Home / Industry

Cardano Joins the List of Favored Crypto Scam Targets

Twitter was recently abuzz with news regarding an ongoing Cardano scam via a downloadable phishing app. Posing as a giveaway promo, which is how cybercriminals have frequently been victimzing cryptocurrency owners these days, users who get tricked into downloading the rogue app end up with stolen credentials instead.

We began our investigation into the threat with two indicators of compromise (IoCs) disclosed in a tweet—the malicious domain name airdrop-ada[.]net and the malicious IP address 104[.]21[.]78[.]87. Using these as jump-off points, our deep dive revealed:

  • 29 possibly connected domains containing the string combination “airdrop + ada,” akin to the IoC
  • 2 possibly connected subdomains containing the string combination “airdrop + ada”
  • 300+ connected domains as they shared an IP host of the domain IoC
  • 2 of the possibly connected domains and subdomains are malicious
  • 1,100+ domains and subdomains containing the string “cardano,” 12 of which are already dubbed “malicious”

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Looking for Possible Connections to the IoCs

In our effort to look for other artifacts, we subjected the domain airdrop-ada[.]net to a DNS lookup and found two additional IP addresses, apart from the one identified in the tweet—213[.]226[.]124[.]209 and 172[.]67[.]219[.]16.

We then looked for other potential connections using the string combination “airdrop + ada” on Domains & Subdomains Discovery. The query uncovered 29 possibly connected domains, such as:

  • airdrop-diadata[.]org
  • adapad-airdrop[.]tech
  • trustpadairdrop[.]com
  • airdrop-crabada[.]com
  • etherpadairdrop[.]org

Using the same string combination, we also discovered two possibly connected subdomains, namely:

  • ada-airdrop[.]hwlegnano[.]it
  • legit-airdrop-radar[.]myshopify[.]com

Next, we used the IP addresses 213[.]226[.]124[.]209, 172[.]67[.]219[.]16, and 104[.]21[.]78[.]87 as reverse IP lookup search terms and found at least 300 domains that shared 104[.]21[.]78[.]87 as host. Examples include:

  • assets[.]ovh
  • assumption[.]site
  • atdominican[.]com
  • atheniamarketing[.]com
  • auto-payingsu[.]com

The high number of connected domains and the second-level domain (SLD) string dissimilarity indicate the likely use of shared hosting infrastructure. In addition, a bulk WHOIS lookup for the possibly connected domains showed that only 42 of the 301 possibly connected domains (14%) shared the domain IoC’s registrant country, reinforcing our earlier interpretation of the use of a shared hosting infrastructure.

Nevertheless, we subjected all the web properties we found to a bulk malware check on the Threat Intelligence Platform and discovered that two of them—dejob[.]xyz and dispenseoneglint[.]cyou—are considered malicious by various malware engines.

Expanding the Investigation

Cardano has been consistently part of the top 10 cryptocurrencies to invest in and that remains true this year. It’s not surprising, therefore, for it to be a favored cybercrime target. We looked into web properties containing Cardano and the names of other cryptocurrencies, in fact, around the same time last year and found around 30,000 potential threat vehicles.

We sought to discover if new domains and subdomains were registered just this year and found:

  • 710 domains registered between 1 January and 18 May 2022 containing the string “cardano,” six of which have already been dubbed “malicious” by various malware engines
  • 630 subdomains registered on 1January—18 May 2022 containing the string “cardano,” five of which turned out to be malicious

Note the growth in web property volume from 677 to more than double at 1,340 domains and subdomains in a span of less than a year. That not only denotes growth in the number of Cardano coin owners but likely also the threats that could target them.

All Cardano cryptocurrency owners should heed the call to avoid accessing the domains, subdomains, and IP addresses, especially those deemed “malicious,” if they want to avoid the risk of getting scammed or phished. Monitoring the possibly connected domains, particularly those registered in the U.S. and shared other WHOIS details with the domain IoC may also be worth doing.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API