Heimdal™ AI Discovers a Complex Phishing Cryptocurrency Scam Campaign

Cryptocurrencies have been tremendously growing in popularity, which never fails to attract cybercriminals. While there are still legitimate transactions and investment opportunities in this fintech niche, there are also a lot of shady deals covered up by the anonymity of cryptocurrency, or even downright scams.


We have warned our readers about cyptocurrency scams before and advised them on how to safely invest in cryptocurrency from a security standpoint.Today, our AI engines and the team of malware analysts and machine learning engineers who are actively working to continuously improve the PredictiveDNS™ capabilities powering our Heimdal™ Threat Prevention suite (for Endpoints and Networks) have uncovered a sophisticated new and vast phishing cryptocurrency scam campaign. We are revealing the entire scheme here of tracking these malicious hackers across multiple domains and websites.

How the Malicious Scammers Prepared the Ground for their Theft Campaign


The way this entire phishing campaign was planned out gives testimony to a remarkably organized group. The cybercriminals prepared the environment for their fraudulent campaign many months in advance with fake news websites about cryptocurrency.
This way, they could increase their ranking across search engines and be trusted as legit and trustworthy websites, as well as amass a readership of people interested in cryptocurrencies.


The registration addresses for all of these, while fake (rented out), span across UK, USA, Iceland, The Netherlands and more. The complexity of the campaign was carefully constructed to fly under the radar.

The Purpose of the Phishing Cryptocurrency Scam Campaign

After laying the ground and building the trust of both search engines and readers, the cyber-criminals created several infected websites and shared them on fake news websites with articles like the following:

Our AI algorithm was able to discover the following phishing domains from the fake cryptocurrency news websites:

• geowexbit.com -> 2021-03-08 19:11:37 UTC

• changebitc.com -> 2021-04-02 09:09:56 UTC

• bitctoo.com -> 2021-04-05 22:11:17 UTC

• geocryptonium.com -> 2021-05-03 23:00:59 UTC

• chillbtc.com -> 2021-04-09 12:49:24 UTC

• bitcmax.com -> 2021-04-16 17:28:16 UTC

• excoinbit.com -> 2021-04-01 15:01:10 UTC

• hugobitc.com -> 2021-04-30 11:43:43 UTC

• coinsray.com -> 2021-02-06 12:06:28 UTC

• bigbitc.com -> 2021-04-08 10:58:49 UT

• highbitc.com -> 2021-04-08 10:58:57 UTC

• frexcoin.com -> 2021-01-06 15:43:06 UTC

• bitelix.com -> 2021-03-05 17:06:13 UTC

• cryptonsky.com -> 2021-02-20 23:49:12 UTC

• bitcoinist.com -> 2011-04-25 13:53:36 UTC -> Updated Date: 2021-04-13T12:53:05Z

• bitacex.com -> 2021-03-09 10:31:44 UTC

https://fast-bitcoin-doubler.com -> 2020-11-27 09:07:10 UTC

https://wibexlive.com -> 2019-02-23 07:00:30 UTC

https://waukeen.io -> 2018-09-21

https://cryptoreet.com -> 2021-02-26 22:46:29 UTC

https://traderydefi.com -> 2021-03-16 15:32:06 UTC


You can notice the complexity of the campaign judging by the variety and the age of these domains as well. We believe the hackers might have hijacked some formerly legitimate domains as well in order to include them in the campaign (considering how old the registry dates for some of these are – like 2011, for instance).


These malicious domains promise their readers that they will gain 8 ETH (Ethereum coin) if they can validate that the victim first sends them 0.3 ETH.
After completing the transaction, the money is lost and the data of the victim is likely stored for use in future cybercrime campaigns. The online Ethereum wallets of the hackers seem are empty right now, but this is probably part of a strategy to move funds and cash them in as soon as they receive them.


At the moment, none of these domains are reported elsewhere as being infected, which means that the cybercrime campaign hasn’t been discovered by other cybersecurity researchers so far.
With the internet as vast as it is, traditional cybersecurity research methods are of course only able to discover a small fraction of cybercrimes committed, and even fewer of these are discovered before they can do serious damage.


Without the help of our advanced PredictiveDNS™ AI engine within Heimdal™ Threat Prevention, it’s very likely that a long time would have passed until this new phishing cryptocurrency scam campaign was revealed.


About Heimdal™ Security

Heimdal™ is a strongly emerging cybersecurity provider established in 2014 in Copenhagen, currently spanning offices across the world. With a spectacular year-over-year growth and an impressive ahead-of-the-curve approach to threatscape trends, Heimdal™ Security is the go-to solution for unified, intelligent cybersecurity made easy. In March 2020, Heimdal™ Security was acquired by Marlin Equity Partners, fueling its networks of growth and distribution even further.