Home / Blogs

Cryptocurrency and DNS: Phishing Domains, Cryptomining and More

Cryptocurrency: A reminder of its role in cybercrime

When we look at the intersection of cryptocurrency and domain data, we see something insidious: The prevalence of crypto-related threats. And it’s not just cryptojacking. It’s not even the use of cryptocurrency which has made ransomware attacks easier for threat actors to commit and all the more widespread.

As with nearly every trend, there is always someone looking to capitalize on it and use it for their own, personal gain. Ever since cryptocurrency became the pandemic hobby of choice, threat actors have begun to target crypto novices for their schemes.

From a hacker’s perspective, the target audience is ripe for exploitation:

  • They are likely seeking out a way to make money, so promises of “guaranteed earnings” are likely to resonate as opposed to rouse suspicious.
  • These would-be crypto enthusiasts are just starting their journey, so they don’t know yet what not to look for
  • Plenty of brands already exist—from the coins themselves to the exchanges where they’re traded—so there are easy templates to copy, allowing total impersonation or the ability to be just “one more” among so many

This article references our upcoming Domain Threat Report, but includes research done after that report was finalized.

New crypto-related domains

Over the course of the pandemic, we encountered an increasing number of new sites leveraging crypto terms.

Within the generic Top-Level Domain (gTLD) .xyz, domain registrations related to crypto within this TLD have grown. Jocelyn Hanc, Vice President of Operations at XYZ, helped us validate this trend: “Blockchain companies are showing strong interest in .xyz domains. In 2018, .xyz was the first-ever TLD to connect to the Ethereum Name Service (ENS), allowing transfer of cryptocurrency using a short and memorable domain such as walletname.xyz, instead of a long series of letters and numbers. We have seen growing adoption of .xyz in the blockchain communities since then.”

Not every new website (registered within the last 30 days) is a threat, but the increase in popularity that has led to an explosion of domain registrations related to crypto has created questions around the validity of crypto sites you might get linked to in the course of your day.

Back in February, scammers on Discord launched a scheme with a link to a site claiming they won a prize. The catch was they requested .02 bitcoin before proceeding. Of course, that was the entire scheme. There was no giveaway, but scammers were able to get .02 in bitcoin from multiple people before the scam caught on.

The domain used in that scam was registered on January 22, 2021 (using the TLD .com) and the scam was first reported in early February—roughly two weeks after registration. If victims of this scam were blocking newly registered domains, they would not have been able to resolve the domain in question. The domain was flagged for abuse less than 30 days after registration.

Phishing schemes borrow inspiration from cryptocurrency

According to the research from our threat report, domains with the terms “bitcoin” and “nft” were more likely to house phishing schemes. Ethereum typosquatting domains favored cryptomining (more on that shortly), but phishing was a close second.

One phishing site related to crypto that we encountered was a domain advertising itself as “Ethereum Giveaway.” The site has since been taken down.

Another relatively well-known scam at this point is “Bitcoin Code,” which has resurfaced many times using different domains. The site uses stock photos to fake reviews of their product as well as their supposed CEO.

Part of this scam’s success is its reliance on “exclusivity.”

Just in the last 30 days, we encountered phishing sites with the following terms:

  • localbitcoin
  • bitcoin-storm
  • Bitcointime
  • bitcointodaynews

In the case of “localbitcoin” and “bitcointime,” these terms were registered under multiple TLDs to increase their attack surface. It’s a common tactic among phishers: As soon as one site goes down, another goes up. They’ll reuse one term until they’re ready to register a new one en masse.

The following is one of the “localbitcoin” sites:

Most websites do not set their pricing as their homepage, which is what is shown here. This alone is suspicious.

This is all a part of a trend to make phishing attacks more targeted. The blockchain is growing, and reaching people with an interest in cryptocurrency or NFTs is highly likely for threat actors and scammers.

Cryptomining matches the rise in Crypto interest

In 2020, cryptomining made a comeback. In a big way. On our network, terms related to Ethereum, Litecoin, and Dogecoin were the ones most likely to be categorized as cryptomining. And this makes a lot of sense, as they’re some of the newer cryptocurrencies (especially compared to bitcoin).

Of cryptomining domains encountered on our network during the pandemic, 2.39% of them contained the term “ethereum.” Impressively, 11.95% of these domains actively use terms related to mining. One particularly cheeky cryptominer registered a domain with the term “notmining.”

Looking at where these cryptomining sites are originating from:

  • 3.19% used the ccTLD (country-code TLD) .ru which belongs to Russia
  • 3.20% used the ccTLD .eu which belongs to the European Union
  • 4.80% used the ccTLD .tk which belongs to the Central African Republic
  • 5.20% used the ccTLD .de which belongs to Germany

We only expect cryptomining and the exploitation of terms surrounding “crypto” and “NFTs” to grow. This industry has reached mainstream popularity. Tom Brady now owns an NFT company and ads promoting the FTX cryptocurrency exchange run on Sundays between football games. We’ve even seen the term “FTX” used in phishing campaigns in the last 30 days, including at least one fake support portal:

People search for these products from their phones in between meetings while distracted. They’re on platforms like Discord and get direct messages from strangers. They receive emails about the latest changes in the crypto markets.

Threat actors are ready with plenty of traps for end users to fall into, and right now cryptocurrency seems to be one of the better ways to capture their attention.

By Serena Raymond, Content Marketing Manager at DNSFilter

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix


Sponsored byVerisign