Domain spoofing on the rise as cybercriminals see some crypto sites as a ‘perfect target’

September 2, 2022, 11:00 AM UTC
Glove-wearing hand inserting key with asterisks into keyhole
Crypto websites such as and Binance compose a staggering 77% of spoofing attacks among the 10 most-targeted sites.
Boris Zhitkov—Getty Images

The crypto industry has become synonymous with hacks. The blockchain intelligence firm Chainalysis found that criminal hackers stole approximately $3.2 billion in 2021—a 516% increase from 2020. 

With governments tackling ransomware attacks, hackers are turning to different techniques. A new report from cybersecurity company Bitdefender found that website spoofing—or attacks where cybercriminals create international domain names that imitate a target’s domain name—has become one of the most prevalent new strategies.

According to Bitdefender’s analysis, websites such as and Binance compose a staggering 77% of spoofing attacks for the 10 most-targeted websites. Facebook, by comparison, accounts for 9%.  

“It’s like a perfect target for these actors,” said Martin Zugec, technical solutions director at Bitdefender. 

Neither nor Binance provided data on spoofing attacks, but each said it was vigilant in addressing them.

“We use both internal and external tools to detect phishing websites at various user lifecycle stages, from domain name registration to a website going live,” Jimmy Su, Binance’s chief security officer, told Fortune. “Any detected phishing websites are taken down through multiple third-party vendor services.”

A spokesperson said the company conducts 24/7 monitoring to identify and remove phishing campaigns.

A basic type of spoofing attack, or homograph phishing, is substituting letters or numbers from popular domain names to create websites that appear similar—changing Google’s two O’s to zeroes, for example. Zugec said spoofing increased with the introduction of international domain names, when cybercriminals began using similar letters from different alphabets to steer users toward fraudulent sites. Some of the letters are close enough to be barely noticeable to users—or even invisible.

While browsers have cracked down on the practice—such as restricting non-Latin characters—different applications are still vulnerable, with Zugec citing Microsoft Office as an example, as well as some messaging apps on mobile phones.

‘Worth the extra effort’

Crypto-focused websites are particularly vulnerable to spoofing attacks. They tend to have a large concentration of funds and inexperienced users, providing a huge target. In 2021, Cybercrime Magazine found that more than 30,000 crypto-related domains and subdomains were identified as suspicious or worth investigating. 

Furthermore, with law enforcement agencies going after hacking groups—such as the U.S. Department of the Treasury sanctioning cryptocurrency mixer software Tornado Cash—cybercriminals are turning to different means. Rug pulls, where developers build seemingly legitimate cryptocurrency projects and then disappear with investors’ funds, are a relatively new development, according to Chainalysis. Homograph phishing attacks are also making a comeback., for example, had previously been targeted by a $27 million spoofing attack in 2019. 

Spoofing attacks are difficult to set up and maintain, which makes bigger crypto websites like even more appealing for cybercriminals. “It’s worth the extra effort,” added Zugec. 

He told Fortune that although it’s difficult to estimate how much money the recent uptick in spoofing attacks has netted, “What we know for sure is these cryptocurrency scams specifically are very successful.”

Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.