
Cyber Incident Victim: Bittrex

Date:

Aug 2017

Location:

United States of America

Summary

A phishing campaign targeted users of a cryptocurrency exchange through a fraudulent website mimicking the legitimate platform's login page, designed to steal credentials and funds. The fake domain utilized a visually similar URL with character substitution to deceive victims, resulting in financial losses for at least one user who reported stolen assets. The malicious site, registered to an individual in Russia, was identified and subsequently taken offline shortly after discovery, with web browsers flagging it as deceptive. A separate phishing attempt leveraged search engine advertisements to promote another fraudulent domain, which briefly appeared above the genuine exchange's site in search results. Both schemes aimed to harvest authentication details and drain accounts by exploiting visual similarities to the authentic platform.


Description

In mid-August 2017, a phishing campaign targeted users of the cryptocurrency exchange Bittrex through a fraudulent domain designed to mimic the legitimate platform. The fake website, operating at blttrex[.]com, employed typosquatting by substituting the letter 'i' in Bittrex's authentic domain (bittrex[.]com) with an 'l', creating a visually similar URL. This deceptive site replicated Bittrex's login interface to harvest user credentials and two-factor authentication codes. On August 15, 2017, a user identified as Tourpaul reported losing approximately $2,000 after inadvertently entering his login details on the phishing portal. Tourpaul documented the incident on Steemit, noting attackers drained his account within five minutes of credential entry and that the fraudulent domain became inaccessible the following day. Additional warnings circulated on Reddit as users shared information about the scam. The phishing domain's registration records, visible via WHOIS lookup, listed Sergey Valerievich Kireev of Russia as the registrant, including his physical address, phone number, and email.


The threat actors operated the phishing site for a limited duration before it was rendered inactive, though the precise reason for its takedown remained unspecified. By August 19, 2017, Google Chrome browsers flagged the domain as a phishing risk. A separate but related phishing operation leveraged Google AdWords to promote another fraudulent Bittrex clone, which briefly appeared above the genuine exchange’s website in search results. This secondary scam domain was also defunct by the time of reporting. The incidents resulted in confirmed financial losses for affected users like Tourpaul, who received no response from Bittrex support regarding fund recovery attempts. Security researchers observed the campaigns relied on visual deception and search engine manipulation rather than technical exploits against Bittrex’s infrastructure, with user vigilance and bookmarking official URLs cited as critical preventative measures in subsequent discussions.
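As an added example, not part of this incident record or of any Bittrex tooling: a small Python check that folds visually confusable characters before comparing a candidate domain with the genuine one, so the 'i' to 'l' swap in blttrex[.]com collapses onto bittrex.com instead of slipping past an exact-match filter. The confusable table and the one-edit threshold are assumptions, and defanged input with "[.]" is accepted as written in the record.

```python
# Added example: flag look-alike domains for a protected brand domain.
# The CONFUSABLES list is an assumption (a starting set, not exhaustive):
# pairs of glyphs that render alike and are swapped in typosquats.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"), ("5", "s")]


def fold_confusables(label: str) -> str:
    """Map look-alike characters onto one canonical form (e.g. 'blttrex' -> 'bittrex')."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one substitution separates 'blttrex' from 'bittrex'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain; assumes a single-label TLD such as .com."""
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_lookalike(candidate: str, brand: str = "bittrex.com", max_distance: int = 1):
    """Return (verdict, edit_distance) for a candidate domain against the brand.

    'exact'      : the genuine domain
    'tld-swap'   : same label under a different TLD
    'confusable' : identical once look-alike glyphs are folded (the blttrex case)
    'near'       : within max_distance edits of the brand label
    'unrelated'  : everything else
    """
    cand_full = candidate.lower().replace("[.]", ".")
    if cand_full == brand.lower():
        return ("exact", 0)
    cand, real = registrable_label(cand_full), registrable_label(brand)
    if cand == real:
        return ("tld-swap", 0)
    dist = levenshtein(cand, real)
    if fold_confusables(cand) == fold_confusables(real):
        return ("confusable", dist)
    if dist <= max_distance:
        return ("near", dist)
    return ("unrelated", dist)
```

Run it against a referer or DNS log's hostnames to surface candidates for a takedown request or a block-list entry; the 'confusable' verdict is the one an exact-match filter would miss.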
