Following the Trail of Anubis: Forums, Onion Sites, and the Rise of a Ransomware Operation


Some ransomware operations appear suddenly. A new name surfaces, victims begin to appear, and attention quickly shifts to the impact of the attacks. What often goes unnoticed is everything that happens before that point.

Behind every ransomware operation is a period of growth. Infrastructure is built, relationships are formed, and an online presence gradually takes shape across corners of the internet that most people never see. Traces of that activity are often scattered across forums, hidden services, and other platforms, leaving behind a digital trail that can reveal how an operation evolved long before it gained wider attention.

This investigation follows that trail.

A series of seemingly unrelated discoveries made with StealthMole led to a deeper examination of Anubis, a ransomware operation that has steadily expanded its presence across the underground ecosystem. What began as a routine inquiry soon developed into a broader effort to understand how the operation established itself, promoted its services, and grew its network over time.

The sections that follow reconstruct that journey, tracing the digital footprint left behind by Anubis and the individuals operating under its banner.

Following the First Lead

The investigation began after Anubis published a ransomware listing targeting a South Korean company operating in the semiconductor and industrial equipment sector. The victim entry was identified through StealthMole's Ransomware Monitoring module and directed visitors to a dedicated page hosted on the group's leak platform:

  • om6q4a*********************************u4aqd.onion/

At first glance, the listing appeared similar to many ransomware leak posts regularly published across the dark web. However, rather than focusing solely on the victim, the investigation turned toward the operation responsible for publishing the claim.

A broader search for Anubis within StealthMole's Ransomware Monitoring module revealed that the group had publicly listed 83 victims between February 2025 and June 2026, suggesting that the latest attack was part of a much larger operation. Additional searches across StealthMole's monitoring datasets uncovered references to the same leak infrastructure in connection with other organizations, including a US county, further indicating that the operation had maintained an active presence for an extended period.

While the victim listings provided a starting point, they offered only a limited view of the operation itself. To better understand who was behind Anubis and how the group had established its presence, the investigation shifted beyond the leak site and began tracing the digital footprint surrounding the operation. That search soon led to a recurring identity that appeared across multiple underground platforms.

The Emergence of Anubis Media

As the investigation moved beyond victim listings and into the wider footprint surrounding Anubis, one name began appearing repeatedly across multiple platforms: Anubis Media.

The earliest discovery was an account on the XSS forum, registered on 16 November 2024 under the profile:

  • https://xss.***/members/4*****8/

The account's profile description translated to "We convey information," a message that would later align closely with the branding and public image promoted by the Anubis operation. At the time, however, there was little to suggest how significant this persona would become.

Further investigation uncovered the same identity across multiple underground communities, including accounts of the same name on three separate BreachForums domains (TLDs masked):

  • https://breachforums.**/User-Anubis-media
  • https://breachforums.**/User-Anubis-media
  • https://breachforums.**/User-Anubis-media

Rather than appearing as isolated registrations, these accounts demonstrated a consistent effort to establish a recognizable presence across several well-known cybercriminal forums.

The same branding also appeared outside traditional forum environments. An X account operating under the handle Anubis*****a was identified at:

  • https://x.com/Anubis******a

The account was used to publish updates related to the operation, share infrastructure announcements, and promote content associated with the Anubis brand.

It remained unclear whether Anubis Media represented a single operator, a spokesperson, or a broader public-facing identity used by the group. What was clear, however, was that the name appeared consistently across multiple platforms and increasingly served as a common thread connecting disparate pieces of the investigation.

As additional findings emerged, Anubis Media would become closely associated with the promotion of services, recruitment efforts, and infrastructure linked to the Anubis operation.

Building a Presence Across the Underground

The growing presence of Anubis Media across multiple platforms was accompanied by a steady stream of advertisements promoting various services associated with the operation. These posts provided a clearer view of how the group was attempting to establish itself within the underground ecosystem and attract potential partners.

One of the earliest examples was identified on ReHub:

  • https://rehubcom.***/threads/*****/

The post advertised a corporate access monetization program built around a profit-sharing model. Similar advertisements were later discovered on several BreachForums instances as well as mirrored versions.

  • https://breachforums.**/Thread********monetization-50-50-Earn

The advertisements sought individuals with access to corporate environments and invited them to collaborate with the operation under a 50/50 revenue-sharing arrangement. According to the posts, preferred targets included organizations located in the United States, Canada, Europe, and Australia. The advertisements specifically referenced access types such as VPNs, RDWeb deployments, Citrix environments, remote code execution opportunities, and other forms of corporate network access.

The same activity was not limited to a single forum. Similar recruitment efforts were identified on XSS, where the Anubis Media persona promoted access monetization services to another underground audience. The repeated appearance of these advertisements across multiple communities suggested a deliberate effort to expand the operation's network of partners rather than relying solely on internally obtained access.

At this stage, the investigation revealed an operation focused not only on public visibility but also on building relationships within the cybercriminal ecosystem. The recurring recruitment campaigns indicated that Anubis was actively seeking opportunities to acquire access, attract collaborators, and increase its operational reach.

While these advertisements demonstrated how the operation sought to expand, they also raised another question. What services were those partners ultimately being recruited to support? The answer emerged through a separate set of posts that revealed the group's ransomware ambitions.

From Leak Operation to Ransomware Program

The purpose behind Anubis' recruitment efforts became clearer following the discovery of a dedicated thread on the RAMP forum:

  • https://ramp4u.**/threads/data-ransom-ransomware-anubis*****

Created by the user superSonic on 23 February 2025, the post provided one of the earliest detailed descriptions of the services being offered under the Anubis brand. Notably, the timing closely aligned with the emergence of the group's leak infrastructure, suggesting that the operation's public-facing presence and recruitment efforts developed in parallel.

Rather than advertising a single service, the RAMP post presented Anubis as a multi-faceted operation built around two primary offerings: ransomware and data extortion.

The ransomware component promoted support for Windows, Linux, NAS, and ESXi environments while highlighting features designed to maximize operational impact. The advertisement described capabilities such as network-wide deployment, privilege escalation, shadow copy removal, and disruption of virtualized environments. The post also referenced multiple encryption modes, including a "Lite Locker" option and a destructive wipe mode.

Alongside the ransomware offering, the thread introduced a separate "Data Ransom" model. Unlike traditional ransomware campaigns that rely on encryption, this service focused on monetizing stolen corporate information. Individuals in possession of sensitive company data were invited to collaborate with the operation, allowing Anubis to leverage its existing infrastructure and publicity channels to pressure victims and generate revenue from leaked information.

This distinction proved particularly significant. The model suggested that Anubis was not solely dependent on ransomware deployments to generate income. Instead, the operation appeared willing to profit from both network intrusions and independently acquired datasets, broadening the range of opportunities available to potential partners.

The RAMP advertisement also outlined preferred target regions, including the United States, Canada, Europe, and Australia. At the same time, the post stated that organizations associated with government, education, non-profit sectors, BRICS countries, and former Soviet states were excluded from the group's stated targeting criteria.

By this stage of the investigation, Anubis no longer appeared to be simply a ransomware leak site or a collection of forum profiles. The evidence pointed toward an operation actively recruiting affiliates, acquiring access opportunities, and promoting multiple revenue streams under a single brand.

As the investigation continued, attention shifted from the services being advertised to the infrastructure supporting them.

Mapping the Anubis Infrastructure

The investigation's next phase focused on the infrastructure supporting the Anubis operation. Using StealthMole's Dark Web Tracker, multiple pages associated with the group's leak platform were identified, including dedicated sections for news, rules, frequently asked questions, and operational information.

At the center of this infrastructure was the group's primary leak site:

  • om6q4a6*************************************4aqd.onion

The site served as the public-facing hub for the operation, hosting victim listings, announcements, and guidance for both affected organizations and prospective collaborators. Several of the pages contained contact information and references that helped connect the infrastructure to identities previously identified during the investigation.

One of the most significant findings appeared within the Rules section, where the operation publicly provided multiple communication channels:

  • qTox ID: 354217********************************************948F
  • Email: anu*****t@onionmail.org
  • PGP Fingerprint: D59C**********************5A1

The same page also directed visitors to several forum profiles previously encountered during the investigation, including the RAMP account associated with superSonic and the Anubis Media presence on underground forums. These references provided an important bridge between the operation's infrastructure and its public recruitment activities.

Further examination of the platform revealed that Anubis had invested in maintaining a structured and regularly updated environment rather than a simple victim listing page. Sections dedicated to operational announcements, leak publications, and user guidance suggested an effort to create a recognizable and persistent presence within the underground ecosystem.

Additional infrastructure surfaced through the group's X account, which announced a new onion domain on 12 June 2025:

  • anubis*************************************y6ad.onion

The domain was described as a "New Node DLS." While the service appeared inactive or under maintenance at the time of investigation, the announcement provided evidence that the operation was actively expanding or maintaining additional infrastructure beyond its primary leak platform.

These findings revealed an operation that had developed far beyond a single leak site. The infrastructure connected communication channels, forum identities, victim publications, and operational announcements into a unified ecosystem supporting the broader Anubis brand.
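Every address in this section is a 56-character v3 onion hostname, and mirror announcements such as the "New Node DLS" are often copied by hand across forums and social posts, so a recorded address should be checked structurally before it is treated as infrastructure. The following is an added worked example, not StealthMole's tooling and not code from the Anubis site: it derives a v3 address from a throwaway key, validates the SHA3-256 checksum and version byte that the Tor v3 rendezvous specification embeds in the address, and sorts candidates pulled from a constructed text sample into accepted and rejected lists. The key, addresses and sample text are all constructed; the masked addresses printed in this report are not used.

```python
"""Structural validation of v3 .onion addresses pulled from scraped pages.

Added example, not StealthMole's code. A v3 address is
base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) with
CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (Tor rend-spec-v3),
so a truncated, masked or mistyped address can be rejected before it is
recorded as infrastructure. All keys and addresses below are constructed.
"""
import base64
import hashlib
import re

VERSION = b"\x03"
CANDIDATE_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")


def _checksum(pubkey: bytes, version: bytes = VERSION) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion(pubkey: bytes, checksum: bytes, version: bytes = VERSION) -> str:
    """Base32-encode the 35-byte body; 35 is a multiple of 5, so no '=' padding."""
    raw = pubkey + checksum + version
    if len(raw) != 35:
        raise ValueError("pubkey(32) + checksum(2) + version(1) expected")
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def make_onion(pubkey: bytes) -> str:
    """Derive the address a service holding this ed25519 public key would publish."""
    return encode_onion(pubkey, _checksum(pubkey))


def parse_onion(address: str):
    """Return the embedded public key for a well-formed v3 address, else None."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[:-6]
    if not re.fullmatch(r"[a-z2-7]{56}", host):
        return None                      # wrong length or alphabet: v2, masked, truncated
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != VERSION or checksum != _checksum(pubkey):
        return None                      # mistyped or tampered
    return pubkey


def extract_onions(text: str):
    """Split the 56-character .onion candidates in text into (valid, rejected) hosts."""
    valid, rejected = [], []
    for m in CANDIDATE_RE.finditer(text.lower()):
        host = m.group(1) + ".onion"
        (valid if parse_onion(host) is not None else rejected).append(host)
    return valid, rejected


# Constructed sample: one address derived from a throwaway key, two corrupted
# copies of it, and a 16-character string of the legacy v2 shape.
DEMO_PUBKEY = bytes(range(32))                      # placeholder, not a real key
DEMO_ADDRESS = make_onion(DEMO_PUBKEY)
BAD_CHECKSUM = encode_onion(DEMO_PUBKEY, bytes(b ^ 0xFF for b in _checksum(DEMO_PUBKEY)))
BAD_VERSION = DEMO_ADDRESS[:-7] + "a.onion"         # every valid v3 address ends in 'd'
SAMPLE_TEXT = f"""
New Node DLS announced at http://{DEMO_ADDRESS}/
Re-posted copy with a corrupted checksum: {BAD_CHECKSUM}
Re-posted copy with a corrupted version byte: {BAD_VERSION}
Legacy-length string that is not v3: abcdefghijklmnop.onion
"""

if __name__ == "__main__":
    ok, bad = extract_onions(SAMPLE_TEXT)
    print("valid:   ", ok)
    print("rejected:", bad)
```

A masked or truncated string like the ones printed in this report fails the length and alphabet check and never reaches the checksum; a single mistyped character fails the checksum, or, for the final character, the version byte, which is why every valid v3 address ends in "d". Two addresses that decode to the same public key belong to the same hidden service, which makes the decoded key itself a usable pivot when the same operator republishes under a new name.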

Public Messaging and Brand Development

While the technical infrastructure provided insight into how Anubis operated, the content published across its platforms offered a different perspective into how the group wanted to be perceived.

Throughout the investigation, the Anubis operation consistently avoided presenting itself solely as a ransomware group. Instead, references across its leak platform, forum accounts, and social media presence repeatedly emphasized themes more commonly associated with information publishing and disclosure.

This approach was particularly visible through the Anubis Media identity, which appeared across multiple underground platforms and served as the public-facing voice of the operation. The account maintained a presence on X, BreachForums, XSS, and other communities, regularly promoting updates, services, and infrastructure associated with the Anubis brand.

The operation's About page reinforced this image by describing Anubis as a media-focused platform dedicated to publishing information. Similar messaging appeared elsewhere throughout the ecosystem, including the XSS profile description associated with Anubis Media, which stated: "We convey information."

The same narrative extended to the FAQ section of the leak platform. In addition to addressing victim inquiries, the page openly invited communication from individuals possessing unpublished corporate information and offered collaboration opportunities involving exclusive data. Separate sections also encouraged engagement from journalists and media representatives interested in discussing leaked information.

These findings suggest that Anubis was deliberately cultivating an identity that extended beyond traditional ransomware activity. Rather than presenting itself exclusively as an extortion operation, the group consistently incorporated media-oriented language into its public communications, recruitment efforts, and platform design.

Whether this branding strategy was intended to attract partners, increase visibility, or distinguish the operation from competing groups remains unclear. However, the consistency of the messaging across multiple platforms indicates that it formed a deliberate part of the Anubis identity rather than an isolated marketing effort.

Conclusion

What began with a single victim listing ultimately revealed a much broader operation. By following the trail left across ransomware monitoring data, underground forums, social media accounts, and onion services, the investigation uncovered an ecosystem that extended well beyond a conventional leak site.

The findings show that Anubis invested considerable effort into establishing its presence across the underground landscape. Recruitment campaigns, access monetization programs, dedicated infrastructure, and the recurring appearance of the Anubis Media persona all point to an operation focused not only on conducting attacks but also on expanding its reach and visibility within cybercriminal communities.

While many ransomware groups become visible only after victims begin appearing on their leak sites, the Anubis case demonstrates the value of examining the activity that occurs behind the scenes. Long before an operation gains wider attention, traces of its development can often be found across the platforms, services, and communities that support its growth. By connecting those traces, it becomes possible to build a more complete understanding of how an operation evolves and positions itself within the broader ransomware ecosystem.

Editorial Note

Cybercriminal operations rarely emerge fully formed. Long before victims appear on leak sites or attacks attract public attention, traces of an operation's growth can often be found across forums, hidden services, recruitment posts, and other pieces of digital infrastructure.

While the findings presented in this report are based on artifacts identified during the investigation, attribution in cybercrime investigations is rarely absolute, and online identities can be shared, abandoned, or deliberately misleading. This case highlights how StealthMole can help investigators navigate that uncertainty by connecting information across multiple sources, enabling a clearer view of how an operation develops and establishes itself within the underground ecosystem.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


From ChatGPT to CheatGPT: What Lies Behind a Dark Web Hacker Chatbot

Over the past few years, artificial intelligence has gone from a niche technology to something most people interact with almost daily. Whether it is asking ChatGPT for help with a task, generating content, or solving a technical problem, AI chatbots have become part of everyday life for millions of users around the world.

As the technology gained popularity, it was only a matter of time before underground communities began adapting the concept for their own purposes. A growing number of dark web services now market themselves as unrestricted alternatives to mainstream AI platforms, promising everything from malware development and phishing assistance to other activities that legitimate AI providers actively prohibit.

One such service is CheatGPT, a dark web platform that presents itself as an AI-powered hacking assistant. At first glance, the website appears to be another attempt to capitalize on the popularity of AI by offering an underground alternative to mainstream chatbot services. However, a closer look reveals a far more interesting story.

What began as a routine investigation into a dark web AI service gradually expanded into a broader examination of the infrastructure, payment systems, and contact mechanisms supporting the platform. Along the way, multiple connections emerged that suggested CheatGPT may not exist in isolation. Instead, it appeared to be part of a much larger ecosystem operating across the dark web.

This report follows the trail beyond CheatGPT itself to explore what lies behind the service and the network of platforms connected to it.

The Discovery of CheatGPT

The investigation that ultimately led to CheatGPT did not begin with artificial intelligence at all.

At the time, we were investigating KidBin, a dark web platform associated with child sexual abuse material (CSAM). As part of that investigation, several cryptocurrency payment mechanisms used by the platform were identified and examined to better understand how the service operated and whether it shared infrastructure with other websites.

One of those payment artifacts became particularly interesting.

When the Bitcoin wallet was pivoted through StealthMole's Dark Web Tracker, the results extended well beyond KidBin itself. The same wallet appeared across multiple dark web services, some of which belonged to entirely different categories of illicit activity. What initially looked like a routine infrastructure check quickly became something much larger.

Among the results was a service called CheatGPT.

Unlike the websites that had led to its discovery, CheatGPT was not a file-sharing platform or a content repository. Instead, it presented itself as an AI-powered assistant designed specifically for cybercriminals. The service openly promoted capabilities related to hacking, malware development, phishing, account compromise, and other activities commonly restricted by mainstream AI providers.

At first glance, CheatGPT appeared to be another entrant in the growing underground market for AI-powered hacking tools. The platform offered subscription plans, accepted cryptocurrency payments, and marketed itself as an unrestricted alternative to legitimate chatbot services.

However, the circumstances surrounding its discovery raised an obvious question.

Why would a dark web AI chatbot share payment infrastructure with completely different services discovered during a separate investigation?

Answering that question became the focus of the investigation. What followed was a series of pivots through wallets, contact identifiers, and infrastructure artifacts that gradually revealed a far more complex picture than the website's front page suggested.

Inside CheatGPT

After identifying CheatGPT during the KidBin investigation, the next step was to understand exactly what the platform was offering and how it presented itself to potential users.

Unlike traditional dark web forums or marketplaces, CheatGPT was designed to resemble a modern AI chatbot platform. The website featured a polished interface, user registration functionality, subscription plans, and a conversational chat environment intended to mimic the experience offered by mainstream AI services.

  • Cheatgpt****************************************6blid.onion

According to its marketing material, CheatGPT was built as an unrestricted alternative to popular AI assistants. The platform openly advertised its ability to assist with activities that legitimate providers actively prohibit, including malware development, phishing campaigns, social engineering, credential theft, vulnerability exploitation, and other offensive cyber operations.

Throughout the website, the operators positioned CheatGPT as a tool for users seeking answers without the content restrictions commonly encountered on mainstream AI platforms. Promotional material emphasized privacy, anonymous cryptocurrency payments, and the absence of logging, all themes commonly used to appeal to dark web audiences.

The platform offered three subscription tiers:

  Plan                    Price   Features
  Starter Access          $20     Standard access
  Monthly Pro Mode        $40     API access, higher usage limits, priority processing
  Elite Lifetime Access   $100    API access, higher usage limits, priority processing, and exclusive functionality

Several sections of the website attempted to demonstrate the platform's capabilities through screenshots and example conversations. These examples focused heavily on cybercrime-related scenarios, including malware generation, phishing, credential theft, and other offensive use cases. The site's FAQ section reinforced this positioning by explicitly discussing topics such as hacking, website attacks, account compromise, and malware development.

The platform also claimed compatibility with open-source AI models and referenced technologies such as GGUF and LLaMA. Additionally, the operators stated that the service was available not only through its onion presence but also through a subscriber-accessible clearnet environment, although no associated clearnet domain was identified during this investigation.

On the surface, CheatGPT appeared to be exactly what it claimed to be: a dark web AI assistant designed for cybercriminals. However, as the investigation moved beyond the platform's marketing material and into the infrastructure supporting it, a different picture began to emerge.

Following the Money

To better understand whether CheatGPT was operating independently or as part of a larger network, the investigation shifted away from the website itself and toward its payment infrastructure.

Several cryptocurrency wallets were identified on the platform, including Bitcoin, Ethereum, and Monero addresses used for subscription payments. Rather than focusing on the service's marketing claims, these payment artifacts were used as pivot points across StealthMole's Dark Web Tracker to determine where else they appeared.

The first significant finding emerged from the Bitcoin wallet:

  • bc1q****************************3tq

This wallet had already attracted attention during the earlier KidBin investigation. When examined in greater detail, it became clear that its presence was not limited to either KidBin or CheatGPT. The same wallet was identified as a payment address across multiple dark web services, including:

  • CheatGPT
  • KidBin
  • LoliPorn
  • Additional LoliPorn-related infrastructure

Importantly, the wallet was not merely mentioned within indexed content. In each case, it appeared directly within payment workflows and was presented to users as a destination for cryptocurrency transactions.

The overlap immediately raised questions. CheatGPT marketed itself as an AI-powered hacking assistant, while the other platforms belonged to an entirely different category of dark web services. At face value, there was little reason to expect them to share payment infrastructure.

Further analysis of additional CheatGPT-associated Bitcoin wallets revealed a similar pattern.

A second wallet was identified on a WormGPT payment page. The same wallet also appeared within LoliPorn-related infrastructure, creating another connection between services that initially appeared unrelated.

  • bc1q****************************xp5h

A third wallet extended the pattern even further. In addition to appearing on LoliPorn infrastructure, the wallet was also linked to a platform known as Torture Rooms.

  • bc1q********************************r647

By this stage of the investigation, a recurring trend had become difficult to ignore. Different services, operating under different names and serving different audiences, repeatedly converged on the same pool of payment infrastructure.

What initially appeared to be a single AI-powered hacking service was beginning to look like one part of a much larger ecosystem.

As additional wallets were examined, the overlaps continued to grow. The investigation soon expanded beyond Bitcoin and into a broader collection of cryptocurrency addresses, introducing new connections that would further complicate the picture.

Different Names, Familiar Infrastructure

By this stage of the investigation, the repeated cryptocurrency overlaps suggested that CheatGPT was unlikely to be operating in complete isolation. To better understand the scope of those connections, all cryptocurrency payment mechanisms identified on the platform were collected and examined.

The investigation identified the following cryptocurrency addresses associated with CheatGPT:

Bitcoin

  • bc1q**********************************r647
  • bc1q**********************************xp5h
  • bc1q**********************************n3tq

Ethereum

  • 0x3***********************************c62

Monero

  • 89Tc8****************************************************uNiu
  • 89AFz****************************************************bUqV

While the Bitcoin overlaps had already revealed connections to several other dark web services, the Ethereum and Monero infrastructure introduced an entirely new set of relationships.

The Ethereum wallet was identified on multiple platforms beyond CheatGPT. Among them were WormGPT, FraudGPT, and a service operating under the name Dark Web Porn Official. In each case, the same Ethereum address appeared as part of the platform's cryptocurrency payment infrastructure.

The overlaps did not stop there.

Further examination revealed that the Monero wallets associated with CheatGPT also appeared elsewhere within the ecosystem. One of the Monero addresses was shared with WormGPT, while another was linked to infrastructure associated with Dark Web Porn Official. These findings mirrored the patterns already observed through Bitcoin and Ethereum analysis, where seemingly separate services repeatedly converged on the same payment mechanisms.

The platforms themselves also shared notable similarities.

FraudGPT and WormGPT displayed nearly identical layouts, navigation structures, subscription models, and payment workflows. Their websites followed the same overall design philosophy, presenting themselves as AI-powered assistants intended for offensive cyber operations. While website templates can be copied or reused, the similarities became more noteworthy when viewed alongside the overlapping cryptocurrency infrastructure.

At this point, the investigation was no longer focused solely on CheatGPT.

Instead, a broader picture was beginning to emerge. Multiple services operating under different names appeared to share elements of their financial infrastructure while simultaneously presenting similar products to similar audiences. Whether these overlaps represented shared operators, shared developers, or a common service provider remained unclear. What was becoming increasingly difficult to dismiss, however, was the consistency with which these supposedly independent platforms continued to intersect.

The strongest connections, however, were not found in cryptocurrency wallets at all. They emerged through a set of recurring contact identifiers that appeared across multiple platforms and mirror domains.

The Contact Trail

While the cryptocurrency overlaps revealed an increasingly interconnected network of services, some of the most compelling findings emerged from a different set of artifacts entirely.

During the investigation, several contact identifiers were recovered from CheatGPT and associated infrastructure:

  • Cheat******1@proton.me
  • wo*****t@cock.**
  • wo*****t@xmpp.**

At first glance, these appeared to be standard support or communication channels. However, further investigation revealed that the same identifiers were being reused across multiple platforms operating under different names.

The ProtonMail address Cheat*****1@proton.me was linked to several CheatGPT onion domains, including:

  • cheatgpt*******************************************qmtqd.onion
  • cheatgpt*******************************************tk7yd.onion
  • cheatgpt*******************************************6blid.onion

This provided a clear link between multiple CheatGPT mirrors and helped establish them as part of the same service rather than unrelated websites using a similar name.

More interesting findings emerged from the identifiers wo*****t@cock.** and wo*****t@xmpp.**.

Rather than being limited to WormGPT infrastructure, these addresses appeared across multiple services examined during the investigation. The address wo*****t@cock.** was linked to:

  • wormgpt**********************************************qqd.onion
  • wormgpt**********************************************uad.onion
  • wormgpt**********************************************7ad.onion
  • fraudcd**********************************************yyd.onion
  • cheatgpt*********************************************lid.onion

Similarly, wo*****t@xmpp.** was identified across multiple WormGPT mirror domains and was also linked to CheatGPT infrastructure.

This pattern stood out because the services involved were marketed as separate products. CheatGPT, WormGPT, and FraudGPT each presented themselves as independent platforms with their own branding and identities. Yet behind the scenes, the same communication channels repeatedly appeared across their infrastructure.

The findings did not conclusively establish common ownership. However, they did demonstrate that the platforms were not as isolated from one another as their branding suggested. The repeated reuse of the same contact identifiers across multiple services provided another layer of overlap alongside the cryptocurrency infrastructure already identified during the investigation.

By this stage, several independent investigative paths had produced similar results. Wallet analysis, payment infrastructure, mirror domains, and communication channels all pointed toward a closely connected ecosystem operating behind multiple dark web services.

One final lead remained. During the investigation, an exposed server-status page revealed a potentially interesting infrastructure artifact. While it initially appeared promising, further analysis would produce a very different outcome.

Looking Beyond the Front-End

As the investigation progressed, attention shifted toward potential infrastructure artifacts that might provide additional insight into the services operating behind CheatGPT.

One such lead emerged from a server-status page associated with the platform:

  • http://cheatgpt********************blid.onion/server-status

The page exposed the IP address:

  • **7.**7.**3.**3

At first glance, the finding appeared noteworthy. Infrastructure-related artifacts can occasionally provide valuable clues regarding hosting arrangements, shared resources, or operational relationships between services. As a result, the IP address was examined further within StealthMole.

However, the follow-up investigation produced a different picture.

Searches revealed that the same IP address appeared across multiple unrelated server-status pages and was referenced within content that showed no obvious connection to CheatGPT, WormGPT, FraudGPT, or any of the other services identified during the investigation. Rather than functioning as a unique infrastructure indicator, the IP appeared to be associated with a broader collection of records that could not be reliably linked to any specific platform.

As a result, the artifact was treated with caution.

While the IP address was documented as part of the investigation, the available evidence was insufficient to establish it as a meaningful attribution indicator. Unlike the cryptocurrency wallets, contact identifiers, and mirror domains identified elsewhere in the investigation, the server-status finding did not provide a reliable basis for linking services or identifying operators.

The distinction is important.

Dark web investigations frequently generate large volumes of technical artifacts, but not every artifact carries the same evidentiary value. In this case, the IP address represented an interesting lead rather than a confirmed finding, and it was ultimately excluded from the broader attribution assessment.

Even without the server-status discovery, however, the investigation had already uncovered a substantial collection of overlapping infrastructure, payment mechanisms, and communication channels connecting multiple dark web services. Taken together, those findings painted a far more revealing picture than any single technical artifact could provide.

Conclusion

What began as a routine investigation into KidBin ultimately led far beyond its original scope.

The discovery of CheatGPT initially appeared to represent little more than another dark web service attempting to capitalize on the growing popularity of artificial intelligence. On the surface, the platform presented itself as a subscription-based chatbot designed to assist cybercriminals with activities ranging from phishing and malware development to other offensive cyber operations.

However, as the investigation progressed, the focus shifted away from the platform's marketing claims and toward the infrastructure supporting it.

Through a series of cryptocurrency pivots, multiple overlaps were identified between CheatGPT and a wider collection of dark web services. These connections extended across Bitcoin, Ethereum, and Monero payment mechanisms, linking CheatGPT to platforms operating under different names and serving different purposes. Further analysis revealed recurring contact identifiers, shared communication channels, and mirror infrastructure that appeared repeatedly throughout the investigation.

The findings did not conclusively establish that a single operator controlled every identified service. Attribution within dark web environments is rarely that straightforward. What the investigation did reveal, however, was a consistent pattern of shared infrastructure that challenged the appearance of independence presented by several of the platforms examined.

CheatGPT, WormGPT, and FraudGPT were found sharing more than a common theme. Cryptocurrency wallets, contact identifiers, communication channels, and supporting infrastructure repeatedly intersected across multiple services, suggesting the existence of a closely connected ecosystem operating behind a collection of seemingly separate brands.

Perhaps the most notable aspect of the investigation was not the discovery of a dark web AI chatbot itself, but what emerged when the surrounding infrastructure was examined. A service that initially appeared to be a standalone platform became the entry point into a much broader network of interconnected services, demonstrating how seemingly unrelated investigations can converge when viewed through the lens of shared operational artifacts.

In the end, the investigation serves as a reminder that the most valuable intelligence findings are often uncovered not on a website's front page, but within the infrastructure quietly supporting it.

Editorial Note

Dark web investigations rarely follow a straight path. What begins as the analysis of a single platform can quickly expand into a much broader examination of interconnected services, shared infrastructure, and overlapping operational footprints. While definitive attribution often remains difficult, the ability to identify and follow these connections is critical to understanding how underground ecosystems function.

This investigation demonstrates how StealthMole's extensive indexing of dark web content, cryptocurrency artifacts, communication channels, and historical infrastructure can help investigators move beyond surface-level observations and uncover relationships that might otherwise remain hidden.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Following the Money: Mapping KidBin's Cryptocurrency Infrastructure Across Darkweb

The dark web continues to host a wide range of illicit platforms that rely on anonymity, cryptocurrency, and closed communities to operate beyond the reach of traditional online services. Among the most persistent are subscription-based content platforms that monetize access through Bitcoin payments, often presenting themselves as exclusive repositories of restricted or prohibited material. While many of these sites appear isolated at first glance, their underlying infrastructure can reveal connections that are not immediately visible to visitors.

One such platform is KidBin, a subscription-based dark web service that advertises access to illicit content through cryptocurrency-funded accounts. Like many similar services, KidBin presents itself as a standalone platform with its own payment and access mechanisms. However, the infrastructure supporting these operations often extends beyond a single domain, creating opportunities to identify relationships that would otherwise remain hidden.

By examining cryptocurrency payment infrastructure associated with KidBin, this investigation uncovered a broader network of interconnected services spanning multiple dark web platforms. The findings demonstrate how following financial artifacts can expose operational overlaps, shared infrastructure, and potential links between platforms that appear unrelated on the surface.


Behind the KidBin Facade

The investigation began during an unrelated dark web inquiry when StealthMole identified an active onion service operating under the name KidBin:

  • kidsbin3**************************************7krtqd.onion

At first glance, the platform presented itself as an "AI-Powered Adult Content Hub", promoting features such as content recommendations, automated tagging, premium streaming, and social interaction. The site's branding suggested a modern subscription-based content platform rather than a traditional dark web forum or marketplace.

However, a review of historical snapshots indexed by StealthMole quickly revealed inconsistencies between the platform's public description and the content visible within archived pages. These observations raised concerns regarding the true nature of the service and prompted a closer examination of both the platform and its supporting infrastructure.

StealthMole's Dark Web Tracker confirmed that KidBin remained operational and exposed several accessible components of its ecosystem. In addition to the main landing page, indexed content revealed a functioning login portal, topic pages, account creation workflows, and user activation pages accessible through additional platform URLs.

Unlike many dark web communities that rely on invitations or administrator approval, KidBin appeared to support automated account generation. Registration pages created user credentials on demand and presented newly generated usernames and passwords to prospective users. Multiple snapshots showed users being instructed to complete a cryptocurrency payment before access would be activated.


Following the Money

The presence of automated account creation and cryptocurrency-based activation raised an important question: how was access to KidBin being monetized?

To answer this, the investigation shifted toward the platform's payment infrastructure. Using StealthMole's Dark Web Tracker, multiple Bitcoin addresses associated with KidBin's registration and activation workflows were identified. In total, sixteen Bitcoin wallets were linked to the platform:

  • bc1qu*********************************n3tq
  • bc1qz*********************************mmgd
  • bc1q4*********************************xyxu
  • bc1qt*********************************jag4
  • bc1q2*********************************ttw8
  • bc1q9*********************************w444
  • bc1qq*********************************2fwk
  • bc1q9*********************************mlns
  • bc1qz*********************************v0ac
  • bc1ql*********************************cvpr
  • bc1qt*********************************h2cm
  • bc1qc*********************************a59l
  • bc1q4*********************************5xc2
  • bc1qt*********************************vhhs
  • bc1qx*********************************slhl
  • bc1q5*********************************56zs

Initial blockchain analysis revealed that not all identified wallets had been used. Several addresses showed no recorded transactions, suggesting they may have been generated for prospective users who never completed the payment process. This observation aligned with the registration workflow observed during the investigation, where unique payment addresses appeared to be assigned during account creation.

Other wallets displayed a different pattern. The following addresses showed transaction activity consistent with user payments. Several of these wallets received relatively small deposits before funds were subsequently transferred elsewhere, suggesting they functioned as temporary receiving addresses rather than long-term storage wallets.

  • bc1q5****************************56zs
  • bc1q**************************************5xc2
  • bc1q***********************************vpr
  • bc1q***********************************yxu
  • bc1q***************************************mgd

The observed transaction patterns provided further evidence that KidBin was operating an active subscription-based payment model. More importantly, the wallets offered a new investigative pivot. Rather than focusing solely on the visible platform, each Bitcoin address could be used as a starting point for identifying additional infrastructure, services, and relationships hidden beyond the original onion domain.
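The distinction drawn above between addresses that were generated but never funded and addresses that briefly received a deposit before it was moved on can be checked programmatically once each address's transaction history has been pulled from a node or block explorer. The following is an added example written for this page, not code from the report or from StealthMole. The ledger is constructed to mimic the two patterns the text describes, with a partly spent "holding" case added for contrast; the addresses are masked placeholders, and the 0.9 sweep ratio is an assumed threshold.

```python
"""Classify payment addresses by on-chain activity pattern.

Added example, not code from the report. The ledger is CONSTRUCTED to
mimic the patterns described in the text: addresses generated at
registration but never funded, and addresses that receive a small
deposit which is then swept elsewhere. A partly spent "holding" case is
included for contrast. Addresses are masked placeholders, not real
wallets.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    address: str
    direction: str   # "in" = received by the address, "out" = spent from it
    amount_sat: int  # value in satoshis
    ts: int          # unix timestamp


# Constructed sample ledger (placeholder addresses).
SAMPLE_TXS = [
    Tx("bc1q5***56zs", "in", 120_000, 1_700_000_000),
    Tx("bc1q5***56zs", "out", 119_000, 1_700_003_600),  # swept within an hour
    Tx("bc1q4***5xc2", "in", 95_000, 1_700_100_000),
    Tx("bc1q4***5xc2", "out", 94_000, 1_700_105_000),
    Tx("bc1ql***cvpr", "in", 110_000, 1_700_200_000),  # received, never moved
    Tx("bc1qz***mmgd", "in", 50_000, 1_700_300_000),
    Tx("bc1qz***mmgd", "out", 10_000, 1_700_310_000),  # only partly spent
]

# Addresses scraped from registration pages, including never-funded ones.
SAMPLE_ADDRESSES = [
    "bc1qu***n3tq", "bc1qz***mmgd", "bc1q4***5xc2",
    "bc1ql***cvpr", "bc1q5***56zs", "bc1qx***slhl",
]


def classify(addresses, txs, sweep_ratio=0.9):
    """Return {address: {"label", "received_sat", "spent_sat", "hold_seconds"}}.

    unused        no transactions at all (generated but never paid)
    pass-through  funds received, then >= sweep_ratio of them spent on
    holding       funds received and mostly still in place
    """
    by_addr = defaultdict(list)
    for tx in txs:
        by_addr[tx.address].append(tx)

    result = {}
    for addr in addresses:
        recs = sorted(by_addr.get(addr, []), key=lambda t: t.ts)
        received = sum(t.amount_sat for t in recs if t.direction == "in")
        spent = sum(t.amount_sat for t in recs if t.direction == "out")
        first_in = next((t.ts for t in recs if t.direction == "in"), None)
        first_out = next((t.ts for t in recs if t.direction == "out"), None)
        hold = None
        if first_in is not None and first_out is not None:
            hold = first_out - first_in  # how long funds sat before moving
        if not recs:
            label = "unused"
        elif received and spent >= sweep_ratio * received:
            label = "pass-through"
        else:
            label = "holding"
        result[addr] = {"label": label, "received_sat": received,
                        "spent_sat": spent, "hold_seconds": hold}
    return result


def summarize(classified):
    """Count addresses per label."""
    return dict(Counter(v["label"] for v in classified.values()))


if __name__ == "__main__":
    labels = classify(SAMPLE_ADDRESSES, SAMPLE_TXS)
    for addr, info in labels.items():
        print(f"{addr:14} {info['label']:13} received={info['received_sat']:>7} "
              f"spent={info['spent_sat']:>7}")
    print(summarize(labels))
```

A short hold time combined with a near-complete sweep is what marks an address as a per-user receiving slot rather than a treasury wallet; the sweep destination, not the receiving address, is the more useful pivot for the next step.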

What began as an examination of KidBin's payment system would soon reveal connections extending well beyond the platform itself.


Beyond KidBin: Following the Wallet Trail

The investigation expanded significantly once the Bitcoin wallets associated with KidBin were used as pivot points within StealthMole's Dark Web Tracker. While the wallets initially appeared to be part of a payment system supporting a single platform, further analysis revealed associations with several additional dark web services.

One of the earliest findings involved the wallet:

  • bc1q**************************nn3tq

StealthMole linked this wallet to multiple domains, including:

  • kidbin.qr.payserver**************************l5yayd.onion
  • loliporn.qr.payserver*********************isll5yayd.onion
  • aaolh6codj*******************************up5ibqd.onion (LoliPorn)
  • cheatgpt*****************************c46blid.onion (CheatGPT AI)

Further review of indexed snapshots revealed that the same Bitcoin address appeared directly on payment pages associated with both KidBin and CheatGPT AI. This finding was particularly significant because it represented direct wallet reuse rather than a simple infrastructure overlap. While the relationship between the two services could not be conclusively attributed to a common operator, the reuse of the same payment address strongly suggested shared financial infrastructure.

Additional pivots uncovered similar patterns. The wallet:

  • bc1qt2zk6************************jag4

was associated with:

  • pureyoun*********************************z52wgqd.onion (PureYoung)
  • pure.qr.payserver*********************************ll5yayd.onion

Like KidBin, PureYoung relied on Bitcoin-based access controls and dedicated payment workflows. The platform's payment process used QR codes and automated transaction-based account activation, mirroring operational characteristics observed elsewhere during the investigation.

The investigation also identified wallet:

  • bc1q2ke8***********************wttw8

on the registration and payment pages of:

  • darkweb************************************5xdad.onion

a service operating under the name "Dark Web Porn Official." StealthMole additionally associated this wallet with both LoliPorn and WormGPT-related infrastructure. Although the exact WormGPT page displaying the wallet could not be independently verified during the investigation, the association was repeatedly observed within StealthMole's indexed data.

Another wallet,

  • bc1q9*************************gemlns

was similarly linked to PureYoung, WormGPT, and infrastructure associated with LoliPorn. The recurrence of these associations across multiple wallets suggested that the observed relationships were not isolated incidents.

A particularly notable finding throughout the investigation was the repeated appearance of the following onion service:

  • payserver*************************5yayd.onion

The domain appeared in connection with multiple services through dedicated payment subdomains, including:

  • kidbin.qr.payserver...
  • pure.qr.payserver...
  • loliporn.qr.payserver...

Its continued presence across unrelated platforms suggests that it may serve as a common payment component within a broader ecosystem of dark web services.

Taken individually, each wallet association could potentially be explained by shared infrastructure or payment processing services. Viewed collectively, however, the findings revealed a recurring pattern of overlapping cryptocurrency infrastructure spanning multiple platforms, including KidBin, PureYoung, LoliPorn, Dark Web Porn Official, CheatGPT AI, and WormGPT. What began as an investigation into a single onion service had evolved into the mapping of a much larger network connected through shared financial artifacts.


The AI Connection

One of the more unexpected findings to emerge from the investigation was the recurring presence of AI-themed services within the same ecosystem of cryptocurrency infrastructure.

The initial point of discovery, KidBin, marketed itself as an "AI-Powered Adult Content Hub", claiming to offer features such as automated content tagging, recommendations, and enhanced user experiences. While the investigation did not seek to verify the platform's AI capabilities, the use of AI-focused branding was notable given the nature of the service and the content observed within archived snapshots.

As the investigation expanded through cryptocurrency wallet analysis, additional AI-related platforms began to surface. Wallet associations identified through StealthMole linked portions of the investigated infrastructure to both CheatGPT AI and WormGPT, services commonly marketed as unrestricted alternatives to mainstream generative AI platforms. Unlike publicly available AI tools that implement safeguards and content restrictions, these services are typically advertised within underground communities as offering fewer limitations and greater anonymity.

Although the exact relationship between these platforms could not be conclusively established, their appearance alongside content-driven services such as KidBin, PureYoung, and LoliPorn highlights an emerging trend within the dark web ecosystem. Operators are increasingly incorporating AI branding, AI-powered features, or dedicated AI services into existing underground business models, either as standalone offerings or as part of a broader service portfolio.

The findings observed during this investigation suggest that AI is no longer confined to traditional cybercrime-focused communities. Instead, AI-themed services are increasingly appearing alongside other forms of illicit infrastructure, creating new intersections between emerging technologies and established underground economies.


Conclusion

What began as the examination of a single dark web platform ultimately revealed a much broader network of interconnected services linked through shared cryptocurrency infrastructure.

The investigation initially focused on KidBin, a platform that publicly presented itself as an AI-powered content service while operating a Bitcoin-based access model supported by automated account generation and payment workflows. Analysis of the platform's cryptocurrency infrastructure uncovered multiple Bitcoin wallets associated with user registration and activation processes, providing an opportunity to move beyond the visible website and examine the infrastructure supporting its operations.

By tracing these wallets through StealthMole's Dark Web Tracker, the investigation identified associations extending beyond KidBin itself. Multiple wallets were linked to additional services including PureYoung, LoliPorn, Dark Web Porn Official, CheatGPT AI, and WormGPT, while recurring references to the PayServer infrastructure suggested the presence of overlapping payment components used across multiple platforms.

Although the available evidence does not conclusively establish common ownership between the identified services, the repeated appearance of shared wallets, payment mechanisms, and supporting infrastructure demonstrates that cryptocurrency artifacts can expose relationships that are not immediately visible through content analysis alone. These findings illustrate how financial infrastructure can serve as a critical investigative pivot for uncovering connections between otherwise separate dark web operations.

Ultimately, the investigation demonstrates how a single cryptocurrency trail can expand the scope of an inquiry far beyond its original target, revealing a wider ecosystem of services connected through shared financial infrastructure and operational overlap.


Editorial Note

Dark web investigations rarely follow a predictable path. What begins as the analysis of a single platform can quickly expand into a much larger network of infrastructure, services, and relationships that are not immediately visible on the surface.

This investigation highlights the importance of following financial artifacts as investigative pivots and demonstrates how StealthMole can help uncover hidden relationships across complex dark web ecosystems, enabling analysts to move beyond isolated findings and develop a broader understanding of the infrastructure supporting illicit activity.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
