Darkweb Threat Actors Claim to Possess Massive Leak of Gemini, Binance American User Data


Darkweb threat actors are selling over 100,000 Gemini user records and 132,744 Binance user credentials on online platforms.

According to a new blog post from Dark Web Informer, a lot of data is in play. Dark Web Informer is a cyber threat intelligence service that monitors and reports cyber threats, including data breaches, darknet markets, DDoS attacks, and other illicit activities.

Is It Real?

The post, which went live on March 27, stated that a cybercriminal operating under the alias AKM69 listed a large database of U.S.-based cryptocurrency leads allegedly tied to Gemini, the well-known cryptocurrency exchange.

The dataset, now for sale on underground forums, is said to contain over 100,000 records with full names, emails, phone numbers, and location data. The majority of the records reportedly come from individuals based in America, with a small number of entries from Singapore and the UK.

On March 26, Dark Web Informer disclosed on X that a threat actor using the alias “kiki88888” listed a database containing Binance user data in 2025 on a hacking forum. The actor claimed to offer 132,744 records linked to Binance.com. The dataset contains emails, phone numbers, and other personal details.

Gemini has not officially confirmed any breach or direct link to the leaked data. Security experts warn that exposure of the information could lead to phishing attacks, identity theft, and cryptocurrency scams targeting affected individuals.

Binance Says It’s Phishing Attack Targeting Users

In response to reports of user information appearing on the dark web, Binance said that the information was not obtained through a direct security breach of its systems. It claimed that the data was gathered through phishing.

According to the exchange, the hacker used malware to infect individual users’ computers, which then allowed the hacker to take over the users’ browser sessions and eventually steal the data.

Dark Web Informer’s statement also supports Binance’s claim. The entity suggested that the users might have clicked suspicious links or downloaded malicious software, which resulted in their information being compromised.

Big Money At Risk

Major exchanges are often high-value targets for cybercriminals seeking to profit from sensitive personal and financial data.

In September 2024, a person identifying as “FireBear” claimed they had acquired the sensitive details of 12.8 million Binance users. These included names, email addresses, phone numbers, and even residential addresses.

FireBear said that the dataset was the result of a security lapse the previous month and then offered it for sale on the dark web.

However, Binance firmly denied these allegations after a comprehensive internal investigation. The exchange asserted that no data breach had taken place on their systems.

At the time, security experts advised users to exercise caution and be on the lookout for phishing attempts.

Cybercriminals also impersonate prominent exchanges in an attempt to deceive users. This month, the Australian Federal Police notified 130 individuals about a sophisticated scam. This scam involved messages that cleverly mimicked the sender IDs of legitimate cryptocurrency exchanges, including Binance, to lure recipients.

Earlier reports surfaced on X (formerly Twitter) of deceptive messages impersonating Coinbase and Gemini. These fraudulent communications aimed to trick users into setting up new cryptocurrency wallets using recovery phrases that were, in reality, controlled by the scammers themselves.

SOCRadar’s Dark Web Team reported this month that a threat actor advertised a service designed to handle and exploit stolen cryptocurrency information. The service claims to work across a vast range of over 100 different blockchain networks, including major ones like Ethereum, Bitcoin, Binance Smart Chain, Polygon, and Solana.

Microsoft also disclosed this month that it had identified a new malware targeting cryptocurrency holders called StilachiRAT. The cybersecurity threat can steal credentials stored in browsers, clipboard data, and system information.
