Crypto Investment Scam/Phishing Campaign

    Date: 02/07/2025

    Severity: High

    Summary

    We’ve uncovered 42 malicious domains impersonating cryptocurrency-related entities like Independent Reserve, Coinbase, Coinhako, Enkrypt, and HiBT. These domains are grouped into seven clusters hosted on four IP address groups, sharing infrastructure and reusing web content. Most were registered between October and November 2024, with some dating back to March-May 2024. All domains feature a fake "Lead Market Analyst" whose identity is stolen from a real individual, Chris Weston. The campaign uses "noindex" directives to avoid search engine indexing, likely relying on targeted URLs to lure victims and evade accidental discovery.

    Indicators of Compromise (IOC) List

    Domains\Urls :


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\Urls 1 : 

    userdomainname like "independentreserveto.com" or url like "independentreserveto.com" or userdomainname like "hibtit.com" or url like "hibtit.com" or userdomainname like "encryptcoinpro.com" or url like "encryptcoinpro.com" or userdomainname like "independentreserver.com" or url like "independentreserver.com" or userdomainname like "boredapepro.com" or url like "boredapepro.com" or userdomainname like "coinhakoin.com" or url like "coinhakoin.com" or userdomainname like "independentreserveil.com" or url like "independentreserveil.com" or userdomainname like "boredapeex.com" or url like "boredapeex.com" or userdomainname like "independentreservemg.com" or url like "independentreservemg.com" or userdomainname like "hibtop.com" or url like "hibtop.com" or userdomainname like "gcmlco.com" or url like "gcmlco.com" or userdomainname like "encryptcoinit.com" or url like "encryptcoinit.com" or userdomainname like "boredapew.com" or url like "boredapew.com" or userdomainname like "coinhakoit.com" or url like "coinhakoit.com" or userdomainname like "encryptcointo.com" or url like "encryptcointo.com" or userdomainname like "independentreservea.com" or url like "independentreservea.com" or userdomainname like "hibtex.com" or url like "hibtex.com" or userdomainname like "independentreservet.com" or url like "independentreservet.com" or userdomainname like "boredapest.com" or url like "boredapest.com" or userdomainname like "bestindependentreserve.com" or url like "bestindependentreserve.com" or userdomainname like "hibtco.com" or url like "hibtco.com" or userdomainname like "gcmlpro.com" or url like "gcmlpro.com"

    Domains\Urls 2 :

    userdomainname like "boredapein.com" or url like "boredapein.com" or userdomainname like "coinbaseproce.com" or url like "coinbaseproce.com" or userdomainname like "coinbaseprowl.com" or url like "coinbaseprowl.com" or userdomainname like "encryptcoinex.com" or url like "encryptcoinex.com" or userdomainname like "gcmlex.com" or url like "gcmlex.com" or userdomainname like "gcmlin.com" or url like "gcmlin.com" or userdomainname like "hibtig.com" or url like "hibtig.com" or userdomainname like "hibtil.com" or url like "hibtil.com" or userdomainname like "hibtin.com" or url like "hibtin.com" or userdomainname like "hibtpro.com" or url like "hibtpro.com" or userdomainname like "independentreserveco.com" or url like "independentreserveco.com" or userdomainname like "independentreserveg.com" or url like "independentreserveg.com" or userdomainname like "independentreserveig.com" or url like "independentreserveig.com" or userdomainname like "independentreservemax.com" or url like "independentreservemax.com" or userdomainname like "independentreserveo.com" or url like "independentreserveo.com" or userdomainname like "independentreservese.com" or url like "independentreservese.com" or userdomainname like "independentreserveup.com" or url like "independentreserveup.com" or userdomainname like "independentreservew.com" or url like "independentreservew.com" or userdomainname like "coinhakoex.com" or url like "coinhakoex.com" or userdomainname like "coinhakopro.com" or url like "coinhakopro.com"
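As an added example that is not part of the original advisory, the Python below pulls the indicator domains out of a TDIR-style query like the two above and checks proxy-log hostnames against them on label boundaries, so a subdomain of a listed domain is flagged while an unrelated host that merely contains the string is not. The log format, the users and the non-indicator hosts in the sample are constructed; the query fragment uses three of the domains from the page.

```python
import re
from urllib.parse import urlsplit

# Gurucul TDIR query fragment in the same form as the page's queries,
# shortened to three of the 42 domains so the sample stays small.
TDIR_QUERY = (
    'userdomainname like "independentreserveto.com" or url like "independentreserveto.com" '
    'or userdomainname like "hibtit.com" or url like "hibtit.com" '
    'or userdomainname like "coinhakoin.com" or url like "coinhakoin.com"'
)

# Constructed sample proxy log lines (hypothetical "timestamp user url" format).
# www.independentreserve.com is assumed here to be the genuine exchange site.
SAMPLE_LOGS = """\
2025-02-07T09:12:01Z alice https://www.independentreserve.com/login
2025-02-07T09:15:44Z bob https://independentreserveto.com/analyst/chris
2025-02-07T09:16:02Z carol https://app.hibtit.com/deposit?ref=abc
2025-02-07T09:20:10Z dave https://coinhakoin.com.example.org/
"""

_QUOTED = re.compile(r'like\s+"([^"]+)"')

def domains_from_query(query):
    """Extract the quoted indicator domains from a TDIR-style query."""
    return {m.lower() for m in _QUOTED.findall(query)}

def host_matches(host, ioc_domains):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    Walking the label suffixes avoids substring hits such as
    coinhakoin.com.example.org or the genuine independentreserve.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None

def scan_logs(log_text, ioc_domains):
    """Return (user, host, matched_ioc) for every log line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname or ""
        matched = host_matches(host, ioc_domains)
        if matched:
            hits.append((parts[1], host, matched))
    return hits
```

Run `scan_logs(SAMPLE_LOGS, domains_from_query(TDIR_QUERY))` to get the two hits (bob and carol); alice and dave are not flagged.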

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-06-IOCs-for-Crypto-investment-scam-phishing-campaign.txt


    Tags

    Malware, Phishing, cryptocurrency

