Cybercriminals Embark on Bitcoin Phishing Expedition

Attackers are playing on the hype around the crypto-currency Bitcoin to cast a wider phishing net looking for victims. It’s not just bank credentials cyber-criminals are looking for.

Enterprise information security firm Proofpoint detected 12,000 messages sent in two separate waves trying to trick victims into handing over their wallet credentials on the site, the company said in a blog post Wednesday. With these credentials, attackers would be able to transfer all the Bitcoins out of the victim’s wallet into another. The surprising part was that the campaign received a 2.7 percent click rate, which is much higher than the percentage of Bitcoin users in the general population, Proofpoint found.

This suggests attackers are sending these phishing emails to people who don’t have Bitcoins, and “a mix of both Bitcoin and non-Bitcoin users were clicking,” Proofpoint said.

Past Bitcoin-focused attacks relied on lists of known and active users. This campaign sent phishing emails over two days to 400 companies, which spanned across industry sectors, including higher education, financial services, high tech, media, and manufacturing, Proofpoint found.

“The broad nature of this campaign was surprising, since most other Bitcoin phishing attacks have targeted known Bitcoin users,” Proofpoint said.

While 12,000 sounds like a lot, it’s worth remembering that attackers generally send out millions of messages during the course of a campaign. It is likely that this was a trial run, with attackers experimenting with ways to find Bitcoin users without relying on user lists. As phishing campaigns go, this appears to be fairly simple and low-volume.

Attackers initially used a single hostname in each email, but customized the URL for each victim by including a unique parameter, according to Proofpoint’s blog post. The original hostname was added to a spam blocklist fairly quickly, and attackers switched to randomized URLs from multiple domains in the second wave. This is another clue this could have just been a trial run for inexperienced criminals because the initial attack method was easy to block.
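The two URL patterns described above call for different grouping keys on the defender's side. The following is an added example, not code from Proofpoint or the original article: it flags a host that serves one path with a distinct parameter value per recipient (first wave), then flags a subject line whose links are scattered across single-use hosts (second wave). The record format, subjects and `.example` hosts are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample records (recipient, subject, URL); all hosts are placeholders.
SAMPLE = [
    ("a@corp.example", "Failed login attempt", "http://wallet-alert.example/reset?id=9f31"),
    ("b@corp.example", "Failed login attempt", "http://wallet-alert.example/reset?id=77c2"),
    ("c@corp.example", "Failed login attempt", "http://wallet-alert.example/reset?id=e05a"),
    ("d@corp.example", "Failed login attempt", "http://qx7k.example/a8d1"),
    ("e@corp.example", "Failed login attempt", "http://mz2p.example/k3f9"),
    ("f@corp.example", "Failed login attempt", "http://tb9w.example/p0c4"),
    ("g@corp.example", "Quarterly report", "http://intranet.example/report?id=12"),
    ("h@corp.example", "Quarterly report", "http://intranet.example/report?id=12"),
]

def per_recipient_token_hosts(records, min_recipients=3):
    """Hosts where each recipient got the same path but a distinct parameter value."""
    seen = defaultdict(dict)  # (host, path, param) -> {recipient: value}
    for rcpt, _subject, url in records:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            seen[(parts.hostname, parts.path, name)][rcpt] = value
    flagged = set()
    for (host, _path, _name), by_rcpt in seen.items():
        values = list(by_rcpt.values())
        # Many recipients, no value shared between them: a per-victim token.
        if len(by_rcpt) >= min_recipients and len(set(values)) == len(values):
            flagged.add(host)
    return flagged

def multi_host_subjects(records, min_hosts=3):
    """Subjects whose links are spread over many hosts, one recipient per host."""
    hosts = defaultdict(lambda: defaultdict(set))  # subject -> host -> recipients
    for rcpt, subject, url in records:
        hosts[subject][urlsplit(url).hostname].add(rcpt)
    flagged = {}
    for subject, by_host in hosts.items():
        singles = sorted(h for h, r in by_host.items() if len(r) == 1)
        if len(singles) >= min_hosts:
            flagged[subject] = singles
    return flagged

if __name__ == "__main__":
    print("wave-1 style hosts:", per_recipient_token_hosts(SAMPLE))
    print("wave-2 style subjects:", multi_host_subjects(SAMPLE))
```

Hostname grouping alone misses the second-wave records, which is why the second function keys on the message template instead of the link.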

Security professionals cannot discount any phishing emails, even if the contents don’t appear to be relevant to their users, Proofpoint warned. The fact that so many non-Bitcoin users clicked on the links is worrying, since a more sophisticated “multi-variant” version of this campaign could have downloaded malware onto victim computers, or stolen credentials for other accounts.

“Effective lures attract clicks even from users who should have no reason to click,” Proofpoint said.

As for the email, it followed the familiar “account warning” template used for banks and online payment services, with a message that there was a failed login attempt originating from China, Proofpoint said. Instead of an actual bank name, the email used the name. A unique-looking Case ID helped make the email look real. If the user clicked on the “Reset Password” button in the message, the user was directed to a realistic-looking, but fake, Blockchain login page. The credentials entered on this page are captured and sent to attackers while users are shown a generic error message. Attackers are then able to log in and steal the Bitcoins.

It’s worth remembering that even though Bitcoin is an estimated $6.8 billion target for cybercriminals, the number of people who have the currency and are actually using it is very small compared to the overall population. The small number of users doesn’t appear to be deterring cyber-criminals, however.

“It would only take hitting one drug dealer’s wallet to make it all worthwhile,” Andrew Conway, a researcher from Cloudmark, told SecurityWeek.
