Spam and phishing mail

Email crypto phishing scams: stealing from hot and cold crypto wallets

The higher the global popularity of cryptocurrencies and the more new ways of storing them, the wider the arsenal of tools used by malicious actors who are after digital money. Scammers tailor the complexity of technology they use and the thoroughness of their efforts to imitate legitimate websites to how well the target is protected and how large the amount is that they can steal if successful. This story covers two fundamentally different methods of email attacks on the two most popular ways of storing cryptocurrency: hot and cold wallets.

Hot wallets and attempts at hacking them

A hot wallet is a cryptocurrency wallet with permanent access to the internet. This is essentially any online service that provides cryptocurrency storage, ranging from crypto exchanges to specialized apps.

Hot wallets are a highly popular crypto storage option. This can be explained by the simplicity of creating one (registering with a wallet service is all you need to do) and the ease of withdrawing and converting funds. The popularity and simplicity of hot wallets makes them cybercriminals’ main target. However, for this reason, and due to the fact that hot wallets are always online, they are rarely used for storing large amounts. Hence, cybercriminals have little motivation to invest heavily into phishing campaigns, and so, techniques used in email attacks on hot wallets are hardly ever original or complex. In fact, they look rather primitive and target mostly unsophisticated users.

A typical phishing scam aimed at a hot wallet user works as follows: hackers send email messages addressed as coming from a well-known crypto exchange and requesting the user to confirm a transaction or verify their wallet again.

Sample phishing email that targets Coinbase users

Sample phishing email that targets Coinbase users

After the user clicks the link, they are redirected to a page where they are asked to enter their seed phrase. A seed phrase (recovery phrase) is a sequence of 12 (less commonly 24) words for recovering access to a crypto wallet. This is essentially the main password for the wallet. The seed phrase can be used for gaining or recovering access to the user’s account and making any transactions. The seed phrase cannot be changed or recovered: by misplacing it, the user risks losing access to their wallet for good, and by giving it to scammers, permanently compromising their account.

Seed phrase entry page

Seed phrase entry page

If the user enters the seed phrase on a fake web page, scammers get full access to the wallet and the ability to siphon all of the funds to their own addresses.

Fairly simple and devoid of software or social engineering tricks, scams like these typically target non-technical users. A seed phrase entry form usually has a stripped-down look: just an input field and a crypto exchange logo.

Phishing scams that target cold wallets

A cold wallet (cold storage) is a wallet without a permanent connection to the internet, like a dedicated device or even just a private key written on a slip of paper. Hardware storage is the most common type of cold wallets. As these devices are offline most of the time, and remote access is impossible, users tend to store significantly larger amounts on these. That said, it would be erroneous to believe that a hardware wallet cannot be compromised without stealing it, or at least, getting physical access to it. As is the case with hot wallets, scammers use social engineering techniques to get to users’ funds. We spotted an email campaign recently that was specifically aimed at the owners of hardware cold wallets.

This type of attack starts as a crypto email campaign: the user gets an email, addressed as being from the Ripple cryptocurrency exchange and offering to join a giveaway of XRP tokens, the platform’s internal cryptocurrency.

Phishing email pretending to be from Ripple cryptocurrency exchange

Phishing letter pretending to be from the Ripple cryptocurrency exchange

If the user clicks the link, they are presented with a blog page featuring a post that explains the rules of the “giveaway”. The post contains a direct link to “registration”.

Fake Ripple blog

Fake Ripple blog

Already at this point, the scam shows a few differences from mass attacks on hot wallets: instead of sending the user a link to a phishing page, the scammers used a more sophisticated immersion trick with a blog post. They also went so far as meticulously copying the design of the Ripple website and registering a domain name that was nearly identical to the exchange’s official domain. This is called a Punycode phishing attack. At first glance, the second-level domain is identical to the original one, but a closer look will reveal that the letter “r” has been replaced with a Unicode character that uses a cedilla:

https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/

Also, the scam site is hosted in the .net top-level domain, rather than .com, where the official Ripple website is located. This may not raise any red flags with the victim, though, as both domains are widely used by legitimate organizations.

After the user follows the link from the “blog” to the fake Ripple page, they are offered to connect to the WebSocket address wss://s2.ripple.com.

Connection to the WebSocket address

Connection to the WebSocket address

Next, the user is offered to enter the address of their XRP account.

Entering XRP account address

The website then offers to choose an authentication method for receiving the bonus tokens.

Choosing an authentication method

Choosing an authentication method

As you can see, hardware wallets are top of the list and suggested by scammers. Selecting Trezor redirects the user to the official website trezor.io, which allows to connect devices to web apps via Trezor Connect API. The API is used for simplifying transactions with the help of a hardware wallet. The scammers want the victim to connect to their website, so they can withdraw the funds from the victim’s account.

When the user attempts to connect to the third-party website, Trezor Connect asks them to consent to anonymous collection of data and to confirm that they want to connect to the website. The address of the scam site is displayed in a Punycode view as: https://app[.]xn--ipple-4bb[.]net. The scammer’s hope is that the user misses the address, which is provided in small print on the side of the page.

Trezor Connect: confirming the connection to the scam site

Trezor Connect: confirming the connection to the scam site

Connection via Ledger is a lot like Trezor, but it uses the WebHID interface, with the other steps unchanged.

What happens after the user connects their hardware wallet? We had to explore the code of the phishing site just a bit to answer that question. The website is powered by an application written in Node.js. This uses two APIs:

  • wss://s2.ripple.com, the official WebSocket address for Ripple transactions
  • The phishing site API, for example: app[.]xn--ipple-4bb[.]net/api/v1/action

The scammers use these two APIs for interacting with the victim’s XRP account. The phishing site API talks to the WebSocket address, verifies account details and requests funds. For this purpose, the scammers spin up one-off intermediate wallets.

Withdrawal request Response and description
* The scammers generate a new address every time

The intermediate account is used for just two things: to receive the victim’s funds and to forward these to the scammers’ permanent account. This helps to hide the final destination.

Statistics

In the spring of 2023, Kaspersky antispam solutions detected and blocked 85,362 scam emails targeting cryptocurrency users. Scam email campaigns peaked in March, with 34,644 messages. We blocked 19,902 emails in April and 30,816 in May.

Number of detected phishing emails targeting cryptocurrency users in March–May 2023 (download)

Conclusion

Scammers understand one thing just fine: the harder it is to get to the loot, the bigger it is likely to be. Therefore, attacks on hardware wallets, which many consider bullet-proof, use far more sophisticated tactics than those employed against the users of online crypto storage services. Although hardware wallets are indeed more secure than hot wallets, users should not lower their guard. Check every detail carefully before giving any website access to your wallet, and refuse to connect if anything smells fishy.

Email crypto phishing scams: stealing from hot and cold crypto wallets

Your email address will not be published. Required fields are marked *

 

Reports

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

APT trends report Q1 2023

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

Subscribe to our weekly e-mails

The hottest research right in your inbox