Darkhub Hacking-for-Hire Portal Advertises Crypto Fraud, Message Interception, and Monitoring

A dark web platform calling itself Darkhub has surfaced on the Tor network, openly advertising hacking-for-hire services to anyone willing to pay.

The platform presents itself as a one-stop shop for illegal cyber activity, with offerings ranging from breaking into social media accounts to intercepting private messages and manipulating financial records.

What makes Darkhub notable is how openly it markets these capabilities, packaging a broad menu of illegal services in a polished interface as if it were a legitimate business.

The platform targets everyday people and organizations alike. Darkhub’s listed services include unauthorized access to Instagram, Telegram, and WhatsApp accounts, along with email compromise, mobile phone monitoring, and real-time location tracking of individuals.

It also claims to offer cryptocurrency-related fraud services, unauthorized bank account access, and the ability to alter credit scores, covering a surprisingly wide range of criminal intent in a single storefront.

Researchers at Oasis Security identified and analyzed the platform, revealing details about its infrastructure and the true nature of its advertised offerings.

Their investigation found that Darkhub is not just hiding behind the anonymity of the Tor network. A publicly accessible IP address was linked to the service, suggesting that parts of its backend are exposed beyond the encrypted Tor environment, a notable detail for any service that depends on staying hidden.

One aspect of Darkhub’s catalog drew particular attention from analysts. Categories like fund recovery and credit score manipulation are well-known hallmarks of advance-fee scam operations.

Darkhub’s Service Scope and Crypto Fraud Angle

These schemes prey on prior fraud victims, promising to recover lost money in exchange for an upfront payment that is never returned. Their presence in the service listing suggests Darkhub may be targeting two groups at once: outside victims and its own paying clients.

This kind of layered deception is not uncommon in the dark web services space. Many platforms advertising offensive hacking capabilities are, in practice, scam operations that collect payment without ever delivering anything real. While Darkhub’s true technical capability cannot be confirmed through external observation, the warning signs throughout its service catalog are very hard to overlook.

The range of services advertised by Darkhub covers nearly every recognizable form of digital intrusion. Beyond social media hacking and phone surveillance, the platform explicitly lists cryptocurrency-related services, which in this context almost certainly involves facilitating theft or large-scale fraud involving digital assets.

Crypto fraud is one of the fastest-growing areas of cybercrime, and platforms like Darkhub lower the barrier to entry for people with no technical background. By offering these capabilities as a paid service, the platform makes it possible for anyone to commission a digital crime. Its contact channels include a Telegram handle and a ProtonMail address, keeping interactions deliberately anonymous.

The inclusion of “recover stolen funds” alongside cryptocurrency services is especially revealing. People who have already lost money to crypto scams are among the most vulnerable targets for follow-up fraud, making them ideal marks for a platform openly promising recovery services it may never actually deliver.

Infrastructure Exposure and Bulletproof Hosting Links

A key finding from the Oasis Security investigation was the identification of a publicly routable IP address tied to Darkhub.

Using the dark web intelligence platform Arthur, researchers traced the site’s infrastructure to a U.S.-based hosting provider operating under ASN AS44259. This provider has previously been flagged in third-party reports for exhibiting bulletproof hosting characteristics.

Bulletproof hosting providers are known for ignoring abuse complaints, making them a favored infrastructure choice for cybercriminal operations.

The provider has also been the subject of an ICANN compliance notice related to phishing-related domain abuse, and its marketing materials reportedly emphasize permissive content policies, which is precisely the kind of environment dark web operators seek out.

The IP address associated with Darkhub has not always been stable. Historical data shows it changed multiple times before settling at its current value as of January 12, 2026.

Whether those changes reflect provider migrations or operational adjustments remains unclear. Organizations monitoring dark web threats should treat any traffic linked to this infrastructure with serious caution.

Type	Indicator	Description
Onion URL	7comssbegmmbxdi7nu7obids2urmkqnmxao5ojbesga3hxmns2yjnxqd.onion	Darkhub hacking-for-hire Tor hidden service address
IP Address	38.127.***.***	Public IP address associated with Darkhub backend infrastructure
ASN	AS44259	Autonomous System Number for ULTAHOST, the identified hosting provider
Email	[email protected]	Operator contact email advertised on the Darkhub platform
Telegram Handle	@DarkHubs0	Operator Telegram contact advertised on the Darkhub platform

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.