Hackers Stole $50 Million in Cryptocurrency Using ‘Poison’ Google Ads

February 14, 2018, 8:17 PM UTC

For years, hackers have robbed Bitcoin investors, emptying their cryptocurrency wallets without fear of being caught thanks to the relative anonymity of the blockchain. Now, Cisco (CSCO) has exposed the thieves behind a string of particularly flagrant attacks.

A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco’s Talos cybersecurity team.

The report explains how thieves preyed upon their victims using a “very simple” yet treacherous technique: Buying Google ads on popular search keywords related to cryptocurrency “to poison user search results” and snatch the contents of crypto wallets. This meant people Googling terms like “blockchain” or “bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for wallets.

For example, the poison ads included “spoofed” links with small types like “” and “,” which sent visitors to a landing page that mirrored actual websites of the company Blockchain, which runs both the domains and (The legitimate sites appeared lower in results than the “poisoned” links, according to Cisco’s report.)

Fooled into believing they had come to the right place, victims then entered private information that allowed the hackers to gain access to their actual wallets and take their digital money. “The attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims,” the Talos team led by Jeremiah O’Connor and Dave Maynor said in their report.

Blockchain, for its part, is working with Google “on a daily basis” to take down phishing ads, and secured the removal of almost 10,000 such malicious websites last year, along with another 3,000 it flagged in January alone, according to Blockchain CEO and co-founder Peter Smith.

“Beyond our work in removing such ads, we are committed to educating and arming our users with the tools necessary to protect themselves from such attacks,” Smith said in a statement. Unfortunately, this is a widespread problem that extends far beyond our company and industry.”

Cisco, which investigated the “massive phishing campaign” for more than six months in partnership with Ukraine’s Cyberpolice, noted that the Coinhoarder group’s method has since “become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.” Schemes involving digital advertising prompted Facebook to ban all cryptocurrency ads earlier this year, and Google is also working to root out abusive ads, a spokesperson recently told Fast Company.

How the Coinhoarder hackers robbed their victims’ cryptocurrency wallets. Diagram courtesy of Ukraine Cyberpolice
Ukraine Cyberpolice

The Coinhoarder thefts occurred over the course of three years but surged at the end of 2017 as Bitcoin prices soared close to $20,000, with $10 million stolen between September and December. In one burst, the hackers made off with $2 million in the span of less than four weeks, the Talos researchers said. It’s possible the value of the thieves’ bounty totals much more than $50 million now, as Talos based its calculations on cryptocurrency prices at the time of the theft.

Phishing, which is just one of several techniques used to steal Bitcoin, is also deployed by the notorious North Korean hacking ring known as the Lazarus Group, which is likewise accused of perpetrating phishing attacks to steal cryptocurrency. Cisco found that the Coinhoarder scam disproportionately ensnared those from underbanked regions where cryptocurrency has caught on as an alternative means of storing wealth: Residents of African countries such as Nigeria and Ghana made up the majority of those who landed on the malignant websites.

In its report, Cisco also revealed some of the hackers’ own Bitcoin wallet addresses, to which it was able to trace the stolen funds with the help of Ukrainian law enforcement. Unmasking the actual thief or thieves is more difficult, as Bitcoin addresses are pseudonymous and don’t contain the name of the person to whom they belong. But Cisco’s Talos researchers are scouring the Internet for clues, including forums such as Reddit where Coinhoarder victims have discussed the theft. “While identifying the individual who owns a specific wallet is extremely difficult, we still can look for open source intelligence surrounding the wallet,” the researchers said in the report.

One day, victims might even be able to get their money back—though such happy outcomes are so far exceedingly rare.

This story has been updated to reflect a response from Blockchain CEO Peter Smith.