New Crypto Phishing Attack Steals Funds from Cold Wallets

Cryptocurrency’s rising fame and diverse storage methods expand the arsenal of tools used by threat actors chasing digital assets and funds.

The threat actors adapt their techniques and mimic legit sites based on target protection and potential theft size.

There are two email attack methods that target the top cryptocurrency storage approaches, and here below, we have mentioned them:-

  • Hot wallets
  • Cold wallets

Cybersecurity researchers at Kaspersky Lab recently discovered that threat actors are actively targeting cold wallets via crypto phishing attacks to steal funds.

Targeting Hot and Cold wallet

The hot wallet is a type of cryptocurrency wallet and this wallet constantly remains connected to the internet with unrestricted internet access.

Whereas a cold wallet (aka Cold storage) is an offline storage option, such as a dedicated device or a private key written on paper, that lacks constant internet connectivity.

The popularity of Hot wallets derives from their simplicity in creation and the convenience of two key elements:-

  • Easy fund withdrawal
  • Easy fund conversion

Due to their constant online accessibility and easy conveniences, large amounts are rarely stored in these wallets.

With minimal incentive to invest significantly, cybercriminals rarely employ original or complicated techniques in email attacks on hot wallets.

Phishing email (Source – Kaspersky)

Phishing scams targeting hot wallet users often employ emails from reputable crypto exchanges, urging them to confirm transactions or verify their wallets.

Attackers Targeting the Hot Wallet

The seed phrase grants access to the account and enables transactions, so losing or exposing the seed phrase means permanent loss of the wallet, as it cannot be altered or retrieved.

Entry page for Seed phrase (Source – Kaspersky)

Entering the seed phrase on a fraudulent webpage grants attackers the ability to transfer all funds to their own addresses since the seed phrase will give the attackers complete wallet access.

While in this case, the Cold wallets remain offline and lack remote access, which leads users to store significant amounts of funds. Since hardware wallets are invincible without theft or physical access.

In an email campaign targeting cold wallets, users receive an email masquerading as a Ripple cryptocurrency exchange, inviting them to participate in an XRP token giveaway.

Fake letter (Source – Kaspersky)

Clicking the link leads users to a blog page displaying a post outlining the “giveaway” rules, with a direct registration link included.

Blog page (Source – Kaspersky)

Separating from regular hot wallet attacks, the scam employs an immersive blog post rather than a phishing link. 

The attackers mimic Ripple’s website with high details for creating a pure matching domain, employing a Punycode phishing attack. While further examination reveals a Unicode character replacing the letter “r”:-

  • https://app[.]xn--ipple-4bb[.]net -> https://app[.]ŗipple[.]net/

Users are prompted to connect to the following WebSocket address, upon clicking the link in the “blog” to the Ripple page that is fake:-

  • wss://s2.ripple.com
WebSocket address (Source – Kaspersky)

The user is prompted to input their XRP account address, and the site presents authentication options, including selecting Trezor. 

Choosing Trezor redirects to trezor.io, enabling device connection via Trezor Connect API for simplified transactions.

Scammers aim to lure victims to their sites and withdraw funds from their accounts.

Trezor Connect (Source – Kaspersky)

Threat actors think tougher loot means bigger, and that’s why they use advanced tactics on supposedly secure hardware wallets, not like the ones for online crypto storage users.

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Beware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify a…

3 hours ago

Malicious Supply Chain Attacking Moving From npm Community To VSCode Marketplace

Researchers have identified a rise in malicious activity on the VSCode Marketplace, highlighting the vulnerability…

3 hours ago

Hackers Weaponizing LNK Files To Create Scheduled Task And Deliver Malware Payload

TA397, also known as Bitter, targeted a Turkish defense organization with a spearphishing email containing…

3 hours ago

BADBOX Botnet Hacked 74,000 Android Devices With Customizable Remote Codes

BADBOX is a cybercriminal operation infecting Android devices like TV boxes and smartphones with malware…

3 hours ago

Europol Details on How Cyber Criminals Exploit legal businesses for their Economy

Europol has published a groundbreaking report titled "Leveraging Legitimacy: How the EU’s Most Threatening Criminal Networks…

3 hours ago

CISA Proposes National Cyber Incident Response Plan

The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a proposed update to the National…

4 hours ago