The Crypto DNS Report: The Many Faces of Crypto-Related Internet Properties
Note: A special thanks to Ed Gibbs, WhoisXML API's Advanced Threat Researcher & Technical Account Manager, for his help compiling the domain and subdomain files used in this post.
Cryptocurrencies have gone a long way since their inception. Perhaps the most significant evidence that they have become embedded into our digital society is that as of February 2021, more than 4,000 cryptocurrencies were in existence. A decade ago, most people didn’t even know what Bitcoin was.
Cryptocurrency investing has changed the lives of certain people, too—from the Winklevoss twins who became billionaires through Bitcoin mining to the more recent rags-to-riches story of a Dogecoin millionaire who initially invested his life savings.
Unfortunately, cybercriminals may be riding the cryptocurrency tide as well. One notable role of cryptocurrency in cybercrime is cryptojacking, a form of cyberattack that uses a victim’s computer to mine cryptocurrencies. Cryptocurrency scams have also become prevalent—threat actors reach out to victims through emails luring them to send money using Bitcoin or other cryptocurrencies. Or when victims click on a link, their systems may get hacked and their money stolen.
That’s why we initiated the Crypto DNS Project to analyze how certain cryptocurrency-related domains and subdomains may not necessarily intend to change people’s lives for the better.
While some of the domains and subdomains we found may not be harmful, others raise red flags. Some of these domains could be used to plant crypto mining malware into victims’ devices. Alternatively, ransomware and the theft of financial account credentials are just a couple of the repercussions of falling victim to erring crypto-inspired domains.
Methodology and Data Gathering
The goal of this project is to uncover cryptocurrency-related domains and subdomains. In particular, we selected the oldest cryptocurrency, Bitcoin, and two of the newest and most newsworthy ones, Doge and Cardano.
We then looked at the screenshots of over 31,000 domains and subdomains and found that several of them are either parked, or for sale, or under construction. There are also those that host live content, and among the domains that stood out are suspicious ones.
Quite a few domains resolve to a news website labeled “Simcast - Powered by Microsoft News.” We also found others that seem to imitate other e-commerce sites not related to cryptocurrency.
WHOIS data redaction is evident in our findings as well, with 94.33% of registrant emails anonymized either by the registrars or through third-party privacy protection services.
Why Bitcoin, Doge, and Cardano?
We have done various studies that showed a correlation between newsworthy events and domain name registration, among which are:
- BLM-related domains: Remember when the Black Lives Matter movement was at its height in connection with George Floyd? Over 1,000 domains related to the issue were registered in a matter of three weeks.
- Coronavirus-related domains: Even before the World Health Organization (WHO) declared a pandemic, our study for Bloomberg revealed that thousands of coronavirus-related domains were already being registered.
- Vaccination-related domains: Suspicious vaccine-related domain names were also observed repeatedly throughout the past year but notably spiked in December 2020 when some countries began their vaccination campaigns. Our Cyber Threat Intelligence Recap for 2020 also showed how COVID-19 had influenced the tactics of threat actors.
As newsworthy events often relate with domain registration trends, we selected Bitcoin, Doge, and Cardano as strings in our research.
Bitcoin, for one, is almost synonymous with cryptocurrency and is always on the news.
Doge or Dogecoin made headlines recently after famous personalities like Elon Musk and Gene Simmons endorsed it on social media. Mark Cuban, the owner of NBA team Dallas Mavericks, fueled the fire after adding Dogecoin as a payment method when purchasing tickets and team merchandise. Interest in the digital coin continues to surge, and along with this, so does its value.
Cardano, on the other hand, is a cryptocurrency platform whose cryptocurrency is called “Ada.” The platform is mainly used for identity and credential verification by various educational and commercial institutions. Cardano became fully decentralized in April 2021, which means that the digital community now has complete control over it. Such a milestone is predicted to attract more investors and thereby increase its value.
Thousands of Domains and Subdomains Uncovered
A total of 31,555 domains and subdomains containing the words “bitcoin,” “doge,” and “cardano” were found. The breakdown is currently as follows:
Search Term | Number of Domains and Subdomains Containing the Search Term |
---|---|
“bitcoin” | 20,121 |
“doge” | 10,757 |
“cardano” | 677 |
The Different Faces of Crypto-Related Domains
The cryptocurrency-related domains were subjected to a bulk screenshot lookup to see what they look like. We categorized our findings into two—typical and suspicious.
