{
	"id": "e0234eb8-0ea8-4087-87e7-7aa11fcacd46",
	"created_at": "2026-04-06T00:22:35.664151Z",
	"updated_at": "2026-04-10T03:29:57.85986Z",
	"deleted_at": null,
	"sha1_hash": "3e907223a074944ad76257c8de11e52adc66cd85",
	"title": "Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier Scam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3635145,
	"plain_text": "Passive Income of Cyber Criminals: Dissecting Bitcoin Multiplier\r\nScam\r\nBy Rakesh Krishnan\r\nPublished: 2021-01-15 · Archived: 2026-04-05 19:02:43 UTC\r\nIt is a common scenario to come across the various Bitcoin Scams on Dark Web while visiting various services.\r\nSome are even advertised on landing pages of popular Dark Web sites, which transports users to the luring page of\r\nBitcoin SCAMS. Inexperienced or Less Tech-Savvy Netizens are stupefied by such posts, falling into the bait;\r\nultimately losing money.\r\nIt is also evident that these kinds of scams are being made operational by infamous Threat Actors such\r\nas Dark Hotel (Korea) to gain maximized profit to fund their Cyber Operations. One such incident\r\npertaining to Magniber Ransomware (which we would be discussing at the end of this article). Hence,\r\nthis paved the way for a passive income for the cyber criminals without directly infecting the intended\r\ntargets.\r\nhttps://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372\r\nPage 1 of 12\n\nCriminals always Experiment for better strategies| Source: Wrath of Sabellian by\r\nArtofcarmen (DeviantArt)\r\nBitcoin — The Greatest Cryptocurrency is currently witnessing an important stage in its Bull Run, surpassing the\r\nMarket Value of Facebook (2 days back), to become $760 Billion in its Market Value. Moreover, the currency had\r\nhttps://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372\r\nPage 2 of 12\n\nbeen legalized in various countries such as the United States, Australia, Japan, Germany, and South Korea. It\r\nis also notable that more countries are in the pipeline of adopting Bitcoin for Economic Stability. 
Latin American\r\nCountries like Venezuela (Bolivar) \u0026 Argentina (Peso) have already started to migrate towards Crypto-Economy,\r\nwhere local currency is getting devalued and spiraling down to hyperinflation.\r\nAs the adoption rate has gone astronomical, many more concepts are being added to the Crypto Economic\r\nCultures such as Bitcoin ATMs, KYC-less Exchanges, Paper Wallets, Cold Wallets etc.\r\nSource: CoinATM Radar\r\nThis provides a detailed view of Bitcoin ATMs installed over the world.\r\nIt is also remarkable that Bitcoin forks such as BCH (Bitcoin Cash) are also widely being accepted for day-to-day\r\ntrading.\r\nA Store accepting BCH in North Queensland | Source: Reddit\r\nAs the adoption rate gets quadrupled, the SCAMS in this arena are also maturing, defrauding many\r\nBitcoin Enthusiasts. This article explains one such SCAM, generally known as Bitcoin Doubling or\r\nWhat makes these SCAMS successful are various technical pointers which are implemented in the site to entice\r\nthe people with partial knowledge and low-maintenance web pages etc. Let’s look into one such use case!\r\nCASE STUDY — REAL TIME\r\nLanding Page of Bitcoin Multiplier\r\nThis is one of the common Introductions found on such Scams, which instructs users to feed in their Bitcoin\r\nWallet Address and Required Amount by sliding the Amount Pointer to get it into their account.\r\nThere are various factors used in the Website to lure the visitors. Some of them are:-\r\nLive Stats:- This is used as a Trust Factor for newbies. 
The records are probably pulled from the Live Blockchain\r\nTransaction Log, repurposing it as Live Stats to showcase the website activity.\r\nLive Stats\r\nLive Chat Support:- Bragging about the profit made from the site is dumped in this section. Another bait\r\nawaiting inexperienced users.\r\nChat Box\r\nIn order to bust this myth, let’s take a chat conversation and run a plain check:-\r\n“I thought my friend wanted to fool me with this website link. but you can only get BTC here if you don't\r\nmess up with the fee confirmations”\r\nProof for Chat Script\r\nHere, you can see similar Bitcoin Sites where the same chat log was found.\r\nTIP: The best part is that the Chat Window even works without an Internet Connection (as my power got disrupted while\r\ndrafting this), hence proving it to be hard-coded into the website (JS Files).\r\nReceipts: These are tiny pop-ups that appear on the site alerting visitors about its high activity, claiming that funds were\r\nreceived by various users.\r\nReceipt Notification\r\nAgain, if you run a check on any of the usernames, you will be shown many SCAM sites.\r\nAfter feeding a BTC Address, it will run a loader to satisfy the eagerness of the visitors. The following script is\r\nshown:-\r\nScript Visualization\r\n{ X00Percent: 2, X00Text: 'Starting `injection` process...' },\r\n { X00Percent: 4, X00Text: 'Connecting and Validating vulnerable BCH node...' },\r\n { X00Percent: 8, X00Text: 'Spoofing Packets through IPV6 Tunnel...' 
},\r\n { X00Percent: 10, X00Text: 'Tunnelling via be6e:854229af:c9a::34' },\r\n { X00Percent: 12, X00Text: 'Connecting to Node Maintenance Channel...' },\r\n { X00Percent: 14, X00Text: 'Establishing connection...' },\r\n { X00Percent: 16, X00Text: 'Connection successful on port 87118' },\r\n { X00Percent: 18, X00Text: 'Connecting to Node Maintenance Channel...' },\r\n { X00Percent: 18, X00Text: 'Re-spoofing Packets through IPV6 Tunnel...' },\r\n { X00Percent: 32, X00Text: 'Extracting data bitcoin pools -2 ' },\r\n { X00Percent: 33, X00Text: 'Exploit uploaded... 0%' },\r\n { X00Percent: 38, X00Text: 'Exploit uploaded... 50%' },\r\n { X00Percent: 42, X00Text: 'Exploit uploaded... 100%' },\r\n { X00Percent: 59, X00Text: 'Success: Spoofing Packets through IPV6 Tunnel.' },\r\n { X00Percent: 60, X00Text: 'Injecting script...' },\r\n { X00Percent: 74, X00Text: 'Checking bitcoin pools response...' },\r\n { X00Percent: 74, X00Text: 'Checking BCH Nodes for Vulnerability (OK).' },\r\n { X00Percent: 74, X00Text: '79.83.83.61...' },\r\n { X00Percent: 77, X00Text: 'Injecting ....' },\r\n { X00Percent: 79, X00Text: 'Spoof Successful(OK)' },\r\n { X00Percent: 79, X00Text: 'Checking Again for BCH Nodes with Vulnerability (OK).' },\r\n { X00Percent: 82, X00Text: 'Vulnerable Node Found at 183.9.25.156' },\r\n { X00Percent: 82, X00Text: 'Reading Blockchain Head...!' },\r\n { X00Percent: 84, X00Text: 'ea0d7613 f665ce14 4de1a1d5 668088c9 90eadb87\\n dda97e16 5c286117 3ade08\r\n { X00Percent: 84, X00Text: 'Parsing...' },\r\n { X00Percent: 84, X00Text: 'Writing to Blockchain Head' },\r\n { X00Percent: 84, X00Text: 'fb7fa163 3b1dcc83 94cd05c2 538ce18b ecb82a6b\\n 106837e3 13ffbf3c 4e8bd3\r\n { X00Percent: 84, X00Text: 'Executing request!' },\r\n { X00Percent: 86, X00Text: 'Waiting for response...' },\r\n { X00Percent: 92, X00Text: 'Reading Blockchain Head.' 
},\r\n { X00Percent: 93, X00Text: 'Verification...' },\r\n { X00Percent: 94, X00Text: 'Removing exploit code from blockchain...' },\r\n { X00Percent: 99, X00Text: 'Sending cloned Bitcoin...' },\r\n { X00Percent: 100, X00Text: 'DONE.' },\r\nThe script listed above was obtained from this site, which was reported earlier.\r\nSoon after the loader completes, the following screen appears, claiming that the doubling process has completed and that\r\nfunds are ready for transmission:-\r\nReturn Screen\r\nHere is the ruse:- Initially you have to deposit $1,300 to the Scamster’s Bitcoin Address\r\n1EFJNx1zGSgRf5u2L3oyCQunwa8Xro6ihb to receive $3,500.\r\nBy mapping the address, we came to know that this address has been active for 4 months and has successfully received a\r\nsum of ~$310.\r\nScam Funds Received in 4 Months\r\nNote:- As BTC is fluctuating, the amount varies. It also depends upon the fees calculated in the Scam site.\r\nThis is one of the sites that still exist on the Dark Web with high activity, and it is evident that the last receipt was\r\nreceived a month back (Acc. 
to Blockchain), proving the scam is not obsolete.\r\nIf you think this amount is minuscule, here is another site that made around $3,705,769.52 in a span of 7\r\nyears (Still goes unflagged), hosted with Hetzner (159.69.62.95) with this Wallet Address:\r\n1F7rkmXCouKbCuXF4DbpCwug9xBcsVvnQ5.\r\nWhile digging deeper, a profile named Giaky from Italy popped up on the Bitcoin Talk Forum, to which the Wallet\r\nAddress was mapped.\r\nProfile from Bitcoin Talk\r\nNote: There is no 100% surety whether the alleged Bitcoin Address belongs to the alleged user, as the data\r\nwas obtained from a Bitcoin Blacklist Comment.\r\nSimilarly, a multitude of SCAM Campaign Websites are still operational on both the Dark Web and Surface\r\nWeb, reaping a high cash flow to the Scamster’s account.\r\nFollowing are some of the details with reaped profits:-\r\nSimilar BTC Doubling Operations (Live)\r\nThese are some of the notable websites (that I came across) which are targeting Bitcoin Doubling fanatics. It is\r\nalso found that there are a large number of mirror sites for the same onion such as:-\r\nTor66 SE Report\r\nAccording to this Search Engine, there are a total of 331 Websites (including Mirrors) exclusively with\r\n“BITCOIN DOUBLING” content in them, on the Dark Web. Of course, there are more, but not everything can be\r\nindexed by a single entity.\r\nNote: This article covers the Dark Web Aspect in more detail rather than the Surface Web.\r\nMAGNITUDE EK LINKED WITH BITCOIN MULTIPLIER IN THE PAST\r\nMagnitude is one of the most successful Exploit Kits prevalent on various underground forums over the years. 
It\r\ndelivers Magniber Ransomware upon infection, affecting the APAC Region. The Group (attributed to infamous\r\nSouth Korean Group DarkHotel) works by keeping up-to-date with the recently uncovered security loopholes\r\n(CVEs) targeting the intended parties. It is a surprising fact that the group had also operated various\r\nMalvertisements and Bitcoin Scam Websites as per the Malwarebytes Report.\r\nIt is evident that the Cyber Criminal Groups are using this means as a passive income in order to fund their cyber\r\nattack operations.\r\nKEY TAKEAWAYS\r\nNever ever fall for the Doubling/Multiplier or any sorts of Scams\r\nCyber Criminals can set up such SCAM sites on a large scale, in order to raise a large amount without\r\ndirectly infecting anyone with Ransomware\r\nThis is also a form of Passive Income for Cyber Criminals or a long term investment policy without any\r\nred flags\r\nAlways check the Website Reputation before believing all the displayed promises\r\nCheck for the Blacklist activities of Bitcoin Addresses listed on various platforms like BitcoinWhosWho or\r\nBitcoin Abuse\r\nBe a responsible infosec contributor by flagging malicious Bitcoin Addresses to the said platforms\r\nImage Courtesy: Foxman Communications\r\nFollow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)\r\nNote:- The Article is purely an Individual Research and is not to be used/published anywhere without\r\nthe Author’s consent.\r\nSource: https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372"
	],
	"report_names": [
		"passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434955,
	"ts_updated_at": 1775791797,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e907223a074944ad76257c8de11e52adc66cd85.pdf",
		"text": "https://archive.orkl.eu/3e907223a074944ad76257c8de11e52adc66cd85.txt",
		"img": "https://archive.orkl.eu/3e907223a074944ad76257c8de11e52adc66cd85.jpg"
	}
}