Malicious Scammer Targets 10,000 Dogecoin Users, Russian Cybersecurity Firm Reports

  • A sophisticated, experienced online scammer uses multiple backdoors and phishing sites to target Dogecoin holders.
  • The scammer(s) steal cryptocurrency through fake Dogecoin mining pools and fake giveaway/rewards websites that replicate real services.

A cybercriminal has reportedly been targeting Dogecoin (DOGE) users by using credential-stealing malware, according to a recent post by cybersecurity firm Dr. Web.

The Russia-based internet security company wrote that its investigation of the scammer's activities found them using “a wide range of commercial Trojans”, malware sold on underground forums, many of them hosted on the dark web.

"Gaining Illegal Income"

Referred to as the Investimer, Mmpower, or Hyipblock, the scammer was found to be “gaining illegal income” by using malicious Trojans such as “Eredel, AZORult, Kpot, Kratos, N0F1L3, ACRUX, Predator The Thief, Arkei, and Pony”, Dr. Web noted.

The security researchers discovered that the actor has been using the DarkVNC and HVNC backdoors, along with what Dr. Web describes as “a TeamViewer-based Spy-Agent backdoor”, to gain access to victims’ personal computers (PCs).

Multiple Backdoor Programs Used

Both DarkVNC and HVNC build on the Virtual Network Computing (VNC) protocol, a simple, lightweight remote-framebuffer protocol that gives an operator remote control of a graphical desktop such as Windows. The “hidden” variants run that session on a desktop the victim never sees, so the machine looks idle while the attacker works inside it.

Additionally, the attacker used backdoors “based on RMS” (Remote Manipulator System, a legitimate remote-administration tool) and “widely applied the Smoke Loader.” As explained by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), Smoke Loader is “a small application used to download other malware. It is often distributed via spam campaigns and exploit kits. ... The trojan also evades detection by changing the timestamp of its executable to prevent the malware from being located by searching recently modified files.”
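The timestamp trick NJCCIC describes leaves a detectable inconsistency: a Windows executable whose filesystem modification time is earlier than the compile time recorded in its own PE header has almost certainly had its mtime rolled back. The check below is an added example, not analysis code from Dr. Web, NJCCIC or this article; the PE image it scans is a constructed minimal header rather than a real binary, and the one-hour slack value is an assumption.

```python
"""Heuristic check for PE timestomping: flag files whose mtime predates the
COFF TimeDateStamp in their own header. Added example, not Dr. Web's or
NJCCIC's code; the PE bytes are a constructed minimal header, not a real binary."""
from __future__ import annotations

import os
import struct
import time

PE_SIG = b"PE\x00\x00"


def pe_timestamp(data: bytes) -> int | None:
    """Return the COFF TimeDateStamp of a PE image, or None if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def looks_timestomped(mtime: float, data: bytes, slack: int = 3600) -> bool:
    """True when the file claims to have been last modified more than `slack`
    seconds before it was compiled. Zero or future compile stamps are ignored:
    some toolchains write a hash, or nothing, in that field."""
    stamp = pe_timestamp(data)
    if stamp is None or stamp == 0 or stamp > int(time.time()):
        return False
    return mtime + slack < stamp


def scan_path(path: str) -> bool:
    """Apply the heuristic to a file on disk (reads only the first 4 KiB of headers)."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return looks_timestomped(os.stat(path).st_mtime, head)


def build_minimal_pe(compile_stamp: int) -> bytes:
    """Constructed sample: DOS stub 'MZ' + e_lfanew, then a bare COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = PE_SIG + struct.pack("<HHI", 0x014C, 1, compile_stamp)   # i386, 1 section
    return bytes(dos) + coff


COMPILED_AT = 1_540_000_000                      # 2018-10-20, a plausible build time
SAMPLE_PE = build_minimal_pe(COMPILED_AT)

if __name__ == "__main__":
    stomped = looks_timestomped(1_500_000_000, SAMPLE_PE)   # mtime rolled back to mid-2017
    honest = looks_timestomped(1_541_000_000, SAMPLE_PE)    # mtime a few days after the build
    print(f"rolled-back mtime flagged: {stomped}; normal mtime flagged: {honest}")
```

The heuristic only catches timestamps moved backwards past the build date; a sample stomped to a date after compilation, or a build whose clock was wrong, passes. On NTFS the stronger check is comparing the $STANDARD_INFORMATION timestamps (which user-mode tools can change) against $FILE_NAME, which they cannot.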

Dr. Web further noted that the cybercriminal used another loader, developed by Danij, and a Trojan miner with a built-in “clipper”, a component that watches the clipboard and silently swaps a copied wallet address for the attacker’s so that payments are redirected. To carry out the attacks, Investimer “hosts [its] controlling servers” with hosting providers including jino.ru, hostlife.net, and marosnet.ru, the Russian cybersecurity firm determined.

Phishing Websites

Based on Dr. Web’s findings, most of these websites “are Cloudflare protected and [they] hide their [real] IP address[es].” Moreover, the internet security team believes “Investimer is mainly focused on cryptocurrency fraud, primarily with Dogecoin.”

As described by Dr. Web, the scammer(s) have launched numerous “phishing websites that replicate actual online resources.” One replicates a crypto asset exchange and tells visitors they need a customized client program; the download is in fact a “Spy-Agent Trojan”, which many unsuspecting users have already installed.

The experienced cybercriminal has also created a fake Dogecoin mining pool that is “available for rent at competitive prices.” This scam works by claiming that users will have access to a profitable mining pool if they simply download a “client application” from a “password-protected archive.”

However, the password serves to bypass antivirus detection: a scanner cannot inspect the contents of an encrypted archive, so the “stealer Trojan” inside reaches the victim’s PC unexamined, according to Dr. Web. Other key findings by the Russian security team were that malware was also being used to steal users’ digital assets, including ethereum (ETH) and dogecoin, by directing them to fake websites that promised rewards or giveaways.
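An encrypted ZIP entry defeats content scanning, but the archive’s central directory still records that the entry is encrypted and what it is called, so a mail gateway or download filter can flag the lure before anyone types the password. The triage below is an added example, not Dr. Web’s code. Its sample archives are constructed in memory: a plain ZIP is written and its encryption flag bit is then set by hand, so the payloads are not really encrypted and only the header check is exercised; the extension list is an assumption.

```python
"""Gateway-style triage of password-protected archives: read the ZIP central
directory (no password needed) and flag encrypted entries, especially
executables. Added example, not Dr. Web's code; samples are constructed."""
from __future__ import annotations

import io
import zipfile

ENCRYPTED_FLAG = 0x0001                  # bit 0 of the general-purpose bit flag
LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"
EXECUTABLE_EXTS = (".exe", ".scr", ".dll", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi")


def encrypted_entries(zip_bytes: bytes) -> list[str]:
    """Names of entries marked encrypted. zipfile parses the central directory
    without a password, so this works on archives a scanner cannot open."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED_FLAG]


def triage(zip_bytes: bytes) -> str:
    """'quarantine' for an encrypted executable, 'review' for any other encrypted
    entry, 'scan' when everything is readable and can go to the AV engine."""
    encrypted = encrypted_entries(zip_bytes)
    if any(name.lower().endswith(EXECUTABLE_EXTS) for name in encrypted):
        return "quarantine"
    return "review" if encrypted else "scan"


def build_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Constructed sample archive with one stored entry. When `mark_encrypted`
    is set, the encryption bit is flipped in both headers; the data itself is
    left in the clear, which is enough to exercise the header check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        assert data[:4] == LOCAL_SIG                 # first local header is at offset 0
        data[6] |= ENCRYPTED_FLAG                    # local header: flags field at +6
        cd = data.rfind(CENTRAL_SIG)                 # the single central-directory header
        data[cd + 8] |= ENCRYPTED_FLAG               # central header: flags field at +8
    return bytes(data)


SAMPLE_LURE = build_zip("DogePool_client.exe", b"MZ" + bytes(64), True)
SAMPLE_ENCRYPTED_DOC = build_zip("invoice.pdf", b"%PDF-1.4 constructed", True)
SAMPLE_BENIGN = build_zip("readme.txt", b"just text", False)

if __name__ == "__main__":
    for label, sample in [("lure", SAMPLE_LURE), ("doc", SAMPLE_ENCRYPTED_DOC), ("benign", SAMPLE_BENIGN)]:
        print(f"{label}: encrypted={encrypted_entries(sample)} verdict={triage(sample)}")
```

A real lure would be opened with the password from the download page; the point of the check is that the verdict does not depend on having it. Filenames can be hidden too (AES-encrypted ZIPs and 7z archives can encrypt the directory), in which case the only safe verdict is to hold the archive until someone supplies the password to a sandbox.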

These sites had malicious scripts “under the guise of a special app” which allowed the scammers to steal users’ private information and/or obtain access to their crypto assets.

$800,000 XRP Stolen In Phishing Scam

As CryptoGlobe reported in September, $800,000 in XRP had been stolen from users by scammers who had created a fake crypto exchange website by replicating a real exchange site.

Users were then sent fraudulent emails containing links to the fake XRP trading platform. Those who visited and entered their passwords and other private information lost their funds: the attacker(s) simply used those credentials to log into the real exchange and drain the accounts.

Coin Metrics: Over 94% of Daily BSV Transactions ‘Generated by a Weather App’

Siamak Masnavi

According to the latest research by blockchain analytics/research boutique Coin Metrics, as of July 14, over 94% of Bitcoin SV's daily transactions are reportedly being generated by "a weather app."

Coin Metrics' findings were published on Tuesday (July 16) in issue #8 of their weekly newsletter "State of the Network".

Coin Metrics made the discovery while researching the on-chain activity of Bitcoin (BTC), Bitcoin Cash (BCH), and Bitcoin SV (BSV).

Although Coin Metrics found that BSV's "overall transaction count has been growing," they noticed that the majority of these transactions include the OP_RETURN opcode.

According to the Bitcoin Wiki, OP_RETURN is "a script opcode used to mark a transaction output as invalid" and "any outputs with OP_RETURN are provably unspendable."

Because an OP_RETURN output can never be spent, it can carry arbitrary data, and nodes do not need to keep it in their set of unspent outputs; that is what makes it usable as a data channel. However, as the Bitcoin Wiki points out, many Bitcoiners "believe that use of OP_RETURN is irresponsible in part because Bitcoin was intended to provide a record for financial transactions, not a record for arbitrary data," and it's "less costly and far more efficient to store non-currency data elsewhere."

In the case of the Bitcoin SV blockchain, it appears that BSV transactions are "increasingly including" OP_RETURN outputs, and that, since May, the majority of them are coming from a web-based weather app, "WeatherSV", which records weather information to, and retrieves it from, the Bitcoin SV blockchain.
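The measurement Coin Metrics reports comes down to looking at each output script and counting transactions that contain one beginning with OP_RETURN. The script parser below is an added example, not Coin Metrics’ or WeatherSV’s code; it classifies outputs, extracts the embedded data items, and computes the share over a set of transactions constructed in memory (the payload layout is made up for the example and is not WeatherSV’s actual format).

```python
"""Classify Bitcoin-style output scripts and measure the share of transactions
carrying an OP_RETURN (null-data) output. Added example, not Coin Metrics' or
WeatherSV's code; the transactions below are constructed, not real chain data."""
from __future__ import annotations

from collections import Counter

OP_0, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x00, 0x4C, 0x4D, 0x4E
OP_RETURN = 0x6A
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC


def push(data: bytes) -> bytes:
    """Smallest push opcode that carries `data`."""
    n = len(data)
    if n <= 0x4B:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data
    return bytes([OP_PUSHDATA4]) + n.to_bytes(4, "little") + data


def parse_pushes(script: bytes) -> list[bytes]:
    """Data items of a push-only script; ValueError on any other opcode or a truncated push."""
    i, items = 0, []
    while i < len(script):
        op = script[i]
        i += 1
        if op == OP_0:
            n, width = 0, 0
        elif 1 <= op <= 0x4B:
            n, width = op, 0
        elif op in (OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4):
            width = {OP_PUSHDATA1: 1, OP_PUSHDATA2: 2, OP_PUSHDATA4: 4}[op]
            if i + width > len(script):
                raise ValueError("truncated push length")
            n = int.from_bytes(script[i:i + width], "little")
        else:
            raise ValueError(f"non-push opcode 0x{op:02x}")
        i += width
        if i + n > len(script):
            raise ValueError("truncated push data")
        items.append(script[i:i + n])
        i += n
    return items


def classify_output(script: bytes) -> str:
    """'op_return' for null-data outputs, 'p2pkh' for the standard payment template, else 'other'."""
    if script and script[0] == OP_RETURN:
        return "op_return"
    if (len(script) == 25 and script[0] == OP_DUP and script[1] == OP_HASH160
            and script[2] == 0x14 and script[23] == OP_EQUALVERIFY and script[24] == OP_CHECKSIG):
        return "p2pkh"
    return "other"


def op_return_payload(script: bytes) -> list[bytes]:
    """Data embedded after OP_RETURN in a provably unspendable output."""
    if classify_output(script) != "op_return":
        raise ValueError("not an OP_RETURN script")
    return parse_pushes(script[1:])


def op_return_share(txs: list[list[bytes]]) -> float:
    """Fraction of transactions (each a list of output scripts) with an OP_RETURN output."""
    if not txs:
        return 0.0
    carrying = sum(any(classify_output(s) == "op_return" for s in outs) for outs in txs)
    return carrying / len(txs)


def output_type_counts(txs: list[list[bytes]]) -> Counter:
    return Counter(classify_output(s) for outs in txs for s in outs)


def null_data_script(*items: bytes) -> bytes:
    return bytes([OP_RETURN]) + b"".join(push(d) for d in items)


def p2pkh_script(pubkey_hash: bytes) -> bytes:
    return bytes([OP_DUP, OP_HASH160, 0x14]) + pubkey_hash + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


# Constructed sample: 16 "weather record" transactions plus one plain payment.
CHANGE = p2pkh_script(bytes(range(20)))
SAMPLE_TXS = [[null_data_script(b"weather", f'{{"station":{k},"temp_c":21.5}}'.encode()), CHANGE]
              for k in range(16)]
SAMPLE_TXS.append([p2pkh_script(bytes(20)), CHANGE])

if __name__ == "__main__":
    print(f"OP_RETURN share: {op_return_share(SAMPLE_TXS):.1%}")
    print(output_type_counts(SAMPLE_TXS))
    print(op_return_payload(SAMPLE_TXS[0][0]))
```

Counting by transaction rather than by output is what makes a single app dominate the metric: every record it writes is one transaction with one data output, so a steady feed of small writes swamps the count even though it moves almost no value.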

The WeatherSV website says that it is demonstrating "the ability to index and retrieve climate data immutably stored on a distributed ledger."

Furthermore, Coin Metrics found that the majority of BSV’s overall transactions are being generated by WeatherSV, in fact over 94% (as of July 14):

[Chart: Coin Metrics, 16 July 2019]

According to data from CryptoCompare, at press time, BSV is trading at $11.31, down 11.04% in the past 24-hour period:

[Chart: BSV/USD, 17 July 2019]

Featured Image Credit: Photo via Pexels.com. BSV Chart Courtesy of Coin Metrics.