Cryptocurrency Phishing (May 2022 through April 2023)

May 2022 through April 2023 was a tumultuous period for cryptocurrency. The market was hit hardest in Q2 2022 and then traded sideways in the low $1T range for the rest of the year. It recovered slightly in early 2023, but total market capitalization remained less than half of the $2T reported for 2021.

Cryptocurrency phishing, however, continues to flourish. Its objectives are the same as those of bank phishing: steal money, credentials, and personally identifiable information.

To study phishing activity in cryptocurrencies, we examined over 6 million phishing URLs, together with the metadata supplied by the phishing feeds, for keywords and brands common to cryptocurrency, and collected a data set suitable for closer analysis. We associated the URLs with three prominent classes of cryptocurrency phishing.

Wallet Phishing targets cryptocurrency wallets: mobile apps, browser extensions, or hardware devices that store cryptocurrency keys and allow users to buy, sell, and store cryptocurrency. We associated URLs with wallet phishing if they contained wallet keywords (airdrop, wallet) or popular wallet brands (e.g., Ledger, WalletConnect, Trust Wallet).

Exchange Phishing targets platforms such as Binance, Coinbase, or Kraken that allow cryptocurrency investors to buy, hold, or sell cryptocurrencies. We associated URLs with exchange phishing if they contained the names of crypto exchanges (e.g., Coinbase, Kraken, PancakeSwap, Binance, Paxful). We also included URLs that contained strings such as exchange, cryptofx, fxcrypto, fxtrade, tradefx, or forex; these strings suggest currency trading and were frequently used in conjunction with an exchange brand name or a cryptocurrency.

The Cryptocurrency Phishing class covers common cryptocurrency vernacular as well as the brands and ticker symbols of popularly traded cryptocurrencies. We associated URLs with this class if they contained the names of popular cryptocurrencies (e.g., Bitcoin, Localbitcoin) or their exchange symbols (e.g., BTC, ELON). We also included URLs that contained common keywords (e.g., crypto, blockchain, coin) and URLs that our phishing feeds tagged as targeting “generic crypto(currency)”. We excluded false matches on keywords and abbreviations (e.g., btconnect, which targets BT Connect, not Bitcoin).


Overall, we observed little change in volume in cryptocurrency-related phishing, but we did observe significant shifts in phishing targets in our 2023 data compared to our 2022 data.

Composition of Cryptocurrency Phishing Domains

In our 2022 study, we observed that phishers combined two or more brands or keywords when composing the domain names they purposely registered for their cryptocurrency attacks. The defanged URL examples that follow illustrate this practice:

http://www[.]coinbase3wallet[.]xyz/
http://www[.]metamaskwalletverification[.]com/wvw/
http://security-wallet-blockchain[.]com

We observed the same practice in 2023, but to a lesser extent. Still, seven cryptocurrency brands and keywords each appeared in more than 500 domain names (see table on right).
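The keyword and brand matching described in the classification section above, together with the multi-term domain composition just illustrated, as an added example written for this page (it is not the study's own tooling). It assumes term lists limited to the names the text mentions plus `metamask` (taken from the example domain), treats two-letter TLDs as ccTLDs, and runs on constructed sample URLs; a real pipeline would also use a public-suffix list and the feeds' own target tags.

```python
"""Classify phishing URLs into the wallet / exchange / cryptocurrency classes
by matching keywords and brands in the hostname, suppress known false
matches (btconnect), and count how many distinct terms each domain combines.

Added example, not the study's own code. Term lists are limited to what the
text names (plus 'metamask', taken from the example domain); sample URLs are
constructed; gTLD/ccTLD is decided by a two-letter-TLD heuristic.
"""
from __future__ import annotations
from collections import Counter
from urllib.parse import urlsplit

# Class order is the match priority: the specific wallet and exchange
# classes win over the generic cryptocurrency class.
CLASS_TERMS = {
    "wallet":   ["airdrop", "wallet", "ledger", "walletconnect", "trustwallet", "metamask"],
    "exchange": ["coinbase", "kraken", "pancakeswap", "binance", "paxful",
                 "exchange", "cryptofx", "fxcrypto", "fxtrade", "tradefx", "forex"],
    "crypto":   ["bitcoin", "localbitcoin", "btc", "elon", "crypto", "blockchain", "coin"],
}

# Substrings that contain a term but target something else; they are masked
# out before matching so 'btc' is not found inside 'btconnect' (BT Connect).
EXCLUSIONS = ["btconnect"]

def refang(url: str) -> str:
    """Undo the [.] and hxxp defanging used in reports so urlsplit can parse it."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def registered_domain(url: str) -> str:
    """Hostname without a leading 'www.' (naive: no public-suffix list)."""
    host = urlsplit(refang(url)).hostname or ""
    return host[4:] if host.startswith("www.") else host

def matched_terms(host: str) -> dict[str, list[str]]:
    """Per class, the terms found in the hostname after masking exclusions."""
    masked = host.lower()
    for bad in EXCLUSIONS:
        masked = masked.replace(bad, "#" * len(bad))
    hits: dict[str, list[str]] = {}
    for cls, terms in CLASS_TERMS.items():
        found = [t for t in terms if t in masked]
        if found:
            hits[cls] = found
    return hits

def classify(url: str) -> str | None:
    """First class (in priority order) with a match, or None if not crypto-related."""
    hits = matched_terms(registered_domain(url))
    return next((cls for cls in CLASS_TERMS if cls in hits), None)

def distinct_terms(host: str) -> set[str]:
    """All matched terms, minus any that only occur inside a longer match
    (so 'coin' is not counted again when 'coinbase' already matched)."""
    found = {t for terms in matched_terms(host).values() for t in terms}
    return {t for t in found if not any(t != u and t in u for u in found)}

def tld_kind(host: str) -> str:
    """Two-letter TLDs are treated as ccTLDs (assumption; ignores IDN ccTLDs)."""
    return "ccTLD" if len(host.rsplit(".", 1)[-1]) == 2 else "gTLD"

# Constructed sample: the three defanged URLs from the text plus made-up ones.
SAMPLE_URLS = [
    "http://www[.]coinbase3wallet[.]xyz/",
    "http://www.metamaskwalletverification[.]com/wvw/",
    "http://security-wallet-blockchain[.]com",
    "hxxp://binance-support[.]co[.]uk/login",
    "hxxps://free-airdrop-btc[.]io/claim",
    "http://kraken-kyc-verify[.]net/",
    "https://btconnect-webmail[.]com/",     # BT Connect lookalike: must be excluded
]

def summarize(urls: list[str]) -> dict:
    """Class, TLD-kind and term counts over the crypto-related URLs, plus how
    many registered domains combine two or more distinct brands/keywords."""
    classes, kinds, terms = Counter(), Counter(), Counter()
    multi_term = 0
    for url in urls:
        cls = classify(url)
        if cls is None:
            continue
        host = registered_domain(url)
        classes[cls] += 1
        kinds[tld_kind(host)] += 1
        found = distinct_terms(host)
        terms.update(found)
        multi_term += len(found) >= 2
    return {"classes": classes, "tld_kinds": kinds, "terms": terms, "multi_term": multi_term}

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host = registered_domain(url)
        print(f"{classify(url)!s:9} {host:35} {sorted(distinct_terms(host))}")
    print(summarize(SAMPLE_URLS))
```

Masking exclusions before matching (rather than filtering afterwards) is what keeps a lookalike such as btconnect-webmail out of the data set entirely, while a domain that combines an excluded string with a genuine crypto term would still be caught on that term.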

Which TLDs Have the Most Cryptocurrency Phishing Domains?

We identified 68 top-level domains (TLDs) with more than 25 unique reported cryptocurrency phishing domains each. Overall, the number of cryptocurrency phishing domains reported increased from 23,680 in our Phishing Landscape 2022 report to 26,986 in this reporting period, a 14% increase.

· 76% of cryptocurrency phishing domains were delegated from gTLDs and 24% from ccTLDs.

· 62% of cryptocurrency phishing domains were determined to be maliciously registered (registered by the phisher for the attack, rather than legitimate domains that were compromised).

Five TLDs had more than 1,000 cryptocurrency phishing domains reported (again, see table on right).

Where is Cryptocurrency Phishing Most Frequently Hosted?

We used the DNS to resolve the domain names reported for cryptocurrency phishing to IP addresses on the date each was reported, and we also included IP addresses that appeared directly in reported URLs. We then identified the autonomous system (ASN) announcing each IP address.

The five ASNs with the largest number of unique IP addresses reported for hosting cryptocurrency phishing (or to which reported domains resolved) are listed in the table on the right.

Where in the World Do We Find Cryptocurrency Phishing Hosted?

We next associated each ASN with a geographic location to identify where cryptocurrency phishing was most frequently hosted during the year. For those cryptocurrency phishing attacks for which we could determine the country, the top five countries accounted for 84% of attacks (oops, didn’t realize we had four tables; see the table on right).
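The domain-to-IP-to-ASN-to-country pipeline described in the two hosting sections above, as an added example written for this page (not the study's own tooling). Everything it consumes is constructed so that it runs offline: the resolution results, the prefix-to-ASN table (documentation prefixes and private-use ASNs 64496 to 64499) and the ASN-to-country map are all hypothetical. In practice the resolutions come from a resolver or passive DNS for the date each URL was reported, and the prefix table from a routing snapshot for the same day.

```python
"""Map reported cryptocurrency phishing URLs to the ASNs hosting them:
take the IP literal from the URL or the recorded resolution for its host,
find the announcing ASN by longest-prefix match against a prefix-to-ASN
table, rank ASNs by unique IP addresses, and roll ASNs up to countries.

Added example, not the study's own code. RESOLVED, PREFIX_TO_ASN and
ASN_COUNTRY are constructed (documentation prefixes, private-use ASNs).
"""
import ipaddress
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed: hostname -> IP it resolved to on the report date.
RESOLVED = {
    "coinbase3wallet.xyz": "192.0.2.10",
    "metamaskwalletverification.com": "192.0.2.10",   # shares a host with the above
    "security-wallet-blockchain.com": "192.0.2.77",
    "binance-support.co.uk": "198.51.100.5",
    "kraken-kyc-verify.net": "203.0.113.9",
}

# Constructed routing table: prefix -> origin ASN. The overlapping /26 is
# deliberate so that longest-prefix matching actually matters.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "192.0.2.64/26": 64497,     # more specific than the /24 above
    "198.51.100.0/24": 64498,
    "203.0.113.0/24": 64499,
}

# Constructed: ASN -> country of the operator.
ASN_COUNTRY = {64496: "US", 64497: "US", 64498: "DE", 64499: "NL"}

# Constructed sample URLs; the last one has no resolution on record.
SAMPLE_URLS = [
    "http://www[.]coinbase3wallet[.]xyz/",
    "http://www[.]metamaskwalletverification[.]com/wvw/",
    "http://security-wallet-blockchain[.]com",
    "hxxp://binance-support[.]co[.]uk/login",
    "http://kraken-kyc-verify[.]net/",
    "http://203[.]0[.]113[.]42/wallet/",     # IP literal, no DNS needed
    "http://no-longer-resolving[.]org/",
]

def host_from_url(url):
    """Refang and return the hostname without a leading 'www.'."""
    host = urlsplit(url.replace("[.]", ".").replace("hxxp", "http")).hostname or ""
    return host[4:] if host.startswith("www.") else host

def ip_for_url(url):
    """IP literal from the URL itself, otherwise the recorded resolution (or None)."""
    host = host_from_url(url)
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return RESOLVED.get(host)

def asn_for_ip(ip):
    """Longest-prefix match; None if no covering prefix (unrouted at the time)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None

def unique_ips_per_asn(urls):
    """ASN -> number of unique IPs seen hosting (or resolving) reported URLs."""
    ips_by_asn = defaultdict(set)
    for url in urls:
        ip = ip_for_url(url)
        asn = asn_for_ip(ip) if ip else None
        if asn is not None:
            ips_by_asn[asn].add(ip)
    return {asn: len(ips) for asn, ips in ips_by_asn.items()}

def top_countries(urls, n=5):
    """Top n countries by attacks with a known country, and their combined share."""
    per_country = Counter()
    for url in urls:
        ip = ip_for_url(url)
        asn = asn_for_ip(ip) if ip else None
        country = ASN_COUNTRY.get(asn)
        if country:
            per_country[country] += 1
    total = sum(per_country.values())
    top = per_country.most_common(n)
    return top, (sum(c for _, c in top) / total if total else 0.0)

if __name__ == "__main__":
    ranked = sorted(unique_ips_per_asn(SAMPLE_URLS).items(), key=lambda kv: -kv[1])
    for asn, count in ranked[:5]:
        print(f"AS{asn}: {count} unique IP(s)")
    top, share = top_countries(SAMPLE_URLS)
    print(top, f"{share:.0%} of attacks with a known country")
```

Two details matter for reproducing the study's numbers: the ASN ranking counts unique IP addresses, so two domains on the same host (the first two URLs) contribute one IP, and the country share is computed only over attacks whose country could be determined, which is why unresolvable or unrouted entries are dropped rather than counted as "unknown".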

Final Remarks

Phishing generally continues to rise. We do not expect cryptocurrency-related phishing to deviate from this pattern unless the phishing resource supply chain is disrupted. We are also quite confident that we underreport phishing generally: while 6 million URLs is a large number to collect over a single year, we collect data from only four blocklist operators. In our 2023 Phishing Landscape Study, we report overall phishing activity over one- and three-year periods.