A sophisticated phishing campaign impersonating cryptocurrency brokerage Bitpanda has been uncovered by cybersecurity researchers.
The operation, detailed in a new advisory by the Cofense Phishing Defense Center, combines credential theft with extensive personal data harvesting, using a near-perfect replica of the legitimate platform to deceive users.
As cryptocurrency adoption increases, so does criminal interest. Analysts at Cofense said this latest campaign goes beyond typical login harvesting by guiding victims through a staged, fake multi-factor authentication (MFA) process designed to collect multiple forms of personally identifiable information.
Cofense explained the observed attack begins with an email formatted to resemble official Bitpanda communications, complete with familiar branding and layout.
The message informs recipients that updated security standards require them to reconfirm their information or risk having their accounts blocked. The warning introduces urgency. It also reflects a common scare tactic.
A "Start Update" button directs users to a fraudulent website. Although the landing page closely mirrors the genuine Bitpanda login screen and even links to the legitimate app download page via QR code, a closer inspection reveals a deceptive domain. The malicious domain had reportedly been created only days before analysis.
Multi-Step Data Harvesting
Once credentials are entered, victims are pushed through additional verification screens requesting:
-
First and last name
-
Telephone number
-
Residential address
-
Date of birth
Each step is framed as part of an MFA process. The information collected could enable attackers to reset passwords, submit fraudulent support tickets or access other accounts where personal data is used for verification.
After completing the forms, users see a confirmation message stating their verification was successful before being redirected to the legitimate Bitpanda login page.
How to Defend Against Similar Attacks
"Malicious campaigns can range from broad to highly targeted. This example demonstrates the latter, with high accuracy to the real service, deceptive URL domains, and wording that makes the victim believe in a false sense of security. It not only harvested login credentials but also harvested sensitive user information," Cofense wrote.
"Campaigns like these can be headed off with tools designed to detect and quarantine threats that slip through secure email gateways (SEGs).”
Users should hover over links to check destination URLs, confirm that sender addresses match official company domains and be cautious of messages that threaten account suspension if immediate action is not taken.
Accessing brokerage platforms directly through bookmarked or manually typed addresses, rather than embedded email links, can also reduce exposure. Even small inconsistencies in domain names or formatting may signal a fraudulent site.
Image credit: Mamun_Sheikh / Shutterstock.com