Cisco, Ukraine Reveal $50 Million Bitcoin Phishing Incident

Feb 16, 2018 at 12:27

The cyber police department of Ukraine and technology giant Cisco revealed that a Ukrainian Bitcoin phishing ring managed to steal over $50 million over a three-year period.

Cisco’s threat intelligence team, Talos, reported that it was first alerted to the incident when the phishing scheme, COINHOARDER, targeted a wallet service through Google Ads that contained gateway phishing links that generated over 200,000 client search queries.

Talos added that under the phishing scheme, Google Ads would appear to represent a real Bitcoin wallet by using domain names that closely resemble an official wallet like The phishing sites were also said to have been designed to match the real site in every way except for the domain name.

Furthermore, the intelligence team said that COINHOARDER began to make its phishing site look more legitimate by using rogue SSL certificates in combination with typosquatting, brand spoofing, and homograph attacks.
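An added example, not code from Talos or from this article: a defender-side check that sorts candidate domains into the homograph, typosquat and brand-spoof patterns named above, relative to one protected wallet domain. The domain `examplewallet.test`, the small look-alike table and all function names are assumptions constructed for illustration.

```python
import unicodedata

PROTECTED = "examplewallet.test"  # hypothetical brand domain (constructed)
# Tiny constructed subset of Cyrillic look-alikes, not the full Unicode confusables table.
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0456\u0455", "aeopcxis")

def to_unicode(domain):
    """Decode xn-- (punycode) labels so homograph characters become visible."""
    out = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw form
        out.append(label)
    return ".".join(out)

def skeleton(domain):
    """Fold look-alike characters and diacritics to plain ASCII letters."""
    folded = unicodedata.normalize("NFKD", domain.translate(CONFUSABLES))
    return "".join(ch for ch in folded if not unicodedata.combining(ch))

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, protected=PROTECTED):
    """Label a candidate domain relative to the protected one."""
    uni = to_unicode(domain)
    if uni == protected:
        return "legitimate"
    skel = skeleton(uni)
    if skel == protected:
        return "homograph"    # identical once look-alike characters are folded
    if edit_distance(skel, protected) <= 2:
        return "typosquat"    # one or two character edits away
    if protected.split(".")[0] in skel:
        return "brand-spoof"  # brand name embedded in a different domain
    return "unrelated"

if __name__ == "__main__":
    spoof = "xn--" + "ex\u0430mplewallet".encode("punycode").decode("ascii") + ".test"
    print(spoof, classify(spoof))  # constructed sample with a Cyrillic "a"
```

The homograph sample is pure ASCII on the wire because of the `xn--` encoding, which is why the check decodes labels before comparing.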

Talos also explained that the phishing site targeted geographic areas like Nigeria and Ghana, where local currencies were unstable and English was not the first language, so victims were more likely to miss the slight differences in the domain and SSL names.

Cisco’s intelligence team also noted that around $10 million alone was stolen during the period from September through Dec. 2017 in which it tracked the wallet’s activity, and it released a list of IP addresses associated with the phishing scam.

The incident also led Cisco to begin flagging associated domains as suspicious and to use DNS requests to find and block other domains opened by the same registrant as the initial site.

Crypto phishing scams on Twitter have also recently become prevalent, with fake accounts imitating crypto experts like Charlie Lee or Vitalik Buterin to promote fake crypto giveaways.