Saturday, June 15, 2024

New Crypto Phishing Attack Steals Funds from Cold Wallets

Cryptocurrency’s rising fame and diverse storage methods expand the arsenal of tools used by threat actors chasing digital assets and funds.

The threat actors adapt their techniques and mimic legit sites based on target protection and potential theft size.

There are two email attack methods that target the top cryptocurrency storage approaches, and here below, we have mentioned them:-

  • Hot wallets
  • Cold wallets

Cybersecurity researchers at Kaspersky Lab recently discovered that threat actors are actively targeting cold wallets via crypto phishing attacks to steal funds.

Targeting Hot and Cold wallet

The hot wallet is a type of cryptocurrency wallet and this wallet constantly remains connected to the internet with unrestricted internet access.

Whereas a cold wallet (aka Cold storage) is an offline storage option, such as a dedicated device or a private key written on paper, that lacks constant internet connectivity.

The popularity of Hot wallets derives from their simplicity in creation and the convenience of two key elements:-

  • Easy fund withdrawal
  • Easy fund conversion

Due to their constant online accessibility and easy conveniences, large amounts are rarely stored in these wallets.

With minimal incentive to invest significantly, cybercriminals rarely employ original or complicated techniques in email attacks on hot wallets.

Phishing email (Source – Kaspersky)

Phishing scams targeting hot wallet users often employ emails from reputable crypto exchanges, urging them to confirm transactions or verify their wallets.

Attackers Targeting the Hot Wallet

The seed phrase grants access to the account and enables transactions, so losing or exposing the seed phrase means permanent loss of the wallet, as it cannot be altered or retrieved.

Entry page for Seed phrase (Source – Kaspersky)

Entering the seed phrase on a fraudulent webpage grants attackers the ability to transfer all funds to their own addresses since the seed phrase will give the attackers complete wallet access.

While in this case, the Cold wallets remain offline and lack remote access, which leads users to store significant amounts of funds. Since hardware wallets are invincible without theft or physical access.

In an email campaign targeting cold wallets, users receive an email masquerading as a Ripple cryptocurrency exchange, inviting them to participate in an XRP token giveaway.

Fake letter (Source – Kaspersky)

Clicking the link leads users to a blog page displaying a post outlining the “giveaway” rules, with a direct registration link included.

Blog page (Source – Kaspersky)

Separating from regular hot wallet attacks, the scam employs an immersive blog post rather than a phishing link. 

The attackers mimic Ripple’s website with high details for creating a pure matching domain, employing a Punycode phishing attack. While further examination reveals a Unicode character replacing the letter “r”:-

  • https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/

Users are prompted to connect to the following WebSocket address, upon clicking the link in the “blog” to the Ripple page that is fake:-

  • wss://
WebSocket address (Source – Kaspersky)

The user is prompted to input their XRP account address, and the site presents authentication options, including selecting Trezor. 

Choosing Trezor redirects to, enabling device connection via Trezor Connect API for simplified transactions.

Scammers aim to lure victims to their sites and withdraw funds from their accounts.

Trezor Connect (Source – Kaspersky)

Threat actors think tougher loot means bigger, and that’s why they use advanced tactics on supposedly secure hardware wallets, not like the ones for online crypto storage users.

“AI-based email security measures Protect your business From Email Threats!” – .


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles