Bitcoin Phishing Ring CoinHoarder

Cisco’s Talos Group has published its findings on a Bitcoin theft campaign it has been tracking in Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms, such as “blockchain” or “bitcoin wallet”. Potential victims searching for these terms would see the cybercriminals’ links in the search results as a featured ad. Clicking on the fake ad would send the victim’s browser to a landing page in their native language that attempted to collect credentials. These phishing pages were hosted on and, except for the URL, appear quite similar to the real site. Using results from DNS queries and WHOIS data, Talos was able not only to track where the victims resided (Nigeria, Ghana, Estonia, and others) but also to identify other potentially malicious sites. While Talos was watching this campaign, it evolved: the phishing pages began to look more like the real ones, and the attackers began using secure websites (HTTPS). The secure sites made use of certificates issued by Cloudflare and Let’s Encrypt. Another tactic observed was the use of internationalized domain names in what are referred to as homograph attacks, where an international character closely resembles an English character and the resulting URL could be mistaken by a casual viewer for the real one.
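One way to check hostnames from DNS or proxy logs for the homograph tactic described above. This is an added example, not code from Talos or from the original post. The watchlist, the small confusables map, and the `.example` sample host are constructed assumptions, and the map covers only a few Cyrillic lookalikes.

```python
import unicodedata

# Constructed, non-exhaustive map of Cyrillic letters that resemble Latin ones.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
})
WATCHLIST = {"blockchain", "bitcoin"}  # assumed names to protect


def to_ace(label):
    """Build the xn-- (punycode) form of a label; used only for sample data."""
    return "xn--" + label.encode("punycode").decode("ascii")


def decode_label(label):
    """Return the Unicode form of one DNS label as seen in a log or URL."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: leave as-is
    return label


def skeleton(text):
    """Fold known lookalikes and strip diacritics to get a comparable form."""
    folded = unicodedata.normalize("NFKD", text.lower().translate(CONFUSABLES))
    return "".join(ch for ch in folded if not unicodedata.combining(ch))


def check_host(host, watchlist=WATCHLIST):
    """Return (unicode_host, findings); findings is empty for a clean host."""
    labels = [decode_label(l) for l in host.rstrip(".").split(".")]
    findings = []
    for label in labels:
        if label.isascii():
            continue  # plain ASCII labels cannot be IDN homographs
        findings += [f"lookalike of '{n}'" for n in sorted(watchlist)
                     if n in skeleton(label)]
        used = {unicodedata.name(c, "UNKNOWN").split()[0]
                for c in label if c.isalpha()}
        if len(used) > 1:
            findings.append("mixed scripts: " + "+".join(sorted(used)))
    return ".".join(labels), findings


# Constructed sample: Cyrillic "o" (U+043E) in place of the Latin letter.
if __name__ == "__main__":
    print(check_host(to_ace("bl\u043eckchain") + ".example"))
```

The skeleton comparison also catches Latin letters with diacritics, which never trigger the mixed-script finding because they stay within one script.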


Click to access BTC_IOCs.pdf

