The Intersection of Cryptocurrency and DNS Data Part 2: Cryptomining, Phishing, New Domains, and More

Outtakes from our upcoming threat report

Now where were we? 

In part 1 of this 2-part blog series we covered cryptocurrency domain trends. Parts of this blog spurred an entire section in our upcoming Domain Threat Report (which you can reserve a copy of right now). What we have here are the outtakes. That’s not to say this blog represents the most “boring” findings—we just couldn’t fit everything in the threat report. And some things we discovered while wrapping up our report. But we still wanted to share our findings with you—that’s what you’ll see here.

Cryptocurrency: A reminder of its role in cybercrime

When we look at the intersection of cryptocurrency and domain data, we see something insidious: The prevalence of crypto-related threats. And it’s not just cryptojacking. It’s not even the use of cryptocurrency which has made ransomware attacks easier for threat actors to commit and all the more widespread.

As with nearly every trend, there is always someone looking to capitalize on it and use it for their own, personal gain. Ever since cryptocurrency became the pandemic hobby of choice, threat actors have begun to target crypto novices for their schemes.

From a hacker’s perspective, the target audience is ripe for exploitation:

  • They are likely seeking out a way to make money, so promises of “guaranteed earnings” are likely to resonate rather than rouse suspicion
  • These would-be crypto enthusiasts are just starting their journey, so they don’t yet know which warning signs to look for
  • Plenty of brands already exist—from the coins themselves to the exchanges where they’re traded—so there are easy templates to copy, allowing total impersonation or the ability to be just “one more” among so many

While our previous post focused on finding trends on our network that matched news stories, here we’ll zero in on scams, deceptive sites, and the manipulation of user resources.

New crypto-related domains

Over the course of the pandemic, we encountered an increasing number of new sites leveraging crypto terms. 

Within the generic top-level domain (gTLD) .xyz, crypto-related domain registrations have grown. Jocelyn Hanc, Vice President of Operations at XYZ, helped us validate this trend: “Blockchain companies are showing strong interest in .xyz domains. In 2018, .xyz was the first-ever TLD to connect to the Ethereum Name Service (ENS), allowing transfer of cryptocurrency using a short and memorable domain such as walletname.xyz, instead of a long series of letters and numbers. We have seen growing adoption of .xyz in the blockchain communities since then.”

Not every new website (one registered within the last 30 days) is a threat, but the surge in popularity has led to an explosion of crypto-related domain registrations, which raises questions about the validity of the crypto sites you might be linked to in the course of your day.

Back in February, scammers on Discord launched a scheme with a link to a site claiming the recipient had won a prize. The catch was that they requested .02 bitcoin before proceeding. Of course, that was the entire scheme: there was no giveaway, but the scammers were able to collect .02 bitcoin from multiple people before the scam caught on.

The domain used in that scam was registered on January 22, 2021 (using the TLD .com), and the scam was first reported in early February, roughly 2 weeks after registration. If the victims of this scam had been blocking newly registered domains, they would not have been able to resolve the domain in question. The domain was flagged for abuse less than 30 days after registration.

Phishing schemes borrow inspiration from cryptocurrency

According to the research from our threat report, domains with the terms “bitcoin” and “nft” were more likely to house phishing schemes. Ethereum typosquatting domains favored cryptomining (more on that shortly), but phishing was a close second.

One phishing site related to crypto that we encountered was a domain advertising itself as “Ethereum Giveaway.” The site has since been taken down.

Another relatively well-known scam at this point is “Bitcoin Code,” which has resurfaced many times using different domains. The site uses stock photos to fake reviews of its product as well as its supposed CEO.

Part of this scam’s success is its reliance on “exclusivity.”

Just in the last 30 days, we encountered phishing sites with the following terms:

  • localbitcoin
  • bitcoin-storm
  • Bitcointime
  • bitcointodaynews

In the case of “localbitcoin” and “bitcointime,” these terms were registered under multiple TLDs to increase their attack surface. It’s a common tactic among phishers: as soon as one site goes down, another goes up. They’ll reuse one term until they’re ready to register a new one en masse.
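The two defensive observations above, that a 30-day newly-registered-domain (NRD) block would have covered the Discord giveaway domain and that phishers reuse one label across several TLDs, can be turned into a simple policy check. The following is an added example, not DNSFilter’s code; the domains, dates and the 30-day window are constructed, and the first-label split is a simplification that ignores public-suffix rules.

```python
"""Added example, not DNSFilter's code: a registration-age and crypto-term policy
check over constructed WHOIS-style records, illustrating two points from the post:
a 30-day newly-registered-domain (NRD) block covers the Discord giveaway domain,
and phishers reuse one label across several TLDs. All data below is constructed."""
from collections import defaultdict
from datetime import date

# Terms the post reports in crypto phishing and scam domains.
CRYPTO_TERMS = ("bitcoin", "ethereum", "nft", "ftx", "localbitcoin", "bitcointime")

# Constructed (domain, registration date) records; not real observations.
RECORDS = [
    ("giveaway-example.com", date(2021, 1, 22)),   # mirrors the post's timeline
    ("localbitcoin-example.net", date(2021, 1, 30)),
    ("localbitcoin-example.xyz", date(2021, 1, 31)),
    ("localbitcoin-example.org", date(2021, 2, 1)),
]

def label_of(domain: str) -> str:
    """Leftmost label; no public-suffix handling, enough for the sample data."""
    return domain.lower().split(".")[0]

def domain_age_days(registered: date, today: date) -> int:
    return (today - registered).days

def is_newly_registered(registered: date, today: date, window_days: int = 30) -> bool:
    """The NRD rule: anything younger than the window is treated as untrusted."""
    return domain_age_days(registered, today) < window_days

def crypto_terms_in(domain: str) -> list:
    """Crypto terms found in the label ('localbitcoin' also matches 'bitcoin')."""
    label = label_of(domain)
    return sorted(t for t in CRYPTO_TERMS if t in label)

def multi_tld_labels(records, min_tlds: int = 2) -> dict:
    """Labels registered under several TLDs: the 'one term, many TLDs' pattern."""
    tlds = defaultdict(set)
    for domain, _ in records:
        tlds[label_of(domain)].add(domain.lower().rsplit(".", 1)[-1])
    return {lbl: sorted(t) for lbl, t in tlds.items() if len(t) >= min_tlds}

def classify(domain: str, registered: date, today: date, records=RECORDS) -> str:
    """'block' for NRDs, 'review' for crypto-term or multi-TLD hits, else 'allow'."""
    if is_newly_registered(registered, today):
        return "block"
    if crypto_terms_in(domain) or label_of(domain) in multi_tld_labels(records):
        return "review"
    return "allow"
```

Note that once the giveaway domain passes the 30-day window it falls through to the term and multi-TLD checks, which is why the post pairs NRD blocking with flagging for abuse rather than relying on age alone.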

The following is one of the “localbitcoin” sites:

Most websites do not set their pricing as their homepage, which is what is shown here. This alone is suspicious.

This is all part of a trend toward more targeted phishing attacks. The blockchain is growing, and threat actors and scammers are highly likely to reach people with an interest in cryptocurrency or NFTs.

Cryptomining matches the rise in crypto interest

In 2020, cryptomining made a comeback. In a big way. On our network, terms related to Ethereum, Litecoin, and Dogecoin were the ones most likely to be categorized as cryptomining. And this makes a lot of sense, as they’re some of the newer cryptocurrencies (especially compared to bitcoin).

Of cryptomining domains encountered on our network during the pandemic, 2.39% of them contained the term “ethereum.” Impressively, 11.95% of these domains actively use terms related to mining. One particularly cheeky cryptominer registered a domain with the term “notmining.”

Looking at where these cryptomining sites are originating from:

  • 3.19% used the ccTLD (country-code TLD) .ru which belongs to Russia
  • 3.20% used the ccTLD .eu which belongs to the European Union
  • 4.80% used the ccTLD .tk which belongs to the Central African Republic
  • 5.20% used the ccTLD .de which belongs to Germany

We only expect cryptomining and the exploitation of terms surrounding “crypto” and “NFTs” to grow. This industry has reached mainstream popularity. Tom Brady now owns an NFT company and ads promoting the FTX cryptocurrency exchange run on Sundays between football games. We’ve even seen the term “FTX” used in phishing campaigns in the last 30 days, including at least one fake support portal:

People search for these products from their phones in between meetings while distracted. They’re on platforms like Discord and get direct messages from strangers. They receive emails about the latest changes in the crypto markets.

Threat actors are ready with plenty of traps for end users to fall into, and right now cryptocurrency seems to be one of the better ways to capture their attention.

Want early access to DNSFilter's 2021 Threat Report? Click here to be one of the first to reserve your copy today!
