Flash Report: Cryptocurrency Stealer for Sale on Dark Web

by ZeroFox Intelligence

Key Findings

  • On February 2, 2026, ZeroFox observed an actor using the alias “MysteryHack” advertising a malware suite called DeepLoad on the dark web forum Exploit. The actor described DeepLoad as a centralized panel for multiple types of malware; its primary function is to replace seven cryptocurrency wallet applications with counterfeit versions.
  • The actor claimed that a second DeepLoad feature, called Anti-Metamask, is designed to remove legitimate browser-based cryptocurrency wallets and replace them with fraudulent versions.
  • MysteryHack further claimed that they are developing a future DeepLoad module, which they described as an executable file that installs an unspecified browser extension offering fraudulent airdrops.
  • Due to DeepLoad’s wallet replacement, phishing automation, and persistent malware capabilities, ZeroFox assesses it is very likely a very sophisticated offering. DeepLoad’s design is explicitly focused on actively facilitating real-time cryptocurrency theft, which almost certainly makes it an attractive malware suite in the cybercrime-as-a-service (CaaS) environment.

Details

On February 2, 2026, ZeroFox observed actor MysteryHack advertising a malware suite called DeepLoad on the dark web forum Exploit. The actor described DeepLoad as a centralized panel for multiple types of malware; its function is to replace seven cryptocurrency wallet applications (Ledger, Trezor, Exodus, Guarda, BitBox, KeepKey, and Atomic) with counterfeit versions. 

  • In this scenario, when a victim attempts to open a legitimate wallet, a fake interface is launched instead, prompting the user to enter their seed phrase.
  • MysteryHack has been a member of Exploit since December 2025 and has made 44 posts since that date. ZeroFox assesses they are likely considered very active by other forum users, given the timeframe. The threat actor has a favorable reputation on the forum, meaning they are very likely to be taken seriously by potential customers and will almost certainly receive attention from cybercriminals seeking solutions for attacking cryptocurrency platforms.

The actor claimed a second feature of DeepLoad, called Anti-Metamask, is designed to remove legitimate browser-based cryptocurrency wallets (such as MetaMask, Trust Wallet, and OKX Wallet) and replace them with fraudulent versions. The malware is capable of transmitting harvested credentials from infected victims’ devices to the operator’s control panel. 

  • While this functionality resembles that of traditional infostealers, it is specifically tailored for cryptocurrency-focused attacks.
  • The system appears to combine automated phishing techniques with persistent malware infection, enabling attackers to interact with victim data in real time.

MysteryHack further claimed that they are developing a future DeepLoad module, referred to as a “Binance stealer.” The actor described the component as an executable file that installs an unspecified browser extension offering fraudulent airdrops. The stealer is likely to be integrated into the DeepLoad panel in a future update.

  • MysteryHack did not specify a price for the product and indicated that they are open to private offers. Given their claim that the product generated USD 7,000 in profit within a single week, it is very likely that the final price will be substantial.
  • Notably, the sale of the project will allegedly include support from the original coder, who can additionally be paid a percentage of earnings or a salary to continue longer-term technical support, if the buyer is interested.

ZeroFox observed no information about how the malware would be delivered or how threat actors would generate traffic and infections at scale. The service appears to rely heavily on customized phishing techniques to achieve initial compromise; however, if a more persistent initial access method is developed, DeepLoad would likely represent a significant threat to the cryptocurrency marketplace.

Due to DeepLoad’s wallet replacement, phishing automation, and persistent malware capabilities, ZeroFox assesses it is very likely a very sophisticated offering. While DeepLoad’s malware suite shares similarities with traditional infostealers, its design is explicitly focused on actively facilitating real-time cryptocurrency theft, which almost certainly makes it an attractive offering in the CaaS environment.

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 10:00 AM (EST) on February 12, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
