Dark Partners Hacker Group Drains Crypto Wallets Using Fake AI Tools and VPN Services

The financially driven organization known as Dark Partners has been planning massive cryptocurrency theft since at least May 2025, using a complex network of more than 250 malicious domains that pose as AI tools, VPN services, cryptocurrency wallets, and well-known software brands. This is part of a rapidly developing cybercrime operation.

These fake websites, distributed via SEO poisoning and social engineering tactics, serve as primary infection vectors to deploy Poseidon Stealer on macOS and PayDay Loader on Windows systems.

Poseidon Stealer employs launch agents and scheduled tasks for persistence, enabling the exfiltration of cryptocurrency wallets, credentials, and sensitive data, while PayDay Loader utilizes PowerShell scripts and virtual hard disks to maintain a foothold and load modular payloads.

The group’s infrastructure, including globally distributed command-and-control (C2) servers, facilitates efficient data harvesting from victims across the United States, European Union, Russia, Canada, and Australia, with a particular focus on cryptocurrency, blockchain, technology, financial services, and VPN sectors.

Named by cybersecurity researcher g0njxa, Dark Partners demonstrates no direct ties to nation-state actors or advanced persistent threats (APTs), instead prioritizing financial gain through the sale of stolen assets on underground markets.

Rapid Adaptation Fuels Ongoing Threat

Dark Partners’ technical sophistication is evident in their use of stolen code signing certificates to bypass endpoint detection and response (EDR) systems, coupled with anti-sandboxing mechanisms that thwart automated analysis environments.

The PayDay Panel serves as a centralized management platform for modular malware deployment, allowing operators to adapt payloads dynamically and scale operations across at least 37 impersonated brands.

Historical telemetry indicates campaigns ramping up in June 2025 with expanded fake site networks, followed by a temporary disruption in July due to certificate revocations, yet the group is anticipated to rebound by procuring new certificates and incorporating advanced evasion techniques such as fileless malware and living-off-the-land binaries (LOLBins).

Behavioral indicators include anomalous PowerShell persistence on Windows, suspicious launch agent activity on macOS, and network traffic to known C2 infrastructure, underscoring the need for continuous monitoring and dynamic, indicator of compromise (IoC)-driven controls.
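As an added illustration of how those behavioral indicators translate into triage logic (this is example code written for this page, not tooling from the article, from g0njxa, or from the cited report), the Python below runs a handful of heuristics over endpoint telemetry: PowerShell launched with evasion-style switches or mounting a virtual hard disk, scheduled tasks and macOS LaunchAgents whose program lives in a user-writable location or is unsigned, and connections to a C2 watchlist. The event schema, the watchlist entries, and every sample event are constructed for the example and are not indicators from the campaign.

```python
"""Heuristic triage of endpoint telemetry for persistence and C2 behaviours.

Added example for this article; the event schema and all sample values below
are constructed and do not describe real infrastructure or real indicators.
"""
import re

# Constructed placeholder watchlist (documentation-range IP, .invalid TLD).
C2_WATCHLIST = {"c2.placeholder.invalid", "203.0.113.10"}

# PowerShell switches that legitimate scheduled jobs rarely need (lowercased).
POWERSHELL_EVASION_FLAGS = (
    "-enc", "-encodedcommand", "-nop", "-noprofile",
    "-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass",
)

# Locations that any unprivileged user can write to; a persistence entry that
# executes from one of these deserves a closer look.
USER_WRITABLE_PATTERNS = [
    re.compile(r"c:\\users\\public\\", re.I),
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\downloads\\", re.I),
    re.compile(r"^/users/[^/]+/library/caches/", re.I),
    re.compile(r"^/(private/)?tmp/", re.I),
    re.compile(r"^/users/[^/]+/downloads/", re.I),
]


def in_user_writable_path(text):
    """True if the command line or program path references a user-writable dir."""
    return any(p.search(text) for p in USER_WRITABLE_PATTERNS)


def triage_event(event):
    """Return a list of human-readable reasons an event looks suspicious."""
    reasons = []
    kind = event.get("type")
    if kind == "process" and event.get("image", "").lower().endswith("powershell.exe"):
        cmd = event.get("cmdline", "").lower()
        if any(flag in cmd for flag in POWERSHELL_EVASION_FLAGS):
            reasons.append("PowerShell launched with evasion-style flags")
        if "mount-diskimage" in cmd:  # real cmdlet; VHD-based loading per the article
            reasons.append("PowerShell mounting a virtual hard disk image")
    elif kind == "scheduled_task":
        action = event.get("action", "")
        if "powershell" in action.lower() and in_user_writable_path(action):
            reasons.append("scheduled task runs PowerShell from a user-writable path")
    elif kind == "launch_agent":
        program = event.get("program", "")
        if in_user_writable_path(program):
            reasons.append("LaunchAgent program lives in a user-writable path")
        if not event.get("signed", True):
            reasons.append("LaunchAgent program is unsigned")
    elif kind == "network":
        if event.get("dst") in C2_WATCHLIST:
            reasons.append("connection to a watchlisted C2 destination")
    return reasons


def triage(events):
    """Run triage_event over a batch; yields (index, reason) for every hit."""
    return [(i, r) for i, ev in enumerate(events) for r in triage_event(ev)]


# Constructed sample telemetry: four benign-looking and four suspicious records.
SAMPLE_EVENTS = [
    {"type": "process", "os": "windows",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"},
    {"type": "process", "os": "windows",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Mount-DiskImage -ImagePath C:\Users\Public\update.vhdx"},
    {"type": "scheduled_task", "os": "windows", "name": "UpdateCheck",
     "action": r"powershell.exe -File C:\Users\Public\run.ps1"},
    {"type": "scheduled_task", "os": "windows", "name": "Backup",
     "action": r"C:\Program Files\Vendor\backup.exe"},
    {"type": "launch_agent", "os": "macos",
     "path": "/Users/alice/Library/LaunchAgents/com.update.helper.plist",
     "program": "/Users/alice/Library/Caches/.helper/agent", "signed": False},
    {"type": "launch_agent", "os": "macos",
     "path": "/Users/alice/Library/LaunchAgents/com.vendor.sync.plist",
     "program": "/Applications/Vendor.app/Contents/MacOS/sync", "signed": True},
    {"type": "network", "os": "macos", "dst": "203.0.113.10", "dport": 443},
    {"type": "network", "os": "windows", "dst": "updates.example.com", "dport": 443},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The heuristics are deliberately coarse: each one is a reason to pull the host into investigation, not a verdict, and the path and flag lists should be tuned against what is normal in a given fleet before being used to alert.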

Multi-Layered Defenses

To counter this threat, organizations must implement advanced EDR solutions with behavioral analytics, enforce strict certificate validation protocols, and deploy network controls that adapt to evolving IoCs to disrupt malware delivery and C2 communications.

According to the report, targeted sectors, including crypto and DeFi platforms, should prioritize user awareness training and simulated phishing exercises to mitigate social engineering risks, as these remain the group’s core attack types.

Looking ahead, Dark Partners is poised to intensify tactics with AI-generated lures and expanded targeting of NFT ecosystems, necessitating intelligence sharing among cybersecurity communities and red team simulations to validate defenses against their TTPs.

Early detection through monitoring for certificate anomalies and persistence mechanisms remains critical, as the group’s scalable operations continue to pose a global risk to digital asset security.
