Note: A special thanks to Ed Gibbs, WhoisXML API’s Advanced Threat Researcher & Technical Account Manager, for his help compiling the domain and subdomain files used in this post.
Cryptocurrencies keep making waves in the online community, making them prime vehicles for threat actors running scam, phishing, and other malicious campaigns. Fraudsters, for one, have stolen millions of dollars' worth of cryptocurrencies from investors through websites that promise rewards, giveaways, and earning opportunities.
Does it mean it’s time to monitor crypto-related Internet properties that could end up being used in a scam?
The WhoisXML API security research team did so, and identified more than 31,000 crypto-related domains and subdomains and analyzed them based on the following angles of research:
We searched WHOIS and subdomains databases for domains and subdomains that contain the text strings “bitcoin,” “doge,” and “cardano.” These cryptocurrencies were chosen because they were among the most newsworthy ones.
Bitcoin, for one, is almost synonymous with cryptocurrency. On the other hand, Dogecoin recently made headlines after famous personalities (including Elon Musk) expressed support for it. Cardano has also been in the news after becoming fully decentralized in April 2021.
A total of 31,555 domains and subdomains were found, broken down as follows:
Search Term | Number of Domains and Subdomains Containing the Search Term |
---|---|
“bitcoin” | 20,121 |
“doge” | 10,757 |
“cardano” | 677 |
Website Screenshot API allowed us to do a bulk screenshot lookup for the domains and subdomains. Some domains resolved to pages that indicate the websites are still under construction. As expected, several domains were parked, some of which are for sale for over US$1,000 each.
More concerning are the domains that resolved to live websites. For instance, the screenshots of ceodoge[.]com and getdoge[.]top showed content that promised Doge giveaways, with an image of Elon Musk.
The fake Elon Musk giveaway is a tactic scammers have been using recently, costing victims thousands of dollars.
With the help of Bulk WHOIS Lookup, we were able to obtain the WHOIS data of the crypto-related domains. However, only 5.67% had unredacted registrant email addresses, while 94.33% could not be publicly attributed to an organization or individual.
We did find domains with the registrant email domain yandex[.]com, a verified phishing site according to PhishTank. Another registrant email domain also stood out—yandex[.]ru. Aside from sharing the same first-level domain (yandex) with the phishing domain, it is also the registrant email domain of elonpromo[.]site, the domain used in the fake Elon Musk giveaway linked above.
The domain elonpromo[.]site is already reported as “malicious” on VirusTotal, while yandex[.]ru is still deemed safe. What’s more, a historical WHOIS analysis of the actual email address on record revealed another domain, chamath-event[.]site, which was used to host a similar giveaway scam, this time implicating Canadian-American venture capitalist Chamath Palihapitiya.
Note that about 21 crypto-related domains in our sample had registrants that use yandex[.]ru as their email domain. While these crypto-related domains may not be related to the identified malicious domains (elonpromo[.]site and chamath-event[.]site), it would be safer to warn the public about websites that promise rewards and giveaways.
The top 10 registrars of the domains are broken down per cryptocurrency in the table below.
Rank | Bitcoin | Dogecoin | Cardano |
---|---|---|---|
1 | NameCheap, Inc. | GoDaddy | GoDaddy |
2 | GoDaddy | NameCheap, Inc | NameCheap, Inc |
3 | MarkMonitor | Alibaba Cloud Computing | MarkMonitor |
4 | PDR Ltd. | Dynadot | 101domain GRS Ltd |
5 | NameSilo | eNom, LLC | |
6 | Dynadot | NameSilo, LLC | Tucows Domains Inc. |
7 | REGRU-RU | PDR Ltd. | DANESCO TRADING LTD |
8 | Name.com | TurnCommerce, Inc. DBA NameBright.com | Epik Holdings Inc |
9 | eNom | Tucows Domains Inc. | PDR Ltd. |
10 | Tucows Domains Inc. | GMO | Gandi SAS |
NameCheap and GoDaddy took the top spots, while eNom, Tucows, Dynadot, and MarkMonitor repeatedly appeared.
Knowing the registrars of the domains could help in the takedown process in case some of the domain names are found malicious.
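The WHOIS triage steps described above (keyword match, share of unredacted registrant emails, pivot on a known-bad registrant address, registrar tally for takedown routing) can be sketched as follows. This is an added example, not WhoisXML API's tooling; the records, the `.example` domains, the addresses and all function names are constructed for illustration. It separates an exact registrant-address match from a mere shared email domain, since the latter is a weak signal on a public mail provider.

```python
from collections import Counter

KEYWORDS = ("bitcoin", "doge", "cardano")  # search strings used in the post
# Constructed sample WHOIS records (illustrative, not data from the research).
RECORDS = [
    {"domain": "free-doge-promo.example", "registrar": "Registrar A", "email": "ops1@mail.example"},
    {"domain": "bitcoin-rewards.example", "registrar": "Registrar B", "email": None},  # redacted
    {"domain": "cardano-news.example", "registrar": "Registrar A", "email": "editor@news.example"},
    {"domain": "dogewallet.example", "registrar": "Registrar A", "email": "ops2@mail.example"},
    {"domain": "getbitcoin.example", "registrar": "Registrar C", "email": "ops1@mail.example"},
    {"domain": "garden-tools.example", "registrar": "Registrar B", "email": "ops1@mail.example"},
]
# Constructed: registrant address of a domain already confirmed malicious.
KNOWN_BAD_EMAILS = {"ops1@mail.example"}


def keyword_hits(records, keywords=KEYWORDS):
    """Keep records whose domain name contains any tracked string."""
    return [r for r in records if any(k in r["domain"].lower() for k in keywords)]


def attribution_share(records):
    """Percentage of records with an unredacted registrant email."""
    visible = sum(1 for r in records if r["email"])
    return round(100 * visible / len(records), 2) if records else 0.0


def pivot(records, known_bad_emails):
    """Split matches: exact address (strong) vs. same email domain only (weak)."""
    bad_domains = {e.rsplit("@", 1)[-1] for e in known_bad_emails}
    strong, weak = [], []
    for r in records:
        email = (r["email"] or "").lower()
        if not email:
            continue  # redacted record: nothing to pivot on
        if email in known_bad_emails:
            strong.append(r["domain"])
        elif email.rsplit("@", 1)[-1] in bad_domains:
            weak.append(r["domain"])
    return strong, weak


def registrars_for(records, domains):
    """Count registrars behind the flagged domains, for takedown routing."""
    return Counter(r["registrar"] for r in records if r["domain"] in domains).most_common()
```

Domains in the weak list only share a mail provider with a known-bad registrant and need further evidence, such as a screenshot review, before being reported.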
Many cryptocurrency investors have become rich and, understandably, many people want to follow suit. However, threat actors could be lurking behind some of these cryptocurrency-related domains. One wrong move and investors could lose vast amounts of money.
As such, it’s probably a good practice to examine domains and subdomains first before investing. Could they be part of a scam in any way? Screenshot Lookup enables users to check websites without exposing themselves to the threats that may be hiding behind the domains. Looking at WHOIS data and investigating connections with known malicious domains could also help find hidden connections.
Cybersecurity professionals who wish to keep a lookout on the cryptocurrency-related domains and subdomains in this research may contact us to get access to our WHOIS and passive DNS databases.