The only Link you should trust.

A little while ago, we started noticing suspicious domains with legitimate-looking content on them. The domain itself wasn’t phishing you, but it would link users to a foreign domain that was also controlled by the bad actors.

They started using the service to direct users to bad content, primarily intending to steal their private keys by convincing them that they’d get some high-value airdrop of a new Ethereum-based token (that had no other web presence, not even a whitepaper or technical paper). These types of attacks play off of the greed that can live within someone. I touched on the use of in one of my previous articles.

I want to preface this article by saying this isn’t a dig at the service, but more of an analysis of phishers using their services.

It is a link shortening service, a very popular one, that allows you to enter a URL; they handle the redirection to that URL as well as collect statistics on the clicks.

It’s mostly used with good intentions: by marketing people to track click-throughs to specific campaigns, or on business cards and the like so people don’t have to remember a really long domain, only the bitlink, which is typically 7 characters.

The types of attacks we see

Since we started tracking the bitly redirect codes, we have discovered over 50 that have directly affected cryptocurrency enthusiasts within the Ethereum scene, totalling over 124,000 clicks.

A pie chart detailing the types of attacks we saw

Analysing the biggest attack type

As you can see from the chart above, MyEtherWallet-based attacks were the most popular way to phish users for their keys/funds. These attacks use a modified MyEtherWallet source designed to send your keys to a back-end server that will automatically “drain” your wallet of funds.

A bar chart detailing the types of domains used to phish users using a MyEtherWallet phishkit

As you can see from the bar chart above, the most common domains used to phish users are IDN homograph attack domains and subdomains.
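Both of these domain types can be flagged mechanically once a short link has been expanded to its destination hostname. The following is an added example, not MyCrypto's tooling: the trusted-domain list, the small Cyrillic look-alike table, the "last two labels" registrable-domain rule and the sample hostnames are all assumptions constructed for illustration.

```python
import unicodedata

BRAND = "myetherwallet"
LEGIT_DOMAINS = {"myetherwallet.com"}  # assumption: the only trusted registrable domain
# Tiny illustrative subset of Cyrillic look-alikes (a e o r s u kh i);
# real tooling would use the full Unicode confusables data.
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi")

def decode_labels(host):
    """Split a hostname into lowercase labels, decoding punycode (xn--) labels."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return labels

def skeleton(label):
    """Reduce a label to its ASCII look-alike: strip diacritics, map confusables."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.translate(CONFUSABLES)

def classify(host):
    labels = decode_labels(host)
    # Assumption: registrable domain = last two labels (no Public Suffix List).
    if ".".join(labels[-2:]) in LEGIT_DOMAINS:
        return "legitimate"
    # A non-ASCII label that *looks like* the brand is a homograph.
    if any(not l.isascii() and BRAND in skeleton(l) for l in labels):
        return "idn-homograph"
    # The brand appearing left of someone else's registrable domain.
    if any(BRAND in skeleton(l) for l in labels[:-2]):
        return "brand-in-subdomain"
    return "other"

# Constructed sample destinations (not taken from the article's data).
SAMPLES = [
    "www.myetherwallet.com",
    "myetherwall\u0117t.com".encode("idna").decode("ascii"),  # e with dot above
    "myetherw\u0430llet.com",                                  # Cyrillic a
    "myetherwallet.com.airdrop-claim.example",
    "example.org",
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:45} {classify(host)}")
```

The second sample is passed in its punycode (`xn--`) form, which is how a homograph domain appears in a redirect header or a log line.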

There are various types of places we found these links, including projects promising $100+ in token airdrops if they sign a message with their private key, and comments on popular block explorers.

A bar chart detailing where we found the links that forward to MyEtherWallet phishing

We can see the vast majority of users who were redirected using the service were targeted on airdrop sites exploiting users’ greed or interest in new tokens. Some of these airdrop sites were abusing the reputation of existing tokens/chains — such as EOSGas — which got very popular in recent weeks. The links that we caught processed over 5,000 click-throughs using the EOS branding to phish users using MyEtherWallet phishkits.

Since our data is limited (as we are not the authors of these bitlinks), our analysis won’t be complete but it will still show some trends — for example, country data is limited to the top 3 traffic sources and the rest is bundled into “more” which we cannot view.

Analysis shows that Nigeria (39%), Indonesia (29%), Vietnam (15%), and India (8%) are the top traffic sources (that we can see) across the links we have watched — yes, we are assuming we live in a perfect world where people have their browser language set correctly and no VPNs/proxies were used.

A map pinned to illustrate the top traffic sources for the tracked links

We also graphed most of the click-throughs by week of the year (for the first half of 2018) to see when these phishing/scams were most active.

A graph to detail the number of click-throughs for every link watched, grouped by the week of the year

As you can tell, May, June, and July 2018 were most active according to the links we found — mostly leading to private key phishing sites and trust-trading scams. This raises a very obvious problem that we can solve. In fact, we've already written about it — deprecating private keys online.

What can you do to stay safe?
