Date: 02/07/2025
Severity: High
Summary
We’ve uncovered 42 malicious domains impersonating cryptocurrency-related entities like Independent Reserve, Coinbase, Coinhako, Enkrypt, and HiBT. These domains are grouped into seven clusters hosted on four IP address groups, sharing infrastructure and reusing web content. Most were registered between October and November 2024, with some dating back to March-May 2024. All domains feature a fake "Lead Market Analyst" whose identity is stolen from a real individual, Chris Weston. The campaign uses "noindex" directives to avoid search engine indexing, likely relying on targeted URLs to lure victims and evade accidental discovery.
Indicators of Compromise (IOC) List
Domains\Urls (42 domains):
bestindependentreserve.com
boredapeex.com
boredapein.com
boredapepro.com
boredapest.com
boredapew.com
coinbaseproce.com
coinbaseprowl.com
encryptcoinex.com
encryptcoinit.com
encryptcoinpro.com
encryptcointo.com
gcmlco.com
gcmlex.com
gcmlin.com
gcmlpro.com
hibtco.com
hibtex.com
hibtig.com
hibtil.com
hibtin.com
hibtit.com
hibtop.com
hibtpro.com
independentreservea.com
independentreserveco.com
independentreserveg.com
independentreserveig.com
independentreserveil.com
independentreservemax.com
independentreservemg.com
independentreserveo.com
independentreserver.com
independentreservese.com
independentreservet.com
independentreserveto.com
independentreserveup.com
independentreservew.com
coinhakoex.com
coinhakoin.com
coinhakoit.com
coinhakopro.com
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\Urls 1 : userdomainname like "independentreserveto.com" or url like "independentreserveto.com" or userdomainname like "hibtit.com" or url like "hibtit.com" or userdomainname like "encryptcoinpro.com" or url like "encryptcoinpro.com" or userdomainname like "independentreserver.com" or url like "independentreserver.com" or userdomainname like "boredapepro.com" or url like "boredapepro.com" or userdomainname like "coinhakoin.com" or url like "coinhakoin.com" or userdomainname like "independentreserveil.com" or url like "independentreserveil.com" or userdomainname like "boredapeex.com" or url like "boredapeex.com" or userdomainname like "independentreservemg.com" or url like "independentreservemg.com" or userdomainname like "hibtop.com" or url like "hibtop.com" or userdomainname like "gcmlco.com" or url like "gcmlco.com" or userdomainname like "encryptcoinit.com" or url like "encryptcoinit.com" or userdomainname like "boredapew.com" or url like "boredapew.com" or userdomainname like "coinhakoit.com" or url like "coinhakoit.com" or userdomainname like "encryptcointo.com" or url like "encryptcointo.com" or userdomainname like "independentreservea.com" or url like "independentreservea.com" or userdomainname like "hibtex.com" or url like "hibtex.com" or userdomainname like "independentreservet.com" or url like "independentreservet.com" or userdomainname like "boredapest.com" or url like "boredapest.com" or userdomainname like "bestindependentreserve.com" or url like "bestindependentreserve.com" or userdomainname like "hibtco.com" or url like "hibtco.com" or userdomainname like "gcmlpro.com" or url like "gcmlpro.com"
Domains\Urls 2 : userdomainname like "boredapein.com" or url like "boredapein.com" or userdomainname like "coinbaseproce.com" or url like "coinbaseproce.com" or userdomainname like "coinbaseprowl.com" or url like "coinbaseprowl.com" or userdomainname like "encryptcoinex.com" or url like "encryptcoinex.com" or userdomainname like "gcmlex.com" or url like "gcmlex.com" or userdomainname like "gcmlin.com" or url like "gcmlin.com" or userdomainname like "hibtig.com" or url like "hibtig.com" or userdomainname like "hibtil.com" or url like "hibtil.com" or userdomainname like "hibtin.com" or url like "hibtin.com" or userdomainname like "hibtpro.com" or url like "hibtpro.com" or userdomainname like "independentreserveco.com" or url like "independentreserveco.com" or userdomainname like "independentreserveg.com" or url like "independentreserveg.com" or userdomainname like "independentreserveig.com" or url like "independentreserveig.com" or userdomainname like "independentreservemax.com" or url like "independentreservemax.com" or userdomainname like "independentreserveo.com" or url like "independentreserveo.com" or userdomainname like "independentreservese.com" or url like "independentreservese.com" or userdomainname like "independentreserveup.com" or url like "independentreserveup.com" or userdomainname like "independentreservew.com" or url like "independentreservew.com" or userdomainname like "coinhakoex.com" or url like "coinhakoex.com" or userdomainname like "coinhakopro.com" or url like "coinhakopro.com"
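For teams without the TDIR product, the same IOC set can be checked against proxy or DNS telemetry with a few lines of Python. The block below is an added example and is not part of this advisory or of Gurucul's TDIR; it reuses the 42 domains listed above and the two field names the queries reference (userdomainname and url), but the JSON log format and the sample records are constructed for illustration. It matches on the hostname only, so a listed domain is flagged when it is the host itself or a subdomain of it, while a look-alike that merely contains a listed domain as a prefix, or a listed domain appearing only in a query string, is not flagged.

```python
import json
from urllib.parse import urlsplit

# The 42 domains from the advisory's IOC list above.
IOC_DOMAINS = set("""
bestindependentreserve.com boredapeex.com boredapein.com boredapepro.com
boredapest.com boredapew.com coinbaseproce.com coinbaseprowl.com
encryptcoinex.com encryptcoinit.com encryptcoinpro.com encryptcointo.com
gcmlco.com gcmlex.com gcmlin.com gcmlpro.com
hibtco.com hibtex.com hibtig.com hibtil.com hibtin.com hibtit.com hibtop.com hibtpro.com
independentreservea.com independentreserveco.com independentreserveg.com
independentreserveig.com independentreserveil.com independentreservemax.com
independentreservemg.com independentreserveo.com independentreserver.com
independentreservese.com independentreservet.com independentreserveto.com
independentreserveup.com independentreservew.com
coinhakoex.com coinhakoin.com coinhakoit.com coinhakopro.com
""".split())

# Constructed sample log lines (not real telemetry). Field names userdomainname
# and url follow the advisory's queries; the JSON shape is an assumption.
SAMPLE_LOG = [
    '{"ts": "2025-02-07T09:01:00Z", "user": "alice", "url": "https://independentreserveto.com/login"}',
    '{"ts": "2025-02-07T09:02:00Z", "user": "bob", "url": "https://www.independentreserve.com/"}',
    '{"ts": "2025-02-07T09:03:00Z", "user": "carol", "userdomainname": "HIBTIT.com."}',
    '{"ts": "2025-02-07T09:04:00Z", "user": "dave", "url": "http://hibtit.com.example.net/"}',
    '{"ts": "2025-02-07T09:05:00Z", "user": "erin", "url": "https://mail.example.com/?q=coinhakoex.com"}',
]


def extract_host(value):
    """Return the lower-cased hostname from a URL, host:port or bare domain,
    with any trailing dot removed. Bare values get a '//' prefix so urlsplit
    treats them as the authority part rather than as a path."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v
    host = urlsplit(v).hostname or ""
    return host.rstrip(".")


def matched_ioc(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.
    Only label-aligned suffixes are tried, so 'nothibtco.com' does not match
    'hibtco.com' and 'hibtco.com.example.net' does not match either."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(lines):
    """Check each JSON record's userdomainname and url fields against the IOC
    set; return (ts, user, field, ioc) for every record that hits."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        for field in ("userdomainname", "url"):
            value = rec.get(field)
            if not value:
                continue
            ioc = matched_ioc(extract_host(value))
            if ioc:
                hits.append((rec.get("ts"), rec.get("user"), field, ioc))
                break  # one alert per record is enough
    return hits


if __name__ == "__main__":
    for ts, user, field, ioc in scan_log(SAMPLE_LOG):
        print(f"{ts} user={user} {field} matched IOC domain {ioc}")
```

Run against the constructed records, only alice (full URL) and carol (upper-case host with trailing dot) produce alerts; bob's visit to the legitimate exchange, dave's host that only starts with a listed domain, and erin's query-string mention are all left alone. Feeding real proxy or DNS exports through scan_log only requires mapping your own field names onto userdomainname and url.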
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-06-IOCs-for-Crypto-investment-scam-phishing-campaign.txt