New Crypto Phishing Attack Steals Funds from Cold Wallets

Cryptocurrency’s rising fame and diverse storage methods expand the arsenal of tools used by threat actors chasing digital assets and funds.

The threat actors adapt their techniques and mimic legit sites based on target protection and potential theft size.

There are two email attack methods that target the top cryptocurrency storage approaches, and here below, we have mentioned them:-

  • Hot wallets
  • Cold wallets

Cybersecurity researchers at Kaspersky Lab recently discovered that threat actors are actively targeting cold wallets via crypto phishing attacks to steal funds.

Targeting Hot and Cold wallet

The hot wallet is a type of cryptocurrency wallet and this wallet constantly remains connected to the internet with unrestricted internet access.

Whereas a cold wallet (aka Cold storage) is an offline storage option, such as a dedicated device or a private key written on paper, that lacks constant internet connectivity.

The popularity of Hot wallets derives from their simplicity in creation and the convenience of two key elements:-

  • Easy fund withdrawal
  • Easy fund conversion

Due to their constant online accessibility and easy conveniences, large amounts are rarely stored in these wallets.

With minimal incentive to invest significantly, cybercriminals rarely employ original or complicated techniques in email attacks on hot wallets.

Phishing email (Source – Kaspersky)

Phishing scams targeting hot wallet users often employ emails from reputable crypto exchanges, urging them to confirm transactions or verify their wallets.

Attackers Targeting the Hot Wallet

The seed phrase grants access to the account and enables transactions, so losing or exposing the seed phrase means permanent loss of the wallet, as it cannot be altered or retrieved.

Entry page for Seed phrase (Source – Kaspersky)

Entering the seed phrase on a fraudulent webpage grants attackers the ability to transfer all funds to their own addresses since the seed phrase will give the attackers complete wallet access.

While in this case, the Cold wallets remain offline and lack remote access, which leads users to store significant amounts of funds. Since hardware wallets are invincible without theft or physical access.

In an email campaign targeting cold wallets, users receive an email masquerading as a Ripple cryptocurrency exchange, inviting them to participate in an XRP token giveaway.

Fake letter (Source – Kaspersky)

Clicking the link leads users to a blog page displaying a post outlining the “giveaway” rules, with a direct registration link included.

Blog page (Source – Kaspersky)

Separating from regular hot wallet attacks, the scam employs an immersive blog post rather than a phishing link. 

The attackers mimic Ripple’s website with high details for creating a pure matching domain, employing a Punycode phishing attack. While further examination reveals a Unicode character replacing the letter “r”:-

  • https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/

Users are prompted to connect to the following WebSocket address, upon clicking the link in the “blog” to the Ripple page that is fake:-

  • wss://s2.ripple.com
WebSocket address (Source – Kaspersky)

The user is prompted to input their XRP account address, and the site presents authentication options, including selecting Trezor. 

Choosing Trezor redirects to trezor.io, enabling device connection via Trezor Connect API for simplified transactions.

Scammers aim to lure victims to their sites and withdraw funds from their accounts.

Trezor Connect (Source – Kaspersky)

Threat actors think tougher loot means bigger, and that’s why they use advanced tactics on supposedly secure hardware wallets, not like the ones for online crypto storage users.

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

HellCat and Morpheus Ransomware Share Identical Payloads for Attacks

The cybersecurity landscape witnessed a surge in ransomware activity during the latter half of 2024…

4 minutes ago

370+ Ivanti Connect Secure Exploited Using 0-Day Vulnerability

A major cybersecurity incident has come to light, with more than 370 Ivanti Connect Secure…

2 hours ago

BASHE Ransomware Allegedly Leaked ICICI Bank Customers Data

A major cyber threat looms over Indian financial giant ICICI Bank as the notorious BASHE…

3 hours ago

North Korean IT Workers Steal Companies Source Codes to Demand Ransomware

The Federal Bureau of Investigation (FBI) has issued fresh warnings about malicious activities by North…

4 hours ago

Zero-Click Outlook RCE Vulnerability (CVE-2025-21298), PoC Released

Microsoft issued a critical patch to address CVE-2025-21298, a zero-click Remote Code Execution (RCE) vulnerability…

5 hours ago

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular open-source…

14 hours ago