Researchers across Cisco have been teaming up with Ukraine Cyber-Police to track the Coinhoarder campaign, a Bitcoin phishing operation that has been tied to the theft of $50 million worth of the cryptocurrency.
Cisco first observed Coinhoarder in February 2017 in a massive phishing campaign hosted in Ukraine that targeted the popular Bitcoin wallet site blockchain.info. The campaign was unique because adversaries leveraged Google AdWords to poison user search results in order to steal users’ wallets.
Cisco identified an attack pattern in which the threat actors behind the operation would establish a gateway phishing link that would appear in search results among Google ads. When searching for crypto-related keywords, such as "blockchain" or "bitcoin wallet," the spoofed links would appear at the top of search results. When clicked, the link would redirect to a page that served phishing content in the dominant language of the geographic region of the victim's IP address. After initial setup, the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims.
“Crypto-assets have proven to be a new, valuable financial commodity targeted by varying degrees of cybercriminals,” Cisco researchers said in an analysis. “In 2017, we observed phishers advance their tactics by utilizing new attack vectors such as Google AdWords combined with the use of IDNs and rogue SSL certificates to improve their probability of success and generate millions in profit.”
This campaign targeted specific geographic regions, including African countries and other developing nations where banking can be more difficult and local currencies much more unstable compared to the digital asset. Additionally, attackers targeted users in countries whose first language is not English, making for potentially easier targets.
The group behind Coinhoarder has been actively pilfering Bitcoin wallets since at least 2015, primarily targeting users of online cryptocurrency wallets and exchanges, according to the researchers. Based on the observable exchange activity, Cisco estimates the Coinhoarder group to have netted over $50 million over three years. The activity came in spikes: between September and December 2017 alone, the bad actors stole around $10 million, and in another run they made $2 million within a 3.5-week period.
It is important to note that the price of Bitcoin shot up drastically during 2017, starting around $1,000 in January and hitting a high point just under $20,000 in December. As of press time it was trading at $9,000. Those increasing values are a blessing and a curse for the perpetrators.
“While criminals were able to profit from this, it also adds a new level of complexity for criminals to convert their cryptocurrency funds to a fiat currency like US dollars,” the researchers said. “The historic price of Bitcoin during the height of this campaign would have made it very difficult to move these ill-gotten finances easily.”
What is clear from the campaign is that cryptocurrency phishing via Google AdWords can be a lucrative attack on users worldwide.
“Phishers are significantly improving their attack techniques by moving to SSL and employing the use of IDNs to fool victims into handing over their credentials,” researchers noted. “We can expect to see more of these realistic-looking phishes.”
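A defender-side check for the IDN look-alike technique the researchers describe, added here as an example and not part of the article or of Cisco's research: it decodes punycode hostnames and compares a "skeleton" of each against a protected brand domain. The confusable map and the sample hostnames are constructed assumptions; a real deployment would use the full Unicode confusables table.

```python
import unicodedata

# Assumption: a small illustrative map of look-alike characters to their Latin twins.
# Production code should load the Unicode confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0456": "i", "\u04bb": "h", "\u0501": "d", "\u0455": "s", "\u0443": "y",
    "\u0131": "i", "\u0142": "l",
}

def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels to Unicode; ASCII labels pass through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep undecodable labels as-is rather than dropping the host
        labels.append(label)
    return ".".join(labels)

def skeleton(host: str) -> str:
    """Collapse compatibility forms and known confusables so look-alikes compare equal."""
    nfkc = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in nfkc)

def is_lookalike(host: str, protected: str) -> bool:
    """True when host is not the protected domain but renders like it."""
    decoded = to_unicode_host(host)
    if decoded == protected.lower():
        return False
    return skeleton(decoded) == skeleton(protected.lower())

def scan(hosts, protected: str):
    """Return (observed_host, decoded_form) for every look-alike of the protected domain."""
    return [(h, to_unicode_host(h)) for h in hosts if is_lookalike(h, protected)]

# Constructed sample hostnames (not indicators from the campaign): a Cyrillic 'о'
# look-alike in Unicode form, the same host in its punycode form, and two benign hosts.
LOOKALIKE_UNICODE = "bl\u043eckchain.info"
LOOKALIKE_PUNYCODE = LOOKALIKE_UNICODE.encode("idna").decode("ascii")
SAMPLE_HOSTS = [LOOKALIKE_UNICODE, LOOKALIKE_PUNYCODE, "blockchain.info", "example.com"]

if __name__ == "__main__":
    for observed, decoded in scan(SAMPLE_HOSTS, "blockchain.info"):
        print(f"look-alike: {observed} -> {decoded}")
```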