A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of Blockchain.info, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco’s Talos cybersecurity team.
The Coinhoarder thefts occurred over the course of three years but surged at the end of 2017 as Bitcoin prices soared close to $20,000, with $10 million stolen between September and December. In one burst, the hackers made off with $2 million in the span of less than four weeks, the Talos researchers said. It’s possible the value of the thieves’ bounty totals much more than $50 million now, as Talos based its calculations on cryptocurrency prices at the time of the theft.
In a blog post published Wednesday, Dave Maynor and Jeremiah O’Connor detailed the Coinhoarder phishing scam, which they said Cisco has been investigating in the past six months in partnership with the Ukrainian Cyberpolice. All in all, they said that those behind the scam had netted $50 million in cryptocurrency over a three-year period.
The report explains how thieves preyed upon their victims using a “very simple” yet treacherous technique: Buying Google ads on popular search keywords related to cryptocurrency “to poison user search results” and snatch the contents of crypto wallets. This meant people Googling terms like “blockchain” or “bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets.
“The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” they wrote. “This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals.”
For example, the poison ads included “spoofed” links with small types like “blokchien.info/wallet” and “block-clain.info,” which sent visitors to a landing page that mirrored actual websites of the company Blockchain, which runs both the domains Blockchain.info and blockchain.com. The legitimate sites appeared lower in results than the “poisoned” links, according to Cisco’s report.
Fooled into believing they had come to the right place, victims then entered private information that allowed the hackers to gain access to their actual wallets and take their digital money.
“The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” the Talos team said in their report.
Cisco also noted that the Coinhoarder group’s method has since “become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.”
“What is clear from the Coinhoarder campaign is that cryptocurrency phishing via Google Adwords is a lucrative attack on users worldwide,” Talos researches added.
In its report, Cisco also revealed some of the hackers’ own Bitcoin wallet addresses, to which it was able to trace the stolen funds with the help of Ukrainian law enforcement. Unmasking the actual thief or thieves is more difficult, as Bitcoin addresses are pseudonymous and don’t contain the name of the person to whom they belong. But Cisco’s Talos researchers are scouring the Internet for clues, including forums such as Reddit where Coinhoarder victims have discussed the theft.
“While identifying the individual who owns a specific wallet is extremely difficult, we still can look for open source intelligence surrounding the wallet,” the researchers said in the report.