Blockchain.info Coinhoarder Phishing

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



Blockchain.info

Blockchain.info was one of the most popular online wallets for bitcoin and other cryptocurrencies. The platform provided JavaScript wallet code to clients, which allowed them to manage their own private keys locally. A group of phishers from Ukraine set up mirror websites which looked identical, at very similar URLs. The mirror sites proxied content directly from blockchain.info, with the only modification being injected code that extracted users' private keys. Users would interact with what they thought was the blockchain.info website, only to find that their funds mysteriously disappeared. While law enforcement appears to have tracked down the criminals responsible, it does not appear that any funds have been recovered.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]

About Blockchain.info

"The world’s most popular crypto wallet. Over 80 million wallets created to buy, sell, and earn crypto." "As they say, not your keys, not your crypto. Blockchain.com Private Key Wallets are the most widely-used wallets for self-custody of your crypto. We make it easy for people who are ready to control their private keys to hold them with a Secret Private Key Recovery Phrase." "When it comes to ensuring that your crypto is secure, we think about every last detail so you don’t have to."

"According to a report published Wednesday, February 14th by Cisco’s Talos Intelligence Group, a team of Ukrainian hackers dubbed CoinHoarder has stolen more than $50 million in cryptocurrency from users who were under the impression they were accessing Blockchain.info, one of the most popular providers of virtual currency wallets." "[S]ecurity researchers teamed up with Ukraine’s Cyberpolice unit to uncover a phishing scam that was going on for at least three years."

"In February 2018, a criminal group, dubbed Coinhoarder, managed to amass a total of $50 million in cryptocurrencies since 2015 – including an amount of $2 million that was taken in less than a month during 2017."

"The campaign was based on the simple premise of setting up fake websites mirroring the immensely popular online wallet website, Blockchain.info." "According to coindesk.com, the perpetrators set up fake sites with similar but slightly different domain names to Blockchain.info, like “blockchien.info”, targeting specific geographic areas."

"The hackers then ensured a steady purchase of Google AdWords in order to infiltrate search results of users looking to access Blockchain.info and position their fake websites in a favorable spot." "This meant people Googling terms like “blockchain” or “Bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets."

"The poison ads included “spoofed” links with small mistypes like “blokchien.info/wallet” and “block-clain.info,” which sent visitors to pages that mirrored actual websites of the company Blockchain, which runs both the domains Blockchain.info and Blockchain.com."

"Once users accessed the fake site, they would be fed phishing content in their native language, determined according to their geographic region that was revealed through their IP address."

"This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals. Additionally, the revenue generated by these sorts of attacks, can then be reinvested into other cybercriminal operations."

"Cisco identified an attack pattern in which the threat actors behind the operation would establish a "gateway" phishing link that would appear in search results among Google Ads. When searching for crypto-related keywords such as "blockchain" or "bitcoin wallet," the spoofed links would appear at the top of search results. When clicked, the link would redirect to a "lander" page and serve phishing content in the native language of the geographic region of the victim's IP address."

"The domain block-clain[.]info was used as the initial "gateway" victims would first visit. Victims would immediately be redirected to blockchalna[.]info, the landing page where the actual phishing content was hosted. These fraudulent sites are mostly hosted on bulletproof hosting providers based in Europe."
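The typosquatted names quoted above (block-clain, blockchalna, blokchien, blockchien) are all one to three edits away from the genuine label. As an added example, not code from Cisco Talos, Blockchain.info or this wiki, the Python below flags such near-miss names in DNS query logs; the log format, the watch-list in PROTECTED and the distance threshold are assumptions.

```python
# Added example (not code from the Talos report or the wiki): flag DNS queries for
# names a few edits away from a protected domain. Log format below is constructed.
PROTECTED = ("blockchain.info", "blockchain.com")  # assumed watch-list

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable(domain):
    """'wallet.block-clain[.]info' -> ('blockclain', 'info'): refang, keep the last two
    labels, and drop hyphens so a hyphen insertion scores like any other near miss."""
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    name, tld = (parts[-2], parts[-1]) if len(parts) > 1 else (parts[0], "")
    return name.replace("-", ""), tld

def lookalike_of(domain, max_distance=3):
    """(protected_domain, distance) for a near miss; None for the real domain or unrelated names."""
    name, tld = registrable(domain)
    best = None
    for p in PROTECTED:
        p_name, p_tld = registrable(p)
        if (name, tld) == (p_name, p_tld):
            return None  # the genuine domain, or a subdomain of it
        dist = osa_distance(name, p_name)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (p, dist)
    return best

def scan_dns_log(lines):
    """Return (qname, protected, distance) for each suspicious query.
    Constructed line format: '<timestamp> <client> <qname> <qtype>'."""
    hits = []
    for line in lines:
        fields = line.split()
        match = lookalike_of(fields[2]) if len(fields) >= 4 else None
        if match:
            hits.append((fields[2], match[0], match[1]))
    return hits

SAMPLE_LOG = [  # constructed; the lookalike names are the ones cited in the report
    "2018-02-01T10:00:00Z 10.0.0.5 wallet.blockchain.info A",
    "2018-02-01T10:01:00Z 10.0.0.7 block-clain.info A",
    "2018-02-01T10:01:02Z 10.0.0.7 blockchalna.info A",
    "2018-02-01T10:02:00Z 10.0.0.9 blokchien.info A",
    "2018-02-01T10:03:00Z 10.0.0.9 example.org A"]
```

A threshold of three edits on a ten-character label will also flag unrelated sites whose names happen to be close, so treat hits as review items rather than automatic blocks.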

"As soon as the user enters the wallet, or creates a new one, the JavaScript downloaded from the site is replaced by Nginx on the fake server with its own. These functions, when initializing the wallet, send a POST request to a special address with the data: sharedkey, password, secondPassword, isDoubleEncrypted, pbkdf2_iterations, accounts. "Accounts" contains the xpub and xpriv keys for each wallet. If the wallet data is encrypted with a double password, it decrypts it and sends this information to its server. An interesting fact is that two-factor authentication will not help in this case."

"The nginx server works as a proxy of the original site, with the exception of the JS file "my-wallet", which uses the "Lua nginx" module to add malicious functions that are executed after authorization and send the user's private key to the server, after which the balance is automatically checked and the transfer is carried out."
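Because the fake site was an nginx reverse proxy, every victim's session reached the genuine service from the proxy host's own address, so one client IP authenticating to many unrelated wallets inside a short window is a server-side signal the real operator can look for. As an added example, not Blockchain.info's code, the Python below applies that check to constructed login logs; the log format, the one-hour window and the wallet-count threshold are assumptions.

```python
# Added example (not Blockchain.info's code). A reverse-proxy mirror forwards every
# victim's session from the proxy host, so the genuine service sees one client IP
# authenticating to many unrelated wallets. Log format and threshold are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MAX_WALLETS_PER_IP = 5  # assumed; tune against normal traffic (NAT, corporate egress)

def parse_login(line):
    """Constructed format: '<iso-timestamp> <client_ip> login <wallet_id>'."""
    fields = line.split()
    if len(fields) != 4 or fields[2] != "login":
        return None
    ts, ip, _, wallet = fields
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, wallet

def proxy_suspects(lines, window=WINDOW, threshold=MAX_WALLETS_PER_IP):
    """{ip: max distinct wallets seen inside one window} for IPs above threshold."""
    events = defaultdict(list)  # ip -> [(timestamp, wallet_id)]
    for line in lines:
        rec = parse_login(line)
        if rec:
            ts, ip, wallet = rec
            events[ip].append((ts, wallet))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's logins
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({w for _, w in evs[start:end + 1]})
            if distinct > threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

SAMPLE_LOG = (  # constructed: a proxy-like IP, a slow scanner, and a normal user
    [f"2017-11-11T22:{m:02d}:00Z 198.51.100.7 login wallet-{i}" for i, m in enumerate(range(0, 30, 5))]
    + [f"2017-11-11T{h:02d}:00:00Z 192.0.2.9 login wallet-s{h}" for h in range(0, 12, 2)]
    + ["2017-11-11T09:00:00Z 203.0.113.5 login wallet-u"] * 3)
```

Large shared egress addresses will also trip this rule, so a production version would exempt known NAT ranges or combine the count with hosting-provider ASN data like the bulletproof hosters mentioned in the report.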

"The account 18xaP8AmpRDAUiqiXsELtKQFzicC78BnYh was stolen at 2017-11-11 22:41:12 from a blockchain.info wallet. The 2FA was activated and no seed stored on any PC. Also no backup. The 2FA was with Google Authenticator on a smartphone. The bitcoin is being split into two accounts: 13wahvu3FP8LK8P51UmEkhBUhyC7mzkrn3 and 1KDFTGoWXceeZxqUk5wHjnViPEkCdJeU1V. If you check the movements of these wallets you can see they are doing the same to many accounts. The blockchain support answered with a copy/paste generic email, but no more help. The police are already informed and let us see if they can do something... this is frustrating. How can this happen?"

“The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” the Talos team — led by Jeremiah O’Connor and Dave Maynor — said in their report. Cisco, which investigated the “massive phishing campaign” for more than six months in partnership with Ukraine’s Cyberpolice, noted that the Coinhoarder group’s method has since “become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.”

"Cisco found that the Coinhoarder scam disproportionately ensnared those from underbanked regions where cryptocurrency has caught on as an alternative means of storing wealth: Residents of African countries such as Nigeria and Ghana made up the majority of those who landed on the malignant websites." "Using data from Umbrella Client Requester Distribution queries to these malicious domains, we can see a significant number of DNS resolution requests coming from countries such as Nigeria, Ghana, Estonia and many more." "According to a report on the issue published on Tripwire on February 15th, 2018, African countries were persistently targeted by the Ukrainian group, which managed to snatch $10 million just in the last four months of 2017."

"According to blockchain.info security experts, this phishing campaign is one of the largest in the company's history. We believe that this group started its activities at the end of 2014, and in 3 years their total income from criminal activities may exceed hundreds of millions of US dollars."




What Happened


Key Event Timeline - Blockchain.info Coinhoarder Phishing

Date                 Event       Description
February 14th, 2018  Main Event  Cisco Talos publishes its report on the Coinhoarder campaign, which had been stealing from Blockchain.info users since at least 2015.


Total Amount Lost

The total amount lost has been estimated at $50,000,000 USD.




Total Amount Recovered

There do not appear to have been any funds recovered in this case.



General Prevention Policies

Private keys need to be stored offline, and should never be handled in a website environment. Blockchain.info can require an email confirmation when users request access from a new IP address, and only grant access if that link is clicked from the same IP as requested access. Keys can be a shared multi-sig between Blockchain.info and the end user to prevent unauthorized transfers.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References