Threat analysts are monitoring a Russia-linked threat actor deploying domains for cryptocurrency scams targeting the US Presidential Election and major US tech brands. The scams promise fake cryptocurrency giveaways and urge users to send coins to attacker-controlled wallets, using spoofed sites, fake legal letters, and other deception to appear legitimate.
Key points
- Threat actor linked to Russia deploying crypto scam domains.
- Scams involve fake Bitcoin and Ethereum giveaways.
- Targeted individuals include high-profile figures like Donald Trump and Elon Musk.
- Fake giveaways are promoted through spoofed websites and videos.
- Domains are registered to a Russian email address and hosted behind Cloudflare.
- Some domains feature chat functions instructing users on how to send cryptocurrency.
- Fake legal letters from US regulatory bodies are used to legitimize scams.
- Analysts are creating an IOFA Feed to track and mitigate these scams.
MITRE Techniques
- [T1566] Phishing – Threat actors use fake websites and emails to trick users into sending cryptocurrency.
- [T1003] Credential Dumping – Potentially collecting user credentials through fake login prompts on spoofed sites.
- [T1036] Masquerading – Creating domains that mimic legitimate organizations to deceive users.
Indicators of Compromise
- [Domain] IOFA scam domains – trumpdebate24[.]com, cryptologic[.]online, musk.trump[.]io, apple-event2024[.]com, btcstarship[.]com, debate[.]gives
- [Wallet Address] Crypto wallet used in scams – 0x207Fe723F8B0d864A4Ae4e3B5F064883F207c642
- [Email Address] Russian IOFA registration email – [email protected]
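As an added defender-side example (not part of the original report or the Silent Push feed), the following Python refangs the domain and wallet indicators listed above and matches them against constructed proxy log lines; the log format and the user names are hypothetical, and subdomain matching covers spoofed hosts under a listed domain without flagging unrelated lookalike registrations.

```python
import re
from typing import List, Optional, Tuple

# Indicators transcribed from the report above, still defanged ([.] for .).
DEFANGED_DOMAINS = [
    "trumpdebate24[.]com", "cryptologic[.]online", "musk.trump[.]io",
    "apple-event2024[.]com", "btcstarship[.]com", "debate[.]gives",
]
SCAM_WALLET = "0x207Fe723F8B0d864A4Ae4e3B5F064883F207c642"

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return ioc.replace("[.]", ".").lower().rstrip(".")

SCAM_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def matched_domain(hostname: str) -> Optional[str]:
    """Return the listed domain a hostname falls under, or None.
    The exact domain and its subdomains (e.g. a 'www.' prefix) match;
    lookalikes such as 'nottrumpdebate24.com' do not."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SCAM_DOMAINS:
            return candidate
    return None

def mentions_scam_wallet(text: str) -> bool:
    """EVM addresses are case-insensitive hex, so compare them normalised."""
    return any(a.lower() == SCAM_WALLET.lower()
               for a in re.findall(r"0x[0-9a-fA-F]{40}", text))

# Constructed proxy log lines (hypothetical format: timestamp user host url).
SAMPLE_LOG = """\
2024-09-10T14:01:02Z alice www.trumpdebate24.com https://www.trumpdebate24.com/giveaway
2024-09-10T14:01:09Z bob example.com https://example.com/
2024-09-10T14:02:30Z carol musk.trump.io https://musk.trump.io/chat
2024-09-10T14:03:11Z dave nottrumpdebate24.com https://nottrumpdebate24.com/
"""

def scan_log(log: str) -> List[Tuple[str, str]]:
    """Return (user, matched domain) for each line touching a listed domain."""
    hits = []
    for line in log.splitlines():
        _ts, user, host, _url = line.split()
        domain = matched_domain(host)
        if domain:
            hits.append((user, domain))
    return hits
```

Feeding `scan_log` real proxy or DNS logs and `mentions_scam_wallet` inbound mail or chat text gives a simple alert source for the indicators in this report.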
Read more: https://www.silentpush.com/blog/us-political-crypto-scams/