Tracking the Coinhoarder Campaign: How Cisco Researchers Collaborated with Ukraine Cyber-Police to Combat Bitcoin Phishing
Researchers at Cisco have joined forces with the Ukraine Cyber-Police to investigate and track the Coinhoarder campaign, a sophisticated Bitcoin phishing operation responsible for the theft of $50 million worth of the cryptocurrency.
Uncovering the Coinhoarder Campaign
The Coinhoarder campaign first came to light in February 2017, when Cisco detected a large-scale phishing scheme operated from Ukraine. The operation targeted users of the popular Bitcoin wallet platform blockchain.info, and its distinguishing technique was abuse of Google AdWords: the attackers paid for ad placements on cryptocurrency search terms so that their look-alike links appeared above the legitimate result, luring users to fake login pages that harvested their wallet credentials.
Attack Pattern and Tactics
Cisco identified a consistent pattern. The threat actors registered a gateway phishing domain and bought AdWords placements for it, so that it surfaced at the top of Google search results for keywords such as "blockchain" and "bitcoin wallet." Users who clicked the ad were redirected to phishing pages tailored to their geographic region and language, which increased the attack's success rate. No weakness in Google or in blockchain.info was exploited; the trust signal being abused was the ad slot above the organic results, which many users treat as the site itself. Ad placements of this kind are not caught by traditional spam filtering, which is why the campaign could run for so long.
Impact and Profits
The Coinhoarder group has been targeting online cryptocurrency wallets and exchanges since 2015, accumulating an estimated $50 million in stolen funds over three years. Its earnings spiked in certain periods, with estimated profits of $10 million in a single three-month span and $2 million in just 3.5 weeks.
Challenges and Complexity
The volatility of Bitcoin prices complicated the perpetrators' efforts to convert their stolen coins into fiat currency such as US dollars. The surge in Bitcoin's value during 2017 made it harder for the criminals to cash out their profits easily, adding a layer of complexity to their operations. Cashing out is also the stage at which the money must touch exchanges and banks, and therefore the stage at which a law-enforcement partner such as the Ukraine Cyber-Police can follow the trail.
Future Threats and Trends
Cryptocurrency phishing via Google AdWords is a lucrative tactic for cybercriminals, and researchers anticipate more sophisticated and convincing phishing attacks in the future. Phishers are already refining their techniques in two ways: obtaining valid SSL/TLS certificates for their look-alike domains, so the browser shows a padlock even though the certificate proves nothing about who owns the domain, and registering internationalized domain names (IDNs) whose non-Latin characters render identically to the letters of the legitimate brand, the so-called homograph attack. Both make the fake page harder for users to distinguish from the real one.
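The look-alike domains that the gateway links and the IDN trick described above depend on can be caught programmatically. The following is an added example, not Cisco's tooling or anything from the original report: a small Python detector that decodes punycode (xn--) labels back to Unicode, strips accents and maps a hand-picked set of Cyrillic and Greek confusables to their Latin look-alikes, and then compares the result against a protected brand, here assumed to be blockchain.info. The confusable map and the sample domain list are constructed for the demo and are not real campaign indicators; the A-label in the sample is derived from its Unicode form in the code so the example runs offline.

```python
"""Flag look-alike domains for a protected brand (added example, hypothetical helper)."""
import unicodedata

BRAND = "blockchain.info"  # assumption: the brand we are protecting

# Hand-picked subset of non-Latin code points that render like Latin letters
# (Cyrillic, Greek, dotless i). A real deployment would use the full Unicode
# confusables table; this map is an assumption made for the example.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03b9": "i",
    "\u0131": "i", "\u0142": "l",
}


def to_unicode(domain: str) -> str:
    """Decode xn-- (A-label) domains to their Unicode (U-label) form."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode (or malformed punycode): use as-is


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparable skeleton: lower-case, drop accents
    left over from NFKD, and map known confusables to Latin letters."""
    text = unicodedata.normalize("NFKD", to_unicode(domain).lower())
    out = []
    for ch in text:
        if unicodedata.combining(ch):
            continue  # e.g. the acute accent split off from 'í'
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as 'blockchien'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND, max_edits: int = 2) -> str:
    """Return how `domain` relates to `brand`:
    exact        - the brand itself
    homograph    - identical once accents/confusables are normalised
    typosquat    - registrable label within `max_edits` of the brand's
    brand-reused - brand label appears as a subdomain or inside a longer label
    unrelated    - none of the above
    """
    raw = to_unicode(domain).lower().rstrip(".")
    if raw == brand:
        return "exact"
    skel = skeleton(domain).rstrip(".")
    if skel == brand:
        return "homograph"
    brand_label = brand.split(".")[0]            # "blockchain"
    labels = skel.split(".")
    cand_label = labels[-2] if len(labels) >= 2 else labels[0]
    if cand_label != brand_label and levenshtein(cand_label, brand_label) <= max_edits:
        return "typosquat"
    if any(brand_label in lbl for lbl in labels[:-1]):
        return "brand-reused"
    return "unrelated"


# Constructed sample of "observed" domains (not real campaign indicators).
SAMPLE_DOMAINS = [
    "blockchain.info",
    "blockcha\u00edn.info",                                  # Latin i with acute
    "blockcha\u00edn.info".encode("idna").decode("ascii"),   # same domain as xn-- A-label
    "bl\u043e\u0441kchain.info",                             # Cyrillic о and с
    "blockchien.info",                                       # typo-squat
    "blockchain.info.secure-login.example",                  # brand as a subdomain
    "bitcoin.org",
]


def scan(domains=SAMPLE_DOMAINS, brand=BRAND) -> dict:
    """Return {domain: verdict} for every domain in the list."""
    return {d: classify(d, brand) for d in domains}


if __name__ == "__main__":
    for domain, verdict in scan().items():
        print(f"{verdict:13s} {domain}")
```

Run it against a feed of newly registered domains or certificate-transparency log entries for the brand's keywords; anything that comes back as homograph or typosquat is a candidate for takedown or blocking before an ad campaign can point at it. Note that the skeleton comparison deliberately operates on the decoded Unicode form: a blocklist that only matches the raw xn-- string misses the same domain registered with a different confusable.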
Overall, the collaboration between Cisco researchers and the Ukraine Cyber-Police shows why joint private-sector and law-enforcement efforts matter in combating complex and financially rewarding cyber threats like the Coinhoarder campaign: researchers can identify the infrastructure and the pattern, but only a law-enforcement partner can act on the perpetrators and the money.