Cybersecurity Stop of the Month: Bitcoin Scam—How Cybercriminals Lure Victims with Free Crypto to Steal Credentials and Funds

The Cybersecurity Stop of the Month blog series explores the ever-evolving tactics of today’s cybercriminals and how Proofpoint helps organizations better fortify their email defenses to protect people against today’s emerging threats.

In recent years, cryptocurrency has grown from a niche interest into a mainstream financial ecosystem. This evolution, however, hasn’t been without drawbacks. Namely, it has attracted cybercriminals who use the allure of digital wealth to perpetrate sophisticated fraud schemes. In 2023, illicit crypto addresses received at least $46.1 billion, up from $24.2 billion. This underscores how rapidly crypto-related crimes are spreading.

The perceived anonymity and decentralized nature of cryptocurrencies make them appealing to threat actors. Such qualities can make it easier for them to steal financial assets from their victims using pre-existing attack patterns that are common in the phishing landscape.

Cybercriminals use automation, deception and advanced obfuscation techniques to drain millions from their unsuspecting targets. In this blog post, we’ll examine one such cryptomining fraud campaign and uncover how it works.

The scenario

In January 2025, Proofpoint researchers identified a widespread credential phishing campaign that targeted cryptocurrency enthusiasts as well as other unsuspecting users. The attack used a Bitcoin-themed lure, claiming recipients had unclaimed cryptocurrency earnings from an automated mining service. To create a sense of urgency and get victims to click on malicious links, the emails urged recipients to act immediately or risk losing their funds.

Notably, Proofpoint not only detected this threat within our own customer data; during Proofpoint Email Rapid Risk Assessments, we also found it behind the defenses of five other Gartner Magic Quadrant email security vendors that had missed it. This highlights the sophistication of the attack. It also shows how effective our advanced threat detection capabilities are at identifying threats that bypass traditional security tools.

The threat: How did the attack happen?

Here’s how the attack unfolded:

1. Setting the lure. Attackers crafted a series of emails that closely mimicked a legitimate notification from a cryptocurrency mining service. The emails claimed that the recipient had accumulated a significant Bitcoin balance through automated cloud mining, and they urged the recipient to withdraw the funds immediately before the account was permanently blocked.

A phishing lure used by threat actors.

To make the emails seem more credible, the attackers personalized them with a fabricated user ID and references to an IP address that was supposedly linked to the victim’s devices. Each message also included a direct link to a withdrawal page; URL shorteners and multiple redirects were used to obscure the link’s true destination.

The attackers’ goal was to create a sense of urgency and excitement. This would cause the victim to act without suspicion and, ultimately, surrender their credentials.

Another lure used by threat actors.

2. Taking the bait. If the recipient clicked on the link, they were redirected through a series of obfuscated URLs before landing on a spoofed cryptomining panel login page. This page was nearly indistinguishable from legitimate cryptocurrency platforms: it featured branding, account balance details and interactive elements designed to convince the victim of its authenticity.

A spoofed cryptomining panel page designed to mimic legitimate platforms.

To “claim” their Bitcoin, users were required to log in with their credentials. Once entered, those credentials were immediately harvested by the attacker. The victim was then guided through a fake withdrawal process, during which they were prompted to pay a small “transfer fee” before they could access their funds.

This step served two purposes:

  • It allowed the attacker to verify that the victim was willing to proceed with financial transactions. This made them a more valuable target.
  • It tricked the victim into voluntarily transferring additional funds—and further enriched the attacker.

By the time the victim realized the fraud, their credentials had already been exfiltrated. If they had a Bitcoin wallet linked to their account, their balance was likely drained.

A fake login page.

3. Exfiltrating credentials and funds. Once stolen, the victim’s credentials were either:

  • Used directly to access their real cryptocurrency accounts and empty their funds.
  • Sold on dark web marketplaces to other cybercriminals who could exploit them for additional fraud.

The attacker-operated domain that hosted the fake cryptomining panel often disappeared within hours or days to avoid detection. Any stolen Bitcoin was quickly laundered through mixing services or transferred across multiple wallets to hide the transaction trail. This made it nearly impossible for victims to recover their assets.

4. Amplifying the attack. This campaign targeted thousands of recipients (of which over 1,000 were Proofpoint customers). Cryptocurrency enthusiasts and individuals who may have previously interacted with cryptomining platforms were targeted. The attackers likely used automated phishing kits to generate and distribute the emails. This kept the messages consistent while introducing slight variations that could evade detection.

The phishing emails used urgent and persuasive language to pressure recipients into acting immediately. The subject lines included:

  • “Immediate Action Required: Claim Your 1.39 BTC Before It’s Lost!”
  • “URGENT: Your Crypto Mining Balance is at Risk – Withdraw Now!”
  • “Final Notice: Your BTC Earnings Will Be Forfeited in 24 Hours!”

Each variation of the message reinforced a sense of fear and excitement. This, in turn, increased the chances that victims would engage with the phishing link. Emails were sent from randomized sender addresses and domains, which made it harder for security filters to block them preemptively. Also, the use of URL shorteners and multiple redirections helped the attackers evade automated detection mechanisms.

An urgent and persuasive message.

The detection: How did Proofpoint identify this attack?

Proofpoint uses a variety of threat detection techniques. AI is a cornerstone of our Nexus platform, which combines semantic and behavioral AI, machine learning (ML) and curated threat intelligence from researchers. All of these technologies work together to create a multilayered defense that can detect and mitigate malicious messages and content in highly sophisticated and evolving threats.

Phishing campaign shown in the Proofpoint Targeted Attack Protection (TAP) dashboard.

This campaign was determined by Proofpoint Nexus to be malicious based on these observations:

  • Suspicious behavior. The emails came from unfamiliar senders and contained links that led to newly registered domains, both of which strongly indicated that the messages were phishing attempts.
  • New URL domains. The phishing URLs were hosted on recently registered domains, which is a common tactic used by cybercriminals to avoid being flagged by security systems.
  • Uncommon URL domains. The domains used in the attack were not commonly seen in Proofpoint traffic, further suggesting malicious intent.
  • Uncommon senders. The email senders were unfamiliar and did not frequently correspond with people at the targeted organizations, which increased suspicion.
  • AI-inferred intent. The Proofpoint Nexus Language Model (LM) inferred the emails’ intent to deceive based on semantic analysis, structure and contextual indicators that are commonly associated with phishing campaigns. The AI model flagged these emails as attempts to harvest credentials and steal financial assets.
  • Suspicious requests. The phishing page requested login credentials and prompted the user to pay a "transfer fee" before receiving their supposed Bitcoin balance. This multistep fraud attempt aligned with known tactics used in financially motivated phishing scams.

Between Jan. 5 and Feb. 9, 2025, this campaign targeted over 5,400 customers. Zero messages were delivered to our users. Proofpoint detected and blocked all of them.

Condemnation summary of signals Proofpoint used to detect the campaign.

The remediation: What are the lessons learned?

You need to implement proactive measures to protect against these types of phishing campaigns. Here are some tips:

  • Teach users about “free money” lures. Users should understand how common these lures are and how important it is to be skeptical about unsolicited messages, especially those that use URL shorteners with multiple redirects. Security awareness training can help change user behavior over time, making them more vigilant and proactive.
  • Help users to recognize attack patterns. Train users to identify the common tactics, techniques and procedures (TTPs) that are used in phishing attacks. Examples include landing pages that are hosted on free-use cloud platforms, spoofed domains and urgent action deadlines.
  • Encourage users to report and block. Users should be trained to report suspicious activities to their security operations center (SOC) teams. Then, they should block senders of phishing emails and promptly delete such messages.
  • Consider blocking risky top-level domains (TLDs). Certain TLDs are frequently associated with malicious activity. Block domains under TLDs such as .cc and .top at the network edge unless they are required for official business purposes.
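The detection signals listed above (uncommon sender, newly registered domain, URL shortener with multiple redirects, urgent language, risky TLD) can be turned into a simple triage rule that a mail gateway or SOC script could apply. The block below is an added example written for this post; it is not Proofpoint Nexus code and does not reproduce how Nexus scores messages. The sample messages, the redirect table, the domain registration dates and the allow-list of familiar sender domains are all constructed for illustration; in a real deployment the redirect chain would come from HEAD requests (never from rendering the landing page) and the registration dates from a WHOIS/RDAP lookup.

```python
"""Triage heuristics modelled on the detection signals described in the post.

Added example, not Proofpoint code. Every data table below is constructed so
the script runs offline and produces reproducible results.
"""
from datetime import date
from urllib.parse import urlparse

# Constructed stand-in for following a shortener's HTTP redirects. A real
# implementation would issue HEAD requests and record each Location header;
# here the chain is a static table.
REDIRECTS = {
    "https://short.example/abc": "https://redir-one.example/go?x=1",
    "https://redir-one.example/go?x=1": "https://mining-panel-login.top/claim",
}

# Constructed WHOIS-style registration dates (a real check would query RDAP).
DOMAIN_REGISTERED = {
    "mining-panel-login.top": date(2025, 1, 3),
    "partner.example": date(2015, 6, 1),
}

KNOWN_CORRESPONDENTS = {"partner.example"}  # constructed allow-list of familiar sender domains
SHORTENER_DOMAINS = {"short.example"}        # constructed list of URL shortener hosts
RISKY_TLDS = {"cc", "top"}                   # the TLDs the post suggests blocking at the edge
URGENCY_PHRASES = ("immediate action required", "urgent", "final notice",
                   "withdraw now", "forfeited")
NEW_DOMAIN_DAYS = 30                         # "newly registered" threshold, an assumption
TODAY = date(2025, 1, 20)                    # fixed "now" so results are reproducible

# Constructed sample messages: one modelled on the campaign's subject lines,
# one ordinary business message from a known correspondent.
SAMPLE_MESSAGES = [
    {"sender": "rewards@btc-payout-notice.cc",
     "subject": "Immediate Action Required: Claim Your 1.39 BTC Before It's Lost!",
     "url": "https://short.example/abc"},
    {"sender": "alice@partner.example",
     "subject": "Q1 invoice attached",
     "url": "https://partner.example/invoices/q1"},
]


def unwind_redirects(url, max_hops=10):
    """Return the ordered hop list from url to its final destination, capped at max_hops."""
    chain = [url]
    while chain[-1] in REDIRECTS and len(chain) <= max_hops:
        chain.append(REDIRECTS[chain[-1]])
    return chain


def registrable_domain(host):
    """Last two labels of a hostname (sufficient for the constructed data)."""
    return ".".join(host.lower().split(".")[-2:])


def triage(message):
    """Return the list of signals fired by one message dict (sender, subject, url)."""
    signals = []
    sender_domain = message["sender"].split("@")[-1].lower()
    if sender_domain not in KNOWN_CORRESPONDENTS:
        signals.append("uncommon_sender")
    subject = message["subject"].lower()
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        signals.append("urgency_language")
    chain = unwind_redirects(message["url"])
    hosts = [urlparse(u).hostname or "" for u in chain]
    if any(registrable_domain(h) in SHORTENER_DOMAINS for h in hosts):
        signals.append("url_shortener")
    if len(chain) > 2:  # more than one hop before the landing page
        signals.append("multiple_redirects")
    final = registrable_domain(hosts[-1])
    if final.rsplit(".", 1)[-1] in RISKY_TLDS:
        signals.append("risky_tld")
    registered = DOMAIN_REGISTERED.get(final)
    if registered is not None and (TODAY - registered).days <= NEW_DOMAIN_DAYS:
        signals.append("new_domain")
    return signals


def verdict(message, threshold=3):
    """'block' when enough independent signals fire, otherwise 'deliver'."""
    return "block" if len(triage(message)) >= threshold else "deliver"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["sender"], "->", verdict(msg), triage(msg))
```

The threshold of three independent signals is an assumption chosen so that a single weak indicator (an unfamiliar sender alone, or one urgent word in a subject) does not block legitimate mail, while a message that combines urgency, a shortener chain and a freshly registered .top landing domain is condemned.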

Proofpoint delivers human-centric protection

As the cryptocurrency landscape continues to evolve, so do the tactics of cybercriminals. To safeguard your digital assets against sophisticated fraud campaigns, it’s essential to stay informed and implement robust security measures.

Cyberattackers target people. That’s why Proofpoint is committed to providing human-centric security. Our focus on the human element ensures that our comprehensive solutions can protect people and organizations from today’s evolving threats. This approach informs everything we do, from gathering advanced threat intelligence to educating users and developing adaptive security measures.

Learn more about Proofpoint Threat Protection or read our solution brief.
