ZeroFox Intelligence Flash Report - Cryptocurrency Stealer for Sale on Dark Web

by Alpha Team

Product Serial: F-2026-02-12a

TLP:CLEAR

In this Flash report, ZeroFox researchers report on an advertisement on the dark web for a malware suite that functions to replace cryptocurrency wallet applications with counterfeit versions.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Key Findings

  • On February 2, 2026, ZeroFox observed an actor using the alias “MysteryHack” advertising a malware suite called DeepLoad on the dark web forum Exploit. The actor described DeepLoad as a centralized panel for multiple types of malware; its primary function is to replace seven cryptocurrency wallet applications with counterfeit versions.
  • The actor claimed that a second DeepLoad feature, called Anti-Metamask, is designed to remove legitimate browser-based cryptocurrency wallets and replace them with fraudulent versions.
  • MysteryHack further claimed that they are developing a future DeepLoad module, which they described as an executable file that installs an unspecified browser extension offering fraudulent airdrops.
  • Given DeepLoad’s wallet replacement, phishing automation, and persistent malware capabilities, ZeroFox assesses that it is very likely a highly sophisticated offering. Because DeepLoad’s design is explicitly focused on facilitating real-time cryptocurrency theft, it is almost certainly an attractive malware suite in the cybercrime-as-a-service (CaaS) environment.

Tags: tlp:clear dark web