Bitcoin to the moon: Trump endorsing, scammers exploiting

Threat spotlight - Feb 5, 2025

Overview

The price of Bitcoin is mooning to unprecedented heights, surpassing the $100,000 mark, a monumental event for investors, symbolizing mainstream acceptance and significant financial opportunity. Notably, Warren Buffett's Berkshire Hathaway has reportedly engaged in crypto-related investments, marking a significant shift in his earlier criticism of cryptocurrencies.

In his first week back in office, President Donald Trump has issued a series of executive orders, including one titled "Strengthening American Leadership in Digital Financial Technology." This order establishes a working group to review digital asset regulations and proposes the creation of a national bitcoin reserve. The BITCOIN Act of 2024, as well as SEC approval for BTC and ETH ETFs, has further amplified the spotlight on cryptocurrencies, aiming to position the U.S. as a global leader in the market. The Act promotes the establishment of a national Bitcoin reserve, appoints crypto-friendly regulators, and encourages widespread adoption of digital assets.

In light of these developments, Cloudflare Email Security (CES) has observed a sharp rise in crypto-related scams exploiting recent events like the launch of a Trump NFT. These scams primarily impersonate legitimate Bitcoin wallets, such as Ledger and Binance, utilizing advanced techniques like AI chatbots to masquerade as support agents in attempts to gain access to the target’s wallet.

Because blockchain transactions are irreversible, unlike transfers in traditional fiat currencies such as the U.S. dollar or the British pound, these developments underscore the importance of evolving regulatory clarity.

This article explores the tactics unfolding behind these scams, offering valuable insights into cybercriminal operations and practical advice to help individuals and organizations protect themselves in this rapidly shifting threat landscape.

Phishing schemes leveraging Trump’s name

The recent inauguration of President Trump, alongside his crypto endorsement and the launch of a cryptocurrency bearing his name, has fueled a wave of phishing schemes leveraging Donald Trump's name. Fake “digital trading cards” of NFTs like the one shown below, and other crypto-related offerings, have emerged for enthusiasts drawn by the allure of exclusive NFTs and supposed official partnerships.

These schemes feature professional-looking websites and emails impersonating legitimate Bitcoin platforms, enticing users to interact with malicious links and approve fraudulent transactions. This surge in scams highlights how quickly actors adapt to public interest, using high-profile figures and events to lend credibility to the deception.

The phishing email above urges recipients to claim their free Trump NFT if they already own the Trump Meme coin and Ethereum in their wallet. The call to action at the bottom of the email labeled ‘Claim Your Free NFT Now’ led to a shortened URL, hxxps://clvr[.]ch/PxEgx. At the time of investigation, the malicious website had already been taken down by Clever Reach, a German newsletter company that the attackers were leveraging to send their payload. However, analysts at Cloudflare suspect it likely led to an OpenSea Crypto Drainer. Additionally, this email was sent from a compromised sender domain using the address trump@marmorstone.it. This domain, first registered in 2009, highlights a common tactic used by adversaries: use of older sender domains to bypass email protections designed to block Newly Registered Domains (NRDs) from reaching users.

Researchers at CES have also noticed that a number of links contained within these crypto phishing emails have geofencing enabled, which results in a redirect to the Google homepage for visitors outside the targeted region. Attackers use this tactic to prevent anyone except their targets from accessing and analysing the site.

Rising threats in the crypto landscape

The increased adoption of cryptocurrencies has inadvertently provided threat groups with new avenues to exploit unsuspecting investors. The crypto boom has also attracted larger and more organised threat actors. These sophisticated actors employ advanced tactics with significant resources, such as creating fake investment platforms, using deepfake technology and credible-looking websites.

The FBI has reported a significant increase in cryptocurrency related scams, with losses exceeding $5.6 billion in 2023 as scammers exploit the Fear of Missing Out (FOMO) surrounding Bitcoin’s rise. The FBI's figure encompasses a broad spectrum of cryptocurrency-related fraud, including investment scams, tech support schemes, and romance scams, which collectively swindled victims out of billions. The below graph, on the other hand, focuses specifically on crypto stolen through hacking incidents.

A type of malware gaining popularity in these hacking incidents is a crypto drainer, which is primarily designed to enumerate and identify all available assets, including cryptocurrency, tokens and NFTs, to facilitate draining funds from victims’ digital wallets. An attacker could drain your wallet without the seed phrase (a sequence of simple words used to generate your wallet's private key), using a malicious tool or mechanism designed to exploit unsuspecting users by proposing fraudulent transactions. These transactions appear legitimate, tricking the user into approving them. Once approved, the transaction transfers the victim’s assets to the attacker's wallet.
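The drainer flow above depends on the victim approving a transaction they do not understand. As an added example (not code from the Cloudflare article), the block below decodes the ABI calldata a dApp asks a wallet to sign and flags the shapes a drainer typically needs: an unlimited ERC-20 allowance, a blanket NFT operator approval, or a direct transfer to an address the user has never dealt with. The function selectors are the standard ERC-20/ERC-721 ones; the sample calldata, the spender address and the "known counterparties" allowlist are constructed for illustration, and the assumption that the fraudulent transactions are token approvals is mine, not the article's.

```python
# Added example: inspect proposed EVM calldata before approval.
# Selector = first 4 bytes of keccak256(signature); these are the standard
# ERC-20 / ERC-721 values.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155 operator
    "a9059cbb": "transfer(address,uint256)",        # ERC-20 transfer
}
UINT256_MAX = (1 << 256) - 1


def decode_calldata(calldata: str) -> dict:
    """Return the function and decoded arguments of ABI-encoded calldata.

    Each argument occupies one 32-byte word; addresses are left-padded to
    32 bytes, so the address is the last 20 bytes of the word.
    """
    data = calldata.lower().removeprefix("0x")
    sig = SELECTORS.get(data[:8])
    words = [data[8 + i:8 + i + 64] for i in range(0, len(data) - 8, 64)]
    if sig is None or len(words) < 2 or any(len(w) != 64 for w in words):
        return {"function": None, "raw_selector": data[:8]}
    target = "0x" + words[0][-40:]   # address argument
    value = int(words[1], 16)        # uint256 amount, or bool encoded as a word
    return {"function": sig, "target": target, "value": value}


def assess_transaction(calldata: str, known_counterparties: set) -> list:
    """Findings a wallet UI could surface before the user clicks 'approve'."""
    d = decode_calldata(calldata)
    if d["function"] is None:
        return ["unrecognised function selector " + d["raw_selector"]]
    fn, target, value = d["function"], d["target"], d["value"]
    findings = []
    if fn.startswith("approve") and value == UINT256_MAX:
        findings.append("unlimited ERC-20 allowance")
    if fn.startswith("setApprovalForAll") and value == 1:
        findings.append("operator approval over every NFT in the collection")
    if fn.startswith("transfer"):
        findings.append("direct token transfer")
    known = {a.lower() for a in known_counterparties}
    if findings and target.lower() not in known:
        findings.append(f"counterparty {target} not previously used")
    return findings


# Constructed sample: an approve() granting an unlimited allowance to an
# unfamiliar spender address (the pattern a drainer relies on).
DRAINER_APPROVE = (
    "0x095ea7b3"
    + "000000000000000000000000" + "deadbeef" * 5   # spender address (made up)
    + "f" * 64                                       # amount = 2**256 - 1
)
TRUSTED = {"0x" + "ab" * 20}   # assumed allowlist of previously used addresses

if __name__ == "__main__":
    for finding in assess_transaction(DRAINER_APPROVE, TRUSTED):
        print("WARNING:", finding)
```

A real wallet would additionally simulate the transaction and resolve the spender against a contract registry, but even this static decode makes the difference between "approve 100 tokens to a known exchange contract" and "approve everything, forever, to an address seen for the first time" visible before the signature is given.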

There is also a worrying trend of generic stealers, such as RedLine, that are blurring the lines between drainers and stealer malware. RedLine Stealer, a prominent infostealer operating on a Malware as a Service (MaaS) model, is readily available on hacking forums and is designed to extract sensitive information from compromised systems, including login credentials, credit card details, and cryptocurrency wallet data, as seen below.

Attack vectors

Highlighted below are attack vectors likely exploited by Bitcoin threat groups, as observed and tracked by Cloudflare’s CES PhishGuard team.

Impersonation scams

Attackers frequently impersonate support agents or representatives of well-known companies to deceive users into handing over sensitive credentials or transferring funds. These scams often create urgency, claiming issues such as account compromise or flagged transactions. By leveraging the reputation of large brands in order to gain access to the seed phrase of a wallet, attackers bypass transaction approvals, gaining unrestricted control over the wallet. This allows them to transfer funds and assets faster than you can say “cold storage”.

There is a single combination of 24 words that lies between any of us and $24 billion, the current largest Bitcoin wallet. While this may sound terrifying, it represents 256 bits of entropy - an astronomical 2^256 combinations. Unfortunately, the real risk lies not in brute force, but in social engineering attacks targeting this seed phrase.

Impersonation to harvest credentials - attack lifecycle and key characteristics

In another recently observed impersonation campaign, attackers launched a website posing as Ledger, a well known cryptocurrency wallet. They then sent phishing emails, complete with logos, fonts and design elements closely replicating Ledger's branding (as shown in the images below). The email purports to be a security notice and directs users to click on a button labeled, ‘Verify My Recovery Phrase’. This link sends users to ledgerprotecthub[.]com, a fake website that was recently created to steal account credentials and funds. Users who entered their seed phrase under the guise of “verifying” or resolving a fabricated security issue, unknowingly gave attackers full access to their wallets.

Impersonation to steal seed phrase - attack lifecycle and key characteristics

Cloud mining

Cloud mining allows individuals to lease hardware or hash power from remote data centres, letting them mine cryptocurrency without managing physical equipment. This sector has become rife with fraudulent schemes, with scams revolving around promises of automated crypto mining with high and unrealistic payouts, luring victims with enticing rewards and compelling testimonials. Victims are often required to provide personal information or make an upfront payment, only to find the promised earnings never materialise. A notable instance of fraudulent activity is the case of HashOcean, a supposed cloud mining service that claimed to handle large-scale mining operations. Despite its professional online presence, HashOcean was revealed to own no mining infrastructure and operated as a Ponzi scheme, disappearing with investors' funds.

Below is an example of a cloud mining phishing site identified by Cloudflare’s Phishguard team. In this campaign, a user receives an unsolicited email stating, “You’ve earned 1.34 BTC from our automated mining program!” with a link (in this case fdeumining[.]top) to claim the reward. Clicking the link leads to the extraction of personal data or financial loss, which can include identification documents.

Cloud mining - attack lifecycle and key characteristics

Airdrop scams

Legitimate airdrops are used in blockchain projects to distribute free tokens, often to promote new tokens or reward loyal users. Fraudulent airdrops exploit this concept and the appeal of "free crypto", enticing users to perform wallet actions or pay small fees to receive tokens. Targets may notice tokens in their wallet and attempt to swap them for more desirable ones, only to find that the process fails. This might lead them to a block explorer, where they encounter a message instructing them to claim their tokens through a third-party website. The attacker’s ultimate goal is to either gain access to the wallet or steal funds directly.

In another campaign investigated by the Phishguard team, targets received a phishing email with a message stating, “Claim your free airdrop—just connect your wallet to receive tokens”. If a target clicked the provided link, they would be directed to the malicious platform shown below and eventually prompted to enter their credentials, leading to wallet compromise.

Airdrop scams - attack lifecycle and key characteristics

Fake crypto apps

Actors develop fraudulent applications that closely resemble legitimate crypto wallets and exchange platforms, distributed on unofficial app stores or deceptive sites, aiming to dupe users into downloading them. Once installed, these apps steal sensitive information, such as recovery phrases, private keys and identification details, leading to unauthorised access and potential theft. Practicing caution is imperative, as seen when a counterfeit Ledger Live App was found on the Microsoft store, resulting in a total loss of $768,000.

Below is an instance of a campaign promoting a fake Ledger app via email, which directed users to visit ledgerlielp.gitbook[.]io. The fraudulent site mimicked Ledger's branding, luring targets to disclose their details by promising new features that don’t exist in the authentic app.

Fake crypto apps - attack lifecycle and key characteristics

Phone scams

Attackers employ various communication platforms, including SMS, phone calls and emails, to impersonate support teams of exchanges or wallet providers. They create a sense of urgency by claiming suspicious activity on the user's account, pressuring them to share sensitive information such as seed phrases or 2FA codes.

In the phone scam example below, the target receives an email alerting them about a BTC payment made from their PayPal account using an unfamiliar IP address, and urges them to call the provided phone number. Concerned, the target may call the number, only to speak with a scammer posing as a PayPal support representative. The scammer claims, "Your account has been locked due to suspicious activity. Please provide your 2FA code to regain access." Trusting the caller's legitimacy, the victim may provide the code, granting the attacker access to their account and funds.

Attackers in this campaign utilized the address ‘dse_na4@docusign.net’, an expected sender for DocuSign (i.e., used to bypass defenses), but a clear red flag as it's unrelated to the PayPal lure. Additionally, the 'Reply-To' field revealed a Guerrilla Mail address ('@grr.la'). Guerrilla Mail is a service providing disposable email addresses, which are often leveraged in phishing attacks to provide anonymity and evade spam filters or blocklists.

Phone scams - attack lifecycle and key characteristics

Extortion

Threat actors send threatening emails or messages claiming access to compromising personal information about the target. They coerce victims into paying cryptocurrency ransoms to prevent the release of the fabricated or stolen data. These scams also often leverage information from data breaches to appear more convincing.

Below is an example of a common extortion scheme where a target receives an email stating, “We have compromising information about you—pay 1 BTC within 48 hours, or we’ll release it to your contacts”. The message may include personal details obtained from previous data breaches, but the attacker typically does not possess any compromising material.

To detect these text-based attacks, we leverage AI-driven sentiment analysis to identify language patterns intended to evoke fear or urgency. By analyzing contextual cues, we can distinguish legitimate emails from phishing attempts. Additionally, metadata such as sender domain, email headers, reply-to and link scores are analysed to corroborate suspicions.

Extortion - attack lifecycle and key characteristics

Detecting and mitigating the activity

The Cloudflare PhishGuard and Email Detection teams deployed a series of detections to block malicious crypto-related emails. These detections evaluate domain reputation and link behaviour, alongside capabilities to identify suspicious crypto-related sentiment and branding within the messages. We combine these high-confidence detections in our production environment along with proactive threat hunting techniques to identify emerging email-based threats. Additionally, these detections leverage our machine learning models, which analyse email content, sentiment and metadata to detect and flag malicious messages.

Below is a sampling of some of our crypto-related detections along with descriptions of the messages they aim to detect:

Verified_Brand.Cryptocurrency.Call_Scam

  • Detects impersonation scams involving verified brands and fraudulent cryptocurrency-related phone call lures. Typically attackers pose as support or security teams.

Body.Cryptocurrency.SentimentCM_Scareware.All.Phishing

  • Utilizes proprietary AI-driven sentiment analysis to flag phishing campaigns by examining word patterns. For instance, emails employing scare tactics to provoke urgent action, such as phrases like "unauthorized access" or "account suspension," are identified and flagged.

Body.CryptoCurrency.ClassicSpoofed

  • Monitors the email ‘envelope from’ address for spoofing attempts in conjunction with a cryptocurrency-themed message body.
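The phone-scam analysis earlier (DocuSign sender, Guerrilla Mail Reply-To) and the three detection descriptions above all combine the same kinds of signals: crypto-themed content, fear or urgency wording, a Reply-To domain that differs from the From domain and belongs to a disposable-mail provider, an envelope sender that does not match the header From, and links to known-bad hosts. As an added example (not Cloudflare's detection code, which uses machine-learning models rather than word lists), the block below applies a simple rule-based version of those checks to two constructed emails. The word lists, the disposable-provider list, the threshold and both sample messages are assumptions for illustration; the two blocklisted hosts are the article's own indicators with the defanging removed.

```python
# Added example: rule-based scoring of the signals the article describes.
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for this example; production lists would be far larger.
CRYPTO_TERMS = ("bitcoin", "btc", "ethereum", "wallet", "seed phrase",
                "recovery phrase", "airdrop", "nft", "mining")
URGENCY_PHRASES = ("unauthorized access", "account suspension",
                   "suspicious activity", "has been locked",
                   "within 48 hours", "immediately", "verify your")
DISPOSABLE_DOMAINS = {"grr.la", "guerrillamail.com"}     # assumed list
BLOCKLISTED_HOSTS = {"ledgerprotecthub.com", "clvr.ch"}   # article IoCs, refanged
PHISHING_THRESHOLD = 3                                    # assumed

URL_RE = re.compile(r"""https?://([^/\s<>"']+)""", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Domain part of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def score_email(raw: str) -> dict:
    """Return the findings, a score and a verdict for one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    # Content signals: crypto theme plus scare/urgency language.
    if any(term in text for term in CRYPTO_TERMS):
        findings.append("crypto_theme")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency_language:" + ",".join(hits))

    # Metadata signals: Reply-To vs From, disposable provider, envelope sender.
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply_to_mismatch:{reply_dom}")
    if reply_dom in DISPOSABLE_DOMAINS:
        findings.append("disposable_reply_to")
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope_from_mismatch:{envelope_dom}")

    # Link signal: any URL host on the blocklist.
    for host in URL_RE.findall(body):
        if host.lower() in BLOCKLISTED_HOSTS:
            findings.append(f"blocklisted_link:{host.lower()}")

    score = len(findings)
    verdict = ("phishing" if score >= PHISHING_THRESHOLD
               and "crypto_theme" in findings else "clean")
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed sample modelled on the PayPal/BTC phone lure described above.
SCAM_EMAIL = """\
From: DocuSign <dse_na4@docusign.net>
Reply-To: Support <emandida785207@grr.la>
Return-Path: <bounce@mailer.example.net>
Subject: BTC payment from your PayPal account
Content-Type: text/plain

A payment of 0.83 BTC (Bitcoin) was sent from your PayPal account from an
unfamiliar IP address. Your account has been locked due to suspicious activity.
Call the support line below within 48 hours to cancel this transaction.
"""

# Constructed benign sample.
LEGIT_EMAIL = """\
From: Payroll <payroll@example.org>
Reply-To: payroll@example.org
Return-Path: <payroll@example.org>
Subject: Updated holiday schedule
Content-Type: text/plain

Hi all, the updated holiday schedule for next quarter is attached. Please
review it before Friday.
"""

if __name__ == "__main__":
    for sample in (SCAM_EMAIL, LEGIT_EMAIL):
        print(score_email(sample))
```

The point of keeping the findings as labelled strings rather than a bare score is triage: an analyst seeing "reply_to_mismatch:grr.la" next to "disposable_reply_to" can confirm the verdict in seconds, which is what the article's header-level analysis of the DocuSign/Guerrilla Mail campaign amounts to.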

Indicators of compromise

Link
fedumining[.]top/payouts
coudelariavaledoave[.]com/home.html
metamasksrecovery[.]com
meta-portfolio[.]org
ledgerprotecthub[.]com
bina-mail[.]top
ledgerlielp.gitbook[.]io
trustwallet.validating-secure[.]com
edshop[.]us
escalanteconstruction[.]com
seeders[.]hu
ledger.rojasyp[.]com
refapel[.]top
polyhedra-network.sip-tech[.]hr
arvidg.free[.]fr
gadgetfixzone[.]com/ether
stewarthaasracing[.]com
extrasensorial[.]shop/payouts/
verification.metemask[.]com/meta/kyc_verification/
trustwallet.pauvas[.]com.au
base-fastbitl[.]cc/threads/transfers?u=a413a4
unassimilable[.]shop/payouts/
base-fastbitl[.]cc
kycverification.datamrk[.]co
pusillanimously[.]shop
deossification[.]shop
clvr[.]ch/PxEgx
arvidg.free[.]fr/clm.html
trustmysterybox[.]run
auth-bitgetconnect.ddnss[.]eu

Sender
ledger@media[.]com
service@ledgerweb3[.]com
service@ledger-web3[.]com
btc@invisturl[.]info
eventos@ambito[.]com.ar
trump@marmorstone[.]it
emandida785207@grr[.]la
noreply@texaslawgroup[.]com




About Cloudforce One

Cloudflare’s mission is to help build a better Internet. And a better Internet can only exist with forces of good that detect, disrupt and degrade threat actors who seek to erode trust and bend the Internet for personal or political gain. Enter Cloudforce One – Cloudflare’s dedicated team of world-renowned threat researchers, tasked with publishing threat intelligence to arm security teams with the necessary context to make fast, confident decisions. We identify and defend against attacks with unique insight that no one else has.

The foundation of our visibility is Cloudflare’s global network – one of the largest in the world – which encompasses about 20% of the Internet. Our services are adopted by millions of users across every corner of the Internet, giving us unparalleled visibility into global events – including the most interesting attacks on the Internet. This vantage point allows Cloudforce One to execute real-time reconnaissance, disrupt attacks from the point of launch, and turn intelligence into tactical success.
