For years Ukrainian hackers have preyed on bitcoin investors, emptying wallets and then hiding behind the pseudonymous nature of blockchain addresses.
$50 million in stolen cryptocurrency
Now Cisco has exposed a notorious Ukrainian hacker ring known as Coinhoarder (very subtle) possibly responsible for thefts totaling more than $50 million from Blockchain.info users over many years.
According to a report from Cisco’s Talos cybersecurity team, the thieves used a ‘simple yet treacherous’ form of phishing that involved salting Google AdWords with near-name lookalike domains such as Blockchein.info.
Users entered their security information thinking they were on the legitimate site, which allowed the hackers to steal cryptocurrency directly from their registered wallets. According to the Talos team:
“The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,”
Cisco investigated this group’s phishing campaign for over six months in cooperation with Ukrainian cyber-police and found that its technique had ‘become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.’
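The lookalike-domain trick above is something defenders can screen for. The following is an added example, not code from Cisco or Talos: it flags ad-landing domains whose brand label is within a couple of edits of a protected domain, the way Blockchein.info imitates Blockchain.info. The protected set and the sample domain list are constructed for illustration.

```python
# Added example (not from the Talos report): flag near-name lookalikes of a
# protected brand domain, e.g. "blockchein.info" vs "blockchain.info".

PROTECTED = {"blockchain.info"}  # constructed: the brand(s) to guard


def brand_label(domain):
    """Second-level label of a bare hostname, lowercased ("blockchein.info" -> "blockchein")."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Damerau-Levenshtein distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(domain, protected=PROTECTED, max_distance=2):
    """Return the protected domain this one imitates, or None.
    An exact match is legitimate; a brand label within max_distance edits
    (on any TLD) is treated as a typosquat candidate."""
    if domain.lower() in protected:
        return None
    label = brand_label(domain)
    for good in protected:
        if edit_distance(label, brand_label(good)) <= max_distance:
            return good
    return None


def scan(domains, protected=PROTECTED):
    """Map each suspect domain in the list to the brand it imitates."""
    return {d: lookalike_of(d, protected) for d in domains if lookalike_of(d, protected)}


# Constructed sample: one legitimate domain, two lookalikes, one unrelated.
SAMPLE = ["blockchain.info", "blockchein.info", "blokchain.com", "example.org"]

if __name__ == "__main__":
    for bad, good in scan(SAMPLE).items():
        print(f"{bad} imitates {good}")
```

Run against the domains that ads for your brand actually land on (or newly registered domains from a zone feed) and review every hit; a distance threshold of 2 catches single-character swaps and deletions without flagging unrelated names.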
The Coinhoarder thefts occurred over three years but culminated in late 2017 as the value of Bitcoin and other cryptocurrencies rose sharply. The group reportedly got away with $10 million between September and December, and in one frantic burst of advertising snatched $2 million in less than four weeks.
With the assistance of Ukrainian law enforcement, Cisco was able to trace some of the stolen funds to the thieves’ own wallet address. Though this doesn’t reveal the identity of the crooks, as the wallets are held under pseudonyms, Cisco hopes that by scouring forums like Reddit it may eventually pick up clues to the real names of the hackers.
Coinhoarder isn’t the only hacker group to use phishing as a way to attract potential victims. The same technique is employed by the notorious Lazarus Group from North Korea. Cisco found that people from countries with insufficient banking facilities and services are more likely to fall prey to these kinds of techniques, as they look to cryptocurrency as an alternative way to store and move wealth.
In a bit of irony, residents of the African countries of Nigeria and Ghana top this list of victims. Schemes like phishing that rely on digital ads have prompted Facebook to ban all cryptocurrency ads, while Google is exploring ways to put an end to the misleading and fraudulent use of AdWords.
Still, the Cisco security team hopes to ultimately discover and reveal those involved in the Coinhoarder group, and perhaps even return the stolen funds to their rightful owners. Though that is most likely wishful thinking.