Twitter was recently abuzz with news regarding an ongoing Cardano scam via a downloadable phishing app. Posing as a giveaway promo, which is how cybercriminals have frequently been victimzing cryptocurrency owners these days, users who get tricked into downloading the rogue app end up with stolen credentials instead.

We began our investigation into the threat with two indicators of compromise (IoCs) disclosed in a tweet—the malicious domain name airdrop-ada[.]net and the malicious IP address 104[.]21[.]78[.]87. Using these as jump-off points, our deep dive revealed:

• 29 possibly connected domains containing the string combination “airdrop + ada,” akin to the IoC
• 2 possibly connected subdomains containing the string combination “airdrop + ada”
• 300+ connected domains as they shared an IP host of the domain IoC
• 2 of the possibly connected domains and subdomains are malicious
• 1,100+ domains and subdomains containing the string “cardano,” 12 of which are already dubbed “malicious”

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Looking for Possible Connections to the IoCs

In our effort to look for other artifacts, we subjected the domain airdrop-ada[.]net to a DNS lookup and found two additional IP addresses, apart from the one identified in the tweet—213[.]226[.]124[.]209 and 172[.]67[.]219[.]16.

We then looked for other potential connections using the string combination “airdrop + ada” on Domains & Subdomains Discovery. The query uncovered 29 possibly connected domains, such as:

• airdrop-diadata[.]org
• adapad-airdrop[.]tech
• trustpadairdrop[.]com
• airdrop-crabada[.]com
• etherpadairdrop[.]org

Using the same string combination, we also discovered two possibly connected subdomains, namely:

• ada-airdrop[.]hwlegnano[.]it
• legit-airdrop-radar[.]myshopify[.]com

Next, we used the IP addresses 213[.]226[.]124[.]209, 172[.]67[.]219[.]16, and 104[.]21[.]78[.]87 as reverse IP lookup search terms and found at least 300 domains that shared 104[.]21[.]78[.]87 as host. Examples include:

• assets[.]ovh
• assumption[.]site
• atdominican[.]com
• atheniamarketing[.]com
• auto-payingsu[.]com

The high number of connected domains and the second-level domain (SLD) string dissimilarity indicate the likely use of shared hosting infrastructure. In addition, a bulk WHOIS lookup for the possibly connected domains showed that only 42 of the 301 possibly connected domains (14%) shared the domain IoC’s registrant country, reinforcing our earlier interpretation of the use of a shared hosting infrastructure.

Nevertheless, we subjected all the web properties we found to a bulk malware check on the Threat Intelligence Platform and discovered that two of them—dejob[.]xyz and dispenseoneglint[.]cyou—are considered malicious by various malware engines.

Expanding the Investigation

Cardano has been consistently part of the top 10 cryptocurrencies to invest in and that remains true this year. It’s not surprising, therefore, for it to be a favored cybercrime target. We looked into web properties containing Cardano and the names of other cryptocurrencies, in fact, around the same time last year and found around 30,000 potential threat vehicles.

We sought to discover if new domains and subdomains were registered just this year and found:

• 710 domains registered between 1 January and 18 May 2022 containing the string “cardano,” six of which have already been dubbed “malicious” by various malware engines
• 630 subdomains registered on 1January—18 May 2022 containing the string “cardano,” five of which turned out to be malicious

Note the growth in web property volume from 677 to more than double at 1,340 domains and subdomains in a span of less than a year. That not only denotes growth in the number of Cardano coin owners but likely also the threats that could target them.

All Cardano cryptocurrency owners should heed the call to avoid accessing the domains, subdomains, and IP addresses, especially those deemed “malicious,” if they want to avoid the risk of getting scammed or phished. Monitoring the possibly connected domains, particularly those registered in the U.S. and shared other WHOIS details with the domain IoC may also be worth doing.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.