Research report: how cybercriminals successfully target crypto users

Criminals impersonate popular cryptocurrency platforms to steal login information and funds

The popularity of digital funds makes hackers more eager to obtain user account credentials and funds directly

Researchers report that financially motivated scammers have spread spoofed emails and created fake login pages to steal login details and deceptively transfer virtual currency funds from users' wallets. These emails impersonate Binance, Celo, Trust Wallet, and other cryptocurrency platforms so that criminals can make money.[1]

Reports show[2] that as NFTs (non-fungible tokens) become more popular and go mainstream, there is a greater risk that more individual NFT holders fall victim to fraud.[3] Criminals use this popularity for their own gain and scam people into revealing details or transferring their NFTs and cryptocurrency directly to illegitimate wallets.

The Proofpoint report also states that attacks targeting particular cryptocurrency platforms are an appealing financial resource for threat actors. These campaigns build on pre-existing patterns in the phishing landscape, which have been popularized and abused more since the rise of blockchain-based virtual currency.

Criminals focusing on siphoning virtual funds more and more

Cryptocurrency is increasingly targeted by various strains of attacks and malware. Phishing attacks[4] are commonly chosen because they are quick and global. According to the Proofpoint research team, these campaigns can largely be broken into three categories: cryptocurrency credential harvesting, cryptocurrency transfer solicitation, and commodity stealers that target cryptocurrency values.

There are many different applications and platforms that rely on cryptocurrency exchanges where people can use and manage their funds. These pages require usernames and passwords and rarely have proper security measures like two-factor authentication. These credentials are heavily targeted and can be obtained by hackers.

Sensitive cryptocurrency data is targeted by threat actors, and these changes in cybercriminals' tactics have already been addressed by various researchers, including the Microsoft 365 Defender Research Team, which warned about particular threats stealing seed phrases, wallet addresses, and private keys.[5]

Phishing landscape and social engineering changes

In recent years, the popularity of Web3 has triggered a change in phishing and made way for other social engineering and exploitation methods that aim directly at cryptocurrency. This was the start of attacks in which funds and credentials got stolen. Currency-stealing malware and credential harvesting techniques helped threat actors achieve their goals.

Proofpoint researchers note that new malware families have been emerging. Old virus strains have been updated to serve hybrid functions that allow targeting cryptocurrency-related data that is later used in scamming and financial attacks:

Current threat activity that most closely resembles threat actor activity in the phishing landscape prior to the existence of cryptocurrency in its current form is the use of infostealer malware.

Spam emails containing URLs that lead to malware downloads, or redirects that expose recipients to credential harvesting pages or even lookalike versions of NFT trading platforms, are starting to emerge more often. Other campaigns even use forms where seed phrases get stolen. This is the start of new methods and attacks aimed at blockchain users. Crypto went mainstream, so malicious attackers take note and try to use this opportunity for quick financial gain.
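The two email traits described above, links that imitate a named platform and requests for a seed phrase, can be screened for on the mail-filtering side. The following is an added example, not code from the Proofpoint report or from this site; the official domains listed, the function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: official domains of the platforms the article names.
OFFICIAL = {"binance": "binance.com", "celo": "celo.org", "trustwallet": "trustwallet.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
SEED_RE = re.compile(r"\b(?:seed|recovery|secret|mnemonic)\s+phrase\b"
                     r"|\b(?:12|24)[- ]word\b|\bprivate\s+key\b", re.I)
LEET = str.maketrans("01345", "oieas")  # common digit-for-letter swaps

def _mentions(brand, netloc):
    """True if the brand appears in the URL authority (userinfo included,
    so "brand.com@other-host" is caught too)."""
    norm = netloc.translate(LEET)
    if len(brand) < 6:  # short names: match whole labels only (avoids "excel")
        return brand in re.split(r"[.\-@:]", norm)
    return brand in norm.replace("-", "")

def _is_official(host, domain):
    return host == domain or host.endswith("." + domain)

def analyze(text):
    """Return (kind, detail) findings for one email body."""
    findings = []
    m = SEED_RE.search(text)
    if m:
        findings.append(("seed-phrase-request", m.group(0).lower()))
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed authority, skip it
            continue
        for brand, domain in OFFICIAL.items():
            if _mentions(brand, parts.netloc.lower()) and not _is_official(host, domain):
                findings.append(("brand-lookalike", f"{brand} -> {host}"))
    return findings

# Constructed sample message (not taken from the report).
SAMPLE = """Subject: Action required: verify your Trust Wallet
Confirm your 12-word recovery phrase within 24 hours at
https://trust-wallet-verify.example/restore
Official help: https://www.binance.com/en/support
Mirror: https://b1nance-login.example/signin
Login: https://binance.com@203.0.113.7/login
"""

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE):
        print(kind, detail)
```

The brand match is a heuristic: it will miss Unicode homoglyph hosts and should feed a review queue rather than block mail on its own.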

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

