Home / Capital & Crypto / Researchers Uncover Bitcoin Phishing Campaign

Researchers Uncover Bitcoin Phishing Campaign

Last Updated March 4, 2021 4:49 PM
Lester Coleman
Last Updated March 4, 2021 4:49 PM

OpenDNS Security Labs has discovered 100 fake bitcoin and blockchain domains that mimic legitimate bitcoin wallets in an attempt to steal credentials.


The domains share a provider with three different names that has used the IP space to sell pornography, false merchandise and phishing sites. The sites, most of which were registered on May 26, continue to pop up, indicating the campaign continues, according to Threatpost .

Researchers Trace Connections

OpenDNS Security Labs researchers Dhia Majoub, Artsiom Holub and Jeremiah O’Connor were able to trace connections among name servers, IP addresses and Whois indicators over the past few weeks to determine the campaign’s scope.

An Israeli cloud-based security firm, Cyren, initially came across the campaign in early June by observing the Blockchain.info domain spreading through a pay-per-click advertising scam by Google  AdWords. A user tricked into visiting the site and logging in would hand their Blockchain credentials to the attackers.

OpenDNS noticed a phishing attack at Blockchain-wallet.top a day after Cyren posted its research. OpenDNS discovered a site that looks similar to the real Blockchain.info site, also similar to the one Cyren found.

The site that OpenDNS found shares Blockchain’s teal-colored navigation bar and logo and is still active. Google has branded it as a deceptive site and warned users that it still might be in use to get people to reveal personal information.

More Suspicious Sites

OpenDNS a few days later found an obfuscated URL Blockchain.com linked to the same IP. Researchers examined the IP and similar IPs. They discovered dozens of suspicious sites, including sites that look like Blockchain-wallet.info and localbitcoins.com.

Bitcoin addresses need to be checked at base58Check-encoded to determine they are genuine.

The phishing domains the researchers found rely on typosquatting, which occurs when Internet users input a website address into a browser, make typographical errors, and are relocated.

The attackers demonstrate a solid understanding of bitcoin protection mechanisms and are seeking to defeat them, researchers noted.

Also read: Ransomware extortionists land $17,000 in BTC

IP Space Hosts Illicit Activity

The researchers found the IPs shared a provider with three different names over the past year that was discovered to host what OpenDNS called “criminal and toxic content.” Three offshore hosting firms utilized the company’s IP space to market fake merchandise, child pornography, child modeling and phishing sites that were iCloud and Blockchain related.

Researchers cross-referenced Whois registration and hosted domains to determine six different emails used to register Blockchain.info spoof domains. This shed light on how frequently criminals recycle infrastructures, making it evident how strongly they rely on offshore hosting providers to bring malware and phishing campaigns, researchers noted.

OpenDNS blocked the malicious IP ranges for its customers. Going forward, wallet companies should boost their security to prevent typosquatting and phishing attacks.

The increase in ransomware attacks, which usually bring demands for bitcoin payments, could have something to do with the rising bitcoin price.

Featured image from Shutterstock.