Dark Web Dumps Gemini and Binance User Data: What’s Real, What’s Hype, and What You Should Watch

Over 230,000 user records tied to Gemini and Binance are now for sale on dark web forums, raising serious questions about the scope and source of the leaks. While Binance denies a breach and blames phishing, the scale of exposed personal data suggests something deeper is at play.

When personal data linked to two of the world’s biggest crypto exchanges turns up for sale on the dark web, the first question isn’t how, it’s how bad.

According to Dark Web Informer—a cyber threat intel service that monitors breaches, darknet markets, and hacker chatter—threat actors have listed massive datasets allegedly tied to Gemini and Binance users. The Gemini leak was first flagged on March 27, when a hacker operating under the alias “AKM69” posted a sale listing containing over 100,000 user records. These include full names, emails, phone numbers, and location data, mostly from U.S.-based users.

A day earlier, on March 26, another actor known as “kiki88888” listed 132,744 records tied to Binance.com, again offering names, emails, phone numbers, and more. That listing, like many on these underground platforms, is vague on source but explicit about volume.

Gemini hasn’t confirmed a breach, and Binance has publicly denied any intrusion. Binance claims the data came from phishing attacks, not a breach of their infrastructure. According to their statement, the information was stolen using malware installed on individual users’ devices—malware capable of hijacking browser sessions and siphoning off credentials.

Dark Web Informer backs that version of events, suggesting that users clicked on malicious links or downloaded infected files, ultimately compromising themselves. But here’s the thing: that doesn’t make this any less serious.

Phishing is the crypto industry’s worst-kept secret, and it’s only getting more sophisticated. This month alone, the Australian Federal Police warned 130 victims about an SMS-based phishing campaign that impersonated Binance and other exchanges using spoofed sender IDs. On X (formerly Twitter), users also flagged scams pretending to be from Coinbase and Gemini, urging recipients to “recover” wallets using private phrases that actually handed over control to the attackers.

This isn’t a one-off. In September 2024, someone calling themselves “FireBear” claimed to have leaked 12.8 million Binance user records, including names, addresses, and contact info. Binance shut that down quickly, saying there was no breach. But once again, users were left in the dark, relying on official statements while their data floated in criminal marketplaces.

And the dark web’s crypto focus isn’t limited to stealing lists. SOCRadar reported a new service being sold this month, promising to exploit stolen wallet info across 100+ blockchain networks—from Bitcoin and Ethereum to Solana and Polygon. Microsoft also joined the fray with a warning about StilachiRAT, a new malware designed to steal browser credentials, clipboard data, and system info—perfect tools for targeting crypto holders.

So, is this latest leak real? Probably. Is it a direct breach? That’s unclear. But one thing is certain: personal data tied to Gemini and Binance users is being actively sold and marketed, and the risk isn’t going away.

If you’ve ever used either platform, now’s the time to:

➪ Rotate your credentials
➪ Set up phishing-resistant 2FA
➪ Watch your inbox like a hawk

Because in crypto, when your data is out there, so is your money.
