The Intersection of Cryptocurrency and DNS Data Part 2: Cryptomining, Phishing, New Domains, and More

Outtakes from our upcoming threat report

Now where were we? 

In part 1 of this 2-part blog series we covered cryptocurrency domain trends. Parts of this blog spurred an entire section in our upcoming Domain Threat Report (which you can reserve a copy of right now). What we have here are the outtakes. That’s not to say this blog represents the most “boring” findings—we just couldn’t fit everything in the threat report. And some things we discovered while wrapping up our report. But we still wanted to share our findings with you—that’s what you’ll see here.

Cryptocurrency: A reminder of its role in cybercrime

When we look at the intersection of cryptocurrency and domain data, we see something insidious: The prevalence of crypto-related threats. And it’s not just cryptojacking. It’s not even the use of cryptocurrency which has made ransomware attacks easier for threat actors to commit and all the more widespread.

As with nearly every trend, there is always someone looking to capitalize on it and use it for their own, personal gain. Ever since cryptocurrency became the pandemic hobby of choice, threat actors have begun to target crypto novices for their schemes.

From a hacker’s perspective, the target audience is ripe for exploitation:

• They are likely seeking out a way to make money, so promises of “guaranteed earnings” are likely to resonate as opposed to rouse suspicious
• These would-be crypto enthusiasts are just starting their journey, so they don’t know yet what not to look for
• Plenty of brands already exist—from the coins themselves to the exchanges where they’re traded—so there are easy templates to copy, allowing total impersonation or the ability to be just “one more” among so many
  

While our previous post focused on finding trends on our network that matched news stories, here we’ll zero in on scams, deceptive sites, and the manipulation of user resources.

New crypto-related domains

Over the course of the pandemic, we encountered an increasing number of new sites leveraging crypto terms. 

Within the generic Top-Level Domain (gTLD) .xyz, domain registrations related to crypto within this TLD have grown. Jocelyn Hanc, Vice President of Operations at XYZ, helped us validate this trend: “Blockchain companies are showing strong interest in .xyz domains. In 2018, .xyz was the first-ever TLD to connect to the Ethereum Name Service (ENS), allowing transfer of cryptocurrency using a short and memorable domain such as walletname.xyz, instead of a long series of letters and numbers. We have seen growing adoption of .xyz in the blockchain communities since then.”

Not every new website (registered within the last 30 days) is a threat, but the increase in popularity that has led to an explosion of domain registrations related to crypto has created questions around the validity of crypto sites you might get linked to in the course of your day.

Back in February, scammers on Discord launched a scheme with a link to a site claiming they won a prize. The catch was they requested .02 bitcoin before proceeding. Of course, that was the entire scheme. There was no giveaway, but scammers were able to get .02 in bitcoin from multiple people before the scam caught on.

The domain used in that scam was registered on January 22, 2021 (using the TLD .com) and the scam was first reported in early February—roughly 2 weeks after registration. If victims of this scam were blocking newly registered domains, they would not have been able to resolve the domain in question. The domain was flagged for abuse less than 30 days after registration.

Phishing schemes borrow inspiration from cryptocurrency

According to the research from our threat report, domains with the terms “bitcoin” and “nft” were more likely to house phishing schemes. Ethereum typosquatting domains favored cryptomining (more on that shortly), but phishing was a close second.

One phishing site related to crypto that we encountered was ​​a domain advertising itself as “Ethereum Giveaway.” The site has since been taken down. 

Another relatively well-known scam at this point is “Bitcoin Code,” which has resurfaced many times using different domains. The site uses stock photos to fake reviews of their product as well as their supposed CEO. 

Part of this scam’s success is its reliance on “exclusivity.” 

Just in the last 30 days, we encountered phishing sites with the following terms:

• localbitcoin
• bitcoin-storm
• Bitcointime
• bitcointodaynews
  

In the case of “localbitcoin” and “bitcointime,” these terms were registered under multiple TLDs to increase their attack surface. It’s a common tactic among phishers: As soon as one site goes down, another goes up. They’ll reuse one term until they’re ready to register a new one en masse.

The following is one of the “localbitcoin” sites:

Most websites do not set their pricing as their homepage, which is what is shown here. This alone is suspicious.

This is all a part of a trend to make phishing attacks more targeted. The blockchain is growing, and reaching people with an interest in cryptocurrency or NFTs is highly likely for threat actors and scammers.

Cryptomining matches the rise in Crypto interest

In 2020, cryptomining made a comeback. In a big way. On our network, terms related to Ethereum, Litecoin, and Dogecoin were the ones most likely to be categorized as cryptomining. And this makes a lot of sense, as they’re some of the newer cryptocurrencies (especially compared to bitcoin).

Of cryptomining domains encountered on our network during the pandemic, 2.39% of them contained the term “ethereum.” Impressively, 11.95% of these domains actively use terms related to mining. One particularly cheeky cryptominer registered a domain with the term “notmining.”

Looking at where these cryptomining sites are originating from:

• 3.19% used the ccTLD (country-code TLD) .ru which belongs to Russia
• 3.20% used the ccTLD .eu which belongs to the European Union
• 4.80% used the ccTLD .tk which belongs to the Central African Republic
• 5.20% used the ccTLD .de which belongs to Germany
  

We only expect cryptomining and the exploitation of terms surrounding “crypto” and “NFTs” to grow. This industry has reached mainstream popularity. Tom Brady now owns an NFT company and ads promoting the FTX cryptocurrency exchange run on Sundays between football games. We’ve even seen the term “FTX” used in phishing campaigns in the last 30 days, including at least one fake support portal:

People search for these products from their phones in between meetings while distracted. They’re on platforms like Discord and get direct messages from strangers. They receive emails about the latest changes in the crypto markets.

Threat actors are ready with plenty of traps for end users to fall into, and right now cryptocurrency seems to be one of the better ways to capture their attention.

Want early access to DNSFilter's 2021 Threat Report? Click here to be one of the firsts to reserve your copy today!