Crypto Domains. PHOTO: Cybercrime Magazine.

Beware Of Fake Cryptocurrency Domain Names

Revealing and concerning statistics

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – May 20, 2021

The whole internet is abuzz with cryptocurrencies. Even those who are not innately interested in investing in them are joining the trend — including cybercriminals.

About $18 million USD was lost to cryptocurrency-related scams in the first quarter of 2021, including the fake Elon Musk giveaway, which caused one person to lose more than a half-million dollars. On top of that, most cryptocurrency-stealing malware can be bought for as low as one dollar on the dark web.

One of the elements crypto-related scammers and cybercriminals often need for executing campaigns is domain names, as they can serve as vehicles to deliver malware-laden emails or lure in victims with the promise of big rewards and earnings.

Yet how prevalent is the registration of suspicious crypto-related domains? Here is a summary of our findings:

  • More than 30,000 crypto-related domains and subdomains were identified as suspicious or at least worth investigating.
  • 94 percent of the sampled domains either had privacy-protected, undisclosed, or redacted registrant email addresses, making it hard to attribute ownership.
  • GoDaddy was the top registrar (19 percent) used to register those domains, followed by NameCheap (18 percent). Other registrars were MarkMonitor.(4 percent), PDR Ltd. (4 percent), NameSilo (3 percent), Dynadot (2 percent), (2 percent), Tucows, (2 percent), REGRU-RU (1 percent), and eNom (1 percent).

Crypto-related Domains: DNS Abuse in Disguise?

The Internet Corporation for Assigned Names and Numbers (ICANN) defines DNS abuse as “intentionally deceptive, conniving, or unsolicited activities that actively make use of the Domain Name System (DNS) and/or the procedures used to register domain names.”

Registering domain names for fraudulent purposes is a clear form of DNS abuse, and threat actors could be hiding behind a portion of cryptocurrency-related domains.

A targeted WHOIS database and passive DNS search yielded over 30,000 domains and subdomains that contained the words “bitcoin,” “doge,” and “cardano.” While some of these could be legitimately used for cryptocurrency-related activities, others are more suspicious. For instance, crypto-related domains and subdomains that host or have hosted cryptocurrency giveaways or promise high returns should be dealt with cautiously.

WHOIS Redaction amid DNS Abuse

The relation between DNS abuse and WHOIS data redaction is difficult to establish. After all, WHOIS redaction is not something new — registrants always had the option to employ privacy protection services. Besides privacy gains for registrants, however, domain-related crimes became more difficult to investigate.

In the past, it was in several ways easier to cross out false positives given a list of suspicious domains. One could also reach out to registrants through the publicly available contact details if needed as part of an investigation.

These days, redaction has become the norm, and so across most TLDs and registrars. For the thousands of crypto-related domains under study, about 94 percent of them were either privacy-protected, undisclosed, or redacted by their registrars. This means that only about 6 percent of those domains could be publicly attributed to an actual person or organization.

Heading Towards Accountability

Privacy protection is essential, but so is accountability. When the internet is filled with anonymity, who can help dealing with erring domains?

ICANN 70 discussions led to several proposals to mitigate DNS abuse and better specify accountability. Among those proposals were to streamline the Domain Abuse Activity Reporting (DAAR) process, as well as to require registrars and registries to report and promptly take action on DNS abuse complaints, especially when the threat actors are repetitive.

About 56 percent of the crypto-related domains studied were under the administration of ten registrars, with GoDaddy (19 percent) and NameCheap (18 percent) topping the list, as shown in the below chart. If the sampled crypto domains are found to exemplify DNS abuse, then accountability could be specified, at least to some extent, starting with these registrars.

If you’re a cybersecurity researcher or professional wanting to learn more about the cryptocurrency domains and subdomains in this study, feel free to contact us. We are open to research partnerships and collaborations.

Whois XML API Archives

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.

Sponsored by Whois XML API

Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.