
Phishing Attacks on Bitcoin Wallets Surge as Bitcoin Price Skyrockets

During the past 24 hours, the bitcoin price exceeded the $900 mark for the first time in 3 years. The reason behind this recent price surge is not completely clear, especially since the value of bitcoin has increased by more than 100% in less than 6 months.

Whenever the price of bitcoin surges, cybercriminals’ interest in cryptocurrencies in general rises too.

How Has the Bitcoin Price Surge Affected Cybercriminals?

The most commonly encountered cybercriminal activity related to bitcoin is ransomware. Ransomware is malicious code, mostly in the form of trojans, that denies victims access to their files by encrypting them; the attacker then demands a ransom in bitcoin in exchange for decrypting the files on the victim’s machine.

In 2015-2016, tens of thousands of ransomware attacks were recorded. Three main ransomware families were mostly implicated: Bitcryptor, CTB-Locker and Coinvault. A year or so ago, most ransomware authors set the ransom to 2 bitcoins, which was equal to around $900. Today, 2 bitcoins equal more than $1800, which is relatively high, so most authors of ransomware trojans have reduced the ransom to 1 bitcoin, as can clearly be seen on the Darknet’s ransomware markets.

The success of ransomware attacks is tied to the mode of delivery of the carrier trojans rather than to periods of bitcoin popularity. After all, ransomware trojans represent a cybercriminal’s malicious business model. Last November, there was a surge in infections with the “Locky” ransomware, mainly because it was delivered via phishing. On the other hand, last June saw the fewest ransomware infections of 2016, mainly because the “Angler Exploit Kit” had lost its effectiveness.

The Bitcoin Price Surge and Wallet Phishing Attacks:

Whenever the price of bitcoin surges, malicious wallet phishing activity prospers too. A hacker sets up a website that resembles a given third-party online wallet, such as Blockchain.info, under a domain name deceptively similar to the wallet’s real domain name. The hacker implants a keylogger in the fake site to phish the login credentials of any victim who is deceived by it and enters his/her login credentials.

Recently, members of Cisco’s OpenDNS team tracked a number of operators of bitcoin wallet phishing sites and linked them to other phishing domain names used to phish login credentials for other services such as Google, Apple, Amazon, Dropbox and others.

Cisco’s OpenDNS investigation team published an image of a group of phishing domains registered to connor123fox[at]writeme.com (image not reproduced here).


In most cases, cybercriminals target Blockchain.info, as it is the world’s biggest online wallet. Many have been using Blockchain.info’s wallet for years now, especially since the site doesn’t store the private keys of the bitcoins you own.

According to a report published on Cisco’s OpenDNS blog, the following phishing domains were created during the past 6 weeks (each shown with its registration date), a period that corresponds to the bitcoin price surge:

blockchainls.info    2016-11-03
blockchanfo.info     2016-11-03
blockchianfo.info    2016-11-03
blockchainle.info    2016-11-04
blockchainln.info    2016-11-04
blockchianin.info    2016-11-05
blockchianls.info    2016-11-05
blockchianie.info    2016-11-08
blockchianle.info    2016-11-08
blockchianln.info    2016-11-08
blockchinfo.info     2016-11-14
blockchlanfo.info    2016-11-14
blocklchaina.info    2016-11-14
blockchanifo.info    2016-11-16
blockchianas.info    2016-11-16
blockichianfo.info   2016-11-16
blockchiania.info    2016-11-21
blockchianias.info   2016-11-21
blockchianies.info   2016-11-21
blockchianisa.info   2016-11-21
blockichianis.info   2016-11-21
blockchiansa.info    2016-11-22
blockchianse.info    2016-11-22
blockchiensa.info    2016-11-22
blackclhian.info     2016-12-07
blackichian.info     2016-12-07
blacklchian.info     2016-12-07

The algorithm used by Cisco’s OpenDNS team helps detect such phishing campaigns shortly after they go live and, in some instances, even before the domains are registered, which helps prevent successful phishing attacks. Such algorithms are built on a deep understanding of previous successful phishing incidents. According to the blog post, the team’s algorithm is based on the popularity of bitcoin-related keywords on search engines during periods of bitcoin price surge. The rise in phishing attempts against online bitcoin wallets is also related, in one way or another, to the rate of ransomware infections.
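The blog post describes a keyword-popularity algorithm, which the article does not reproduce. As an added example (not the OpenDNS team’s code and not part of the article), the Python below shows the simplest complementary check a defender can run over a feed of newly observed domains: score each domain’s registrable label by edit distance against the protected brand label, counting the adjacent-letter swaps that dominate the list above (“chian” for “chain”) as a single edit. The 27 domains are the ones listed in the article; the benign control domains and the distance threshold of 4 are assumptions made for this example.

```python
"""Flag look-alike (typosquat) domains against a protected brand domain.

Added example: a plain edit-distance heuristic, not the keyword-popularity
algorithm described in the OpenDNS post. Input is the article's domain list
plus a few constructed benign controls.
"""

BRAND = "blockchain.info"

# The 27 phishing domains listed in the article (registration dates omitted).
ARTICLE_DOMAINS = [
    "blockchainls.info", "blockchanfo.info", "blockchianfo.info",
    "blockchainle.info", "blockchainln.info", "blockchianin.info",
    "blockchianls.info", "blockchianie.info", "blockchianle.info",
    "blockchianln.info", "blockchinfo.info", "blockchlanfo.info",
    "blocklchaina.info", "blockchanifo.info", "blockchianas.info",
    "blockichianfo.info", "blockchiania.info", "blockchianias.info",
    "blockchianies.info", "blockchianisa.info", "blockichianis.info",
    "blockchiansa.info", "blockchianse.info", "blockchiensa.info",
    "blackclhian.info", "blackichian.info", "blacklchian.info",
]

# Constructed benign controls (assumption): none of these should be flagged.
BENIGN_CONTROLS = ["blockchain.info", "bitcoin.org", "example.com"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (restricted Damerau-Levenshtein).

    Insertions, deletions, substitutions and adjacent transpositions each
    cost one edit. Transpositions matter here because swapping two letters
    ('chian' for 'chain') is the dominant pattern in the article's list.
    """
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD for simple two-label hosts.

    Assumes a single-label public suffix such as .info; a real deployment
    would consult the public suffix list instead of splitting on the last dot.
    """
    host = domain.lower().rstrip(".")
    return host.rsplit(".", 1)[0]


def flag_lookalikes(domains, brand=BRAND, max_distance=4):
    """Return {domain: distance} for every domain whose label is within
    max_distance edits of the brand's label, excluding the brand host itself.

    A brand label on a foreign TLD scores 0 and is still reported: that is a
    case a defender wants to review, not silently accept.
    """
    brand_host = brand.lower().rstrip(".")
    brand_label = registrable_label(brand_host)
    hits = {}
    for domain in domains:
        host = domain.lower().rstrip(".")
        if host == brand_host:
            continue
        dist = osa_distance(registrable_label(host), brand_label)
        if dist <= max_distance:
            hits[domain] = dist
    return hits


if __name__ == "__main__":
    hits = flag_lookalikes(ARTICLE_DOMAINS + BENIGN_CONTROLS)
    for domain, dist in sorted(hits.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"distance {dist}  {domain}")
```

Run against the article's list, all 27 domains land within 4 edits of "blockchain" while the controls do not. The threshold is a trade-off: lower values miss the longer insertions ("blockichianfo"), higher values start pulling in unrelated words, so in practice this scoring is one feature fed into review alongside registration date, registrant data and the keyword signals the post describes.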


According to a report published by Cisco’s OpenDNS team, phishing attacks on online bitcoin wallets have surged in response to the rise in bitcoin price during the past 6-8 weeks. Two months ago, a man in Connecticut was arrested for phishing Darknet login credentials on some websites and stealing bitcoins, and it seems we will see more such cases soon. There are also many other phishing scams on Clearnet sites. The success of ransomware infections is more related to the mode of delivery than to the price of bitcoin.


  1. Combined with a recent surge in pricing of certain (i.e., my essential product which I require in order to keep well and not to get sick…) products, this is extremely disturbing; I am relatively certain that I have done all that I can to protect myself – I do NOT have a third party wallet but pay directly from my BTC provider to my marketplace wallet, safest way to go about things if one is not doing any kind of investment with BTC or XMR or any other CC; wallets on the Markets I use are valid only for a certain number of days in any event.
    I feel for those who have been taking advantage of the rise in BTC price and suddenly find themselves victim of one of these phishing/key logging attacks (possible through wallets but NOT through TOR network wallets or Markets)… the advantage of what I do is that what I am paying for still remains the same in USD, GBP, EUR or any other hard currency – I have thought in the past of investment and would have made a relative fortune had I done so when I was in agreement with the Daily Telegraph’s recommendations of around 6 or 7 months back to pour at least half of one’s moveable income into BTC, having predicted a high of USD600 (an understandable but now much lower figure than even I expected, having thought myself that GBP600 was the most likely high for the next twelve months). The methods being employed, though, are the most disturbing things about it all.
    How on earth do we bring about the end of this ransomware and its consequences for traders, both buyers and vendors? Avoiding the wallets mentioned and also the Coinbase group is a start; of course there is no chance of taking advantage of any further rise in price, but if you are merely using the BTC for single purchases from week to week or month to month then it’s not a problem and it is not a situation that the blackmailers can take advantage of.
    Anyone got any ideas how to turn this around and cause the phishes to fall on THEIR faces and lose?
    Let us face it, they are the ultimate scum of the cryptocurrency markets.
    And can anybody confirm or deny what has happened to the MONERO market? I hear that it is in a state of stagnation until something or other (bug? Some sort of problem related to the provision of the currency?) is fixed… At the moment the price is still 1/35 BTC. I see MONERO as the next big CC which will inevitably grow and rise beyond its current capabilities and truly become a, or THE main rival to BTC as the CC of choice, there are already at least three Marketplaces on the DN that accept both.
    Anything to add, my friends?

  2. Have a look at BURST; I believe that to be the next big Crypto in the next few years…. Remember what would buy a pizza would now buy a mansion in BTC terms from when that first hit, and BURST is going in the same direction.

  3. The best way you can thwart these attacks is to disable Java or, better yet, not install it at all, as most of the ransomware viruses are written in Java; Flash is another popular attack threat. Be careful of where you browse and block ads; many of the viruses are spread through an infected ad on a harmless page. Use common sense when browsing and good anti-malware. If you are on Tor, be sure ad block is enabled and NoScript is turned on. This should keep you safe. Common sense and good anti-malware are the key to staying safe on the web. I have seen the CryptoLocker virus at work and it is ingenious. There are many versions and they keep writing new ones as the old ones are detected. From an IT security perspective I find it fascinating and have watched it in a sandboxed environment very effectively encrypt whole network drives as well as the computer’s hard drive, leaving some institutions no choice but to pay the ransom!
