In the last few years Bitcoin has dominated headlines online. As you all will likely know, many cryptocurrencies have grown in value exponentially over the last few years. As the market has progressed it has gained a lot of traction in particular with hackers and cyber-criminals. This is due to the currencies anonymity which is what caused its mainstream popularity to begin with. Once a bitcoin has been stolen, it is extremely difficult, if not impossible to track who took it.

In the past hackers have made off will huge sums of money from renowned crypto organisations, never to be seen again. That’s why the fact that Cisco Talos and the Ukrainian Cyber-Police have managed to uncover a large Bitcoin phishing scam is a step in the right direction.

Who are Cisco Talos?

Cisco Talos are a section of Cisco purely dedicated to investigating and combatting cyber threats. The whole of the Cisco cyber-security ecosystem is underpinned by Cisco Talos. They are the industry leading threat intelligence group with over 250 full-time experts employed. Their extensive resources allow them to continuously scan millions of malware samples and terabytes of data every day so they are able to keep their extensive knowledge base growing and valuable.

Cisco Talos is responsible for ensuring market leading security platforms such as Cisco AMP, Cisco Umbrella and Cisco Stealthwatch are kept up to date with potential incoming threats.

The Coinhoarder Campaign

In February last year, a huge phishing campaign was identified by Cisco. They observed that the origin of this scam was in Ukraine and they were targeting the extremely well-known Bitcoin wallet site blockchain.info which had a client request magnitude of over 200,000 client queries. This campaign was different compared to predecessors. The hackers leveraged Google Adwords to entrap searchers in order to steal their wallets. After Talos realised what was happening, it has become increasingly common on the web with attackers targeting many different crypto wallets and exchanges via malicious ads.

An attack pattern was identified by Talos in which the criminals behind the operation would establish a gateway phishing link that would appear at the top of google searches as ads. When people were searching for crypto-related keywords such as  “bitcoin wallet” or “blockchain,” the false links would appear at the top of your page. If you clicked the ad it would redirect to a lander page and show phishing content in your own language depending on your IP address.

You can read about what actions Cisco Talos performed in order to disrupt this lucrative crime organisation in extent on Cisco Talos’ blog.