Friday, 4 April 2025

Brand Monitoring Data-Niblet #1: Bybit

Following the theft of $1.4 billion in cryptocurrency from Dubai-based exchange Bybit (Figure 1) on 21 February 2025[1], the organisation found itself targeted by a range of phishing attacks, as reported by security vendor BforeAI. The campaign(s) included efforts to acquire customer credentials and steal further currency - in some cases under the guise of offering support, guidance or fund recovery - using techniques including domain- and subdomain-based brand impersonations incorporating typo-variants, and the use of a range of issue- and industry-specific keywords such as 'refund', 'wallet', 'information', 'check', 'recovery', 'metaconnect', 'mining' and 'airdrop'[2].

Figure 1: The official Bybit website (bybit[.]com), as of 04-Apr-2025

As of the start of April 2025, gTLD zone-file analysis reveals the existence of over 2,000 domains containing 'bybit', of which 1,044 contain 'bybit' at the start, or feature the brand name together with any of the high-relevance keywords listed above.

Of these 1,044 domains, only 21 appear to be under the control of the official Bybit organisation (based on the citation of their official domain registrar in the whois record, where information is available via an automated look-up).

Domain registration dates are available for 796 of the third-party domains, of which 160 (20.1%) have been registered since the date of the initial theft (Figure 2), including (for example) refund-bybit[.]com, bybitclaims[.]com and bybithacked[.]com, all registered on the day of the attack.

Figure 2: Daily numbers of registrations of high-relevance 'bybit' domain names, since the start of 2024

36 of those domains definitively registered since the date of the initial theft produce some sort of live website response as of the date of analysis (04-Apr-2025), including 16 domains explicitly resolving to active content of concern (Figure 3).

Figure 3: Examples of high-threat Bybit impersonation domains registered since the date of the initial attack against the platform: bybitbot[.]net, bybitge[.]top, bybitplan[.]com (plus an additional ten 'mirror' domains with names of the form bybitXXX[.]com), bybittpay[.]xyz, bybit-register[.]top, bybitcn[.]com

Amongst the older high-risk third-party registrations, a further 318 resolve to some sort of active webpage, of which 61 explicitly include the term 'login' somewhere in the page content or source-code. This dataset includes a number of additional examples of active websites of concern, including the examples shown in Figure 4.

Figure 4: Other examples of high-threat websites hosted on 'bybit' domains:

a) Log-in pages: bybitearn[.]site; bybit-cfd[.]com; bybitut[.]com

b) Other brand impersonation sites: bybit-tr[.]com; bybitcryptostoragewallet[.]com; bybitcoop[.]com; bybit[.]casa; bybitoption[.]com; bybit-tradefunds[.]com

c) Other misdirection (promotion of gambling-related content): bybitgame[.]com
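The triage steps described above (selecting high-relevance 'bybit' domains, separating official from third-party registrations, and dating third-party registrations against the incident) as an added Python example; this is not the author's tooling, and the domain list, registration dates and ownership flags below are a constructed sample standing in for the zone-file and whois data the post draws on.

```python
from datetime import date

BRAND = "bybit"
# Issue- and industry-specific keywords quoted in the post.
KEYWORDS = ("refund", "wallet", "information", "check", "recovery",
            "metaconnect", "mining", "airdrop")
INCIDENT_DATE = date(2025, 2, 21)  # date of the Bybit theft

def registrable_label(domain: str) -> str:
    """Lower-cased label with the TLD removed (assumes single-label TLDs)."""
    return domain.lower().rstrip(".").rsplit(".", 1)[0]

def is_high_relevance(domain: str) -> bool:
    """Post's rule: 'bybit' starts the label, or appears with a keyword."""
    label = registrable_label(domain)
    if BRAND not in label:
        return False
    return label.startswith(BRAND) or any(k in label for k in KEYWORDS)

def triage(domain: str, registered: "date | None", official: bool) -> str:
    """Bucket a candidate by relevance, ownership and registration timing."""
    if not is_high_relevance(domain):
        return "low-relevance"
    if official:  # whois registrar matches Bybit's own (the post's test)
        return "official"
    if registered is None:
        return "third-party/undated"
    if registered >= INCIDENT_DATE:
        return "third-party/post-incident"
    return "third-party/pre-incident"

def summarise(rows):
    """Count candidates per triage bucket."""
    counts = {}
    for domain, registered, official in rows:
        bucket = triage(domain, registered, official)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts

# Constructed sample: the three attack-day registrations are named in the post;
# the other rows, dates and the 'official' flags are illustrative.
SAMPLE = [
    ("bybit.com", date(2018, 1, 1), True),
    ("refund-bybit.com", INCIDENT_DATE, False),
    ("bybitclaims.com", INCIDENT_DATE, False),
    ("bybithacked.com", INCIDENT_DATE, False),
    ("bybit-register.top", date(2025, 3, 10), False),
    ("bybitearn.site", date(2023, 6, 2), False),
    ("mybybitshop.com", date(2024, 5, 5), False),  # brand mid-label, no keyword
    ("bybitgame.com", None, False),  # no registration date via whois
]
```

Running `summarise(SAMPLE)` yields one official, four post-incident, one pre-incident, one undated and one low-relevance candidate; the post-incident bucket is the one a monitoring team would review first, with the undated and pre-incident third-party sets following as the post's live-response and 'login' checks did.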

References

[1] https://www.infosecurity-magazine.com/news/bybit-140m-bounty-recover-mega/

[2] https://www.infosecurity-magazine.com/news/over-500-phishing-domains-bybit/

This article was first published on 4 April 2025 at:

https://www.linkedin.com/pulse/brand-monitoring-data-niblet-1-bybit-david-barnett-aqjic/
