Millions of Dollars in Bitcoins Stolen While Using Google AdWords

Over the last year the value of Bitcoins has increased enormously, and consequently many people have shown great interest in this cryptocurrency. Unfortunately, while some people decided to purchase it, others sought ways to obtain it illegally. Back in 2017, researchers from Cisco discovered a vast phishing campaign based in Ukraine. The cyber criminals behind it were targeting a particular website known as Apparently, while using Google AdWords, the scammers were able to place ads leading to their phishing web pages at the top of search results when victims were looking for specific information. The report says that by doing so the hackers were able to steal victims’ wallets and, as a result, millions of dollars in cryptocurrency. Further in the article, we will explain how the cyber criminals were able to do so and which regions were targeted the most. We will also mention a couple of recommendations from computer security specialists that should help avoid such scams.


For starters, let us explain what a phishing scam is. It is an attempt to make users reveal sensitive information, such as a username, password, or credit card details, or even to steal their money, as in this case. It is done by convincing the user that the sensitive information is required by the legitimate company or website the scammers pretend to be. Such attacks can be made via email, instant messaging, or, as in this case, via fraudulent Google AdWords ads leading to fake Bitcoin sites.

Researchers at Cisco found that the cyber criminals chose countries where local currencies could be unstable compared to Bitcoin. Also, the victims come from locations where people are less likely to understand English; in other words, countries with a mother tongue other than English. For example, most victims came from Nigeria (46.29%), Ghana (18.81%), and Estonia (6.44%). Users from other countries got scammed as well, but their numbers are much lower than in the listed ones. Another thing we can tell about the victims is that all of them were looking how to reach or for other information about Bitcoins, creating a wallet, and so on.

According to the Cisco report, the phishing campaign in Ukraine was organized by a group of cyber criminals known as COINHOARDER. These hackers used Google AdWords to present their victims with links to phishing sites among Google Ads. It looks like such links could appear if the victim used keywords like blockchain, bitcoin wallet, and so on. What’s more, the researchers discovered that such links led to web pages containing phishing content displayed in the user’s mother tongue. Clicking such content could result in redirection to a fake website, for example, blockchalna[.]info. While more careful users may notice differences in the URL, others might not see any difference between the original and the fake web page, as the two look more or less identical. Just like the original site, the fake one also invites visitors to “create your wallet or login now.” Needless to say, logging in or creating a wallet on such a site could result in the wallet being stolen later on.


After learning about these malicious websites displayed via Google AdWords, the Cisco researchers made sure they would be flagged as harmful. Nevertheless, the evidence shows the mentioned group of cyber criminals has been organizing and initiating such scams since at least 2015. No doubt, till now the hackers were able to steal millions of dollars in Bitcoins. For example, between September and December 2017 the COINHOARDER hackers were able to take approximately 10 million dollars, and over the past three years the sum could be more than 50 million dollars.

Computer security specialists have noticed a massive increase in scams related to cryptocurrencies, which is why users who do not wish to be scammed should follow a couple of simple safety recommendations. For starters, those who visit daily or often enough should bookmark its address instead of looking for it via each time; just make sure you bookmark the legitimate site. The same advice goes for other popular web pages that could be targeted too. Lastly, it would also be smart to pay close attention to the URLs of the web pages you visit, since you can often spot a difference in the addresses of fake phishing sites if you take a closer look; for example, there could be additional symbols, letters, words, and so on.
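The "look closely at the URL" advice can be automated. The following is an added example, not code from the Cisco report or from this article: it flags hostnames whose labels are a near miss or an accent swap of a protected keyword. The keyword list `PROTECTED`, the bookmark set `BOOKMARKED` and the host `wallet.example` are assumptions made for illustration.

```python
import unicodedata

# Assumption: brand keywords to protect; both are search terms named in the article.
PROTECTED = ("blockchain", "bitcoin")
# Assumption: hosts the user has verified and bookmarked (constructed placeholder).
BOOKMARKED = {"wallet.example"}

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def to_unicode(label):
    """Decode a punycode (xn--) label so accented look-alikes become visible."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return label

def skeleton(label):
    """Strip accents: NFKD-decompose, then drop combining marks."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def check_host(host, max_distance=2):
    """Classify a hostname as bookmarked, lookalike, unverified or unrelated."""
    host = host.replace("[.]", ".").lower().strip(".")  # accept defanged input
    if host in BOOKMARKED:
        return ("bookmarked", None)
    weaker = ("unrelated", None)
    for raw in host.split(".")[:-1]:  # every label except the TLD
        label = to_unicode(raw)
        folded = skeleton(label)
        for keyword in PROTECTED:
            d = edit_distance(folded, keyword)
            if 0 < d <= max_distance or (d == 0 and folded != label):
                return ("lookalike", keyword)    # near miss or accent swap
            if keyword in folded:
                weaker = ("unverified", keyword)  # brand word, host not bookmarked
    return weaker

if __name__ == "__main__":
    for h in ("blockchalna[.]info", "wallet.example", "example.org"):  # constructed inputs
        print(h, check_host(h))
```

An exact keyword match on a host that is not bookmarked is reported as `unverified` rather than trusted, because a brand word in a hostname says nothing about who owns the domain.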


  1. Jeremiah O'Connor, Dave Maynor, Artsiom Holub, and Austin McBride. COINHOARDER: Tracking a Ukrainian Bitcoin Phishing Ring DNS Style. Cisco Talos Intelligence Blog.
  2. Phishing. Wikipedia.
  3. Your Guide to Avoid Bitcoin Fraud. Bitcoin News.