Newly Discovered Bitcoin Phishing Campaigns
Analyzing the results of the OpenDNS Natural Language Processing(NLP) rank classifier, we have recently discovered new Bitcoin wallet companies that have made their way on to the list of phishing targets. We were able to identify phishing campaigns aimed at Kraken and Paxful users.


It was nice to see fraudulent domains taken down in a timely manner and additional security mechanisms being put into play. One such mechanism used on Paxful is a fidelity warning at the login screen:
Ongoing campaigns
Old campaigns against blockchain.info and localbitcoins.com are experimenting with different registrars, but aren’t going anywhere:



The three most recently detected domains are still alive and look to be part of an active, currently ongoing campaign. We can also see that the amount of phishing attacks against bitcoin users keeps increasing. Leveraging the power of Investigate by pivoting around detected infrastructure, we found that it is not only used to host fraudulent Bitcoin domains, but a whole range of other nefarious ones as well.
However, the most successful domains in this new campaign are block-clain[.]info and blockchalna[.]info. Both domains were registered on February 21, 2017, and went live on February 24th, getting over 200k DNS queries in a couple of hours. This is an interesting fact, since it correlates with Bitcoin reaching another maximum and the disclosure of CloudBleed.
Traffic delivery scheme hasn’t changed: we continue to see compromised Adword Google accounts used to host ads, which redirect users to phishing domains.

Visualizing actor relations
In the visualization of the domains and associated email addresses from the campaign (image below), we outline shared hosting infrastructure by multiple actors. Red-colored domains are spoofed bitcoin wallets, while the rest is a mix of banking, adwords and tax fraud websites.

We also see an increasing amount of phishing and other credentials harvesting attacks(RATs, InfoStealers), which result in an increase in account-checking activity. Since cybercrime services like Sentry MBA are widely available to criminals, their ease of use paired with a wide variety of available config files makes us confident that the number of actors engaging in such attacks will keep growing, particularly among lower-level actors.
This blog is a result of a collaboration between Artsiom Holub of Cisco Umbrella research team and Jeremiah O’Connor of Cisco country digitization team.
Related Indicators
A list of BTC_phishing_IOCs [PDF] applicable to this blog post can be found here: