Threat Actors Capitalize on Bittrex Bankruptcy to Launch Targeted Phishing Attack
Opportunistic threat actors are always on the lookout for vulnerabilities to exploit. Recently, attackers capitalized upon the tumultuous situation surrounding the bankruptcy of Bittrex, a prominent cryptocurrency exchange, to launch a highly targeted and sophisticated phishing campaign. Seeking to deceive former Bittrex customers into divulging their credentials, the attackers lured targets with the promise of accessing remaining funds before they were forfeited.
The perpetrators employed various tactics to make their emails appear genuine—including using a legitimate sender email, masking the phishing link, and incorporating actual information from the bankruptcy proceedings. They focused exclusively on prior Bittrex users, many of whom are university students. In fact, every attack email detected by Abnormal was sent to an address belonging to a higher education institution.
Background on the Bittrex Bankruptcy
Understanding the context of this attack requires knowing a bit of history about Bittrex. On April 30, 2023, following accusations from the U.S. Securities and Exchange Commission that it was operating as an unregistered securities exchange, Bittrex ceased operations in the United States.
Three weeks later, all Bittrex users received the below email from Omni Agent Solutions, a case administration service provider. It informed them that Desolation Holdings LLC and some of its affiliates, including Bittrex, Inc., had filed for Chapter 11 bankruptcy.
On May 31, Bittrex sent the following email to its entire database informing users that all funds in the exchange had been frozen due to the bankruptcy proceedings. They further explained that the company was working with the bankruptcy court to ensure customers could withdraw their assets as soon as possible.
Finally, on June 15, Bittrex announced via email they had been granted permission by the United States Bankruptcy Court to allow customers who met the necessary regulatory requirements to access their accounts and remove any remaining funds. Customers had until August 31 to do so.
Interestingly, of the approximately 1.6 million Bittrex customers who had funds in the exchange that were eligible for withdrawal, less than 3% actually claimed their assets. Bittrex users on Reddit reported the steps to extract their funds were cumbersome and time-consuming. Additionally, should a user have questions or need assistance during the disbursement process, they could expect a lengthy back-and-forth with Bittrex support that may or may not end with a satisfactory resolution.
Considering that when operations ceased, 77% of Bittrex accounts contained balances under $100, it’s safe to assume many users decided it wasn't worth the trouble.
Breaking Down the Bittrex Phishing Attack
On October 23, nearly two months after the withdrawal deadline, Bittrex’s former customers received three emails in short succession. The content of each email was identical, but the subject lines and sender display names varied between messages.
The emails claimed the recipient still had assets on the exchange that were eligible to be withdrawn and they were receiving this email because their account had a remaining balance of more than $1,000. The email further stated that if the funds were not taken out of the platform before the withdrawal period ended on October 25, all assets would be forfeited.
The message outlined the steps to claim the remaining account balance and contained a link purportedly to the Bittrex portal. However, if the recipient clicked on the link, they would be taken to a phishing page. While the perpetrators have since deleted the page, we can use similar attacks to infer what information targets were most likely prompted to enter.
In the first scenario, recipients were asked to provide their Bittrex username and password, which would allow the attackers to steal the login credentials of every individual who entered them on the page. The attackers would then be able to access any other account for which the target used that same password. This is dangerous enough on its own, given that 51% of passwords are reused, and the threat actors could be hoping that the credentials used for the Bittrex account were also used for bank accounts and other exchanges from which they could withdraw funds.
Still, the other possibility is even worse. Since the withdrawal steps in the email refer to “account owner verification,” the phishing page potentially mirrored the Know Your Customer (KYC) process. This would mean targets would be asked to enter details like their name, address, date of birth, social security number, and either their driver’s license or passport number. And since step three mentions entering a “destination address,” presumably a bank account or cryptocurrency wallet address, the threat actor would instantly have the information they needed to steal that individual’s money and identity.
Why the Bittrex Phishing Attack Is Noteworthy
The most obvious indicators of a malicious email are generally poor grammar, syntax errors, and misspellings. With the exception of one easily overlooked incorrect word choice, this email is nearly flawless from a grammar and spelling standpoint.
Additionally, based on the sender email (matchinggifts@doublethedonation[.]com), it appears the attackers leveraged a legitimate donation software platform to send these emails. Because the messages genuinely originated from that platform's sending infrastructure, they passed SPF, DKIM, and DMARC authentication and were more likely to land safely in inboxes. In addition, the threat actors utilized a URL shortener to mask the link to the phishing page and decrease the chances of it being flagged as malicious.
The attackers also incorporated the actual footer from emails sent by Omni Agent Solutions, including the real phone numbers and email address for inquiries regarding the Bittrex bankruptcy. Moreover, the sender display names the perpetrators used not only included the brand being impersonated but also the name of the case administration service provider managing the bankruptcy proceedings. There’s no denying that they did their homework.
Further, the timing of the attack was clearly deliberate. Bittrex received bankruptcy court approval on Monday, October 30 to officially shut down U.S. operations. Because this deadline was likely in the court docket, the threat actors had access to this information and were able to determine October 23 was the best day to launch the attack.
Finally, the attackers manufactured a sense of urgency—a hallmark of social engineering. Along with limiting the disbursement period to 48 hours, the threat actors closed the email with the following: “Please be aware that after the withdrawal period expires, your remaining funds will become inaccessible, so it is crucial to complete your withdrawals within the specified time frame.” This increased sense of urgency might prompt people to take action without further examining the email.
What Makes This Attack Challenging to Detect
The strategies used in the Bittrex phishing attack make it particularly difficult for both employees and legacy security solutions like secure email gateways (SEGs) to recognize the emails as threats.
For employees, the timeliness and relevancy of the content, impersonation of a known brand, use of Bittrex branding, and lack of obvious grammatical errors or misspelled words would make it challenging for the average individual to identify the email as malicious.
As to SEGs, the messages use authentic-looking content, obscure the destination of the phishing link with a URL shortener, contain no malicious attachments, employ social engineering tactics, and originate from a legitimate domain.
SEGs only flag messages that exhibit clear indicators of compromise and are unable to examine shortened URLs or detect the subtler aspects of social engineering. Additionally, traditional security solutions may not recognize the sender as malicious because the email came from a legitimate source.
Blocking Phishing Attacks with Behavioral AI
Unlike a SEG, an AI-native email security solution leverages machine learning and behavioral AI along with content and link analysis to detect the unusual sender, suspicious link, and use of social engineering and accurately identify these emails as attacks. It also takes into account the fact that the recipients have never received emails from this sender before, as well as the mismatch between the sender domain and the links in the email.
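To make the indicators listed above concrete, here is an added example (not Abnormal's detection logic or any product code) that scores one constructed message on the signals this post describes: an impersonated brand in the display name, a shortened link, a link domain that does not match the sender domain, urgency language, and a sender domain the organization has never received mail from. The sender address and brand names come from the post; the recipient, the shortened URL and the shortener list are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not the actual phishing email). The sender address,
# impersonated names and urgency sentence are the ones the post describes;
# the recipient and shortened link are placeholders.
SAMPLE_EMAIL = """\
From: "Bittrex - Omni Agent Solutions" <matchinggifts@doublethedonation.com>
To: student@university.example
Subject: Final notice: withdraw your remaining Bittrex balance

Your account has a remaining balance of more than $1,000.
Step 1: Complete account owner verification at https://bit.ly/EXAMPLE
Please be aware that after the withdrawal period expires, your remaining
funds will become inaccessible, so it is crucial to complete your withdrawals
within the specified time frame.
"""

IMPERSONATED_BRANDS = ("bittrex", "omni agent solutions")
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumed list
URGENCY_PHRASES = ("will become inaccessible", "within the specified time frame",
                   "will be forfeited")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def phishing_indicators(raw_email, known_sender_domains=frozenset()):
    """Return the sorted list of indicator names that fire for one message."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    body = msg.get_payload().lower()
    hits = []
    # Display name carries an impersonated brand that the sending domain does not own.
    brands = [b for b in IMPERSONATED_BRANDS if b in display_name.lower()]
    if brands and not any(b.split()[0] in sender_domain for b in brands):
        hits.append("display_name_brand_mismatch")
    # Links: shortened, or pointing at a domain other than the sender's.
    for url in URL_RE.findall(body):
        link_domain = urlparse(url).netloc.lower()
        if link_domain in URL_SHORTENERS:
            hits.append("url_shortener")
        if link_domain != sender_domain and not link_domain.endswith("." + sender_domain):
            hits.append("sender_link_domain_mismatch")
    if any(p in body for p in URGENCY_PHRASES):
        hits.append("urgency_language")
    # Behavioral signal: this organization has never received mail from the domain.
    if sender_domain not in known_sender_domains:
        hits.append("first_time_sender")
    return sorted(set(hits))
```

No single indicator is conclusive (the domain mismatch alone also fires for legitimate newsletters), which is why the combination, rather than any one rule, is what separates this message from ordinary mail.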
By understanding normal behavior and detecting these abnormal indicators, an AI-native cloud email security platform like Abnormal can prevent this phishing attack from reaching end users.
To see how Abnormal can help your organization block modern threats, reduce spend, and prevent emerging attacks, schedule a demo.