‘Reptile Recon’: Silent Push uses IP diversity queries to map out CryptoChameleon fast flux IOFAs. Hundreds of domains, IPs, and ASNs discovered

CryptoChameleon is a phishing kit discovered in February 2024 and used by unknown actors to harvest credentials and sensitive data via brand-mimicking landing pages. Silent Push reveals extensive fast-flux infrastructure based on DNSPod that rotates hundreds of domains, IPs, and ASNs to evade defenses while targeting crypto platforms and services. Hashtags: #CryptoChameleon #DNSPod #Binance #Coinbase

Keypoints

  • CryptoChameleon is a phishing kit first discovered in February 2024; the creator remains unidentified.
  • The kit harvests usernames, passwords, password reset URLs, and photo IDs from employees’ and customers’ mobile devices.
  • CryptoChameleon uses DNSPod nameservers to implement fast flux, cycling through many IPs tied to a single domain to evade detection.
  • Targets include FCC, Binance, Coinbase, and a broad set of crypto/tech brands (e.g., Apple iCloud, Google, Gemini, Kraken, Ledger, etc.).
  • The phishing pages impersonate legitimate brands, hosting landing pages that resemble real sites to harvest credentials and 2FA data.
  • Silent Push has built IOFA feeds and tools (including a CryptoChameleon TLP Amber report) to help defenders monitor and mitigate the infrastructure.
  • Infrastructure analysis shows ownership of multiple domains and IPs across specific ASNs, revealing a concentrated operational footprint.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Victims are lured to landing pages that copy the branding of legitimate websites, with key differences that let the kit evade standard countermeasures. “The CryptoChameleon phishing kit copies the exact branding of legitimate websites and landing pages, with some key differences that allow the kit to evade standard countermeasures.”
  • [T1036] Masquerading – The kit hosts pages impersonating many different brands to deceive victims and bypass defenses. “The CryptoChameleon phishing kit copies the exact branding of legitimate websites and landing pages, with some key differences that allow the kit to evade standard countermeasures.”
  • [T1583] Acquire Infrastructure – CryptoChameleon relies on DNSPod nameservers and fast flux techniques to rapidly rotate IPs attached to a single domain, complicating takedowns. “CryptoChameleon uses DNSPod nameservers to engage in fast flux evasion techniques that allow threat actors to quickly cycle through large amounts of IPs linked to a single domain name.”
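The fast-flux behaviour described in the key points and under T1583 (many IPs, and ASNs, cycling behind one domain) is what an IP diversity query surfaces. The following is an added example, not Silent Push code and not the CryptoChameleon kit: it runs a simple diversity check over passive-DNS-style resolution records to flag domains whose recent A records span many IPs and ASNs. The records, domain names, IPs (RFC 5737 documentation ranges), ASN numbers and thresholds are all constructed assumptions for illustration.

```python
"""Fast-flux triage from resolution records: per-domain IP and ASN diversity.

Added example (not Silent Push tooling). All sample data below is constructed:
domains, IPs (documentation ranges) and ASNs are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Resolution:
    domain: str
    seen: datetime      # when this A record answer was observed
    ip: str
    asn: int            # ASN announcing the IP at observation time
    nameserver: str     # authoritative nameserver that served the answer


# Constructed sample: one domain rotating across many IPs/ASNs within hours,
# one domain that stays on a single IP at a single ASN.
T0 = datetime(2024, 3, 1, 0, 0)
SAMPLE = [
    Resolution("lure-brand.example", T0 + timedelta(hours=i), ip, asn, "ns1.dnspod.net")
    for i, (ip, asn) in enumerate([
        ("192.0.2.10", 64501), ("198.51.100.21", 64502), ("203.0.113.7", 64503),
        ("192.0.2.44", 64501), ("198.51.100.9", 64504), ("203.0.113.88", 64505),
    ])
] + [
    Resolution("static-site.example", T0 + timedelta(hours=i),
               "192.0.2.200", 64506, "ns1.hosting.example")
    for i in range(6)
]


def diversity(records, window=timedelta(days=1)):
    """Summarise, per domain, the distinct IPs, ASNs and nameservers seen
    within `window` of that domain's most recent observation."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    summary = {}
    for domain, recs in by_domain.items():
        latest = max(r.seen for r in recs)
        recent = [r for r in recs if latest - r.seen <= window]
        summary[domain] = {
            "ips": {r.ip for r in recent},
            "asns": {r.asn for r in recent},
            "nameservers": {r.nameserver for r in recent},
            "observations": len(recent),
        }
    return summary


def flag_fast_flux(records, min_ips=4, min_asns=2, window=timedelta(days=1)):
    """Return domains whose IP and ASN diversity inside the window meets the
    thresholds (thresholds are assumptions; tune them to your data)."""
    flagged = {}
    for domain, d in diversity(records, window).items():
        if len(d["ips"]) >= min_ips and len(d["asns"]) >= min_asns:
            flagged[domain] = {
                "ip_count": len(d["ips"]),
                "asn_count": len(d["asns"]),
                "nameservers": sorted(d["nameservers"]),
            }
    return flagged


def defang(name):
    """Render a domain or IP the way the report does (dots as [.]) for safe sharing."""
    return name.replace(".", "[.]")


if __name__ == "__main__":
    for domain, info in flag_fast_flux(SAMPLE).items():
        print(f"{defang(domain)}: {info['ip_count']} IPs across "
              f"{info['asn_count']} ASNs, NS {info['nameservers']}")
```

A single IP count is not enough on its own (a CDN-fronted domain also resolves to many addresses); requiring several distinct ASNs in a short window, and looking at which nameservers served the answers, is what separates rotating infrastructure from ordinary load balancing.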

Indicators of Compromise

  • [Domain] 76153-coinbse[.]com, 81758-coinbse[.]com – domains used in CryptoChameleon infrastructure targeting Coinbase and related services
  • [IP] 5.188.88[.]11, 84.38.181[.]13 – example IPs associated with CryptoChameleon infrastructure
  • [IP] 188.68.221[.]152 – hosts all related domains; other private IP ranges are also referenced
  • [ASN] AS29470 JSC Retnet (Russia), AS212441 Cloud Assets LLC (Russia) – hosting/service ASNs involved in infrastructure

Read more: https://www.silentpush.com/blog/cryptochameleon/