Typical Domains
Under this category are common domain names, such as parked, blogging, and commercial domains.
Parked Domains
There were several parked domains (notably under GoDaddy), which could either belong to domain name investors waiting for offers, website administrators working on their sites, or potential threat actors planning to weaponize the domains at some point.
For Sale and Under Construction Domains
Domain names marked for sale, such as acbitcoin[.]com and adoge[.]com, are being sold for more than $1,000 each.
Moreover, some domains seem to indicate that websites like the one below (with domain barbitcoin[.]de) are still under construction.
Live Websites
Some of those domains’ websites are already up and running, too. While some contain news about cryptocurrencies, two types of running websites stood out—those offering income opportunities and those that display real-time cryptocurrency prices. Some examples of each are shown below.
Several subdomains also resolve to Cardano Stake Pool websites where users can receive rewards in Ada coins. Some examples of such subdomains are:
- cardano[.]ich-war-hier[.]de
- cardano[.]joschka-weiss[.]de
- cardano[.]rodmarzavala[.]com
- cardano[.]stakepool[.]quebec
- cardanostake[.]crypto-verse[.]net
Lastly, several domains point to Doge giveaways, including ceodoge[.]com getdoge[.]top, which promise a chance to win 500 million Dogecoins. Both domains have the same content that features Elon Musk, as shown below.
Suspicious Domains
Domains that have a high probability of being used by threat actors or brand abusers fall under this category. Aside from several domains that host adult content, we found possible brand imitators, potentially vulnerable domains, and domains tied to a malicious entity.
Possible Brand Imitators
The first group of suspicious domains we observed comprises those that imitate legitimate websites. For instance, we found that the homepage of 0bitcoins[.]ch, 0bitcoins[.]com, and 0bitcoins[.]org are very similar to that of wolfsec[.]ch. Below are the screenshots of the three Bitcoin domains:
And this is the screenshot result of woldsec[.]ch:
Another example is a bunch of Bitcoin domains that resolve to websites that appear to be those of .WS Emoji Domains.
Potentially Malicious Domains
Several domains also resolve to a website that says “Simcast - Powered by Microsoft News,” including 1bitcoin[.]cash and 1bitcoin[.]fund. An example of a screenshot result of one of the crypto-related domains is shown below.
A Google search for Simcast did not return any definitive results, as it could refer to a kind of malware or domain management company. However, the screenshot lookup results of the crypto domains appear very similar to simcast[.]com (shown below).
Note that this domain has been reported “malicious” by several engines on VirusTotal.
As part of the research, we tried to visit one domain—1bitcoin[.]fund—and found that it redirects rsafrwdr[.]com. Like simcast[.]com, this domain is reported “malicious” by multiple engines on VirusTotal.
Vulnerable Domains
Some domains in our sample also appear to host or least redirect to exposed source code directories.
Tracing the Ownership of Crypto-Related Domains: The Reality of WHOIS Redaction
In February 2020, we tackled the possible effect of the privacy guidelines implemented by the Internet Corporation for Assigned Names and Numbers (ICANN) in compliance with the General Data Protection Regulation (GDPR) in cybercrime investigations. We noted a considerable difference between WHOIS domain search results pre- and post-GDPR.
Tracking the WHOIS records of the cryptocurrency domains in this study showed that redaction is indeed prevalent. After looking into the domains’ registrant email addresses, we found that only an average of 5.67% could be publicly attributed to a person or an organization. The registrants of these domains typically used email providers like Gmail, Hotmail, Outlook, and Protonmail. We also saw several that use the domain qq[.]com, which has been tagged malicious on VirusTotal for ties to spamming and malware delivery.
Additionally, some unredacted email addresses use yandex[.]com, which is listed on PhishTank. More domains use yandex[.]ru, though this email domain has not been reported for ties to phishing.
The rest of the domains’ registrant email addresses (94.33% of them) have been either undisclosed, or privacy-protected, or redacted by their registrars.
This much redaction is significantly higher than the volume of redacted registrant email addresses cited in another study where we checked over 285 million domains (72.68%) a few years ago.
Registrar Distribution
Another WHOIS detail that we decided to explore is the domains’ registrar. If the registrant did not employ third-party privacy protection services, their registrars were likely to redact their WHOIS records. Why is tracing the registrar important?
Among ICANN’s proposed steps in mitigating Domain Name System (DNS) abuse is publishing reports identifying registries and registrars that have abusive domains and reporting the actions they took in response to the complaints. Furthermore, registrars of new gTLDs are required to “investigate and respond appropriately to any report of abuse.”
