The Ukrainian hacker group Coinhoarder has been identified as the actor behind a large-scale abuse of Google's advertising system that let it steal more than $50 million in cryptocurrency from an undisclosed number of victims. Cisco cooperated with Ukrainian authorities in an investigation spanning six months before the identity of the group could be confirmed. The group bought ads through Google's AdWords platform on cryptocurrency-related search terms such as "blockchain" and "bitcoin." Users who clicked on the ads were taken to a fake landing page that mimicked the popular wallet site Blockchain.info. Once the group had a victim's wallet credentials in hand, it could empty the wallet without resistance.
Cryptocurrency, and the blockchain that powers it, offers some measure of anonymity, which makes cryptocurrency theft far less risky for the criminal than crime against conventional money, such as phishing bank credentials or compromising domains to steal digitally represented funds. The phishing infrastructure in this campaign was notable in that it did not rebuild the page it imitated from scratch. Instead it proxied the real page and injected a few specific JavaScript instructions and other code that sent the victim's credentials to the attackers rather than to the legitimate domain. It was this behavior that allowed Cisco's Talos team and Ukrainian cybercrime authorities to eventually trace the attacks.
While Coinhoarder has been identified and shut down, Cisco reported that the group's tactic has since been copied, and users who deal in cryptocurrency will need to exercise extra caution when handling their wallets. The world of cryptocurrency can still largely be considered an untamed part of the internet. That affords its users a measure of privacy and autonomy, but it also means security is more lax, and authorities may have a harder time helping when something like this happens. All of the usual rules of the web still apply, along with some extra caution. Users should always double-check the URL of any page they enter personal information into, and if their browser shows security alerts, as Chrome does, they should think twice before ignoring or bypassing such an alert to interact with a page.
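"Double-check the URL" is easier said than done, because a phishing landing page of the kind described above is reached through a link whose hostname is built to pass a glance. The following is an added example, not code from the article or from Cisco Talos, that makes the check mechanical: it takes a URL, isolates the real hostname, and reports the common tricks (user:pass@ prefixes, the legitimate name used as a subdomain or embedded in a longer name, digit-for-letter substitutions, and internationalized hostnames that display as the real name). The only fact taken from the article is that the imitated site was blockchain.info; the function names, the small confusable table, and the sample URLs at the bottom are constructed for illustration and are not real phishing domains.

```python
"""Added example: a URL check for wallet-site phishing of the kind described above.

Assumptions (not from the article): the expected domain, the confusable table,
and the sample URLs are all constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "blockchain.info"   # the site the fake landing pages mimicked

# Deliberately small lookalike table; a real deployment would use the Unicode
# confusables data. Each pair is (what an attacker types, what the eye reads).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold_confusables(host):
    """Reduce a hostname to what a human would read: strip accents, then fold
    common character substitutions (b1ockchain -> blockchain)."""
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    for fake, real in CONFUSABLES:
        stripped = stripped.replace(fake, real)
    return stripped


def normalize_host(host):
    """Return (ascii_form, unicode_form) of a hostname so both IDN directions
    are visible: a Unicode name becomes punycode, and punycode becomes the
    Unicode string the browser would display."""
    host = host.rstrip(".").lower()
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    try:
        unicode_host = ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_host = ascii_host
    return ascii_host, unicode_host


def same_site(host, expected):
    """True for the expected domain itself or any subdomain of it."""
    return host == expected or host.endswith("." + expected)


def check_url(url, expected=EXPECTED_DOMAIN):
    """Return (ok, reasons). ok is True only for an https URL whose real
    hostname is the expected domain or a subdomain of it."""
    parts = urlsplit(url)
    reasons = []
    host = parts.hostname          # lowercased; port and user:pass@ are stripped
    if not host:
        return False, ["no hostname in URL"]
    ascii_host, unicode_host = normalize_host(host)

    if parts.scheme != "https":
        reasons.append("not served over https")
    if parts.username is not None:
        reasons.append("text before '@' (%s) is userinfo, not the host; the host is %s"
                       % (parts.username, ascii_host))
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        reasons.append("internationalized hostname: %s displays as %s"
                       % (ascii_host, unicode_host))

    if not same_site(ascii_host, expected):
        folded = fold_confusables(unicode_host)
        brand = expected.split(".")[0]
        if same_site(folded, expected):
            reasons.append("hostname %s is a lookalike of %s" % (unicode_host, expected))
        elif brand in folded:
            reasons.append("hostname contains '%s' but is not %s" % (brand, expected))
        else:
            reasons.append("hostname is %s, not %s" % (ascii_host, expected))

    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample URLs; none of these are real phishing domains.
    samples = [
        "https://blockchain.info/wallet",
        "https://www.blockchain.info/",
        "http://blockchain.info/",
        "https://blockchain.info@evil.example/",
        "https://blockchain.info.evil.example/",
        "https://b1ockchain.info/",
        "https://blockcha\u00edn.info/",
    ]
    for sample in samples:
        ok, why = check_url(sample)
        print("%-45s %s %s" % (sample, "OK " if ok else "BAD", "; ".join(why)))
```

The subdomain rule (`same_site`) is the one a browser's address bar applies: `www.blockchain.info` belongs to the site, `blockchain.info.evil.example` does not, whatever it looks like at a glance. Folding is applied only after the exact check fails, so a legitimate name that happens to contain a digit is never flagged as a lookalike of itself.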