On Wednesday, cybersecurity experts from Cisco Talos revealed that with the help of the Ukraine Cyberpolice, the team has been able to track and monitor the group over the past six months.
In a blog post, researchers Jeremiah O'Connor and Dave Maynor said the campaign might be simple, but has reaped incredible financial rewards for the threat actors.
Dubbed "Coinhoarder," the criminal group's phishing activities were first discovered in February 2017. The group targeted the Bitcoin wallet platform blockchain.info by using phishing links, fraudulent domains, and brand spoofing.
"This campaign was unique in that adversaries leveraged Google AdWords to poison user search results in order to steal users' wallets," Cisco Talos says. "Since Cisco observed this technique, it has become increasingly common in the wild with attackers targeting many different crypto wallets and exchanges via malicious ads."
The fraudsters established "gateway" phishing links that appeared in search results when potential victims searched Google for cryptocurrency-related keywords, such as "blockchain" or "bitcoin wallet."
These links, bolstered by the purchase of Google AdWords, would then send victims to malicious domains, which would serve phishing content depending on the IP address and likely language of the visitor.
According to the team, the hackers are focusing on countries where access to traditional banking may be difficult, such as Estonia, Nigeria, Ghana, and a number of other African countries.
When access to banking is difficult, cryptocurrency, as a decentralized asset recorded on a blockchain, may empower users financially. The cybercriminals behind the campaign appear to know that residents of these countries are likely to take more interest in cryptocurrency, and that expectation has determined where the phishing campaign is focused.
Cisco observed spikes in DNS queries upwards of 200,000 per hour when the fraudulent ads were on display. The campaign appears to be the largest phishing scheme targeting blockchain.info to date.
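The DNS query spikes described above are what a resolver operator would look for. The following is an added example, not Cisco Talos' tooling: it counts queries per name per hour from constructed resolver log lines (the `<timestamp> client=<ip> qname=<name>` format and every name in the sample are invented for this example) and flags an hour whose volume exceeds a multiple of that name's median hourly baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import statistics

# Example added here, not from the Talos report. Log format and sample names are constructed.
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str):
    """Parse a constructed resolver log line '<utc-ts> client=<ip> qname=<name>'.

    Returns (hour_bucket, qname); the hour bucket is the timestamp truncated to the hour.
    """
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
    hour = when.replace(minute=0, second=0, microsecond=0)
    return hour, fields["qname"].lower().rstrip(".")


def hourly_counts(lines):
    """Build qname -> {hour: query count} from raw log lines."""
    counts = defaultdict(Counter)
    for line in lines:
        hour, qname = parse_line(line)
        counts[qname][hour] += 1
    return counts


def find_spikes(counts, ratio: float = 5.0, min_queries: int = 50, warmup: int = 2):
    """Flag each hour whose volume for a name exceeds `ratio` times the median of the
    preceding hours for that name, ignoring low-volume noise below `min_queries`."""
    alerts = []
    for qname, per_hour in counts.items():
        hours = sorted(per_hour)
        for i in range(warmup, len(hours)):
            baseline = statistics.median(per_hour[h] for h in hours[:i])
            n = per_hour[hours[i]]
            if n >= min_queries and n > ratio * baseline:
                alerts.append({"qname": qname, "hour": hours[i].strftime(TS_FMT),
                               "queries": n, "baseline": baseline})
    return alerts


def build_sample_log():
    """Constructed sample: six hours of steady traffic to two names, plus one hour in which a
    look-alike name (invented for this example) suddenly receives a burst of queries."""
    lines = []
    start = datetime(2018, 2, 14, 10, tzinfo=timezone.utc)
    for h in range(6):
        hour = start + timedelta(hours=h)
        plan = {"blockchain.info": 20, "example.org": 5,
                "blockchain-wallet-example.info": 300 if h == 4 else 5}
        for qname, n in plan.items():
            for i in range(n):
                ts = (hour + timedelta(seconds=i)).strftime(TS_FMT)
                lines.append(f"{ts} client=10.0.0.{i % 8} qname={qname}")
    return lines


if __name__ == "__main__":
    for alert in find_spikes(hourly_counts(build_sample_log())):
        print(alert)
```

Running it reports a single alert for the invented look-alike name in the 14:00 hour, while the steady names stay quiet. The median baseline is deliberately robust to a single earlier burst, so one noisy hour does not mask the next one; on real resolver logs the `ratio` and `min_queries` thresholds would be tuned per environment.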
The security firm believes that the gang has been in operation since at least 2015 and has managed to steal tens of millions of dollars' worth of cryptocurrency.
Between September 2017 and December 2017 alone, the group stole approximately $10 million in cryptocurrency, and in one particular 3.5-week period, the hackers were able to steal $2 million.
It is estimated that the unknown threat actors may have netted over $50 million over the past three years and likely profited when the price of Bitcoin skyrocketed last year.
"While criminals were able to profit from this, it also adds a new level of complexity for criminals to convert their cryptocurrency funds to a fiat currency like US dollars," the researchers note. "The historic price of Bitcoin during the height of this campaign would have made it very difficult to move these ill-gotten finances easily."
It appears the threat actors are not resting on their laurels despite the huge amount of fraudulent revenue they have established. The hackers have begun to use wildcard SSL certificates issued by Cloudflare and Let's Encrypt to appear legitimate, alongside brand spoofing and internationalized domain names (IDNs).
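Brand spoofing and internationalized domain names, mentioned above and in the description of the fraudulent domains earlier in the article, are the kind of thing a brand-protection or mail-filtering team screens new domains for. The block below is an added example, not Talos' or blockchain.info's own tooling: it decodes punycode labels back to Unicode, folds a small hand-picked table of confusable characters (a subset, not the full Unicode TR39 data) onto their ASCII look-alikes, and classifies the registrable domain against a protected brand list by edit distance and substring checks. The brand list, the confusables table, the "last two labels" approximation of the registrable domain and all sample domains are assumptions constructed for the example.

```python
import unicodedata

# Example added here, not Talos' tooling. The brand list and confusables table are constructed.
PROTECTED = ["blockchain.info"]

# Small confusables table: a hand-picked subset of look-alike characters (not the full Unicode TR39 data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
    "0": "o", "1": "l", "3": "e", "5": "s",                       # digit-for-letter swaps
}


def to_unicode(domain: str) -> str:
    """Convert punycode (xn--) labels to their Unicode form; ASCII labels pass through."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label so it is still assessed
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Fold confusable characters onto their ASCII look-alikes and strip diacritics."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values against a brand indicate typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption: no public suffix list)."""
    return ".".join(domain.split(".")[-2:])


def assess(domain: str, protected=PROTECTED, max_distance: int = 2) -> dict:
    """Classify a domain against the protected brands; returns the evidence with the verdict."""
    uni = to_unicode(domain)
    reg = registrable(uni)
    reg_skel = skeleton(reg)
    best = min(protected, key=lambda b: levenshtein(reg_skel, skeleton(b)))
    dist = levenshtein(reg_skel, skeleton(best))
    brand_name = skeleton(best.split(".")[0])
    if reg == best:
        verdict = "legitimate"
    elif reg_skel == skeleton(best):
        verdict = "homoglyph"            # identical once look-alike characters are folded
    elif dist <= max_distance:
        verdict = "typosquat"            # one or two edits away from the brand
    elif best in uni:
        verdict = "brand-in-subdomain"   # brand used as a subdomain of an unrelated registrable domain
    elif brand_name in reg_skel.replace("-", ""):
        verdict = "brand-name-reuse"     # brand name kept, TLD or separator changed
    else:
        verdict = "unrelated"
    return {"input": domain, "unicode": uni, "registrable": reg,
            "closest": best, "distance": dist, "verdict": verdict}


# Constructed sample: a Cyrillic-o/Cyrillic-c spelling, encoded to the punycode form seen in DNS.
SAMPLE_HOMOGLYPH = "bl\u043e\u0441kchain.info".encode("idna").decode("ascii")

if __name__ == "__main__":
    for d in ["blockchain.info", SAMPLE_HOMOGLYPH, "blockchian.info",
              "blockchain.info.wallet-login.example", "blockchain-info.net", "example.org"]:
        print(assess(d))
```

The verdict order matters: an exact match is checked before the folded comparison, so the real brand is never reported as its own homoglyph, and the substring checks run only after the edit-distance test so a near-miss is labelled as a typosquat rather than a reuse. A production check would replace the two-label approximation with a public suffix list and the small table with the full confusables data, and would feed certificate-transparency logs into `assess`, which is where wildcard certificates for look-alike names would first show up.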
"We can expect to see more of these realistic-looking phishes with Let's Encrypt releasing full wildcard certificate support at the end of this month," the team added. "Cisco will continue to monitor the landscape and coordinate with international law enforcement teams in 2018 to help protect users and organizations."