Crypto privacy was designed against a specific adversary: someone watching the chain. Bitcoin’s pseudonymity, ring signatures, stealth addresses, mixers, privacy coins — all of it assumes the attacker is reading the public ledger and trying to bind addresses to people from on-chain behaviour alone.
That threat model held for a long time. It does not hold now.
In January 2026, security researcher Jeremiah Fowler disclosed a 149,404,754-record infostealer database left exposed online. The database was not a paste of raw logs. It was indexed, structured, and queryable by infected machine. Among the records: 48 million Gmail credentials, 17 million Facebook logins, 6.5 million Instagram, and 420,000 Binance accounts, all grouped per device.
The structure matters more than the count. For most crypto holders, anonymity does not break on-chain. It breaks at the endpoint, where the same machine that holds a hardware-wallet manager also holds a Gmail session, an exchange tab, a tax-software API key, and a KYC selfie sitting in Downloads/. Once that machine is compromised, the bridge from pseudonymity to real identity is built without touching the blockchain at all.
This is what the Fowler database industrialised, and what every crypto holder running anything beyond an air-gapped device should now treat as the dominant threat model.
What the Fowler 2026 database actually changed
Older infostealer leaks were chaotic. Operators dumped raw logs into Telegram channels and dark-web forums in inconsistent formats. Linking a stolen Binance password to a stolen Gmail password from the same victim was probabilistic at best.
The January 2026 database removed that ambiguity. Fowler documented a field called host_reversed_path, present in virtually every record, formatted as com.example.user.machine. He noted directly: “This structure is used to create an easily indexable way to organize the stolen data by victim and source. Reversing the hostname can also help avoid directory conflicts.” The system used a line hash as the document ID to ensure one unique record per unique log line.
What that field does, in practice: every credential harvested from a single infected device is bucketed under the same key. Run a single query against that key and the result is every login from that machine, time-stamped and grouped. Banking, exchange, social, email, wallet extensions. The Binance password, the Gmail password, and the Facebook profile are no longer probabilistically linked. They are deterministically linked, because they were exfiltrated from the same physical machine in the same session.
For crypto users, this is the difference between “you may share an alias with someone whose identity I can guess” and “you are the same person whose Instagram tagged you in Geneva last summer.” The leak did not break any cryptography. It eliminated the last layer of plausible deniability that bad endpoint hygiene had been hiding behind.
Six exfiltration paths from a single infected machine
Modern infostealers do not just grab passwords. They harvest the full context of a logged-in user. For crypto holders, six categories of exfiltrated data each independently break the air-gap between digital alias and real-world identity.
Exchange email confirmations. Every centralised exchange sends deposit, withdrawal, and trade confirmations to the registered email. An attacker with access to that inbox sees timestamps, amounts, and destination addresses for every historical transaction. Even withdrawing privacy-coin balances to a fresh wallet does not help. The exchange receipt sitting in Gmail permanently ties the original deposit to the registered identity.
Browser-stored credentials and session cookies. Stealers extract the full credential database from Chrome, Edge, Firefox, and Brave, plus active session cookies. The cookies are often more dangerous than the passwords: they bypass two-factor authentication entirely. An attacker performing a pass-the-cookie attack walks straight into the exchange dashboard, the wallet management interface, or the email account, with no MFA prompt.
API keys in plaintext files. Tax-tracking software (Koinly, CoinTracker, CoinTracking), trading bots, and portfolio dashboards typically connect to exchanges via API keys, often stored in .env, .txt, or .csv files. Stealers actively grep the disk for these keywords. Read-only keys are sufficient: a read-only key returns the complete trading history, every linked bank account, and every wallet address ever used for deposits or withdrawals, which is a complete map of the holder’s on-chain network.
Local KYC artefacts. Centralised exchanges require government ID and selfie verification. Most users save those images locally before uploading. Stealers run file-grabber modules that scan Downloads/, Desktop/, and Documents/ for image files containing keywords like passport, license, ID, KYC, or scan. A stolen passport scan and matching selfie is the cleanest possible identity proof an attacker can hold; it survives even hardened 2FA on the exchange itself.
Clipboard monitoring (clipper modules). Crypto addresses are too long and complex to type. Users copy and paste them. Many infostealers ship with clipper modules that log every copy event with a timestamp and the host machine ID. The result is a deterministic record of every wallet address the user has ever staged for a transaction, complete with timing data, which can be aligned against on-chain broadcast timestamps to confirm authorship.
Wallet extension data and seed phrases. Stealers explicitly target browser-extension wallet directories: MetaMask, Phantom, Coinbase Wallet, Keplr, and others, extracting encrypted vaults, sometimes alongside cached seed phrases or unlocked-session keys. The 2026 Omnistealer family, documented by Malwarebytes, targets more than sixty browser-based crypto wallets directly.
Any one of these six paths is sufficient to dox a holder. The Fowler database showed all six routinely co-existing in the same record set, indexed by the same machine ID.
If your crypto activity is publicly attributable (protocol involvement, fund operations, public wallets), knowing what a credential dump already discloses about you is a starting point, not an endpoint. Our Crypto & Financial Exposure Scan (€1,200) maps that surface specifically.
Email reuse as the universal join key
The single most consequential OPSEC failure in crypto is email reuse.
The 2026 database carried 48 million Gmail credentials. Gmail is the default for the majority of crypto users in non-Asian markets, and many of those Gmail addresses also signed up for Facebook, Instagram, banking, government services, and the original exchange account. Once that email appears in any breach corpus, every service connected to it becomes a join point.
The mechanic is simple. The host_reversed_path field groups data per device. A repeated email address groups data per identity, across devices, across breaches, across years. An attacker running a join query against the email surfaces every credential ever exfiltrated from any machine that ever logged into that address. Different employer, different country, different decade: the email tying them together makes them one record set.
For crypto, the consequence is retroactive traceability. A 2024 Bitcoin UTXO, a 2025 Ethereum DEX trade, a Monero spend in 2026: none of these were necessarily linked to a real person at the moment of broadcast. Once the registered exchange email leaks, all of them inherit the identity attached to that email. KYC documents the exchange holds become attributable. Notification timestamps line up against on-chain confirmations. The privacy coin still has cryptographic privacy on the chain, but the wallet that funded it no longer does.
The distinction between a brand-new email and an email “used more” is not stylistic. A dedicated address used only for crypto, on a non-Google provider, accessed only from a dedicated device, has zero prior footprint in any breach corpus or social graph. An address that was ever used for a forum signup, a newsletter, or a previous job is the digital equivalent of using the same password everywhere, except the consequences are far more permanent, because email addresses are designed to be lifelong identifiers.
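To see why the article treats host_reversed_path (the per-machine bucket described earlier) and a reused email (the per-identity join) as the two keys that matter, here is an added Python example, not from the article or from Fowler's research, that runs both groupings over a constructed record set the way a responder sizing a breach notification would. The field name and its com.example.user.machine layout come from the article; every host, login and URL below is constructed.

```python
"""Exposure triage over a constructed infostealer record set.

Added example, not from the article or from Fowler's research. The field
name host_reversed_path and its com.example.user.machine layout come from
the article; the record layout, hosts, emails and URLs are constructed.
"""
from collections import defaultdict

# Constructed sample rows, one per harvested credential, in the shape a
# structured backend would index them. alice reuses one Gmail address on
# two machines; bob keeps a dedicated crypto email but on a shared machine.
SAMPLE_RECORDS = [
    {"host_reversed_path": "com.example.alice.laptop",
     "url": "https://accounts.google.com", "login": "alice@example.com"},
    {"host_reversed_path": "com.example.alice.laptop",
     "url": "https://www.binance.com", "login": "alice@example.com"},
    {"host_reversed_path": "com.example.alice.laptop",
     "url": "https://www.facebook.com", "login": "alice@example.com"},
    {"host_reversed_path": "com.example.alice.desktop",
     "url": "https://app.koinly.io", "login": "alice@example.com"},
    {"host_reversed_path": "com.example.bob.pc",
     "url": "https://www.binance.com", "login": "crypto-only@example.org"},
    {"host_reversed_path": "com.example.bob.pc",
     "url": "https://accounts.google.com", "login": "bob.personal@example.com"},
]


def group_by_machine(records):
    """Per-device view: every service whose credential left one infected host."""
    by_host = defaultdict(set)
    for r in records:
        by_host[r["host_reversed_path"]].add(r["url"])
    return {host: sorted(urls) for host, urls in by_host.items()}


def join_by_email(records):
    """Per-identity view: a login reused across devices merges their records."""
    by_email = defaultdict(lambda: {"hosts": set(), "services": set()})
    for r in records:
        by_email[r["login"]]["hosts"].add(r["host_reversed_path"])
        by_email[r["login"]]["services"].add(r["url"])
    return {email: {"hosts": sorted(v["hosts"]), "services": sorted(v["services"])}
            for email, v in by_email.items()}


def blast_radius(records, email):
    """How many machines and services one email ties together (0/0 if unseen)."""
    view = join_by_email(records).get(email)
    if view is None:
        return {"hosts": 0, "services": 0}
    return {"hosts": len(view["hosts"]), "services": len(view["services"])}


def co_resident_logins(records, host):
    """Other logins harvested from the same host: the per-machine link that a
    dedicated email alone does not break (bob's case)."""
    return sorted({r["login"] for r in records if r["host_reversed_path"] == host})
```

bob's dedicated address has a blast radius of one service, yet co_resident_logins still ties it to his personal Gmail through the shared machine, which is why the dedicated email has to be paired with a dedicated device.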
The 2026 stealer landscape after the takedowns
Two large law-enforcement actions reshaped the infostealer market in 2024 and 2025, but neither ended it.
In October 2024, Operation Magnus (Dutch National Police, the FBI, Eurojust, and partners) seized the servers, source code, panels, and Telegram bots behind RedLine Stealer and its clone MetaStealer. Charges were unsealed in the United States against Maxim Rudometov, identified as a developer and administrator. The malware no longer functions to exfiltrate fresh data. RedLine, however, generated years of stolen credentials before takedown, and that historical corpus continues to circulate in dumps like Fowler’s. RedLine is dead as an active threat. Its outputs are not.
In May 2025, Microsoft’s Digital Crimes Unit and the Department of Justice disrupted Lumma Stealer, seizing approximately 2,300 domains and the central command infrastructure. Microsoft had identified over 394,000 infected Windows machines globally in the two months prior. The takedown was real. It was also short-lived. By July 2025, Trend Micro published “Back to Business: Lumma Stealer Returns with Stealthier Methods.” Operators rebuilt with GitHub abuse and fake CAPTCHA delivery. Lumma in 2026 is a resurged operation, not an unbroken one.
Beyond the takedown survivors, three notable 2026-active families:
- Omnistealer (Malwarebytes, March–April 2026). Stores its staging code inside transactions on public blockchains: TRON, Aptos, Binance Smart Chain. Because blockchains are append-only, the malicious snippets cannot be removed once mined. Targets more than ten password managers (including LastPass), major browsers, and over sixty browser-based crypto wallets including MetaMask and Coinbase Wallet. Distributed via fake job offers on LinkedIn and Upwork pointing to GitHub repositories.
- Storm (BleepingComputer / Varonis, early 2026). Server-side decryption: encrypted browser files exfiltrated to attacker infrastructure, decrypted off-host, shrinking the local footprint. Targets browser credentials, session cookies, crypto wallets, plus session data from Telegram, Signal, and Discord. Sold on tiered subscription: $300 for a 7-day demo, $900/month standard, $1,800/month for a 100-operator team licence.
- Void Stealer (SOCRadar coverage, 2026). Quietly targeting organisations through the same mechanics: credential theft, session cookie hijacking, wallet harvesting.
The pattern across all three: subscription pricing, professional aggregation backends, structured indexed output. The Fowler database is what that backend looks like when one of them, or a centralised buyer pulling from several, leaks.
What this looks like in the real world
The threat is no longer hypothetical. Four 2026 incidents make the chain from endpoint compromise to consequence concrete.
Abu Dhabi Finance Week (December 2025, disclosed February 2026). Scans of more than 700 passports and government IDs from delegates at ADFW were left on an unprotected cloud storage server linked to the conference. Among those exposed: former British prime minister Lord David Cameron, hedge fund manager Alan Howard, Anthony Scaramucci, EU ambassador Lucie Berger, and Richard Teng, co-CEO of Binance. The leak originated in a third-party vendor environment, not on any attendee’s device. But the implication for executives whose crypto affiliations are public knowledge is identical to the implication of any endpoint compromise: real-world identity documents are now attached to known crypto exposure, and the resulting dataset is exactly what targeted phishing and physical-coercion operations need as input.
Drift Protocol (April 1, 2026). $285 million drained from the Solana-based DEX in twelve minutes. The root cause was not a smart-contract bug. According to Chainalysis and TRM Labs, attackers (attributed to North Korea-linked actors) spent roughly six months posing as a quantitative trading firm. They attended industry conferences in person, contributed to working sessions, and deposited over $1 million of their own capital to build credibility with Drift’s contributors. On March 23 they created durable nonce accounts on Solana, exploiting a feature that allows transactions to be signed for later execution. At least two Security Council members signed transactions they did not fully understand. The signers were not careless; they were targeted with months of relationship engineering against personal identities the attackers had researched in advance. The endpoint-to-identity bridge for protocol signers is the input to that kind of operation.
Coinbase (May 2025 and December 2025). Two distinct insider incidents. In May 2025, Coinbase confirmed that criminals had bribed support contractors to copy customer data (names, addresses, phone numbers, masked identifiers, transaction history) affecting close to 70,000 customers. Coinbase refused a $20 million ransom and posted a $20 million reward instead. In December 2025, a separate contractor improperly accessed support-tool data on approximately thirty customers, with the incident disclosed in February 2026. The recurring lesson: even a holder whose own endpoint is hardened still has data sitting on the endpoints of exchange employees, and those endpoints are themselves the target.
Wrench attacks (Chainalysis 2026 Crypto Crime Report). Physical coercion attacks against crypto holders rose 75% in 2025, with 72 confirmed incidents involving violence to compel wallet transfers. Physical assaults including home invasions, kidnappings, and homicides rose 250%. Europe accounts for over 40% of recorded incidents, up from 22% in 2024, with France leading at 19. Chainalysis observes that attackers time these operations to coincide with cryptocurrency price peaks. The data does not break the cryptography. It locates the holder.
What proper crypto OPSEC looks like
The mitigations are not exotic. They require discipline more than they require technology.
Dedicated crypto-only email. A new address, on a privacy-respecting provider (Proton, Tutanota, or a self-hosted instance), used for nothing else. Never linked to social accounts. Never used as a recovery contact for non-crypto services. The point is to take the universal join key out of play before it is created.
Dedicated device or account separation. A second physical machine, a hardened virtual machine, or at minimum a fully separate user profile that holds only crypto-related sessions, with no overlap with the user’s general browsing, social media, banking, or work activity. The Fowler database’s lethal property is the per-machine grouping; a separate machine produces a separate record.
Two-factor authentication that survives cookie theft. TOTP via an authenticator app is the floor. Hardware security keys (FIDO2 / WebAuthn) are the realistic ceiling for high-value holders, because they defeat session-cookie replay attacks that bypass TOTP. SMS-based 2FA is treated as no protection at all, because SIM-swap and session replay both break it.
API key segregation and rotation. Tax-tracking and portfolio software stays on a dedicated machine. API keys are read-only by default, IP-allowlisted where the exchange supports it, scoped to a single application, and rotated quarterly. No API key sits in a .env file on the same machine that runs general-purpose browsing.
KYC artefact handling. Identity documents and selfies are uploaded directly from a clean device, never saved to long-lived local folders. Once uploaded, the local copies are deleted and the storage is overwritten. Local archives of passport.jpg are treated as ammunition.
Clipboard hygiene. Wallet addresses are verified character-by-character against the source on every paste. Dedicated address-book features in wallet software replace clipboard transfer for repeat destinations. Anti-clipper extensions exist; they are not a substitute for verification.
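As an added example (not from the article or any wallet vendor), the paste-time check the clipboard-hygiene point calls for, in Python: the pasted string must decode as a valid Base58Check legacy address and must exactly match a trusted address-book entry. The address book and the "pasted" values are constructed, and only the legacy Base58Check format is handled (bech32 is out of scope); the point it shows is that a clipper-substituted address passes the checksum and is caught only by the exact-match step.

```python
"""Paste-time destination check against a trusted address book.

Added example, not from the article. Address book and pasted values are
constructed; Base58Check is the legacy Bitcoin address format (no bech32).
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload):
    """Encode version byte + hash160 into a legacy address (used here only to
    build constructed sample addresses with correct checksums)."""
    raw = payload + _sha256d(payload)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes -> '1'
    return "1" * pad + out


def base58check_valid(addr):
    """True if addr is Base58 with a correct 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) < 5:
        return False
    return _sha256d(raw[:-4])[:4] == raw[-4:]


def verify_paste(pasted, label, address_book):
    """Return (ok, reason). A typo fails the checksum; a clipper swap is a
    perfectly valid address and fails only the exact match."""
    expected = address_book.get(label)
    if expected is None:
        return False, "unknown address-book entry"
    if not base58check_valid(pasted):
        return False, "checksum failure: typo or corrupted paste"
    if pasted != expected:
        return False, "valid address but not the stored one: possible clipper"
    return True, "ok"


# Constructed address book: a destination verified out of band once and
# stored, so every later paste is compared against it rather than trusted.
ADDRESS_BOOK = {"cold-storage": base58check_encode(b"\x00" + b"\x01" * 20)}
```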
Hardware-wallet discipline. A hardware wallet protects the private key. It does not protect the registered email, the KYC documents, the API key, or the browser session. Holders who treat hardware-wallet ownership as the totality of their OPSEC routinely lose to the endpoint, not the chain.
Segregation of social and crypto identity. No public association between the holder’s real-name social presence and their crypto activity. Public boasting, public addresses, and public exchange affiliations are treated as adversary inputs. The Drift signers and the ADFW attendees did not lose because their cryptography failed; they lost because their identities were correlated and targeted in advance.
When the threat model justifies more
For most users, dedicated email plus a separate profile plus hardware 2FA plus disciplined artefact handling closes the dominant exposures. For executives at protocols, fund operators, signers on multi-signature treasuries, family-office principals, and anyone whose crypto holdings are publicly attributable: a higher floor applies.
That floor includes a fully air-gapped signing device, in-person verification of significant transfers (defeating durable-nonce-style attacks), explicit out-of-band verification of any party requesting working-session access, formal social-engineering threat modelling of the signer set, and an external review of what the holder’s open-source identity surface actually exposes. The Drift Protocol post-mortem describes attackers who spent six months building social trust before using it. That kind of operation succeeds against discipline only at the level of months, not minutes.
The endpoint is the threat model
The Fowler 2026 database did not introduce a new attack. It documented the maturity of an existing one: the endpoint as the bridge that turns on-chain pseudonymity into off-chain identity. RedLine and Lumma takedowns dented the supply, but the market reorganised within months. Omnistealer, Storm, and Void are the 2026 successors, with subscription pricing and structured backends that will keep producing dumps like Fowler’s.
For anyone holding crypto seriously (for size, for privacy reasons, or both), the question is no longer whether the blockchain protects them. The blockchain works as designed. The question is whether everything around the blockchain protects them: email, browser, clipboard, file system, social graph, and the people they sign transactions alongside.
That is what crypto OPSEC is, in 2026. It is not the wallet.
Sources
Primary infostealer database research
- Jeremiah Fowler. “149M Infostealer Data Exposed.” ExpressVPN Blog, 23 January 2026.
Stealer family takedowns and 2026 landscape
- Microsoft Digital Crimes Unit. “Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool.” 21 May 2025.
- U.S. Department of Justice. “Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation.”
- Trend Micro Research. “Back to Business: Lumma Stealer Returns with Stealthier Methods.” July 2025.
- The Hacker News. “Dutch Police Disrupt Major Info Stealers RedLine and MetaStealer in Operation Magnus.” 28 October 2024.
- Malwarebytes Labs. “Omnistealer uses the blockchain to steal everything it can.” April 2026.
- BleepingComputer. “The silent ‘Storm’: New infostealer hijacks sessions, decrypts server-side.”
Real-world incidents
- The National. “Abu Dhabi Finance Week says data breach resolved.” 18 February 2026.
- Dark Reading. “Abu Dhabi Finance Week Exposed VIP Passport Details.”
- Chainalysis. “Drift Protocol Hack: How Privileged Access Led to a $285M Loss.”
- TRM Labs. “North Korean Hackers Attack Drift Protocol in $285 Million Heist.”
- BleepingComputer. “Coinbase confirms insider breach linked to leaked support tool screenshots.”
- Coinbase. “Protecting Our Customers — Standing Up to Extortionists.”
Chainalysis 2026 Crypto Crime Report
- Chainalysis. The 2026 Crypto Crime Report.
- CoinDesk. “Crypto crime is getting violent: ‘wrench attacks’ jumped 75% in 2026.” 2 February 2026.