According to a report published Wednesday, February 14th by Cisco’s Talos Intelligence Group, a team of Ukrainian hackers dubbed CoinHoarder has stolen more than $50 million in cryptocurrency from users who were under the impression they were accessing Blockchain.info, one of the most popular providers of virtual currency wallets.
The report details how the thieves preyed on their victims using a simple technique: buying Google ads on popular cryptocurrency-related search keywords “to poison user search results” and snatch the contents of crypto wallets. This meant that people Googling terms like “blockchain” or “Bitcoin wallet” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets. Fooled into believing they had come to the right place, victims then entered private information that allowed the hackers to gain access to their actual wallets and take their virtual currency.
The poisoned ads included “spoofed” links with small misspellings such as “blokchien.info/wallet” and “block-clain.info,” which sent visitors to pages that mirrored the actual websites of Blockchain, the company that runs both the Blockchain.info and Blockchain.com domains. According to Cisco’s report, the legitimate sites appeared lower in the results than the “poisoned” links.
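The lookalike domains quoted above are the kind of thing a defender can screen for mechanically. The following is an added example, not code from the report or from Cisco Talos: it compares each label of a host (hyphens stripped, so “block-clain” is compared as “blockclain”) against a protected brand label by edit distance and flags anything within a small budget, while allow-listing the two real Blockchain domains the article names. The allow list, the protected label and the distance budget are assumptions chosen for this example.

```python
from urllib.parse import urlsplit

# Hosts the article names as the company's real domains.
ALLOWED_HOSTS = {"blockchain.info", "blockchain.com"}
# Brand label to defend and the edit budget that still counts as "close"
# (both values are assumptions for this example).
PROTECTED_LABELS = {"blockchain"}
MAX_DISTANCE = 3

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hostname(url: str) -> str:
    """Lower-cased host of a URL; bare 'host/path' strings are accepted too."""
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def closest_distance(host: str) -> int:
    """Smallest edit distance between any host label (hyphens removed) and a
    protected label; hosts with no labels get a large distance."""
    labels = [lbl.replace("-", "") for lbl in host.split(".") if lbl]
    if not labels:
        return 10**6
    return min(levenshtein(lbl, brand) for lbl in labels for brand in PROTECTED_LABELS)

def classify(url: str) -> str:
    """'legit' for an allow-listed host, 'lookalike' when some label sits within
    MAX_DISTANCE of a protected label, otherwise 'unrelated'."""
    host = hostname(url)
    if host in ALLOWED_HOSTS:
        return "legit"
    return "lookalike" if closest_distance(host) <= MAX_DISTANCE else "unrelated"

if __name__ == "__main__":
    # Constructed sample: the two spoofed domains quoted in the article, the
    # real site, a subdomain-style impersonation, and an unrelated host.
    for url in ["blokchien.info/wallet", "block-clain.info", "blockchain.info",
                "blockchain.info.login.example", "example.com"]:
        print(f"{url:32} {classify(url)}")
```

Run against ad landing URLs or DNS logs, a “lookalike” verdict is a trigger for review, not proof of fraud; a real deployment would also check the public suffix list and homoglyphs.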
“The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” the Talos team — led by Jeremiah O’Connor and Dave Maynor — said in their report. Cisco, which investigated the “massive phishing campaign” for more than six months in partnership with Ukraine’s Cyberpolice, noted that the Coinhoarder group’s method has since “become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.”
The Coinhoarder thefts occurred over the course of three years but surged at the end of 2017 as Bitcoin prices soared close to $20,000, with $10 million stolen between September and December. In one run, the hackers made off with $2 million in fewer than four weeks, the Talos researchers said. Further, the value of the stolen funds is very likely much more than $50 million now, as Talos based its calculations on cryptocurrency prices at the time of each theft.
Cisco found that the Coinhoarder scam disproportionately ensnared people from underbanked regions where cryptocurrency has caught on as an alternative means of storing wealth: residents of African countries such as Nigeria and Ghana made up the majority of those who landed on the malicious websites.