{"id":4582,"date":"2018-02-15T11:54:53","date_gmt":"2018-02-15T08:54:53","guid":{"rendered":"https:\/\/forklog.media\/?p=4582"},"modified":"2018-03-20T15:16:08","modified_gmt":"2018-03-20T12:16:08","slug":"ukrainian-hackers-stole-50-million-in-bitcoins-using-poison-google-ads","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ukrainian-hackers-stole-50-million-in-bitcoins-using-poison-google-ads\/","title":{"rendered":"Ukrainian Hackers Stole $50 Million in Bitcoins Using &#8216;Poison&#8217; Google Ads"},"content":{"rendered":"<p>A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of Blockchain.info, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco\u2019s Talos cybersecurity team.<!--more--><\/p>\n<p>The Coinhoarder thefts occurred over the course of three years but surged at the end of 2017 as Bitcoin prices soared close to $20,000, with $10 million stolen between September and December. In one burst, the hackers made off with $2 million in the span of less than four weeks, the Talos researchers said. It\u2019s possible the value of the thieves\u2019 bounty totals much more than $50 million now, as Talos based its calculations on cryptocurrency prices at the time of the theft.<\/p>\n<p>In a <a href=\"https:\/\/blog.talosintelligence.com\/2018\/02\/coinhoarder.html\" target=\"_blank\" rel=\"noopener\">blog post<\/a> published Wednesday, Dave Maynor and Jeremiah O&#8217;Connor detailed the Coinhoarder phishing scam, which they said Cisco has been investigating for the past six months in partnership with the <a href=\"https:\/\/cyberpolice.gov.ua\/news\/kiberpolicziya-vykryla-masshtabnu-fishyngovu-kampaniyu-napravlenu-na-korystuvachiv-kryptovalyuty-foto-5738\/\" target=\"_blank\" rel=\"noopener\">Ukrainian Cyberpolice<\/a>. 
All in all, they said that those behind the scam had netted $50 million in cryptocurrency over a three-year period.<\/p>\n<p>The report explains how thieves preyed upon their victims using a \u201cvery simple\u201d yet treacherous technique: buying Google ads on popular search keywords related to cryptocurrency \u201cto poison user search results\u201d and snatch the contents of crypto wallets. This meant people Googling terms like \u201cblockchain\u201d or \u201cbitcoin wallet\u201d saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets.<\/p>\n<blockquote><p>&#8220;The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,&#8221; they wrote. &#8220;This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals.&#8221;<\/p><\/blockquote>\n<p>For example, the poison ads included \u201cspoofed\u201d links with small typos like \u201cblokchien.info\/wallet\u201d and \u201cblock-clain.info,\u201d which sent visitors to a landing page that mirrored the actual websites of the company Blockchain, which runs both the domains Blockchain.info and blockchain.com. 
The legitimate sites appeared lower in results than the \u201cpoisoned\u201d links, according to Cisco\u2019s report.<\/p>\n<p>Fooled into believing they had come to the right place, victims then entered private information that allowed the hackers to gain access to their actual wallets and take their digital money.<\/p>\n<div id=\"attachment_4584\" style=\"width: 1110px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/forklog.media\/wp-content\/uploads\/2018\/02\/Coinhoarder.jpg\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-4584\" class=\"wp-image-4584 size-full\" src=\"http:\/\/forklog.media\/wp-content\/uploads\/2018\/02\/Coinhoarder.jpg\" alt=\"Ukrainian Hackers Stole $50 Million in Bitcoins Using &#8216;Poison&#8217; Google Ads\" width=\"1100\" height=\"615\" srcset=\"https:\/\/forklog.com\/en\/wp-content\/uploads\/2018\/02\/Coinhoarder.jpg 1100w, https:\/\/forklog.com\/en\/wp-content\/uploads\/2018\/02\/Coinhoarder-300x168.jpg 300w, https:\/\/forklog.com\/en\/wp-content\/uploads\/2018\/02\/Coinhoarder-768x429.jpg 768w, https:\/\/forklog.com\/en\/wp-content\/uploads\/2018\/02\/Coinhoarder-1024x573.jpg 1024w, https:\/\/forklog.com\/en\/wp-content\/uploads\/2018\/02\/Coinhoarder-470x263.jpg 470w\" sizes=\"auto, (max-width: 1100px) 100vw, 1100px\" \/><\/a><p id=\"caption-attachment-4584\" class=\"wp-caption-text\">How the Coinhoarder hackers robbed their victims&#8217; cryptocurrency wallets. 
Diagram courtesy of Ukraine Cyberpolice<\/p><\/div>\n<blockquote><p><strong>\u201cThe attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,\u201d<\/strong> the Talos team said in their report.<\/p><\/blockquote>\n<p>Cisco also noted that the Coinhoarder group\u2019s method has since \u201cbecome increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.\u201d<\/p>\n<p>Schemes involving digital advertising <a href=\"https:\/\/techcrunch.com\/2018\/01\/30\/facebook-is-banning-cryptocurrency-and-ico-ads\/\" target=\"_blank\" rel=\"noopener\">prompted Facebook to ban all cryptocurrency ads<\/a> earlier this year, and Google is also working to root out abusive ads, a spokesperson recently told <a href=\"https:\/\/www.fastcompany.com\/40524185\/bitcoin-bust-facebook-and-google-are-cracking-down-on-cryptocurrency-ads\" target=\"_blank\" rel=\"noopener\">Fast Company<\/a>.<\/p>\n<blockquote><p><strong>&#8220;What is clear from the Coinhoarder campaign is that cryptocurrency phishing via Google Adwords is a lucrative attack on users worldwide,&#8221;<\/strong> Talos researchers added.<\/p><\/blockquote>\n<p>In its report, Cisco also revealed some of the hackers\u2019 own Bitcoin wallet addresses, to which it was able to trace the stolen funds with the help of Ukrainian law enforcement. Unmasking the actual thief or thieves is more difficult, as Bitcoin addresses are pseudonymous and don\u2019t contain the name of the person to whom they belong. 
But Cisco\u2019s Talos researchers are scouring the Internet for clues, including forums such as Reddit where <a href=\"https:\/\/www.reddit.com\/r\/Bitcoin\/comments\/7cz9pu\/bitcoin_stolen_from_blockchaininfo_wallet_even\/\" target=\"_blank\" rel=\"noopener\">Coinhoarder victims have discussed the theft<\/a>.<\/p>\n<blockquote><p><strong>\u201cWhile identifying the individual who owns a specific wallet is extremely difficult, we still can look for open source intelligence surrounding the wallet,\u201d<\/strong> the researchers said in the report.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of Blockchain.info, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco\u2019s Talos cybersecurity team.<\/p>\n","protected":false},"author":1,"featured_media":4583,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"human_written","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[716,281,43,715,16],"class_list":["post-4582","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cisco","tag-crime","tag-hackers","tag-phishing","tag-ukraine"],"aioseo_notices":[],"amp_enabled":true,"views":"203","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/4582","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=4582"}],"version-history":[{"count":2,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/4582\/revisions"}],"predecessor-version":[{"id":4586,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/4582\/revisions\/4586"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/4583"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=4582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=4582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=4582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}