Dark Web Roast - June 2025 Edition

By Trellix Advanced Research Center · July 21, 2025

Executive Summary

Welcome to the very first Dark Web Roast! Each month, we're going to take a peek into the shadowy world of cybercrime and playfully "roast" some of its characters, all with a little help from our internal AI assistant. Our main goal as security researchers is always the same: to give bad people bad days.

At Trellix, we think it's important we don’t make cybercriminals seem larger than life or hero-worship them. This roast is about showing the human side of cybercrime and how they mess up, just like anyone else. With our agentic AI assistant, we're aiming for humor that's as sharp as Ricky Gervais. So, grab a seat, chill out, and enjoy some laughs!

June 2025 delivered a comedy goldmine from the cybercriminal underground, proving that even threat actors can't escape the universal law of unintentional hilarity. From AI-worshipping script kiddies getting breathlessly excited about "FraudGPT" to French carders who can't spell "quality," this month's underground scene was dominated by copy-paste spammers, emoji-obsessed dealers, and identity-confused criminals who couldn't successfully run a lemonade stand, let alone sophisticated cyber operations. These "threat actors" are about as dangerous as a rubber knife and twice as dull, serving up more laughs than actual threats and demonstrating that even organized crime can't escape the curse of poor management and terrible marketing.

This Month in the DarkRoast

🤖 The "FraudGPT" Fanboy Convention

ricox316 and heterobot on DarkNetArmy are absolutely losing their minds over "FraudGPT" like it's the second coming of cyber-Jesus. Of note, FraudPT was largely hype with no substance. These “legends” are breathlessly hyping its ability to "write malicious code, create undetectable malware" with the enthusiasm of teenagers discovering energy drinks for the first time. The best part? One responded to this earth-shattering AI revelation with a profound technical analysis of "Kk." Nothing screams "elite cybercriminal operation" quite like getting excited about an AI tool that probably can't even spell "malware" correctly, let alone create undetectable versions of it.

🇫🇷 The "Haute Qualitey" French Carding Catastrophe

Meet @iziLife_cc from Telegram's "💎Lëgend💎" channel, the wannabe French Credit Card cybercriminal whose spelling is so atrocious it makes Google Translate surrender unconditionally. This linguistic disaster is advertising "CC fresh haute qualitey" for €18-20 each while promising "qualiter superieur" and "rez du jour même" —apparently even their spell-check has given up and moved to Switzerland. The threat assessment here is that potential victims might die laughing before they get properly scammed.

🏦 The Corporate Banking Spam Bot Apocalypse

The underground messaging scene was absolutely flooded by desperate financial fraudsters with handles like ا, 31, and 61 spamming every crypto channel with identical walls of text begging for Indian corporate bank accounts. These clowns are offering 10,000 INR bonuses as if they're running a legitimate HR department instead of a money laundering operation, complete with emojis that scream, "I learned marketing from a 2010 MLM scheme." They're so persistent, they make Nigerian princes look subtle.

🎪 The "Scammer F*ck Off" Professional

Nothing says "trustworthy criminal enterprise" quite like @lotiluciacica ending their money laundering advertisement with "scammer f*ck off" — the irony is so thick you could cut it with a stolen credit card. They're demanding 500K USDT daily whilst selling WhatsApp numbers and guaranteeing "no cyber" for 30+ days, as if cybercrime comes with a warranty period. They're essentially running a "Scammers Anonymous" meeting whilst actively scamming.

🛒 The Vietnamese Data Buffet Extravaganza

@kingman96 has transformed identity theft into a subscription service, advertising everything from "spa/cosmetic surgery customer data" to "2023-2024 car owner data," like they're running a criminal Costco membership program. They have more data categories than a government census, including "VIP customer data by region," because apparently, even stolen personal information now requires a loyalty program. It's like watching someone turn cybercrime into a one-stop shopping experience for sociopaths.

🎓 The Academic Malware Professor

Dystortion on hackforums.net wrote what can only be described as a cybercrime dissertation titled "[2025] 5 Malware Techniques [No Code]" -- because apparently even threat actors are going no-code these days! This educational masterpiece features revolutionary techniques, including the use of "cat.jpg" as a steganography cover image and testing protocols involving "calc.exe execution verification." Nothing screams "dangerous nation-state actor" like someone who needs step-by-step instructions on how to hide malware in pictures of cats.

🏢 The North Korean Job Interview Scam Theatre

WWW on crdclub.ws delivered breaking news about North Korean hackers conducting elaborate fake job interviews to spread malware through npm packages with names like "reactbootstraps" and "chalk-config". The comedy gold here is watching sophisticated nation-state actors willingly sit through technical interviews, send coding assignments via Google Docs, and pressure candidates to run malicious code whilst screen-sharing. Imagine being so dedicated to cybercrime you're willing to endure the soul-crushing experience of fake HR recruitment processes.

📝 The One-Letter Wonder Technical Review

In what can only be described as the most comprehensive malware analysis in cybercrime history, goshkata on DarkNetArmy provided their expert assessment of ZeroTrace Stealer source code with the eloquent review: "f." That's it. Just the letter "f." Meanwhile, other criminal masterminds are dropping "thanks for sharing king," and "thanks for sharing this bro," like they're reviewing a Netflix series instead of discussing tools designed to steal people's cryptocurrency wallets. The underground economy's peer review process is truly something to behold.

🎯 The "Totally Not Suspicious" Crypto Cleaner

swxrovski on xss.is is advertising cryptocurrency laundering services with all the subtlety of a neon sign in a police station car park. They're promising a "maximum low AML level (0-25% exchange)" and "your funds will have no traceable history" with a professional 3.5% fee structure. After all, nothing says "legitimate business operation" quite like explicitly advertising money laundering services with competitive pricing. The best part? They're so confident in their "totally legal" operation that they require a one BTC deposit upfront and offer escrow services.

🌸 The Kafka Credit Card Scraper Poetry Club

Someone at @xRonak from the "𝙆𝙖𝙛𝙠𝙖 • CC刮刀" channel decided to name their credit card scraping tool after Franz Kafka and decorate their stolen card data with flower emojis and "Have a nice day 😊" messages. Nothing says "existential dread" quite like automated financial fraud delivered with a customer service smile and literary pretensions. They're running "alpha1.5.0-0" software that sounds like it was coded by philosophy majors who failed computer science.

Conclusion

The underground scene in June 2025 was tricky. While not overtly threatening, it’s notable enough to keep an eye on. These digital delinquents are essentially running the world's worst customer service operations while committing felonies, proving that even organized crime can't escape the curse of poor management and terrible marketing. The real threat to cybersecurity isn't their criminal capabilities – it's the secondhand embarrassment they're causing to actual cybercriminals worldwide! These are the participation trophy winners of the threat landscape, clearly having criminal skill isn’t the same as having criminal intentions.

Disclaimer
While these incidents are genuinely amusing, they represent real criminal activities causing significant harm. This content is for threat intelligence and educational purposes only.
And to all you cybercriminals out there, remember they’re just jokes….

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/