Newly Discovered Bitcoin Phishing Campaigns

Analyzing the results of the OpenDNS Natural Language Processing(NLP) rank classifier, we have recently discovered new Bitcoin wallet companies that have made their way on to the list of phishing targets. We were able to identify phishing campaigns aimed at Kraken and Paxful users.

Phishing domain imitating login page


Phishing domain imitating login page

It was nice to see fraudulent domains taken down in a timely manner and additional security mechanisms being put into play. One such mechanism used on Paxful is a fidelity warning at the login screen:

Ongoing campaigns

Old campaigns against and are experimenting with different registrars, but aren’t going anywhere:

Suspended domains: https–blockchain[.]lol, blockchain–login[.]org


This domain is still up and running but looks broken

Active phishing domain

Active phishing domain

The three most recently detected domains are still alive and look to be part of an active, currently ongoing campaign. We can also see that the amount of phishing attacks against bitcoin users keeps increasing. Leveraging the power of Investigate by pivoting around detected infrastructure, we found that it is not only used to host fraudulent Bitcoin domains, but a whole range of other nefarious ones as well.

However, the most successful domains in this new campaign are block-clain[.]info and blockchalna[.]info. Both domains were registered on February 21, 2017, and went live on February 24th, getting over 200k DNS queries in a couple of hours. This is an interesting fact, since it correlates with Bitcoin reaching another maximum and the disclosure of CloudBleed.

Traffic delivery scheme hasn’t changed: we’re continue to see compromised Adword Google accounts used to host ads, which redirect users to phishing domains.

Malicious Ads


Visualizing actor relations

In the visualization of the domains and associated email addresses from the campaign (image below), we outline shared hosting infrastructure by multiple actors. Red colored domains are spoofed bitcoin wallets, while the rest is a mix of banking, adwords and tax fraud websites.

Visualization of the phishing campaign

We also see an increasing amount of phishing and other credentials harvesting attacks(RATs, InfoStealers), which result in an increase of account-checking activity. Since cyber crime services like Sentry MBA are widely available to criminals, their ease of use paired with wide variety of available config files makes us confident that the number of actors engaging in such attacks will keep growing, particularly among lower level actors.

This blog is a result of collaboration between Artsiom Holub of Cisco Umbrella research team and Jeremiah O’Connor of Cisco country digitization team.

Related Indicators

A list of BTC_phishing_IOCs [PDF] applicable to this blog post can be found here:



This post is categorized in: