orchestrate sophisticated phishing campaigns.
Technical Analysis
Dark web markets like “Knox” often employ crawlers built with frameworks like Scrapy and Selenium to automate data collection from forums and vendor listings.
This breach aligns with trends observed in February 2025, where threat actors increasingly targeted decentralized finance (DeFi) platforms—such as the $9.5 million zkLend heist caused by a smart contract rounding error.
The aggregation of data across multiple breaches amplifies risks:
- Cross-platform exploitation: Attackers can correlate email addresses, wallet IDs, and transaction histories to hijack accounts or drain funds.
- KYC bypass: Fraudsters may misuse verified identities to create synthetic identities or bypass exchange security.
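An added example (not from the article or any of the named platforms) of the defender-side counterpart to this correlation: breach-notification triage that normalizes email addresses across dumps, counts unique mailboxes the way the 10.7 million figure above is derived from 13.5 million records, and tiers users by how completely the combined profile exposes them. The record layout, platform names, addresses and risk tiers are assumptions; the sample records are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Record:
    source: str               # breached platform the record came from (assumed layout)
    email: str
    wallet: Optional[str]     # Ethereum address, if the dump carried one
    kyc_verified: bool

def normalize_email(email: str) -> str:
    """Lower-case and strip so the same mailbox matches across dumps."""
    return email.strip().lower()

def correlate(records):
    """Group records by normalized email and merge what each dump exposes."""
    profiles = defaultdict(
        lambda: {"sources": set(), "wallets": set(), "kyc_verified": False})
    for r in records:
        p = profiles[normalize_email(r.email)]
        p["sources"].add(r.source)
        if r.wallet:
            p["wallets"].add(r.wallet.lower())
        p["kyc_verified"] |= r.kyc_verified
    return dict(profiles)

def risk_tier(profile):
    """Tier by how much of a target picture the merged profile completes (assumed scheme)."""
    cross_platform = len(profile["sources"]) > 1
    if cross_platform and profile["wallets"] and profile["kyc_verified"]:
        return "high"      # verified identity + funds + several platforms to pivot across
    if cross_platform or profile["wallets"]:
        return "medium"
    return "low"

def summarize(records):
    """Notification-ready summary: raw record count, unique mailboxes, tier per user."""
    profiles = correlate(records)
    tiers = {email: risk_tier(p) for email, p in profiles.items()}
    return {"records": len(records), "unique_emails": len(profiles), "tiers": tiers}
# Constructed sample records (not real data); emails and wallets are placeholders.
SAMPLE = [
    Record("ExchangeA", "Alice@example.com", "0xAbC0000000000000000000000000000000000001", True),
    Record("PortfolioB", "alice@example.com ", None, False),
    Record("OracleC", "bob@example.com", None, False),
    Record("ExchangeA", "carol@example.com", "0x0000000000000000000000000000000000000002", False),
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The same mailbox written with different case or trailing whitespace collapses to one profile, which is why the unique-email count comes out below the record count.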
Industry Context
This incident follows a surge in ransomware and dark web activity in early 2025.
For example:
- The Hive ransomware group directly extorted Knox College students by threatening to leak medical and financial records.
- Over 1.3 million user records from the Stalker Online game were sold on dark web marketplaces, with passwords stored as salted MD5 hashes—a weak hashing algorithm easily cracked with modern tools.
Cryptocurrency platforms remain prime targets due to the pseudonymous nature of transactions and high-value assets.
The use of Monero (XMR)—a privacy-focused cryptocurrency—by dark web markets complicates blockchain analysis, as noted in studies of illicit transactions.
Mitigation and Response
Affected users are advised to:
- Reset passwords and enable multi-factor authentication (MFA) on all cryptocurrency accounts.
- Monitor Ethereum wallets for unauthorized transactions using blockchain explorers like Etherscan.
- Freeze credit reports to prevent identity theft via exposed KYC data.
Platforms like Binance US and Gemini have yet to confirm the breach’s authenticity.
However, historical precedents—such as the Equifax breach caused by expired SSL certificates and poor network segmentation—highlight the need for rigorous vulnerability management and zero-trust architectures.
Expert Insights
Cybersecurity analysts speculate the aggregation aims to maximize profitability. By compiling fragmented datasets, the threat actor increases the data’s market value on forums like “Knox,” where buyers often seek comprehensive profiles for targeted attacks.
As one researcher noted, “This isn’t just a breach—it’s a Frankenstein dataset designed to exploit trust across ecosystems.”
Authorities, including the FBI’s Cyber Division, are likely investigating ties to groups like Hive, which pioneered direct-to-victim extortion tactics in 2022.
Meanwhile, the lack of immediate data leaks on “Knox” suggests ongoing negotiations, a common strategy to pressure organizations into paying ransoms.
The “Have I Been Drained” compilation underscores systemic vulnerabilities in cryptocurrency infrastructure and the dark web’s role as a data brokerage hub.
With blockchain analytics firm Chainalysis reporting a 40% YoY rise in crypto-related crimes, the incident serves as a stark reminder for platforms to adopt hardened API security, behavioral biometrics, and real-time threat intelligence integrations.
For users, vigilance and proactive security measures remain the strongest defense against an increasingly audacious cybercriminal ecosystem.