These scams leverage the ongoing distribution of customer assets following BlockFi’s 2022 bankruptcy, tricking victims into surrendering cryptocurrency wallet seed phrases, potentially leading to financial losses.

BlockFi, once a prominent provider of high-yield interest accounts and crypto-backed loans, announced bankruptcy in November 2022.

The company began disbursing repayments to affected clients in 2024 as part of its restructuring plan.

Kaspersky has detected fraudulent emails mimicking BlockFi’s official branding, which falsely invite recipients to “claim the payment” they are “entitled to.” After clicking on the link, users land on a phishing page and are prompted to “connect their wallet”.

The attackers suggest that users import their existing wallet by typing in the secret phrase – this grants attackers direct access to the funds in the victim’s wallet.

“Phishing attacks like this are widespread, capitalising on real-world events to build trust and urgency. Victims who fall for these scams risk exposing their crypto wallets to theft. It’s critical for individuals to verify any communications directly through official channels and to check the address from where the email originates for legitimacy,” comments Roman Dedenok, anti-spam expert at Kaspersky.

The phishing emails feature convincing logos, colour schemes, and language, making them difficult to spot at first glance.

Kaspersky recommends the following steps to avoid falling victim to this or similar scams:

• Do not click on links or respond to unsolicited emails.
• Protect Sensitive Information: Never share banking credentials, wallet seed phrases, or other private keys in response to an email or online form.
• Use Security Tools: Enable two-factor authentication (2FA) on all financial accounts, employ reputable security software and consider using a password manager to safeguard credentials.

Since the beginning of 2022, Kaspersky products detected and prevented almost 200 000 attempts to steal users’ digital currencies and credentials to their wallets via phishing.

The number of such attempts almost reached 50 000 in April, which is half of the indicators for the first quarter of 2022. Crypto wallets are the primary target for scamming and malicious activity.

With the boom in digital currencies observed over the past five years, Kaspersky experts have seen various cybercriminal tactics used to steal cryptocurrency – from luring victims with gifts sent by crypto exchanges to distributing Trojanized DeFi wallets. Crypto wallets are the primary target for scammers because they are the initial place of storage for cryptocurrency and deal with large amounts of virtual money.

In 2022, Kaspersky products have recorded 193,125 phishing attempts aimed at potential crypto investors or users interested in cryptocurrency mining. Throughout the first quarter of this year, Kaspersky experts discovered about 107,000 attempts.

Then in April alone there were nearly 50,000 attempts – that is nearly half of the previous quarter in a single month.

Fraudsters mimic the original crypto wallets’ websites and lure victims to enter a personal seed-phrase, a secret phrase of 12 or 24 words that ensures the security of the wallet, along with a password and private key.

Once the user shares their secret phrase, they’re redirected to the real website, however, their account and all of their savings are now in the scammer’s hands.

An example of a phishing page asking for the seed-phrase

In fact, crypto wallets have become the target of numerous malicious and scamming activities, including not only phishing pages disguised as the most popular wallets but also malware distributed in their names.

Kaspersky experts took a close look into the malicious files that are distributed using the names of 20 of the most popular cryptocurrency wallets.

As a result, they found that within the first five months of 2022, Kaspersky products had prevented more than 1100 users from downloading more than 1400 different variants of malicious files spread under the analysed crypto wallet names.

Out of the discovered malicious files, 75% were exploiting the Binance exchange.

This was followed by Electrum (10%) and MetaMask (9%). Most often fraudsters distributed Trojan downloaders, programs that download and install new versions of other malicious programs.

However, among the analysed files, we also found bankers, spyware and ransomware.

“Scammers will stop at nothing to steal cryptocurrency. With the growing value of digital currencies, fraudsters have been intensifying their scamming activities toward potential investors. Phishing crypto scams deserve special attention – because they’re based on social engineering, these attacks do not require any advanced technical skills to be launched and work well for the fraudsters. They are often successful due to a user’s inattention and lack of awareness. Hence, users need to be wary of basic scamming indicators: offers that are too generous, proposals from unknown senders as well as requests for money with the promise of future profit,”comments Alexey Marchenko, Head of Content Filtering Methods Research at Kaspersky.