Dark Partners Hackers Group Wiping Crypto Wallets With Fake AI Tools and VPN Services

A sophisticated cybercrime group dubbed “Dark Partners” has emerged as a significant threat to cryptocurrency users worldwide, orchestrating large-scale theft campaigns through an extensive network of fake websites impersonating AI tools, VPN services, and popular software brands.

Active since at least May 2025, this financially motivated group has deployed a complex infrastructure spanning over 250 malicious domains, targeting victims across the United States, European Union, Russia, Canada, and Australia through carefully crafted social engineering tactics.

The group’s operations center on distributing two primary malware families: Poseidon Stealer targeting macOS systems and PayDay Loader designed for Windows environments.

These sophisticated tools enable the theft of cryptocurrency wallets, credentials, and sensitive data, which are subsequently monetized through cybercriminal markets.

The attackers have demonstrated remarkable scalability, impersonating at least 37 popular applications and services, including crypto platforms, VPN services, and widely used software brands.

AlphaHunt analysts identified the group’s sophisticated evasion techniques, which include the use of stolen code signing certificates and advanced anti-sandboxing measures to avoid detection by security systems.

The cybercriminals employ SEO poisoning strategies to manipulate search engine results, directing victims to malicious websites that closely mimic legitimate software download pages.

This approach has proven particularly effective in targeting sectors rich in digital assets, including cryptocurrency and blockchain companies, technology firms, and financial services organizations.

Advanced Persistence and Evasion Mechanisms

The technical sophistication of Dark Partners’ malware lies in its multi-layered persistence mechanisms and detection evasion capabilities.

On macOS systems, Poseidon Stealer establishes persistence through launch agents and scheduled tasks, creating multiple pathways for maintaining access to compromised systems.

The malware leverages macOS-specific features to embed itself deeply within the operating system’s startup processes, ensuring continued operation even after system reboots.
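Launch agents are plain property-list files, so the persistence the article describes is something a defender can audit directly. The script below is an added example written for this page, not code from AlphaHunt or from the malware: it parses LaunchAgent plists and flags traits typical of dropped persistence (Apple-looking labels pointing outside Apple paths, executables in temp, shared or hidden directories, RunAtLoad combined with KeepAlive). The two sample plists are constructed for the walkthrough and the thresholds are heuristics, not indicators taken from the campaign.

```python
"""Audit macOS LaunchAgent plists for traits typical of stealer persistence."""
import plistlib
from pathlib import Path

# Locations from which a legitimately installed agent normally runs.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Temporary, shared or user-writable locations a dropped payload tends to use.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one plist; an empty list means nothing odd."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["plist does not parse: possible corruption or deliberate obfuscation"]
    args = [str(a) for a in job.get("ProgramArguments", [])]
    program = str(job.get("Program") or (args[0] if args else ""))
    label = str(job.get("Label", ""))
    findings = []
    # Apple-looking labels that run something outside Apple's own paths.
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/")):
        findings.append(f"label {label!r} imitates Apple but runs {program!r}")
    # Executables in temp, shared or hidden (dot-prefixed) directories.
    if program.startswith(SUSPECT_PREFIXES) or "/." in program:
        findings.append(f"program {program!r} lives in a temp, shared or hidden location")
    elif not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program {program!r} is outside trusted install locations")
    # Run at login and be relaunched if killed: the combination persistence relies on.
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set: restarts on login and when killed")
    return findings


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    return {p.name: audit_launch_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}


# Constructed samples for the walkthrough; not real Dark Partners artifacts.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.update.agent",
    "ProgramArguments": ["/Users/Shared/.cache/helper", "--silent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
```

Running `audit_directory(Path.home() / "Library" / "LaunchAgents")` on a Mac lists every user agent with its findings; the system-wide `/Library/LaunchAgents` and `/Library/LaunchDaemons` can be passed the same way.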

For Windows environments, PayDay Loader employs PowerShell scripts and virtual hard disks as persistence mechanisms, utilizing legitimate system tools to maintain stealth.

The malware’s modular architecture is managed through the PayDay Panel, a centralized command-and-control platform that enables rapid adaptation and scalable operations across the group’s global infrastructure.

This sophisticated management system allows operators to deploy new payloads, update evasion techniques, and coordinate multi-platform attacks with unprecedented efficiency, making Dark Partners one of the most technically advanced cryptocurrency theft operations observed in 2025.
