A new report by Cisco’s Talos cybersecurity team has named a Ukrainian hacking collective behind a string of audacious and high-value cryptocurrency thefts.
The report details how the group, called Coinhoarder, has stolen over $50 million in cryptocurrency from users of the popular wallet Blockchain.info. The group makes use of a “very simple” scheme involving purchasing Google ads focused on popular search keywords relating to cryptocurrency.
These “poisoned ads” allowed the hackers to set up a gateway phishing link that would appear in search results alongside legitimate ones. The ads, which used keywords such as ‘blockchain’ or ‘bitcoin wallet’, would redirect the user to a landing page that served phishing content in the language of the geographic region of the user’s IP address.
Fooled by legitimate looking landing pages, victims were prompted to enter their private information into the site. This allowed the hackers to gain access to their digital wallets and assume control of their cryptocurrencies.
Cisco investigated this wide-scale phishing campaign for over six months in partnership with the Ukrainian police. During this time the company noted that Coinhoarder’s methods were becoming “increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges via malicious ads”.
The attacks had occurred over the course of three years, but they spiked in frequency at the end of 2017 as the price of Bitcoin and other cryptocurrencies skyrocketed. The report notes that a mammoth $10 million was stolen between September and December of 2017.
One particular feature of the attack that caught the researchers’ attention was its geographical pattern. It seems that the attackers were particularly targeting victims in African and other developing nations where banking can be “more difficult and local currencies much more unstable”. The group also seems to have been keen to target users in countries where English is not the first language.
Cisco says that it has witnessed the group evolve over the observed period, with its fake sites in particular becoming more convincing. The report concludes that:
“Phishers are significantly improving their attack techniques by moving to SSL and employing the use of IDNs to fool victims into handing over their credentials.”
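The IDN trick the report refers to relies on domains whose non-Latin letters render like the Latin ones in a brand name. The following defensive check, written for this article and not part of the Talos report, decodes punycode hostnames (as they would appear in ad URLs, certificate logs or TLS SNI) and flags ones that collapse onto a protected brand or mix scripts inside one label; the brand list and the small confusables map are assumptions, not data from the report.

```python
import unicodedata

# Brand domains to defend. The page names Blockchain.info; the rest is assumed.
PROTECTED = {"blockchain.info", "blockchain.com"}

# Constructed subset of letters that render like Latin ones (Cyrillic, Greek).
# A production check should load the full Unicode confusables.txt table instead.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "к": "k", "һ": "h",                       # Cyrillic
    "ο": "o", "α": "a", "ν": "v", "ι": "i",             # Greek
}


def to_unicode(hostname: str) -> str:
    """Decode xn-- labels so we see the glyphs the victim sees; pass Unicode input through."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return hostname


def skeleton(hostname: str) -> str:
    """Normalise, lowercase and replace look-alike letters with their Latin counterparts."""
    text = unicodedata.normalize("NFKC", to_unicode(hostname)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def scripts(label: str) -> set:
    """Set of script names ("LATIN", "CYRILLIC", ...) used by the letters of one label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def classify(hostname: str) -> str:
    """Verdict for one observed hostname: protected, homograph, mixed-script or ok."""
    uni = to_unicode(hostname).lower()
    if uni in PROTECTED:
        return "protected"
    if skeleton(hostname) in PROTECTED:
        return "homograph"
    if any(len(scripts(label)) > 1 for label in uni.split(".")):
        return "mixed-script"
    return "ok"


if __name__ == "__main__":
    # Constructed samples; the second is "blосkchain.info" (Cyrillic о, с) as punycode.
    for host in ["blockchain.info", "blосkchain.info".encode("idna").decode("ascii"),
                 "blockchain-ѕhop.info", "blockchain-wallet.test"]:
        print(f"{host:40} {classify(host)}")
```

Plain typosquats such as a transposed Latin letter are not caught by this check; it only targets the script-confusion the report describes.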