Binance Inches Closer to Revealing Hacking Group

Big things are happening behind the scenes of the Binance exchange. Their ongoing investigation regarding market manipulation and theft is progressing nicely. With the hacker bounty still ongoing, the company provided the world with a pretty interesting update.

Binance Hacker Bounty Update

It is evident the recent attempt to steal funds from Binance lingers in people’s minds. Although the attack was ultimately unsuccessful, it does paint a worrisome picture overall. The associated phishing campaign shows how “easy” it can be to manipulate cryptocurrencies in general. Phishing attacks are nothing new in the world of cryptocurrency, though.

In fact, there are quite a few phishing operations active right now. In the case of Binance, their hacker bounty program sheds some interesting light on how this attack was performed. It seems this is not the work of an individual user per se. Instead, there is most likely a group that is responsible for this most recent development. While no one can be identified at this point, that is a remarkable train of thought.

Additionally, the company also identified some phishing domains involved in this recent attack. Most of those domains use search engine advertising campaigns to gain a higher ranking. It is unclear if this includes Google’s own advertising option, but it seems highly likely. It does appear these domains are not just used to target Binance by any means.

Cryptocurrency Phishing Is a Problem

Interestingly enough, the Binance hacker bounty reveals details regarding the people registering these domain names. Two specific names seem to pop up more often than others. Most of the domains registered to these particular individuals are designed with malicious intent in mind. It is unclear if this information is legitimate or just someone using stolen credit card data to register these domains.

Furthermore, the Binance hacker bounty reveals suspicious VIA transactions. Viacoin is a prominent altcoin which can be traded on various exchanges. Several transactions containing 4,000 VIA each were discovered. More specifically, 31 such transfers are of interest, as they can be related to the hacking attempt.

For the time being, we will see how things play out in this regard. Binance will continue to monitor the situation. Users are still welcome to contribute any data as part of this ongoing hacker bounty. Whether or not they will ever find the real culprits remains to be seen. It is evident these hackers need to be identified as quickly as possible. That is much easier said than done.

The cryptocurrency space possesses two qualities that make it the ideal environment for scams. Firstly, there is no shortage of legitimate anecdotes about people who have enjoyed immense wealth courtesy of early digital currency investments. The proliferation of such tales provides the perfect backdrop for a “get rich quick” scheme. Secondly, since the technology is incredibly tough for the layperson to understand, a lot of information has to be taken on trust. Unfortunately, thanks to these two factors, there’s a growing list of stories of people who have been duped out of large sums of money. Here are some tips to help you avoid joining it.

Common Crypto Scams and Their Tell-Tale Signs

Ponzi Schemes: Ponzi schemes work by recruiting new investors to generate returns for their first backers. These scams usually fall to pieces when it becomes apparent that there isn’t actually enough money being generated for all investors.

A common red flag of ponzi schemes is that they promise a high rate of return with very little risk. This is contrary to the usual investment maxim of “high risk/high reward”. Put simply, if it sounds too good to be true, it probably is.

Another red flag to watch out for is multi-level or tiered marketing structures. If it sounds like one level is relying on the efforts of a lower tier to generate profits, you’re likely dealing with a ponzi scheme.

Examples of recent cryptocurrency ponzi schemes include Bitconnect. Ethereum founder Vitalik Buterin was amongst those to call Bitconnect out based on their hugely optimistic forecast for investor returns:

Exit Scams: Exit scams are common in the ICO space. They rely on a gullible investor pool and reasonably savvy presentation of a company that doesn’t exist. Those behind the scam will launch an ICO, usually with the most grandiose of claims, before disappearing entirely.

Red flags of exit scams would be incomprehensible white papers, non-existent teams, and extravagant profit projections. With it being so easy to pull off an ICO exit scam, it’s important to thoroughly research any project before backing it with hard cash. Study the white paper. Check out the team and their backgrounds.

Remember, most ICOs will probably fail at delivering the promises made to investors eventually. Add in the fact that some of them are downright scams and the chances of an investment falling to zero are even greater.

A recent example of an exit scam was Confido. They successfully raised $300,000 at ICO before promptly disappearing.

Phishing Scams: Phishing has been a popular scam amongst cybercriminals for a long time. The premise behind phishing scams is to trick an internet user into handing over valuable or sensitive data to the scammer. They do this by creating websites or emails with an uncanny resemblance to a trusted service. With potentially huge value now accessible through purely digital means, it’s unsurprising that phishing scammers are targeting cryptocurrency users.

Red flags of phishing websites or emails are non-secured webpage URLs or requests for sensitive data. Check that the website uses a secure address (starts with https rather than just http). In addition, look out for any strange characters within the address itself. Be particularly mindful of the use of tiny dots above or below letters. Also, avoid sponsored advertisements on search engines or social media. If you use an exchange or similar service regularly, type the URL in yourself and bookmark the page after checking its SSL security.
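An added example, not part of the original article: a check for the red flags listed above (no https, strange characters in the address, dots above or below letters) that compares a link against bookmarked domains. The `TRUSTED` set, the function names and the sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: domains the user has bookmarked after verifying them.
TRUSTED = {"binance.com", "bitmain.com"}


def to_unicode(host):
    """Decode punycode (xn--) labels so the characters a browser shows are visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # undecodable label: keep the raw form
        labels.append(label)
    return ".".join(labels)


def skeleton(host):
    """Strip dots and accents to get the plain-ASCII shape a reader perceives."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")


def check_url(url, trusted=TRUSTED):
    """Return a list of red flags for a link; an empty list means none found."""
    flags = []
    parts = urlsplit(url)
    host = to_unicode(parts.hostname or "")
    if parts.scheme != "https":
        flags.append("not-https")
    if not host.isascii():
        flags.append("non-ascii-host")
    skel = skeleton(host)
    for good in sorted(trusted):
        same_shape = skel == good or skel.endswith("." + good)
        is_real = host == good or host.endswith("." + good)
        if same_shape and not is_real:
            flags.append("lookalike-of:" + good)
    return flags


# Constructed sample links: the second and third use a letter with a dot below.
SAMPLES = [
    "https://www.binance.com/",
    "https://www.bin\u1ea1nce.com/login",
    "http://bitmai\u1e47.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(ascii(url), check_url(url))
```

The check only catches characters that decompose to an ASCII letter plus a mark; letters borrowed from another alphabet still raise `non-ascii-host` but are not matched to a trusted name.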


These are just a few of the various scams around and their telltale signs. While the cryptocurrency market remains predominantly lawless, such deceptions will unfortunately be part and parcel of it. Bitcoin and other digital currencies allow their proponents to essentially become their own bank. Whilst this ensures unprecedented freedom from traditional financial institutions, it also demands that investors and users are responsible for their own funds.

For years Ukrainian hackers have preyed on bitcoin investors, emptying wallets and then hiding behind the inherent anonymity of the encrypted blockchain.

$50 million in stolen cryptocurrency

Now Cisco has exposed a notorious Ukrainian hacker ring known as Coinhoarder (very subtle), possibly responsible for thefts equaling more than $50 million over many years.

According to a report from Cisco’s Talos cybersecurity team, the thieves used a ‘simple yet treacherous’ form of phishing that involved salting Google adwords with near named sites like

Users entered their security information thinking they were on legitimate sites which allowed hackers to steal cryptocurrency directly from their registered wallets. According to the Talos team;

“The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,”

Treacherous Phishing

Cisco investigated this group’s phishing campaign for over six months in cooperation with Ukrainian cyber-police and found that its technique had ‘become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges’.

The Coinhoarder thefts occurred over three years but culminated in late 2017 as the value of Bitcoin and other cryptocurrencies rose sharply. The group reportedly got away with $10 million between Sept. and Dec. and in one frantic burst of advertising snatched $2 million in less than 4 weeks.

Cisco was able to trace some of the stolen funds, with the assistance of Ukrainian law enforcement, to the thieves’ own wallet address. Though this doesn’t reveal the identity of the crooks, as the wallets are under pseudonyms, Cisco hopes that by scouring forums like Reddit they may eventually pick up clues to the real names of the hackers.

Coinhoarders aren’t the only hacker group to use phishing as a way to attract potential victims. The same technique is employed by the notorious Lazarus Group from North Korea. Cisco found that people from countries with insufficient banking facilities and services are more likely to fall prey to these kinds of techniques as they look towards cryptocurrency as an alternative way to store and move wealth.

In a bit of irony, residents from the African countries of Nigeria and Ghana top this list of victims. Schemes like phishing that rely on digital ads have prompted Facebook to ban all cryptocurrency ads, while Google is exploring ways to put an end to the misleading and fraudulent use of AdWords.

Still, the Cisco security team hopes to ultimately discover and reveal those involved in the Coinhoarder group and maybe even return the stolen funds to their rightful owners, though that is most likely wishful thinking.

Just weeks after a digital wallet provider for Stellar Lumens was hacked, another altcoin wallet has been hit. This time Iota users found their wallets emptied by hackers using malicious online seed generators. It was estimated that $4 million in Iota tokens was stolen in the digital heist.

According to the IB Times the attackers used spurious websites to generate password details for the fintech network. The hackers also used DDoS attacks during the incursion and succeeded in moving IOTA users’ assets to their wallets via seeds they got from a compromised website.

Stolen seeds

Seed generation is a process whereby an 81 character string is created to open or protect an Iota wallet. It is the equivalent of a username and password, or a digital key. Online seed generating websites can perform this task, which is quite complex. It can also be carried out offline, but that requires some technical expertise.

The website exploited was which generated the string by users moving their mouse randomly on the screen. The site has since gone offline leaving the unceremonious message “Taken down. Apologies.” It was the top result in the search pages for online seed generators – possibly an advert for a phishing site that had paid Google to be at the top.

IOTA secure

The Iota distributed ledger remains secure and only the wallets accessed with compromised seeds suffered losses. IOTA Evangelist Network member, Ralf Rottmann, took to Medium to explain the situation.

“From what I’ve heard, many users who lost their funds created their seeds at Chances are, the folks behind this and potentially other seed generators have sat tight for a while, collecting piles of seeds, though the actual numbers of users affected are not known to me. The fact, that is still online at the time of this writing might suggest that the site got compromised itself, and it’s not the folks behind the service who ran the attack.”

Rottmann went on to state;

“The victims literally shared the keys to their wallets with the attackers by using the attackers’ website. In essence, from a purely technical and security perspective, all transfers that happened under this attack, are legitimate transactions. The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter. The attackers did not leverage anything IOTA specific! This is super important.”

Some observers commented that the situation could have been avoided if Iota ran and maintained its own seed generator. However, Iota co-founder David Sønstebø had little sympathy and said users should be responsible for their own security. He went on to add:

“Some inexperienced users went to a website that was listed in Google Ads to generate a password i.e. a phishing site. As a consequence, they essentially gave their password to this nefarious operator. IOTA the technology has not been affected at all.”

The attack comes just a week after $450,000 of XLM was lifted from a compromised third-party Stellar Lumens digital wallet provider.

Cryptocurrency users have become a prone target for cybercriminals. These nefarious individuals often target exchanges and digital wallets. However, it seems there is a malicious social media campaign related to a Bitmain phishing website as well. The site looks and feels like the real deal, but it is clearly a fake. Users need to be aware of these problems and remain vigilant at all times. Cryptocurrency mining is very popular and people aren’t always browsing the correct websites.

The number of phishing attacks against cryptocurrency users has grown significantly. Over the past few years, we have seen numerous attempts at causing financial damage. Exchanges and trading platforms will remain the main target right now. However, someone is trying to trick users into ordering mining equipment from a fake Bitmain website. Considering how the company is the world’s largest manufacturer of such hardware, it is only normal that criminals try to mimic it.

Beware of Fake Bitmain Ads on Facebook

Anyone who gets caught up in this fake website will lose their money. Although it is unclear how many victims there are, one Reddit user pointed this issue out to us. More specifically, he lost 0.33 BTC due to this fake Bitmain website. It seems the nefarious site uses a different spelling of the “n” in the Bitmain name. This also makes the domain name look more legitimate compared to using a slightly different company name. A very problematic development, and one that should not be allowed to take place.

Unlike previous phishing sites, the fake Bitmain isn’t found on Google. There are no paid search engine advertisements when looking for the company by name. Instead, it can only be found on Facebook. Given the popularity of social media, it is normal criminals will try their hand at this new method. No one knows for sure how long the ad has been running for, though. Moreover, it remains unclear if this ad targets users in specific countries.

All things considered, cryptocurrency users need to be more careful than ever before. Any platform or email can contain malicious ads for services which seem legitimate. Bitmain is the latest victim in the ongoing attack by cybercriminals against cryptocurrency enthusiasts. It is unfortunate sites like these are even approved by Facebook. Big companies often don’t have the right staff in place to remain ahead of these phishing sites. It will not be the last of its kind either.

There are many different types of scams in the world of cryptocurrency. Phishing sites are still the main source of concern and financial gain for criminals. Things are only complicated further thanks to paid Google Search ads which show up in people’s browsers. A phishing site mimicking ShapeShift has been identified as a Google Search result. It is easy to spot the fake ad, but some people will get tricked into visiting the site regardless.

Cryptocurrency users need to be on their toes at all times when searching the web. Bookmarking the sites you visit on a regular basis is the best course of action. Typing in addresses manually is prone to errors and may redirect people to phishing sites. Always be wary of Google Search results as well, as the first link is often a sponsored advertisement. Such is the case when conducting a Google Search for ShapeShift. The first result is an ad for a phishing site.

Beware of the Fake ShapeShift Site in Google

It is not the first time criminals use Google advertisements to promote phishing sites. In this case, the site redirects to, instead of It is only a minor difference most people will not notice right away. Using the wrong site will end up in the money being stolen, though. The site looks and feels exactly like the real ShapeShift, which will make it more difficult for novice users to spot the fake one. It is unclear how long this advertisement has been showing up in Google results.

Cryptocurrency users are often targeted by criminals. Given the price appreciation of most top currencies, that is no real surprise. Phishing sites have always been a popular method of attack in this regard. One would expect cryptocurrency enthusiasts to know better than to fall for such blatant scams, but the reality is often very different. Bookmarking the correct address is a viable solution to circumvent issues like phishing sites. It is now up to Google to get rid of this malicious advertisement.

This is not the first phishing attempt against ShapeShift or other cryptocurrency platforms. Exchanges are the most prominent target for cybercriminals in this regard. These platforms are frequently used by people from all over the world, which means there is good money to be made with copycat sites. It is unclear if anyone has used the fake ShapeShift site and lost money because of it. Google has to step up its game to actively block such advertisements in the future, that much is certain.

Cryptocurrency users have seen their fair share of phishing scams over the years. In most cases, those scams involve fake exchange or wallet websites. Users are often contacted through an email campaign, which is often somewhat successful. This is a big problem that needs to be addressed. Things only get worse when the top Google Search result for the Bittrex exchange is a phishing site as well. This method of attack has become more prevalent in recent months.

Rest assured cryptocurrency users will see more phishing attempts in the future. Criminals know exchange users often use lackluster account security. All they need is a login and password to empty account balances with ease. In the case of Bittrex, that has become a lot more difficult. In a new update, the company introduces mandatory email-based 2FA for all users upon logging in. A great move forward, especially considering the growing number of phishing scams in circulation.

Phishing Clone of Bittrex Dominates Google Search Results

More specifically, the top search result for Bittrex on Google is a phishing scam. This is one of the sponsored ads which show up during most people’s searches. The domain name in question is It also uses a fake description which makes it look somewhat legitimate, though. People need to be very careful when Googling for website addresses rather than entering them manually. It’s not hard to remember the domain name, though. Still, novice users often struggle with this concept, which makes them prone targets for such phishing scams.

It has to be said, this fake Bittrex website looks like an exact copy of the original. However, a closer look at the address bar unveils you are using This domain was registered about two weeks ago, indicating this scam has been going on for some time now. It is unclear who registered the domain, though, but we do know they use CloudFlare protection. It also appears the ad is no longer showing up for some people depending on their region, which shows Google is taking action against this scam.

Unfortunately, we will probably see more of these phishing sites in the future. Cybercriminals know users store a lot of money in an exchange wallet. It is up to individual users to take the necessary security precautions. Enabling 2FA in your account is an obvious first step. Not keeping funds in an exchange wallet is the better strategy, though. There are dozens of mobile, desktop, and hardware wallet solutions out there. Keeping your funds safe should be the number one priority for every cryptocurrency user. Otherwise, phishing attempts like these will remain far too successful.

Bitcoin users are all too familiar with the concept of phishing emails. Criminals attempt to trick users into giving up their login information through carefully crafted emails. The latest phishing email to make the rounds is aimed at once again. It is not the first time people try to trick platform users into exposing their Bitcoin wallet.

Never opening an email from someone you don’t know is still a valid course of action. This is especially true for people who rely on external Bitcoin wallet services. So far, we have seen multiple companies suffering from phishing attacks executed by unknown criminals. appears to be a very popular target in this regard. The platform has seen multiple phishing attempts over the past few years.

Users Are at Risk Once Again

More specifically, the new phishing email claims users need to download a backup of their wallet. First of all, the company would never ask users to do so via email. Secondly, they will never include a hyperlink in the message. Anyone can see this is a phishing attempt, even if you are not exactly tech-savvy. Emails like these need to be avoided at all costs. Clicking the link will expose your login information to unknown assailants.

What is rather interesting is how the email also contains an email attachment. This file is named “backup wallet.pdf.exe”. Downloading and running an executable file sent via email is the worst idea anyone can have. It is very likely these criminals want to infect computers with malware as well. Their ulterior motives remain shrouded in mystery for the time being. Moreover, it is unclear who is behind this new phishing email.

Once again, it is unclear how these people get access to Bitcoin users’ email addresses. Considering how phishing campaigns are rather common, something is clearly wrong. However, these emails are often sent to people who don’t even use the service as a wallet. It is possible these email addresses were harvested from a prior Bitcointalk breach several years ago. We can only hope this new campaign is not overly successful in the long run.

Criminals are often targeting Bitcoin users all over the world. Given the popularity and the BTC price increase as of late, this is not surprising. A new phishing email is making the rounds claiming to include some BTC-E vouchers. No one knows exactly who is behind this campaign, yet it is something to be wary about.

Beware of the fake BTC-E Voucher Email

It is not the first phishing email to target bitcoin exchange users. Various similar campaigns have made the rounds over the past few years. In most cases, criminals claim to represent Bitcoin exchanges asking for consumer information. This time, users are greeted with a message regarding BTC-E vouchers. An intriguing turn of events, although it is not hard to see this is a scam.

Everyone who ever uses BTC-E knows the exchange provides a voucher system. However, they will not give them out to platform users free of charge. This email claims otherwise, though. However, rather than pointing users to their account, the email includes a Word file. This file is locked with a password, which is also mentioned in the fake email. In other cases, BTC-E would send a plain text email without attachments.

The goal, by the look of things, is to have people open this Word attachment and infect their computers with malware. This has become a common tactic among internet criminals worldwide. They embed Word files with a malicious macro that triggers the download of malware. In some cases, they use this method to infect computers with ransomware as well.
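An added example, not from the original articles: triaging mail attachments for the two lures described above, the “backup wallet.pdf.exe” double extension and the password-locked Word file. The extension lists, the `voucher.docx` name and the sample message are constructed for illustration, and the password check covers only the OOXML (.docx) container format.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed extension lists for this example; tune them to your own mail policy.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
WORD = {".doc", ".docm", ".docx"}

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Password-protected OOXML files are OLE containers holding this stream name.
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")


def triage(raw):
    """Return [(filename, [reasons])] for attachments that deserve quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Normalise case and any space padding used to push ".exe" out of view.
        exts = [s.strip().lower() for s in PurePosixPath(name.strip()).suffixes]
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if exts and exts[-1] in EXECUTABLE:
            reasons.append("executable")
            if any(e in DECOY for e in exts[:-1]):
                reasons.append("double-extension")
        if exts and exts[-1] in WORD:
            # A scanner cannot look inside an encrypted document, so flag it.
            if payload.startswith(OLE_MAGIC) and ENCRYPTED_STREAM in payload:
                reasons.append("password-protected-document")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Constructed message with stub payloads modelled on the lures in the text."""
    msg = EmailMessage()
    msg["From"] = "support@wallet.example"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Download your wallet backup"
    msg.set_content("Please open the attached backup.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="backup wallet.pdf.exe")
    stub_doc = OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_STREAM
    msg.add_attachment(stub_doc, maintype="application",
                       subtype="msword", filename="voucher.docx")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in triage(build_sample()):
        print(filename, reasons)
```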

It is unclear where the people behind this campaign got the email list they use. Some people on Reddit claim it is a result of a previous Bitcointalk hack. That is not confirmed at this stage, though. Not everyone who receives this email is a customer of BTC-E either. It is doubtful the campaign will be successful in the end. Then again, it never hurts to warn people about the danger lurking around the corner.

Global fraud rings are nothing new under the sun these days. With the rise of deep web activity, criminals have created platforms to communicate and collaborate on a global scale. Avalanche, one of the largest global fraud rings in the world, has now been dismantled. This is a major boon for law enforcement agencies, although the threat is far from over.

The Avalanche global fraud ring has been a thorn in the side of police officials for quite some time now. This project serves as a distributed cloud hosting network, which is often rented out to fraudsters. In fact, Avalanche has been used for over seven years and contributed to multiple malware and phishing attacks all over the world.

Europol, together with law enforcement agencies, worked together for four years to bring Avalanche to an end. Five individuals were arrested on November 30, and a total of 39 web servers have been seized and shut down. Moreover, the global fraud ring scheme spanned 830,000 domain names, which are put out of business as well.

Avalanche is Just One of Many Global Fraud Rings

This crime-as-a-service business model has seen its fair share of success in the past few years. Scammers, spammers, carders, and phishers all made use of this infrastructure at some point. In fact, one could argue Avalanche is one of the pillars of global cybercrime. Moreover, the service is responsible for major e-commerce and bank credential thefts over the years. Several banking Trojans have been deployed through this infrastructure as well.

The UK National Crime Agency explained the situation as follows:

“Cyber criminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users’ bank details and other personal data. At its peak 17 different types of malware were hosted by the network, including major strains with names such as goznym, urlzone, pandabanker and loosemailsniffer. At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.”

Do not be mistaken in thinking this global fraud ring was decentralized by any means. Its creators made sure servers were located all over the world, but that is not the same thing. Instead, the fast-flux hosting method allows botnets to hide delivery sites behind a constantly changing network of compromised services.
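An added example, not part of the original article: one way a defender can spot the fast-flux pattern described above in DNS answer logs, by looking for a name that resolves to many short-lived addresses spread over unrelated networks. The thresholds, function name and sample records are assumptions constructed for illustration, and the sketch handles IPv4 answers only.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for this example; calibrate against your own resolver logs.
MIN_IPS = 5        # distinct A records seen in the observation window
MIN_NETWORKS = 3   # distinct /16 networks those records fall into
MAX_TTL = 300      # seconds; flux records are served with short TTLs


def flux_report(observations):
    """observations: iterable of (domain, ipv4, ttl) taken from DNS answers."""
    seen = defaultdict(lambda: {"ips": set(), "ttls": []})
    for domain, ip, ttl in observations:
        entry = seen[domain.lower().rstrip(".")]
        entry["ips"].add(ipaddress.ip_address(ip))
        entry["ttls"].append(int(ttl))
    report = {}
    for domain, entry in seen.items():
        # Group addresses by /16 to approximate "hosted in unrelated places".
        networks = {ipaddress.ip_network(f"{ip}/16", strict=False)
                    for ip in entry["ips"]}
        max_ttl = max(entry["ttls"])
        report[domain] = {
            "ips": len(entry["ips"]),
            "networks": len(networks),
            "max_ttl": max_ttl,
            "suspect": (len(entry["ips"]) >= MIN_IPS
                        and len(networks) >= MIN_NETWORKS
                        and max_ttl <= MAX_TTL),
        }
    return report


# Constructed observations using documentation address ranges.
SAMPLE = [
    # Rotating answers across three networks with short TTLs.
    ("delivery.example", "192.0.2.10", 60),
    ("delivery.example", "192.0.2.77", 60),
    ("delivery.example", "198.51.100.4", 120),
    ("delivery.example", "198.51.100.91", 60),
    ("delivery.example", "203.0.113.5", 150),
    ("delivery.example", "203.0.113.200", 60),
    # Ordinary site: two stable addresses, long TTL.
    ("shop.example", "192.0.2.20", 3600),
    ("shop.example", "192.0.2.21", 3600),
    # CDN-like name: many short-lived answers, but all in one network.
    ("cdn.example", "198.51.100.1", 30),
    ("cdn.example", "198.51.100.2", 30),
    ("cdn.example", "198.51.100.3", 30),
    ("cdn.example", "198.51.100.4", 30),
    ("cdn.example", "198.51.100.5", 30),
]

if __name__ == "__main__":
    for name, row in flux_report(SAMPLE).items():
        print(name, row)
```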

For the time being, it is unclear if the Avalanche global fraud ring enabled Bitcoin scam sites as well. Given the sheer amount of malicious cryptocurrency investing sites, it is not unlikely similar services are used by criminals. Global fraud rings are a significant threat to our society, and the shutdown of Avalanche is a major victory. However, that does not mean cybercrime threats will subside all of a sudden.
