Phishing domains, cryptomining and more


Cryptocurrency: a reminder of its role in cybercrime

When we look at the intersection of cryptocurrency and domain data, we see something insidious: the prevalence of crypto-related threats. And it’s not just cryptojacking, nor even the role cryptocurrency played in making ransomware attacks easier to commit and more prevalent among malicious actors.

As with almost all trends, there is always someone looking to take advantage of it and use it for their own personal gain. Since cryptocurrency has become the hobby of choice during a pandemic, threat actors have started targeting crypto newbies for their schemes.

From a hacker’s perspective, the target audience is ripe for exploitation:

  • They are probably looking for a way to make money, so the promises of “guaranteed income” are likely to resonate rather than arouse suspicion.
  • These future crypto enthusiasts are just beginning their journey, so they don’t yet know what to watch out for.
  • Many brands already exist, from the coins themselves to the exchanges where they are traded, so there are models that are easy to copy, allowing for wholesale impersonation of a brand or the possibility of passing as just “one more” among so many others.

This article references our upcoming Domain Threat report, but includes research that was done after this report was finalized.

New crypto-related domains

During the pandemic, we have encountered an increasing number of new sites using crypto terms.

Within the generic top-level domain (gTLD) .xyz, crypto-related domain registrations have increased. Jocelyn Hanc, Vice President of Operations at XYZ, helped us validate this trend: “Blockchain companies are showing a strong interest in .xyz domains. In 2018, .xyz was the very first TLD to connect to the Ethereum Name Service (ENS), enabling the transfer of cryptocurrency using a short, memorable domain instead of a long string of letters and numbers. Since then, we have seen a growing adoption of .xyz in blockchain communities.”

Not all new websites (registered in the past 30 days) are a threat, but the rise in popularity that has led to an explosion in crypto-related domain registrations raises questions about the validity of the crypto sites you might be linked to during your day.

In February, crooks on Discord launched a campaign with a link to a site claiming recipients had won a prize. The catch: it asked for 0.02 bitcoin before continuing. Of course, that was the whole scheme. There was no giveaway, but the crooks were able to collect 0.02 bitcoin from several people before word of the scam spread.

The domain used in this scam was registered on January 22, 2021 (under the .com TLD) and the scam was first reported in early February, approximately two weeks after registration. Had the victims of this scam been blocking newly registered domains, they would not have been able to resolve the domain in question. The domain was reported for abuse within 30 days of registration.

Cryptocurrency-Inspired Phishing Schemes

According to our Threat Report research, domains containing the terms “bitcoin” and “nft” were the most likely to host phishing scams. Typosquatting domains targeting Ethereum favored cryptomining (more on that shortly), but phishing was just behind.

One crypto-related phishing site we encountered was a domain identifying itself as “Ethereum Giveaway”. The site has since been deleted.

Another relatively well-known scam at this point is the ‘Bitcoin Code’, which has resurfaced on several occasions using different domains. The site uses stock photos both to fake reviews of its product and to depict its alleged CEO.

Part of the success of this scam is its reliance on “exclusivity”.

In the past 30 days, we have encountered phishing sites containing the following terms:

  • localbitcoin
  • bitcoin storm
  • Bitcointime
  • bitcoin today news

In the case of “localbitcoin” and “bitcointime”, these terms have been registered under several TLDs to widen the attack surface. It’s a common tactic among phishers: as soon as one site goes down, another goes up. They will reuse a term until they are ready to mass-register a new one.
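The two defensive observations above, that blocking newly registered domains would have stopped the Discord scam domain from resolving, and that phishers register the same label under several TLDs, can be turned into a small triage routine. The following is an added example written for this article, not DNSFilter code; the domain records and dates are constructed sample data, and the term list is taken from the terms the article reports.

```python
"""Triage crypto-themed domains by registration age and cross-TLD reuse.

Added example for this article; not DNSFilter's code. All domains and
registration dates below are constructed sample data, not real WHOIS records."""
from collections import defaultdict
from datetime import date

# Terms the article reports as common in crypto-themed phishing/mining domains.
CRYPTO_TERMS = ("bitcoin", "ethereum", "nft", "crypto", "mining", "ftx",
                "dogecoin", "litecoin")

# Age under which a domain counts as newly registered (the article's 30-day window).
NRD_WINDOW_DAYS = 30

# Constructed sample of (domain, registration date). Not real registrations.
SAMPLE_RECORDS = [
    ("localbitcoin.com", date(2021, 1, 22)),
    ("localbitcoin.net", date(2021, 1, 25)),
    ("localbitcoin.xyz", date(2021, 2, 1)),
    ("bitcointime.org", date(2020, 6, 10)),
    ("bitcointime.info", date(2021, 1, 30)),
    ("ethereum-giveaway.xyz", date(2021, 2, 3)),
    ("notmining.tk", date(2021, 1, 28)),
    ("example.org", date(2005, 3, 14)),
    ("weather.com", date(1995, 1, 1)),
]

# Constructed "today": a few days after the Discord scam was reported.
SAMPLE_TODAY = date(2021, 2, 5)


def split_domain(fqdn):
    """Return (registrable label, tld) for a two-part domain.
    Assumption: no multi-part public suffixes such as .co.uk in the input."""
    label, _, tld = fqdn.lower().strip(".").rpartition(".")
    return label, tld


def is_newly_registered(registered, today, window=NRD_WINDOW_DAYS):
    """True when the domain was registered within the last `window` days."""
    return 0 <= (today - registered).days <= window


def crypto_terms_in(label):
    """Crypto-related terms found in the registrable label, in CRYPTO_TERMS order."""
    return [t for t in CRYPTO_TERMS if t in label]


def triage(records, today):
    """Map each domain that raises a signal to its signals: 'nrd' and/or 'crypto:<terms>'."""
    signals = {}
    for fqdn, registered in records:
        label, _ = split_domain(fqdn)
        found = []
        if is_newly_registered(registered, today):
            found.append("nrd")
        terms = crypto_terms_in(label)
        if terms:
            found.append("crypto:" + ",".join(terms))
        if found:
            signals[fqdn] = found
    return signals


def nrd_block_list(records, today):
    """Domains an NRD-blocking policy would refuse to resolve today."""
    return sorted(f for f, r in records if is_newly_registered(r, today))


def multi_tld_labels(records):
    """Crypto-themed labels registered under two or more TLDs -> sorted list of TLDs."""
    tlds = defaultdict(set)
    for fqdn, _ in records:
        label, tld = split_domain(fqdn)
        if crypto_terms_in(label):
            tlds[label].add(tld)
    return {label: sorted(t) for label, t in tlds.items() if len(t) >= 2}


if __name__ == "__main__":
    for fqdn, sig in triage(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{fqdn:24} {' '.join(sig)}")
    print("NRD block list:", nrd_block_list(SAMPLE_RECORDS, SAMPLE_TODAY))
    print("same label across TLDs:", multi_tld_labels(SAMPLE_RECORDS))
```

Run against the sample, the NRD policy alone blocks every constructed scam domain registered in the two weeks before the report, while the older `bitcointime.org` slips through on age and is caught only by the term match; the cross-TLD grouping then shows `localbitcoin` and `bitcointime` each spread over several TLDs, which is the reuse pattern described above.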

One of the “localbitcoin” sites (screenshot omitted) uses its pricing as its homepage. Most websites don’t do that, and that alone is suspect.

This is all part of a trend toward more targeted phishing attacks. The blockchain space is growing, and threat actors and crooks are very likely to go after people interested in cryptocurrency or NFTs.

Cryptocurrency mining matches rising interest in crypto

In 2020, cryptomining made a comeback, in a big way. On our network, terms related to Ethereum, Litecoin and Dogecoin were the most likely to be classified as cryptomining. That makes sense, as these are among the newer cryptocurrencies (especially compared to bitcoin).

Among the cryptomining domains encountered on our network during the pandemic, 2.39% of them contained the term “ethereum”. Impressively, 11.95% of these domains actively use terms related to mining. One particularly cheeky cryptominer registered a domain with the term “notmining.”

Looking at where these cryptomining sites come from:

  • 3.19% used the ccTLD (country code TLD) .ru which belongs to Russia
  • 3.20% used the .eu ccTLD which belongs to the European Union
  • 4.80% used the ccTLD .tk which belongs to the Central African Republic
  • 5.20% used the .de ccTLD which is owned by Germany

We expect cryptomining, and the abuse of terms surrounding “crypto” and “NFT”, to expand. This industry has achieved mainstream popularity. Tom Brady now owns an NFT company, and advertisements promoting the FTX cryptocurrency exchange run on Sundays between football games. We’ve even seen the term ‘FTX’ used in phishing campaigns over the past 30 days, including at least one fake support portal (screenshot omitted).

People search for these products on their phones between meetings when they are distracted. They are on platforms like Discord and receive direct messages from strangers. They receive emails about the latest changes in the crypto markets.

Threat actors are ready with many traps that end users can fall into, and cryptocurrency seems to be one of the best ways to grab their attention right now.

  1. A version of this article originally appeared on the DNSFilter site.


Previous 72% of organizations affected by DNS attacks in the past year
Next NCP's Nawab Malik and Jitendra Awhad leaked official documents: IPS officer Rashmi Shukla's lawyer told Bombay HC

No Comment

Leave a reply

Your email address will not be published.