Posted on February 15, 2018 at 7:16 PM
A cybersecurity firm has discovered that hackers used poisoned Google ads to steal over $50 million worth of cryptocurrency from users.
One of bitcoin’s best and worst features is its enhanced anonymity. While it affords users more privacy than traditional transactions, the same feature has been exploited by malicious actors to steal cryptocurrency from unsuspecting victims’ wallets with little fear of being caught. However, the cybersecurity firm Cisco has recently identified a group of hackers responsible for an elaborate attack that has so far stolen millions from bitcoin wallet users.
In a report published earlier this week, the Cisco Talos team revealed that a Ukraine-based hacking group, known as Coinhoarder, has been stealing cryptocurrency from Blockchain.info users. Blockchain.info is one of the most popular crypto wallet solutions available, and Coinhoarder has been impersonating this service to steal more than $50 million from its users.
According to the report, Coinhoarder executed this hacking campaign using a simple yet effective technique. The hackers bought ads targeting popular keywords related to cryptocurrency. Once the ads were live, the hackers could poison a victim’s search results and display the malicious ads whenever a user googled terms such as “bitcoin”, “wallet”, or “blockchain”. The ads misled users into thinking that they were being sent to the legitimate website of the wallet service.
Every poisoned ad contained fraudulent links that pretended to point to the legitimate website; for example, some links were written as “ ” or “ ”. After users clicked on the fraudulent links, they were taken to a landing page that once again imitated the legitimate website. Interestingly, the Cisco Talos report notes that the legitimate website was actually displayed in a lower position on the search results page than the fraudulent ads.
After victims had been sufficiently misled, they signed up for the fraudulent wallet service and entered all their personal details and private keys, which enabled the hackers to access their actual wallets and empty their funds. According to Cisco Talos researchers Dave Maynor and Jeremiah O’Connor, Coinhoarder simply had to keep buying more Google ads to continue tricking victims and stealing millions worth of cryptocurrency.
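The article describes ads that pointed at domains impersonating the real wallet site but does not reproduce the fraudulent names. The following added example (not from the article or from Cisco Talos) shows the kind of check a defender can run over ad or proxy logs to flag hostnames that imitate a protected brand: it strips accents and common confusable characters, compares the registrable part of the hostname against the brand with a small edit-distance budget, and flags hostnames that merely embed the brand name as a subdomain. The confusable table, the two-label registrable-domain rule, and all sample URLs are constructed assumptions for illustration.

```python
"""Flag lookalike hostnames that imitate a protected wallet domain.

Added example; not from the article or Cisco Talos. Sample URLs and the
confusable-character table are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlparse

# Brand domains to protect (Blockchain.info is the service named in the article).
PROTECTED_DOMAINS = ["blockchain.info"]

# Visually confusable substitutions commonly used in typosquats (assumed list).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "vv": "w", "rn": "m", "cl": "d",
}

# Constructed sample URLs, as they might appear in an ad or proxy log.
SAMPLE_URLS = [
    "https://blockchain.info/wallet",
    "http://blockcha\u00edn.info/login",          # accented i
    "b1ockchain.info",                             # digit 1 for l
    "block-chain.info",                            # inserted hyphen
    "https://blockchain.info.wallet-login.example/",  # brand as subdomain
    "https://coinbase.com",
]


def strip_accents(text: str) -> str:
    """Map accented letters to their base letter (e.g. 'í' -> 'i')."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def normalise(host: str) -> str:
    """Lowercase, decode punycode if present, fold accents and confusables."""
    host = host.lower().strip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA; keep as-is
    host = strip_accents(host)
    # Fold multi-character confusables before single-character ones.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(src, dst)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str):
    """Return (verdict, matched_brand) for a URL or bare hostname."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    labels = host.split(".")
    # Assumption: registrable domain is the last two labels (no co.uk-style suffixes).
    registrable = ".".join(labels[-2:])
    norm_reg = normalise(registrable)
    for brand in PROTECTED_DOMAINS:
        brand_name = brand.split(".")[0]
        if registrable == brand:
            return "legitimate", brand
        if norm_reg == normalise(brand):
            return "lookalike-homoglyph", brand
        if edit_distance(norm_reg.split(".")[0], brand_name) <= 2:
            return "lookalike-typo", brand
        if brand_name in host:
            return "lookalike-brand-in-host", brand
    return "unrelated", None


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, brand = check_url(sample)
        print(f"{verdict:24s} {sample}" + (f"  (imitates {brand})" if brand else ""))
```

The check is deliberately strict about the registrable domain: a hostname like `blockchain.info.wallet-login.example` is flagged even though its brand-name labels are an exact match, because only the last two labels decide who controls it. Tune the edit-distance budget to the brand's length; a budget of 2 is generous for short names and would produce false positives on dictionary-word brands.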
More attacks in the future
According to the report, Cisco Talos has been investigating this hacking campaign together with the Ukrainian Cyberpolice for the past six months. What makes this campaign more alarming is that the technique has become increasingly common and popular among the hacking community. While Facebook recently banned all cryptocurrency ads, Google ads remain a major problem. However, according to a Google spokesperson, the company is currently working on a system that will eradicate all fraudulent ads.
The Coinhoarder hacking campaign has been active for three years, but as the bitcoin price climbed to reach prices of up to $20,000 last year, the frequency of attacks increased as well. Coinhoarder stole over $10 million worth of cryptocurrency between September and December 2017 alone. In a particularly lucrative burst of activity, the hackers stole $2 million in less than a month. According to Talos’ estimations, the hackers’ total stolen funds amount to over $50 million.
Several hacking groups have been chasing bitcoin and other cryptocurrencies ever since the dramatic price increase of 2017. For example, the North Korean state-sponsored hacking group known as Lazarus Group has been using a mixture of phishing attacks and other techniques to steal millions of cryptocurrency coins from exchanges and individual users alike. According to the Cisco Talos report, the hackers targeted individuals who were likely to use a cryptocurrency wallet due to their country’s lack of widespread access to banks. African countries such as Ghana and Nigeria were particularly targeted.
The Talos report also included some of the hackers’ wallet addresses, which the researchers used to trace the stolen cryptocurrency. However, it might be impossible to ever find the true perpetrators, as the hackers likely created the bitcoin wallet addresses under pseudonyms. Nonetheless, Talos will continue to search for intelligence regarding the source of the attacks.