Enter the Devil’s Gateway: Inside the Secret Hidded Group’s Scam Syndicate
This investigation began unintentionally: while manually browsing dark web listings, I came across an unusually cryptic and minimalist onion site. Its design, though devoid of any clear function, carried heavy symbolic undertones. The page's simplicity and obscure tone raised enough suspicion to warrant a closer look.
That initial curiosity quickly escalated into a targeted profiling effort. As I pivoted through shared email addresses, reused Bitcoin wallets, and visual patterns, a broader picture began to form: a loosely connected fraud network built around psychological manipulation, symbolic themes, and fraudulent service offerings.
What initially appeared to be a one-off symbolic page turned out to be a front for a larger scam operation tied to the self-identified Secret Hidded Group. This network relied on a recurring combination of occult branding, static onion sites, and fabricated spiritual and hacking services.
With the help of StealthMole’s tracking capabilities, specifically its dark web tracker, infrastructure pivots, and wallet correlation, the investigation revealed a multi-domain scheme designed to lure users into making cryptocurrency payments for services that never materialize.
Incident Trigger & Initial Investigation
The investigation was triggered by the manual discovery of a cryptic .onion domain: http://devil***********************************************d.onion/. The landing page featured symbolic red-and-black visuals with tarot and satanic imagery, including phrases like “DO YOU WANT TO JOIN US?” and “I HAVE COME TO DO THE DEVIL’S WORK.” It asked users to send their nickname and country to p*****i@****e.org and pay a $25 fee in return for "s***** *****s," a supposed spiritual charm promising to resolve love, money, or personal problems.
This static but eerie page appeared to be more than just satire. The absence of any backend interaction and the fixed email contact suggested a deeper scheme. Intrigued, I ran the onion URL through StealthMole’s dark web tracking module. This immediately revealed a cluster of associated elements.
The tool returned four distinct email addresses: p*****i@****e.org, p*****d@m*****or.com, p*****i@***x.su, and r*****n@o*******l.org, each linked to similarly styled static onion sites with identical structure: gothic imagery, spell coin offers, and contact prompts via email. This pattern suggested a templated infrastructure reused across domains.
Alongside these, StealthMole identified multiple BTC wallet addresses embedded in these sites. While most contained low-value or infrequent transactions, their recurrence across sites suggested an operation driven by low-risk, small-amount fraud at scale.
Each onion site followed a common playbook: no interactivity, minimal content, and symbolic or esoteric visual themes acting as psychological hooks. The emails functioned as the core interaction node, making email correlation an effective pivot point.
At this stage, the campaign was still masquerading as a spiritual service operation. However, the frequency of contact points and wallet reuse signaled something more organized. The visual similarities, repeated slogans, and cryptocurrency solicitation strongly hinted that this wasn’t a lone scam, but part of a distributed playbook orchestrated by a group branding themselves the Secret Hidded Group.
Infrastructure Mapping & Domain Pivoting
Following the identification of the initial four email addresses, the next step was to trace the extent of their activity across the dark web. Using StealthMole’s infrastructure correlation tools, I ran p******i@m****e.org through the platform’s Darkweb Tracker. This revealed a secondary onion domain http://evil**********************************d.onion/, which, although structurally similar to the first, used slightly varied visual assets while maintaining the same theme of occult symbolism and spiritual manipulation.
The contact email listed on this second domain had changed to p*****d@m*******r.com, which signaled that the operators were rotating aliases across mirrored infrastructure to distribute operational risk or obfuscate tracking.
Running this new email through StealthMole revealed a third onion domain: http://iq***********************************d.onion/. Unlike earlier versions, this site included structured “pacts” labeled by purpose, such as “P*** w*** *****l,” “P**** w*** ******n,” and “P*** w**** *******r,” adding further layers of psychological manipulation to the offer.
A new contact address p*****i@****x.su emerged on this site. It reinforced the theme of rotating but thematically consistent aliases used across domains. This continued reuse of address formats across different secure mail providers suggested an intentionally orchestrated operational scheme.
In addition to emails, StealthMole also surfaced two BTC wallet addresses reused across multiple domains. Although individual transactions remained small in value, their consistency across unrelated URLs indicated infrastructure reuse and low-risk fraud at volume.
Further investigation of p******d@********or.com unveiled a broader cluster of dark web domains tied to the same infrastructure. These sites varied slightly in presentation but were uniform in functionality, style, and intent. The following 12 domains were found directly associated through StealthMole’s dark web tracking module:
Each of these continued the same visual aesthetic and offer structure: static landing pages built using lightweight HTML, lacking interactivity, often embedded with psychological hooks in the form of white-on-white text, satanic symbolism, and false service promises.
One of the most revealing pivots came through r*******n@**********l.org, which until this point hadn’t shown strong links to the core infrastructure. Later, however, it was found listed directly on an onion site associated with the same visual elements and psychological pitch. This bridged r******n@o*******l.org back into the same ecosystem, confirming it as a fourth contact alias.
This web of domains, connected through common language, visual cues, and repeated infrastructure, firmly established the scale and operational pattern of what had initially appeared to be a standalone spiritual scam. By this stage, the Secret Hidded Group appeared to be a central narrative device for a rotating group of static onion domains operating under a unified, manipulative fraud scheme.
Financial Footprint & Cryptocurrency Linkages
With multiple onion domains already pointing toward fraudulent services, the next layer of investigation focused on the cryptocurrency trail. StealthMole helped surface and correlate Bitcoin wallet addresses that were repeatedly embedded across the identified domains.
From the initial batch of domains, two Bitcoin addresses were prominently listed:
- bc1**************************************q
- bc1**************************************s
Though relatively low in total balance and transaction volume, these wallets were crucial infrastructure anchors. By leveraging StealthMole, additional dark web domains were uncovered, each connected through these wallets.
From bc1**************q, three distinct sites emerged through StealthMole’s darkweb tracker module:
- “The Box”, hosted at http://tbox*********************************ynd.onion/, mimicked a locked service portal with minimal but suggestive messaging.
- A second site titled “Visa Card”, found at http://card************************d.onion/, offered fraudulent financial services and explicitly referenced Telegram user @br********n as the point of contact.
- The third, labeled simply “Wish”, was hosted at http://to*********************d.onion/ and portrayed itself as a wish fulfillment service with vague occult overtones.
These sites retained symbolic language but shifted in thematic focus, moving from spell-based spiritual manipulation to outright financial fraud promises. Despite the change in narrative, the continued use of the same BTC address across domains reinforced the infrastructure reuse hypothesis.
The second wallet, bc1****************s, led to a site offering “WhatsApp hacking services” hosted at:
- http://enr***************************************d.onion/
Here, traditional spiritual manipulation was replaced by tech-based fraud services. The shift in offerings did not indicate a different actor but rather confirmed that the same infrastructure was being used to cast a wider fraud net.
R** *****’s wallet trace added yet another layer. From one transaction tied to r******n@********l.org, StealthMole surfaced a dream-themed onion portal featuring a hidden interface.
- http://4t**************************************id.onion/
The transaction in question involved the following Bitcoin address, linking R** *******’s operation back to the broader scam infrastructure.
- bc1******************************s
This site mirrored the R** ******n aesthetic and deployed visual cloaking tactics such as white-on-white embedded text to obscure its content. Despite its minimalist appearance, the site listed hacked account offers and payment instructions, all funneled through the same wallet, reaffirming shared infrastructure between them.
In one of the final investigative pivots, tracing the email y**********@***x.su uncovered two additional dark web properties that further expanded the thematic range of the operation. The first was a ritualistic site titled the “** Society”, accessible at http://***society*******************************d.onion/. This portal maintained the same symbolic and spiritual façade seen across earlier sites, promoting access to esoteric knowledge and secret power through occult branding.
The second was far more abstract: a surreal, narrative-driven site themed around a cryptic challenge called the “O* Game”, hosted at http://o*********************************************.onion/. This site used gamified language and layered symbolism to lure visitors into what appeared to be a psychological initiation process, all without ever offering a concrete service or product.
These thematic shifts, from satanic spellcasting to financial schemes and alternate-reality cult roleplay, demonstrated a calculated effort to diversify victim targeting. Despite their surface differences, all sites were unified through reused contact emails, infrastructure overlap, and common wallet endpoints. This underscored the campaign's sophistication: flexible front-end storytelling backed by a stable backend of payment and outreach mechanisms.
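The email and wallet pivots traced in the last two sections amount to connected-component clustering over shared indicators. The sketch below is an added example, not StealthMole's implementation or code from the original investigation; it assumes page text has already been collected, and every hostname, alias and wallet string in it is a constructed placeholder.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Bech32 (bc1...) address shape only; the checksum is not verified.
BTC_RE = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b")

# Constructed sample crawl: hostnames, aliases and wallet strings are
# placeholders made up for this example, not indicators from the report.
W1 = "bc1q" + "samplewallet" + "a" * 26
W2 = "bc1q" + "samplewallet" + "z" * 26
PAGES = {
    "site-a.example": "Send nickname and country to alias1@mail.example. Fee: $25",
    "site-b.example": "Pacts. Write to alias2@mail.example or pay " + W1,
    "site-c.example": "Visa Card. Pay to " + W1,
    "site-d.example": "Contact alias1@mail.example or alias2@mail.example",
    "site-e.example": "Account recovery, pay " + W2,
    "site-f.example": "Unrelated forum, admin@other.example",
}

def extract_indicators(text):
    """Return the normalised e-mail and wallet indicators found in page text."""
    found = {("email", m.lower()) for m in EMAIL_RE.findall(text)}
    found |= {("btc", m) for m in BTC_RE.findall(text)}
    return found

def cluster_sites(pages):
    """Group sites connected through any chain of shared indicators."""
    parent = {site: site for site in pages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    seen_on = defaultdict(list)  # indicator -> sites that publish it
    for site, text in pages.items():
        for ind in extract_indicators(text):
            seen_on[ind].append(site)
    for sites in seen_on.values():
        for other in sites[1:]:
            parent[find(other)] = find(sites[0])

    clusters = defaultdict(set)
    for site in pages:
        clusters[find(site)].add(site)
    shared = {ind: sorted(s) for ind, s in seen_on.items() if len(s) > 1}
    return sorted(sorted(c) for c in clusters.values()), shared
```

In the sample, site-a and site-c share no indicator directly but land in one cluster through the alias and wallet chain, which is the same transitive pivot the investigation followed. Each entry in `shared` is evidence of reuse to be reviewed, not proof of a single operator.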
Conclusion
What began as a routine dark web monitoring task rapidly evolved into the uncovering of a sprawling and psychologically engineered fraud network. At the center of it stood the so-called Secret Hidded Group, a faceless entity leveraging symbolic occult imagery, minimalist static sites, and carefully worded calls to action to lure users into cryptocurrency-based scams.
Through StealthMole’s investigative tools, a recurring pattern of deception emerged. A single static website led to the discovery of over a dozen others, linked through reused email addresses, wallet traces, and thematic similarities. From fake love spells to fraudulent financial services, each site operated under the same backend logic: extract cryptocurrency under the guise of esoteric solutions.
The consistent reuse of email aliases and Bitcoin wallets across vastly different thematic portals demonstrated that this wasn’t opportunistic copy-pasting, but a deliberate and cohesive campaign. The perpetrators maintained anonymity, avoided backend infrastructure, and frequently used visual cloaking tactics, suggesting operational awareness and experience in dark web fraud operations.
While the financial damage per victim may be relatively minor, the cumulative scope and resilience of this ecosystem highlight the effectiveness of low-cost, high-deception cybercrime models. Left unchecked, such fraud networks can continue to exploit vulnerable individuals at scale, often flying under the radar of traditional cyber enforcement.
This case reinforces the value of proactive dark web monitoring and multi-angle pivoting using tools like StealthMole, not only to expose scams, but to trace the underlying architecture of threat actors who hide behind symbolism, secrecy, and psychological manipulation.
Editorial Note
This investigation into the Secret Hidded Group highlights how modern fraud campaigns increasingly rely on symbolism, emotional manipulation, and low-tech infrastructure to evade detection. While clear patterns were identified across domains, wallets, and aliases, it’s important to note that cyber attribution is inherently probabilistic, especially within anonymous dark web ecosystems.
The findings presented here were enabled through StealthMole, including the Dark Web Tracker, which allowed for deep pivots across fragmented threat surfaces. Cases like this underscore the importance of cross-domain visibility in transforming scattered signals into actionable intelligence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com