Knowing the registrars of erring domains can, therefore, help mitigate abuse and threats as well as facilitate takedown.
GoDaddy and NameCheap are the top registrars in our study, accounting for 19% and 18% of the total number of cryptocurrency-related domains respectively. The rest of the domains are distributed across hundreds of other registrars.
We broke down the top 10 registrars for each cryptocurrency in the table below to provide more perspective. Other recurring registrars are Tucows, eNom, PDR Ltd., Dynadot, and MarkMonitor.
Bitcoin | Dogecoin | Cardano |
NameCheap, Inc. | GoDaddy | GoDaddy |
GoDaddy | NameCheap, Inc | NameCheap, Inc |
MarkMonitor | Alibaba Cloud Computing | MarkMonitor |
PDR Ltd. | Dynadot | 101domain GRS Ltd |
NameSilo | Googl | eNom, LLC |
Dynadot | NameSilo, LLC | Tucows Domains Inc. |
REGRU-RU | PDR Ltd. | DANESCO TRADING LTD |
Name.com | TurnCommerce, Inc. DBA NameBright.com | Epik Holdings Inc |
eNom | Tucows Domains Inc. | PDR Ltd. |
TucowsDomains Inc. | GMO | Gandi SAS |
Some of these registrars are among the biggest in the market, managing millions of domain names. GoDaddy alone has more than 82 million domains under its wings. Therefore, we could argue that they can’t monitor all of their domains for suspicious activities.
ICANN’s proposal to create a standardized DNS abuse reporting can help streamline the process and make it easier for registrars. Such a proposal is part of the recommendation to improve Domain Abuse Activity Reporting (DAAR) and strengthen the compliance of the parties involved.
Words Matter: Most Common Text Strings Used Alongside the Cryptocurrency Names
People may have different responses to fully qualified domain names (FQDNs), based on word combinations. For instance, a seasoned Dogecoin investor may be interested enough to click on doge[.]earnings[.]ltd, as it could lead him/her to more opportunities to earn.
But the same person could be wary about doge[.]jungsource[.]com or doge[.]o3o[.]ir, since the root domains don’t give him/her much information. Hence, threat actors tend to use domains that contain generic words to make them appear legitimate.
This practice coincides with the top 10 words used alongside “bitcoin,” “doge,” and “cardano.” These are:
-
“buy”
“invest”
“cash”
“coins”
“pay”
“mail”
“bet”
“bot”
“news”
“miners”
The word cloud below shows other text strings that appear alongside the three cryptocurrencies’ names. The presence of the word “login” is also worth noting, as this could encourage users to type in their account credentials into suspicious or copycat sites.
How WhoisXML API Has Been Helping with the Crypto DNS Project
WhoisXML API”s WHOIS database tracks the registration details of more than 1.2 billion domains and subdomains, including the crypto-related ones featured in this study. In particular, Bulk WHOIS Lookup made it possible for the researchers to access the WHOIS records of thousands of domains in one go.
Screenshot API, meanwhile, allowed us to get a glimpse of what the website each domain and subdomain looks like. With the tool, we were able to investigate the sites without having to expose ourselves to potentially malicious activity.
Conclusion
Cryptocurrencies have been dubbed “the new gold” by some people, and the industry will continue to grow. By 2026, it is expected to reach US$2.2 billion. More people, even those who are not inherently investors, will be drawn to digital currencies. Not only do they offer a decentralized way of handling people’s finances, but they also hold great promise of fortune. And therein lies the cybersecurity issue.
As more people become interested, it would be easy for threat actors to use cryptocurrencies to lure victims. In this study alone, which focuses on Bitcoin, Doge, and Cardano, more than 31,000 domains and subdomains were found. While some of these may be used legitimately, we found others that are potentially suspicious, including:
-
Domains that host imitation websites, such as 0bitcoins[.]ch, could look similar to a cybersecurity company’s
website.
Domains that appear to be Simcast news sites and could be tied to the malicious website simcast[.]com.
Even the typical domains found could be weaponized by threat actors. Live websites that promise earnings, rewards, and giveaways could lure cryptocurrency investors into giving away sensitive information.
Monitoring these domains and reporting the ones that figure in malicious activities to their registrars are crucial steps toward a safer digital world.
Cybersecurity professionals who wish to monitor cryptocurrency-related domains and subdomains may contact us for more information on using our full WHOIS database.
Read other articles