BLUF: A dark web site advertising access to a high-value Bitcoin wallet was identified as an advance-fee fraud operation run by a Russian-speaking threat actor deploying a sequentially numbered DeFi liquidity mining drain kit across multiple .onion domains. Starting from a single Bitcoin address, Mjolnir Security's RAN platform and OSINT pipeline traced the operation to a cluster of operator-controlled sites, linked clearnet infrastructure, and identifying email addresses and forum accounts — achieving full attribution within a single investigative session.
TLP:WHITE — This report may be freely shared without restriction. Approved for public distribution.
Background
Mjolnir Security's threat intelligence team was tasked with investigating a dark web listing that advertised access to what it claimed was a high-value Bitcoin wallet holding over $7.5 million USD. The listing was designed to draw victims into an advance-fee scheme — paying upfront for "access" to funds they would never receive.
The investigation began with a single data point: the Bitcoin address referenced in the listing.
Phase 1 — On-Chain Profiling
Using the RAN Cryptocurrency Intelligence platform, the advertised address was profiled immediately.
| Attribute | Value |
|---|---|
| Address | 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa |
| Balance | 107.16625496 BTC (~$7,550,720 USD) |
| Risk Score | 65 — HIGH |
| Transaction Count | 62,194 |
| Total Received | 107.16625496 BTC |
| Total Sent | 0.0 BTC |
| Mixer Detection | Not detected |
| Entity Type | pubkeyhash |
| First Seen | 2009-01-03 |
The address is immediately recognizable to blockchain analysts: it is the Bitcoin Genesis Block address, the very first Bitcoin address ever created by Satoshi Nakamoto on January 3, 2009. Its private keys are presumed lost or were never generated. It is provably unspendable.
The 62,194 transactions and 107+ BTC balance represent over 15 years of unsolicited "tribute" transactions sent by the community — a well-documented phenomenon. The address has never sent a single satoshi.
Assessment: The operator deliberately selected this address as social proof. A large, well-known balance lends surface-level legitimacy to the listing. The address itself poses no criminal threat. The operator behind the site does.
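As an added example (not code from Mjolnir's report or the RAN platform), the Base58Check parse behind the "pubkeyhash" classification above, paired with a watchlist of social-proof lure addresses. The watchlist entry is the genesis address quoted in the report; the function names and the watchlist structure are my own assumptions.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Addresses nobody can spend from, or that no listing operator controls.
# Their appearance in a solicitation is a lure signal, not proof of funds.
# Only the genesis address from the report is listed; extend as needed.
SOCIAL_PROOF_WATCHLIST = {
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa": "Bitcoin Genesis Block address",
}

def base58check_decode(addr: str):
    """Return (version_byte, payload), or None if the alphabet or the
    double-SHA256 checksum is wrong. Bech32 (bc1...) is out of scope."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a 0x00 byte that the integer form drops.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return None
    data, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] != checksum:
        return None
    return data[0], data[1:]

def assess_address(addr: str) -> dict:
    """Triage an address quoted in a listing: structural validity, script
    type from the version byte, and whether it is a known social-proof lure."""
    decoded = base58check_decode(addr)
    if decoded is None:
        return {"valid": False, "type": None, "hash160": None, "lure": None}
    version, payload = decoded
    kind = {0x00: "P2PKH (pubkeyhash)", 0x05: "P2SH"}.get(version, f"version {version:#04x}")
    return {"valid": True, "type": kind, "hash160": payload.hex(),
            "lure": SOCIAL_PROOF_WATCHLIST.get(addr)}

if __name__ == "__main__":
    print(assess_address("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))
```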
Phase 2 — Dark Web Site Analysis
The listing originated from a .onion v3 site titled "Майнинг Ethereum - What is it? - Crypto" — a bilingual Russian/English title that immediately flags operator origin.
| Attribute | Value |
|---|---|
| Domain | invest2vgs6d4iswmlg3dvk6eqrti2bqyrzp2dpbhuzlb2japeb7ylid.onion |
| Tor Version | v3 |
| Server | nginx |
| Status at Analysis | Offline (HTTP Status: N/A) |
| Uptime Recorded | 77.8% (7/9 checks online) |
| First Seen | January 17, 2026 — 01:17 AM |
| Last Confirmed Online | February 20, 2026 — 17:11 PM |
| Active Window | ~34 days |
| Category | Cryptocurrency Services |
| Risk Score | 40 |
The 34-day active window is consistent with deliberate operational security: long enough to harvest victims at scale, short enough to evade blocklist propagation and law enforcement action before rotating to the next instance.
Language Signature
The bilingual title — "Майнинг Ethereum" (Russian: "Ethereum Mining") combined with English subtext — is a recognized signature pattern in Eastern European cybercriminal operations targeting English-speaking victims. The operator is comfortable in Russian but is deliberately targeting an anglophone audience.
Phase 3 — Cluster Enumeration
Passive indexing through OnionRanks surfaced a sibling domain during the investigation:
```
# invest[N] domain cluster
invest2vgs6d4iswmlg3dvk6eqrti2bqyrzp2dpbhuzlb2japeb7ylid.onion  ← primary target
invest3do3vkvp52jvoszmj2p6gfvsmixq5d4p5mxpk3zcueoqd5adqd.onion  ← sibling, indexed
```
The invest[N] naming convention — sequential numeric suffixes on identical base infrastructure — is a hallmark of kit-based mass deployment. This pattern has been documented by both the FBI IC3 (PSA-220721) and SC Media's DeFi fraud research, in which the same scam frontend is deployed across hundreds of numbered domains simultaneously to maximize victim exposure while making individual takedowns ineffective.
Cluster Assessment
| Instance | Status | Notes |
|---|---|---|
| invest1[...] | Unconfirmed | Presumed to exist; not yet indexed |
| invest2[...]lid | Offline | Primary target — 34-day run confirmed |
| invest3[...]adqd | Indexed | Sibling domain, same stack |
| invest4+[...] | Unconfirmed | Likely active or staged |
Assessment: The operator is not running a single site. They are running a production deployment pipeline. When one domain goes dark, the next is already staged.
Phase 4 — TTP Classification
The site's mechanics match the DeFi liquidity mining drain kit pattern documented in FBI IC3 PSA-220721 and independently analyzed by SC Media:
- Solicitation: Victim is solicited via social media, messaging platforms, or dark web listings
- Lure: Victim is directed to a professional-looking "mining" or "yield" dashboard
- Wallet Connection: Victim is prompted to connect their cryptocurrency wallet via WalletConnect or equivalent API
- Malicious Authorization: A smart contract — appearing to be a routine authorization — grants the operator unlimited withdrawal rights
- Drain Execution: The operator drains the wallet silently, without further victim interaction
- Cashout: Stolen funds are moved through intermediary wallets before reaching exchange accounts for cashout
The fake yield dashboard displays fabricated returns to encourage larger deposits before the drain executes.
MITRE ATT&CK Mapping
| Technique ID | Name | Application |
|---|---|---|
| T1583.001 | Acquire Infrastructure: Domains | Sequential invest[N] .onion cluster |
| T1566 | Phishing / Social Engineering | Pig-butchering / DeFi mining lure |
| T1657 | Financial Theft | Smart contract wallet drain |
| T1036 | Masquerading | Genesis Block address as legitimacy prop |
Phase 5 — Infrastructure Pivot
Server fingerprinting, HTTP header analysis, and timing correlation across the identified .onion instances were used to pivot to clearnet infrastructure operated by the same actor cluster. This included hosting assets and registration artifacts that bridged the anonymized Tor presence to identifiable internet-facing infrastructure.
Details withheld from public disclosure pending further action.
Phase 6 — Identity Attribution
OSINT graph analysis — correlating the operator's clearnet infrastructure, registration artifacts, and historical forum activity — surfaced:
- Operator email addresses
- Linked underground forum accounts
- Cross-platform pseudonym clusters
- Historical operational activity pre-dating the invest[N] campaign
A full attribution dossier including the operator cluster map was delivered to the client.
Details withheld from public disclosure.
Indicators of Compromise
Dark Web Domains
invest2vgs6d4iswmlg3dvk6eqrti2bqyrzp2dpbhuzlb2japeb7ylid.onion
invest3do3vkvp52jvoszmj2p6gfvsmixq5d4p5mxpk3zcueoqd5adqd.onion
Bitcoin Address (Social Proof Lure — Not Criminal)
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
This is the Bitcoin Genesis Block address. It is not controlled by the threat actor and cannot be spent. It is listed here solely for awareness — its presence in a listing or solicitation should be treated as an immediate fraud indicator.
Infrastructure Indicators
| Indicator | Type | Note |
|---|---|---|
| nginx (version undisclosed) | Server | Consistent across cluster |
| Tor v3 hidden service | Protocol | All instances |
| React-based frontend | Technology | DeFi scam kit fingerprint |
| invest[N] naming pattern | Domain pattern | Sequential deployment |
| RU/CIS bilingual content | Language | Operator origin indicator |
Recommendations
For Individuals
- Any unsolicited outreach offering access to Bitcoin wallets, mining yields, or DeFi returns should be treated as fraud by default.
- Never connect your cryptocurrency wallet to a platform you did not independently verify through multiple trusted sources.
- The presence of a large, well-known Bitcoin address in a listing is not evidence of legitimacy — it is a known social engineering tactic.
For Organizations
- Implement dark web monitoring that covers .onion indexing services, not just surface-web threat feeds.
- Cryptocurrency solicitations received by employees should be reported to your security team immediately.
- Engage a threat intelligence provider capable of on-chain attribution if a wallet address surfaces in an incident.
For SOC and Threat Intel Teams
- The invest[N] naming pattern on Tor v3 infrastructure should be treated as a high-confidence fraud cluster indicator.
- Passive indexing via services such as OnionRanks can surface sibling domains without requiring direct access to the dark web.
- Bilingual RU/EN content targeting English speakers is a persistent actor signature worth tracking across campaigns.
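As an added example (not code from the report, the RAN platform or OnionRanks), the cluster check described in Phase 3 and in the first two SOC bullets above: structurally validate v3 .onion names, group them by alphabetic stem and trailing number, and report gaps in the run as candidate unindexed or staged siblings. The two invest[N] names are those quoted in the report; every other hostname and all function names are constructed here.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of indexed hostnames. The two invest[N] names are the
# ones quoted in the report; every other entry is made up for this example.
SAMPLE_HOSTS = [
    "invest2vgs6d4iswmlg3dvk6eqrti2bqyrzp2dpbhuzlb2japeb7ylid.onion",
    "invest3do3vkvp52jvoszmj2p6gfvsmixq5d4p5mxpk3zcueoqd5adqd.onion",
    "invest5" + "a" * 48 + "d.onion",    # constructed stand-in for a staged sibling
    "investor7" + "a" * 46 + "d.onion",  # constructed: different stem, no cluster
    "duskgytldkxiuqc6.onion",            # constructed v2-length name, rejected
    "invest4.example.com",               # clearnet, not a hidden service
]

V3_RE = re.compile(r"^([a-z2-7]{56})\.onion$")
STEM_RE = re.compile(r"^([a-z]+?)(\d+)(?=[a-z2-7])")

def is_v3_onion(host: str) -> bool:
    """Structural v3 check: 56 base32 chars whose last decoded byte is the
    version 3. The SHA3-256 checksum from the Tor spec is not verified here."""
    m = V3_RE.match(host.lower())
    if not m:
        return False
    raw = base64.b32decode(m.group(1).upper())  # 35 bytes: key|checksum|version
    return raw[-1] == 3

def cluster_key(host: str):
    """(stem, number) for names such as invest2..., else None."""
    m = STEM_RE.match(host.lower())
    return (m.group(1), int(m.group(2))) if m else None

def find_numbered_clusters(hosts, min_size=2):
    """Map stem -> sorted numbers for stems seen with min_size or more
    distinct numbers among structurally valid v3 hidden services."""
    groups = defaultdict(set)
    for host in hosts:
        host = host.strip().lower()
        key = cluster_key(host) if is_v3_onion(host) else None
        if key:
            groups[key[0]].add(key[1])
    return {s: sorted(n) for s, n in groups.items() if len(n) >= min_size}

def missing_indices(numbers):
    """Gaps inside a numbered run: candidates for unindexed or staged siblings."""
    return [i for i in range(min(numbers), max(numbers) + 1) if i not in numbers]

if __name__ == "__main__":
    for stem, nums in find_numbered_clusters(SAMPLE_HOSTS).items():
        print(f"{stem}[N]: seen {nums}, gaps {missing_indices(nums)}")
```

Feeding the output of an indexing service into `find_numbered_clusters` turns a single indexed sibling into a watchlist of expected siblings before they are seen.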
Conclusion
What began as a single Bitcoin address turned into a window into a broader fraud operation — a sequentially deployed scam kit, a RU/CIS threat actor, and an attribution trail that led from the blockchain to identifiable individuals.
Cryptocurrency does not equal anonymity. Every on-chain footprint, infrastructure choice, and OPSEC failure leaves a trail.
Mjolnir Security's RAN platform and intelligence pipeline are purpose-built to follow that trail.
Mjolnir Security — Cryptocurrency Intelligence & Dark Web Monitoring
Mjolnir Security Inc. is a Toronto-based Canadian cybersecurity firm operating a managed Security Operations Centre (SOC) and delivering DFIR, offensive security, threat intelligence, and GRC services to enterprise clients.
- Cryptocurrency Intelligence & On-Chain Attribution: Trace blockchain transactions from pseudonymous addresses to real-world identities using the RAN platform and OSINT pipeline. Full attribution dossiers delivered within a single investigative session.
- Dark Web Monitoring & Threat Intelligence: Continuous monitoring of .onion indexing services, underground forums, and dark web marketplaces. Proactive identification of threats targeting your organization, brand, or executives.
- Incident Response & Digital Forensics: 24/7 DFIR capabilities for cryptocurrency fraud, ransomware, and advanced persistent threats. Canadian data residency with no US-jurisdiction cloud dependency.
24/7 Incident Response: +1 833 403 5875
Intelligence Inquiries: mjolnirsecurity.com
References
- FBI IC3, "Fraudulent Cryptocurrency Investment Schemes," PSA-220721, 2022. ic3.gov
- SC Media, "DeFi Liquidity Mining Scams," 2023. scworld.com
- MITRE ATT&CK, "Enterprise Techniques." attack.mitre.org
- "Threat Intelligence," Mjolnir Security. mjolnirsecurity.com
- "Digital Forensics," Mjolnir Security. mjolnirsecurity.com