Coinhoarders Steal $50 Million in Cryptocurrency Using Google Ads

Another hack in the cryptocurrency world. What else is new? Well, this time security companies are getting involved to expose the hackers (successfully), and the hackers chose to use Google Ads to hack their victims. The total damage was approximately $50 million over the course of three years using a very basic phishing technique.

Cryptocurrency, A Regular Target

Cryptocurrencies are generally stored on an exchange, in a mining pool, or a user’s individual wallet, which makes individual’s computers and exchanges prime targets for hacks and unfortunately many have suffered such attacks in recent years. The largest attacks are common names in the crypto community. Mt. Gox and Coincheck were the biggest hacks in cryptocurrency history with almost $1 billion stolen cumulatively between the two heists. These two hacks were the most significant robberies in history, but many much smaller crypto heists go undiscussed. With almost $1 billion stolen between two heists, it is clear why Mt. Gox and Coincheck made the headline news for days.

Mt. Gox was a major cryptocurrency exchange heading into 2014 but then suffered what at the time was the largest cryptocurrency hack in history. The value of the hack was estimated at $450 million resulting in Mt. Gox’s declaration of bankruptcy. This sent shockwaves through the cryptocurrency community resulting in the plummeting of the price of bitcoin. There has been one larger hack in recent history occurring at the end of January 2018. Coincheck was hacked for more than $500 million but has thus far been solvent and remained active. Thankfully for 2017’s influx of investors, trading volume, and production of wealth, Coincheck should have ample reserves to cover their losses. Even without declaring bankruptcy and ushering an era of regulation the price of BTC and XEM (the hacked currency) still corrected heavily following the hack’s announcement. It seems hacks are getting bigger with hackers becoming bolder.

Using Google Ads to Steal Crypto

Although hundreds of millions of dollars were not stolen, the most recent heists took place through Google Ads. The number, $50 million is still a significant one, especially for those who lost cryptocurrency because of the hack. The blockchain is supposed to be transparent, but even with displaying transaction amounts and receiving and sending wallets the users were still difficult to determine. For years, hackers have enjoyed heists in the millions of dollars of cryptocurrency because they were able to remain anonymous. Privacy coins were created to provide anonymity to users, but blockchains like BTC are completely transparent. Transparency is a benefit in most situations unless you are a hacker using the Bitcoin blockchain. The hacker’s true identity is not exposed even though the wallet where hacked funds were transferred to is publicly known.

Cisco has recently diverted a significant focus to blockchain technology. This has allowed them to understand security threats and even expose the thieves behind a number of bold hacks. The most recent hack was pulled off by a group individuals based out of Ukraine who have named themselves Coinhoarder. The technique used by the hackers was very basic yet was able to capture the attention and funds of thousands of people. This simple technique included the hacking group taking out ads on Google related to key search terms. These key search terms were all directly related to cryptocurrencies. Terms like “blockchain,” “cryptocurrency wallet,” and “bitcoin wallet,” were all search terms that provided malicious ads.

The ads displayed for these particular search terms attempted to imitate legitimate domains such as, which specializes in cryptocurrency wallets. Users inability to notice subtle differences in domain names and web presence allowed hackers to have unsuspecting users browsing their malicious knock-off websites for extended periods of time. The landing pages for “” looked almost identical to that of the one users were familiar with, If you were not looking for the “ie” and missing “c” in the web address, you could have easily been duped into the scam. The worst (or most intelligent) part was the hackers were paying enough to have their malicious links ranked higher than the actual real versions of the websites they were mirroring.

Once the user is on the malicious website, they proceed as if they landed at the proper site they are accustomed to or going to for the first time. At this point, they enter personal information which allows the hackers to gain access to their accounts (wallets) on the real websites. Once they have accessed the user’s wallets, they transfer the funds to themselves and the hack is complete. The entire strategy was to mirror the real website while purchasing Google Ads at the highest rate possible. What is more shocking is that this phishing scam has taken place for years as Cisco in collaboration with Ukraine’s Cyberpolice have investigated.


The Coinhoarder group has been deemed responsible for multiple thefts since 2015 with the value and number soaring at the end of 2017, as the bitcoin price simultaneously climbed. Between the three months of September, November, and December more than $10 million was stolen. Even with cyber police forces and top security companies in hot pursuit, the hackers remain as bold as ever. The technique to mirror websites for phishing scams is becoming increasingly popular even as places like Facebook ban ads related to crypto.

Coinhoarder specializes in phishing scams, but those are just one of the many techniques implemented to steal cryptocurrencies. Lazarus Group, which is notoriously speculated to be a North Korean hacking ring, also specializes in phishing scams through mirroring websites. More and more hacking groups are using very basic website mirroring techniques to get users to provide the information needed to access their wallets and remove the valued cryptocurrency. The majority of IP addresses for individuals who lost in the most recent hacks were predominantly African, from Nigeria and Ghana. This is not surprising as underbanked regions of the world are where cryptocurrencies are used most, and the population may not be educated entirely regarding the possibility of scams. However, it seems a completely mirrored website would be a simple way to confuse someone unless the user is actively monitoring their visited web addresses.

Stay Vigilant of Your Web Addresses and Download Security Software

The bitcoin addresses of where the stolen funds were transferred are known, yet not much can be done. The problem remains that the BTC addresses are pseudonymous and without anything but a number it remains almost impossible to know who has access to the suspected wallet. The trail of funds can be monitored indefinitely until they are spent or transferred to an exchange. However, there is no guarantee the owner of the wallets will ever be successfully revealed.

The benefits of the blockchain occasionally also are its faults. If the blockchain were completely transparent and required identification, the hackers would have been found, but then the decentralization and degree of anonymity would not exist. There is a trade-off with almost anything in life, and by not requiring identifiers to maintain a BTC wallet it provides individuals the ability to hold funds under a wallet number on a secure blockchain. In this instance, the hackers have not spent their funds in a way in which they can be captured, or their anonymity revealed.  

The lessons that can be learned from this entire situation is staying extremely vigilant of the websites you visit and the ads you click. Beyond staying vigilant make sure you use antivirus software and anti-phishing software. Metamask is a simple Ethereum-based wallet and anti-phishing browser attachment that warns if a phishing site is landed upon. They have recently helped prevent many hacks and phishing scams. An added benefit is they work as an ETH wallet for ERC-20 tokens. If you invest in any ICOs (that are ETH-based) or need a place to keep your ETH a free anti-phishing download that doubles as a wallet is a great location!


To read the King’s prior articles, to find out which ICOs he currently recommends, or to get in contact directly with the King, you can on Twitter (@JbtheCryptoKing) or Reddit (ICO updates and Daily Reports).

Source: Read Full Article

Leave a Reply