A whole new world of ICO

Bitcoin and cryptocurrencies are disrupting not just the currencies market. A newly observed trend of Internet Coin Offerings (ICOs) is changing the way VCs work with startups.  A recent Coindesk report states that the Bancor ICO set a record by raising $153 million in Ether from approximately 10,885 buyers. According to Coinschedule, 140 of the currently active ICOs have raised over two billion dollars while Reuters estimates the overall value of the coin market is over $90 billion. ICO is not yet the most popular choice among startups or investors, but interest is increasing despite the many challenges it faces.

While the largest challenges for ICO might be regulatory or legal, the focus here will be on security issues. Some of these issues include bugs in smart contracts, attacks on the websites of companies offering an ICO, errors in the implementation of multi-sig wallets, and DDOS attacks on currency networks. These contribute to about 50% of all cybercrime revenue, with the remainder being phishing schemes. Chainalysis, a blockchain analysis company, estimates the value of stolen cryptocurrencies from phishing attacks to be at 115 million dollars from over 16,900 victims.

Tracking phishing campaigns

While the main protection mechanism we rely on in identifying phishing domains is our machine learning-based model, NLPRank, which is actively enhanced to detect different crypto currency wallet phishing attempts, we continue to apply other hunting approaches that leverage additional visibility into DNS data. Pivoting around IPs, registrants, and name servers allow us to expose bullet-proof hosting infrastructures and to block emerging attacks as soon as they go live or before they are launched.

Automated phishing pivoting flow

Part of a phishing attack infrastructure exposed via this process:

Exposed Phishing infrastructure

Blockchain[.]info, MyEtherWallet[.]com, Bittrex[.]com and several ICOs are some of the targets in recent campaigns. Their infrastructures are tied to Russian, Ukraine, and Hong Kong IP address space. Most phishing attempts still come in form of mass sent spam emails with generic messages which example we can see in the picture below:

Typical message in the BTC phishing email

While majority of the phishing domains has low amount of hits, with average count between 15 and 100

Query volume to the phishing domains

Query volume to the phishing domains

Other delivery methods, such as search result poisoning, have proven to be an effective means of phishing users. This can be seen below, with a link to a phishing site listed during a google search for ‘myetherwallet’:

Poisoned Adwords example


Phishing domain served via Google Ads

Such domains are able to drive big amounts of traffic in short period of time and have better conversion rate:

Amount of traffic to phishing domain via poisoned ad

Another important aspect of the recent campaigns is the fact that malicious actors utilizing all of the newly emerged phishing methods such as homograph attacks and abuse of SSL as we can see in following picture:

Homograph attack on MyEtherWallet

New threats are emerging

It’s not just cybercriminals who have historically been involved in phishing which are turning towards cryptocurrencies. Recently, we discovered a strain of a credential stealer which targets digital wallets stored on computers as well as online services.  This threat is delivered via malspam messages with an attached doc file that contains a Powershell script which downloads malware. Then it finds stored wallets and credentials and uploads them to the C2:

Function stealing Ethereum Wallets

Full list of trojan functions

What to expect

We first observed phishing campaigns targeting cryptocurrency users in June 2016 when nobody knew what ICO was and when Bitcoin’s price was about $700. Now with Bitcoin’s price skyrocketing to nearly $4,000 and over 140 ICOs coming, we are sure that phishing attempts will continue to haunt cryptocurrency ICOs and their users. Anyone who is already a cryptocurrency user or is thinking about becoming one should be very careful. Some tips to avoid becoming a victim:

  • Don’t follow any links in messages from services, try to remember or bookmark the services that you regularly using and avoid advertised google results
  • Be suspicious of messages in social media and Slack forums, especially if they contain any URLs
  • Treat messages from bots very carefully, as they can be easily crafted by malicious actors
  • Use your common sense and check anything suspicious in the open source projects like Ethereum Scam Database


This post is categorized in: