Labs Interesting Crawls

Networks of Scammy Cryptocurrency Sites Promise Payday that Never Comes

With cryptocurrency mania in full swing, investors must now navigate an entirely new, rapidly expanding threat landscape. Coins, alt-coins, tokens, exchanges, and other cryptocurrency apps—both legitimate and malicious—pop up in the marketplace every day, many of which leverage the massive popularity and 'get-rich-quick' promise of cryptocurrency to attract new users. Some of these apps are stood up to target users, while many become the target of hackers themselves.

RiskIQ observes cryptocurrency threat campaigns that show threat actors bank on the fact that, to many people, the concept of cryptocurrency is nebulous at best, but still seen as a viable way to make money. This widespread perception creates fertile ground for scammers, who take advantage by creating all manners of cryptocurrency fakery designed to fool people out of money. Already, RiskIQ has detected and blacklisted dozens of fake cryptocurrency apps in the mobile app ecosystem that exploit the names of well-known exchanges and mixers, as well as hundreds of sites that falsely promise to make users money in other ways.

The site, for example, has a glossy crypto veneer but resembles a common advance fee scheme. Users can purchase phony "coins," marketed as various "cryptocurrencies" with real money (rubles) via Payeer, with the goal of being able to exchange them for a return on investment later. They can also earn them through "bonuses" rewarded for taking actions such as clicking on ads, visiting web pages, and recruiting new users.

However, the exchange rates for these coins to rubles are intentionally confusing and absurdly steep. To receive a payout via Payeer, users must first exchange their coins for "silver," which they then exchange for rubles at a rate of 100 "coins" to 1 "silver," and 100 "silver" to 1 ruble. This rate makes for a fantastic deal for the people who run the site, but it's a shakedown for customers.

Fig-1 Phony coins named after actual cryptocurrencies promising investors a profit

Cryptcoins[.]biz is only one of a network of sites operated by a single individual or group, all sharing the cryptocurrency theme. A single IP address,, hosts several domains using cryptocurrency themes and falsely promising their users profits. Pivoting in RiskIQ PassiveTotal, we see a handful of domains resolving to this address, ranging from sites masquerading as digital currency exchanges, sites offering ways of earning free cryptocurrency, and "economic simulators" that promise users to renew in-game profits for real-world money. One of these sites asks users to send .5 - 5 ETH (Ethereum) and promises a return of 5 - 50 ETH.

Some of the influx of new cryptocurrency apps are stood up to target users, while many become the target of hackers themselves. Here are a few examples.
Fig-2 Site offering a huge ROI ion a .5 ETH investment (yeah right)

According to RiskIQ PassiveTotal's PDNS data, this address was not routable before March 7th, with many of the domains currently routed to this IP were created soon after:

Some of the influx of new cryptocurrency apps are stood up to target users, while many become the target of hackers themselves. Here are a few examples.
Fig-3 PDNS data inside RiskIQ PassiveTotal for the IP

Other notable domains in this network include:
- ethfreepay[.]com

- etherfreegive[.]com

- eth-gives[.]com

- cryptolombard1[.]ru

- fastcryptex[.]eu

- bubblecrypt[.]ru

- crypto-coin[.]pw

- cryptcoins[.]biz

- crypto-airdrops[.]ru

- terraminingclub[.]ru

- miningmonet[.]ru

- minerscript[.]net

- minecraftzone[.]ru

- anminers9[.]ru

- blockchainadvisor[.]ru

- blockchain-support[.]online

- coin-metro[.]biz

Stay Safe, Know Your Digital Footprint

The cryptocurrency threat landscape is dangerous for users, but brands are also at risk. Threat actors hack vulnerable sites or spin up fake, illegitimate websites to siphon money off of brands, often with typosquatting domains and fraudulent branding. By leveraging domains or subdomains that appear to belong to major brands, these actors trick people into visiting their sites, which attempt to scam them and/or run cryptocurrency mining scripts to siphon users' CPUs.

Unfortunately, security teams lack visibility into all of the ways that they can be attacked externally, and struggle to understand what belongs to their organization, how it’s connected to the rest of their asset inventory, and what potential vulnerabilities are exposed to compromise. RiskIQ Digital Footprint has you covered by continuously discovering an inventory of your externally-facing digital assets and managing risks across your digital attack surface. If you would like more information about RiskIQ Digital Footprint Enterprise can help you with exposure to cryptominers, call us at 888-415-4447 or email us at

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor